As a small business owner you might think that your business is too small to be the target of a cyber attack. In fact, according to the New Zealand National Cyber Security Centre (NCSC), 43% of cybercrime is targeted at small businesses. SMEs make especially good targets because they’ve got much to lose. It is common for small businesses hit by ransomware to pay the ransom to avoid losing or leaking data, since such an attack could have a disastrous effect on their operations.

Research from NCSC indicates that the average cost of a data breach for an SME is $173k, but less than half of small and medium businesses are prepared for a cyber incident. Luckily, there are some easy, cost-effective steps you can take to increase your cyber security resilience as a business owner.

1. Think before you click

Online scams, especially phishing attempts, often arrive in the form of emails pretending to be from your bank or a service you use. In the past, these scams were easier to identify because of clear red flags, like poor grammar or strange formatting. But today, with scammers using AI to create realistic-looking messages, spotting the difference can be much trickier.

If you receive an unexpected email, text, or call, don’t take the message at face value. Instead, reach out directly to the organisation using their official contact information. They can help you find out if it’s a scam and avoid falling for it.

2. Make it long, strong and memorable

While it might seem convenient to use the same password for everything, doing so leaves your entire digital life vulnerable. If one account is compromised, it’s like handing over the keys to all your accounts.

The best practice is to create unique passwords for each platform. It might sound like common sense, but research shows that 43% of New Zealanders use the same passwords for multiple accounts. Since remembering different passwords for everything is next to impossible, a password manager — like 1Password, Bitwarden, or Proton — makes it easy to generate and store secure passwords.

When it comes to password strength, size does matter. According to Keeper Security, an 8-character password can be cracked in just a day, but a 16-character one? It could take thousands of years. While some sites ask for special characters, experts suggest a combination of memorable words can often be more effective than a random jumble. Passphrases (random phrases of four or more words, like bananasaredinnerfood) are easy to remember but hard for attackers to crack.

It’s also a good idea to change your passwords regularly — ideally every three months, and certainly after a data breach. To help keep your information safe, you can check if your accounts have been affected using websites like haveibeenpwned.com.

3. Be two steps ahead with 2FA

Two-factor authentication (2FA) is becoming a go-to security measure for banks and other high-profile institutions, but surprisingly, 32% of New Zealanders still don’t use it for their main online accounts.

With 2FA enabled, you not only enter your password but also confirm your identity through a code sent to your phone or email, making it much harder for attackers to access your account. Even if someone manages to get your password, they’re blocked without the second step.

You can also use authentication apps like Google Authenticator or Authy for an added layer of security. These apps work with various platforms to provide real-time codes, keeping your accounts even safer. Start by enabling 2FA on your most important accounts, like your bank, email, and social media. Find out how to set it up for your accounts at Own Your Online.

4. Be smart with what you share

Social media is a big part of your life and your business, but it’s also a prime target for scams. One of the most frequent issues is impersonation, where someone duplicates a friend’s account — using the same name and profile picture — and tries to add you to their contacts. Before accepting a new request, double-check if you’re already connected with them. Give them a call or visit their profile; they might have even posted a warning about the impersonation.

Be mindful of how you use your personal and business accounts, as either could expose sensitive information and put your business at risk. To be safer, set your social media privacy settings to ‘Private’ or ‘Friends only,’ so you can control who sees your posts and who you’re sharing them with. And avoid oversharing: even a simple birthday post can reveal personal details like your location or birth date, which scammers can use to their advantage.

5. Before you pay, verify

Business email compromise (BEC) is a particularly sneaky type of cyberattack where criminals intercept a legitimate invoice, often from one of your frequent suppliers, and duplicate it so that everything matches the original except the bank account details. To the untrained eye nothing looks out of place, so you process the payment as usual. The problem is that the money ends up in the hands of a scammer.

What makes BEC so dangerous is that it often flies under the radar of security software, and you may not even realise something’s wrong until your supplier follows up on an unpaid invoice. It’s a reminder to always double-check any unexpected changes in payment details by contacting the supplier directly through a known, trusted phone number or email address. Taking a few extra moments to verify can save you from a costly mistake.
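
The "verify before you pay" check can also be built into accounts payable, as in this added example (not part of the original article): each incoming invoice is compared against supplier details that were confirmed earlier through a trusted channel, and any mismatch holds the payment for a call-back. The supplier record, invoice fields, account numbers and domains are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed supplier master file: details confirmed by phone when onboarding.
VERIFIED_SUPPLIERS = {
    "acme-paper": {"account": "01-0001-0123456-00", "domain": "acmepaper.example"},
}


@dataclass
class Invoice:
    supplier_id: str
    sender_email: str
    bank_account: str
    amount: float


def normalise_account(account: str) -> str:
    """Drop spaces and dashes so formatting differences are not flagged."""
    return re.sub(r"[^0-9]", "", account)


def reasons_to_hold(invoice: Invoice) -> list:
    """Return the reasons to pause payment; an empty list means no mismatch."""
    record = VERIFIED_SUPPLIERS.get(invoice.supplier_id)
    if record is None:
        return ["supplier has no verified record on file"]
    reasons = []
    if normalise_account(invoice.bank_account) != normalise_account(record["account"]):
        reasons.append("bank account differs from the verified record")
    domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    if domain != record["domain"]:
        reasons.append("sender domain differs from the verified record")
    return reasons


if __name__ == "__main__":
    # Constructed invoices: one genuine, one with altered payment details.
    genuine = Invoice("acme-paper", "accounts@acmepaper.example",
                      "01 0001 0123456 00", 1840.00)
    altered = Invoice("acme-paper", "accounts@acmepaper.example",
                      "02-0002-7654321-00", 1840.00)
    for inv in (genuine, altered):
        print(reasons_to_hold(inv) or "pay as usual")
```

The bank account comparison matters most: an altered invoice sent from a supplier's genuine but compromised mailbox passes the domain check, so a changed account number should always trigger a call to the number already on file.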

Learn more at Own Your Online

When it comes to cybersecurity, small steps can make a big difference in protecting your business from major risks. As part of Cyber Smart Week, the New Zealand government has launched the ‘Scamathon’ campaign to raise awareness of online threats. Visit Own Your Online to learn how to spot common scams and boost your online security.
