<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cyber Security Archives - Inside Small Business</title>
	<atom:link href="https://insidesmallbusiness.com.au/category/technology/cyber-security/feed" rel="self" type="application/rss+xml" />
	<link>https://insidesmallbusiness.com.au/category/technology/cyber-security</link>
	<description>Latest News and Advice for Australian Small Businesses</description>
	<lastBuildDate>Fri, 30 May 2025 07:37:36 +0000</lastBuildDate>
	<language>en-AU</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.7.1</generator>

<image>
	<url>https://insidesmallbusiness.com.au/wp-content/uploads/2021/05/icon-114x114-1.png</url>
	<title>Cyber Security Archives - Inside Small Business</title>
	<link>https://insidesmallbusiness.com.au/category/technology/cyber-security</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>New ransomware rules for businesses: Are you prepared for an attack?</title>
		<link>https://insidesmallbusiness.com.au/technology/cyber-security/ransomware-payment-reporting-australia</link>
		
		<dc:creator><![CDATA[Mia Lockett]]></dc:creator>
		<pubDate>Fri, 30 May 2025 06:46:14 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Ransomware]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[ransomware]]></category>
		<guid isPermaLink="false">https://insidesmallbusiness.com.au/?p=33101</guid>

					<description><![CDATA[<p>New laws require ransomware payments to be reported. Here's what you need to know.</p>
<p>The post <a href="https://insidesmallbusiness.com.au/technology/cyber-security/ransomware-payment-reporting-australia">New ransomware rules for businesses: Are you prepared for an attack?</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></description>
										<content:encoded><![CDATA[        <div class="brief">
            <strong class="title">What is ransomware?</strong>
            <div class="text">
                <p>Ransomware is a type of malware used to extort businesses and individuals. It locks you out of your own files and demands a ransom, usually in cryptocurrency, to get them back.</p>
            </div>
        </div>
        
<p>From today, businesses are legally required to report ransomware payments.</p>



<p>If someone extorts payment from you by locking up your data, you now have 72 hours to tell the Government – or potentially face disciplinary action.</p>



<p>The rule change will apply to businesses with an annual turnover of $3 million or more; you’ll also be obligated to report if you’re responsible for a “critical infrastructure asset” (under Part 2B of the 2018 SOCI Act). Non-monetary payments (e.g. services, gifts, or information) will also need to be reported.</p>



<p>Note that this change doesn’t mean you have to report every ransomware attack – just instances where a payment was made. You might still need to report under existing obligations, but small businesses are generally exempt from these.</p>



<h4 class="wp-block-heading" id="h-small-businesses-still-need-to-take-action">Small businesses still need to take action</h4>



<p>Though the new rules target larger businesses – who are more likely to pay extortioners – that doesn’t mean that small businesses don’t get attacked.</p>



<p>“Small business gets targeted all the time,” said IT consultant and Tech Seek founder Fil Strati.</p>



<p>Strati, who works with small businesses, once had a small dental clinic on his books who lost their files to a ransomware attack. All the files were infected except for the database files for their practice software. The clinic didn&#8217;t pay the ransom, and the files weren&#8217;t critical, but it was still a memorable lesson.</p>



<p>“[The malware] wasn&#8217;t looking for those particular files,” Strati explained. “They were lucky.”</p>



<p>Meanwhile, larger firms have been picking up a shift in targets when it comes to ransomware attacks.</p>



<p>&#8220;Our Incident Response team has noticed a shift away from ‘big game hunting’, or ransomware attacks targeting the big end of town, and towards SMEs who are generally less prepared,&#8221; said Mark Thomas, Director of Security Services ANZ at Arctic Wolf.</p>



<h4 class="wp-block-heading" id="h-what-you-need-to-know">What you need to know</h4>



<p>Never pay a ransom. If you do pay up, said Strati, there’s no guarantee you get your data back. And paying can tell a cybercriminal that you’re cashed up, making you vulnerable to retargeting.</p>



<p>Instead, small businesses should have a secure backup system in place, Strati advised.</p>



<p>“A lot of small-business owners will plug in an external hard drive and use that as their backup,” he explained. “But if that drive is connected, when you get infected, it will jump across to that drive as well.”</p>



<p>Beware of using cloud storage – that can also be infected by malware, Strati added.</p>



<p>As for how often you need to back up, that depends on how much data you can afford to lose. If you could lose a month’s worth of data, for instance, then maybe you only need to back up once a month.</p>



<p>If you are targeted – or if you have been targeted before – don’t feel bad. It can be easy to fall for a scam when you’re stressed or busy with running a business.</p>



<p>“It&#8217;s designed to catch you when you&#8217;re too busy,” said Strati. “We&#8217;re so busy doing what we&#8217;re doing.”</p>



<h4 class="wp-block-heading" id="h-what-can-you-do-to-protect-yourself">What can you do to protect yourself?</h4>



<p><em>ISB </em>asked Strati what a small-business owner can reasonably do to protect their business from a ransomware attack. Here are some steps you can take:</p>



<ul class="wp-block-list">
<li>Train your staff to recognise cyber threats.</li>



<li>Use multi-factor authentication.</li>



<li>Back up often enough that you never lose more data than you can afford to.</li>



<li>Physically separate your backups from your computer.</li>



<li>Consider endpoint detection and response (EDR) software: in the event of an attack, this can help you figure out what data has been breached. Strati encourages businesses that handle sensitive data to consider this option.</li>



<li>If you’re particularly concerned, consider paying your antivirus service provider for round-the-clock monitoring via a security operations centre, if your provider offers this.</li>



<li>Never pay a ransom – this could just invite further extortion attempts later.</li>



<li>Know who to call in the event of an attack – i.e. who owns your domain? Do you have a tech provider for your website?</li>



<li>Make an emergency plan with contact details and clear steps in case an attack happens to you, so you can act as quickly and calmly as possible.</li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>COSBOA’s Cyber Wardens program wins global support</title>
		<link>https://insidesmallbusiness.com.au/technology/cosboas-cyber-wardens-program-wins-global-support</link>
		
		<dc:creator><![CDATA[Sean Cao]]></dc:creator>
		<pubDate>Thu, 08 May 2025 09:03:59 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[COSBOA]]></category>
		<category><![CDATA[Cyber Wardens]]></category>
		<category><![CDATA[CyberCert]]></category>
		<guid isPermaLink="false">https://insidesmallbusiness.com.au/?p=32848</guid>

					<description><![CDATA[<p>As part of the partnership, graduates from the Cyber Wardens course in May will now be eligible to access the Bronze CyberCert certification.</p>
<p>The post <a href="https://insidesmallbusiness.com.au/technology/cosboas-cyber-wardens-program-wins-global-support">COSBOA’s Cyber Wardens program wins global support</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The Council of Small Business Organisations Australia (COSBOA) has collaborated with CyberCert to provide globally recognised cybersecurity certification through its <a href="https://insidesmallbusiness.com.au/management/small-businesses-urged-to-be-extra-vigilant-during-eofy-hacking-season" target="_blank">Cyber Wardens program</a>.</p>



<p>As part of the partnership, graduates from the Cyber Wardens course in May will now be eligible to access the Bronze CyberCert certification, a foundational cybersecurity certification that helps small businesses build trust with customers and partners.</p>



<p>The offer also includes a discounted and fast-tracked upgrade to Silver certification, which will unlock cyber insurance. This is available to all small businesses with a valid ABN who apply within four weeks of completing the Cyber Wardens training.</p>



<p>“Our mission is to help small businesses make cyber security part of their everyday business, and be recognised and rewarded for their efforts to protect Australians against cyber crime,” said COSBOA CEO Luke Achterstraat.</p>



<p>“This partnership means practical training through Cyber Wardens now leads directly to respected industry certification through CyberCert. It’s a win for businesses, customers, and the security of our broader economy.”</p>



<p>Ryan Ettridge, chief of growth and partnerships at CyberCert, said the partnership represented a “game-changing” opportunity for small businesses.</p>



<p>“This is about giving you the protection you need, so you can stay focused on what you do best: Running and growing your business,” Ettridge added.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>‘Mystery Box’ scam steps up subscription scams online </title>
		<link>https://insidesmallbusiness.com.au/latest-news/mystery-box-scam-steps-up-subscription-scams-online</link>
		
		<dc:creator><![CDATA[Sean Cao]]></dc:creator>
		<pubDate>Tue, 06 May 2025 03:57:31 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Latest]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Bitdefender]]></category>
		<category><![CDATA[online scam]]></category>
		<guid isPermaLink="false">https://insidesmallbusiness.com.au/?p=32809</guid>

					<description><![CDATA[<p>Mystery box ads on social media point to online shops that offer subscription tiers with all kinds of perks.</p>
<p>The post <a href="https://insidesmallbusiness.com.au/latest-news/mystery-box-scam-steps-up-subscription-scams-online">‘Mystery Box’ scam steps up subscription scams online </a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The mystery box scam is evolving as <a href="https://insidesmallbusiness.com.au/technology/cyber-security/customers-warned-against-email-and-invoice-scams">cybercriminals</a> have found new ways to make it more convincing and even add more hidden recurring payments, according to Bitdefender researchers.</p>



<p>The goal of the mystery box scam is to collect personal and financial information by tricking victims into believing they have made a fantastic purchase.</p>



<p>As the traditional scheme lost its allure, scammers have devised new ways to make it more convincing, such as running ads on social media and adding small details like surveys ‘to ensure’ you are a real person and not a bot, the researchers explained.</p>



<p>They even put in more effort by running ads with impersonated content creators, making multiple versions of the ad to avoid automatic detection, and creating social media pages that look like the originals.</p>



<p>The researchers found that the mystery box ads pointed to various online shops selling a variety of products, from clothes and beauty products to electronic equipment.</p>



<p>The online shop appears to offer many subscription tiers with all kinds of perks, which makes the scheme more tempting as people believe that it will provide them with discounts across the entire website.</p>



<p>“Right before you agree to give them money and financial information, you also agree to a subscription model (written in a tiny font) that turns your current mystery shopping adventure into recurring payments,” the researchers said.</p>



<p>The payment page often references a website called naillr[.]com, where victims are promised a loyalty membership card that gives discounts and perks.</p>



<p>“The basic idea is to have a process as convoluted as possible, and to make it sound like a good idea at the same time. By the time the victim is actually paying a subscription, it already seems like an investment,” they added.</p>



<p>By following the URLs related by tracker ID, Bitdefender found more than 200 websites in this campaign, many of which are still online. Many of them are linked to a single address in Cyprus, likely home to an offshore company.</p>



<p>“While many of these frauds are seemingly linked to the same operators, a lot of other scammers also figure out that subscription is the new normal.</p>



<p>“With funds pumped into ads, real-looking websites, impersonations of people and brands, and all kinds of other avenues of attack, we&#8217;re bound to see these kinds of frauds inundate the online world,” the researchers concluded.</p>



<ul class="wp-block-list">
<li><em>This story was originally published on <a href="https://internetretailing.com.au/mystery-box-scam-steps-up-subscription-scams-online/" rel="nofollow">Internet Retailing</a>.</em></li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How can SMEs ensure compliance with data protection standards?</title>
		<link>https://insidesmallbusiness.com.au/technology/cyber-security/how-can-smes-ensure-compliance-with-data-protection-standards-2</link>
		
		<dc:creator><![CDATA[Rakesh Prabhakar]]></dc:creator>
		<pubDate>Thu, 01 May 2025 23:19:28 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Latest]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data protection]]></category>
		<guid isPermaLink="false">https://insidesmallbusiness.com.au/?p=32758</guid>

					<description><![CDATA[<p>Amid data breaches, Australian SMEs must prioritise data security and legal compliance to protect customer trust and avoid penalties.</p>
<p>The post <a href="https://insidesmallbusiness.com.au/technology/cyber-security/how-can-smes-ensure-compliance-with-data-protection-standards-2">How can SMEs ensure compliance with data protection standards?</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></description>
										<content:encoded><![CDATA[        <div class="brief">
            <strong class="title"> </strong>
            <div class="text">
                <p>In this piece, Rakesh Prabhakar, Head of Zoho Australia and New Zealand, outlines what your data protection obligations are as a business owner – and how to comply with the law.</p>
            </div>
        </div>
        
<p>Securing customer data isn’t optional – so why does it still feel overwhelming for so many SMEs? With Australia recording 527 data breaches in the first half of 2024 alone &#8211; the highest in over three years &#8211; the urgency for stronger security measures has never been greater. A single breach can lead to financial penalties, legal action and a loss of customer trust. Yet, compliance feels overwhelming. The good news? <a href="https://insidesmallbusiness.com.au/technology/cyber-security/how-can-smes-ensure-compliance-with-data-protection-standards">Protecting customer data</a> and maintaining compliance doesn&#8217;t have to be complicated or costly.</p>



<h4 class="wp-block-heading" id="h-understanding-legal-compliance-for-smes"><strong>Understanding legal compliance for SMEs</strong></h4>



<p>SMEs in Australia must adhere to the Privacy Act 1988 and the Australian Privacy Principles (APPs) if they collect, store, or process personal information. Even businesses not legally required to follow these regulations should still implement best practices to maintain trust and avoid reputational damage.</p>



<p>Many SMEs collect more customer data than they need – often storing it in unsecured spreadsheets, outdated systems, or even email threads. This not only increases security risks but also makes compliance more challenging. A better approach? Only collect essential personal data, obtain clear and informed customer consent, and secure information with encryption and restricted access. Regularly updating privacy policies to reflect current practices isn’t just about legal compliance &#8211; it’s about building a culture of data security that fosters long-term customer trust.</p>



<p>However, a worrying gap remains between awareness and action. Zoho research found that nearly 350,000 businesses don’t know what to do if they experience a data breach. Even more concerning, 19.7 per cent of SMEs didn’t realise they had a legal responsibility to communicate with customers about the data they collect. Without clear guidance, many SMEs risk non-compliance and financial penalties simply due to a lack of awareness.</p>



<h4 class="wp-block-heading" id="h-avoiding-common-data-handling-pitfalls"><strong>Avoiding common data handling pitfalls</strong></h4>



<p>Many SMEs unknowingly expose themselves to security risks through outdated software, unsecured data storage, and poor access controls. Zoho research reveals that while 59.4 per cent of SMEs acknowledge their vulnerability to data breaches, many are not taking adequate action to strengthen their data security. Cybercriminals target businesses using outdated systems, making it critical to keep software and security tools updated.</p>



<p>Additionally, SMEs often rely on multiple different apps, many of which may not be necessary, to store, process, and manage customer data. The more systems a business uses, the more challenging it becomes to track and protect customer data. This complexity, combined with limited resources, makes it harder to ensure data privacy and security, increasing the risk of non-compliance and breaches.</p>



<p>Another common oversight is granting unnecessary data access to employees. Implementing role-based permissions ensures only authorised personnel can view critical information. Regular security training is equally important &#8211; staff who can recognise phishing attempts and social engineering scams are the first line of defence against cyber threats.</p>



<h4 class="wp-block-heading" id="h-strengthening-data-protection-through-consent-and-security-measures"><strong>Strengthening data protection through consent and security measures</strong></h4>



<p>Transparency in data collection isn’t just good practice; it’s a legal requirement. Privacy policies should be clear, specific, and regularly updated to remain compliant. Additionally, customers must have easy opt-out options; failing to provide a clear way to withdraw consent creates compliance risks and trust issues. Free online privacy policy generators can help SMEs align with legal requirements, but consulting a legal expert offers added peace of mind.</p>



<p>SMEs must prioritise security measures to protect collected data. Cyber threats are constantly evolving, and businesses need to stay ahead. Routine security audits help identify vulnerabilities before they lead to costly breaches. Multi-factor authentication protects sensitive accounts from unauthorised access, while encrypted backups provide a safety net against ransomware or accidental data loss. Monitoring access logs ensures businesses can track who interacts with customer data.</p>



<p>By implementing both consent-based data collection and strong security measures, SMEs can enhance compliance, mitigate risks, and build long-term customer trust. As cyber threats grow, prioritising security isn’t just about avoiding penalties – it’s a strategic investment in long-term success.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Majority of cybersecurity incidents caused by unmanaged technology assets</title>
		<link>https://insidesmallbusiness.com.au/technology/cyber-security/majority-of-cybersecurity-incidents-caused-by-unmanaged-technology-assets</link>
		
		<dc:creator><![CDATA[Karl Aguilar]]></dc:creator>
		<pubDate>Thu, 01 May 2025 08:14:33 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[technology assets]]></category>
		<guid isPermaLink="false">https://insidesmallbusiness.com.au/?p=32747</guid>

					<description><![CDATA[<p>Most Australian businesses face security incidents from unmanaged assets, highlighting a need for proactive cybersecurity risk management.</p>
<p>The post <a href="https://insidesmallbusiness.com.au/technology/cyber-security/majority-of-cybersecurity-incidents-caused-by-unmanaged-technology-assets">Majority of cybersecurity incidents caused by unmanaged technology assets</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>New research by cybersecurity firm Trend Micro has revealed that 60 per cent of Australian business leaders have experienced security incidents due to unknown or unmanaged technology assets. </p>



<p>The number of these assets has rapidly increased with the proliferation of <a href="https://insidesmallbusiness.com.au/technology/generative-ai-is-making-traditional-ways-to-measure-business-success-obsolete">generative AI</a> and the increased complexity that comes with it, as well as continued growth in the number of IoT devices used in offices and employees’ homes.</p>



<p>As such, 87 per cent have acknowledged that their network security is either directly or somewhat connected to their organisation’s business risk, particularly when it comes to managing their technology assets. Moreover, a majority has recognised that failing to manage risk across exposed assets can have significant negative impacts beyond immediate security threats, including financial performance (45 per cent), customer trust/brand reputation (42 per cent), employee productivity (42 per cent), operational continuity (38 per cent), regulatory compliance and legal risks (36 per cent), and market competitiveness (33 per cent).</p>



<p>Despite this recognition, though, only 45 per cent of Australian organisations use dedicated tools to proactively manage risk across their attack surface, the study revealed. In particular, 38 per cent have admitted that they do not have a continuous monitoring process in place, which would be crucial in mitigating and containing risk before it can impact operations.</p>



<p>Furthermore, only 23 per cent of responding Australian organisations&#8217; budgets are dedicated to managing attack surface risk. However, 80 per cent have insisted that their current resources are adequate for addressing these challenges.</p>



<p>Andrew Philp, ANZ field CISO at Trend Micro, commented: “As far back as 2022, organisations globally – including here in Australia – were becoming increasingly concerned that their cyber-attack surface was spiralling out of control. That concern is even more pressing today. Yet while many local organisations understand the impact this has on operational and reputational risk, there remains a concerning gap in proactive, continuous risk mitigation strategies. Managing cyber risk exposure must become a strategic priority for all Australian businesses.”</p>



<p>Against this backdrop, Trend’s survey has found that artificial intelligence (AI) is emerging as a powerful enabler in the fight against cyber threats, with 62 per cent of Australian respondents currently leveraging AI-driven tools as part of their cybersecurity strategy. Overall, 84 per cent have emphasised the importance of utilising AI for predictive analytics and threat intelligence. However, 48 per cent said they would need more information and assurances before considering AI as part of their security measures.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Small businesses facing growing threats from breaches and bots</title>
		<link>https://insidesmallbusiness.com.au/technology/cyber-security/small-businesses-facing-growing-threats-from-breaches-and-bots</link>
		
		<dc:creator><![CDATA[Karl Aguilar]]></dc:creator>
		<pubDate>Mon, 28 Apr 2025 07:36:22 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[bots]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[ransomware]]></category>
		<guid isPermaLink="false">https://insidesmallbusiness.com.au/?p=32700</guid>

					<description><![CDATA[<p>Small businesses face growing cyber risks in 2025, with a surge in ransomware and malware breaches and malicious e-commerce bots.</p>
<p>The post <a href="https://insidesmallbusiness.com.au/technology/cyber-security/small-businesses-facing-growing-threats-from-breaches-and-bots">Small businesses facing growing threats from breaches and bots</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Two new reports have highlighted the growing threats facing small businesses online.</p>



<h4 class="wp-block-heading" id="h-rise-in-online-breaches">Rise in online breaches</h4>



<p>One report, the <em>2025 Data Breach Investigations Report </em>(DBIR) by Verizon Business, has revealed a surge in system breaches across the Asia-Pacific region. Malware accounted for 83 per cent of the breaches this year, and <a href="https://insidesmallbusiness.com.au/technology/cyber-security/smes-make-up-majority-of-ransomware-victims">ransomware</a> accounted for 51 per cent.</p>



<p>&#8220;This year’s report reinforces the growing complexity and persistence of cyber threats facing organisations worldwide. In the Asia-Pacific region in particular, external actors are targeting critical infrastructure and exploiting third-party vulnerabilities. The rising incidence of breaches highlights the imperative for businesses to reassess their risk frameworks,&#8221; said Robert Le Busque, regional VP Asia Pacific for Verizon Business. </p>



<p>The report also revealed an alarming rise in espionage-motivated attacks in the manufacturing and healthcare sectors, and persistent threats to the education, financial, and retail industries. It also noted that the median ransom payment to cybercriminals amounted to US$115,000, a significant amount for many small and medium-sized businesses (SMEs).</p>



<p>“Glass-half-full types can celebrate the rise in the number of victim organisations that did not pay ransoms with 64 per cent not paying vs 50 per cent two years ago. The glass-half-empty personas will see in the DBIR that organisations that don’t have the proper IT and cybersecurity maturity – often the SME sized organisations – are paying the price for their size with ransomware being present in 88 per cent of breaches,” said Craig Robinson, research VP, security services at IDC.</p>



<p>According to Verizon Business, educating the public on the types of attacker motives, tactics and techniques is a key head start in raising global awareness and cyber readiness.</p>



<h4 class="wp-block-heading" id="h-bots-derailing-e-commerce-traffic">Bots derailing e-commerce traffic</h4>



<p>Meanwhile, a report by application security and delivery solutions provider Radware found that automated bots – good and bad bots – accounted for 57 per cent of e-commerce website traffic during the 2024 holiday season. </p>



<p>The <em>2025 E-commerce Bot Threat Report</em> found that bad bots made up 31 per cent of total internet traffic during the last holiday season and that nearly 60 per cent of the malicious traffic employed advanced behavioural techniques to evade traditional threat detection. Malicious bot traffic directed at mobile platforms also rose 160 per cent between the 2023 and 2024 holiday shopping seasons.</p>



<p>The report also noted that this was the first time that automated, non-DDoS generating bots drove more traffic than human shoppers, signalling a critical shift in the cybersecurity landscape for e-commerce providers and online retailers.</p>



<p>“Bad bots are no longer just based on simple scripts – they’re sophisticated, AI-enhanced agents capable of outsmarting traditional defence,&#8221; said Ron Meyran, Radware&#8217;s VP of cyber threat intelligence. &#8220;E-commerce providers and online retailers that rely on conventional security measures will find themselves increasingly exposed, not just during the holidays but year-round.”</p>



<p>The report pointed out that combating these bots requires sophisticated security strategies, including accurate AI-powered detection of attack patterns such as rotating IPs and identities, distributed attacks, Captcha farm services, and other advanced anomalies, without causing false positives.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SMEs urged to remain vigilant against Easter scams</title>
		<link>https://insidesmallbusiness.com.au/technology/cyber-security/smes-urged-to-remain-vigilant-against-easter-scams</link>
		
		<dc:creator><![CDATA[Karl Aguilar]]></dc:creator>
		<pubDate>Mon, 21 Apr 2025 23:00:00 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Latest]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[holiday]]></category>
		<category><![CDATA[scams]]></category>
		<guid isPermaLink="false">https://insidesmallbusiness.com.au/?p=32656</guid>

					<description><![CDATA[<p>COSBOA and CommBank warn small businesses to watch for scams during Easter, as cyber threats rise amid busy holiday periods.</p>
<p>The post <a href="https://insidesmallbusiness.com.au/technology/cyber-security/smes-urged-to-remain-vigilant-against-easter-scams">SMEs urged to remain vigilant against Easter scams</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Small businesses are being warned to watch out for &#8216;bad eggs&#8217; during the Easter period as COSBOA’s Cyber Wardens program raises awareness of increased risks often disguised in ‘shiny packaging’.</p>



<p>The campaign comes as a new survey commissioned by CommBank shows that 84 per cent of small to medium business owners and senior managers are either taking action to protect their business from scams or planning to do so, after 36 per cent reported having experienced a scam at least once since starting their business.</p>



<p>According to the survey, the steps SMEs have taken to combat scams include checking bank accounts and invoices more regularly and thoroughly (58 per cent), upgrading software (50 per cent), providing additional training for staff (30 per cent) and engaging third-party suppliers such as security consultants (25 per cent).</p>



<p>CommBank Executive General Manager Small Business Banking, Rebecca Warren, said it’s encouraging to see more businesses take steps to protect themselves against <a href="https://insidesmallbusiness.com.au/latest-news/the-digital-scams-costing-small-businesses">scams</a>.</p>



<p>“We know running a small business involves wearing many hats, and it often means you’re incredibly busy with not much time to spare. As a result, business owners may be less likely to spot some of the red flags, which can make them vulnerable to scams,” Warren said.</p>



<p>Warren noted that there is often a spike in scam events during busy holiday periods and called for extra caution during the upcoming Easter break. SMEs are urged to be on the lookout in particular for business email compromise scams, which involve obtaining unauthorised access to an email account to intercept and redirect payment requests.</p>



<p>“While we have seen a 70 per cent reduction in customer scam losses across the bank over the past two years, scammers recognise business owners or key staff are often on holiday at this time of year and this affords them more opportunity combined with less chance of being caught,” she said.</p>



<p>With scammers now leveraging AI to create highly sophisticated and convincing communications, making it even harder to identify fraudulent activity, Warren said it is more crucial than ever to upskill on cyber safety and scams awareness.</p>



<p>To help protect small businesses from the rising threat of AI scams, Cyber Wardens is launching a new course offering, Safe AI for Small Business, later this month.</p>



<p>“Cyber attacks on small businesses can cause devastating financial loss and personal distress for owners, employees and customers. That’s why the Cyber Wardens program for owners and employees is such an important initiative,” said COSBOA CEO Luke Achterstraat.</p>



<p>“The more business owners and their staff are aware of the risks, the more likely they’ll be able to spot red flags. People truly are the first line of defence, and it’s encouraging to see scams protection is top of mind for so many business owners,&#8221; Warren said. “Awareness, combined with robust processes and technology, will significantly reduce risk for hard-working Aussie small business owners.”</p>
<p>The post <a href="https://insidesmallbusiness.com.au/technology/cyber-security/smes-urged-to-remain-vigilant-against-easter-scams">SMEs urged to remain vigilant against Easter scams</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How can SMEs ensure compliance with data protection standards?</title>
		<link>https://insidesmallbusiness.com.au/technology/cyber-security/how-can-smes-ensure-compliance-with-data-protection-standards</link>
		
		<dc:creator><![CDATA[Rakesh Prabhakar]]></dc:creator>
		<pubDate>Thu, 17 Apr 2025 02:00:00 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Latest]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[privacy]]></category>
		<guid isPermaLink="false">https://insidesmallbusiness.com.au/?p=32635</guid>

					<description><![CDATA[<p>With many SMEs having poor privacy practices, boosting data protection, compliance, and customer trust is a must.</p>
<p>The post <a href="https://insidesmallbusiness.com.au/technology/cyber-security/how-can-smes-ensure-compliance-with-data-protection-standards">How can SMEs ensure compliance with data protection standards?</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>With Australia recording 527 data breaches in the first half of 2024 alone &#8211; the highest in over three years &#8211; the urgency for stronger security measures has never been greater. A single breach can lead to financial penalties, legal action and a loss of customer trust. Yet, compliance feels overwhelming. The good news? Protecting customer data and maintaining compliance doesn&#8217;t have to be complicated or costly.</p>



<h4 class="wp-block-heading" id="h-understanding-legal-compliance-for-smes">Understanding legal compliance for SMEs</h4>



<p>SMEs in Australia must adhere to the Privacy Act 1988 and the Australian Privacy Principles (APPs) if they collect, store, or process personal information. Even businesses not legally required to follow these regulations should still implement best practices to maintain trust and avoid reputational damage.</p>



<p>Many SMEs collect more customer data than they need &#8211; often storing it in unsecured spreadsheets, outdated systems, or even email threads. This not only increases security risks but also makes compliance more challenging. </p>



<p>A better approach? Only collect essential personal data, obtain clear and informed customer consent, and secure information with encryption and restricted access. Regularly updating privacy policies to reflect current practices isn’t just about legal compliance &#8211; it’s about building a culture of data security that fosters long-term customer trust.</p>



<p>However, a worrying gap remains between awareness and action. Zoho research found that nearly 350,000 businesses don’t know what to do if they experience a data breach. Even more concerning, 19.7 per cent of SMEs didn’t realise they had a legal responsibility to communicate with customers about the data they collect. Without clear guidance, many SMEs risk non-compliance and financial penalties simply due to a lack of awareness.</p>



<h4 class="wp-block-heading" id="h-avoiding-common-data-handling-pitfalls">Avoiding common data handling pitfalls</h4>



<p>Many SMEs unknowingly expose themselves to security risks through outdated software, unsecured data storage, and poor access controls. Zoho research reveals that while 59.4 per cent of SMEs acknowledge their vulnerability to data breaches, many are not taking adequate action to strengthen their data security. Cybercriminals target businesses using outdated systems, making it critical to keep software and security tools updated.</p>



<p>Additionally, SMEs often rely on multiple apps &#8211; many of which may not be necessary &#8211; to store, process, and manage customer data. The more systems a business uses, the more challenging it becomes to track and protect customer data. This complexity, combined with limited resources, makes it harder to ensure data privacy and security, increasing the risk of non-compliance and breaches.</p>



<p>Another common oversight is granting unnecessary data access to employees. Implementing role-based permissions ensures only authorised personnel can view critical information. Regular security training is equally important &#8211; staff who can recognise phishing attempts and social engineering scams are the first line of defense against cyber threats.</p>



<h4 class="wp-block-heading" id="h-strengthening-data-protection-through-consent-and-security-measures">Strengthening data protection through consent and security measures</h4>



<p>Transparency in data collection isn’t just good practice &#8211; it’s a legal requirement. Policies should be clear, specific, and regularly updated to remain compliant. Additionally, customers must have easy opt-out options; failing to provide a clear way to withdraw consent creates compliance risks and trust issues. Free online privacy policy generators can help SMEs align with legal requirements, but consulting a legal expert offers added peace of mind.</p>



<p>Beyond consent, SMEs must prioritise security measures to protect collected data. Cyber threats are constantly evolving, and businesses need to stay ahead. Routine security audits help identify vulnerabilities before they lead to costly breaches. Multi-factor authentication protects sensitive accounts from unauthorised access, while encrypted backups provide a safety net against ransomware or accidental data loss. Monitoring access logs ensures businesses can track who interacts with customer data.</p>



<p>While data protection may seem complex, compliance is well within reach for SMEs that take a proactive approach. Strengthening security measures not only mitigates risks but also builds customer confidence and differentiates businesses in an increasingly data-conscious marketplace. As cyber threats grow, prioritising security isn’t just about avoiding penalties—it’s a strategic investment in long-term success.</p>
<p>The post <a href="https://insidesmallbusiness.com.au/technology/cyber-security/how-can-smes-ensure-compliance-with-data-protection-standards">How can SMEs ensure compliance with data protection standards?</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Small businesses warned against email and invoice scams</title>
		<link>https://insidesmallbusiness.com.au/technology/cyber-security/customers-warned-against-email-and-invoice-scams</link>
		
		<dc:creator><![CDATA[Karl Aguilar]]></dc:creator>
		<pubDate>Thu, 10 Apr 2025 23:30:00 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Latest]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[business email compromise]]></category>
		<category><![CDATA[fake invoices]]></category>
		<guid isPermaLink="false">https://insidesmallbusiness.com.au/?p=32591</guid>

					<description><![CDATA[<p>ANZ warns SMEs of rising business email compromise and fake invoice scams. Learn how to spot red flags and protect your business from cyber fraud.</p>
<p>The post <a href="https://insidesmallbusiness.com.au/technology/cyber-security/customers-warned-against-email-and-invoice-scams">Small businesses warned against email and invoice scams</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Financial services provider ANZ is urging customers, especially small and medium enterprises (SMEs), to be on alert for the warning signs of <a href="https://insidesmallbusiness.com.au/management/planning-management/business-email-compromise-tops-the-scam-loss-charts">business email compromise</a> (BEC) and fake invoice scams, also known as payment redirection scams.</p>



<p>The reminder comes amidst rising cybercriminal activities that exploit vulnerabilities in email systems and financial processes, with SMEs being primarily targeted as their technology infrastructure has typically been less complicated to infiltrate than that of larger corporations.</p>



<p>Typically, scammers hack into a business’s internal system, update invoice payment details, and ask their victims to deposit payments into these updated bank accounts, with the victims losing money in the process.</p>



<p>The Federal Government’s Annual Cyber Threat Report stated the total self-reported BEC losses were almost $84 million over the 2023-2024 financial year across Australia, with the majority of cybercrime reports lodged by small businesses.</p>



<p>ANZ Scams Portfolio Lead Ruth Talalla commented, “Scams remain an ongoing challenge for Australians, with cybercriminals increasingly adopting sophisticated practices such as BEC and fake invoice scams to exploit consumers. We encourage business owners and individuals to be on high alert and double check all details before making any payments. If you receive an unusual or unexpected payment request, notice updated details on an invoice, or are making a payment to a new account, it’s important to verify the details directly with the legitimate company or person before sending funds.”</p>



<p>ANZ shared that these email and invoice scams can be detected by recognising the following signs:</p>



<ul class="wp-block-list">
<li>Unexpected contact method or requests &#8211; Someone the victim does not usually communicate with via email or social media asks for personal information or payment (e.g., on WhatsApp).</li>



<li>Modified payment details on an invoice &#8211; Payment details do not match previous invoices.</li>



<li>Dodgy domains &#8211; Cybercriminals may use email domains that look similar to the real sender&#8217;s email address.</li>



<li>Poorly written text or inconsistent message formats &#8211; There are grammar or spelling mistakes present, as well as an unusual tone the sender does not usually use.</li>



<li>Missing or faked email signature &#8211; Typically, messages from cybercriminals will lack the legitimate company’s or individual’s email signature.</li>
</ul>



<p>ANZ also shared some tips on how to avoid falling victim to these scams:</p>



<ul class="wp-block-list">
<li>Never call the phone number provided in a suspicious email or message. Instead, use a phone number that has been independently verified and speak to someone you have previously dealt with if possible.</li>



<li>Verify new or updated account details with the legitimate company using a phone number that has been sourced independently before transferring any funds.</li>



<li>If an email or message creates a sense of urgency, do not rush; take time to verify its authenticity.</li>



<li>Use PayID for payments when available to confirm the identity of the recipient.</li>



<li>For large payments, send a small amount first and confirm it has been received by the legitimate company or individual before sending the full amount.</li>
</ul>



<p>Customers who believe they may be victims of email compromise and fake invoice scams are advised to contact their bank and the authorities immediately.</p>



<p>The post <a href="https://insidesmallbusiness.com.au/technology/cyber-security/customers-warned-against-email-and-invoice-scams">Small businesses warned against email and invoice scams</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cybersecurity a critical priority for Australia’s small businesses</title>
		<link>https://insidesmallbusiness.com.au/technology/cyber-security/cybersecurity-priority-australian-smes</link>
		
		<dc:creator><![CDATA[Mohamed Marjook Hussain]]></dc:creator>
		<pubDate>Tue, 08 Apr 2025 02:00:00 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Latest]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Australian Cyber Security Action Plan]]></category>
		<category><![CDATA[cybercrime]]></category>
		<guid isPermaLink="false">https://insidesmallbusiness.com.au/?p=32454</guid>

					<description><![CDATA[<p>Australian SMEs face increasing cyber threats, but a strategic approach to cybersecurity can boost resilience</p>
<p>The post <a href="https://insidesmallbusiness.com.au/technology/cyber-security/cybersecurity-priority-australian-smes">Cybersecurity a critical priority for Australia’s small businesses</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></description>
										<content:encoded><![CDATA[        <div class="brief">
            <strong class="title"> </strong>
            <div class="text">
                <p>In this piece, IT expert Mohamed Marjook Hussain breaks down the current cybersecurity landscape for SMEs.</p>
            </div>
        </div>
        
<p>Australia’s small and medium enterprises (SMEs) make up&nbsp;99.8 per cent of all businesses within the country and drive the economy forward. However, while they’re focused on keeping the lights on, cybercriminals are laser-focused on bringing them down and SMEs are often defenceless.</p>



<p>Unlike large enterprises, SMEs operate with limited resources, lack dedicated cybersecurity teams, and are disproportionately impacted by the IT and cyber skills crisis. These factors make them attractive targets for cybercriminals who exploit security gaps.</p>



<figure class="wp-block-pullquote"><blockquote><p>Cybercriminals don’t even need to be creative – they just exploit vulnerabilities that should’ve been fixed months ago.</p></blockquote></figure>



<h4 class="wp-block-heading" id="h-we-have-a-national-strategy-for-this-but-is-it-working">We have a national strategy for this – but is it working?</h4>



<p>To address these challenges, the <a href="https://insidesmallbusiness.com.au/latest-news/australias-2023-2030-cyber-security-strategy-revealed">Australian government’s 2023-2030 Cybersecurity Strategy</a>&nbsp;and subsequent Australian Cyber Security Action Plan&nbsp;have set forth a national framework to enhance cyber resilience.</p>



<p>The first step is to acknowledge the challenges, particularly the presence of security gaps that leave SMEs&#8217; digital environments vulnerable. Many are running outdated software, using weak passwords, and skipping critical patches. Cybercriminals don’t even need to be creative – they just exploit vulnerabilities that should’ve been fixed months ago.</p>



<h4 class="wp-block-heading" id="h-balancing-protection-and-productivity">Balancing protection and productivity</h4>



<p>Another challenge is the security versus usability struggle. SMEs want protection, but not at the cost of productivity. Cybersecurity measures, while essential, can introduce friction that slows down daily operations, leading to resistance from employees and leadership. While implementing security measures such as multi-factor authentication (MFA) and <a href="https://insidesmallbusiness.com.au/technology/cyber-security/yes-you-can-implement-zero-trust-with-limited-resources">Zero Trust</a> frameworks can improve protection, SMEs often struggle with integration across legacy systems that were never designed with modern security in mind. Retrofitting these older environments can be complex and expensive, requiring specialised expertise that many SMEs lack in-house.</p>



<p>Ongoing management and monitoring of access controls add another layer of complexity, requiring continuous vigilance to avoid security gaps. Without dedicated IT resources, SMEs risk misconfigurations that could leave them just as vulnerable as before.</p>



<h4 class="wp-block-heading" id="h-the-burden-of-tech-debt">The burden of tech debt</h4>



<p>And then there’s tech debt. Technological transformation plays a crucial role in SMEs’ cybersecurity postures. Businesses at different stages of digital maturity face unique challenges. Companies still reliant on legacy systems often depend on external vendors for upgrades and support, limiting their ability to implement modern security measures. On the other hand, more advanced organisations can adopt new technologies with greater agility and incorporate advanced cybersecurity solutions into their infrastructure.</p>



<h4 class="wp-block-heading" id="h-a-lack-of-scalable-cost-effective-solutions">A lack of scalable, cost-effective solutions</h4>



<p>SMEs need the tools and support to fight smarter, not harder. The best way for SMEs to tackle these challenges is to adopt a strategic approach that prioritises security without compromising operational efficiency. This means scalable, cost-effective solutions tailored to their unique challenges. SMEs need practical solutions that simplify security operations, ensure compliance with industry regulations, and offer automated threat detection and response capabilities.</p>



<h4 class="wp-block-heading" id="h-why-we-need-collective-defense-for-smes">Why we need collective defense for SMEs</h4>



<p>The Cyber Security Action Plan highlights the need for collaboration between public and private sectors, and for good reason – no single company can fight off cyberthreats alone, and unless all heads are together, we will not achieve national cyber resilience.</p>



<p>Private companies, large and small, must work in tandem with government agencies to share threat intelligence, develop innovative solutions, and create unified security standards. A collective approach enables faster incident response, better resource allocation, and a more robust defence against cyberthreats that impact the broader economy.</p>



<p>This collaboration is key to building a cybersecurity-aware workforce. It will enable SMEs to better leverage available resources, participate in cybersecurity training programs, and adopt best practices that align with national cybersecurity objectives. Cybersecurity training isn’t just for IT staff – it’s for everyone.</p>



<p>SMEs cannot afford to take a passive approach to cybersecurity. As digital threats become more aggressive and complex, businesses must proactively adopt solutions that enhance security without overwhelming their limited resources. Cybersecurity is a critical business priority that requires strategic investment and collaboration.</p>
<p>The post <a href="https://insidesmallbusiness.com.au/technology/cyber-security/cybersecurity-priority-australian-smes">Cybersecurity a critical priority for Australia’s small businesses</a> appeared first on <a href="https://insidesmallbusiness.com.au">Inside Small Business</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
