Cyber security – protect your online business activity

Cyber security consists of the tools and techniques applied to IT data and systems to protect them from attacks and loss.

A cyber attack can seriously damage your business and you may have to spend lots of time, money and resources to fix it.

Best practice cyber security processes can improve your business by:

  • preventing loss
  • maintaining legislative compliance
  • building customer trust
  • maintaining business continuity.

Legal obligations for cyber security

If your business handles personal data (of employees, customers and suppliers) and financial information, you are responsible for meeting all legislative data-protection requirements.

Learn more about legal requirements for working online.

Online threats and risks

Online threats and risks can target your IT systems, data and online assets, and can negatively affect your business through:

  • brand and reputational damage
  • loss of confidential and sensitive data
  • loss of business continuity
  • fines if your business is found negligent.
Threat: Malware
Description: Software designed to damage a computer system
Prevention:
  • Install anti-virus software
  • Use strong passwords
  • Change passwords regularly

Threat: Trojans
Description: Disguised as harmless software to attack computers
Prevention:
  • Install anti-virus software

Threat: Cookies
Description: Software that tracks your movements online and reports back to the originating website
Prevention:
  • Clear cookies from web browser settings regularly

Threat: Spam
Description: Unsolicited emails sent out in bulk
Prevention:
  • Use junk email filters in your inbox

Threat: Phishing
Description: Fake emails designed to capture your sensitive data and information
Prevention:
  • Do not open or click any links in unsolicited emails

Threat: Hackers
Description: People who are trying to gain unauthorised access to your computer or systems
Prevention:
  • Keep your software up to date
  • Use a firewall

Threat: ID theft
Description: Using your personal information to commit fraud
Prevention:
  • Store personal information securely and do not give it out to sources you don't trust

Threat: IP theft
Description: Stealing and profiting from private company or business data and information
Prevention:
  • Identify and secure your most valuable data
  • Create non-disclosure agreements with employees
  • Create security policies and procedures
  • Complete security training with personnel

Protecting your business from cybercrime

Protect your business with these tools and resources.

Reporting cybercrime

Reporting suspicious online activities can help authorities to combat cybercrime and develop tools and awareness programs to protect businesses and individuals from attacks.

You can report suspected cyber security threats to your business through the ACSC.

Read the preventing and reporting cybercrime recommendations from the Queensland Police Service.

Online security and fraud

Operating your business in a secure online environment will help you meet your legal obligations to keep your customers' information private.

Effective online security management is critical in managing your business's risk, and building and maintaining customer confidence and trust.

Use online security policies and procedures to plan and implement effective online security for your business.

Find out how to implement online security policies in your business.

Protect your business from fraud

Fraud occurs when someone uses false data or information for illegal profit.

You can protect your business from fraud by:

  • securing bank accounts and related information
  • managing access to personal and financial information
  • conducting background checks on staff and contractors
  • using suitable IT system security
  • purchasing insurance.

Learn more about your fraud protection obligations.

Protecting your data, hardware, and software

All computers, servers and wireless networks that your business uses must be protected against online and cyber security threats and risks.

Steps to guard against external threats to IT systems

  • Install anti-virus and anti-spyware software, including spam filters, and ensure they are active and updated regularly.
  • Enable wireless network security and change the default password immediately because most default passwords are known to hackers.
  • Install a software firewall, typically included in IT security bundles or operating systems.
  • Choose strong passwords involving a combination of numbers, symbols and upper- and lower-case letters.
  • Change passwords regularly—every 90 days is recommended.
  • Find out if your computer's operating system has a free built-in virus and security system and backs up to the cloud.
  • Back up data regularly and store copies off-site or in the cloud.

Learn more about cloud computing for business.

The ACSC has guides on implementing security protections for different software applications and devices.

Data protection

You will need to protect your desktop computers and devices with robust, secure passwords. If your data is not adequately protected, hackers may be able to access your networks and corrupt or steal information.

Backing up your data is crucial—having a copy of your data in a separate location will enable you to recover information quickly and easily in the event of any data loss. You can back up your data to the cloud or an external drive.

You should establish policies for your business on how staff can protect data, to avoid data loss from staff inadvertently taking important files outside your business by email, external drives or laptops.

Learn more about how to prevent data theft.

Protecting and renewing your domain name

Your domain name is your intellectual property. Letting your domain name expire means you could lose control of your online presence, branding and company website.

This may leave your business and customers vulnerable to cybercriminals. If criminals gain access to your domain name, they could create a fake website posing as your brand and send phishing scams to your customers.

Note down when your domain name will need renewing so it doesn't expire. Domain names can be renewed for more than 1 year at a time.

Common protection methods

These are some common protections that can be used.

  • Encrypted certificates that verify the site's identity, create a secure web link when used, protect sensitive data and make your website more trusted.
  • Alphanumeric codes that ensure only verified users can access systems.
  • A program that scans for and detects threats to the system.
  • A software tool that scans all incoming data and users, and only allows access to trusted items.
  • A function to ensure all software programs have the most up-to-date protections.
  • Internal documents that explain the security requirements and actions for a business, and can be used for staff training.

Internal threats to IT systems

Threats to IT systems can occur from within your business. These internal threats could occur when staff are unaware of suitable protections or in some cases there could be malicious intent.

Steps to guard against internal threats to IT systems

  • Allow only authorised staff to access IT data and systems.
  • Create IT policies and procedures.
  • Assess the risks of employees connecting portable devices to work systems.
  • Check for spam claiming to be from 'trusted' email senders—for example, banks do not do business by email.
  • Think before opening attachments or sharing information to ensure data protection.
  • Store data carefully—choose who has access to it and decide what devices you will allow staff to connect to your network.
  • Create strong, individual passwords to protect your website so only authorised users can access the site and make changes.
  • Change shared passwords and revoke access from employees when they leave your organisation.
  • Ensure that all file access and transfer mechanisms are approved and included in your cyber security plan.
  • Read about protecting customers' personal information from the Office of the Australian Information Commissioner.

Seeking help from specialists

Cyber security and IT specialists can help develop a custom plan for your business if you do not want to manage digital risks yourself. This may be a good option for you if you are not tech savvy or do not feel confident.

When talking to cyber security and IT specialists, it is important to ask the following questions.

  • Is there a one-off or ongoing payment? You may want to seek advice on setting up your security protections but typically you won't need ongoing help unless your needs are complex.
  • Will you create a custom security plan for my business? If you are paying a professional, it's important to make sure that their advice is tailored to your needs.
  • Can you explain all the inclusions in your service? Many of the protections you will need can be set up easily yourself for little or no cost, so make sure you are only paying for services you are not comfortable completing yourself.