CYBERSECURITYCyberproofing Small and Medium Businesses -- a Small Step with a Big Impact

By Bart Hogeveen

Published 5 July 2022

Small businesses are not immune to cybersecurity incidents. In fact, they’re often more vulnerable because they lack the time, resources and sometimes the skills to prepare for and defend against an attack, or to mitigate and remedy any consequences. In Australia, they created a tool to help businesses quickly and easily test the security of their websites.

Small businesses are not immune to cybersecurity incidents. In fact, they’re often more vulnerable because they lack the time, resources and sometimes the skills to prepare for and defend against an attack, or to mitigate and remedy any consequences.

That is why ASPI, supported by .au Domain Administration, or auDA, created a tool—.auCheck—to help businesses quickly and easily test the security of their websites. The tool is intended to empower businesses to improve their internet security practices.

There are 2.3 million small businesses in Australia. While not all have an active or extensive online presence, digital transformation prompted by the Covid-19 pandemic has made every business increasingly dependent on the secure use of the internet.

In its latest threat assessment, the Australian Cyber Security Centre reports that small organizations, sole traders, medium-sized businesses, schools and contributors in the supply chain are among the entities most affected by cybercrime and state-sponsored cyber operations. Cybercriminals seek financial gain or sensitive business information and personal data. Even if they are not direct targets, businesses may fall victim due to the spread of ransomware or a data breach.

In the 2020 Australian cybersecurity strategy the government instructs all businesses to take responsibility for securing their products, services and supply chains, and for protecting their customers from known cybersecurity vulnerabilities.

So, how best can a sole trader or a micro or small business—and even some medium enterprises—be empowered to protect their online presence, data, systems and transactions?

The answer lies in the architecture of the internet. Historically, the community of technicians has developed internet standards, most of which include critical security features that find their way into national standards. They are reflected in the Australian government’s Information security manual.

But uptake of standards doesn’t happen automatically. Among other things, it requires public- and private-sector leadership, foresight and ambition, and demand from the market.

That’s why we launched .auCheck, a free tool that allows owners of websites and email domains, users and customers to check if their site and email standards are up to date.

For most smaller businesses, websites and email accounts are their first and often only platforms for interaction with customers, suppliers and resellers. A designer creates the webpage, adds third-party features such as a payment cart and it’s all then managed by a hosting provider. A registrar provides a license to use a .au domain name and other providers are enlisted for web and mail security or cloud storage services.

Trust and confidence are critical, but how can business owners check that their providers have enabled the most up-to-date settings and follow the latest security advice from the ACSC? This can be quite complicated and time-consuming if the business operators don’t possess technical knowledge and insights.

On .auCheck you can enter a domain name (e.g. or to check whether its settings meet recommended standards. You can also check the configuration of your current internet connection. The tests verify the internet records for the domain name and don’t involve any penetration testing (in which attempts are made to find vulnerabilities in a system). These records are public and ensure devices can communicate and that their authenticity can be verified.

The most important standards that .auCheck tests include:

·  Protocols that enable the establishment of encrypted connections

·  Security of regular website applications such as online forms and shopping carts

·  Security of the domain name by checking whether a cryptographic record is available and correctly configured

·  Application of a set of authenticity marks in your email that help against phishing attacks

·  The use of version 6 of the internet protocol (IPv6) which will accommodate the inclusion of new devices and connections.

The results show users how the website or email domain is performing. Business owners are encouraged to share their .auCheck test report with their IT providers, have a conversation and make an informed decision about the required security features for their online business presence.

As Australians become more familiar with internet security and demand higher standards, Australian internet service providers are more likely to apply .auCheck-recommended standards by default. This will help make the .au and Australian internet ecosystem more secure.

Our .auCheck is part of a global effort to boost the cybersecurity of individuals and small businesses. Similar initiatives have been launched in the UK (WebCheck and MailCheck) and the Netherlands ( to improve the security of small business owners’ online presence.

With .auCheck, the Australian internet community can become active (early) adopters of secure internet standards. That’s how we make sure the .au domain remains one of the most secure ways to connect online.

To check the security of your online services, visit

Bart Hogeveen is the head of cyber capacity-building with ASPI’s International Cyber Policy Centre.This article is published courtesy of the Australian Strategic Policy Institute (ASPI).