Against a backdrop of an increase in financial losses due to cyber events over the past year, it’s more important than ever to assess what cyber risk looks like in your business. It's time to hop in the driver’s seat when it comes to the critical decisions that can affect how well your business will cope in the event of an attack.

Where to start?

When we talk about what it is we are trying to protect in cyber security – we are really talking about:

  1. The confidentiality of our information – ensuring only those who are authorised to can access our information
  2. The integrity of that information –  making sure the information we value cannot be changed by an unauthorised party; and
  3. The availability of that information – ensuring we are able to access it when we need to.

The first R: Risk

This step requires being suspicious of the defences you have in place to protect your information and instead considering your business from the viewpoint of a prospective attacker.

Imagine you wanted to steal your business’ most valuable data. What would you go for? Where do you think you would find that data? If you wanted to disrupt the business’ function, what would you do?

Some businesses may hold sensitive data which attackers seek to exploit to, for instance, sell that data on to other attackers, or extort the business involved, which may be willing to pay a significant sum to stop damage to customers.

In other cases, attackers may seek to disrupt the availability of a system to stop activity, such as a more traditional ransomware attack which denies access to critical systems so that a business is incentivised to pay a fee to restore service so they can continue operating.

In cases where there are process weaknesses – such as using email to receive and send invoices, attackers may seek to exploit these to modify payment details so that they receive payments meant for you or conversely trick you into paying them instead of the suppliers you are intending to pay. 

 To measure the risk against these attacks, consider:

  • How your business runs
  • What data your business holds
  • Where that data is stored
  • The access points to that data
  • How your payments processes operate and the connections and communications you have with suppliers.

By taking a deep dive into the weak points in your business, you can highlight the vulnerabilities that might be attractive targets for real attackers. If you’re still wondering about where or how to start your risk assessment, you can also check out the ACSC’s Cyber Security Assessment Tool |

Okay, my business has some weak points, but how do I fix them without a whole technology team behind me?

There’s no point in identifying your business’ weak spots if you have no plan to counter them – this is where the second R comes in – Resilience.

By focusing on known risky areas, businesses can control for these risks through people, processes and technology.

The good news? There are quick wins to improve your cyber resilience that do not require a whole IT team, or even specialist technical knowledge to implement.

On the people side of things, up your resilience by ensuring that you take time to discuss security awareness with your team. Make sure they know how to spot suspicious emails to stop phishing attempts, which can lead to credentials being leaked or malware insertion.

Consider introducing authentication processes to double-check vendor payment requests. Audit your files by using file classification labels to tag which files hold sensitive data, and using strong passphrases and permissions controls to protect sensitive files or access to shared folders and drives.

On the technology side, business owners with administrator access can improve technology resilience by turning on automatic updates of software, including for operating systems, productivity suites such as O365 and POS, to stop the exploitation of known vulnerabilities.

Turn on multi-factor authentication for email and cloud services - MFA is a very easy and highly effective extra layer of defence which can prevent data loss even in the case of a successful unauthorised entry or credential leak.

Once you are finished hardening your technology, remember to downgrade your access level from administrator to user so that your day-to-day operations are not undertaken with a heightened level of permissions.

Fail to prepare; prepare to fail

It’s an old adage but a good one when it comes to cyber preparedness.

The last part of the three-R puzzle is your recovery. This means thinking through all those scenarios you’ve just used in your risk assessment and resilience planning and figuring out how you’d ensure your business could continue to operate if, in spite of your best efforts, you did suffer a cyber breach.

A business continuity plan can help mitigate the impact of an event. One important part of this plan is having regularly maintained back-ups of critical databases and drives that are stored separately from your main network. You may also want to consider printed call trees of the phone numbers of people you’d need to contact.  

The guides at the ACSC cover the basics and provide templates for your business to continue through an event. Having a plan will save time and money, and can help retain customer trust. 

If your business does experience a cyber incident you can contact us – either on 13 22 21 or on 13 23 39 for CommBiz customers, and report to the Australian Government ReportCyber |

Keeping your accounts safe is our priority. That’s why we have a range of security features and services to help keep you secure 24/7, including fraud prevention technology and secure banking. Find out more at

To learn more from leading experts about what’s important to business and the economy visit CommBank Foresight™ – insights for future-facing businesses.