People and Procedures Key Areas

People and Procedures

Key Areas

Apply cyber security measures at every level!


Your internal processes and your workforce are the last, and one of the most important lines of defence


Address how you can manage who can access and control your business’ information


Train your staff



Using a phrase or sentence, not one word, as your password

A passphrase is similar to a password. It is used to verify access to a computer system, program or service. Passphrases are most effective when they are:

  • Used with multi-factor authentication
  • Unique not a famous phrase or lyric, and not re-used
  • Longer phrases are generally longer than words
  • Complex naturally occurring in a sentence with uppercase, symbols and punctuation
  • Easy to remembersaves you being locked out.



Greater security & more convenience

  • Harder to crack against common password attacks
  • Easier to remember than random characters
  • Meets password requirements easily – upper and lower-case lettering, symbols and punctuation

Brute Force Attacks and Dictionary Attacks
both generate millions of password/passphrase attempts per second.



For all fixed and mobile devices

Passphrases will significantly increase security across all of your business’ devices. See below for a comparison of password vs passphrase security.


Access Control


A process to regulate who can access what within your business’ computing environment

Access control is a way to limit access to a computing system. It allows business owners to:

  • Decide who they would like to give access privileges to
  • Determine which roles require what access
  • Enforce staff access control limits.




To minimise risk of unauthorised access to important information

Many small businesses employ internal staff or outsource work to external suppliers e.g. website hosting companies.

Access control systems help you protect your business by allowing you to limit staff and supplier access to your computer:

  • Networks
  • Files
  • Applications
  • Sensitive data


Principle of least privilege

Depending on the nature of your business, the principle of least privilege is the safest approach for most small businesses. It gives users the bare minimum permissions they need to perform their work. This also reduces the risk of an ‘insider’ accidentally or maliciously endangering your business.


Employee Training


Education to protect your staff and business against cyber threats

A cyber security incident response plan can help to change the habits and behaviours of staff and create a sense of shared accountability in keeping your small business safe. Your cyber security incident response plan teaches staff how to:

  • Recognise
  • Avoid
  • Report
  • Remove
  • Recover


Employees can be the first and last line of defence against cyber threats

Employees make mistakes. As business owners, you have a legal responsibility to keep your business and customer information safe. That’s why having a cyber security training program is vital.


Regular cyber security awareness and training

Cyber security is continuously evolving. Keeping everybody up to date could be the difference between whether or not a criminal accesses your money or data.

Learning about cyber security for the fist time?

Or are you keeping yourself up to date? This guide is an excellent place to start! If you want to improve your cyber security further, you can find more information and advice on the ACSC website at:

The ACSC is here to help make Australia the safest place to connect online.

The Australian Cyber Security Centre (ACSC), as part of the Australian Signals Directorate (ASD), provides cyber security advice, assistance and operational responses to prevent, detect and remediate cyber threats to Australia.