ACSC revamps cyber security guidance for small business
The ACSC has released updated cyber security guidelines for small businesses as cyber threats continue to rise.
The Australian Cyber Security Centre (ACSC) has revamped its Small Business Cyber Security Guide and developed a video and cyber security checklist to help small businesses deal with threats.
The updated guidance includes a number of new recommendations, including the use of password managers and the importance of network security and emergency planning.
Creating an emergency plan
ACSC said that having an emergency plan in place when a cyber security incident occurs means staff spend less time figuring out what to do and more time acting.
“When responding to a cyber security incident, every minute counts,” the ACSC guide stated.
Business owners should consider a range of questions including the process for staff reporting a potential cyber security incident.
ACSC said the plan should also cover who will be contacted for assistance.
“For example, IT professionals and your bank,” the guide stated.
Business owners also need to think about how they will manage the operations of the business if any critical systems are offline.
“Make sure your staff are familiar with the emergency plan, including any roles or responsibilities they may have. Maintain a hard copy of the plan in case your systems are offline when you need it,” the guide said.
Protecting your data
With data breaches on the rise, the guide also stressed the importance of understanding what data the business holds and in what locations.
“Some small businesses may have additional obligations under legislation,” said ACSC.
Storing data across numerous devices or services increases the number of systems that need to be kept secure and backed up.
“Numerous systems can also create more opportunities for a cyber criminal to attack. Where possible, store your business data in a central location that is secure and backed up regularly,” the guide said.
“Centralising your data can create a bigger breach if your systems are compromised, so ensure this central location is adequately protected with secure configurations and restricted access. Speak to an IT or cyber security professional for advice.”
Implementing access controls
Restricting user access is another way to limit the damage caused by a cyber security incident.
“Typically, staff do not require full access to all data, accounts, and systems in a business. They should only be allowed to access what they need to perform their duties,” the guide said.
“Restricting access will help limit the damage caused by a cyber security incident. For example, if a staff member’s computer is infected with ransomware, with proper access controls it might only affect a small number of files rather than the entire business.”
Use stronger passwords
Business owners should also use password managers and passphrases to create strong passwords.
“A password manager acts like a virtual safe for your passwords. You can use it to create and store strong, unique passwords for each of your accounts. If you have a lot of accounts, this removes the burden of remembering unique passwords,” said ACSC.
“You don’t have to remember the passwords or the accounts they belong to, as it is all recorded in your password manager.”
Business scam attacks skyrocketing
Recent data released by Eftsure this week indicates that scams targeting Australian businesses are surging as the end of the financial year approaches.
Eftsure has reported a 250 per cent increase in detected scam attempts since the start of April.
The increasing sophistication of scams targeting Australian businesses is being driven in part by recent consumer data breaches, including attacks against Optus, Medibank and Latitude Financial as well as corporate data breaches.
Eftsure’s co-founder and chief executive Mark Chazan said scammers are using stolen personal data to target busy accounts payable teams ahead of the new financial year.
“With June 30 rapidly approaching, accounts payable teams are under increasing pressure, working overtime to close out the accounts before the year end,” Mr Chazan said.
“This pressure makes teams more vulnerable to attack, with scammers leveraging personal data sourced from the dark web to enable sophisticated email phishing attacks, social engineering attempts and other scams.