    Does your business collect or hold any digital data?

    Digital data is any information you collect or store in a digital form, whether it’s on a device (e.g. a computer or phone), the internet or a server. Common types include customer data (like email addresses), employee data (like payroll and salary information) and critical business data (like sales figures).

    Cyber criminals see high value in digital data, which can be maliciously targeted or accidentally exposed through non-secure practices. Stolen, lost or compromised data can leave a business unable to operate, and damage its reputation and bottom line. Some incidents can even cause legal issues or result in fines.
    You have the type of data cyber criminals are looking for.
    Higher risk

    Because you collect digital data, your business could be at high risk of being targeted in an attack. Any customer or employee information you hold can be stolen, sold on, or used to commit crimes like identity theft or financial fraud. Critical business data can be held ransom for payment or used to disrupt your business’s day-to-day operations.

    • Do an audit of the data you have and where it’s stored.
    • If you don’t already have one, create a clear protection plan or policy to manage this data.
    • Run regular tests to make sure you can recover your website or files, and check your back-up frequency is adequate.

    To learn more about how to protect your business information from cyber criminals, download the free Telstra Business Intelligence report on Managing Risks Online.

    You may be a target of cyber criminals even without digital data.
    Lower risk

    Many businesses don’t realise the extent of the data they collect – like customer email addresses, online account login details, invoicing/tax records, email chains and so on – let alone the value it can hold for criminals. But even if you don’t store this data on your systems or cloud services, you could still be at risk. Your email and banking accounts could be targeted through phishing (malicious emails) and other scams, while an unsecured website could be intercepted by hackers.

    • Consider if you inadvertently collect any customer or business-critical data and if you need a protection plan to manage this.
    • Ensure you and your employees are implementing secure online practices.
    • Regularly check that you can recover your website or files, that your back-up frequency is adequate, and that you have a tested plan in place if your technology systems and data are unavailable.
    • To find out more about the vulnerabilities cyber criminals are looking for, download the free Telstra Business Intelligence report on Managing Risks Online.

    You may have the type of data cyber criminals are looking for.
    Higher risk

    Even though you’re not sure if you collect digital data, your business could be at high risk of being targeted in an attack if you do unknowingly collect information online. Any customer or employee information you hold can be stolen, sold on, or used to commit crimes like identity theft or financial fraud. Critical business data can be held ransom for payment or used to disrupt your business’s day-to-day operations.

    • Do an audit of the data you have and where it’s stored.
    • If you don’t already have one, create a clear protection plan or policy to manage this data.
    • Run regular tests to make sure you can recover your website or files, and check your back-up frequency is adequate.
    • To find out more about the type of information cyber criminals are looking for, download the free Telstra Business Intelligence report on Managing Risks Online.

    How many employees (including regular contractors) do you have?
    Most breaches involve some kind of human error (like clicking a malicious email link or using a weak, easily hacked password), and a business’s cyber security controls are only as good as their weakest link. The more employees there are accessing a business’s information and networks, the greater the risk of exposure to an attack.
    As a sole trader, you’re at lower risk of an online attack.
    Lower risk

    As a sole trader, you're at lower risk, but it's important to keep up with the rapidly changing online threat landscape and protect your own systems, networks and devices from an attack. Adopting a protective mindset and applying cyber security fundamentals can help protect your business.

    • Ensure your passwords are unique, use multifactor authentication and keep your system software updated to the latest version.
    • Stay informed of emerging attacks and recommendations by reading reports, articles and government advice in the cyber security space.
    • Consider how you'll stay secure online if you do take on contractors or employees.

    Seek out advice from a cyber security expert if you need it.

    Your number of employees puts you at risk of an online attack.
    Higher risk

    Your business size (2–10 employees) puts you at an increased risk of an online attack. Business owners and managers can help minimise this risk by adopting a protective mindset and implementing security fundamentals.

    • Ensure all passwords are unique, use multifactor authentication and keep your system software updated to the latest version.
    • Educate yourself on current government and expert recommendations by reading reports, articles and studies in the cyber security space.
    • Create policies and processes that educate your employees on cyber security risks and promote secure working habits.
    • Be vigilant around access and identity, so you know who can access what and that you have the authentication tools to know who they are.

    Seek out advice from a cyber security expert if you need it.

    Your number of employees indicates a higher risk of an online attack.
    Higher risk

    Your business size (10+ employees) puts you at higher risk of an online attack. Business owners and managers can help minimise this risk by adopting a protective mindset and implementing security fundamentals.

    • Ensure all passwords are unique, use multifactor authentication and keep your system software updated to the latest version.
    • Educate yourself on current government and expert recommendations by reading reports, articles and studies in the cyber security space.
    • Create policies and processes that educate your employees on cyber security risks and promote secure working habits.
    • Be vigilant around access and identity, so you know who can access what and that you have the authentication tools to know who they are.

    Seek out advice from a cyber security expert if you need it.

    Do your employees or contractors ever use their own devices to complete work?
    Whether they’re supplied by a business or belong to employees, devices (like desktop computers, laptops, mobiles and tablets) are vulnerable to hackers and need protection to help secure your business. The more devices there are, the harder it can be to control whether they have the necessary measures in place to help prevent an attack and the greater the opportunity for criminals to access them.
    Your employees’ device use puts you at a higher security risk.
    Higher risk

    As your employees or contractors use their own devices for work purposes, you're at higher risk of a breach. All devices you and your employees work on need protection to help keep your business safe.

    • Develop a tailored device management plan to minimise your risk.
    • Ensure it includes personal use policies, minimum password requirements, and device protection software that gives you the ability to remotely wipe devices.

    An integrated cyber security plan with device-level protection can help keep your valuable business assets safe.

    As your employees don’t use their own devices for work, you’re at reduced risk of a security breach.
    Lower risk

    As your employees or contractors don't use their own devices for work purposes, your business is at a lower risk of an attack. But it's still important to make sure all of your work devices have the necessary measures in place to help prevent a breach.

    • Implement antivirus software on every device used for work purposes.
    • Set minimum password requirements.
    • Create personal use policies to help keep your business devices secure.

    An integrated cyber security plan with device-level protection can help keep your valuable business assets safe.

    Your employees’ device use could be unknowingly putting you at a higher security risk.
    Higher risk

    As you're not sure if your employees or contractors use their own devices for work purposes, you're at higher risk of a breach. All devices you and your employees work on need protection to help keep your business safe.

    • Check if your employees use any of their devices for work purposes.
    • If so, develop a tailored device management plan to minimise your risk.
    • Ensure it includes personal use policies, minimum password requirements, and device protection software that gives you the ability to remotely wipe devices.

    An integrated cyber security plan with device-level protection can help keep your valuable business assets safe.

    Your business’s device use indicates a lower security risk.
    Lower risk

    As you don't have employees, your business's device use puts you at a lower risk. Even without employees, it's still essential that all of your work devices have the necessary measures in place to help prevent a breach.

    • Implement antivirus software on every device used for work purposes.
    • Use a unique password for all of your accounts to help secure your devices.

    An integrated cyber security plan with device-level protection can help keep your valuable business assets safe.

    How would you respond to an online attack?

    An online or cyber attack is a malicious and deliberate attempt by criminals to breach the systems and information of another individual or organisation.

    The way a business plans for and responds to an online attack can affect the potential fallout of a breach. Preparing for how to manage an attack in advance can help a business recover faster later and minimise any damage to the business, its customers and its bottom line.
    Having a reactive instead of proactive response plan could put you at higher risk of damage from a cyber attack.
    Higher risk

    Engaging an IT expert only when something goes wrong could indicate you have a reactive (rather than proactive) approach to how you handle cyber security, which puts you at a higher risk of damage from an online incident.

    • Document an online incident response plan with formal guidelines for how you confirm, report, repair and communicate a breach, as well as any legal obligations.
    • Develop and test a business continuity plan, so you can quickly and confidently fall back to manual processes without disruption if technical systems are offline (which is often the most expensive part of a breach).

    A cyber security expert can provide guidance on developing, reviewing and communicating an incident response plan to help you protect your business's valuables and reputation.

    Having a proactive response plan minimises your risk of damage from a cyber attack.
    Lower risk

    By having a formal cyber security response plan in place, you're helping to minimise your risk of damage from an attack. Being proactive in this area suggests you've thought out the risks and planned for how you'd handle the fallout of an online incident, but it's important to conduct regular reviews.

    • Check that your response plan includes the most up-to-date, best-practice information on how you confirm, report, repair and communicate a breach, as well as any legal obligations.
    • Develop and test a business continuity plan, so you can quickly and confidently fall back to manual processes without disruption if technical systems are offline (which is often the most expensive part of a breach).

    A cyber security expert can help provide guidance on how to review, update and communicate your incident response plan to help you protect your business valuables and reputation.

    Without a proactive response plan, you may be at high risk of damage from a cyber attack.
    Higher risk

    Without a plan in place to respond to an online incident, you are at higher risk of damage from a potential attack, the effects of which can spread across your business in minutes. Proactive planning in this area can help save your business time, money and business resources in the event of a breach.

    • Document your online incident response plan with formal guidelines for how you confirm, report, repair and communicate a breach, as well as any legal obligations.
    • Develop and test a business continuity plan so you can quickly and confidently fall back to manual processes if technical systems are offline (which is often the most expensive part of a breach).

    A cyber security expert can provide guidance on developing, reviewing and communicating an incident response plan to help you protect your business valuables and reputation.

    Do you access public networks for work purposes?

    A public (or shared) network is one that anyone can access to connect to the internet. Examples of these include Wi-Fi networks in airports, hotels, libraries, cafés or other public spaces.

    Public or shared networks that are often used to perform remote work (like in a café, airport or hotel) aren’t always secure. Hackers can use unsecured, shared Wi-Fi networks to distribute malicious software (malware) to other connected devices or to intercept valuable business information, from credit card details to business-critical logins and passwords.
    Using public networks can leave you more vulnerable to an attack.
    Higher risk

    Since you access public networks, you're at higher risk of an online attack.

    • Limit your use of public networks and instead connect to private, secured networks that you know and trust for work purposes.
    • If you must use public networks, use measures – like data encryption, virtual private networks (VPNs), and mobility and device protection on all work devices that move between spaces and networks – to protect yourself from some of the risks.

    When it comes to how you connect to the internet, using secure business-grade networks with password protection and identity management (individual sign-ins) is the best way to keep your business and its information safe.

    Using private, secured networks leaves you at lower risk of an attack.
    Lower risk

    By not accessing public networks for work purposes, you're helping to minimise your risk of an online attack.

    • Continue to limit your use of public networks and only connect to private, secured networks that you know and trust for work purposes.

    When it comes to how you connect to the internet, using secure business-grade networks with password protection and identity management (individual sign-ins) is the best way to keep your business and its information safe.

    You could be unknowingly using public networks, which can leave you more vulnerable to an attack.
    Higher risk

    Since you aren't sure if you access public networks, you're at higher risk of an online attack. If you've ever used a hotel's shared Wi-Fi to pay a business invoice, updated your business's social media account from the café next door or connected to the free Wi-Fi at the airport to shoot off a work email on your mobile, you've used public networks.

    • Limit your use of public networks and instead connect to private, secured networks that you know and trust for work purposes.
    • If you must use public networks, use measures – like data encryption, virtual private networks (VPNs), and mobility and device protection on all work devices that move between spaces and networks – to protect yourself from some of the risks.

    When it comes to how you connect to the internet, using secure business-grade networks with password protection and identity management (individual sign-ins) is the best way to keep your business and its information safe.

    Do your employees or contractors ever access public networks for work purposes?
    When employees or contractors work remotely or on the go, it’s not uncommon for them to access public networks on their mobile devices. As these networks aren’t always secure, this can leave connected devices vulnerable to an attack or create an opportunity for hackers to get hold of a business’s sensitive information.
    Your employees using public networks can put your business at higher risk of an attack.
    Higher risk

    Because your employees access public networks for work purposes, your business is at greater risk of a security breach.

    • Educate your employees on what secure networks are and why they're essential.
    • Implement network and internet access policies that include clear guidelines for when and how employees can safely get online (such as using VPNs when they're on the go).

    Because your employees don’t connect to public networks, you’re at lower risk of an attack.
    Lower risk

    Since your employees don't access public networks for work purposes, they're already using best practice and helping to minimise your risk of an online attack.

    • If you don't already have one, formalise a network and internet access policy so your employees have clear guidelines on where and how they can safely get online.

    Your employees could be unknowingly putting your business at higher risk of an attack if they’re using public networks.
    Higher risk

    Because you're unsure of your employees' network connection practices, it's possible they're accessing public networks and putting your business at greater risk of a security breach.

    • Find out if your employees or contractors are using secure, trusted networks to handle your business's information.
    • If they aren't, educate your employees on what secure networks are and why they're essential.
    • Implement network and internet access policies that include clear guidelines for when and how employees can safely get online (such as using VPNs when they're on the go).

    Because you don’t have employees who connect to public networks, you’re at lower risk of an attack.
    Lower risk

    Because you work alone, there is no risk of employees accessing public networks for work purposes.

    • If you do take on contractors or if your business grows beyond yourself, consider network and access policies so there are clear guidelines on where and how people connected with your business can safely get online.

    Do you update the operating system on your main work device to the latest version when you’re prompted?

    e.g. your MacBook’s latest macOS version, Microsoft Windows latest version, etc.

    All devices (including computers, phones and tablets) use operating systems to run. Cyber criminals try to find weaknesses in these systems to access a device, so most device providers release regular updates to correct (or “patch”) any known security flaws and improve functionality. If these updates aren’t applied as soon as they appear, hackers can target these vulnerabilities through malware attacks that allow the attacker access to the device.
    Your system update habits put you at lower risk of a cyber attack.
    Lower risk

    By updating your operating system automatically or as soon as a prompt appears, you're lowering your risk of a cyber attack.

    • It's worth formally implementing this approach for any devices used in your business, including those of any employees and contractors.

    Your system update habits put you at higher risk of a cyber attack.
    Higher risk

    By delaying or neglecting to update your operating system, you're putting your business at high risk of a cyber attack.

    • Enable automatic updates so patches are installed on your work devices' operating systems as soon as they're available, protecting your business from cyber criminals looking to take advantage of known flaws.
    • You can set a convenient time for most updates so they don't interfere with your day-to-day work.

    Your system update habits may put you at higher risk of a cyber attack.
    Higher risk

    Because you're unsure if you regularly update your operating system, it's possible your devices do not automatically patch known security vulnerabilities, which puts your business at high risk of a cyber attack. It's best practice to keep your operating system up to date with the latest available patches, which helps to protect your business from cyber criminals looking to take advantage of known flaws.

    • Check the settings on your main work device (and any others you work on) to make sure you have automatic updates enabled where possible, or check manually for new updates on a regular basis.
    • You can set a convenient time for most updates so they don't interfere with your day-to-day work.

    How often do you update your antivirus on your main work device?
    Antivirus software helps keep businesses safe online by searching devices for known threats and blocking or removing malware as quickly as possible. Regular updates help to protect devices from the latest known viruses, spyware and other malware that can delete or corrupt files, steal personal or business data, or allow cyber criminals to access devices.
    Your antivirus update practices put your main work device at lower risk of being infected by malware.
    Lower risk

    By enabling automatic updates on your antivirus software, your main work device is at lower risk of being infiltrated by malware. This also applies to any other devices you use for work purposes.

    • Along with having the latest version of your antivirus installed, it's best practice to set up daily automatic updates and scans to help identify and defend your device from quickly evolving online threats.

    While antivirus is a vital component of your security strategy, cyber criminals are constantly updating their methods, so it's a good idea to have a holistic, proactive security plan that evolves as your business needs do.

    Your antivirus update practices put your main work device at high risk of being infected by malware.
    Higher risk

    By running infrequent updates, your main work device is at high risk of being infiltrated by malware. This also applies to any other devices you use for work purposes. While occasional antivirus updates may seem sufficient, cyber criminals are constantly creating new malware, and it changes appearance quickly to avoid detection.

    • Follow best practice by enabling automatic antivirus software updates.
    • Automatic or regular scans are vital to help identify and defend your device from quickly evolving online threats.

    While antivirus is a vital component of your security strategy, cyber criminals are constantly updating their methods, so it's a good idea to have a holistic, proactive security plan that evolves as your business needs do.

    Without antivirus, your main work device is at high risk of being infected by malware.
    Higher risk

    As you don't have antivirus software, your main work device is at high risk of being infected by malware. This also applies to any other devices you use for work purposes. It's imperative for every device to have antivirus software installed with automatic updates enabled.

    Without this protective barrier in place, you could compromise your device through doing common online tasks like opening an infected email attachment, downloading infected apps or files, or even opening a false website link. One click is all it takes.

    • Install antivirus software on your device.
    • Ensure your antivirus software updates automatically.
    • Run regular or automatic scans to help identify and defend your device from quickly evolving online threats.

    While antivirus is a vital component of your security strategy, cyber criminals are constantly updating their methods, so it's a good idea to have a holistic, proactive security plan that evolves as your business needs do.

    How often do you back up your critical business data?

    Depending on how it’s stored and how often it’s backed up, critical business data – including sensitive information, company assets, documents and files – can be stolen, lost or compromised, causing a business’s operations to grind to a halt.

    Regular back-ups are essential to help a business recover its data and maintain business continuity in the event of malicious attacks (like ransomware, which blocks access to data or devices until a ransom is paid), inappropriate access, system failures, broken/lost devices or accidental deletions.

    Your data back-up practices may put your business continuity at high risk.
    Higher risk

    As you're unsure how often you back up your critical business data, it's likely your back-ups are infrequent or aren't happening at all. This means you could lose access to the information you need to operate, potentially putting your business continuity at risk.

    The first step to keeping your data safe and accessible is understanding how, where and how often it's backed up. Then, put measures in place to prevent the risk of data loss.

    • Check where your business's information is stored and consider what would happen if that means of access were lost.
    • Implement a secure storage solution that you back up regularly.
    • Get familiar with the 3-2-1 strategy: save at least three copies of your data, two of which are on-site on different devices (like a laptop and a hard drive) and one that is off-site or on the cloud.
    • Consider encryption for sensitive data as an extra layer of protection.

    Your data back-up practices are likely to put your business continuity at high risk.
    Higher risk

    As you only back up your critical business data once a year, you could be at risk of losing a year's worth of information. If you need this data to operate, you could be putting your business continuity at risk.

    Help keep your data safe and accessible by implementing best-practice measures in the day-to-day running of your business.

    • Implement a secure storage solution that you back up regularly.
    • Get familiar with and implement the 3-2-1 strategy: save at least three copies of your data, two of which are on-site on different devices (like a laptop and a hard drive) and one that is off-site or on the cloud.
    • Consider encryption for sensitive data as an extra layer of protection.

    Your data back-up practices are likely to put your business continuity at high risk.
    Higher risk

    As you only back up your critical business data weekly or monthly, you're at risk of losing anywhere from a week's to a month's worth of information. If you need this data to operate, you could be putting your business continuity at risk.

    Help keep your data safe and accessible by implementing best-practice measures in the day-to-day running of your business.

    • Implement a secure storage solution that you back up regularly.
    • Get familiar with and implement the 3-2-1 strategy: save at least three copies of your data, two of which are on-site on different devices (like a laptop and a hard drive) and one that is off-site or on the cloud.
    • Consider encryption for sensitive data as an extra layer of protection.

    Your data back-up practices help to ensure your business continuity.
    Lower risk

    Your data back-up solutions may help significantly lower your risk of business disruption as you should be able to recover your critical business data and safeguard your business continuity.

    • Test your restore processes to ensure they are seamless in the event of an incident.
    • If you're backing up your data using an on-site server, consider switching to secure cloud storage with identity controls (like password policies, a password manager and multifactor authentication). This allows you to both work on and store important documents online, making ransomware less effective.
    • If you're not already using it, get familiar with and implement the 3-2-1 strategy: save at least three copies of your data, two of which are on-site on different devices (like a laptop and a hard drive) and one that is off-site or on the cloud.