This guide has been developed to help businesses and users protect themselves from the most common cyber security incidents.
Cyber security doesn’t have to be difficult. There are simple measures that, if understood and implemented, can avoid or significantly reduce the impact of the most common cyber security incidents.
If you are learning about cyber security for the first time, or are keeping yourself up to date, this guide is a place to start. If you want to improve your cyber security further, you can find more information and advice at the Australian Cyber Security Centre.
The Australian Cyber Security Centre (ACSC), as part of the Australian Signals Directorate, provides cyber security advice, assistance and operational responses to prevent, detect and remediate cyber threats to Australia.
Cyber Threats Key Areas
For a user or small business, even the smallest cyber security incident can have devastating impacts.
This section is designed to help you stay alert and prepared. It identifies and explains the most common types of cyber threats and what you can do to protect your business.
Malicious Software (Malware)
Malware is a blanket term for malicious software including viruses, spyware, trojans and worms.
Malware gains access to important information such as bank or credit card numbers and passwords. It can also take control of or spy on a user’s computer. What criminals choose to do with this access and data includes:
- Other serious crimes
Protecting against malware
- Automatically update your operating system
- Automatically update your software applications
- Ensure virus protection software is installed and operating
- Set up regular backups for business and personal data
Scam Emails (Phishing)
Pronounced ‘fishing’, these are emails from individuals or organisations you ‘think’ you know. They mimic phrasing, branding and logos to appear ‘real’, before conning users into clicking on a link or attachment. They then defraud users by asking them to provide or confirm their personal information, such as passwords and credit card numbers, or to pay a fake account. They can also send an attachment, designed to look genuine, with malware inside.
Phishing emails are typically sent to thousands of people. Even if only a small percentage of recipients fall for the scam, they can net significant data and sums of money.
- Phishing (low sophistication, many targets): usually general emails with obvious warning signs, sent to thousands of targets
- Spear Phishing (high sophistication, fewer targets): fraudulent and sophisticated messages sent to a specific individual, usually the business owner, receptionist or finance and payroll manager
- Whaling (high sophistication, fewer and high-value targets): spear phishing aimed at very big fish like CEOs
Emails, SMS, Instant Messaging, Social Media
Phishing scams are not limited to emails. They are increasingly sophisticated and harder to spot.
Be cautious of:
- Requests for money, especially if urgent or overdue
- Bank account changes
- Requests to check or confirm login details
Ransomware attacks are typically carried out via a malicious but legitimate-looking email link or attachment. When downloaded or opened, most ransomware encrypts a user’s files, then demands a ransom to restore access – typically payable using cryptocurrency, like Bitcoin.
Ransom, an age-old and effective crime, is now being committed online. Ransomware offers cyber criminals a low-risk, high-reward income. It is easy to develop and distribute. Also, many businesses and users are unprepared to deal with ransomware attacks.
How to prevent ransomware
- Update operating systems and install patches when released by the vendor
- Ensure virus and malware protection software is turned on
- Implement a good firewall strategy for your mail servers and Internet access
- Do not open any attachments or files from unknown sources
- Back up your business and personal data to a separate device and offsite if possible
Software Considerations Key areas
Securely organising your software can drastically increase your business’ protection from the most common types of cyber threats.
For example, your operating system is the most important piece of software on your computer. It manages your computer’s hardware and all its programs, and therefore needs to be updated, backed up and maintained.
Improve resilience, stay up to date and stay safe with these software considerations for small businesses.
An update is a new, improved or safer version of a piece of software (program, app or operating system like Microsoft Windows or Apple iOS) your business has installed on its computers or mobile devices.
An automatic update is a default or ‘set and forget’ system that updates your software as soon as an update is available.
- Turn on or confirm auto-updates, especially for operating systems
- Regularly check for and install updates ASAP if auto-updates are unavailable, especially for software
- Install updates as soon as possible (if auto-updates are unavailable)
- Set a convenient time for auto-updates to avoid disruptions to business as usual
- If you use Anti-Virus software, ensure automatic updates are turned on
A backup is a digital copy of your business’ most important information e.g. customer details, sales figures. This can be to an external, disconnected hard drive e.g. USB or to the Cloud.
An automatic backup is a default or ‘set and forget’ system that backs up your data automatically, without human intervention.
- Choose a backup system that’s right for your business and personal data
- Regularly test that you are able to restore your backup
- Store a physical backup somewhere safe offsite
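One way to carry out the restore test in the list above, shown as an added example that is not part of the original guide: record a checksum manifest when the backup is taken, restore the archive into a scratch folder, and compare. The folder name, file names and the use of a tar.gz archive are assumptions made for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Archive source and return the manifest recorded at backup time."""
    recorded = manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return recorded


def verify_restore(archive: Path, recorded: dict) -> dict:
    """Restore into a scratch directory and compare with the recorded manifest."""
    # Use the safe "data" extraction filter where this Python version provides it.
    extra_args = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extra_args)
        restored = manifest(Path(scratch))
    common = set(recorded) & set(restored)
    return {
        "missing": sorted(set(recorded) - set(restored)),
        "changed": sorted(p for p in common if recorded[p] != restored[p]),
        "extra": sorted(set(restored) - set(recorded)),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "business-data"  # constructed sample data
        (data / "sales").mkdir(parents=True)
        (data / "customers.csv").write_text("id,name\n1,Example Pty Ltd\n")
        (data / "sales" / "2024.csv").write_text("month,total\n01,100\n")
        archive = Path(work) / "backup.tar.gz"
        recorded = make_backup(data, archive)
        # Three empty lists mean every backed-up file restored intact.
        print(verify_restore(archive, recorded))
```

Keep the recorded manifest somewhere other than the backup device, so a damaged or tampered backup cannot also alter the record it is checked against.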
Certain industries have obligations to keep records for specific periods of time. Make sure you are aware of your business’ data retention requirements.
Multi-Factor Authentication (MFA)
MFA is a security measure that requires two or more proofs of identity to grant you access.
MFA typically requires a combination of something the user knows (PIN, secret question) and something the user physically possesses (card, token).
The multiple layers make it much harder for criminals to attack your business. Criminals might manage to steal one proof of identity e.g. PIN, but they still need to obtain and use the other proofs of identity. Two-factor authentication (2FA) is the most common type of MFA.
Accessing important internal and external accounts
Small businesses should implement MFA wherever possible. Some MFA options include, but are not limited to:
- Physical token
- Random PIN
- Biometrics/fingerprint
- Authenticator app
Using a phrase or sentence, not one word, as your password
A passphrase is similar to a password. It is used to verify access to a computer system, program or service. Passphrases are most effective when they are:
- Used with multi-factor authentication
- Unique – not a famous phrase or lyric, and not re-used
- Longer – phrases are generally longer than words
- Complex – naturally occurring in a sentence with uppercase, symbols and punctuation
- Easy to remember – saves you being locked out.