How to protect your business online

​Being ‘out there’ in the digital world presents enormous opportunities for your SME but also some risks that need to be recognised and managed. This article was written by the Office of the Australian Small Business and Family Enterprise Ombudsman.It has never been a more important time for small business to ‘go digital’. The digital world offers access to new markets, easier compliance with administrative tasks and the prospect of improved payment times.We’ve found that where a business is fully digitalised, it’s 30% more likely to be in the fast-growing part of the small to medium-sized enterprise sector – it’s also much more likely to employ staff.To engage digitally, it’s important to start with a clear digital strategy on how you will trade and market online (including social media) and the systems you can use to support your business. Although the ‘front end’ of trade and marketing is the exciting part that opens up new opportunities, the ‘back end’ is the one that does the heavy lifting and has the potential to provide real business efficiencies, especially in terms of costs and compliance time reduction. The back end includes invoicing, payment, accounting, regulatory compliance and other systems.The back end also necessarily involves security to protect businesses against cyber attacks. Heard of hacking, ransomware and identity theft? These are real threats to business, but there are ways you can prepare for these attacks while still conducting business online. By recognising that the threat is real, and taking some small steps, you can avoid living in fear of attack and fully embrace the opportunities the internet offers.

Protecting your e-business

Typically speaking, small businesses do not have cyber security experts working for them or a plan on how to protect their online systems. The Australian Small Business and Family Enterprise Ombudsman’s free The small business cyber security best practice guide lists simple, but effective steps that any small business can take to keep safe online.The guide includes how to evaluate your online presence and risks you face, how to make your accounts more secure and what to do if you are the target of a cyber attack. A key to being cyber secure is ensuring that everyone in your business is on board and has the confidence and understanding to adopt approaches to keep your business safe.So, what are the three key steps to staying safe online that every small business can take?

Step 1: Know your risk

Remaining safe online can be achieved if you manage the risk of conducting business over the internet. Training and education for you – and your staff – about the risks of operating online will save your business time, effort and money in the long run.One of the easiest ways to do this is by visiting the Australian Government’s Stay smart online and ensuring you have simple systems in place (like regular back-ups and updated passwords, firewalls and point-of-sale security). There is even an alert service to keep you up to date and information on how to tailor a response plan for your business if anything does go wrong.

Step 2: Keep current

Once you have your systems in place, it’s then really important to keep those systems up-to-date. A recent survey shows that 87% of small businesses believe antivirus software alone is enough to keep them safe. This is not true.Due to the changing nature of cyber attacks and small businesses becoming a more popular target, relying on a single cyber security prevention measure is similar to only having a latch on your front door without any other prevention measures.Keeping all your systems up to date with the latest security and other patches is critical. Spend an extra minute, say, each time you make a pay run, to check for system updates.

Step 3: Recognise how easy it is to know your risk, keep current and take some simple steps

Keeping software updated and regularly changing your passwords is a straightforward and quick job. You can also set up your IT systems to update automatically each fortnight which gives your business a fighting chance at being protected from online threats. Think about the online world as an extension of your physical operations and bring it into your regular operating model.Another tip is to limit the personal details you share about yourself online, as some cyber criminals will use this information to help them break into your business or use it to impersonate you to a client, service provider or friend. We’ve heard more than one story of business email accounts being hacked and criminals impersonating staff to request unusual money transfers.In these situations the emails looked real, but the businesses were aware of impersonation scams and took some easy steps to check before making a payment (such as making a quick phone call to confirm given the unusual circumstances).

Reporting when things go wrong

In Australia, the Commonwealth Government’s Notifiable Data Breaches (NDB) scheme came into effect on 22 February 2018. This means that Australian businesses must disclose breaches of personal customer data where there’s a likelihood of serious harm (not just financial harm but also psychological, emotional, physical, reputational and other forms of harm).Breaches can include unauthorised access to computers, files and even accidental disclosure of information, like emailing personal information to the wrong person.The scheme applies to businesses with a turnover of $3 million or more. However, there are many smaller businesses that hold personal information that are also required to report including:

• businesses that provide health services (such as doctors, pharmacists, gyms, childcare centres and private schools)
• businesses that trade in personal information (such as disclosing a mailing list to another person for commercial gain)
• credit reporting bodies
• businesses that hold Tax File Number information (where TFN information is involved in the breach).

It’s important to note that many businesses hold TFN information. Bookkeepers, accountants and tax agents will generally hold this sort of information. But also any business that employs staff who have quoted their TFN can also be caught where that information is inappropriately disclosed.Reports need to be made to the Office of the Australian Information Commissioner within 30 days of a breach. If a report is not made, significant penalties can apply.If you’re in Australia, information is available about Data breach preparation and response. Search for a similar resource in your own country if you’re outside of Australia.Even if you are not required to report a breach under the NDB scheme, you can still report incidents to the Australian cybercrime online reporting network to help with law enforcement.

More information

The digital world is an exciting place to take your business and, with a little planning and some back-end reinforcement, you can take your business to a whole new level.Visit www.asbfeo.gov.au for more information, or if you’re within Australia you can call the Australian Small Business and Family Enterprise Ombudsman on 1300 650 460. Look for a similar organisation in your own country if you’re outside of Australia.

References

Australian Government n.d., ACORN: Australian cybercrime online reporting network, An Australian Government initiative, retrieved 20 June 2018, https://www.acorn.gov.au/.

Australian Government 2018, Data breach preparation and response – a guide to managing data breaches in accordance with the Privacy Act 1988 (Cth), Australian Government, Office of the Australian Information Commissioner, Sydney, NSW, February, retrieved 20 June 2018, https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response.

Australian Government 2018, Stay smart online, Stay smart online program, Cyber Crime and Security Branch, Attorney-General’s Department, Canberra, Australia, retrieved 20 June 2018, https://www.staysmartonline.gov.au/.

Australian Small Business and Family Enterprise Ombudsman 2017–2018, The small business cyber security best practice guide, Infographic, Commonwealth of Australia, retrieved 5 June 2018, http://www.asbfeo.gov.au/sites/default/files/documents/ASBFEO-cyber-security-guide.pdf. [specific to Australia]

Commonwealth of Australia 2018, Australian small business and family enterprise ombudsman, Australian Government, retrieved 20 June 2018, http://www.asbfeo.gov.au/.