Managing risk

How to minimise cyber security risk from customers 

Interacting with customers online brings increased cybersecurity risks to any SME, for example email scams and data breaches. Here’s what to do about these risks.

Most businesses these days have at least some digital interaction with their customers – whether this means them logging into your site with their personal details, exchanging payment information, communicating over email, or otherwise working online. 

Consequently, any business is dealing with a cyber threat not just from their own organisation but from their customers too. 

With so many emails exchanged between businesses, one area that’s a possible cyber security risk is phishing: a scam where cybercriminals use fake emails to impersonate an organisation and convince you to hand over personal information. The ACCC’s Scamwatch says there were 6,324 reports of phishing in July 2021. In particular, an SME might fall victim to a ‘whaling’ or ‘spear’ phishing attack, where the scammers use information specific to the business that they’ve found elsewhere. Such an email may look like it comes from a legitimate source and is usually targeted at particular employees.

It’s possible that cybercriminals may try to impersonate your customers over email and request that you send private details to them. Scammers may even be able to send fake invoices from you to your customers, or request that money be paid into an account that is in fact fraudulent. These so-called ‘payment redirection’ scams cost businesses $128 million last year, with small businesses taking the brunt of this.

Preventing data breaches 

Another risk is that customers expose you to data breaches. This risk can also go both ways: you could be attacked yourself and expose your customers, says Kate Carruthers, chief data and insights officer at the University of NSW.

Think of all the data you are holding on customers, or that they are holding on you. It might include addresses, bank account details, birthdates and more. Then consider what might happen if this information were to fall into the hands of cybercriminals, for example through a ransomware attack. It’s not only damaging to your own business but could tarnish your reputation and lose you the trust of your customers.

The Office of the Australian Information Commissioner reports that in the first half of 2021, there were 446 notifications of data breaches, of which 191 came from cyber security incidents; 30% of these were from phishing and 24% from ransomware.  

Examples of recent hacks where private customer data was stolen include an airline ticket processor, Transport for NSW, and Service NSW.

The solution: get your own systems up to scratch 

The best way to deal with cyber risks from your customers (and protect them as well) is to ensure your own cybersecurity is in top shape.  

“You cannot control what your customers do,” Ms Carruthers says. 

A good start is to get up-to-date with the Cyber Security Centre’s ‘essential eight’ strategies to mitigate risk. 

For example, implement multi-factor authentication, which requires a two-step process for logging in, such as entering a password and then a code received via email or text message. That way, even if a customer interaction somehow leads to one of your passwords being stolen, the cybercriminals are still unlikely to get into your system.

Other good practices to protect against attacks include using a password manager, which generates and stores difficult-to-crack passwords. Also, regularly back up your data so that you do not lose your files, particularly in the event of a ransomware attack.

Finally, it’s a good idea to look for a simple training course for all your employees so they know what to look out for when it comes to cybersecurity. 
