Cyber security for small businesses has different priorities and levels of risk compared to larger organisations. As a small business, you are less likely to be adequately protected, and more likely to be targeted for exactly that reason. The industry you're in also affects your likelihood of a cyber incident.

Businesses in the health industry were hardest hit by data breaches this year, out of a total of 242 reported breaches. Nearly half of these breaches were caused by a malicious attack, possibly due to insufficient cyber security precautions. These numbers show that anyone can be a victim of an attack, and there is no reason to think it won't happen to you.


What is a data breach?

A data breach is an incident in which data is accessed by someone who is not authorised to access it. Data breaches can be accidental and unintended, or intentionally malicious. Accidental data breaches usually come down to human error, such as sending a sensitive email to the wrong recipient or attaching the wrong file. Through vigilance, employee education and simple technical safeguards (for example, a warning before an email containing sensitive data leaves your own domain), you can prevent or at least minimise these incidents. A malicious data breach looks like an attacker gaining access to sensitive data for financial or personal gain. These types of incidents require proper cyber security measures to prevent.
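Here is a small added example (not code from this article or from any particular product) of the kind of technical safeguard that catches the "wrong recipient" mistake before it leaves the building. It runs over an outgoing email, looks for payment card numbers (validated with the Luhn check) and Australian tax file numbers (validated with the ATO check digit), and blocks the send if any are found and a recipient is outside your own domain. The business domain, recipients and message are made up for the demonstration.

```python
import re

# Your own email domain; an assumption for this example (the article names no domain).
INTERNAL_DOMAIN = "example-practice.com.au"

# 13-16 digits, optionally separated by spaces or hyphens (payment card numbers).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# 9 digits in 3-3-3 groups (Australian tax file numbers).
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tfn_valid(digits: str) -> bool:
    """ATO tax file number check: the weighted sum must be divisible by 11."""
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    if len(digits) != 9:
        return False
    return sum(w * int(d) for w, d in zip(weights, digits)) % 11 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, matched_text) pairs for card numbers and TFNs that pass their checks."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            hits.append(("card", m.group()))
    for m in TFN_RE.finditer(text):
        if tfn_valid(re.sub(r"[ -]", "", m.group())):
            hits.append(("tfn", m.group()))
    return hits


def external_recipients(recipients: list) -> list:
    """Recipients whose address is not on our own domain."""
    suffix = "@" + INTERNAL_DOMAIN
    return [r for r in recipients if not r.strip().lower().endswith(suffix)]


def check_outbound(recipients: list, body: str) -> dict:
    """Decide whether an outgoing email may be sent.

    block: sensitive data found and at least one recipient is outside the business
    warn:  sensitive data found, but every recipient is internal (sender should confirm)
    allow: nothing sensitive detected
    """
    hits = find_sensitive(body)
    ext = external_recipients(recipients)
    if hits and ext:
        action = "block"
    elif hits:
        action = "warn"
    else:
        action = "allow"
    return {"action": action, "external": ext, "findings": hits}


if __name__ == "__main__":
    # Constructed message: a standard test card number and the well-known valid test TFN 123 456 782.
    result = check_outbound(
        ["alice@example-practice.com.au", "bob@gmail.com"],
        "Hi Bob, card 4111 1111 1111 1111 and TFN 123 456 782 as discussed.",
    )
    print(result["action"], result["findings"])
```

Run it at the mail gateway or as a send-time add-in; the point is a warning before the message goes, not a report afterwards. The Luhn and TFN check-digit tests are what stop it from flagging every invoice number and phone number.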

Understanding the terminology and context of cyber security plays a critical role in protecting your business. In order to identify risks, vulnerabilities and attacks, you have to know what they look like.


How can I reduce the risk of a data breach?

There are a number of strategies you can, and should, use to mitigate the risk of a data breach, whether intentional or not. Some of these come down to common sense, and some fall under a more technical umbrella.

If you practise good password management (unique passwords, a password manager, and multi-factor authentication wherever it is offered), browse sensibly and keep your systems up to date, then you're already taking good strides towards reducing risk. You will still need a variety of strategies and policies within your business, however, in order to properly protect your data from being accessed.

There are a number of essential steps that especially help cyber security for small businesses. The Australian Signals Directorate (ASD) has published a list of these, 'the Essential Eight': application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups. These are mitigation strategies that any and every small business should implement as a foundation for its cyber security protection. For further information on how you can mitigate the risk of a data breach, have a read of our top cyber security tips and consider performing a cyber security audit, either by following a checklist or by engaging a third-party team that specialises in IT and security to evaluate, test and upgrade your cyber security tactics.




What are different types of cyber attack?

There are a variety of cyber attacks that can strike you, and being aware of them is an important factor in being able to prevent them. Some are more likely to hit small businesses, because they carry lower risk for the attacker and a higher chance of financial gain. Ransomware is a prime example. Ransomware is a type of malware that encrypts your data and holds it hostage in exchange for a ransom, usually demanded in cryptocurrency because it is harder to trace. Small businesses that are unprepared for this type of attack, particularly those without tested backups, are the most likely to end up paying, and paying is no guarantee that you get your data back.

Other common types of attack include phishing, malware, DDoS attacks and watering hole attacks. Phishing and watering hole attacks rely on malicious links or attachments disguised within emails or on websites you trust. One of the primary ways you can prevent these cyber attacks is to know what you're looking for, and to ensure that your employees are educated on the topic and take responsibility for cyber security as well.
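As an added illustration (not code from the original article), here is the kind of check a mail filter, or a curious staff member, can apply to the links in a suspicious email: does the visible text point to the same place as the real link, is the destination a bare IP address or a plain http URL, and does the domain merely contain the name of a site you trust? The trusted bank domain, the country-code domain rule and the sample email are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this business treats as trusted; an assumption for the example.
TRUSTED_DOMAINS = {"example-bank.com.au"}

# Second-level labels under which two-letter country TLDs register names (crude rule, assumption).
SECOND_LEVEL = {"com", "net", "org", "gov", "edu", "co"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """'login.example-bank.com.au' -> 'example-bank.com.au'; 'a.b.evil.net' -> 'evil.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_url(text: str) -> bool:
    """True when the visible link text is itself a URL or domain name."""
    return re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I) is not None


def analyse_links(html: str) -> list:
    """Return (reason, href) findings for links that show common phishing tells."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if not host:
            continue
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(("ip-address host", href))
        if url.scheme == "http":
            findings.append(("unencrypted http", href))
        if looks_like_url(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                findings.append(("display text points elsewhere", href))
        for trusted in TRUSTED_DOMAINS:
            # The trusted name buried inside a different registrable domain is the classic lookalike.
            if registrable_domain(host) != trusted and trusted.split(".")[0] in host:
                findings.append(("lookalike of " + trusted, href))
    return findings


# Constructed phishing-style email; the addresses and wording are invented for the example.
SAMPLE_EMAIL = """
<p>Your account has been suspended. Please verify your details at
<a href="http://example-bank.com.au.secure-verify.net/login">https://example-bank.com.au/login</a>
within 24 hours.</p>
<p>Or visit <a href="https://www.example-bank.com.au/help">our help centre</a>.</p>
<p><a href="http://203.0.113.5/update">Update now</a></p>
"""

if __name__ == "__main__":
    for reason, href in analyse_links(SAMPLE_EMAIL):
        print(f"{reason:32} {href}")
```

The genuine help-centre link produces no findings; the first and third links produce five between them. The registrable-domain rule here is deliberately simple, and a real filter would use the Public Suffix List instead.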

Many types of attack take advantage of known vulnerabilities in your operating system or software. This is usually only possible when businesses don't keep their systems on the latest updates and patches. Patching promptly is an easy step that goes a long way towards managing cyber security for small businesses.


How will I be affected by a cyber attack?

This is an excellent question. Cyber security for small businesses may seem unnecessary and excessive, because surely it's not that big a deal, right? Nope. It's kind of a big deal! Cyber attacks can leave your reputation in tatters and lose you clients (and therefore income). Investigating, containing and managing any attack or breach incurs a tangible financial cost to your business. As your normal processes are put on the back burner to handle the attack, your productivity takes a hit too. We cannot overstate the very real cost of cyber attacks.

Studies show that the average cost to an Australian company in the event of a data breach is a whopping $2.51 million. Yes, let that sink in. Can your business afford to waste $2.51m on a data breach that you could have easily prevented?

Whether it's private customer information, financial data, or sensitive intellectual property, you're faced with the fact that data has been compromised. If your business is covered by the Privacy Act (which includes most health service providers regardless of size), the Notifiable Data Breaches scheme may require you to notify the affected individuals and the Office of the Australian Information Commissioner (OAIC). And let's face it, your customers may not be happy. So you'll be dealing with a PR backlash, a loss of trust, and possibly a loss of business if they decide to go elsewhere. You have to spend time and money, either yourself or through an IT company, to identify and contain the breach. Then you need to protect your systems moving forward by upgrading, or implementing stronger security measures, to prevent another similar incident.

A ransomware attack could even leave your data totally compromised or destroyed. Without proper backups and a business continuity plan in place, you've potentially lost days, weeks, months or years worth of work. Backups only count if they are kept somewhere the attacker can't reach (offline, or in storage that your everyday accounts cannot modify) and if you have actually tested restoring from them.
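To make "proper backup" concrete, here is an added example (not from the article) of the one backup test that matters: after restoring, prove the files came back intact. It records a SHA-256 fingerprint of every file before backup, then compares a restored copy against that manifest, so a file that ransomware has encrypted, or that simply failed to copy, shows up as modified or missing. The files and folders are created in a temporary directory purely for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored directory against the manifest taken before the backup."""
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    modified = sorted(k for k in manifest.keys() & current.keys() if manifest[k] != current[k])
    return {
        "ok": not (missing or extra or modified),
        "missing": missing,
        "extra": extra,
        "modified": modified,
    }


def demo() -> dict:
    """Build a tiny constructed data set, back it up, verify, then simulate damage and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "list.csv").write_text("name,email\nAlice,alice@example.com\n")
        (live / "invoices.txt").write_text("INV-001 paid\n")

        # 1. Fingerprint the live data before the backup runs.
        manifest = build_manifest(live)

        # 2. Take the backup (here a plain copy) and prove the restore is complete.
        backup = Path(tmp, "backup")
        shutil.copytree(live, backup)
        clean = verify_restore(manifest, backup)

        # 3. Simulate a bad restore: one file encrypted by ransomware, one file lost.
        (backup / "invoices.txt").write_bytes(b"\x00encrypted\x00")
        (backup / "clients" / "list.csv").unlink()
        after_tamper = verify_restore(manifest, backup)

    return {"clean": clean, "after_tamper": after_tamper}


if __name__ == "__main__":
    report = demo()
    print("clean restore ok:", report["clean"]["ok"])
    print("damaged restore:", report["after_tamper"])
```

Keep the manifest with the backup, but also somewhere the backup job's own credentials cannot rewrite; an attacker who can encrypt the backup can just as easily rewrite a manifest stored next to it.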


What cyber security compliance regulations are there?

In terms of cyber security for small businesses, there are a few regulations and cyber security frameworks you can follow. These are templates or guidelines that outline the protocols and policies you should implement to boost your cyber security. Depending on the nature of your business, you may find a set of cyber security guidelines designed just for you. If you're a healthcare practice, the RACGP has a framework geared towards protecting patient information, information availability and risk assessment. CPA Australia has a set of articles and checklists that focus on the best way to protect your information.

ISO 27001 is the information security standard published by the International Organization for Standardization (ISO). It focuses on establishing, maintaining and continually improving an information security management system, with risk management at its core. ISO 27001 also makes the point that security should be the responsibility of everyone, and an integral part of every department, not just IT. The Australian government has published several documents that fall under this scope, such as the Information Security Manual (ISM) from the Australian Signals Directorate (ASD) and the Protective Security Policy Framework (PSPF). Government agencies tasked with protecting highly sensitive information use these frameworks, and they are freely available, so you have access to a solid foundation for cyber security for small businesses.


How do I know what to focus on?

You can take a cyber security questionnaire to determine where your weaknesses may lie. We've created one for exactly this purpose, but they are easy enough to find. The questionnaire will help you identify vulnerabilities and what you need to focus on. You can (and probably should) hire experts to assist you with this process; doing the questionnaire beforehand, however, lets you give them an outline of what you need and gives you some essential knowledge too.

Understanding the whole context of your business process plays a critical role here. It may seem obvious, but actually identify where sensitive information enters your systems, where it is stored, and who can access it. What programs or applications process the sensitive information? This should include every mobile device, laptop, external hard drive and PC that interacts with that data. Is your network hardware secure too? Data storage, servers and routers should be secured: default passwords changed, firmware updated, and management interfaces not exposed to the internet. If not, how can you improve this? Do you already have fundamental controls in place, such as firewalls, encryption and VPNs, and policies describing how they are used? These all work together to protect your systems.

Once you learn more about cyber security for small businesses, you start to get a feel for where to start. You will need to evaluate your systems at regular intervals to identify any changes or vulnerabilities that may have developed. Roll out system patches and software updates promptly every time, as they often fix security vulnerabilities that attackers are already exploiting.



Being a small business doesn't mean you can disregard cyber security; in fact, it's the opposite. Your livelihood depends on protecting your reputation and your data, so it's essential to have solid cyber security measures in place. However, this doesn't mean you need to blow out your budget building state-of-the-art network solutions for your business (though it might be nice!). You can utilise many off-the-shelf solutions to protect your business, whether it's G Suite for storing all your data or the Cisco security suite. You can also hire an external IT company for managed services that cover cyber security, networking and monitoring. Get started right in your own office, though, by keeping your staff trained and aware, and keeping your systems updated.

Cyber security is a big deal, but it doesn’t need to be a big deal, if you follow some IT common sense!