Let’s Talk: Cybersecurity best practices for SMEs

Cybersecurity is no longer a challenge exclusive to large corporations. SMEs are increasingly becoming targets for cyberattacks. With the digital landscape evolving rapidly, it’s essential for SMEs to prioritize robust cybersecurity measures.

In this week’s edition of Let’s Talk, we delve into the critical issue of cybersecurity for SMEs. Our experts explore the specific threats facing smaller businesses, share practical strategies for bolstering defences, and discuss the importance of staying informed about the latest cyber trends.

Kelly Sabo, Segment Leader, SMB and Mid Market, Cisco ANZ

“For SMEs, robust cybersecurity is vital. Attackers often target SMEs, viewing them as easier prey due to perceived weaker defences compared to larger organisations. Additionally, many SMEs collaborate with larger companies, making them enticing entry points for cybercriminals aiming to infiltrate broader networks.

“Cisco stats show that in Australia 79% of SMEs believe that a serious cybersecurity breach could mean the end for their business. This statistic highlights the urgent need for a proactive, rather than reactive, cybersecurity strategy. It’s not a question of if, but when an attack will occur.

“To mitigate these threats, SMEs should prioritise cybersecurity by implementing strong, unique passwords, enabling multi-factor authentication, and regularly updating software. Comprehensive employee training is also essential. Every staff member should be adept at recognising phishing attempts and practising safe online behaviours. By adopting these measures, SMEs can significantly enhance their cybersecurity posture, safeguarding their operations and maintaining customer trust.”

Steve Manley, Regional VP for Australia and New Zealand at Palo Alto Networks

“Cybersecurity and safety should be top priorities for businesses of all sizes and industries. While large corporations often make headlines when targeted by cyber attacks, SMEs are equally vulnerable due to their comparatively weaker protection. In fact, a cyber crime is reported by a small business to the Australian Cyber Security Centre (ACSC) every ten minutes.

“SMEs often lack the resources, tools, and understanding necessary to safeguard their sensitive data. Unlike larger enterprises, they may underestimate the value of their information to hackers, simply because it doesn’t match the scale of larger corporations. Coupled with underdeveloped protective measures like backups and disaster recovery plans, a cyber attack can devastate an SME.

“Given these threats, it’s essential for SMEs to invest in security education, fostering awareness and a clear understanding of their responsibility to protect critical data. They should also consider adopting proactive security tools powered by AI, such as Palo Alto Networks’ Precision AI system, which leverages machine learning and AI for real-time security and safety. It’s crucial to remember that Australian SMEs are valuable, their data is valuable, and it must be safeguarded.”

Jo Stewart-Rattray, Oceania Ambassador at ISACA

“Safeguarding digital trust through robust cybersecurity measures is crucial for success, regardless of the organisation’s size. ISACA’s recent State of Digital Trust 2024 report highlights the top three benefits of high digital trust: a positive reputation (71%), more reliable data for decision-making (60%) and fewer privacy breaches (60%).

“For small and medium enterprises, limited resources can make it more challenging to implement robust cybersecurity measures. However, there are some key practices that can help protect consumer data and enhance trust:

  1. Data Minimisation: Only collect essential customer information. Avoid handling sensitive data like credit card details directly; instead, use secure payment gateways.
  2. Educate and Enforce Policies: Ensure staff understand their roles in protecting data, leveraging encryption and secure storage practices.
  3. Invest in Technology: Allocate funds for high-quality security platforms to monitor and respond to suspicious activities. The right technology can reduce costs and boost profitability by preventing breaches.
  4. Engage Experts: Hiring qualified cybersecurity professionals or managed security services can provide tailored, cost-effective protection. Look for credentials such as CISM, CGEIT, CRISC, and CISA.

“Keeping your customers’ data safe is not only a moral obligation but also good for business!”

Craig Nielsen, Vice President for Asia Pacific and Japan at GitLab

“As organisations manage the complexity of their evolving tech stacks, we see many struggling to manage the expanding attack surface. Cybersecurity teams can combat this with operational simplification and automation — which also applies to DevSecOps processes — and by optimising design decisions while reducing difficult-to-maintain code and redundant dependencies.

“Organisations should approach software development through the lens of software tool chain optimisation — being intentional about the tools they adopt and what they decide to build into their codebases. This will help minimise dependencies, improve the security of the software supply chain, reduce scanner noise, and ease the burden on developers to fix non-critical issues.

“Second, organisations should embrace tested and assured design patterns based on repeatable use cases: the ‘paved roads’ approach. A paved road is a recommended path, including a curated set of tools, processes, and components, that teams can follow to build secure applications more efficiently.

“Adopting paved roads potentially removes some flexibility, but ultimately reduces the operational burden and rework on engineering teams and increases security. This needs to be a collaborative effort between security and development. Security can help design paved roads, but engineering must be involved to operate and maintain them as part of the codebase.”

Garry Valenzisi, Vice President & General Manager APAC at Iron Mountain

“Small businesses, with tighter budgets for security measures, are often easy targets for hackers. But as our reliance on the online ecosystem deepens, so does the need to strengthen our digital defences. And navigating this threat landscape means taking a proactive approach.

“Understanding your data is an important first step, and managing and protecting this data effectively and in compliance with the law is vital. A data audit will help you to determine what information you have, pinpoint the most valuable assets and know where these records lie. Once you have this information, you can take the necessary steps to ensure it is contained securely by updating security software, managing access controls and implementing a dual authentication system – or even destroying the data you don’t need.

“Employees can be your greatest weakness but also your greatest asset in spotting and protecting against cyber threats. It’s important to educate them on common cyberattack tactics to look out for and develop a strategy to prevent and minimise business risk – which is essential in any business, regardless of size. In return, you’ll feel prepared and confident to face any cyber threats that come your way.”

Ben King, VP Security Trust and Culture at Okta

“Okta solves security challenges for SMEs with a robust modern identity service, making login and authentication easier for employees, customers, and partners.

“This aligns with key cybersecurity best practices that SMEs should implement:

  • Identity Management: Identity is security. Centralise user authentication on a single platform. Okta’s solution automates this process, improving efficiency and security.
  • Strong Access Controls: Implement multi-factor authentication and limit administrator access. Okta’s passwordless authentication enhances security and user experience.
  • Regular Updates: Maintain an up-to-date inventory of network devices and software.
  • Data Protection: Regularly back up data and properly dispose of unused equipment. Secure wireless networks by changing default settings and using encryption.
  • Employee Education: Train staff on creating strong passwords, securing personal devices, and recognising cyber threats.
  • Security Software: Install and maintain anti-virus, anti-malware software, and network firewalls.
  • Incident Response: Develop and regularly practice a cyber incident response plan.

“Okta empowers small businesses to scale quickly, securely, and efficiently through identity management. Our vendor-neutral platform offers speed, scalability, and security compliance, allowing SMEs to focus on strategic goals. By automating processes and centralising user authentication, Okta strengthens an SME’s security posture and delivers their customers a seamless user experience.”

Dr Aastha Gupta, Co-founder and CEO ViCyber

“For small business owners, cybersecurity is not just an IT issue but a foundational aspect of business continuity and trust. Conducting annual cyber health checks is essential, allowing SMEs to identify and rectify vulnerabilities in their office infrastructure, thus safeguarding client data, operational and compliance integrity. This proactive measure prevents severe financial losses and reputational damage.

“Starting with basic cybersecurity measures is vital; achieving at least Level 1 compliance with the Essential Eight Maturity Model lays a foundational security framework as per Government. This model includes strategies like application whitelisting and restricting administrative privileges, which are critical for businesses facing resource constraints.

“Identity and access management also deserves special focus. By enforcing complex passwords, multi-factor authentication (MFA), and the use of reputable password managers instead of insecure methods, SMEs can significantly diminish the risk of unauthorised access. Educating employees on safe online practices is equally important, as many cyber threats exploit human errors. Integrating firewalls and antivirus software creates a resilient, secure environment, crucial for fostering business growth and customer confidence in an increasingly digital world.”

E-Yang Tang, Practice Leader for Security, Resiliency, and Network, Kyndryl Australia and New Zealand

“The rise in cyberattacks targeting smaller companies, often serving as entry points for larger organisations, has intensified the focus on supply chain security. In turn, small-to-medium enterprises (SMEs) are under more scrutiny than ever to ramp up their security practices and comply with stringent industry standards, all while operating with limited resources.

“It is crucial SMEs conduct regular infrastructure assessments to identify and mitigate vulnerabilities to decrease risk of exploitation. Part of this is identifying and updating outdated legacy infrastructure, which exposes organisations to unnecessary risk. Undergoing this assessment helps evaluate cyber readiness, identifies gaps and builds a roadmap for continuous improvement. Meanwhile, investing in intrusion detection tools offers an additional layer of protection.

“However, technology alone is insufficient. Staff training is paramount. Employees must be equipped to recognise and report suspicious activities.

“Finally, it goes without saying that having a cyber incident recovery plan is perhaps the most important best practice. Having a robust incident response plan in place is vital for minimising the impact of an inevitable cyberattack.

“By combining technological measures with human awareness and preparedness, SMEs can significantly enhance their resilience against cyber threats.”

Kumar Mitra, Managing Director and General Manager – Central Asia Pacific & ANZ, Lenovo Infrastructure Solutions Group

“In today’s digital landscape, security forms the bedrock of effective business operations and customer trust. Elements like securing networks, conducting regular data backups, and having a solid incident response plan form the core of a robust cybersecurity strategy. Additionally, cyber insurance can help mitigate financial damages from breaches.

“Employee education is equally crucial. As our Chief AI & Security Officer, Doug Fisher, puts it, ‘Our whole job is to create trust for our customers – we have to be diligent.’ Cybersecurity is a shared responsibility, and comprehensive training is important to minimize risks, especially with generative AI (GenAI) platforms. SMEs must educate their teams to avoid inputting sensitive information into GenAI models, which often rely on public data and can pose significant security threats.

“Cloud data security is another critical area of focus. With valuable information like customer data and intellectual property in the cloud, businesses must implement stringent security measures. Regular backups and a zero-trust architecture—requiring continuous verification of users and devices—are essential for maintaining business continuity and securing cloud data.”

Vic Guerrero, Director of Channel Alliances at NinjaOne

“As threats continue to evolve, cybersecurity has rocketed in importance for businesses of all sizes. However, for smaller and medium sized organisations it can be difficult to allocate the necessary resources and time to bolstering cybersecurity posture. Many SMEs (small and medium-sized enterprises) do not have dedicated cybersecurity professionals, and instead the workload falls on IT teams.

“Therefore, SMEs must focus on making cybersecurity simple and efficient for IT professionals as they balance their responsibilities. A unified platform for IT and security helps streamline operations, providing a central location to manage employee device protection, system patches, and backups.

“It’s also important to have a security-oriented culture across the organisation. Cybersecurity is no longer the sole responsibility of IT professionals, but instead requires a collaborative effort from every employee. From the top, company directors should be more aware of their compliance obligations, and throughout the organisation, employees should receive education on phishing, password sharing, and the value of multi-factor authentication.

“Finally, it is integral SMEs align their cyber strategy to national standards. Implementing the government’s Essential Eight model is integral to building a robust cybersecurity framework, especially when under-resourced.

“With the right IT and security suite, culture, and strategy, SMEs can remain protected in the ever-evolving threat landscape.”

Mark Thomas, Director of Security Services, ANZ at Arctic Wolf

“As technology continues to evolve at a rapid pace, it is harder for businesses to get a foothold into security best-practices – particularly for resource-strapped SMEs. To improve cyber hygiene, there are a number of basic security measures that SMEs can take to protect against cyber threats and reduce business risk.

“Australian organisations are still failing to patch regularly, with over half of external exposure incidents stemming from vulnerabilities with known patches. It’s critical that SMEs stay on top of vulnerability management by regularly patching and updating software in their environment.

“One of the most important pillars of a business’ security posture is understanding the breadth of their attack surface and having holistic visibility enabled through security operations. By taking stock of all assets across the enterprise, SMEs can better manage and prioritise risks and improve their overall cybersecurity posture.

“People are often the first line of defence against credential-based attacks and common phishing attempts that exploit social engineering techniques. SMEs should create a company culture around cybersecurity by implementing a robust security awareness training program across the business and enforcing multi-factor authentication (MFA) to enhance security operations.”

Anthony Spiteri, Regional CTO APJ at Veeam Software

“According to the Veeam 2024 Data Protection Trends Report, 75% of organisations have experienced at least one attack (or more) within the past year.

“While ransomware is undeniably a threat, a thorough cybersecurity plan alone is not enough to keep businesses safe. Industry experts tell us that cybersecurity focuses on securing data, and many companies understand the basics—investing in reliable antivirus and anti-malware software to detect and neutralise threats before they cause significant damage.

“However, to ensure business continuity, businesses must implement a holistic strategy and view cybersecurity as a subset of data resilience. Data resilience refers to an organisation’s ability to withstand and recover from data-related disruptions or failures. This includes ensuring data is available whenever and however it is needed.

“Veeam approaches data resilience through five key pillars. Beyond cybersecurity, companies should consider the following four elements:

  1. Backup Strategy: Implement a robust backup strategy to ensure data can be recovered in the event of a loss.
  2. Recovery Plan: Develop a comprehensive recovery plan to restore operations swiftly after a disruption.
  3. Data Freedom: Ensure data freedom, giving users control over data permissions and allowing flexibility to move data securely.
  4. Data Intelligence: Leverage new technologies to enhance products and improve decision-making.

“By addressing these five pillars, businesses can build a resilient infrastructure capable of withstanding and recovering from various data-related challenges.”

Aaron Bugal, Field CTO, APJ at Sophos

“Small businesses face many of the same threats used to attack larger enterprises. While the amount of money on offer is generally less than what’s available from a larger business, the higher success rate of an attack is very attractive to cybercriminals.

“Enhancing cybersecurity within small businesses begins with a culture shift. Cybercriminals expect SMEs to be less prepared and without sophisticated modern tools and solutions, so it is essential these assumptions are proved wrong. Regardless of IT budget constraints, SMEs should look to perfect the basics. This is done through educating staff, deploying multifactor authentication, and patching servers and network appliances with the utmost priority.

“In the event of a breach, it is equally as important to have the ability to respond quickly. Unfortunately, speed is something that small business owners seldom have on their side due to their lack of manpower, so investing in third-party security experts to monitor and respond 24/7 is table stakes for an effective defence in 2024.

“Staying safe isn’t impossible for SMEs, it just requires comprehensive planning and layered defences to improve response time and minimise damages.”

Brenton Steenkamp, Cyber Partner at Clayton Utz

“For SMEs, cybersecurity best practices begin with data minimisation. Scrutinise your systems, manage unstructured data across platforms, and enforce stringent security controls for third-party access to ensure compliance and reduce legal risk. Effective data security requires a collaborative effort across teams to map and analyse all data assets, both structured and unstructured. SMEs should prioritise protection based on data sensitivity, use technology to identify risks, and ensure compliance at every stage. Turning awareness into action is important for SMEs too. This can be done by implementing strong data security measures, minimising data storage, implementing robust third-party management, and appointing data owners to oversee data quality, compliance, and effective governance. These steps can help to safeguard your business from cyber threats while ensuring legal and regulatory compliance.”

Luke McCarthy, Australia and New Zealand Country Manager and Director at SUSE

“With attackers leveraging AI for malicious purposes, SMEs might feel tempted into hasty and costly security measures. However, security strategies shouldn’t be driven by panic-induced decisions that can create more risk than they deliver intended outcomes.

“Firstly, implementing a zero-trust approach simplifies security operations and lowers security costs. This model operates on the principle that no entity, inside or outside the business network, should be trusted by default. It means continually verifying the identity and integrity of every device and user trying to access systems and limiting the information available to just what that individual requires.

“Secondly, open source solutions (as opposed to closed source, proprietary ones) give SMEs access to advanced capabilities that were once reserved for larger organisations with infinitely bigger budgets. It’s well understood that AI will significantly impact the way SMEs secure themselves, particularly in areas like threat detection, response automation, and predictive analytics. But one of the major benefits open source adds to this is its collaborative nature, ensuring constant updates and broad-based problem-solving – it’s far more than just one pool of intelligence. This community-driven approach promotes more secure software and applications, offering SMEs a robust but cost-effective way to improve their security without the risk of over-reliance on single solutions or organisations – ‘silver bullets’ are misnomers.”

Mollie Eckersley, Head of Operations, BrightHR ANZ

“It seems like every other week a new cybersecurity breach hits the headlines in Australia. Businesses have their work cut out to protect themselves from cybersecurity threats and be aware of the different threats that emerge.

“In the current digital environment, exercising caution in every interaction is paramount. It’s unfortunately too easy for employees who are aware of cybersecurity best practices to slip up, forget, and make a mistake.

“That’s why consistent training and awareness-building courses are any business’s secret weapon. Especially for small businesses that are more likely to be vulnerable to threats and don’t have the sophisticated cybersecurity environment to protect them.

“The other important factor to consider is what devices your employees are using to access information. Putting policies in place to ensure that your employees aren’t using business devices to access their personal information or vice versa is vital. Prevention is better than any cure when it comes to cybersecurity.”

Ivano Bongiovanni, General Manager at AUSCERT

“With SMEs representing a significant proportion of Australia’s economic prosperity, they are a ripe field for cybercriminals to harvest. And with many business operators under economic pressure, cybercrime is an existential threat.

“Some cybersecurity solutions may be expensive but the first steps in the right direction can be made at a low cost. SMEs need to analyse what data they collect and store, how they process it and what they do with it. Then they can determine what level of protection needs to be applied that is the right fit for their risks and budget.

“For most SMEs, ransomware remains the most significant threat. Best practices and guidelines, such as the Australian Signals Directorate’s Essential Eight, can help reduce likelihood or impact of an attack and ensure they can recover quickly.

“The government provides many free resources to SMEs to help protect their business. It is important that all businesses in Australia, regardless of size, make cybersecurity part of their daily routine just like business development, customer relations, and accounting and continuously educate their staff on how to work in a cyber secure way.”

Sascha Giese, Global Technical Evangelist for Observability at SolarWinds

“Despite resource constraints, robust cybersecurity is essential for small and medium-sized enterprises (SMEs) to safeguard sensitive data, maintain customer trust, and ensure business continuity.

“‘Secure by Design’ should be a crucial principle for SMEs, emphasising the integration of security from the outset, rather than as an afterthought. This also means embedding security in all operations – from staff training to network security to secure coding practices. This proactive approach helps build a resilient security framework against potential threats.

“Adopting an ‘assume breach’ mentality is also vital. Recognising that breaches are inevitable, SMEs should focus on looking at the possible result, and determine how to limit the impact. By assuming a compromised environment, businesses can strengthen defences and reduce vulnerabilities.

“And finally, observability is key — gaining deep visibility into the entire IT environment allows for quicker detection and response to security incidents. If you can’t see it, you can’t secure it.”

Peter Kokkinos, Vice President & Managing Director for Asia-Pacific at Udemy

“Cyber threats are evolving, and cybercriminals are targeting businesses regardless of size or industry. It’s well known that Australian businesses have been targets of relentless cyberattacks. Enterprise systems are vulnerable because employee access and multiple entry points increase the potential attack surface. In 2023, 30% of reported data breaches were caused by human error. Therefore, it is vital that organisations prioritise continuous cybersecurity education for employees at all levels.

“For this reason, Australia doesn’t have a skills gap; we have a learning gap. If the workforce doesn’t have the tools and resources to build their knowledge rapidly and regularly, then this gap poses a substantial risk to the workforce across industries.

“With more than 700 courses dedicated to cybersecurity, Udemy is empowering individuals and businesses to address the growing demand worldwide.

“Employees need, and should demand, high-quality learning experiences that enable them to remain competitive. Investing in retraining and upskilling a diverse group of talent creates well-rounded professionals who are prepared to thrive in the workplace of the future.”

Chris Fisher, Regional Director of Australia and New Zealand at Vectra AI

“The current business landscape is witnessing an increased deployment of Generative Artificial Intelligence (GenAI)-enabled tools like Microsoft Copilot to reimagine business models in the name of innovation. Unfortunately, this has directly contributed to an alarming spike in cyberattack frequency, severity and diversity. Recent research suggests that 75% of cybersecurity professionals have seen an increase in AI-powered cyberattacks over the past year, with 85% attributing these to hackers weaponising AI.

“Despite these challenges, GenAI presents an exciting opportunity for SMEs to use AI technology to protect their business against cyberattacks. If businesses go back to basics, leverage proven security expertise, and create a robust foundation of security measures, they are well-placed for innovation without the potential fallout.

“Defending against the unknown today requires a security solution that combines both security research and data science. Instant AI-driven remediation enables security teams to stop unauthorised behaviour, eliminate access and prevent breaches, application abuse, exfiltration and other damage, within minutes not months.”

Laetitia Boden, Founder of Gatheroo

“Cybersecurity is not just something for the tech experts—it’s something everyone involved with the business needs to take seriously. It’s not just about what happens within your own business; it’s also about how you interact with your suppliers and clients.

“As a leader and expert in your field, it’s important to build a culture where security is top of mind. You’ve got a duty of care to ensure that not only your business but also that everyone you come in contact with is protected. This means checking in on your suppliers’ cybersecurity practices and making sure your clients know the best ways to keep communication secure.

“Using the right tools and having strong processes in place can make a big difference here. They help ensure everyone’s on the same page when it comes to protecting data and staying compliant. Remember, cybersecurity isn’t a one-time job—it’s an ongoing effort that needs everyone to pitch in. By working together, you can keep your business and your partnerships safe from cyber threats.”

Chris Dahl, Co-CEO, Pin Payments

“In today’s digital age, cybersecurity is a critical concern for businesses of all sizes, particularly SMEs. To help these businesses navigate the complexities of cybersecurity, here’s a concise overview of six key strategies:

  1. Proactive Approach: Cybersecurity demands constant vigilance and adaptation. Threats evolve, and complacency leaves businesses vulnerable. Regular assessments, updates, and training are key.
  2. Strategic Framework: Develop a comprehensive framework encompassing risk assessment, incident response, and data protection. Regularly assess key operational elements and adjust your strategy.
  3. Risk Management and Capital Allocation: Invest in cybersecurity. Allocate resources for planning, preparedness, response, and recovery. Actively manage third-party risks.
  4. Proper Data Management: Re-evaluate data retention to balance insights and risks. Foster a culture of security awareness through employee training.
  5. Ongoing Management and Director Duties: Effective cybersecurity starts at the top. Business leaders and risk management teams must collaborate with clear communication and shared responsibility.
  6. Legal and Regulatory Compliance: Stay informed and compliant with all relevant standards. Non-compliance can result in severe penalties.”

Luke Dash, Chief Executive Officer at ISMS.online

“Alignment with information security standards like ISO 27001 is vital for SMEs looking to secure their data against cyber threats, establish a competitive advantage and attract a broader range of customers.

“The ISO 27001 standard enables your organisation to create, maintain, monitor and continuously improve an information security management system (ISMS). This is done by implementing a thorough risk management process and addressing identified risks to your information assets using the standard’s 93 security controls.

“These controls are split into four key areas:

  • Organisational controls
  • People controls
  • Technological controls
  • Physical controls.

“ISO 27001 controls cover everything from your information security policy to your cryptography policy, your employee information security awareness and training actions to your clear screen policy. With an ISO 27001-compliant ISMS, you can ensure you’ve addressed potential risks to your organisation’s assets, reducing the risk of cyber incidents. Because the standard requires continual improvement your ISMS will grow with you, securing your business against cyber threats.”

Andrew Kay, Director of Systems Engineering, APJ at Illumio

“SMEs are not confident when it comes to cybersecurity. Global Illumio research found that only 17 per cent of small businesses feel prepared to handle a cyberattack, with more than half believing an attack is likely to become a disaster.

“One of the biggest cybersecurity issues for SMEs is protection in cloud environments. Australian businesses are increasingly storing sensitive data and running high-value applications in the cloud, meaning any disruption can pose severe consequences for business operations, revenue, and customer trust. Given SMEs typically have finite resources, they need security solutions that they don’t need specialist skill sets to build and manage themselves, that provide insight into the current attack surface and generate confidence through adaptive controls that limit breach damage.

“To build cyber resilience in the cloud, SMEs need simple, proactive security solutions that contain breaches as they happen. Zero Trust Segmentation (ZTS) operates on the premise that breaches are inevitable. By segmenting networks into smaller, manageable zones, ZTS limits attackers’ ability to move laterally, ensuring that if the inevitable intrusion occurs, its impact is minimised. This approach enables a granular level of visibility and control, something SMEs sorely need, and allows for greater agility and responsiveness.”

Chase Doelling, Principal Strategist at JumpCloud

“Recent global IT outages have demonstrated the vulnerability of organizations relying on single-vendor solutions and revealed—quite painfully—that IT monocultures fail and can put all organizational resources at risk. To enhance security in the face of any disruption, SMEs should consider the following cybersecurity practices:

  • Question homogeneous infrastructure and avoid being exclusively aligned with a single platform or vendor. Many IT professionals align themselves with specific “platforms,” making it part of their identity – but this reliance creates a dangerous dependency that can lead to catastrophic security failures.
  • Elevate IT and Security roles to C-suite functions, ensuring they have a seat at the decision-making table. This also creates space for critical conversations with senior leadership around the risks associated with homogeneous IT architectures.
  • Creating redundancy through mixed-platform environments can keep data and resources secure and reduce the risk of Shadow IT. Supporting multi-cloud solutions and diverse device types across the organization ensures users don’t adopt sketchy workarounds when singular systems fail.
  • Regularly review and update cybersecurity strategies and playbooks.

“By implementing these practices, SMEs can significantly improve their cybersecurity posture and keep organizational resources secure even during severe disruptions.”

David Price, CEO at Peninsula Australia and Peninsula New Zealand

“As major data breaches in recent times have taught us, businesses must be vigilant when it comes to cybersecurity. Having information stolen by hackers can lead to risks including a breach of customer privacy, loss of revenue and reputational damage, negative impacts that many small businesses cannot afford.

“It’s imperative to have at least a basic understanding of cybersecurity, what it entails, how strong your systems are, and what policies and procedures should be in place. Armed with this information, you’re in a better position to hire the right qualified and trained cybersecurity professionals to protect your business.

“Look for experts with proven experience or recognised credentials such as Certified Information Security Manager (CISM), Certified in Governance of Enterprise (CGEIT), Certificate in Risk and Information Systems Control (CRISC), and Certified Information Systems Auditor (CISA) and a police check. Professional bodies or associations are a good starting point to find experts.

“Training staff on cybersecurity awareness is just as important – after all, phishing attacks are one of the most common ways cyberattacks are conducted.

“Many small business owners are hesitant to spend on cybersecurity, but the importance of being cyber secure makes it a non-negotiable investment.”

Mark Jones, Senior Partner at Tesserent

“As an SME, safeguarding your digital assets and information is crucial. The Australian Cyber Security Centre’s (ACSC) Small Business Cyber Security Guide is a resource that offers practical advice to mitigate cyber threats. Tesserent, one of the largest cyber security providers in Australia, recommends following this useful free resource, which outlines key steps to take including implementing multi-factor authentication, regularly updating software, and backing up data.

“The risk of being impacted by common threats such as phishing, email scams, and ransomware can be reduced through some fundamental controls like employee training, strong passwords, and secure networks. Consulting IT professionals and following a structured backup plan is also recommended. Proactively addressing these issues can significantly enhance your business’s resilience against cyber-attacks.”

Ryan Economos, APAC Field CTO at Mimecast Sales Engineering

“There’s no doubt that SMEs are at increased cyber risk. What’s less clear for many SME leaders is where to begin in building up their cyber defences.

“With limited budgets and minimal cybersecurity expertise, organisations can be challenged with putting in place the necessary controls. And in today’s uncertain economy, SME leaders may be tempted to put off cybersecurity planning and investments.

“Understanding and implementing the foundational components of an effective cybersecurity strategy is the smartest approach to tackle this problem. SME leaders can take several actions that can prove powerful in mitigating their organisations’ cyber risk including:

  • Designate a cybersecurity point person.
  • Develop and practice an incident response plan.
  • Conduct regular training for employees.
  • Back it up. The threat of ransomware persists and continues to evolve as cybercriminals adapt to overcome companies’ bolstered protections.
  • Perform regular patch management (software update that remediates vulnerabilities).
  • Secure email and other communication channels. Email Security Cloud Integrated platform is a purpose-built, AI-powered integrated cloud email security solution that enhances and extends Microsoft 365 protections for small to medium-sized companies.

“By taking the actions above, SME leaders can create a foundation upon which they can continue to develop a robust cybersecurity defence.”

Geoff Schomburgk, Vice President of Asia Pacific and Japan at Yubico

“Protecting small and medium enterprises (SMEs) against cyber attacks will keep the innovation engine for the Australian economy safe since 97.3% of all businesses are SMEs.

“SMEs currently underestimate the risk of a cybersecurity breach. According to our research report, the State of Global Enterprise Authentication Survey of 2022, one in three breaches involved an SME. 52 per cent of SMEs experienced at least one cyberattack during that year and 40 per cent do not have a comprehensive and up-to-date cybersecurity incident response plan.

“Passwords are increasingly the cause of costly security breaches, with weak or stolen passwords responsible for more than 80 per cent of breaches. Stolen credentials can be used to launch ransomware, phishing and malware attacks on an unsuspecting business.

“Authentication using only a username and password is single-factor authentication. SMEs can significantly reduce cyber risks by adding a physical layer of Multi-Factor Authentication (MFA) with security keys.

“Even legacy MFA methods, such as SMS or mobile authentication, have been proven to be highly vulnerable to phishing. Phishing-resistant MFA is the modern and effective approach to protecting your hard work, brand image and business.”

Hank Clark, Executive Director and Chief Strategy Officer at CSO Group

“Australian SMEs are the lifeblood of Australia’s economy, contributing to nearly $590 billion of value in 2022-23, roughly a third of Australia’s total GDP. Despite this, SMEs are a soft target for cyber criminals.

“To defend themselves from the rise in complex and targeted potential cyber-attacks, there are several strategies SMEs can employ:

  • Treat cyber security as a priority – Cyber security is no longer a ‘nice to have’ and it isn’t just for ‘tech people’ anymore. Cyber breaches are costly, negatively impact trust and in cases affecting sensitive customer data, can be catastrophic. No business or individual is too small to be a target. Prioritising cyber security is a proactive step toward mitigating business risk and protecting what matters most.
  • Use the resources that are available to you as a small business – There are many great tools to help SMEs both at the state and the federal government level. This is a good starting point for SMEs as it provides sound guidance, particularly for those who are just starting up.
  • Understand your risks and develop a strategy – A well-articulated cyber security strategy helps to focus and prioritise investment towards the areas of greatest risk. It is a great tool for raising cyber awareness across the business and maximising the value realised through cyber initiatives.
  • Find a good partner – It is important to get the right technology partner who has the knowledge and experience to support your business because cyber threats are constantly evolving. Australian SMEs need to constantly remain vigilant and safeguard themselves against all types of attacks as it’s not a matter of if they will suffer a cyber-attack, but when.”

Soren Norgaard, Director of Security Exhibition & Conference at Diversified Communications

“As cyber threats continue to evolve and businesses become increasingly reliant on technology to run, it’s essential for small businesses to stay ahead by implementing strong cybersecurity practices.

“Ensuring all systems and software are regularly updated to protect against vulnerabilities is essential to prevent criminals from taking advantage of outdated technology. Consider implementing Two-Factor Authentication across online accounts for an extra layer of security.

“Educate your employees on the importance of cybersecurity by sharing tips on proper password management and sending out test phishing emails to help them recognise the signs.

“You don’t need to rely on internal knowledge or resources, either. Invite a security expert to talk to your staff or set up a small cybersecurity class during work hours.

“For more insights into best practice cybersecurity, consider attending industry events such as the upcoming Security Exhibition & Conference. These platforms provide excellent opportunities to learn from experts and stay updated on the latest developments in the field. Cyber threats are ever-changing, but a renewed focus on cybersecurity can help safeguard your business and its valuable data.”

Konstantin Klyagin, Founder of Redwerk and QAwerk

“You may have heard that the biggest cybersecurity threat comes from within an organization. Since phishing attacks remain a common and costly issue, SMEs should prioritize employee cybersecurity training, including practical workshops and simulations.

“Stolen or compromised credentials were the most prevalent attack vector in 2024. That’s why relying only on strong password policies and MFA is not enough. SMEs need to exercise a holistic approach to enhance their security. Implement a single sign-on (SSO) solution for critical systems to simplify logins and reduce password fatigue. Additionally, web application firewalls (WAFs) and rate-limiting techniques can detect and block brute-force attacks.

“IT failure accounted for 23% of data breaches in 2024. Outdated, unpatched, and misconfigured software often contains known security holes that hackers can probe. Older systems may not support modern security protocols or the latest antivirus software. Regular code security audits can help SMEs identify and address vulnerabilities before they are exploited.

“Don’t neglect physical workplace security. Ensure employees lock their computers when unattended and avoid leaving passwords on sticky notes. Implement a visitor sign-in policy and escort visitors throughout the building. Remember to restrict access to sensitive areas like network rooms and server facilities.

“Given that cyber threats are constantly evolving, SMEs must keep up with the latest vulnerabilities and regularly update their incident response plans.”

Jacqueline Jayne, Cybersecurity Expert

“SMEs face numerous cyber threats daily; phishing, smishing, vishing, and qishing are the most prevalent. Data breaches and significant financial losses are the results of these malicious threats, and to counteract evolving cyber threats, continuous (engaging) education and training for SMEs and their employees is critical.

“Business email compromise (aka BEC) scams are on the rise with cybercriminals impersonating trusted contacts to redirect payments. Ensure your payment processes are clear and strictly adhered to.

“Passwords are another weak link. Ditch the Post-it notes and spreadsheets; instead, use a Password Manager, and implement Multi-Factor Authentication (MFA). The MFA layer of security requires not just a password but also a unique code from an authentication app, making unauthorised access harder.

“New vulnerabilities are discovered regularly, so enable automatic software and operating systems updates to stay protected.

“Finally, and sometimes overlooked, back up your data. Regular backups can be a lifesaver in the event of a breach, enabling you to restore your systems without paying a ransom or delay. Use external devices, backup systems, or secure cloud storage to safeguard your data.

“Being vigilant, staying informed, and following best practices reduces the risk of cyberattacks and creates a safer digital environment for SMEs.”

Paul Wilson, Chief Technology Officer, Blue Connections IT

“There are four ways small and medium-sized enterprises (SMEs) can prioritise cybersecurity to protect their operations and sensitive data:

  1. Implement strict access controls
    Enforce the use of strong passwords, multifactor authentication (MFA), and strict access controls to minimise the risk of unauthorised access to systems, sensitive information, and accounts. Keeping all software up to date also ensures that known vulnerabilities are patched, preventing potential exploits.
  2. Train employees in best practices
    Educate staff to recognise phishing attempts and understand the importance of data security protocols. Regular training sessions keep employees vigilant against the latest threats, fostering a culture of security awareness.
  3. Back up data regularly
    Automated backups should be scheduled, and the integrity of these backups should be checked routinely. SMEs should also develop a comprehensive incident response plan outlining steps to take in the event of a breach. Regularly testing and updating this plan will ensure its effectiveness and relevance to evolving threats.
  4. Partner with managed security service providers (MSSPs)
    MSSPs offer specialised expertise and continuous monitoring as a cost-effective alternative to an in-house security team. SMEs can better protect against sophisticated cyberthreats and ensure ongoing compliance with industry standards by partnering with an MSSP.”

Cam Roberson, Vice President at Beachhead Solutions

“SMEs must adopt proactive threat response measures to get ahead of attacks. This should involve utilizing sentinel technology to pre-set customized responses to potential security threats like hacking attempts, geo-fence violations, and lost devices. By automatically running scripts, revoking data access, or sending alerts when threats are detected, SMEs can prevent successful attacks before they occur.

“Another vital cybersecurity practice is maintaining comprehensive compliance reporting. This allows SMEs to demonstrate their commitment to regulatory compliance through detailed, on-demand reports covering security posture, risk assessments, and compliance status. Such transparency helps build trust and retain business by showcasing adherence to complex compliance frameworks and data privacy standards.

“Lastly, SMEs should consider strategies and solutions that streamline compliance across multiple requirements. By adopting a single platform that meets dozens (if not more) cybersecurity compliance mandates—including CMMC 2.0, HIPAA, FTC Safeguards, and NIST 800-171—SMEs can efficiently monitor and enforce policies, encryption, access controls, and risk mitigation across their networks. Getting this right will avoid costly non-compliance penalties and reputation damage.”

Saaim Khan, Founder & Principal Advisor at Cyber Matters

“In today’s digital landscape, cybersecurity isn’t just about protection; it’s a strategic growth vector for SMEs, SaaS, and small businesses. Building trust with your customers is crucial, and a robust cybersecurity posture is the currency that buys that trust. Start by embedding security hygiene into your business from day one. Good cybersecurity solutions don’t necessarily mean extra expenses; many effective measures are cost-efficient and are probably already included in your existing technology stack.

“Think of cybersecurity like an onion, with layers that cover all aspects of your business. Begin with risk awareness embedded into every business process, ensuring that everyone understands the importance of security. Prioritise data security to protect sensitive information. Secure devices to prevent unauthorized access and breaches. Fortify your network and cloud infrastructure to defend against external threats. Finally, focus on people security by educating employees on best practices and fostering a culture of vigilance.

“By adopting these layered security measures, you can safeguard your business, build unwavering customer trust, and create a resilient foundation for future growth.”

Narendra Shukla, Consulting Services at Edwise Consulting

“Australia witnessed a rise of over 50% in cybersecurity incidents from 2020 to 2023 alone. The frequency of reported cyber incidents in Australia is trending upward, averaging 1 incident every 6 minutes instead of 1 every 7 minutes in 2021 (Reported by Australian Cyber Security Centre). The rise in cyber incidents now costs 14% more per incident to Australian businesses.

“These trends paint the picture of the rising cyber threats in Australia, which means businesses will need a more tailored and proactive approach to keeping pace with the growing threats.

“Baseline best practices include educating employees, implementing a robust password policy, and regularly updating software. However, to effectively mitigate risk, organisations should conduct a comprehensive risk assessment to identify vulnerabilities and protect their business through appropriate cyber insurance.

“Depending on their cybersecurity maturity level, businesses may benefit from engaging external consultants to identify threats and implement appropriate changes to align with global best practice capabilities such as Segmentation, Hardening, Identity Management, Legacy System Remediation, Cyber Forensic Capability, Event Detection and Response etc.

“The key to better cyber protection lies in understanding the unique challenges before preparing and implementing an effective mitigation plan and consistently uplifting capabilities to align with the changing trends.”

Fred Thiele, Group Chief Information Security Officer at Interactive

“Maintaining strong cyber hygiene is crucial for safeguarding against ever-evolving cyber threats. Recent high-profile breaches, including 447 ransomware reports received by the ACSC, underscore the urgent need for effective cyber practices. With incidents costing Australian businesses up to $250,000 each and the economy $2.59 billion annually, prioritising preventive measures has never been more critical.

“Cyber hygiene involves fundamental practices like the management of vulnerabilities, identities, and assets. These practices are essential for maintaining the health and security of systems and should be integrated into the daily operations of any organisation.

“Fred Thiele, Group CISO at Interactive, stresses, “Cyber hygiene isn’t a one-time project; it’s an ongoing effort embedded into the very fabric of an organisation. It’s about creating habits that become second nature for everyone, not just ticking off a checklist.” Good cyber hygiene also combines best practice, technology countermeasures and strong cyber security awareness training.

“Effective cyber hygiene can’t be underestimated. It helps protect against threats and also ensures that IT and security teams spend less time managing crises, allowing them to focus on strategic initiatives. For businesses seeking to enhance their cyber resilience, investing in robust cyber hygiene practices is a critical step.”

Mitch Colton, Founder and Managing Director at Colton Computer Technologies

“One of our strong best practice recommendations is to invest your time and energy in building a solid data strategy. Many companies are struggling with SaaS app sprawl and don’t know where valuable company data is stored. You need to ensure confidential data is protected by data access rights and saved according to data storage format rules and a data architecture plan. Plus, organisations should be proactively deleting any data that doesn’t hold business value to avoid data exposure and reduce risk.

“Overlaying an effective data strategy with multi-factor authentication, secure file sharing, and appropriate cyber security tools and monitoring will mitigate the risk of a data breach and the associated reputational damage.

“SMEs often make the mistake of thinking, “It won’t happen to me,” when, in fact, they are a major target for cyber attacks due to their less sophisticated defence systems. The sad part is that the majority of SMEs will struggle to stay in business if they fall victim to a cyber incident.”

Simon Wijckmans, CEO at c/side

“The third-party scripts that SMEs interject into their websites to run everything from analytics to chatbots to error handling must be better monitored and secured. The repercussions, as headlines continue to show, are increasingly high. The average business’s website runs more than 20 of these third-party scripts (which change frequently, posing significant security risks). Malicious actors can exploit vulnerabilities within the scripts to redirect users, steal sensitive information, or manipulate website content—as we saw with polyfill[.]io only weeks ago. As a result of increased security awareness on the infrastructure and open source supply chain, malicious actors increasingly seek to weaponize the browser as the place of execution, yet most sites have nothing in place to monitor client-side behavior. To mitigate these risks, SMEs should implement real-time monitoring of all third-party scripts running on their websites. This involves tracking script changes, assessing their behavior, and validating their security. Regular security assessments and vulnerability scans of these scripts are essential. By maintaining visibility and control over third-party scripts, SMEs can significantly reduce their attack surface and protect their users’ data. This practice aligns with evolving security standards, such as PCI DSS 4.0—which mandates tamper-detection mechanisms for entities handling card data.”


Yajush Gupta

Yajush is a journalist at Dynamic Business. He previously worked with Reuters as a business correspondent and holds a postgrad degree in print journalism.
