Cyber Security for Tradies & Builders

Cyber Security: How Safe is your Data?

In this increasingly digital age, it is vitally important that we protect the data we are sharing online. There are an increasing number of attacks on small business owners recently with potentially devastating impacts. In this Tech talk, we will discuss methods to help you stay safe online and protect your data from Cyber criminals. Xero’s Head Of Industry Matthew Prouse joins us to discuss the lengths Xero is going to in helping us all in this war against cybercrime.

Watch the full replay of this tech talk below.

Understanding Cyber Security Threats [0:05:20s]

Awareness is key in protecting ourselves from cyber threats. As daily life now involves more technology and cloud software we have unfortunately become more vulnerable to cybercrime. Xero has many cybersecurity measures in place as protecting customers means ensuring their data is safe online.

The Cost of Cyber Crime [0:7:50s]

Matt Prouse is head of Industry with Xero. He is involved with various organisations related to cybersecurity. He has provided advisory services to the ATO and sits on the ATO strategic working group. He shares with us some alarming statistics about the cost of cybercrime globally and in Australia, and  small businesses are particularly prone to attack.

  • $172 billion was the cost of cybercrime across the globe last year.
  • 1 in 4 Australian small businesses were subject to some type of cyber crime incident in 2017.
  • Over half of cyber attacks across the globe target small businesses because they are more vulnerable.
  • A third of businesses impacted by an attack won’t survive a week without critical business information.


Mandatory Multi-Factor Authentication [0:10:37s]

Businesses can be compromised if their customer data is stolen, which includes sensitive information such as bank account details, dates of birth, and phone numbers. The rollout of mandatory multi-factor authentication for accounting software in Australia has made it safer for businesses to store data online. This requirement was co-designed by industry experts to protect customer data and make it more secure.

At least a million small businesses in Australia are storing their data online, making them vulnerable to cyber attacks. The Australian Taxation Office (ATO) saw a massive increase in businesses moving to the cloud and have been proactive in creating public education and online safety measures to help keep your information secure.

Australians love technology and use smartphones extensively for both personal and business purposes. This makes them an attractive target for cyber attacks since they store valuable information on their devices. We also tend to be very trusting when it comes to emails from banks or other institutions asking for personal information, making us more susceptible to phishing attacks.

It's not just about compromising your business, it's actually about sucking out the data that you collect about all of your customers and suppliers.

Cyber Attacks on Small Business [0:15:01s]

One in four Australian small businesses is a victim of some form of cyber attack every year. Matt talks us through some of the different types of attacks and how they affect small businesses.

Invoice Doctoring Scam

Many clients have had their invoices doctored with incorrect banking details, instantly they assume it is the accounting package that has been compromised but really it is their emails. The hacker will sent out fake invoices to a list of email addresses, often posing as legitimate businesses. These scams are prevalent in Australia and other parts of the world like Malaysia, Singapore, and Southeast Asia.

Account Takeovers

Most online activities require usernames and passwords and people tend to get lazy and use the same email address and password for multiple accounts. When a website gets compromised, attackers can borrow email addresses and passwords in bulk and use this data to infiltrate your systems that use the same login details. A great website to check out is Have I Been Pwned, it is a database that collects known compromises of email addresses and passwords lurking in various dark corners of the internet so you can check if any of your details have been compromised.

Protecting your business and yourself online [0:19:45s]

Having unique passwords for every account and protecting personal information online is really important. Using the same password for multiple accounts can lead to security breaches.

Smartphones store sensitive information such as fitness data, health records, emails, and financial details. Make sure they are secure by using fingerprint scanners or PIN codes that are not used elsewhere. The most critical app on smartphones is email; ensure it is secure since it contains a huge amount of information across your business and personal life.

Turn on two-step authentication for your email, you can use the same authenticator app that you use to log into Xero today to log into your email when you need to. It’s also a good idea to take a privacy checkup where it’s looking at things like saving passwords in the browser. If a couple websites are using the same or similar passwords, consider changing them to one that is more unique.

Phishing Scams [0:25:31s]

A phishing scam is when you receive an email that says click on this link and then sign in with your username and password. People think oh well I can’t access the file what was that and they don’t really think too much about it but you’ve given up your username and your password. The average dwell time that a hacker in your system before you know about it is 18 months. If you details have been compromised, the hackers can be sitting and waiting for the right moment to gain access to your system.

If you accidentally give up those credentials into a phishing scam and you have two-step authentication turned on, it means that when they go to use those credentials and the two-step authentication is triggered and you get the notification to say here’s your code. This will alert you that a someone else is trying to access your system and give you the opportunity to log in change your password to secure the account again.

The most critical thing that we could all do as small businesses or as business owners is make sure that we have unique passwords for practically everywhere.

Wi-Fi Security [0:29:01s]

Most of us use our devices for both personal and business which makes it extremely important to be aware of the kinds of devices you use and where you use them. Be careful when using public Wi-Fi as you don’t know where the connection is coming from. It is best not to log into any critical business systems like your online banking on free or public Wi-Fi and be cautious when connecting to a VPN to watch shows or download apps from unknown sources.

App security [0:31:05s]

Regularly review all apps and websites that have access to your Facebook or Google account, deleting any you haven’t used in a while or no longer need. Understand that when an app is connected to your Facebook account, it has access to some form of your information. Gaming companies that no longer exist may still have access to servers with user information.

Password Managers [0:33:22s]

You can use password managers like LastPass or OnePassword to store login credentials securely. When choosing which password manager to go with make sure it has strong security features and certifications such as ISO certification.

Another great way to protect your business from cyber attacks is by educating your staff members about cybersecurity best practices, including locking devices and securing passwords. Staff members who have access to business systems on their personal devices can compromise the security of the entire business. Make sure staff create strong passwords for all business-related accounts that are unique and not used for any of their personal accounts. Regularly checking for weak passwords and implementing two-factor authentication can also improve security.

Don't do your online banking on free Wi-Fi, don't do your online banking on public Wi-Fi, don't log into the critical business systems that you use in strange places because you don't know. You're talking to a strange computer and you're relying on that strange computer to actually share and send information backwards and forwards to access something and in some cases that can be problematic.

Password Management Tips [0:37:34s]

Users are bombarded with requests from various tools to save passwords, consider turning off password-saving features in apps like Google Chrome to avoid saving passwords in multiple places. It is important to have a strategy for which tool will store password information. Using Password Management Tools is the best way to keep your passwords secure.

Two-Step Authentication [0:39:36s]

Two-step authentication makes it hard for hackers to use lists of names and email addresses to gain access to your accounts. Two-step authentication requires something you know (e.g., secret questions), something you have (e.g., authenticator code), or something you are (e.g., fingerprint) to gain access to the app or account. Xero is a great example of this, it has two-step authentication, which is mandatory for all users who access a Xero file in Australia.

Risks of using SMS for Login [0:40:59s]

Telcos now advise against using SMS as the second factor because it can be easily hacked by obtaining personal information such as driver’s license numbers and dates of birth. This is why most Accounting software vendors use authenticator codes, pass-phrases, and other solutions instead of SMS. Xero goes one step further with their Security Notice Board, a place where users can report fake emails or invoices from Xero and Xero regularly publishes a list of current scams on the notice board. You can share any suspicious emails to Xero by forwarding the email to

With 96% of businesses that have been compromised it all started with an email compromise so having good business grade email is a mandatory thing nowadays.

Reporting Suspicious Activity [0:46:27s]

Awareness is the biggest tool for businesses in defense against scams. Having routines in business operations makes it easier for the team to be familiar with how the business operates and be able to easily identify anything out of the norm. Things like paying everyone on the same day and being transparent with your team about who your suppliers are, are great safety tactics. If there is any suspicion about an email or payment, it’s important to ask questions directly to the other party first. There are many stories where people paid money into incorrect accounts and never got their money back. Jump on the phone and have a conversation about the change and confirm details if you feel suspicious. Having a good business-grade email is mandatory nowadays to prevent email compromise, adding that extra layer of protection for your business.

Detecting fraud in small business with Xero [0:47:55s]

If you are a Xero subscriber, you will have access to something called the Assurance dashboard if you have advisor level permissions. The Assurance dashboard gives a view of some of the things going on inside your Xero file. It looks at four common signs of internal fraud that may suggest there’s some kind of compromise or something interesting has happened. The last login feature shows who last accessed the Xero file and what they potentially did plus you can monitor all user activity and bank accounts using the tabs. Look for changes made to customer or supplier bank accounts or check for backdated invoices and bills as they are often used to make fraudulent activities look more legitimate. Accountants or bookkeepers should check the dashboard every time they do a bank reconciliation and business owners should also check the dashboard regularly to ensure their accountant is doing their job.

Monitoring your Business Data [0:53:50s]

It is important for business owners to not blindly trust those they employ and use tools like the Assurance dashboard as an additional level of security. Make sure you have an off-boarding process when employees leave your business, including changing all passwords before they leave. Overall, detecting fraud in small businesses requires vigilance and regular monitoring of financial data. Utilising tools like Xero’s Assurance Dashboard can help catch fraudulent activity early on.

You need to make sure that you're up to date with that security technology because it's going to give you the best protection possible. It's not about having really expensive antivirus software, it's about having up-to-date software.

Keeping Devices Secure [0:55:15s]

A compromised business can lead to stolen data, which must be reported to both the tax office and clients. It is important to consider how it would feel to have to inform customers or suppliers that their information has been stolen. Using outdated software with old security measures, such as leaves businesses vulnerable. It is crucial to keep devices up-to-date with the latest security updates. Smartphones require regular updates for security purposes and android phones are supported for two and a half years before requiring an upgrade. Most devices have software firewalls built-in to protect against hacking attempts. However, firewalls may not be effective against identity theft, which is becoming more common.

Ransomware and Cybersecurity Insurance [1: 04:23s]

Ransomware can hold businesses hostage by encrypting their data and demanding payment for the decryption key. Small businesses are often targeted because they may not have strong cybersecurity measures in place. Having cybersecurity insurance may help with paying ransom demands, but it’s better to have data safely stored online. Storing data online will protect against physical device theft or damage.

Passcodes on desktops and laptops are important to protect against unauthorised access by hackers. Auto-delete settings for downloads folders can help protect against malware that may be downloaded accidentally. Mobile devices should also have passcodes or security logins in place.

Cybersecurity Education Resources [01:06:10s]

There are several resources to help you improve cybersecurity awareness.

Xero offers an entry-level cyber security education course on its website.

Stay Smart Online is a government site that provides alerts about the latest scams and threats and guidance on what to do if your data is breached..

Scamwatch allows users to sign up for notifications about new scams as well.


Matthew Prouse - Xero

As Head of Industry at Xero, Matthew helps connect government agencies, policymakers, accountants, bookkeepers, business owners and software developers to the digital economy. Matthew is an elected director of the Australian Business Software Industry Association and Xero's representative on a number of government and industry working groups.


Clinton is driven by a passion to help the construction and field services industries evolve through the use of technology and education.

continue reading

related posts

Marketing Mythbusters

Uncover the truth about digital marketing in our myth-busting session for tradies. We’ll dispel common misconceptions and offer practical advice to boost your business’s online

Read Article >

Need a hand finding the right app for your business?

Complete the form below, and we’ll be in touch to discuss your options.