Simple Steps to Secure Your Online Accounts
Cybercriminals do not need to “hack” your entire business to cause damage. In many cases, they only need access to one email account, one cloud login, one admin password, or one reused credential. Once inside, they can read confidential emails, reset other passwords, impersonate staff, steal customer data, redirect invoices, access business files, or launch further attacks against your clients and suppliers.
For small and medium-sized businesses, account security is especially important. A compromised account can interrupt daily operations, damage customer trust, expose sensitive information, and create financial loss that is difficult to recover from. The Australian Cyber Security Centre recommends three core starting points for small businesses: turn on multi-factor authentication, update software, and back up information.
The good news is that most account compromises can be prevented with practical, affordable steps. You do not need to be a cybersecurity expert to make your accounts significantly harder to breach. You need strong password habits, multi-factor authentication, software updates, controlled access, staff awareness, and a clear process for responding when something looks suspicious.
This guide explains how cybercriminals target accounts, how passwords are cracked or stolen, and what you can do to protect your business accounts from modern cyber threats.
Why account security matters more than ever
Businesses today rely on online accounts for almost everything: email, banking, payroll, cloud storage, accounting software, customer relationship management systems, social media, websites, remote access tools, and collaboration platforms.
That convenience also creates risk. If a cybercriminal gains access to one account, they may be able to move through your systems and access far more than the original login allowed. For example, access to a business email account could allow an attacker to:
- Reset passwords for other services
- Read confidential client conversations
- Send fake invoices from a trusted email address
- Impersonate a staff member or business owner
- Access cloud storage links and attachments
- Steal contact lists and customer data
- Launch phishing attacks against suppliers or clients
- Hide their activity by deleting security alerts
Account compromise is one of the most common ways cyber incidents begin because it is often easier to trick a person than to break through technical security systems. Cybercriminals know this, which is why phishing, password reuse, fake login pages, and credential theft remain so common.
CISA’s “Secure Our World” guidance focuses on four simple actions that reduce online risk: use strong passwords, enable MFA, update software, and recognise and report phishing. These steps are simple, but they are powerful when applied consistently across your business.
How cybercriminals crack, steal, and abuse passwords
Many people imagine cybercriminals manually typing password guesses into a login screen. In reality, password attacks are usually automated, fast, and data-driven.
Cybercriminals use several common methods to compromise passwords.
1. Brute-force attacks
A brute-force attack uses automated tools to try many possible password combinations until the correct one is found. Short and simple passwords are especially vulnerable because there are fewer possible combinations to test.
For example, a six-character password using only lowercase letters has far fewer possible combinations than a long passphrase using several words. Modern cracking tools can test huge numbers of password guesses very quickly, especially when attackers have obtained stolen password hashes from a breached system.
2. Dictionary attacks
Instead of trying every possible combination, a dictionary attack uses lists of common passwords, names, keyboard patterns, sports teams, locations, seasons, and predictable phrases. Passwords such as Password123, Summer2025!, Companyname1, or Welcome@123 are easy targets.
Cybercriminals also use leaked password databases to identify patterns people commonly use.
3. Credential stuffing
Credential stuffing occurs when attackers use usernames and passwords leaked from one service to try logging in to other services. This is effective because many people reuse the same or similar passwords across multiple accounts.
For example, if an employee used the same password for a personal shopping account and a business email account, a breach of the shopping website could put the business email account at risk.
4. Phishing attacks
Phishing is one of the most effective ways to steal login details. A cybercriminal sends an email, text message, or chat message that looks legitimate and directs the victim to a fake login page. When the user enters their username and password, the attacker captures the credentials.
Modern phishing attacks can look highly convincing. They may imitate Microsoft 365, Google Workspace, banks, delivery companies, cloud storage platforms, social media sites, or internal company tools.
5. Malware and keyloggers
Malware can record keystrokes, steal browser-saved passwords, capture screenshots, or access session cookies. This means even a strong password may be stolen if the device itself is compromised.
6. Social engineering
Social engineering relies on manipulation rather than technical hacking. Attackers may pretend to be IT support, a senior manager, a supplier, a bank representative, or a customer. Their goal is to pressure someone into revealing information, approving a login, changing payment details, or bypassing normal procedures.
This is why account security is not only about passwords. It is about people, devices, processes, and permissions working together.
Create strong, unique passwords for every account
A strong password is still an important first line of defence. However, modern password advice has changed. The goal is not simply to create a complicated password that is hard to remember. The goal is to create passwords that are long, unique, and difficult for attackers to guess.
NIST’s digital identity guidance focuses on authentication and password security practices, including secure handling of authenticators and password verifiers. In practice, businesses should prioritise long, unique passwords and avoid relying on predictable complexity patterns.
A strong password should be:
- Long enough to resist guessing
- Unique to one account only
- Not based on personal information
- Not reused across work and personal accounts
- Not a common word, phrase, or keyboard pattern
- Stored securely in a password manager
A strong password does not need to be impossible to type. A passphrase made from several unrelated words can be easier to remember and harder to crack than a short complex password. For example, a long phrase with unrelated words is generally stronger than a short password with a predictable capital letter and symbol added at the end.
Avoid passwords based on:
- Business name
- Staff name
- Pet name
- Birthdate
- Suburb
- Favourite team
- Common phrases
- Seasonal patterns such as Winter2026!
- Reused company templates such as BusinessName@123
Each account should have its own password. This is especially important for email, banking, accounting software, website admin panels, remote access systems, and cloud platforms.
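The rules above can be enforced at the moment a password is chosen, and the brute-force point from the earlier section can be shown at the same time. The Python checker below is an added example, not code from Computing Australia or the original article; the 14-character minimum, the tiny blocklist and the function names are assumptions chosen for illustration, and a real deployment would screen against a large breached-password list.

```python
import re

# Constructed, deliberately tiny blocklist; a real deployment would screen
# against a large breached-password list (an assumption, not a page claim).
COMMON_PASSWORDS = {"password123", "welcome@123", "welcome123", "qwerty", "letmein"}
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "12345", "abcdef")
SEASONAL = re.compile(r"(spring|summer|autumn|winter|fall)(19|20)?\d{2}[^a-z0-9]*")
MIN_LENGTH = 14  # assumed policy value; the article only says "long enough"


def search_space(password):
    """Crude brute-force search space: (sum of character classes used) ** length.

    It is an upper bound on guesses; a dictionary attack needs far fewer.
    """
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII symbols, space included
    return size ** len(password)


def check_password(password, business_name="", personal_terms=()):
    """Return the reasons a password breaks the article's rules ([] = passes).

    personal_terms holds words an attacker could read off social media:
    staff names, pet names, suburbs, favourite teams.
    """
    reasons = []
    lowered = password.lower()
    # Symbols stripped so that Winter2026! and Company@123 still match patterns.
    alnum = re.sub(r"[^a-z0-9]", "", lowered)

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or alnum in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if any(run in alnum for run in KEYBOARD_RUNS):
        reasons.append("contains a keyboard pattern")
    if SEASONAL.fullmatch(lowered):
        reasons.append("seasonal pattern such as Winter2026!")
    # Business or personal names, including templates like BusinessName@123.
    for term in (business_name, *personal_terms):
        key = re.sub(r"[^a-z0-9]", "", term.lower())
        if len(key) >= 3 and key in alnum:  # very short terms are too noisy to check
            reasons.append(f"based on a known name or term ({term})")
            break
    return reasons
```

A six-character lowercase password gives `search_space` about 309 million guesses, while a four-word passphrase of ordinary words is many orders of magnitude larger even before symbols are counted.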
Use a password manager
Most people cannot realistically remember dozens of strong, unique passwords. That is why password managers are useful.
A password manager stores passwords securely and can generate strong random passwords for each account. Instead of remembering every password, you only need to remember one strong master password and protect the password manager with multi-factor authentication.
Password managers help businesses by:
- Creating long, random passwords
- Reducing password reuse
- Making it easier to share access securely
- Removing the need to store passwords in spreadsheets or notes
- Alerting users to weak or reused passwords
- Helping staff avoid fake login pages by autofilling only on legitimate domains
For business use, choose a reputable password manager that supports team management, access controls, MFA, recovery options, and secure sharing. Avoid storing passwords in browsers alone, shared documents, emails, notebooks, or unsecured spreadsheets.
A password manager should be part of your standard onboarding and offboarding process. When a staff member joins, they should receive access only to the accounts they need. When they leave, their access should be removed immediately.
Turn on multi-factor authentication
Multi-factor authentication, often called MFA or 2FA, adds another layer of protection beyond the password. Even if a cybercriminal steals a password, MFA can stop them from logging in.
Microsoft research found that MFA significantly reduces the risk of account compromise, including in cases involving leaked credentials. This is why MFA should be enabled on every important business account.
MFA may involve:
- An authentication app
- A hardware security key
- A biometric prompt
- A one-time code
- A push notification
- A backup recovery code
For higher-risk accounts, app-based MFA or hardware security keys are generally better than SMS codes. SMS-based MFA is still better than having no MFA, but text messages can be vulnerable to SIM swapping and interception.
Enable MFA on:
- Email accounts
- Cloud storage
- Banking portals
- Accounting software
- Website admin accounts
- Social media accounts
- Remote desktop or VPN access
- Domain registrar accounts
- Password managers
- Customer databases
- E-commerce platforms
Also make sure MFA recovery options are secure. Attackers often target backup email addresses, recovery phone numbers, or weak security questions to bypass stronger login protections.
Keep your software and devices updated
Cybercriminals often exploit known vulnerabilities in outdated software. Once a security flaw becomes public, attackers can quickly scan for systems that have not been patched.
Software updates fix these vulnerabilities and improve security. This applies to:
- Operating systems
- Web browsers
- Email clients
- Mobile apps
- Antivirus and endpoint security tools
- Business software
- Website plugins and themes
- Routers and firewalls
- Remote access tools
- Cloud applications
The ACSC lists software updates as one of the key starting points for small business cyber security. Businesses should enable automatic updates wherever possible and schedule regular maintenance for systems that require manual patching.
Website platforms such as WordPress deserve special attention. Outdated plugins, abandoned themes, weak admin passwords, and unpatched content management systems are common entry points for cybercriminals.
A good update process should include:
- Automatic updates for standard apps where safe
- Regular review of business-critical systems
- Removal of unsupported software
- Testing of major updates before rollout
- Inventory of devices and applications
- Clear responsibility for patch management
If your business uses managed IT support, ask for regular reporting on patch status and device compliance.
Restrict access to sensitive data
Not every employee needs access to every account, file, or system. The more access each person has, the more damage a compromised account can cause.
Use the principle of least privilege. This means each user should only have the access they need to do their job.
For example:
- Reception staff may not need access to financial systems
- Contractors may only need temporary access
- Junior staff may not need administrator privileges
- Marketing staff may need social media access but not domain registrar access
- Former employees should have no access at all
Access should be reviewed regularly, especially when staff change roles, leave the business, or complete a project.
Practical access control measures include:
- Separate accounts for each user
- No shared admin logins
- Role-based permissions
- Regular access reviews
- Immediate removal of ex-employee access
- Separate administrator accounts for IT tasks
- Logging and monitoring of account activity
- Approval processes for sensitive changes
Shared passwords are especially risky because they make it difficult to know who accessed an account and when. Wherever possible, use individual logins with appropriate permissions.
Remove unused apps, extensions, and integrations
Many apps request access to your email, contacts, files, calendars, social media profiles, or cloud storage. Over time, businesses often accumulate old integrations that are no longer needed.
Every unnecessary app is another potential risk. If an old app is compromised, poorly maintained, or still has access to your data, it could expose sensitive information.
Review connected apps and browser extensions regularly. Remove anything that is no longer required, unfamiliar, or unsupported.
Pay close attention to:
- Browser extensions
- Email add-ons
- Cloud storage integrations
- Social media scheduling tools
- CRM plugins
- Accounting software integrations
- Website plugins
- Mobile apps connected to business accounts
- Third-party tools with admin permissions
Only install apps and extensions from trusted sources. Avoid granting broad permissions unless they are genuinely required. For example, an app that only needs to schedule meetings should not require full access to all business files.
Secure your email account first
Email is often the most important account in a business because it is used to reset passwords for other services. If a cybercriminal controls your email, they may be able to take over many other accounts.
Protect business email with:
- Strong unique passwords
- MFA for all users
- Anti-phishing protection
- Spam filtering
- Login alerts
- Secure recovery options
- Conditional access policies
- Device management
- Staff training
- Regular mailbox rule reviews
Cybercriminals who compromise email accounts often create hidden forwarding rules or mailbox rules. These rules may automatically forward messages to the attacker or hide security alerts and invoice-related emails.
If you suspect an email account has been compromised, check:
- Recent login activity
- Forwarding settings
- Mailbox rules
- Deleted items
- Sent items
- MFA settings
- Recovery email and phone number
- Connected apps
- Password reset history
Business email compromise can be extremely costly, especially when attackers use trusted email accounts to request payment changes or send fake invoices.
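The forwarding-rule and mailbox-rule checks above can be run automatically over an export of a user's rules. The Python audit below is an added example, not code from Computing Australia or any mail platform; the rule field names, the organisation domain and the sample rules are constructed for illustration, and a platform's export would need to be mapped into this shape first.

```python
# Constructed sample export of one user's mailbox rules. The field names are
# an assumption for this example, not a particular mail platform's schema.
SAMPLE_RULES = [
    {"name": ".", "conditions": {"subject_contains": "invoice"},
     "forward_to": ["bookkeeper@webmail.example"], "delete_message": True},
    {"name": "Newsletters", "conditions": {"from_contains": "news@vendor.example"},
     "move_to_folder": "Newsletters"},
    {"name": "Alerts", "conditions": {"subject_contains": "unusual sign-in"},
     "move_to_folder": "RSS Feeds", "mark_as_read": True},
    {"name": "Finance copy", "conditions": {"subject_contains": "payment"},
     "forward_to": ["accounts@example.com.au"]},
]
ORG_DOMAINS = {"example.com.au"}  # constructed; any other domain counts as external

# Folders people rarely open (used to hide alerts) and subjects attackers care about.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
SENSITIVE_TERMS = ("invoice", "payment", "bank", "password", "security alert",
                   "unusual sign-in", "verification code")


def audit_rules(rules, org_domains=ORG_DOMAINS):
    """Return (rule name, severity, reasons) for every rule that deserves review."""
    findings = []
    for rule in rules:
        reasons = []
        external = [addr for addr in rule.get("forward_to", [])
                    if addr.rsplit("@", 1)[-1].lower() not in org_domains]
        if external:
            reasons.append("forwards to external address: " + ", ".join(external))
        if rule.get("delete_message"):
            reasons.append("deletes matching messages")
        folder = rule.get("move_to_folder", "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"files messages in a rarely checked folder ({folder})")
        if rule.get("mark_as_read"):
            reasons.append("marks messages as read")
        conditions = " ".join(str(v).lower() for v in rule.get("conditions", {}).values())
        hits = [term for term in SENSITIVE_TERMS if term in conditions]
        if hits:
            reasons.append("matches sensitive subjects: " + ", ".join(hits))
        if len(rule.get("name", "").strip()) < 2:
            reasons.append("blank or single-character rule name")
        if not reasons:
            continue  # ordinary housekeeping rule, nothing to report
        # A rule that both targets sensitive mail and hides it is the classic
        # business-email-compromise pattern, so it ranks with external forwarding.
        hides = bool(rule.get("delete_message") or rule.get("mark_as_read")
                     or folder in HIDING_FOLDERS)
        severity = "high" if external or (hits and hides) else "medium"
        findings.append((rule.get("name", ""), severity, reasons))
    return findings


if __name__ == "__main__":
    for name, severity, reasons in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] rule {name!r}: " + "; ".join(reasons))
```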
Manage social media privacy and security
Social media accounts can expose information that helps cybercriminals impersonate staff, guess security answers, or craft convincing phishing messages.
Attackers may use public posts to learn:
- Staff names and roles
- Business locations
- Supplier relationships
- Travel plans
- Personal interests
- Birthdays
- Family details
- Pet names
- Events and conferences
- Internal terminology
This information can be used in targeted phishing or social engineering attacks.
Protect social media accounts by:
- Limiting public personal information
- Using strong unique passwords
- Enabling MFA
- Reviewing admin roles
- Removing former staff access
- Avoiding public oversharing
- Being cautious with quizzes and data-harvesting posts
- Monitoring impersonation accounts
- Securing business page ownership
Business social media accounts should not rely on one person’s personal login. Use proper business management tools and assign roles carefully.
Avoid suspicious requests and phishing attempts
Phishing remains one of the most common ways cybercriminals steal account credentials. Every employee should know how to spot suspicious messages.
Be cautious of messages that:
- Ask for passwords or verification codes
- Create urgency or fear
- Request payment changes
- Ask you to click a login link
- Contain unexpected attachments
- Come from slightly misspelled domains
- Claim your account will be closed
- Ask you to bypass normal procedures
- Request confidential information
- Seem unusual for the sender
Legitimate service providers will not ask for your password by email, text, or phone. IT support should not need your password to help you. If someone asks for it, treat the request as suspicious.
Before clicking a link, hover over it to check the destination. Better yet, go directly to the official website by typing the address into your browser or using a trusted bookmark.
For payment-related requests, use a second verification method. For example, if a supplier emails new bank details, call a known phone number to confirm. Do not use the phone number listed in the suspicious email.
Train your staff regularly
Technology alone cannot prevent every cyber incident. Staff training is essential because people are often the first target.
Cybersecurity training should be practical, short, and repeated regularly. A once-a-year presentation is not enough.
Training should cover:
- Password manager use
- MFA prompts and approval fatigue
- Phishing recognition
- Invoice fraud
- Safe use of attachments
- Reporting suspicious messages
- Social engineering tactics
- Secure remote work
- Data handling
- What to do after a mistake
Create a culture where staff feel safe reporting suspicious activity. If an employee clicks a phishing link, they should report it immediately rather than hide it. Fast reporting can prevent a minor incident from becoming a major breach.
Watch for signs your account has been compromised
Early detection can reduce damage. Look for warning signs such as:
- Password reset emails you did not request
- MFA prompts you did not initiate
- Login alerts from unfamiliar locations
- Emails marked as read unexpectedly
- Messages in your sent folder that you did not send
- Missing emails
- New forwarding rules
- Unfamiliar connected apps
- Changed recovery details
- Customers receiving strange emails from your account
- Social media posts you did not publish
- Files being changed, deleted, or shared unexpectedly
If you notice any of these signs, act immediately.
Respond quickly if an account is compromised
If you believe an account has been compromised, take these steps as soon as possible:
1. Change the password from a secure device.
2. Sign out of all active sessions.
3. Enable or reset MFA.
4. Review recovery email addresses and phone numbers.
5. Remove suspicious connected apps.
6. Check forwarding rules and mailbox filters.
7. Review recent account activity.
8. Notify your IT provider or security team.
9. Alert affected staff, clients, or suppliers if necessary.
10. Check whether other accounts used the same password.
11. Preserve evidence such as emails, screenshots, and login logs.
12. Report serious cyber incidents through the appropriate channels.
Do not assume the attacker only accessed one account. If a reused password was involved, check every account that may share the same or similar password.
Back up your important information
Backups are essential because account compromise can lead to data loss, ransomware, accidental deletion, or malicious deletion.
The ACSC recommends backups as one of the key starting points for small businesses. A reliable backup strategy should include regular backups, secure storage, and testing to confirm that files can actually be restored.
A good backup strategy should follow the 3-2-1 approach:
- Keep at least three copies of important data
- Store copies on two different types of storage
- Keep one copy offline or separate from your main network
Cloud storage alone is not always a complete backup. If an attacker gains access to your cloud account, they may delete or encrypt files. Make sure your backup system includes version history, restricted access, and recovery testing.
Protect mobile devices and remote workers
Many business accounts are accessed from mobile phones, tablets, laptops, and home networks. These devices need protection too.
Remote and mobile security measures include:
- Device passcodes or biometrics
- Automatic screen locking
- Device encryption
- Remote wipe capability
- Secure Wi-Fi practices
- VPN where appropriate
- Mobile device management for business devices
- Avoiding public computers for business logins
- Keeping apps and operating systems updated
- Reporting lost or stolen devices immediately
Staff should avoid approving MFA prompts they did not initiate. Attackers sometimes use repeated login attempts to trigger MFA fatigue, hoping a user will approve a request just to stop the notifications.
Build a simple account security checklist
Use this checklist to strengthen your business accounts:
- Use a password manager
- Create unique passwords for every account
- Turn on MFA for all important accounts
- Prefer authenticator apps or security keys over SMS
- Update software and devices regularly
- Remove unused apps and browser extensions
- Review account permissions every quarter
- Remove former staff access immediately
- Secure email accounts first
- Review mailbox forwarding rules
- Train staff to recognise phishing
- Verify payment changes by phone
- Back up important data
- Monitor login alerts
- Create an incident response process
These steps make your business a harder target. Cybercriminals often look for easy opportunities. When your accounts are protected with strong passwords, MFA, updated software, and good access controls, attackers are more likely to move on to a weaker target.
Final thoughts
Cybercriminals are constantly changing their tactics, but the foundations of account security remain clear. Use strong and unique passwords, store them in a password manager, enable multi-factor authentication, keep software updated, restrict access, train your staff, and respond quickly to suspicious activity.
For small businesses, these steps are not optional. A single compromised account can lead to financial loss, data exposure, reputational damage, and operational disruption. But with the right protections in place, you can significantly reduce your risk.
If you need help securing your business accounts, reviewing your cybersecurity posture, or responding to suspicious account activity, Computing Australia can assist. With over 20 years of experience supporting businesses, our cybersecurity experts in Perth are available 24/7 to help protect your systems, accounts, and data.
Need help protecting your business from cybercriminals? Contact Computing Australia today or email cybersecurity@computingaustralia.group for expert cybersecurity support.
Jargon Buster
Social engineering – A manipulation technique that utilises human error to gain private information, access, or valuables. E.g. Phishing
Browser extensions – Small software applications that add functionality to a web browser. E.g. AdBlock
Blake Parry
FAQ
How do cybercriminals steal passwords?
Cybercriminals steal passwords through phishing emails, fake login pages, malware, data breaches, credential stuffing and social engineering. They often use automated tools to test stolen usernames and passwords across multiple online platforms.
What is the best way to protect my accounts from cybercriminals?
The best way to protect your accounts is to use strong, unique passwords, enable multi-factor authentication, keep your software updated, avoid suspicious links and use a trusted password manager to store your login details securely.
Why should I use a password manager?
A password manager helps you create, store and manage strong passwords for every account. It reduces the risk of password reuse and makes it easier to maintain secure login details without needing to remember every password.
Is two-factor authentication important?
Yes. Two-factor authentication adds an extra layer of security by requiring a second verification step, such as a code or authentication app. This helps protect your account even if your password is stolen.
How can I tell if an email or message is suspicious?
Be careful with messages that ask for passwords, urgent payments, personal details or login information. Also avoid unexpected links, attachments, spelling mistakes, unfamiliar senders and emails that pressure you to act immediately.