Why do criminals target small businesses?

The media regularly reports on companies being hacked, suffering data breaches and having their online services attacked. While attacks on large, multinational corporations make the headlines, small and medium businesses (SMBs) are often the forgotten victims. But in fact, SMBs are more actively targeted by cyber criminals than large businesses.

This is because SMBs often lack the resources of large companies, and have fewer security measures in place, making them an attractive target for cyber criminals.

The good news is that there are simple things all SMBs can do to avoid becoming a victim of cybercrime. Make sure you also listen to our NAB Security Podcast on Cyber Security for business.

What cyber criminals want from your business

Cyber criminals are mostly motivated by money. They can make money by:

  • holding your data to ransom in exchange for payment
  • selling your data to a competitor or other criminal
  • stealing funds from your accounts
  • stealing your identity.

How cyber criminals go about their business

Cyber attack techniques fall into the following categories:

  • Obtaining your details by deceptive email, text messages or telephone calls, such as:
    • spam or phishing - find out more in How to identify spam and phishing messages.
    • spear-phishing - this takes phishing one step further by targeting one person about a topic directly relevant to them; spear-phishing is one of the main ways cyber criminals get into organisations to steal data, conduct corporate espionage or steal money.
    • wire fraud - this is where cyber criminals trick financial staff into transferring your money to an external bank account.
  • Stealing your business data or identity by:

How to minimise the risk of a cyber attack on your business

As with managing any business risk, you can put the right controls, processes and tools in place to protect your data. Here are some practical ways to prevent a cyber attack turning into a costly cyber incident.

Basic computer security controls and software can protect your business

Computer security controls are administrative settings on computers and internet devices that can help minimise cyber safety risks.

Always keep the following up to date:

  • Operating systems.
  • Applications and web plug-ins.
  • Anti-virus software.
  • Internet browsers.

A patch is software designed to update a computer program to fix or improve it. This includes fixing security vulnerabilities and bugs. In the software update settings of your computer or device, you’ll find an option to turn on or check automatic updates and installation of the latest patches.

Schedule some time each week to check all updates have been successfully applied. You can do this by performing a search of your programs and viewing the latest installed updates on your computer or internet device.

Manage access to your network and payment controls by:

  • limiting access to your network - only grant access based on each employee’s role and responsibilities
  • using two-factor authentication (2FA) to secure access to your network - 2FA adds at least one more secure verifier of your identity, such as a security token or an SMS code sent to your smartphone, on top of a username and password that only you know
  • setting up dual authorisations for all online payment transactions - this means more than one person must always approve money moving out of your business
  • setting up daily payment limits on all your financial accounts - this limit can help alert you to any financial transaction activity that is not usual.

Good security processes can protect your business

The best way to protect your business is to practise good security processes. Minimise your cyber security risk by:

  • having an incident management plan in place - identify and document all your key contacts, processes and business continuity plans; store your plan securely and outside of your business network
  • ensuring each employee has unique login credentials - employees must never share their username or password under any circumstance
  • always locking your computer or device in your absence - develop a habit of always locking your computer or device if you’re not using it; make sure your employees do the same
  • protecting your information with a secure back-up solution - you’ll find more information in Understanding the value of your business data
  • educating your employees on good security practices - you’ll find more information in Understanding the value of your business data
  • regularly reviewing the programs installed on your computers and devices - always uninstall programs that are not being used.

Information to help keep your business safe

Here are some helpful online resources to explore to help you keep your business safe.

Microsoft security information

Apple / iOS security information

Android security information

Australian government cyber security tips and support

Helpful resources

How we can help

If you’re a NAB customer and you believe your business or personal accounts have been impacted by fraud or a scam, we’re here to help. Explore the immediate steps you can take to protect yourself and discover when you should get in touch with us to make a report.


IDCARE is Australia and New Zealand's not-for-profit counselling and support service set up to assist Australians impacted by identity theft and cyber-related crimes.

IDCARE can assist NAB customers to navigate through the process when identity details or credentials have been compromised through fraud or scams. IDCARE is a free service for all Australians.

Australian Government | Australian Cyber Security Centre (ACSC)

The Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together in a single location. It’s the hub for private and public sector collaboration and information sharing to combat cyber security threats. ACSC provides topical, relevant and timely information on how home internet users and small businesses can protect themselves from, and reduce the risk of, cyber security threats such as software vulnerabilities, online scams, malicious activities and risky online behaviours.

Australian Government | ReportCyber

ReportCyber is a secure reporting and referral service for cybercrime and online incidents which may be in breach of Australian law. The ReportCyber website provides a cybercrime reporting mechanism as well as helpful information about cybercrime.

Australian Competition and Consumer Commission | Scamwatch

Scamwatch provides information to consumers and small businesses about how to recognise, avoid and report scams using publications, videos and other online resources.

Australian Government | Office of the eSafety Commissioner

The Office of the eSafety Commissioner provides online safety education for Australian children and young people, provides a complaints service for young Australians who experience serious cyberbullying, and addresses illegal online content.

Australian Government | Attorney-General’s Department

The Attorney-General’s Department website provides helpful information and resources about your rights and protections with regard to identity security, freedom of information and cyber security. The Department has developed a range of resources to help people protect their identity and recover from the effects of identity crime.
