
Top 10 Cybersecurity Tips

by John Musker | Aug 11, 2025 | General Newsletter

Reading Time: 11 minutes

Cyber Security Health Check and Action Plan

Cybercrime in Australia is evolving fast, and small businesses are squarely in the firing line.

In 2025, AI-powered scams, voice cloning, and highly targeted business email compromise (BEC) attacks are replacing the clumsy, obvious phishing emails of the past. These scams are harder to spot, faster to execute, and can cause serious financial and reputational damage.

The good news? Protecting your business doesn’t have to mean expensive software or a full-time IT team. With the right habits, awareness, and a few smart tools, you can shut down the most common entry points criminals use to get in.

This Cyber Security Health Check gives you ten essential, practical tips, plus a bonus that you can start using today. Each one is designed to be easy to implement, low-cost, and highly effective against the threats Australian small businesses face right now.

Tip 1 – AI-Aware Phishing, Vishing & Scam Protection

Phishing is an attempt to obtain sensitive information through email, text messages, or malicious links. In a recent case, a Sydney man scammed $3.5M from the NT Government:

  • He registered a business name similar to that of a construction company the NT Government was working with.
  • He opened a new bank account for that company.
  • He set up email addresses that appeared to belong to employees of the real construction company.
  • He sent an email with forged vendor identification, so the Government believed he was the vendor it was working with.
  • The NT Government then transferred $3,583,363 to the fraudulent account.
  • Most of the money was recovered, with $11,603 still outstanding.

Vishing is the new Phishing!
Vishing (short for voice phishing) is a type of social engineering attack where bad actors use phone calls to trick people into revealing sensitive information.

Vishers impersonate trusted organisations such as banks or government agencies to gain your trust, then try to extract login details, personal information and the like. Vishing bypasses technical security controls and exploits human weakness.

Add AI to the mix, and it becomes even more dangerous as AI tools can now clone voices and create highly convincing personalised emails and texts.

Every breach starts with initial access

AI, Vishing and Phishing Actions

  • If something feels off – trust your gut.
  • Always verify changes to payment or bank details – call a number you already trust.
  • Hang up and call back. If a phone call seems odd, end it and call the organisation back on the number you trust for it.
  • Educate your staff – scammers often claim to be in a hurry, on another call, or otherwise unavailable so that you respond quickly without checking.
  • Check sender domains carefully. Hover your mouse over a link to see the real URL and verify the domain before clicking.
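As an added example (not code from the original post), the following Python check automates the "check sender domains carefully" step: it pulls the sender's domain out of a From: header and flags domains that are not on your trusted list but closely resemble one, which is the trick used in the NT Government case above. The trusted domains, the homoglyph table and the similarity threshold are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed list of domains the business already deals with (hypothetical names).
TRUSTED_DOMAINS = {"captivatewebsites.com.au", "example-construction.com.au"}

# Digit-for-letter swaps that make a fake domain read like the real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'Jo <jo@acme.com.au>'."""
    m = re.search(r"<?([\w.+-]+)@([\w.-]+)>?\s*$", from_header.strip())
    if not m:
        raise ValueError(f"no email address found in {from_header!r}")
    return m.group(2).lower()


def normalise(domain: str) -> str:
    """Undo the usual look-alike tricks: digits for letters and 'rn' for 'm'."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m")


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain.

    A look-alike is a domain that is not on the trusted list but, once the
    common tricks are undone, is nearly identical to one that is: the same
    name under a different suffix (.com instead of .com.au), a character
    swapped, or a letter added or dropped.
    """
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    base = normalise(domain)
    for good in trusted:
        good_n = normalise(good)
        # Same registered name, different suffix.
        if base.split(".")[0] == good_n.split(".")[0]:
            return "lookalike"
        # A ratio close to 1.0 means only a character or two differs.
        if SequenceMatcher(None, base, good_n).ratio() >= 0.9:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for header in ("Accounts <accounts@captivatewebsites.com>",
                   "Jo <jo@exarnple-construction.com.au>",
                   "newsletter@somethingelse.com"):
        print(f"{classify_sender(header):9} {header}")
```

A "lookalike" result is a prompt to pick up the phone and verify, not proof of fraud; an "unknown" sender simply is not on the list yet.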

Tip 2 – Malware

Malware is the term used to refer to any type of code that is used for a malicious purpose.

  • Ransomware: Encrypts your data for a ransom.
  • Infostealer: Collects your personal information.
  • Keyloggers: Records your keystrokes.

Malware is distributed in several ways.

  • Spam email or messages (either as a link or attachment).
  • Malicious websites attempt to install malware when you visit.
  • Exploiting weaknesses in software on your devices.
  • Posing as a trusted application that you download and install yourself.

Malware Actions

  • Enable automatic updates on all devices.
  • Don’t click on suspicious links.
  • Only download from trusted sites.

Tip 3 – Email Security

Business Email Compromise (BEC) is a targeted cyberattack in which a threat actor gains access to a company’s email account and uses it to impersonate employees, executives, or vendors. Consequences include:

  • Creating fraudulent online accounts.
  • Obtaining password resets and accessing your accounts.
  • Spreading scam messaging or malware to your contacts.
  • Setting up auto-forward rules to send your emails to a different address.

If someone gains access to your email account, you have been “pwned”.

False Invoicing Fraud – fake invoices that appear legitimate, tricking businesses or customers into making payments to fraudulent accounts.

Email Security Actions

  • Set up a strong password and 2FA for your email.
  • Email forwarding – Check your email forwarding settings regularly. Unauthorised changes could indicate a breach.
    • Gmail instructions
    • Outlook instructions
    • iCloud instructions
  • False invoicing
    • If you receive an email with an invoice to pay, contact the company via a different method to verify the bank details.
    • Be very careful of any email from a provider advising that they have changed bank details.
  • Pwning – Check ‘Have I Been Pwned’ to see if your email has been compromised.
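A small audit script, added here as an example rather than taken from the original post, that turns the "check your forwarding settings regularly" action into a repeatable check: it compares an export of the current forwarding rules with the last approved snapshot and flags rules that were added or that send mail outside the business. The business domain, the rule format and the sample rules are constructed for the example; how you export the rules depends on your mail provider.

```python
from dataclasses import dataclass

# The business's own mail domain; a hypothetical value for this example.
OWN_DOMAIN = "captivatewebsites.com.au"


@dataclass(frozen=True)
class ForwardRule:
    mailbox: str     # the account the rule is configured in
    forward_to: str  # the address mail is forwarded to


def is_external(address: str) -> bool:
    """True when the destination is outside the business's own domain."""
    return address.rsplit("@", 1)[-1].lower() != OWN_DOMAIN


def audit_forwarding(current, baseline):
    """Compare today's forwarding rules with the last approved snapshot.

    Anything listed under 'added' or 'external' should be confirmed with the
    mailbox owner (by phone, not by email) before it is accepted as approved.
    """
    current, baseline = set(current), set(baseline)
    return {
        "added": current - baseline,     # rules nobody approved
        "removed": baseline - current,   # approved rules that have vanished
        "external": {r for r in current if is_external(r.forward_to)},
    }


# Constructed sample data: last month's approved snapshot and today's export.
BASELINE = [
    ForwardRule("accounts@captivatewebsites.com.au", "john@captivatewebsites.com.au"),
]
TODAY = BASELINE + [
    ForwardRule("accounts@captivatewebsites.com.au", "acc0unts.backup@example.net"),
]

if __name__ == "__main__":
    for kind, rules in audit_forwarding(TODAY, BASELINE).items():
        for rule in sorted(rules, key=lambda r: (r.mailbox, r.forward_to)):
            print(f"{kind:8} {rule.mailbox} -> {rule.forward_to}")
```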

Tip 4 – Passwords

  • Never use the same password twice.
  • Use a strong password.
    • 12+ Characters
    • Letters, numbers, symbols
    • Check your password strength with Bitwarden
  • Always use a Password Manager.

Password Actions

  • Test your password strength with Bitwarden Password Strength Tester
  • Set up a Password Manager like LastPass

Tip 5 – Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is an identity and access management security method that requires two forms of identification to access resources and data. Use 2FA in conjunction with a strong password.

2FA can guard against identity theft, data loss, and business email compromise.

2FA Actions

  • Install Google Authenticator on your phone.
  • Enable 2FA on all accounts.
    • Social accounts
    • Email
    • myGov
    • Everywhere!

Tip 6 – Data Security

Data security is the practice of protecting digital information from unauthorised access, corruption or theft throughout its lifecycle. It spans both physical and digital environments, including on-premises systems, mobile devices, cloud platforms and third-party applications.

The primary goal of data security is to defend against today’s growing spectrum of cyber threats, such as ransomware, malware, insider threats and human error, while still enabling secure and efficient data use.

If you use Google Drive, Dropbox, iCloud, Amazon S3, OneDrive or SharePoint, your files are encrypted both when they’re stored and when they are sent or downloaded. That’s great for protecting data from outside breaches, but if someone gets your login details, they can still access your files. That’s why strong passwords, multi-factor authentication, and careful sharing are just as important.

Data Security Actions

  • Ensure all cloud storage is password-protected.
  • Use data encryption.
  • Have a password-protected offline data backup. This is a safeguard for your data against cyberattacks like ransomware, ensuring you can recover your information even if your main systems are compromised.
  • Shred sensitive data and lock all storage.

Tip 7 – Public Wi-Fi

Like many things online, there are risks when using public Wi-Fi hotspots. They can be accessed by anyone and are often free and unsecured. These hotspots are prime targets for cybercriminals, who may use them to steal your passwords or sensitive information.

Public Wi-Fi Actions

  • Don’t use public hotspots or hotel free Wi-Fi! Use 4G/5G instead.
  • If you do use public Wi-Fi, use a VPN. A VPN is a virtual private network, which is a service that encrypts and secures your data when using the internet. It acts as an extra layer of protection when using public Wi-Fi hotspots.

Tip 8 – Router Password and Remote Access

Password

The Internet router in your home or office is a potential welcome mat for cyber criminals. You would never leave the house with the back door unlocked, and similarly, you should make sure your router is secured.

Most routers have an admin control panel, where you log in to change settings (Wi-Fi, name, password, firewall rules, etc). By default, you access this from inside your home or office network (e.g. typing 192.168.0.1 in your browser). Look at the sticker underneath the router for login details.

Out of the box, your router login is probably something like this:

  • Username ‘Admin’
  • Password ‘password’

Remote Access

Remote login (also called remote administration or remote management) lets you access that control panel from anywhere in the world over the internet.

If remote login is turned on and the default username/password hasn’t been changed, hackers can find and log in to your router from anywhere.

Once inside, they can:

  • Change your Wi-Fi password
  • Intercept or redirect traffic
  • Open the network to other attacks (including ransomware)

Router Actions

  • Change the default router login details.
  • Turn off remote access.

Tip 9 – Credit Reports

Credit reports can help with:

  • Spotting Identity Theft.
  • Finding frauds and scams: See if loans are taken out in your name.
  • Fixing errors that lower your credit score.

Credit Report Actions

  • Set up a Credit Report with one of the three providers in Australia.
    • Equifax
    • Experian
    • illion

Tip 10 – IDCARE

IDCARE is the National Identity and Cyber Support Service. They are a not-for-profit charity formed to address a critical support gap for individuals with identity and cybersecurity concerns and breaches.

They have a three-step process:

  • Start with a small business cyber health check.
  • Meet with a cybersecurity expert to review the health check findings and receive recommendations.
  • Take a deeper dive to look at your website and any compromised credentials.

IDCARE Actions

  • Book a free Small Business Resilience checkup with IDCARE.
  • Look at the IDCARE Factsheets – show your staff.

Bonus Tip – Google Alerts

Google Alerts is a powerful tool that helps you stay on top of the things that matter to you. Once you set it up, you’ll get email notifications whenever Google finds new results on topics you care about.

Google Alerts Actions

  • Set up a Google Alert for your business name.
    • See what people are saying about your brand.
    • Identify fraudulent use of your business name.
    • Contact people who mention you – you may get a backlink.
  • Set up a Google Alert for your website.
    • See if anyone is sharing your content.
  • Set up a Google Alert for your name.
  • Set up a Google Alert for your main business email.
  • Set up alerts for key topics in your industry or for competitors.
    • This may help with content creation and marketing.

Take Action Today

Don’t wait for a breach to find your weak spots. Start with one tip today and take a big step toward protecting your business from tomorrow’s threats.

A secure, well-built website is your first line of defence online. At Captivate Websites, we design, build, and maintain websites with performance and security in mind, so you can focus on running your business. Let’s talk about your next website project.

Cyber Security Frequently Asked Questions

If I have antivirus, do I still need to update my software?

Yes — antivirus can’t protect against all exploits. Many attacks target unpatched software vulnerabilities.

How often should I check my email forwarding settings?

At least once a month — early detection can prevent serious breaches.

Is a password manager safe? What if it gets hacked?

Reputable managers encrypt your data so it’s unreadable without your master password.

Is hotel Wi-Fi safe?

Not really — even with a password, it’s shared. Use a VPN or mobile hotspot.

How do I log in to my router?

By default, you access it from inside your home or office network (e.g. by typing 192.168.0.1 in your browser).

Do I need to change my Wi-Fi password often?

Not unless it’s been shared with untrusted people. Focus on strength and admin security.

How can I tell if a voice call is a scam when it sounds exactly like someone I know?

Always verify urgent or unusual requests via a different method — hang up and call back on a trusted number.

Is it worth paying for anti-phishing software?

It can help, but human awareness is your best defence. Software catches many threats, but not all.

What’s the safest way to know if a download is legitimate?

Only download from the developer’s official site or trusted app stores.

What’s the cheapest way to back up data securely?

Use free or low-cost cloud storage and an encrypted external hard drive.

How often should I change passwords?

Change them if there’s a breach. Otherwise, focus on long, unique passwords.

What’s the most secure email service?

Most are secure if you use strong passwords, 2FA, and regular monitoring.

Does checking my credit report lower my score?

No — personal checks don’t affect your score.

Is SMS 2FA good enough?

It’s better than nothing, but app-based 2FA is more secure.

Is 2FA a hassle for staff?

It adds seconds to login but greatly reduces risk. Most adapt quickly.
