Media: Protect your business against identity crime
https://tv.ato.gov.au/ato-tv/media?v=bd1bdiunji3ij9 (Duration: 1:18)
Secure your information and systems
It is important you keep your business, staff and client information secure. If data is lost or compromised, it can be very difficult, time consuming and costly to recover.
We, along with leading industry bodies, have created this list of top cyber security tips to help keep you and your business information safe:
- Use strong and secure passphrases
- Use multifactor authentication
- Manage your employees' accesses
- Remove system access from past employees
- Check devices have security updates
- Back up your data
- Don't use USBs or external hard drives from unfamiliar sources
- Use a spam filter on your email account
- Don't download computer programs or open attachments
- Secure your wireless network and avoid public wireless networks
- Be aware of what you share on social media
- Monitor your accounts for unusual activity or transactions
- Ask questions when sourcing software
- Keep up to date with security issues
Use strong and secure passphrases
Consider moving from a password to a passphrase. A passphrase uses 4 or more random words as a password. Regularly change passphrases and don't share them. Check whether your passphrases have been compromised and change them immediately if they have. Learn more about creating and protecting your passphrases at the Australian Cyber Security Centre.
Use multifactor authentication
Use multi-factor authentication if possible. Multi-factor authentication requires users to present multiple pieces of evidence (such as a password plus a code from an authenticator app) to prove who they are.
Multi-factor authentication puts an additional layer of security on your accounts, making it harder for others to gain access.
Manage your employees' accesses
Implementing access controls limits each employee's access to the accounts, systems, programs and files they need, particularly those of a sensitive nature. This can minimise the damage caused by a cyber incident.
Remove system access from past employees
Unauthorised access to systems by past employees is a common cause of identity security or fraud issues for businesses. You can mitigate this risk by removing access for people who:
- no longer work for your business
- have changed positions and no longer require access.
It's also important to change the login details for any shared accounts.
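An added example (not from this page) of how the three checks above can be applied mechanically: compare an HR roster against the accounts on each system, flag accounts belonging to people who have left, flag accounts whose current role no longer entitles them to that system, and flag shared accounts whose credentials must be changed because a departed person knew them. The roster, entitlement table and account list are constructed sample data.

```python
# Constructed sample data for a hypothetical small business.
HR_ROSTER = {
    "alice": {"status": "active", "role": "bookkeeper"},
    "bob":   {"status": "left",   "role": "sales"},       # no longer works here
    "carol": {"status": "active", "role": "sales"},       # moved from bookkeeping to sales
}

# Which roles are entitled to each system.
ENTITLEMENTS = {
    "accounting": {"bookkeeper"},
    "crm": {"sales"},
}

ACCOUNTS = [
    {"user": "alice", "system": "accounting"},
    {"user": "bob",   "system": "crm"},
    {"user": "carol", "system": "accounting"},  # stale access from her previous role
    {"user": "carol", "system": "crm"},
    {"user": "dave",  "system": "crm"},         # nobody in HR knows who this is
]

# Shared logins and the people known to hold the credentials.
SHARED_ACCOUNTS = {
    "shared-banking-portal": {"alice", "bob"},
}


def review_access(roster, entitlements, accounts, shared):
    """Return accounts to disable, entitlements to remove, shared credentials
    to rotate, and accounts with no matching person in HR."""
    findings = {"disable": [], "remove": [], "rotate": [], "unknown": []}
    for acct in accounts:
        user, system = acct["user"], acct["system"]
        rec = roster.get(user)
        if rec is None:
            findings["unknown"].append((user, system))        # orphan account
        elif rec["status"] != "active":
            findings["disable"].append((user, system))        # past employee
        elif rec["role"] not in entitlements.get(system, set()):
            findings["remove"].append((user, system))         # changed position
    for name, holders in shared.items():
        departed = sorted(u for u in holders
                          if roster.get(u, {}).get("status") != "active")
        if departed:
            findings["rotate"].append((name, departed))       # change the login
    return findings


if __name__ == "__main__":
    for action, items in review_access(HR_ROSTER, ENTITLEMENTS, ACCOUNTS, SHARED_ACCOUNTS).items():
        print(f"{action}: {items}")
```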
Check devices have security updates
Applying updates, also known as patches, to your devices as soon as possible reduces the risk of a cyber incident occurring.
You should:
- turn on automatic updates so that patches are applied as soon as they are available
- consider using vulnerability scanning software, which continuously monitors your systems to identify security risks and vulnerabilities
- upgrade devices, apps or software to a newer product if the current product no longer receives updates
- run weekly anti-virus software and malware scans, and update your system as soon as a patch becomes available.
Back up your data
Back up your files and devices regularly on a physical device (such as an external hard drive) or in the cloud. This is helpful if your data becomes damaged, lost, stolen or infected by ransomware.
A ransomware attack can:
- lock your computer or encrypt your data until you pay a fee to the criminal
- steal your personal or business information and threaten to leak or sell the information unless a ransom is paid.
Don't use USBs or external hard drives from unfamiliar sources
USBs and external hard drives may contain malware that can infect your business computers without you noticing. Ensure you and any employees only plug in USBs or external hard drives that have come from a trusted source.
Use a spam filter on your email account
Always use a spam filter on your email account and don't open any unsolicited messages.
Be wary of downloading attachments or opening email links you receive, even if they are from a person or business you know. They can infect your computer with malware and lead to your business or client information being stolen and used to commit fraud.
Don't download computer programs or open attachments
Be sure you are downloading authorised and legitimate programs. Unless you know the program is legitimate, don't open attachments or download any files.
Some programs contain malware that can infect your computer (including ransomware that locks your files until you pay a criminal). Malware can also be used to harvest your sensitive personal and business information.
Secure your wireless network and avoid public wireless networks
Avoid using public wireless networks to complete tasks. Not all wi-fi access points are secure. By making online transactions (such as online banking) on an unsecured network, you can put your information and money at risk.
Ensure you use a strong password for your business wi-fi. Consider running separate private and public wi-fi networks if you need to give your customers internet access.
Be aware of what you share on social media
Keep your personal and business information private and be aware of who you are interacting with online.
Scammers can take the information you publicly display and impersonate you or your business. Impersonators may send emails to trick your staff into providing valuable information or releasing funds.
Monitor your accounts for unusual activity or transactions
Regularly check your business accounts (including bank accounts, digital portals and social media) for transactions or interactions you didn't make or content you didn't post.
If you receive an email alerting you to unexpected changes on your account, don't open any links or attachments. Instead:
- check your accounts by searching for the organisation's website in a web browser
- phone the organisation using a number you've looked up.
Ask questions when sourcing software
When sourcing software for your business, it's recommended to ask vendors about their cyber security practices. For example:
- Will your data be stored in Australia or overseas?
- What data breach support services do they provide?
- Do they follow the Australian Cyber Security Centre's Essential Eight mitigation strategies?
- Do they have security certification (ISO 27001, IRAP) and what were the outcomes of any assessments?
Keep up to date with security issues
Constantly educate yourself about existing and emerging threats.
You can:
- report cybercrime online
- learn how to protect yourself against the latest scams at Scamwatch
- learn how to protect yourself
- get help if you are affected by a data breach at IDCARE.
The Australian Cyber Security Centre has resources to help businesses of all sizes secure their systems and data.
How we developed these tips
We developed these tips in consultation with the Cyber Security Stakeholder Group (CSSG). This group brings together key stakeholders from tax professional, superannuation, government and industry bodies to improve cyber security and combat emerging cyber security threats.
Download a printable version
You can download a printable version of Security tips for business (PDF, 214KB).