
Cyber security for small businesses

June 18, 2024  

Keeping your Business Secure from Cyber Threats Legally

In Australia, many small businesses have rapidly digitised, bringing new opportunities but also increasing their vulnerability to cyber incidents, which can cause financial loss, reputational damage, and interruption to trading.

It is important that company directors have awareness of cyber security as part of their professional development. Such awareness can lead to decreased vulnerability, lower losses from attacks, quicker data recovery and reputational repair, and greater protection from liability.

In the last financial year, nearly 94,000 cyber crimes were reported to the Australian Cyber Security Centre. The average cost of cybercrime to affected small businesses is now $46,000, with small businesses having limited ability to absorb these losses.

How to prepare for a Cyber Attack?

The Australian Signals Directorate (ASD) recommends the following simple measures as a starting point for mitigating cyber security incidents:

  • Turn on multi-factor authentication
  • Update your software
  • Backup your information.

Educate employees to raise awareness

Make sure staff are aware of common cyber security threats and know how to spot scams and phishing attacks, and implement business policies such as a procedure for reporting suspicious emails and for confirming that invoices are genuine before paying them. However, hackers are always developing new methods to maximise their profits, so it is important to refresh employee training periodically.

Create an emergency plan

Having an emergency plan in place can reduce the impact and financial loss to your business. This means your staff will spend less time figuring out what to do and more time acting.

Register your business with ACSC Partnership Program

Become an Australian Cyber Security Centre (ACSC) partner, so that you receive the latest information in the monthly newsletters and are alerted when a new cyber threat is found. Cybercriminals actively exploit vulnerabilities within minutes of their discovery, so staying informed will help your business understand the threats it is likely to face.

We recommend that businesses refer to the ACSC's Small Business Cyber Security Checklist as a useful checklist.

What can you do legally if your business experiences a Cyber Attack?

In November last year, the Mandatory Notification of Data Breach (MNDB) scheme commenced, replacing the previous scheme, which was merely voluntary. The changes have been enacted under amendments to the PPIP Act.

Under the PPIP Act, agencies include NSW government agencies, statutory authorities, universities, NSW local councils, and other bodies whose accounts are subject to the Auditor General.

The MNDB Scheme requires agencies to notify the NSW Privacy Commissioner and affected individuals if an “eligible data breach” occurs.

An eligible data breach occurs if there is unauthorised access, disclosure or loss of an individual’s personal information which is likely to cause serious harm to the affected individual.

Under the MNDB Scheme, if an agency discovers a data breach it must:

  • Immediately make all reasonable efforts to contain the data breach;
  • Assess within 30 days whether it is reasonably likely an eligible data breach occurred;
  • During the assessment period, take all reasonable steps to mitigate the harm done by the breach; and
  • If an eligible data breach has occurred (or there are reasonable grounds to believe so):
      ◦ Notify the NSW Privacy Commissioner;
      ◦ Notify each affected individual (to the extent reasonably practicable); and
      ◦ Where it is not practicable to notify each affected individual, issue a public notice.

While there are no monetary penalties for non-compliance with the MNDB scheme, reputational damage remains an important consideration.

What’s more, individuals affected by an agency’s conduct may seek review of that conduct under Part 5 of the PPIP Act. Even if the agency takes remedial action, the individual may still apply to the NSW Civil and Administrative Tribunal for administrative review. The tribunal may order the Agency to pay the individual up to $40,000 for loss or damage suffered.

Our Services

If your business is experiencing a cyber attack, our team can help you in notifying the Australian Information Commissioner and potentially affected consumers. We can provide comprehensive support to identify the responsible parties, determine the size of any claims, and advise on legal options to pursue recovery of any losses.