March 22, 2023

How small to medium businesses (SMBs) can better protect themselves against cyber attack

Cyber attacks on Australian small to medium businesses (SMBs) are not only on the rise, but rapidly increasing in frequency and sophistication. According to the latest Annual Cyber Threat Report, the Australian Cyber Security Centre (ACSC) recorded 76,000 cybercrime reports, representing a 13% increase from the previous financial year. This equates to one cybercrime report being made every seven minutes.

In addition, SMBs suffered the highest average loss, with the average cost per cybercrime reported as over $39,000 for small businesses, $88,000 for medium businesses, and over $62,000 for large businesses.

With cyber attacks a growing threat, it’s essential that SMBs take cybersecurity seriously and implement strong security measures to protect their systems and data. Below we take a look at why SMBs are more vulnerable to cyber attacks and the most common threats to be aware of. Most importantly, we also outline the most effective and inexpensive practices available to protect your SMB against cyber incidents.


Why SMBs are more vulnerable to cyber attacks

Australian SMBs operate in a different environment compared to larger enterprises, with 97% of SMBs operating with fewer than 20 staff. Limited resources can make it challenging to prioritise cybersecurity, with a lack of budget or staff to implement strong security measures.

SMBs may also neglect cybersecurity as they mistakenly believe they are already protected by default security measures via third party suppliers, or that their business is not valuable enough to warrant attention from attackers.

Unfortunately, cybercriminals are increasingly using automated tools to target SMBs, exploiting vulnerabilities in their systems and software to gain access to sensitive data. In addition, the COVID-19 pandemic accelerated the shift towards remote work and online operations, increasing the attack surface for SMBs. Cybercriminals have been taking advantage of this shift by launching attacks on poorly secured remote access points and exploiting vulnerabilities in online systems.

Overall, SMBs need to recognise the importance of cybersecurity and take proactive steps to protect their systems and data. While there may be challenges and obstacles, neglecting cybersecurity can be costly and devastating for SMBs in the long run, with the Australian Small Business and Family Enterprise Ombudsman estimating that over 60% of Australian SMBs do not survive a cyber-attack or data breach.


The most frequently reported cybercrimes

According to the ACSC report, the most frequently reported cyber enabled crimes were:

  • online fraud: approximately 27%
  • online shopping: approximately 14%
  • online banking: approximately 13%

ACSC: Cybercrime reports by type for financial year 2021–22


Although cyber dependent crimes, such as ransomware, were a very small percentage of total cybercrime reports, the ACSC assesses that ransomware remains the most destructive cybercrime threat. This is due to the increased impact on victim organisations: not only is their business disrupted by the encryption of data, they also face reputational damage if stolen data is released or sold on. The public are also impacted by disruptions and data breaches resulting from ransomware.

According to a survey by the Australian Institute of Criminology, out of approximately 15,000 Australian computer users, SMB owners were twice as likely as other respondents to have been the victim of ransomware attacks and were more likely to have paid the ransom.

Phishing, hacking, remote access scams, and malware should also be of concern to SMBs, whether onsite or at home. Scamwatch data shows that the main delivery methods for these attacks are via smartphones and email.


The best ways to protect your SMB from cyber attacks

With hackers and scammers becoming more ambitious and bolder in their attempts, it’s no longer viable to simply set security measures and forget about them. Preventative actions, multi-layered approaches and regular assessments are key for SMBs to stay ahead. Below are some of the best ways to protect your business from a cyber attack:


1. Implement a cybersecurity policy

In order to create a cybersecurity policy, it’s best to start by undertaking a security assessment to establish a baseline and close existing vulnerabilities. It’s also important to review the cyber security posture of remote workers and their use of communication, collaboration and business productivity software.

SMBs should then establish a cybersecurity policy that outlines best practices, procedures, and guidelines for employees to follow. This policy should be regularly reviewed and updated to reflect changes in the company’s operations or the threat landscape.


2. Employee education and awareness

One of the most common ways that cyber criminals gain access to a company’s systems is through its employees. It’s essential to educate all employees on best practices for cybersecurity, such as how to create strong passwords, how to recognise phishing emails, how to avoid downloading malware and how to reduce the risks of data breaches when sending emails.

The latest notifiable data breaches report from the Office of the Australian Information Commissioner (OAIC) showed that 25% of breaches were caused by human error – most commonly by sending emails to the wrong address, closely followed by unintended release or publication, and thirdly by the failure to use BCC when sending emails.


3. Introduce access controls

Access control is a way to limit access to a computing system. It helps protect your business by restricting access to files and folders, applications, mailboxes, networks and online accounts, for example.

Typically, staff do not require full access to all data, accounts, and systems in a business in order to perform their role, and this access should be restricted where possible. Depending on the nature of your business, the principle of least privilege is usually the safest approach; it is the right choice for most small businesses. It gives users the bare minimum permissions they need to perform their work and also reduces the risk of an ‘insider’ accidentally or maliciously endangering your business.


4. Implement multi-factor authentication

Multi-factor authentication (MFA) adds an extra layer of protection to your company’s systems by requiring more than just a password to access an account. This means that even if an attacker has stolen an employee’s password, they still won’t be able to access the account without the second authentication factor.

SMBs should implement MFA on important accounts wherever possible, prioritising financial and email accounts. Some MFA options include, but are not limited to:

  • Physical token
  • Random PIN
  • Biometrics / fingerprint
  • Authenticator app
  • Email
  • SMS


5. Use passphrases

While MFA is one of the most effective ways to protect your accounts from cybercriminals, if it’s not available, then passphrases should be used to protect accounts.

A passphrase uses four or more random words as your password. For example, ‘mirror banana clay ferrari’. Passphrases are hard for cybercriminals to crack, but should be easy for users to remember.

Passphrases should be:

  • Long: The longer your passphrase, the better; it should be at least 14 characters in length.
  • Unpredictable: A random mix of unrelated words with no famous phrases, quotes or lyrics.
  • Unique: Do not reuse passphrases on multiple accounts.
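To make the three rules above concrete, here is an added example (not code from the original post) of a small passphrase generator and policy checker. The wordlist, the "known phrases" set and the already-used passphrases are constructed for the demo; the entropy helper shows why the size of the wordlist matters as much as the word count.

```python
import math
import secrets

# Constructed, deliberately tiny wordlist for the demo. A real generator should
# draw from a large list (thousands of words) so each word adds meaningful entropy.
WORDLIST = [
    "mirror", "banana", "clay", "ferrari", "otter", "quartz", "velvet", "harbor",
    "lantern", "pickle", "saddle", "tundra", "walrus", "zipper", "meadow", "copper",
]

MIN_WORDS = 4     # the post's "four or more random words"
MIN_LENGTH = 14   # the post's "at least 14 characters"

# Constructed stand-in for a blocklist of famous phrases, quotes and lyrics.
KNOWN_PHRASES = {"may the force be with you", "to be or not to be"}


def generate_passphrase(words=MIN_WORDS, wordlist=WORDLIST):
    """Pick words with the secrets module (CSPRNG), never random.choice()."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words, wordlist_size):
    """Entropy of k uniformly random words from an n-word list: k * log2(n).
    4 words from the 16-word demo list give only 16 bits; from a 7776-word
    diceware-style list they give about 51.7 bits."""
    return words * math.log2(wordlist_size)


def check_passphrase(passphrase, already_used=()):
    """Return the list of policy failures (empty list means it passes).
    Checks the post's three rules: long, unpredictable, unique."""
    failures = []
    words = passphrase.split()
    if len(passphrase) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(words) < MIN_WORDS:
        failures.append(f"fewer than {MIN_WORDS} words")
    if passphrase.lower() in KNOWN_PHRASES:
        failures.append("is a well-known phrase")
    if passphrase in already_used:
        failures.append("already used on another account")
    return failures
```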


For more on this see: Creating a best practice password policy for your business


6. Keep software up to date

Cyber attackers often take advantage of vulnerabilities in software to gain access to systems. An operating system, for example, is the most important piece of software on a computer. It manages the computer’s hardware and all its programs, and as such needs to be updated regularly to ensure you are always using the most secure version.

Keeping all software, including operating systems, browsers, and other applications, up to date with the latest security patches can help prevent the most common types of cyber threats.


7. Regularly back up important data

A backup is a digital copy of your business’ most important information, such as customer details and financial records. This can be saved to an external storage device or to the cloud. An automatic backup is a default or ‘set and forget’ system that backs up your data automatically, without human intervention.

Safely disconnecting and removing your backup storage device after each backup will ensure it remains secure during a cyber incident. Regularly backing up important data is essential in case of a cyber attack. If your systems are compromised, having a backup of critical data means that it can be restored quickly, minimising downtime and potential losses.


8. Partner with a managed IT service provider

SMBs may not have any IT staff, or the staff they do have may not specialise in cyber security. Partnering with a managed service provider (MSP) such as Neo Technologies can be a cost-effective way to gain access to expertise and additional cybersecurity tools such as firewalls, anti-virus software, and intrusion detection systems that can help protect your company’s systems from attacks.

An MSP can advise on cybersecurity tools that are appropriate for the size and complexity of your business, and will keep them updated with the latest security patches. They can also routinely monitor activity within your network to keep an eye out for irregularities, and scan for malware and viruses.


9. Consider cyber insurance

Cyber attacks can be costly, causing SMBs to go into debt or even to shut their doors completely. A cyber attack may also cause financial loss to third parties an SMB deals with, such as clients and/or suppliers. For example, if a computer virus is transmitted to a third party or confidential information is disclosed, that third party may suffer their own losses. This is known as ‘third party liability’, and the losses incurred from this can be substantial.

Cyber insurance can help mitigate these risks by paying the costs for your business to recover and by covering your liability for third party costs.

As with any insurance policy, the cost of cyber insurance will be dependent upon a number of factors such as the size of the business, industry type, revenue and number of employees.


For more on this see: 3 reasons why you need cyber insurance


Cybersecurity is essential for protecting your business and your customers. Neglecting cybersecurity can result in significant financial, legal, and reputational consequences, and can put the future of your business at risk.

With cyber threats on the rise, SMBs need a trusted advisor and partner with specialised knowledge in the strict confidentiality and security requirements for various industries. With over 25 years of experience, Neo Technologies can keep your company secure, connected and compliant, allowing SMBs to focus on future business goals. We offer end-to-end IT services, solutions, support and advisory with a depth and breadth of specialised knowledge that sets us apart from our competitors. Contact us on 1300 661 832 to learn more about ways we can help protect your business from cybersecurity attacks.


Julie Dunmore
