You may think ‘it’ll never happen to me’. But small businesses are under cyber attack, and as a business owner you need to take responsibility. Follow these steps to strengthen your cyber defences.

As the owner of a small-medium sized business, you may be forgiven for thinking cyber criminals wouldn’t be interested in you, and would prioritise attacks against bigger businesses than a little old electrical contractor.

Unfortunately, that’s not the case. The most recent stats from the government show the average self-reported cost of a cybercrime event for a small Australian business in 2024-25 was $56,600, up 14% on the previous year, while for a medium-sized Aussie business it was  $97.200 – up 55%. In total there were almost 85,000 cybercrime reports in 2024-25, and 42,500 calls to the Australian Cyber Security Hotline. 

And that’s just the reported events – it’s thought many cyber attacks aren’t reported in Australia, so the true figure is likely to be higher.

There are a growing number of cyber threats for Australian businesses, including an increasing number of AI-related threats for 2026, so it’s smart to take time to review the cyber security measures you have in place.

Every business today has programs or digital assets that store valuable business information – think website, email programs, any database program, your customer records, invoicing and accounting platforms – and if you get hacked there’s a lot of information there that cyber criminals could use. 

So, it’s important you keep your platforms and your people as up-to-date as possible. Here are eight steps every business should take to keep their cyber security in decent shape.

Enforce multi-factor authentication

Multi-factor authentication (MFA) simply means that you need to use at least two pieces of identifying information to access your systems. For example, this could be a code that’s produced by an authenticator app on your phone or a code that’s sent via SMS, that you need to put in alongside your password. Every credible program offers – actually, encourages – MFA today, so make sure you have it turned on as mandatory for everyone who can access your programs.

Good password management 

P@ssw0rd. M1Ke73. These are not good passwords, and can be cracked pretty simply by the automated tools cybercriminals are using today. Anyone who is accessing your systems and platforms must do so with strong, unique passwords, the longer the better. Password Manager programs are excellent here, while strong, unique passphrases, such as random words put together ‘potato cupboard water bottle’ are recommended. Ensure all your employees who are logging in have a good, strong password – and not one that’s short and simple.

Regular software updates

Your software providers will often update software to ensure security and functionality is up to scratch, so make sure you have updates automatically turned on. For most online tools this will happen automatically, but for devices such as smartphones you may need to manually update – so put a weekly or monthly calendar reminder in to check.

An approach of least privilege

Your people should only have access to information they need, so ensuring you have the right restrictions in place for each user is an important part of good cyber security management. For example, your apprentice may need to log time against a job, but doesn’t need to see customer details or invoices. While it may take an extra few minutes when setting them up in the first place, it’s worth it.

Monitor access

Every so often, take a look at when your people are logging into different platforms. During the working day? Makes sense. Logging in at 11pm? Less so. Log-ons outside of working hours can be suspicious, so keep an eye out for any activity that doesn’t seem legit.

Device security

Make sure that devices you’re using to access business info are up-to-date, and have good antivirus software on them too. And, when devices leave the business, you have a comprehensive process for wiping them clean of any sensitive information.

User management

People leave businesses, that’s a fact of life. And today, as part of your exit process, you need to ensure their access is revoked. Their user accounts should either be deleted or reassigned to someone else in the business, and passwords changed. There should be no possibility they can access business information after they leave the organisation – it doesn’t matter how ‘decent’ they are.

Continual staff training

Many cyber attacks succeed because of human error, so keeping your staff up-to-date on good cyber practice is key. From regular information sessions about scams to look out for, to spot testing your team with password checks or ‘fake’ emails, it’s essential that every single person is thinking about cyber security every day.

Cybersecurity practices for electrical contractors – final thoughts

Cyber security isn’t one person’s job, it’s a cultural approach, and everyone needs to be switched on. As well as the financial loss – can you really afford to lose almost $60k? – you’re risking your reputation. You may be tempted to think it won’t happen to you, but it very, very easily can. You need to have processes in place in case it does happen, but with the right preventative measures in place, you can reduce the risk significantly.

Supplier Spotlight