Information technology (IT) threat preparation for small business
A cybercrime is reported in Australia every few minutes and results in the loss of millions of dollars every year. Online security is vital to protect your electronic data, IT systems and customer or client details.
Potential information technology (IT) threats include:
- cyber-attack or data hacking
- IT failure.
To prepare and get back to business sooner after an incident, use these 4 stages to help manage an information technology (IT) threat including cyber-attacks or IT failures:
Top 10 tips to manage an information technology (IT) threat
Make a plan
Identify your risks and plan what you will do
Improve IT security
Seek IT advice, backup data and update IT systems
Ensure staff are aware of IT threats and follow IT security measures
Contain and assess the threat
If hacked, assess the threat, seek help and contain the damage
Report cyber-crimes or data breaches
Know how to report legally notifiable incidents
Notify financial institution and customers
Advise impacted staff or customers of issue and how to further protect their information
Communicate the steps you've taken to protect staff or customer data
Investigate and monitor the breach
Fully investigate and monitor your IT systems for any ongoing suspicious activity
Promote your business
Develop marketing strategies to promote positive news
Record lessons learned and update IT systems, policies and staff training
Prevent and prepare for an information technology (IT) threat
Prevention and preparedness are critical to protecting your IT systems and your customers' data. Assessing potential risks and putting safeguards in place can prevent many information technology (IT) threats from impacting your business. Businesses have been forced to close or faced serious legal action as a result of cyber-attacks.
Make a plan
Complete a business continuity plan to prepare, respond and recover from potential IT-related risks.
Steps to include in your plan:
- Learn about the legal IT requirements as part of the Spam Act 2003 (Cwlth), the Electronic Transactions (Qld) Act 2001 and privacy laws.
- Identify key events and risks that are most likely to occur and would have the most negative impact on your business, including
- cyber-attack or data-hacking where hardware, data or information is illegally accessed or stolen
- phishing – scam emails, texts, messages or phone calls designed to trick you out of money or information
- malicious software (or malware) which is used to access bank details, credit card numbers or passwords
- denial-of-service attacks – disrupts websites or emails.
- Read the small and medium business information and resources from the Australian Cyber Security Centre, including
- Learn about the latest scams by visiting Scamwatch from the Australian Competition and Consumer Commission.
- Plan and respond to key risks and incidents by developing IT policies and procedures, including
- improving IT security by hiring an IT expert
- backing up your data regularly to external and cloud storage
- testing backups monthly to ensure they can restore data
- updating software systems, such as Windows, regularly
- auditing and automatically updating your IT systems and software
- providing a secure site through Transport Layer Security (TLS)
- requiring multi-factor authentication
- strengthening passwords by using at least 10 characters (including letters, numbers and special characters) or a passphrase and issue alerts to change passwords regularly
- using password protected encrypted links rather than attachments
- using zero knowledge encryption cloud storage.
- Investigate buying cyber risk and liability insurance.
- Install anti-virus and anti-spyware software, spam filters and ransomware protections to secure your computers against threats.
- Train staff to
- follow IT security procedures
- avoid and report a cybercrime to the Australian Cyber Security Centre.
- Control access to your computer system by
- limiting who has access (i.e. restricting administrator privileges)
- not sharing passwords
- closing accounts when staff leave.
- Plan how to recover from an incident.
- Conduct regular training with staff and update your plan.
Respond during an information technology (IT) threat
If a cyber attack does happen, responding quickly can help you get back to business sooner.
- Check for any suspicious activity, unauthorised bank withdrawals or unauthorised access to customer information.
- Assess what information has been breached, the cause, extend of the breach and what you can do to fix the issue, including:
- advising staff not to share or click on links in suspect emails
- backing up your system
- shutting down the breached system (if possible)
- changing computer access privileges and passwords
- appointing an external IT or cyber security expert.
- Assess if the data breach will result in serious harm to anyone whose information was involved.
- Report data breaches to the Australian Cyber Security Centre.
Take action if these situations occur:
- financial details or credit cards have been fraudulently accessed
- notify your bank or other financial institution immediately
- suspend accounts or take other action
- consult with law enforcement agencies who are investigating the breach before making the details public of any fraudulent activity
- when serious harm has occurred, you must
- notify suppliers/clients/customers/guests impacted
- tell them how to protect themselves and what you're doing to fix it – read the suggested communication messages
- offer support to staff if they have been affected – use the wellbeing and mental health resources available.
Learn more about responding to negative social media or media coverage relating to the incident.
Report cybercrime or data breaches to the following agencies:
- computer or online crimes (e.g. fraud, online image abuse, identity theft or threats and intimidation) must be reported to police using ReportCyber
- notifable data breaches must be reported online using the Notifiable Data Breach form or by phone on 1300 363 992 (Note: You have a legal requirement to report unauthorised access of personal information held by your business if it could result in serious harm)
- cyberbullying, image based abuse or illegal and harmful content can be reported online to the eSafety Commissioner.
Recover from an information technology (IT) threat
Learning from what has gone wrong can prevent issues in the future.
- Fully investigate the data breach (or have an IT expert investigate).
- Monitor your systems for any ongoing suspicious activity.
- Consider how you handled the crisis and identify and document lessons learned.
- Update or enhance IT security systems to detect and prevent future breaches.
- Update your business continuity and cyber security emergency plan.
- Train staff in updated policies and procedures.
- Keep customers and suppliers updated about your business operations.
- Answer emails promptly.
- Develop marketing strategies to promote your business.
- Use social media channels and your website to get the message out widely.
- Use innovative ways such as videos, photos and promotions to advise when your business is back up and running.
If a breach of your customers or clients' personal information could cause serious harm, you are legally required to inform those affected including the Australian Information Commissioner. If the breach is low or no risk to anyone, you may decide not to advise people.
You can adapt the messages below to suit your stakeholders.
- Our (telephone/online services/website) have been disrupted today due to unexpected technical issues.
- Our team is working to resolve the issue as soon as possible. We'll provide updates as soon as more information is available.
- We apologise for any inconvenience this may have caused. If you urgently need to contact us, please (phone/email/message or visit us at).
We are contacting you to let you know a data breach has affected your personal data. On (date), we detected a breach of our organisation's IT security. As a result, some of your information has been accessed (provide type of data if possible – e.g. contact details).
We've launched a full investigation to resolve the issue and we're working closely with authorities (the Australian Cyber Security Centre, the Australian Federal Policy and/or the Australian Information Commissioner).
We're taking the following steps to protect you by:
- engaging an external cyber security agency to ensure we've taken all possible measures to minimise the impact of this security breach and reduce the risk of it happening again
- continuing to monitor for suspicious activity and coordinating with relevant authorities and agencies
- continuing to improve our systems to detect and prevent unauthorised access to user information.
We take our obligations to safeguard your personal data very seriously. We recommend you consider taking the following steps to protect any further access to your (personal information or account details). As further safeguards:
- update your password – use at least 12 characters including numbers, symbols, capital letters and lower-case letters (avoid using date of birth or names)
- review and update your contact methods for resetting passwords
- review your account transactions and let us know if you notice anything suspicious
- don't open attachments or click on links from unknown sources
- ignore unsolicited communications that ask for your personal data or refer you a web page asking for personal data
- also report anything out of the ordinary to (provide details).
We sincerely apologise for any inconvenience this breach may have caused. If you have any questions or concerns please don't hesitate to contact us via (email and/or phone).
We'll keep you informed if there is any further information about this breach.
- Read preparing for and responding to cyber security incidents by the Australian Cyber Security Centre.
- Visit the Australian Cyber Security Centre for more resources.
- Learn more about data breach preparation and response (PDF, 1.2MB) by the Australian Information Commissioner.
Go back to Small business disaster hub for other industries and disasters.
- Last reviewed: 17 May 2021
- Last updated: 5 Jan 2022