Seven things small businesses must do now to prevent cyber-attacks

There are steps that SMEs can take to protect themselves against the growing risk of cyber-attack.

Australia’s small and medium-sized businesses (SMEs) are increasingly under threat of cyber-attack, but most are unaware of the risk or are doing almost nothing to prevent it, according to a Deakin University cybersecurity expert.

Professor Matthew Warren, Deputy Director of Deakin’s Centre for Cyber Security Research and Innovation, said business owners were becoming more and more dependent on IT systems and therefore vulnerable to new and emerging security risks.

“The problem is that they may not have the appropriate resources, expertise or understanding to protect their systems and key data – they’re using the technology from a convenience perspective but without properly understanding the privacy and security risks.

“Many think security is not their responsibility but it’s a serious risk that can destroy their business.”

SMEs are categorised as any business with fewer than 200 staff. They represent 96 per cent of Australian businesses, and employ almost half of Australia’s private workforce, contributing a third of Australia’s GDP.

Professor Warren said a key priority in developing Victoria’s small business economy must be the promotion of cyber security and there were seven simple things owners of small and medium businesses should do to protect themselves:

1. Patch systems and enable automatic patching. Keep all systems and software packages updated (called patching); patching can be done automatically rather than carried out individually by users.
2. Back up all important data.
3. Use cloud-based email and/or data storage.
4. Use strong authentication. Use passphrases instead of passwords and use two-stage authentication where possible.
5. Set up different accounts. For example, you can set up an administrator account, as well as user accounts.
6. Don’t use the same password across all accounts (Twitter, Facebook, LinkedIn, Gmail, Adobe, Apple, etc). When one is hacked, they all become vulnerable if you’re using the same password.
7. Don’t click on links, attachments or images from people not known to you. Criminals often hack one account and use that account to send malware to people in the contact list.

According to Professor Warren, data showed there were nearly 700,000 cyber-attacks against Australian organisations each year, with 60 per cent of those attacks being made against SMEs.

“One prominent example we saw in 2016 was when thieves hacked into the computer system of an SME that held a national security contract with the Federal Government,” he said.

“The intruders had access to the IT network for a long period of time and stole large amounts of the defence supplier’s data.

“While not all breaches will impact on matters of national security, when you consider that the average time it takes to resolve a cyber-attack is 23 days, that can still have an enormous impact on a small business’ operations and ultimately on its bottom line.

“SMEs need to ask themselves – if they were a victim of a cyber-attack how much immediate business would they lose, could they restore their system and data, and would their customers have confidence in their organisation in the future?”

Deakin offers a free online SME cyber security short course through FutureLearn. For more information visit

Published by Deakin Research on 7 September 2018
