
Common online security risks and advice on what you can do to protect yourself.

  • Jan 22, 2024
  • 1 min read

Threats


Business email compromise

Protect your business and employees from phishing attacks designed to steal your money, goods or information.

Business email compromise (BEC) is a form of targeted phishing, or spear phishing. Criminals target organisations and try to scam them out of money or goods. They also target employees and try and trick them into revealing important business information.   


Criminals use emails to pretend to be business representatives. They also use the compromised email accounts of employees.

Maybe a friend, colleague, or service provider has received a suspicious email from ‘you’, but you didn’t send it. The email may request payment for an invoice or ask to change bank account details.

Alternatively, maybe you noticed you are receiving unusual emails in your own email account. They may be about suspicious login activity or unexpected password resets. You might have also noticed emails have been deleted or moved to different folders.

These could be indicators of BEC.


Data breaches

What is a data breach?


A data breach occurs when sensitive or personal information is accessed, disclosed or exposed to unauthorised people. This may be by accident, or the result of a security breach. For example, when an email with personal information is sent to the wrong person, or a computer system is hacked and personal information is stolen.

Organisations collect and store many personal details. You trust them with details such as your address, phone number, identification documents, credit card number, health records and more.

If your information is involved in a data breach, the potential consequences can be far reaching. Depending on the information involved, a data breach may lead to the compromise of your online accounts, including banking. The information could also be used in targeted scams and to steal your identity.

The Notifiable Data Breaches scheme

In Australia, the Notifiable Data Breaches scheme means many organisations must tell you if your personal data has been involved in a data breach and this has put you at risk of serious harm. This could include serious physical, psychological, emotional, financial or reputational harm.

When an organisation notifies you about a data breach, they must also provide recommendations for how you can protect yourself.

The scheme applies to Australian government agencies, businesses and not-for-profit organisations with an annual turnover of more than $3 million, credit reporting bodies and health service providers, among others.

Read more about the Notifiable Data Breaches scheme

Can I prevent a data breach?

There is always a risk of a data breach, as the information you provide to organisations is stored on many different systems. There are actions you can take to minimise the likelihood and impact that a data breach can have on you.

Prepare for the likelihood of a data breach

  • Minimise the amount of personal information shared with an organisation. Only tell organisations the information that they need to provide services, rather than everything they ask for. For example, if asked for a home address consider if the organisation really requires this information, especially if it is not mandatory.

  • Look for organisations that have a commitment to cyber security. Think twice about organisations with a poor cyber security reputation.

Minimise the impact of a data breach

  • Avoid re-using passwords. A data breach may occur and compromise your password. If you have reused this password across other online accounts, they also may be at risk. By using a unique password across each of your online accounts, in the event one of your passwords is compromised in a data breach, this password can’t be used to access your other accounts. Use a strong password, such as a passphrase. Consider also using a password manager to create and manage different passwords. For more information, see our advice on passphrases.

  • Use multi-factor authentication (MFA) across your accounts. If a data breach exposes your password, the password alone will not be enough to log in to that account. For more information, see our advice on MFA.

  • Back up important information. A data breach could also result in a loss of access to data and information held by the affected organisation. For more information, see our advice on backups.



Hacking


What is hacking?

Hacking refers to unauthorised access of a system or network, often to exploit a system’s data or manipulate its normal behaviour.

How it works 

Hackers have to find a way to break into a network or account, just like a thief needs to find a way to break into a home. Often finding out a password is the first step in cracking a network’s security.

Once in, a hacker can modify how a network works, steal data, obtain passwords, get credit card information, watch what you are doing or install malicious software (malware) to further the attack.

While hacking is often highly targeted, some malware, including some ransomware and phishing campaigns, spreads opportunistically via links and attachments. Malware can compromise your system or accounts without anyone specifically targeting you.

How to protect yourself from hacking

  • Always install updates for applications and operating systems when they are available. The longer you delay, the longer you are vulnerable to hackers or malware.

  • Use strong, unique passwords. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has published advice on using password managers and creating unique passphrases, a strong type of password.

  • Always use multi-factor authentication, where possible.

  • Always backup your data so if your system is compromised, you won’t necessarily lose everything.

  • Always practice secure online browsing behaviour and be on the lookout for suspicious links or email attachments.

For more information, see our guides on Personal Cyber Security.

Identity theft


What is identity theft?

Identity theft is when a cybercriminal gains access to your personal information to steal money or gain other benefits. They can create fake identity documents in your name, get loans and benefits or apply for real identity documents in your name, but with another person's photograph.

The financial and emotional consequences can be devastating for victims. Once your identity has been stolen it can be difficult to recover and you may have problems for years to come.

What type of information do cybercriminals steal?

A cybercriminal may look to steal a range of personal information including your:

  • name

  • date of birth

  • driver’s licence number

  • address

  • mother’s maiden name

  • place of birth

  • credit card details

  • tax file number

  • Medicare card details

  • passport information

  • personal identification number (PIN)

  • online account username and login details.

How do you know if your identity has been stolen?

Look out for these common warning signs:

  • Your bank statements show purchases or withdrawals you have not made.

  • You stop receiving mail you may be expecting (e.g. electricity bills) or receive no mail.

  • You receive bills or receipts for things you haven’t purchased or statements for loans or credit cards you haven’t applied for.

  • A government agency may inform you that you are receiving a government benefit that you never applied for.

  • You have been refused credit because of a poor credit history due to debts you have not incurred.

  • You may be contacted by debt collectors.

How to protect yourself and your family

Cyber criminals can learn a lot about you from your social media accounts. Here are some tips to protect yourself and your family:

  • Limit what you share online. Reconsider sharing information on social media like your birthday, photos of a new house that include your address, or photos that identify your children’s school, or details of schools you attended. These details are often used for security questions on financial and other important accounts.

  • Set your social media privacy settings to 'private'. Ensure you’re only sharing your photos and posts with people you know and trust.

  • Don’t accept 'friend' requests from strangers.

  • Cybercriminals try to trick you into giving away your personal information. They often impersonate well-known organisations to ask you to confirm your personal details via messages or websites. Because of this, many companies now state they will not ask you to update or confirm your details, like passwords, PINs, credit card information or account details via links in messages.

  • If there really is a need to update your details, you should do so by typing the organisation's official website address manually into your internet browser and not use links from messages.

  • Think twice before entering your personal details into a website you’re not familiar with. See our advice about shopping online securely and browsing the web securely for questions to ask to help determine if a website is genuine.

Cybercriminals crack weak passwords: password-cracking software can test billions of guesses per second against a stolen password database.

  • Use a strong, unique passphrase for every account and turn on multi-factor authentication where it is offered.

Cybercriminals also use bugs in software to gain access to devices.

  • Keep your devices updated with the latest software, including antivirus software. Installing software updates gives you the latest security fixes. You can set updates to install automatically.

Other tips for protecting your online identity:

  • Think twice about what you access over public or untrusted Wi-Fi. We have published a list of tips to follow when using public Wi-Fi, for example using a VPN.

  • Regularly check your account statements including credit cards, bank statements, telephone and internet bills for possible fraudulent activity.

  • Check your credit report at least once a year to help you catch any unauthorised activity.

  • Always lock your mailbox and shred any sensitive documentation you no longer need.

  • Be wary of phone calls that ask for your personal information.

  • Be wary of people trying to view your PIN while you are using ATMs and making other purchases.

Malware

Malware is the term used to refer to any type of code or program that is used for a malicious purpose.

Cybercriminals use malware for many different reasons. Common types of malware are used for:

  • stealing your information and account details

  • encrypting your data for ransom

  • installing other software without your knowledge.

A malware attack can have serious and ongoing impacts. Malware can also act as an entry point for cybercriminals, opening the door to further malicious activity.

Malware is distributed in several ways:

  • by spam email or messages (either as a link or an attachment)

  • by malicious websites that attempt to install malware when you visit

  • by exploiting weaknesses in software on your devices

  • by posing as a trusted application that you download and install yourself.

Some malware may even pretend to be antivirus or security products.

Potential warning signs of malware

Malware can behave in many different ways. There are a number of signs you may notice that could be due to a malware infection.

  • You notice unusual account activity, for example, logins from an unusual location or at an unusual time, or your passwords have been changed and you are unable to access your accounts.

  • Your device consistently slows down, overheats, battery drains fast or runs its cooling fan faster than usual (these are signs that your processor is running at capacity).

  • Unexpected files and programs on your device. You may notice new programs, toolbars and icons have been installed.

  • Unable to access files, or ransom demands for release of your files.

  • You consistently see error messages that you never used to see.

  • Your web browser automatically takes you to a web page you did not intend to open.

  • Suspicious pop-up ads about updating or downloading a program.

  • Someone knows something that they could only have found out if they had access to your device.

Learn more about malware

There are many different types of malware but most are used to either steal your information, your computer’s resources or your money. This table lists some of the most common types of malware affecting people and businesses in the wild today.

Ransomware

A type of malware that encrypts your personal files and prevents access to them unless a ransom is paid to restore access.

For guidance on preventing ransomware, read our Ransomware Advice.

Pharming

A way of harvesting personal information in which a cybercriminal plants malicious code on your device (for example, by altering its DNS settings or hosts file) so that requests for a legitimate website are redirected to a fake one.

Trojans and backdoors

Traditionally, trojans are programs that appear to serve a useful purpose but do something malicious when run. Trojans may steal information, download additional malicious files or even provide a ‘backdoor’ into your device – allowing a cybercriminal to do almost anything they like.

Keyloggers

Records which keys you press and sends that information to a cybercriminal. This could include passwords and credit card details.

Viruses and Worms

Viruses infect files by inserting themselves into the file’s code and then running whenever the file is opened. Worms are standalone malicious programs that spread themselves from computer to computer. Similar to Trojans, viruses and worms can have many different payloads – for example, they can steal your information, download and install other malicious files, delete your files or even send spam.

Web Shell Malware

Malicious scripts that cybercriminals upload to a compromised web server and use as a persistent backdoor to launch further attacks.

ASD and NSA have jointly produced a Cybersecurity Information Sheet: Detect and Prevent Web Shell Malware (PDF)

Adware

Adware is a type of malware that gathers information to show you targeted advertising. In most cases, it is not dangerous but occasionally it can interfere with your system. For instance, it could open a webpage in your browser, which contains another type of malware.
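The detection side of the web shell entry above, as an added example that is not from the original page or from the ASD/NSA information sheet it mentions. The script looks for the trait most PHP web shells share: request-controlled input (`$_GET`, `$_POST`, `$_REQUEST`) reaching a code- or command-execution function, often through an obfuscation layer such as `base64_decode`. The file names, file contents and pattern lists are constructed for the demonstration.

```python
import re

# Functions that execute code or commands, sources of attacker-controlled input, and common wrappers.
# These lists are an assumption for the demonstration, not a complete signature set.
EXEC_FUNCS = r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)"
INPUT_SOURCES = r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"
OBFUSCATORS = r"(base64_decode|str_rot13|gzinflate|gzuncompress|strrev|chr\s*\()"


def webshell_score(source: str):
    """Return (score, reasons) for one PHP source string; 0 means none of the patterns matched."""
    reasons = []
    if re.search(EXEC_FUNCS + r"\s*\(", source) and re.search(INPUT_SOURCES, source):
        reasons.append("exec_function_with_request_input")   # e.g. system($_REQUEST['cmd'])
    if re.search(EXEC_FUNCS + r"\s*\(\s*" + OBFUSCATORS, source):
        reasons.append("exec_of_obfuscated_payload")         # e.g. eval(base64_decode(...))
    if re.search(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", source):
        reasons.append("preg_replace_e_modifier")            # legacy eval via the /e flag
    if re.search(r"\$\w+\s*\(\s*" + INPUT_SOURCES, source):
        reasons.append("variable_function_on_request_input")  # $f($_GET['c']) with $f built at runtime
    if re.search(r"[A-Za-z0-9+/]{200,}={0,2}", source):
        reasons.append("long_base64_blob")                   # payload hidden as one long literal
    return len(reasons), reasons


# Constructed file contents; none of these is a real file from any server.
SAMPLES = {
    "uploads/shell1.php": "<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; system($_REQUEST['cmd']); echo '</pre>'; } ?>",
    "uploads/shell2.php": "<?php eval(base64_decode($_POST['z0'])); ?>",
    "uploads/shell3.php": "<?php $f = 'sys'.'tem'; $f($_GET['c']); ?>",
    "index.php": "<?php echo 'hello'; $title = htmlspecialchars($_GET['q'] ?? ''); ?>",
}


def scan(samples=SAMPLES):
    """Score every file; the caller sorts or filters on the score."""
    return {name: webshell_score(src) for name, src in samples.items()}
```

Pattern matching like this is a triage aid, not a verdict: a shell that assembles its function name at runtime scores low (only the variable-function check catches `shell3.php`), and a legitimate admin script that calls `system()` on a validated value scores high. Comparing each file on the server against a known-good copy of the application closes the first gap; a human reading the flagged files closes the second.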

Ransomware

Never pay a ransom

There is no guarantee you will regain access to your information, nor prevent it from being sold or leaked online. You may also be targeted by another attack.

Call the Australian Cyber Security Centre 24/7 Hotline on 1300 CYBER1 (1300 292 371) if you need cyber security assistance.

The effects of ransomware

Ransomware can cause severe damage to both individuals and organisations. You could face significant downtime while you restore your devices and data to their original state.

If you don’t have a backup, it could be impossible to recover your files.

Downtime or data loss can hurt your reputation, and cost you money.

What to look for

Ransomware can infect your devices in the same way as other malware or viruses. For example:

  • visiting unsafe or suspicious websites

  • opening emails or files from unknown sources

  • clicking on malicious links in emails or on social media.

Common signs you may be a victim of ransomware include:

  • pop-up messages requesting funds or payment to unlock files.

  • you cannot access your devices, or your login doesn’t work for unknown reasons.

  • files request a password or a code to open or access them.

  • files have moved or are not in their usual folders or locations.

  • files have unusual file extensions, or their names or icons have changed to something strange.
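The file-level signs in the list above (changed extensions, files that no longer open, a ransom note appearing) can be turned into a simple monitor. The following is an added example, not code from the original page or from the ACSC. It scores a batch of file-change events for three indicators: many files acquiring the same unfamiliar extension within a short window, renamed files whose content now has the near-8-bits-per-byte entropy of ciphertext, and a newly created file named like a ransom note. The paths, timestamps, byte contents and the list of "normal" extensions are constructed for the demonstration.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass

# Extensions this (hypothetical) design firm normally works with; an assumption for the demo.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".png", ".ai", ".psd", ".txt"}
RANSOM_NOTE_STEMS = {"readme", "read_me", "read-me", "how_to_decrypt", "decrypt_files"}


@dataclass
class FileEvent:
    path: str        # path after the change
    old_path: str    # path before the change; "" for a newly created file
    t: float         # constructed timestamp, seconds
    data: bytes      # leading bytes of the content after the change


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 to 5 for English text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def stem(path: str) -> str:
    return path.rsplit("/", 1)[-1].split(".")[0].lower()


def ransomware_indicators(events, window_s=60.0, min_renames=5, entropy_threshold=7.5):
    """Return the indicators triggered by a list of FileEvent (empty dict = none)."""
    events = sorted(events, key=lambda e: e.t)
    found = {}
    renames = [e for e in events if e.old_path and extension(e.path) != extension(e.old_path)]

    # 1. Many files acquiring the same unfamiliar extension within a short window.
    for ext in {extension(e.path) for e in renames} - KNOWN_EXTENSIONS:
        times = [e.t for e in renames if extension(e.path) == ext]
        if len(times) >= min_renames and times[-1] - times[0] <= window_s:
            found["mass_rename"] = {"extension": ext, "count": len(times)}

    # 2. Renamed files whose content now looks encrypted.
    encrypted = [e.path for e in renames if shannon_entropy(e.data) >= entropy_threshold]
    if encrypted:
        found["high_entropy_files"] = encrypted

    # 3. A newly created file named like a ransom note.
    notes = [e.path for e in events if not e.old_path and stem(e.path) in RANSOM_NOTE_STEMS]
    if notes:
        found["ransom_note"] = notes
    return found


def sample_events():
    """Constructed events: six design files renamed and overwritten with random bytes, one normal rename, one note."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    base = 1_700_000_000.0
    text = b"Brand guidelines v3: use the navy logo on light backgrounds. " * 40
    events = [
        FileEvent(f"/srv/designs/job{i}.ai.locked", f"/srv/designs/job{i}.ai", base + 3 * i, rng.randbytes(4096))
        for i in range(6)
    ]
    events.append(FileEvent("/srv/designs/brief.docx", "/srv/designs/brief.txt", base + 9, text))
    events.append(FileEvent("/srv/designs/READ_ME.txt", "", base + 20,
                            b"Your files are encrypted. Pay in cryptocurrency to decrypt."))
    return events
```

Entropy on its own is a weak signal, since compressed formats such as .docx, .png and .zip are also close to 8 bits per byte; that is why the check is applied only to files whose extension changed. The window and count thresholds would be tuned to the share's normal rate of renames, and an alert would feed the response the case study below describes: disconnect the affected machine and start from backups.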

Case Study: Ransomware attacks can be devastating, but backups protect what matters most.

How backing up saved a business from ransomware.

Ransomware can happen to anyone, anywhere, at any time, and for one business, it did. With assistance provided by the Australian Cyber Security Centre (ACSC), the business recovered from the attack with its files largely intact and avoided months of downtime.

Gerri, who worked at a small design firm, noticed one morning they could not access a design file. The file extension was different and the icon was a blank page rather than the usual logo. Suspecting something, they raised it with their colleague Simon.

Simon decided to look at all the files on their server and noticed in real time that their files were being encrypted randomly, making them unusable.

“We actually caught it happening and then I pulled the plugs on everything and managed to save a lot,” said Simon.

A txt file titled ‘Read Me’ popped up – it was a note from a cybercriminal saying the files were encrypted with ransomware. The note demanded a ransom in cryptocurrency to unlock them.

Simon took a screenshot of the ransom note and ran anti-malware and anti-virus on all their machines. He quickly called the Australian Cyber Security Hotline on 1300 CYBER1 to report the ransomware attack and seek advice about how to recover.

Luckily, the business was following ACSC best practice advice and kept regular backups of their work to cloud servers and external drives, as well as a Network Attached Storage device.

Due to Simon’s quick thinking and awareness, he was able to save the majority of their files. However, they lost some newer files that were encrypted by the ransomware.

The business consulted an IT professional, who reformatted their systems to ensure there was no trace of ransomware on their networks, as well as updated their anti-virus software.

Unfortunately, the encrypted files could not be recovered, taking the business an additional two weeks to recreate the lost work and to get all the systems back up and running.

“The downside was having to reload the software onto the systems, which took hours for some,” said Simon.

However, if it was not for the backups made prior to the attack, the situation could have been much more severe.

“Backup all your stuff daily… if it wasn’t for that we would have been stuck for months,” said Simon.

The ACSC has updated its ransomware guidance to help Australian individuals and businesses protect themselves and respond to a ransomware attack.

The ACSC is here to help all Australians impacted by cyber incidents. ACSC cyber security advice and assistance is available 24/7 through the Australian Cyber Security Hotline (1300 CYBER1) and through ReportCyber.


ACSC advice

Prepare yourself

The ACSC’s practical guides will help you to protect yourself against ransomware attacks and tell you what to do if you’re held to ransom. Whatever happens, never pay a ransom: there is no guarantee you will regain access to your information or prevent it from being sold or leaked online, and paying marks you as a target for further attacks.

If you get stuck

Call the Australian Cyber Security Centre 24/7 Hotline on 1300 CYBER1 (1300 292 371) if you need help, or contact an IT professional for assistance.

Scams

What are scams?

Online scams cost Australians millions of dollars each year and anyone can be targeted.

Scams are a common way that cybercriminals compromise your online accounts. Scammers’ goal is to trick you into paying money or giving away your personal information. They will use email, text messages, phone calls or social media, and often pretend to be a person or organisation you trust.

Knowing what the common types of scams are, and what to look out for could save you from becoming a victim.

There are various types of scams, and cybercriminals always create new ones. It is important to be aware of these scams and their consequences, and take the necessary precautions to stay secure in the digital world.

Identity theft is one of the most serious consequences of scams. It occurs when someone uses your identity to steal money or gain other benefits. Once your identity is stolen, scammers can do serious damage such as opening new bank accounts and taking out loans in your name, signing contracts such as new phone plans, gaining access to your government online services, stealing your superannuation and more.

Scammers are very creative and always come up with new ideas to take advantage of you. For example, they may impersonate government departments (e.g. the Australian Taxation Office, asking for payment), set up fake dating or social media profiles, or tell you that one of your accounts was compromised and prompt you to take action – usually by clicking on links or giving them personal information to ‘solve the problem’.

Scammers will attempt to gain access to your devices, accounts, or personal information through various methods.

Phishing

When scammers trick you into giving away your personal details, for example by luring you to click on malicious links or attachments that look legitimate. Scammers may impersonate your bank or a government department, and ask you to give out information such as your account number, password, or credit card numbers.

Malware

When you are tricked into installing software that gives scammers access to your files and lets them track your activity.

Ransomware

When cybercriminals demand payment for you to regain access to your files.

Spear phishing

These messages are a class of phishing messages that target specific people and organisations, and may contain information that is true to make them appear more authentic. These messages can be extremely difficult to detect.

Remote access

When scammers falsely claim to be from a known company, such as your bank or your internet provider, and trick you into giving them remote access to your computer.

Hacking

When cybercriminals break into your devices by exploiting security weaknesses on your devices or network, and gain access to your personal data.

Scams are becoming more sophisticated and harder to spot. If you have any doubts about whether a message is genuine, first check if it is a scam by following these steps.

Go directly to a source you can trust

If you have any doubts about a message or call, contact the organisation directly. Visit its official website to find its phone number, or log in to your account via the official website. Do not use the links or contact details given to you in the message.

Check what the official source says about what details they might request from you

Often companies or government agencies will say what they will and will not ask you online or over the phone. For example, the bank may tell you that they will never ask for your password. If someone claiming to be from the bank then asks you for your password, you know it is likely a scam.

What to look out for

There are common indicators of scams, such as phishing.

  • Suspicious sender’s address: Scammers may use an email address that closely resembles one from a legitimate business, by changing a few characters.

  • Generic greetings and signature: Scammers may use generic greeting such as “Dear valued customer” or “Sir/Ma’am”, or limited contact information in the signature block. These are strong indicators of a phishing email.

  • Spoofed hyperlinks and websites: Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain: for example .com instead of .net.

  • Spelling and layout: Misspellings, bad grammar and punctuation, and inconsistent formatting are all indications of scams.

  • Suspicious attachments: Unsolicited requests to open or download attachments are red flags: don’t do it.
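The indicators in this list, together with the business email compromise warning signs earlier on the page (a message from ‘you’ asking for an invoice to be paid or bank details changed, replies routed somewhere else), can be checked mechanically before anyone acts on a message. The example below is added here and is not code from the original page or from the ACSC. It parses one RFC 5322 message and reports which indicators fire: a sender domain that is a look-alike of a domain you trust (different TLD, digits in place of letters, a one- or two-character edit), a Reply-To that sends answers to a different domain, a generic greeting, urgency wording, a request about bank account or payment details, and a hyperlink whose visible text names a different host than its href. The trusted-domain list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this organisation legitimately deals with (assumed for the demonstration).
TRUSTED_DOMAINS = ("example-bank.com.au", "example-supplies.com")
# Digits that look-alike domains substitute for letters; 'rn'->'m' and 'vv'->'w' are handled in normalise().
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
SECOND_LEVEL = {"com", "net", "org", "gov", "edu"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """'pay.example-bank.com.au' -> ('example-bank', 'com.au'). Crude; a real tool would use the Public Suffix List."""
    parts = domain.lower().split(".")
    if len(parts) < 2:
        return parts[0], ""
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and len(parts[-1]) == 2:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], parts[-1]


def normalise(label: str) -> str:
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates (other TLD, homoglyphs, one or two edits), or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    name, _ = split_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(normalise(name), split_domain(trusted)[0]) <= 2:
            return trusted
    return None


def host_of(url: str) -> str:
    m = re.match(r"^(?:https?://)?([^/\s]+)", url.strip())
    return m.group(1).lower() if m else ""


def phishing_indicators(raw_message: str):
    """Indicators triggered by one message; an empty list means none of these checks fired."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = re.sub(r"<[^>]+>", " ", body)
    found = []
    imitated = lookalike_of(sender_domain)
    if imitated:
        found.append(f"lookalike_sender_domain:{sender_domain}~{imitated}")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        found.append("reply_to_domain_differs_from_from")
    if re.search(r"dear (valued )?customer|sir/ma'?am", text, re.I):
        found.append("generic_greeting")
    if re.search(r"\burgent|immediately|within \d+ hours", msg.get("Subject", "") + " " + text, re.I):
        found.append("urgency_language")
    if re.search(r"bank account details|new account details|payment details|invoice", text, re.I):
        found.append("payment_or_bank_detail_request")
    # Spoofed hyperlink: the visible text names one host, the href points at another.
    for href, link_text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = host_of(link_text)
        if "." in shown and shown != host_of(href):
            found.append(f"spoofed_hyperlink:{shown}->{host_of(href)}")
    return found


# Constructed messages for the demonstration; neither is a real email.
SAMPLE_PHISH = """From: Example Bank Security <alerts@examp1e-bank.com>
Reply-To: accounts-update@mail-examplebank.co
To: finance@example-supplies.com
Subject: Urgent: confirm our updated bank account details within 24 hours
Content-Type: text/html; charset="utf-8"

<p>Dear valued customer,</p>
<p>Our bank account details have changed. Confirm the new account details immediately to avoid suspension:</p>
<p><a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com.au/secure</a></p>
"""

SAMPLE_LEGIT = """From: Example Bank <alerts@example-bank.com.au>
To: finance@example-supplies.com
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<p>Hi Gerri,</p>
<p>Your statement is ready. Log in through the app to view it.</p>
"""
```

`lookalike_of()` is the programmatic form of “look closely at the sender’s address”: `examp1e-bank.com` normalises to `example-bank` and matches the trusted `example-bank.com.au` despite the digit and the different TLD. A real deployment would use the Public Suffix List instead of the crude `split_domain()`, and would treat these results as signals feeding a score that routes the message for review rather than as a verdict; none of them replaces the advice above to confirm a change of bank details by phone on a number you already hold.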

Common things scammers do to trick you

In addition to exploiting security weaknesses, scammers prey on our human nature through various techniques, to prompt us to do certain things.

  • Authority: Is the message claiming to be from someone official, such as your bank, a government department, a utility company, your doctor or a solicitor? Criminals pretend to be important people or organisations to trick you into doing what they want.

  • Urgency: Are you told that you have a limited time to respond, for example, ‘within 24 hours’ or ‘immediately’? Scammers often threaten you with fines or other negative consequences.

  • Emotion: Does the message make you panic, fearful, hopeful or curious? Scammers use threatening language, make false claims of support, or tease you into wanting to find out more.

  • Scarcity: Is the message offering something that seems too good to be true, such as money or a ‘good deal’? Fear of missing out on an opportunity can make you respond quickly.

  • Current events: Are you expecting to see a message like this? Scammers will exploit current news stories and events to make their claims seem more real (e.g. COVID-19).

Professor David Lacey, Chair of Cyber Security at the University of the Sunshine Coast, and Professor Monica Whitty, cyber psychologist at the University of Melbourne, give some insights into how scammers can trick us.

National Anti-Scam Centre

For more examples of common scams in Australia, or to report a scam, visit National Anti-Scam Centre - Scamwatch.

How to avoid being a victim: security tips

The best way to protect yourself from scams such as phishing attempts is to:

  • stay aware of current threats

  • be very cautious online

  • take steps to block malicious or unwanted messages from reaching you in the first place.

Reduce your exposure to scams

  • Never open links or attachments you didn’t expect to receive, or that came from people or organisations you don’t know.

  • Scammers may pose as someone you know, or even gain access to their social media accounts to send out scams. Think twice if you receive a weird message that contains a link or attachment, or unusual requests (e.g. asking for money). It can be hard to know if it is legitimate, but the best way to know if your friend or a scammer is behind the message is to check with your friends offline.

  • Use a spam filter on your email account to block deceptive messages from even reaching you.

  • Update all computers, phones, tablets and smart devices and turn on automatic updates.

  • Stay informed on the latest threats by signing up for the Australian Signals Directorate’s Australian Cyber Security Centre's (ASD’s ACSC) Alert Service. You can also visit National Anti-Scam Centre - Scamwatch to find information about the latest scams.

Protect your accounts

  • Use multi-factor authentication and strong, unique passphrases on your accounts. If you fall for a phishing scam, this will help limit the damage.

  • Never share your log-in details, multi-factor authentication or verification codes with anyone. Scammers will attempt to build trust with you, hoping to get these codes to access your account.

Check that requests are legitimate

  • If you are transferring money or sensitive data, verify the request and payment details face-to-face or using a phone number you know to be correct. Do not use the details you have been sent because these could be fraudulent. Cybercriminals may intercept email communications, so confirming bank account details over the phone with the person you are transacting with for large payments adds an extra layer of protection.

  • Understand that your financial institution and other large organisations (such as Amazon, Apple, Facebook, Google, PayPal and others) would never send you a link and ask you to enter your personal or financial details.

  • Similarly, government agencies such as the Australian Taxation Office (ATO) will never ask you to pay money over the phone, and law enforcement agencies such as the Australian Federal Police (AFP) will not call you to issue an arrest warrant. All of these threats are scams.

  • If you do not recognise or trust an email address or URL, open a search engine and search for it along with the word ‘review’. This way, you can find the information without directly clicking on the suspicious link.

System and network attacks

What are system and network attacks?

There are many threats to the security of your systems, network, and data. These can range from technical threats like denial-of-service and ransomware, to individual threats like malicious insiders and business email compromise.

Targeted attacks of this nature could result in a data breach or financial loss. Read through our advice below on how to prepare your organisation against some of these threats.

Report and recover from system and network attacks

There has been a security breach. What should I do?

Attacks against your systems and networks can happen at any time, to any person or business. The effects can be devastating, often crippling productivity and exposing sensitive data.

There are some ways to tell if there was an attack on your systems and network:

  • You notice unusual activity on your systems, network or files, or you cannot access them.

  • Your computer or network is slower than normal.

  • People are receiving suspicious emails that appear to be from you or your company.

  • You have received a ransom demand to decrypt your data or to prevent it from being leaked or sold online.

Preparing for and Responding to Denial-of-Service Attacks

Introduction

Denial-of-service attacks are designed to disrupt or degrade online services such as web, email and DNS services. To achieve this, malicious actors may use a number of approaches to deny access to legitimate users of online services, such as:

  • using multiple computers to direct a large volume of unwanted network traffic at online services in an attempt to consume all available network bandwidth

  • using multiple computers to direct tailored traffic at online services in an attempt to consume the processing resources of online services

  • hijacking online services in an attempt to redirect legitimate users away from those services to other services.

Although organisations cannot avoid being targeted by denial-of-service attacks, there are a number of measures they can implement to prepare for and potentially reduce the impact if targeted. Preparing before an attack occurs is by far the best strategy: it is very difficult to respond once an attack has begun, and efforts at that stage are unlikely to be effective.

While an organisation’s primary focus is likely to be preventing themselves from being a victim of denial-of-service attacks, all organisations can take steps to ensure that their own online services cannot be abused by malicious actors to conduct denial-of-service attacks targeting others.

Preparing for denial-of-service attacks

Before implementing any measures to prepare for denial-of-service attacks, organisations should determine whether a business requirement exists for their online services to withstand denial-of-service attacks, or whether temporary denial of access to online services is acceptable to the organisation.

If organisations wish to increase their ability to withstand denial-of-service attacks, they should, where appropriate and practical, implement the following measures prior to any denial-of-service attacks beginning:

  • Determine what functionality and quality of service is acceptable to legitimate users of online services, how to maintain such functionality, and what functionality can be lived without during denial-of-service attacks.

  • Discuss with service providers the details of their denial-of-service attack prevention and mitigation strategies. Specifically, the service provider’s:

      • capacity to withstand denial-of-service attacks

      • any costs likely to be incurred by customers resulting from denial-of-service attacks

      • thresholds for notifying customers or turning off their online services during denial-of-service attacks

      • pre-approved actions that can be undertaken during denial-of-service attacks

      • denial-of-service attack prevention arrangements with upstream providers (e.g. Tier 2 service providers) to block malicious traffic as far upstream as possible.

  • Protect organisation domain names by using registrar locking and confirming domain registration details (e.g. contact details) are correct.

  • Ensure 24x7 contact details are maintained for service providers and that service providers maintain 24x7 contact details for their customers.

  • Establish additional out-of-band contact details (e.g. mobile phone number and non-organisational email) for service providers to use when normal communication channels fail.

  • Implement availability monitoring with real-time alerting to detect denial-of-service attacks and measure their impact.

  • Partition critical online services (e.g. email services) from other online services that are more likely to be targeted (e.g. web hosting services).

  • Pre-prepare a static version of a website that requires minimal processing and bandwidth in order to facilitate continuity of service when under denial-of-service attacks.

  • Use cloud-based hosting from a major cloud service provider (preferably from multiple major cloud service providers to obtain redundancy) with high bandwidth and content delivery networks that cache non-dynamic websites. If using a content delivery network, avoid disclosing the IP address of the web server under the organisation’s control (referred to as the origin web server), and use a firewall to ensure that only the content delivery network can access this web server.

  • Use a denial-of-service attack mitigation service.

Responding to denial-of-service attacks

Organisations that wish to attempt to withstand denial-of-service attacks, but have not pre-prepared, should, where appropriate and practical, implement the following measures, noting that they will be much less effective than if the organisation had been able to adequately prepare beforehand:

  • Discuss with service providers their ability to immediately implement any responsive actions, noting service providers may be unable or unwilling to do so, or may charge additional fees for services not covered in contracts.

  • Temporarily transfer online services to cloud-based hosting hosted by a major cloud service provider (preferably from multiple major cloud service providers to obtain redundancy) with high bandwidth and content delivery networks that cache non-dynamic websites. If using a content delivery network, avoid disclosing the IP address of the origin web server, and use a firewall to ensure that only the content delivery network can access this web server.

  • Use a denial-of-service attack mitigation service for the duration of the denial-of-service attacks.

  • Deliberately disable functionality or remove content from online services that enable the current denial-of-service attack to be effective (e.g. implement a pre-prepared low resource version of the website, remove search functionality, or remove dynamic content or very large files).

Avoiding contributing to denial-of-service attacks

Organisations should ensure that they are not unwittingly contributing to denial-of-service attacks which could impact other organisations and/or individuals. In doing so, a key risk is the exposure of improperly configured or protected services which can be abused as part of a traffic amplification attack.

To ensure that the risk to others is minimised, organisations should implement the following measures:

  • prioritise the review of protocols as outlined in the US Cybersecurity & Infrastructure Security Agency’s UDP-Based Amplification Attacks publication

  • monitor for new amplification vectors as they are identified and review accordingly

  • configure both inbound and outbound network access controls to limit access to authorised services and entities

  • if not required, block anonymous public access of amplification-prone services

  • if blocking or applying access controls is not possible or appropriate, consider implementing a rate-limiting mechanism to reduce the consequences of abuse

  • if possible, secure the configuration of exposed services at the application level to limit the risk of abuse.

Malicious insiders


Malicious insiders can be employees, former employees, contractors or business associates who have legitimate access to your systems and data, but use that access to destroy data, steal data or sabotage your systems. It does not include well-meaning staff who accidentally put your cyber security at risk or spill data.


There are many reasons an insider can be or become malicious including revenge, coercion, ideology, ego or seeking financial gain through intellectual property theft or espionage. They could:

  • impact external sites, creating public damage to your brand

  • prevent your systems from functioning properly

  • steal or sell business trade secrets or intellectual property (IP)

  • install malware for their own purposes.

Cyber adversaries can use employees whose trust they have gained to access your business systems and accounts. Employees could provide information to a malicious insider unknowingly, or mention sensitive details in trust.


How do I recover from a malicious insider threat?

Report illegal activity to the police.

Recovering from a malicious insider depends on the damage they have done. If they have damaged your website, installed malware or otherwise stopped your systems from functioning properly, you can put in place technical solutions to those problems.

However, if they have stolen data, there is very little you can do to recover. If you have unique logins and auditing on your systems (more information below), you or the police might be able to identify who the malicious insider is. However, this will not recover the stolen data. That is why prevention is key.


How do I prevent a malicious insider threat?

How to protect against malicious insiders will depend on your organisation, systems, culture and business processes, and how well this is communicated and understood by staff.

A malicious insider's system access and knowledge of your business processes (particularly its checks and balances) can make them hard to detect. But there are practices you can put in place to reduce the risk of a malicious insider in your organisation.


Technical controls

Control removable storage

One of the easiest ways for a malicious insider to steal data is simply to plug in a removable storage device, like a USB stick. If possible, control who is allowed to connect removable media to your network, and what devices can be connected.

You could also block your network from connecting to unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G devices.

Control outbound emails and files

Another way for a malicious insider to steal data is to email it to themselves, either through their work email address or personal webmail. They could also upload files to cloud-based storage services. To prevent this:

  • implement a system to block and log outgoing emails with sensitive keywords or data patterns

  • block the use of unapproved cloud computing services including personal webmail.
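As an added example (not code from the original page), a simple outbound-mail check that applies both points above: it blocks and logs a message that carries sensitive keywords or a Luhn-valid card number addressed to an unapproved external domain, and any message addressed to personal webmail. The organisation domain, approved domains and keywords are constructed policy values for this example.

```python
import re
from dataclasses import dataclass, field

# Policy values constructed for this example (hypothetical organisation).
ORG_DOMAIN = "example-business.com.au"
APPROVED_EXTERNAL_DOMAINS = {"example-supplier.com.au", "example-bank.com.au"}
PERSONAL_WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
SENSITIVE_KEYWORDS = ("confidential", "commercial-in-confidence", "trade secret")

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs (order or phone numbers)
    are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digit strings in text that pass the Luhn check."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Decision:
    action: str                            # "allow" or "block"
    reasons: list[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def check_outbound(sender: str, recipients: list[str], subject: str,
                   body: str, attachment_names: list[str]) -> Decision:
    """Decide whether an outbound message may leave the organisation."""
    reasons = []
    haystack = "\n".join([subject, body, *attachment_names]).lower()
    keywords = [k for k in SENSITIVE_KEYWORDS if k in haystack]
    cards = find_card_numbers(subject + "\n" + body)
    sensitive = bool(keywords or cards)

    external = [r for r in recipients if domain_of(r) != ORG_DOMAIN]
    webmail = [r for r in external if domain_of(r) in PERSONAL_WEBMAIL_DOMAINS]
    unapproved = [r for r in external
                  if domain_of(r) not in APPROVED_EXTERNAL_DOMAINS]

    # Personal webmail is never an approved destination under this policy.
    if webmail:
        reasons.append("recipient on personal webmail: " + ", ".join(webmail))
    # Sensitive content may only go to approved external domains.
    if sensitive and unapproved:
        detail = keywords + [f"card ending {c[-4:]}" for c in cards]
        reasons.append("sensitive content to unapproved domain: " + "; ".join(detail))
    return Decision("block" if reasons else "allow", reasons)


def log_record(sender: str, recipients: list[str], decision: Decision) -> str:
    """One line for the mail gateway log; card numbers are never written in full."""
    return (f"dlp action={decision.action.upper()} from={sender} "
            f"to={','.join(recipients)} reasons={' | '.join(decision.reasons) or '-'}")
```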

Backups

Malicious insiders may set out to ruin your business by destroying your information systems. Keeping regular backups, which are only accessible to trusted staff, will reduce this risk.

Require strong passwords and multi-factor authentication

Requiring strong passwords and using multi-factor authentication means that even if a malicious insider gets hold of a colleague's user id, it is difficult for them to get access to that account to perform malicious actions.


Access controls

Restrict access

If your business is dependent on critical intellectual property, or other highly sensitive and vulnerable information, you should restrict staff access to only what they need to do their job.

If that is impractical and wider access is provided, ensure transactions are logged, monitored and audited, and that staff are aware this is an ongoing practice. If possible, consider having a separate team to review audit logs.

Tracking the assignment and use of privileged accounts will help control who can do what on the network and restrict unauthorised activities.

Use unique logons

Staff should have unique logons to systems. Don't let staff share a logon unless there is no other practical alternative. If staff must share a logon, try to devise a way to control this arrangement.

Deactivate access

When an employee finishes with your organisation, or their role changes, make sure their associated network and system access is deactivated at the same time.

Any shared passwords the person knows should also be changed. For example:

  • shared office WiFi password

  • alarm code

  • bank account passwords

  • remote access details

  • shared email accounts

  • administrative or privileged user accounts.

To help in this process, keep a checklist of all systems a staff member potentially has access to so that the access removals and password changes can be systematically checked and actioned as necessary. Provided the list is updated as new systems are added, the task of keeping it up to date should not be too onerous.


Auditing and logging

Many business information systems will log, monitor and audit staff network activities. You should investigate what logging capabilities your system has, especially for high-risk systems, such as ones that authorise payments.

Of course, without unique logons, auditing loses its value if you cannot identify who did the transaction.

Similarly, when looking to buy new software or cloud services, you should check that appropriate technical controls are included for critical transactions.

To be effective, you need to make sure audits of your system are regularly reviewed and that unusual activity is followed up. Make sure your staff know of your auditing and review process, so they are deterred from considering unauthorised activities.
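The following added example (not from the original page) shows what a regular review of audit logs can look like in practice. It parses constructed sample log lines and flags out-of-hours activity on a payment-authorising system, use of a shared or generic account on that system, and one account appearing from two source addresses within a short window, which is the pattern a shared logon produces. The log format, system names and thresholds are assumptions for this example.

```python
import re
from datetime import datetime

# Constructed sample audit log (not from any real system); one event per line.
SAMPLE_LOG = """\
2024-01-22T09:02:11 user=jsmith src=10.0.1.5 system=payments action=view_invoice
2024-01-22T09:05:40 user=jsmith src=10.0.7.22 system=payments action=approve_payment
2024-01-22T13:15:02 user=amara src=10.0.1.9 system=fileshare action=read
2024-01-22T22:47:19 user=amara src=10.0.1.9 system=payments action=approve_payment
2024-01-22T23:01:00 user=accounts-shared src=10.0.3.3 system=payments action=change_bank_details
"""

LINE = re.compile(r"^(\S+) user=(\S+) src=(\S+) system=(\S+) action=(\S+)$")

# Review policy; all values are assumptions for this example.
HIGH_RISK_SYSTEMS = {"payments"}
BUSINESS_HOURS = range(7, 19)            # 07:00 to 18:59 counts as in hours
SHARED_ACCOUNT_HINTS = ("shared", "generic", "admin")
SAME_USER_WINDOW_SECONDS = 600           # two addresses within 10 minutes


def parse_log(text: str) -> list[dict]:
    """Parse the key=value log lines into events sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                     # malformed line: skip rather than abort the review
        ts, user, src, system, action = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "system": system, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def review(events: list[dict]) -> list[dict]:
    """Apply the three review rules and return one finding per hit."""
    findings = []
    last_seen: dict[str, dict] = {}
    already_flagged: set[str] = set()
    for e in events:
        high_risk = e["system"] in HIGH_RISK_SYSTEMS
        when = e["ts"].isoformat()
        # Rule 1: activity on a high-risk system outside business hours.
        if high_risk and e["ts"].hour not in BUSINESS_HOURS:
            findings.append({"rule": "out_of_hours", "user": e["user"],
                             "detail": f"{e['action']} on {e['system']} at {when}"})
        # Rule 2: a shared or generic account acting on a high-risk system;
        # such a logon cannot be tied to one person, so auditing loses its value.
        if high_risk and any(h in e["user"].lower() for h in SHARED_ACCOUNT_HINTS):
            findings.append({"rule": "shared_account", "user": e["user"],
                             "detail": f"{e['action']} on {e['system']} at {when}"})
        # Rule 3: the same account seen from two source addresses within the
        # window, which is what a logon shared between staff looks like.
        prev = last_seen.get(e["user"])
        if (prev and prev["src"] != e["src"] and e["user"] not in already_flagged
                and (e["ts"] - prev["ts"]).total_seconds() <= SAME_USER_WINDOW_SECONDS):
            findings.append({"rule": "possible_shared_logon", "user": e["user"],
                             "detail": f"{prev['src']} then {e['src']} within "
                                       f"{SAME_USER_WINDOW_SECONDS} s"})
            already_flagged.add(e["user"])
        last_seen[e["user"]] = e
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f['rule']:22} {f['user']:16} {f['detail']}")
```

Each finding is something a reviewer follows up with the account owner; the sample produces four.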


Focus on your culture

The culture of your organisation and overall contentment of your staff is important in mitigating the insider threat. The more integrity and transparency you have in your work environment, the harder it is to act dishonestly. Additionally, happy, valued and challenged staff members are less likely to act to harm your organisation.

Collaboration can also help discourage malicious insiders, by discouraging a culture of lone operators and reducing the incentives and opportunities for staff to work against your organisation.

An active approach to staff welfare will help you support your staff, and provide early warning signs of changes in their circumstances which might put them, and your organisation, at risk.


Business processes

Personnel security

For all employees, irrespective of their system access, pre-employment and background checks are a good first step.

Be clear with new starters on how you can and will verify pre-employment information and conduct background checks. You should also include a dispute process to identify incorrect information from these checks.

Identity should be established using a recognised form of identification, such as an Australian state or territory driver's licence or Australian passport.

Police records checks are obtainable through State and Territory police forces.

You can check referees and previous places of employment.

In addition, there are firms that specialise in doing background checks on individuals.

You could also consider ongoing, periodic checks to ensure that your employees' situations haven't changed.

For more information and mitigation strategies, read the Australian Government's The insider threat to your business – A personnel security handbook.

ICT staff

ICT staff have powerful access, and can often bypass access controls and audit trails.

In the Australian Government these roles are known as 'positions of trust' and require a security clearance.

If your business is big enough to have its own ICT staff with this level of privileged access, you should make sure they have a high level of integrity.

Improve staff education

Make staff cyber security awareness a priority in your organisation.

Documenting and training staff in business activities helps drive a clear and shared understanding of expectations and culture. Educating staff on the business and the risk environment it operates in is key to this outcome.

Cyber security documentation loses its value if staff are not made aware of its existence and use.

Make staff aware that they are responsible for activities under their logon and the importance of protecting their logon from misuse.

For example, staff should be made aware of the importance of:

  • choosing a strong password

  • not sharing their password/logon details with others

  • either remembering their password, or ensuring it is securely stored so others cannot access it

  • locking their computer or device when they leave their desk.

Data Spill Management Guide

Introduction

A data spill is the accidental or deliberate exposure of data into an uncontrolled or unauthorised environment, or to persons without a need-to-know. A data spill is sometimes referred to as a data breach or a data leak.

Data spills usually fall into one of two categories:

  • The transfer of data to a system which is not authorised to handle the data. Such a transfer may be performed via email or digital media.

  • The unauthorised disclosure of data on the internet, including via web forums, social media and other types of cloud-based storage.

Data spills are considered cyber security incidents and should be reported to the Australian Cyber Security Centre (ACSC).

Data spill management overview

Educating users of system and web usage policies, as well as how to appropriately identify and handle data, can greatly assist in preventing data spills. However, in the event of a data spill, organisations should use the following five step process:

  • Identify: Recognise that a data spill has taken place.

  • Contain: Determine the breadth of the data spill.

  • Assess: Decide on the most appropriate course of action to address the data spill.

  • Remediate: Remediate the data spill based on the course of action chosen.

  • Prevent: Implement prevention measures to stop similar incidents from occurring in the future.

Step 1: Identify

Data spills are usually identified by users. Organisations' standard procedures should require all users to notify an appropriate security contact of any suspected data spill, or of any access to data that they are not authorised to access.

Data spills can also be identified through monitoring, auditing and logging. For example:

  • Preventing non-protectively marked emails from being sent or received by an organisation’s email server or email client.

  • Using data loss prevention tools that can warn users and alert administrators of possible security violations.

An immediate assessment should be performed to:

  • Track data flow, movement and storage locations of the spilled data to assist in determining what devices and systems are affected.

  • Identify affected system users, including any external to the organisation.

  • Determine the length of time between the data spill and the identification of the data spill.

Step 2: Contain

Containment may involve physically isolating or logically separating affected systems from a network. Logical separation can be achieved by temporarily removing software functionality or applying access controls to systems to prevent further exposure.

For example, the containment process taken for a data spill involving an internal email may include:

  • Identifying the sender and recipients of the email, contacting them and directing them not to forward or access the email.

  • Determining if it is necessary to retain a copy of the email so that the sensitivity of the data can be verified by the data owners for a damage assessment.

  • Determining if it is necessary to delete the email from affected users’ inboxes as quickly as possible to prevent further dissemination of the email.

  • Proceeding to the assessment phase to determine what further actions are required, including potential sanitisation of the email server and workstations.

Step 3: Assess

After containment, to prevent further access and exposure of spilled data, a thorough assessment should be performed. This includes:

  • Identifying affected system users, systems and devices. While the identification process highlights the systems and users that are initially affected, a more thorough assessment should be performed after the containment process. This should include devices such as workstations, backup storage, printers, print servers, network shares, email inbox and servers, content filtering appliances, webmail and external systems. Organisations should involve their system and network administrators in this process.

  • Contacting the data owners and relevant authorities. The data owners should be contacted and notified of the data spill. The data owners should be able to provide guidance on any specific handling requirements for the data, if applicable, to minimise its exposure.

  • Performing a damage assessment. Organisations should perform a damage assessment to determine what harm was caused by the data spill. Organisations should assume that the spilled data is compromised and base remediation procedures or risk management on a worst-case scenario.

Step 4: Remediate

Organisations should work in collaboration with data owners to determine a satisfactory remediation of any data spill, noting that remediation is usually achieved through a balance of technical controls and risk management activities.

For each system identified during the assessment stage, a remediation strategy should be developed that covers:

  • access controls to the data and the systems that hold the data

  • utilisation rate of memory storage (i.e. ability for the system to naturally overwrite free space through data attrition and growth)

  • criticality of the system to the business (e.g. mission critical Storage Area Network or a user workstation)

  • the exposure duration of data (i.e. is it a recent exposure or has the data been exposed for a long period of time)

  • sanitisation options available for the media (e.g. raw disk overwrite, file overwrite or physical destruction)

  • disposal consideration of the asset at end of life (i.e. will the asset be resold or physically destroyed)

  • balancing the risk of drawing attention to the data versus accepting the damage

  • resources, impacts and financial costs to replace or sanitise affected systems.

All remediation actions, including their outcomes, should be appropriately documented.

Step 5: Prevent

Actions that cause data spills should be reviewed to determine why they occurred (e.g. non-adherence of policy, gaps in existing procedures or absence of a technical control).

The review should result in the implementation of preventative measures to reduce the likelihood of future data spills occurring. This may include additional user training or improved technical controls.

Malware

Malware is the term used to refer to any type of code or program that is used for a malicious purpose.

Cybercriminals use malware for many different reasons. Common types of malware are used for:

  • stealing your information and account details

  • encrypting your data for ransom

  • installing other software without your knowledge.

A malware attack can have serious and ongoing impacts. Malware can also act as an entry point for cybercriminals, opening the door to further malicious activity.

Malware is distributed in several ways:

  • by spam email or messages (either as a link or an attachment)

  • by malicious websites that attempt to install malware when you visit

  • by exploiting weaknesses in software on your devices

  • by posing as a trusted application that you download and install yourself.

Some malware may even pretend to be antivirus or security products.

Potential warning signs of malware

Malware can behave in many different ways. There are a number of signs you may notice that could be due to a malware infection.

  • You notice unusual account activity, for example, logins from an unusual location or at an unusual time, or your passwords have been changed and you are unable to access your accounts.

  • Your device consistently slows down, overheats, battery drains fast or runs its cooling fan faster than usual (these are signs that your processor is running at capacity).

  • Unexpected files and programs on your device. You may notice new programs, toolbars and icons have been installed.

  • Unable to access files, or ransom demands for release of your files.

  • You consistently see error messages that you never used to see.

  • Your web browser automatically takes you to a web page you did not intend to open.

  • Suspicious pop-up ads about updating or downloading a program.

  • Someone knows something that they could only have found out if they had access to your device.

Learn more about malware

There are many different types of malware but most are used to either steal your information, your computer’s resources or your money. This table lists some of the most common types of malware affecting people and businesses in the wild today.

Type

What it does

Ransomware

A type of malware that encrypts all your personal files and prevents access to them unless a ransom is paid to restore access to the files.

For guidance on preventing ransomware, read our Ransomware Advice.

Pharming

A way of harvesting personal information, where a cybercriminal puts malicious code on your device that redirects you to a fake website.

Trojans and backdoors

Traditionally, trojans are programs that appear to serve a useful purpose but do something malicious when run. Trojans may steal information, download additional malicious files or even provide a ‘backdoor’ into your device – allowing a cybercriminal to do almost anything they like.

Keyloggers

Records which keys you press and sends that information to a cybercriminal. This could include passwords and credit card details.

Viruses and Worms

Viruses infect files by inserting themselves into the file’s code and then running whenever the file is opened. Worms are standalone malicious programs that spread themselves from computer to computer. Similar to Trojans, viruses and worms can have many different payloads – for example, they can steal your information, download and install other malicious files, delete your files or even send spam.

Web Shell Malware

Malicious scripts that allow cybercriminals to compromise web servers and use them as a permanent backdoor to launch additional attacks.

ASD and NSA have jointly produced a Cybersecurity Information Sheet: Detect and Prevent Web Shell Malware (PDF)

Adware

Adware is a type of malware that gathers information to show you targeted advertising. In most cases, it is not dangerous but occasionally it can interfere with your system. For instance, it could open a webpage in your browser, which contains another type of malware.


Small Business Cyber Security Guide


For a small business, even a minor cyber security incident can have devastating impacts.

This guide includes basic security measures to help protect your business against common cyber security threats. As a starting point, we recommend the following three measures:

  • Turn on multi-factor authentication

  • Update your software

  • Back up your information

This guide might include measures that are not relevant to your business, or your business may have more complex needs. After completing this guide, we recommend small businesses implement Maturity Level One of the Essential Eight.

If you have questions about this advice or cyber security more broadly, we recommend you speak to an IT professional or a trusted advisor.

Threats to small businesses

Scams are a common way that cybercriminals target small businesses. Their goal is to scam you or your staff into:

  • sending money or gift cards

  • clicking on malicious links or attachments

  • giving away sensitive information, such as passwords.

Cybercriminals may try and scam your business through email, text messages, phone calls and social media. They will often pretend to be a person or organisation you trust.

Phishing attacks

Of particular concern to small businesses are phishing attacks. These scams often contain a link to a fake website where you are encouraged to log in to an account or enter confidential details.

Phishing attacks typically compromise your account passwords. Cybercriminals often use this method to take over the social media accounts of small businesses and hold them to ransom.

Ways to mitigate

If a message is from a known entity but seems suspicious, use caution. Contact the person or business separately to check whether the message is legitimate. Use contact details you find through a legitimate source, for instance the business’s official website, not those contained in the suspicious message.

Learn more about identifying scams and phishing attacks with the following resources:

Case study: An employee at a courier company received an email from one of their Executive staff, asking that they purchase 6 x $500 MasterCard prepaid credit cards. The Executive told her to keep it confidential as the cards would be gift vouchers for staff members. Once purchased, the employee was asked to photograph both sides of the cards and send them through to the Executive as proof of purchase. As instructed, the employee went to a post office and used her personal credit card to purchase the gift cards. She replied to the Executive’s email and sent through photos of the gift cards as proof. After returning from the post office, the employee gave the physical cards to the Executive – who had no knowledge of them. On review, all emails about the gift cards came from a random email address and were not from the Executive’s legitimate email account. It had been a scam.

Email Attacks

In addition to scams like phishing, a common email attack against small businesses is business email compromise (BEC). Criminals can impersonate business representatives by using compromised email accounts, or through other means – like using a domain name that looks similar to a real business. Aside from stealing information, the goal of these attacks is usually to scam victims into sending funds to a bank account operated by the scammer.

Ways to mitigate

The best defence against email attacks is training and awareness for your employees. Ensure your staff know to always be cautious of emails with the following:

  • requests for payments, especially if urgent or overdue

  • change of bank details

  • an email address that doesn't look quite right, such as the domain name not exactly matching the supplier's company name.

While these attacks can be devastating, the mitigation measures are easy and cost almost nothing. When staff receive emails like this, the most effective mitigation is to call the sender to confirm they are legitimate. Do not use the contact details you have been sent as these could be fraudulent. Introduce a formal process for staff to follow when payment requests are received or bank details are changed.
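An added example (not from the original page) of the domain check described above, run on a message's From and Reply-To addresses against a list of known supplier domains: it flags a domain that differs from a known supplier only by look-alike characters, by one or two edits, or by its ending, and a Reply-To that points somewhere other than the From domain. The supplier domains and the sample addresses are constructed.

```python
# Trusted supplier domains; constructed for this example.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.com.au", "example-bank.com.au"}

# Characters and pairs that are easily mistaken for each other on screen.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def normalise(domain: str) -> str:
    """Lower-case the domain and fold look-alike characters to a canonical form."""
    d = domain.lower()
    for lookalike, canonical in HOMOGLYPHS:
        d = d.replace(lookalike, canonical)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so one- or two-character typosquats are caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def assess_sender(from_addr: str, reply_to: str = "") -> tuple[str, list[str]]:
    """Return (verdict, reasons). Verdict is 'trusted', 'lookalike',
    'suspicious' (trusted From but Reply-To elsewhere) or 'unknown'."""
    d = domain_of(from_addr)
    lookalike = []
    if d not in KNOWN_SUPPLIER_DOMAINS:
        for known in KNOWN_SUPPLIER_DOMAINS:
            if normalise(d) == normalise(known):
                lookalike.append(f"{d} differs from {known} only by look-alike characters")
            elif edit_distance(d, known) <= 2:
                lookalike.append(f"{d} is within two edits of {known}")
            elif d.split(".")[0] == known.split(".")[0]:
                lookalike.append(f"{d} reuses the name of {known} with a different ending")
    mismatch = []
    if reply_to and domain_of(reply_to) != d:
        mismatch.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {d}")
    if lookalike:
        verdict = "lookalike"
    elif mismatch:
        verdict = "suspicious"
    elif d in KNOWN_SUPPLIER_DOMAINS:
        verdict = "trusted"
    else:
        verdict = "unknown"
    return verdict, lookalike + mismatch
```

Any verdict other than "trusted" is a prompt to call the supplier on a number you already hold, exactly as the text above advises.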

Learn to protect your business from BEC scams and email compromise with the following resources:

Case study: A small construction business received an email from their supplier saying they had changed banks. The supplier provided new account details for invoice payments. Because the email seemed legitimate, the construction business did not call the supplier to confirm the change in bank account details. The business paid an invoice from the supplier for over $70,000. The following day, another employee mistakenly paid the same invoice again for an additional amount over $70,000. In total, over $150,000 was paid to the new bank account. When the business rang their supplier to ask if they could refund the duplicate payment, the supplier advised those banking details were incorrect. An investigation was launched immediately, and the supplier discovered that one of their email accounts had been hacked and was sending out fraudulent bank account details. No funds were recovered.

Malicious Software

Malware is a blanket term for malicious software designed to cause harm, such as ransomware, viruses, spyware and trojans. Malware can:

  • steal or lock the files on your device

  • steal your bank or credit card numbers

  • steal your usernames and passwords

  • take control of or spy on your computer.

Malware can stop your device from working properly, delete or corrupt your files, or allow others to access your personal or business information. If your device is infected with malware, you could be vulnerable to other attacks. The malware could also spread to other devices on your network.

Your device can be infected by malware in a number of ways, including:

  • visiting websites that have been infected by malware

  • downloading infected files or software from the internet

  • opening infected email attachments.

Ransomware

Ransomware is a common and dangerous type of malware. It works by locking up or encrypting your files so you can no longer access them. A ransom, usually in the form of cryptocurrency, is demanded to restore access to the files. Cybercriminals might also threaten to publish or sell data online, unless a ransom is paid.

Ways to mitigate

While anti-virus or security software can help protect you from malware, no software is 100% effective. Staff must be vigilant with emails, websites and file downloads and regularly update their devices to stay secure.

See the following resources for more information on protecting your business from ransomware:


Case study: Employees of an auto parts store came into work one morning and were not able to boot their server computer. When their IT provider got access to the server, they found a window open that said all the computer data had been encrypted. The note demanded they pay a ransom in bitcoin to unlock the files. There was a backup drive plugged into the computer, which had also been encrypted. They tried to connect more backup drives, but the files were automatically encrypted within seconds. They had failed to remove the ransomware before attempting to recover their data and lost every backup file they had. The only option left was to factory reset the server and start fresh with a new system. Their business lost many years of data and had to start over.

Secure your accounts

Multi-factor authentication (MFA) makes it harder for cybercriminals to access your accounts.

MFA adds another layer of security to your account. It is one of the most effective ways to protect your accounts from someone getting access, so you should use it wherever possible. Anyone who logs into your account will need to provide something else in addition to your username and password. This could be a unique code from a text message or an authenticator app.

For more information, read our advice on MFA.

Getting started

  • You might already be using MFA on some accounts, but you should turn it on wherever you can.

  • Start with your important accounts like email, banking, document storage and social media. 

  • MFA is often set up through the security settings on your account. If you’re not sure how to set it up, read our advice on MFA or do a separate search online (for example, “facebook mfa”).  

  • Some services may use a different name for MFA, such as “two-factor authentication” or “two-step verification”, so don’t be surprised by these terms in your search.  

✓ Turn on MFA wherever possible, starting with your most important accounts.

Use strong passwords and passphrases

Protect your accounts from cybercriminals with a secure password or passphrase.

Many small businesses face cyber attacks as a result of poor password behaviours, for example reusing the same password on multiple accounts. You can use both password managers and passphrases to create strong passwords.

A password manager acts like a virtual safe for your passwords. You can use it to create and store strong, unique passwords for each of your accounts. If you have a lot of accounts, this removes the burden of remembering unique passwords. You don’t have to remember the passwords or the accounts they belong to, as it is all recorded in your password manager. 

For accounts that you sign into regularly, or that you otherwise don’t want to store in a password manager, consider using a passphrase as your password. Passphrases are a combination of random words, for example ‘crystal onion clay pretzel’. They are useful when you want a secure password that is easy to remember. Use a random mix of four or more words and keep it unique – do not reuse a passphrase across multiple accounts. For more information, read our advice on passphrases and password managers.

Getting started

  • Find a password manager that’s right for your business. Do a search online for “password managers” and compare the security, quality and features of any products you are considering. If you are unsure, ask an IT professional or trusted advisor for a recommendation.  

  • Protect your password manager by using MFA and a long, unique passphrase as your master password. Make your master password as strong as you can.

  • Add your existing accounts into your password manager. Then, use the password manager to randomly generate new passwords which are at least 14 characters in length. Starting with your most important accounts, update the passwords to the new ones you have created with your password manager. 

✓ Use a password manager to create and store unique passwords or passphrases for each of your important accounts.  
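The passphrase advice above (four or more random words, unique per account) and the password manager step (randomly generated passwords of at least 14 characters) can be demonstrated in code. The following is an added example, not code from the original guide; it uses a small constructed word list, and the entropy figures assume a 7776-word list and a 94-symbol alphabet.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample word list for this example only. A real generator should draw
# from a large published list (thousands of words) so each word adds roughly 13 bits.
SAMPLE_WORDS = [
    "crystal", "onion", "clay", "pretzel", "harbour", "magnet", "velvet", "lantern",
    "cactus", "ribbon", "saddle", "thunder", "walnut", "meadow", "copper", "fossil",
]

# Alphabet for manager-style random passwords: letters, digits and punctuation.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(words=SAMPLE_WORDS, count=4):
    """Pick `count` words uniformly at random (with replacement) using the OS CSPRNG."""
    if count < 4:
        raise ValueError("use four or more words")
    return " ".join(secrets.choice(words) for _ in range(count))


def generate_password(length=14, alphabet=PASSWORD_ALPHABET):
    """Random password of the kind a password manager generates (14+ characters)."""
    if length < 14:
        raise ValueError("use at least 14 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, count):
    """Bits of entropy for `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def passphrase_is_valid(phrase, words=SAMPLE_WORDS, min_words=4):
    """Check that a passphrase has enough words and only uses words from the list."""
    parts = phrase.split()
    return len(parts) >= min_words and all(p in words for p in parts)


def find_reused_passwords(credentials):
    """Return {secret: [accounts]} for any secret used by more than one account.

    `credentials` maps account name -> password/passphrase, as a password manager
    would hold them. Reuse across accounts is the behaviour the guide warns against.
    """
    by_secret = defaultdict(list)
    for account, secret in credentials.items():
        by_secret[secret].append(account)
    return {s: accts for s, accts in by_secret.items() if len(accts) > 1}


if __name__ == "__main__":
    print("passphrase:", generate_passphrase())
    print("password:  ", generate_password())
    # Four words from a 7776-word list versus 14 characters from a 94-symbol alphabet.
    print(f"4 words x 7776-word list: {entropy_bits(7776, 4):.1f} bits")
    print(f"14 chars x 94 symbols:    {entropy_bits(94, 14):.1f} bits")
    # Constructed sample vault showing one passphrase reused on two accounts.
    vault = {"email": "crystal onion clay pretzel", "bank": "Qx7!kLm2#pR9vW",
             "social": "crystal onion clay pretzel"}
    print("reused:", find_reused_passwords(vault))
```

The entropy comparison shows why a four-word passphrase from a large list is acceptable for accounts you type regularly, while a manager-generated 14-character password is stronger still.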

Managing Shared Accounts

Sharing accounts can compromise security and makes it difficult to track malicious activity.  

In a small business, there may be legitimate reasons why staff need to share accounts, but it should be avoided as much as possible. When multiple staff use the same account it can be hard to track activity back to a specific employee and even harder to track cybercriminals breaking in. Unless you change the password, employees could also continue accessing accounts even after they have left the business. 

Getting started 

  • Where possible, create individual accounts for each staff member instead of sharing accounts. 

  • Create and maintain a list of the shared accounts in your business and which staff have access to them. Consider where you could eliminate shared accounts or reduce the number of staff with access.

  • Be mindful of how you share passwords and passphrases. Use secure communication methods, such as a password manager that will allow secure sharing of passwords (including passphrases) between staff. If your password manager does not have this feature, split the password across different communication methods.

  • Remember to change the login details for shared accounts if a staff member leaves the business or changes roles.

  • Use MFA on shared accounts where possible. Many services allow you to have MFA even if an account is shared on multiple devices. For example, you can have up to five devices connected to a single Instagram account and still use MFA to log in.

✓ Limit the use of shared accounts and secure any that are used in your business. 

Implementing Access Control

Restricting user access can limit the damage caused by a cyber security incident.

Access control is a way to limit access to certain files and systems. Typically, staff do not require full access to all data, accounts, and systems in a business. They should only be allowed to access what they need to perform their duties.

Restricting access will help limit the damage caused by a cyber security incident. For example, if a staff member’s computer is infected with ransomware, with proper access controls it might only affect a small number of files rather than the entire business.

Getting started

  • Identify each user in your business and what they have access to. Decide if they have the appropriate access permissions for their role. Consider access to:

      • files and folders

      • databases

      • mailbox

      • applications

      • online accounts

      • networks.

  • Implementing the principle of least privilege is typically the safest approach for most small businesses. Under this principle, users have the bare minimum permissions they need to perform their work. For example, not every staff member may need access to financial or HR files.

  • Avoid giving staff administrator-level access on any devices or systems.

  • Revoke access from staff who leave the business.

  • Access controls might be managed by your IT provider or IT staff. Speak to them if you are unsure how to action this step.

✓ Ensure each user can access only what they need for their role. 

Prepare your staff

Educate Employees

Employees with good cyber security practices are your first line of defence against cyber attacks.

Your employees should have an awareness of cyber security, including the following topics:

  • common cyber security threats such as business email compromise and ransomware

  • protective measures including strong passwords or passphrases, MFA and software updates

  • how to spot scams and phishing attacks

  • business-specific policies (for example, processes for reporting suspicious emails or for validating that invoices are genuine before paying)

  • what to do in an emergency.

The ACSC website has resources for most of these topics at cyber.gov.au/learn. You might consider other ways of educating your employees, for example with a formal course or internal training. However you decide, remember that cyber security training isn’t a once-off requirement and should be refreshed periodically.

Getting started

  • Set time aside for your employees to focus on cyber security training, or organise a course for everyone to attend.

  • Encourage employees to visit cyber.gov.au/learn and work through the modules and quizzes.

  • Consider adding cyber security training or practices into the induction process for new employees.

  • Encourage positive security habits in your staff to build a positive security culture in your business. You might do this by offering rewards or finding ways to make security processes easier. For example, rewarding staff who identify phishing emails or providing a password manager for your staff to use.

✓ Determine how cyber security awareness will be taught in your business. 

Make an Emergency Plan

An emergency plan could reduce the impact of a cyber attack on your business.

When responding to a cyber security incident, every minute counts. Having an emergency plan means your staff can spend less time figuring out what to do and more time taking action.

Consider the following questions when creating your emergency plan:

  • What is the process for your staff to report potential cyber security incidents?

  • Who do you contact for assistance? For example, IT professionals and your bank.

  • How will the incident be communicated to your staff, stakeholders, or customers?

  • How will you manage business as usual, if any critical systems are offline?

Make sure your staff are familiar with the emergency plan, including any roles or responsibilities they may have. Maintain a hard copy of the plan in case your systems are offline when you need it.

Getting started

  • Think about relevant threats to your business, such as ransomware and business email compromise. Consider how different threats could affect your business and how you should respond to each scenario.

  • Create a plan that addresses the above questions. For example, a contact list with names and numbers of people who can help you recover from an incident.

  • For more guidance, read the ACSC’s advice on preparing for cyber security incidents and our Cyber Incident Response Plan.

  • Use the ACSC’s Exercise in a Box to test your emergency plan in a safe environment.

✓ Create an emergency plan for cyber security incidents.

Stay Informed

Become an ACSC partner to receive the latest information from the ACSC.

Stay informed of the latest cyber threats and vulnerabilities by becoming an ACSC partner. This service will send you monthly newsletters and alerts when a new cyber threat is identified.

Cyber security is a rapidly evolving field. Cybercriminals actively exploit vulnerabilities within minutes of their discovery. Staying informed of the cyber security landscape will help your business to understand the threats it is likely to face and how to protect against them.

Protect your devices and information

Update your software

Keeping your software up-to-date is one of the best ways to protect your business from a cyber attack. 

Updates can fix security flaws in your operating system and other software, so that it is harder for a cybercriminal to break in. New flaws are discovered all the time, so don’t ignore prompts to update. Regularly updating your software will reduce the chance of a cybercriminal using a known weakness to run malware or hack your device. 

If your device or software is too old, then updates may not be available. If the manufacturer has stopped supporting the product with updates, you should consider upgrading to a newer product to stay secure. Examples of systems that no longer receive major updates are the iPhone 7 and Microsoft Windows 7.

Getting started 

  • Update all of your devices, apps and other software. This is often done through the Settings menu. If you need help, the ACSC has published guidance on updates.

  • Where possible, turn on automatic updates. If this setting is not available, set a reminder to regularly check for updates. Try to schedule updates to occur outside of business hours to avoid disruptions. 

  • Check that other devices in your business network are regularly updated, including servers and Network Attached Storage (NAS) devices if you have them. Speak to an IT professional if you are unsure.  

✓ Turn on automatic updates for your devices and software.

Backup your information

Regular backups can help you recover your information if it is lost or compromised.

Backing up important information should be a regular or automatic practice in your business. Without a regular backup, it could be impossible for you to recover your information after a cyber attack.

There are many methods and products you could use to back up your information. For detailed advice on backing up your business, read our advice for backups. The best option will vary for each business, so speak with an IT professional if you are unsure.

Getting started

  • Create a plan or procedure for backing up your business. This will be different for every business. Your plan should answer the following questions:

      • What data is or is not backed up?

      • When do backups occur?

      • Where are the backups stored?

      • Who is responsible for managing the backups?

      • How long are the backups kept for?

      • How often are the backups tested?

  • Think about everywhere your important information is stored. Are these locations included in your backup plan? For example, information held in your email or cloud accounts.

  • Ask an IT professional if you need help creating your plan or setting up your backups.

✓ Create and implement a plan to regularly back up your information.

Use security Software

Security software such as anti-virus and ransomware protection can help protect your devices.

Use security software to detect and remove malware from your devices. Anti-virus software can be set up to regularly scan for suspicious files and programs. When a threat is found, you will receive an alert and the suspicious file will be quarantined or removed.

Many small businesses can use Windows Security to protect themselves from viruses and malware. Windows Security is built into Windows 10 and Windows 11 devices and includes free virus and threat protection. You can also use it to turn on ransomware protection features on your device.

For alternative products and options, read our advice on anti-virus software.

Getting started

  • To learn more about Windows Security, search for “Windows Security” in your Start Menu. You should also visit Microsoft’s website for more information, including how to use controlled folder access for protection against ransomware.

  • Ask an IT professional or trusted advisor for a recommendation if you’re not sure which security software is best for your business.

  • Set up your security software to automatically do regular scans, for example every week.

  • Familiarise yourself with your security software, including what a legitimate alert looks like. This will help you avoid scams that pretend to be your anti-virus software.

✓ Set up security software to complete regular scans on your devices. 

Secure your network and external devices

Protect your business from a cyber attack by addressing potential vulnerabilities in your network.

The devices and services in your network can be a prime target for cybercriminals. Many of these systems can be complex to secure, so discuss the following recommendations with an IT professional.

  • Secure your servers: If you use a NAS or other server in your home or business, take extra care to secure them. These devices are common targets for cybercriminals because they often store important files or perform important functions. There are many mitigation strategies required to protect these devices. For example, it's important to ensure any server or NAS devices are updated regularly. Administrative accounts should be secured with a strong passphrase or multi-factor authentication.

  • Minimise external facing footprint: Audit and secure any internet exposed services on your network. This might include Remote Desktop, File Shares, Webmail and remote administration services. 

  • Migrate to cloud services: Consider using online or cloud services that offer built-in security, instead of managing your own. For example, use online services for things like email or website hosting rather than running and securing these services yourself.

  • Improve your router’s security: Follow our guidance on ways to secure your router, including updating default passwords, turning on “Guest” Wi-Fi for customers or visitors, and using the strongest encryption protocols.

  • Understand your cyber supply chain: Modern businesses often outsource multiple services, for example using a Managed Service Provider to maintain their IT. Security issues with these services or providers could have a significant impact on your business. For detailed advice on cyber supply chain risk management, read our Cyber Supply Chain Guidance.

✓ Speak to an IT professional about ways to secure your network. 

Harden your website

Websites are a prime target for cyber attacks.

Protect your website from being hijacked by following some basic security measures:

  • secure your website login with multi-factor authentication or a strong password

  • regularly update your website’s content management systems and plugins

  • back up your website regularly so you can restore it after a cyber attack.

The ACSC has additional resources available for website owners.

Getting started

  • Set up auto-renewal for your website’s domain name.

  • If an external party manages or develops your website, speak with them about ways to improve your website security.

✓ Read through the ACSC resources on website security. 

Reset your devices before selling them or disposing of them

The data on your old devices could be accessed by strangers.

If you do not dispose of your devices securely, cybercriminals could access the information on them. This could include emails, files and other business data. Remove all information from your business devices before selling, trading or throwing them away, for example by doing a factory reset. This will help wipe any information and restore the device to its original settings.

For advice on resetting your devices, read our guidance on how to dispose of your device securely.

Getting started

  • Even when following the right steps, your information may still be recoverable. If the information on your device is particularly sensitive, you should consider using a data destruction service or asking an IT professional to help you dispose of it securely.

✓ Perform a factory reset before selling or disposing of business devices.  

Keep your devices locked and physically secure at all times

Data held by your business is an attractive target to cybercriminals.

Data breaches are on the rise – don’t let your business fall victim. It’s important to understand what data your business holds, and in what locations. Once you’re aware, use the recommendations in this guide to help protect your data from being accessed by cybercriminals. Some small businesses may also have additional obligations under legislation.

  • Consolidate your business data. You might have data stored across numerous devices or services. When data is decentralised, it increases the number of systems you have to keep secure and backed up. Numerous systems can also create more opportunities for a cybercriminal to attack. Where possible, store your business data in a central location that is secure and backed up regularly. Centralising your data can create a bigger breach if your systems are compromised, so ensure this central location is adequately protected with secure configurations and restricted access. Speak to an IT or cyber security professional for advice.

  • Know your obligations for protecting data. Some small businesses may have legal obligations for handling personal information they collect. Read the Office of the Australian Information Commissioner’s guide for small businesses to learn more. Consult with a legal professional if you are unsure.

✓ Understand the data your business holds and your responsibilities to protect it. 


All information provided has been reused only for distribution of information to educate our customers and the Australian public about current scams. This information is vital for you to read and could prevent your business being targeted by cyber attacks.
