Business owners face additional challenges when maintaining online safety and security including expensive equipment, staff and sensitive corporate information. Online security is about protecting your information, which is often the most critical and valuable asset a business will own. 

The following topics are of specific interest to business owners:

Online criminals are now actively targeting smaller businesses because they believe their devices are vulnerable.

Steps to securing your business online

1. Provide online security awareness

Put in place an online security awareness program to keep you and your staff informed about good online security practices. It should include:

  • basic training for staff
  • updates and reminders on policies, standards and best practices
  • a regular, scheduled review to update existing security measures
  • signing up staff to the free Stay Smart Online Alert Service to stay up to date with the latest online threat information.

Training and educating your staff is vital to having a strong online security system in place.

2. Define roles and responsibilities

You should put at least one person in your business in charge of making sure all staff understand their responsibilities for online security. This person should consider the following:

  • learning about threats, trends and security options
  • planning, acquiring and implementing security safeguards
  • helping other personnel understand online security best practices and policies
  • enforcing online security best practices and policies with management support
  • maintaining and updating the security safeguards used by your business.

Successful online security within a business of any size relies on management support, good internal communication and individuals taking personal responsibility for their online activities.

3. Include online security in your business plan

Changes in technology mean there are few businesses today that don't operate online in some capacity. An online security plan is an essential part of your overall business plan.

Your plan should clearly and simply outline the key principles and rules for online security within your business.

You can identify and adapt existing standards to deal with specific online security issues or technologies in the business, or write your own.

Include in your plan

  • the safety and security measures you have undertaken to enable retrieval and restoration of your data in the event that you have fallen victim to an online attack
  • action plans to follow if something does go wrong covering such things as:
    • what to do if business equipment is lost or stolen
    • what to do if you think a computer is infected with a virus
    • what to do if there has been a loss of data
  • your expectations of employees in regard to use of business provided internet and social media, sensitive information, strong passwords
  • instructions about how staff may use email and the internet, including blocked sites and restrictions on the size of email attachments
  • outline who has access and how sensitive data should be handled and stored
  • a tracking system to know who is using what equipment in the organisation
  • systems in place to ensure anti-virus, anti-spyware, operating systems, web browsers and other software are kept up to date
  • systems in place to ensure security is maintained while staff are mobile
  • a process for reporting breaches, using the guidelines offered by the OAIC – Data breach notification – A guide to handling personal information security breaches.


  • Use the Stay Smart Online small business assessment tool to identify gaps and options for online security for your business.
  • Identify all business assets (such as computers and business information) and determine their importance and value to the business.
  • Discuss online security threats with employees or outside experts (as required) and determine which assets are at risk of harm if one or more of those threats occur.
  • Prioritise risks as high, medium or low and determine what can be done to reduce those risks.
  • Evaluate the threats, risks and potential security safeguards and then decide what can and should be done to improve online security. 
  • Communicate the online security plan to all employees so they understand their roles and responsibilities. Explain policies and standards to personnel so that they will understand the rationale for rules, to whom they apply and any consequences for not following the policy.
  • Regularly review and update your plan.

4. Budget for online security

Having an effective online security plan may cost time and money and must be taken into account when drawing up your annual business plans and budgets. Fortunately, there are some free services, tools and advice available. Additionally, policies or internal documents can often be developed in-house at minimal cost. There are free anti-malware products available however it may suit your organisation to purchase products and associated annual subscription fees must be considered.

Do you know what your insurance covers? In some cases, your insurance may cover losses due to an online security incident. It is important to discuss this with your insurance provider in advance.

5. Passwords

Implement a strong password practice that identifies the rules for passwords used in your business. Explain to your employees that strong passwords are important to the security of the business, and that they should do the following to protect their password:

  • Learn how to create and use strong passwords.
  • Keep their passwords confidential.
  • Change their passwords regularly (ideally every one to three months).
  • Avoid using the same password for multiple accounts or systems.
  • Always change passwords for new equipment (for example routers and webcams) from the default supplied by the manufacturer to a new and complex one.

6. Point-Of-Sale (POS) security

Your POS systems can be another way to access your computer networks, and it is extremely important to protect them. Online criminals can hack into POS systems to steal payment card numbers and the associated personal identification number (PIN), which they can then use to access your customers' accounts.

  • Make sure that your POS system is behind a firewall. A firewall is a security control, which is used to restrict incoming and outgoing network traffic. Your Internet Service Provider (ISP) may include a firewall with the router or other hardware or software that they provide you, but it is important to check. If they don't provide one, you will need to purchase one.
  • Set up strong encryption for the transmission of all data (e.g., cardholder data) between your POS system and the POS service provider. The service provider should implement this by default. Ask your POS service provider or an online security consultant (with POS experience) for help if you are not sure what to do.
  • Do not use the default user name and password for your POS system (which was shipped with it), create a new user name and password that are unique to your business.
  • Always limit access to client data only to those employees who have a need to access it and are authorised to do so.
  • Keep anti-malware software up to date.

7. Backup and recovery options

Backups are used to restore lost or damaged files. Backing up data will help ensure that your business is able to recover quickly and completely from a system crash, data corruption or breach, or other setback.

Things to think about when developing your backup plan:

  • What do you need to back up?
  • How often do you need to back up?
  • How long should you keep backups? Check with your lawyer, accountant or another responsible party to confirm your requirements.
  • Storing your backups off site and offline.

Find out more: