The ACSC Small Business Cyber Security Guide has been specifically designed for small businesses to understand, take action, and increase their cyber security resilience against ever-evolving cyber security threats.
According to the ACSC, internal processes and employees are the last, and one of the most important lines of defence in protecting your business from cyber security threats.
Given small businesses often lack the resources for dedicated IT staff, the ACSC has outlined the following three things businesses can do to mitigate the risk of a cyber event.
Access control is simply about managing who can access what within your business’ computing environment. Access control is a way to limit access to a computing system. It helps protect your business by restricting access to:
- files and folders
- online accounts
Typically, employees don’t require full access to all data, accounts, and systems in a business in order to perform their role. This access should be restricted where possible so that employees and external providers do not accidentally or maliciously endanger your business.
Access control systems and procedures allow a business owner or operator to:
- decide who should access certain files, databases, and mailboxes
- control any access permitted to external providers e.g. accountants, website hosting providers
- restrict who has access to accounts such as supplier websites and social media
- reduce potential damage if any accounts, devices, or systems are compromised, and
- revoke access to systems and data when an employee changes roles or leaves the business.
Depending on the nature of your business, the safest approach for most small businesses is the principle of least privilege.
It gives users the bare minimum permissions they need to perform their work. This also reduces the risk of an ‘insider’ accidentally or maliciously endangering your business.
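The access register below is an added example, not part of the ACSC guide, written to show the least-privilege model described above in working code: access is denied unless it has been explicitly granted, an external provider's access can be given an expiry date, and everything a person holds can be revoked in one step when they change roles or leave. The names, resources and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class AccessRegister:
    """Default-deny register of who may do what to which resource."""

    # resource -> {principal -> set of permitted actions}
    grants: dict = field(default_factory=dict)
    # principal -> last day their access is valid (used for external providers)
    expiry: dict = field(default_factory=dict)

    def grant(self, principal, resource, actions, until=None):
        """Grant only the listed actions on one resource (least privilege)."""
        perms = self.grants.setdefault(resource, {}).setdefault(principal, set())
        perms.update(actions)
        if until is not None:
            self.expiry[principal] = until

    def revoke_all(self, principal):
        """Remove every grant a person holds, e.g. when they leave the business."""
        for perms in self.grants.values():
            perms.pop(principal, None)
        self.expiry.pop(principal, None)

    def allowed(self, principal, resource, action, today=None):
        """Return True only if the action was explicitly granted and not expired."""
        today = today or date.today()
        last_day = self.expiry.get(principal)
        if last_day is not None and today > last_day:
            return False  # external provider's engagement has ended
        return action in self.grants.get(resource, {}).get(principal, set())

    def who_can(self, resource):
        """Sorted list of everyone holding any grant on a resource (for review)."""
        return sorted(self.grants.get(resource, {}))


def demo(today=date(2024, 3, 1)):
    """Constructed scenario: a small business with one employee and one accountant."""
    reg = AccessRegister()
    # Employee needs to read and edit customer files, nothing else.
    reg.grant("alice", "customer-files", {"read", "write"})
    # External accountant only needs to read the accounts, until the engagement ends.
    reg.grant("acme-accountants", "accounts", {"read"}, until=date(2024, 6, 30))

    results = {
        "alice_reads_customers": reg.allowed("alice", "customer-files", "read", today),
        # Not granted, so denied by default:
        "alice_reads_accounts": reg.allowed("alice", "accounts", "read", today),
        "accountant_reads_accounts": reg.allowed("acme-accountants", "accounts", "read", today),
        # Only 'read' was granted, so 'write' is denied:
        "accountant_writes_accounts": reg.allowed("acme-accountants", "accounts", "write", today),
        # Same grant checked after the engagement has expired:
        "accountant_after_expiry": reg.allowed("acme-accountants", "accounts", "read", date(2024, 7, 1)),
        "accounts_reviewers": reg.who_can("accounts"),
    }
    # Alice leaves the business: revoke everything in one step.
    reg.revoke_all("alice")
    results["alice_after_leaving"] = reg.allowed("alice", "customer-files", "read", today)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `who_can` review lists everyone holding a grant on a resource, which is the check to run periodically so that access granted for a one-off task does not quietly become permanent.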
Passphrases are a more secure version of a password. Multi-factor authentication (MFA) is one of the most effective ways to protect your accounts from cybercriminals. However, if MFA is not available, then you should use a passphrase to protect your account.
A passphrase uses four or more random words as your password. For example, ‘crystal onion clay pretzel’. Passphrases are hard for cybercriminals to crack but easy for you to remember.
Create passphrases that are:
- Long: the longer your passphrase, the better. Make it at least 14 characters in length.
- Unpredictable: use a random mix of unrelated words. No famous phrases, quotes or lyrics.
- Unique: do not reuse passphrases on multiple accounts.
If a website or service requires a complex password including symbols, capital letters, or numbers, you can include these in your passphrase. Your passphrase should still be long, unpredictable and unique for the best security.
If you are unable to use MFA on an account or device, it is important to use a passphrase to stay secure. In these situations, a secure passphrase may be the only barrier between adversaries and your valuable information.
Remember to make your passphrases unique, as reusing a password makes it easy for a cybercriminal to hack multiple accounts.
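As an added example that is not from the ACSC guide, the code below turns the three rules above (long, unpredictable, unique) into a passphrase generator and checker: words are picked with the operating system's secure random source, and a checker reports any rule the passphrase breaks, including reuse across accounts. The word list and the blocklist of well-known phrases are small constructed samples; a real generator needs a list of thousands of words, which is where the unpredictability comes from.

```python
import hashlib
import math
import secrets

# Constructed sample word list. A real one (e.g. a diceware list) has thousands
# of entries; the strength estimate below shows why that matters.
WORDLIST = [
    "crystal", "onion", "clay", "pretzel", "harbour", "velvet", "ladder", "maple",
    "copper", "thunder", "basket", "meadow", "pencil", "saddle", "window", "cactus",
    "anchor", "pillow", "walnut", "rocket", "candle", "fossil", "garden", "hammer",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orbit", "puzzle",
]

# Constructed sample of phrases a cybercriminal would try first.
FAMOUS_PHRASES = {"to be or not to be", "let it be", "may the force be with you"}

MIN_WORDS = 4
MIN_LENGTH = 14


def generate_passphrase(words=MIN_WORDS, wordlist=WORDLIST):
    """Pick distinct random words using the OS secure random source."""
    return " ".join(secrets.SystemRandom().sample(wordlist, words))


def strength_bits(words=MIN_WORDS, wordlist=WORDLIST):
    """Approximate entropy in bits: each word is one choice out of len(wordlist)."""
    return round(words * math.log2(len(wordlist)), 1)


def fingerprint(passphrase):
    """Hash used only to compare passphrases for reuse without keeping them in clear."""
    return hashlib.sha256(passphrase.strip().lower().encode()).hexdigest()


def check_passphrase(passphrase, used_fingerprints=()):
    """Return a list of rules the passphrase breaks; an empty list means it passes."""
    problems = []
    words = passphrase.split()
    if len(words) < MIN_WORDS:
        problems.append(f"fewer than {MIN_WORDS} words")
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(w.lower() for w in words)) != len(words):
        problems.append("repeats a word")
    if passphrase.strip().lower() in FAMOUS_PHRASES:
        problems.append("is a famous phrase, quote or lyric")
    if fingerprint(passphrase) in used_fingerprints:
        problems.append("already used on another account")
    return problems


def meet_complexity_rules(passphrase):
    """For sites that demand capitals, digits and symbols: add them without
    shortening the passphrase (a capital, a hyphen separator and one random digit)."""
    words = passphrase.split()
    words[0] = words[0].capitalize()
    return "-".join(words) + str(secrets.randbelow(10))


if __name__ == "__main__":
    phrase = generate_passphrase()
    print("passphrase:", phrase)
    print("estimated strength:", strength_bits(), "bits")
    print("problems:", check_passphrase(phrase) or "none")
    print("complex variant:", meet_complexity_rules(phrase))
```

The reuse check compares hashes rather than passphrases so the list of what is already in use can be kept without storing the passphrases themselves; it is a local duplicate check, not a way to store account credentials.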
Train your employees in cyber security basics, including updating their devices, securing their accounts, and identifying scam messages.
You should also consider implementing a cyber security incident response plan to guide your business and your staff in the event of a cyber incident. This will help you understand your critical devices and processes, as well as key contacts that you can use to respond and recover.
Employees can be the first and last line of defence against cyber security threats. Training can change the habits and behaviour of staff and create shared accountability in keeping your business safe. Cyber security is everyone’s responsibility.
Cyber security is continuously evolving. Keeping everybody up to date on cyber security threats could be the difference between whether or not a criminal gains access to your money, accounts or data.