Eyes wide shut: UQ study shows how directors know little about cyber threats

Company directors have been found to have an alarming lack of knowledge about cyber security and were not always sure about their duties and liabilities, according to a study from the University of Queensland.

Sep 27, 2022, updated Sep 27, 2022
Chair of the Parliamentary Intelligence and Security Committee Peter Khalil makes a statement about the Optus security breach in Canberra, Monday, September 26, 2022. (AAP Image/Mick Tsikas)

In the wake of the Optus breach, in which the details of millions of its customers were stolen, UQ Business School said its research found that directors often did not fully understand the importance of cyber security.

It came as two Sydney universities released details of how Optus customers can protect themselves.

The school’s Dr Ivano Bongiovanni said the Optus breach showed no organisation was immune to cyber crime while the university’s director of cybersecurity Dr David Stockdale warned cyber threats were an issue of when, not if.

He said non-executive directors at 43 organisations were interviewed and a key finding was there was uncertainty about best practice.

“There is a misleading perception of cybersecurity being a purely technical topic and directors weren’t engaged or confident talking about it,” he said.

One of the study’s co-authors, Megan Gale, said the potential impact of data breaches was massive and could potentially lead to companies shutting down as well as creating a fraud risk for their customers.

She said the risk was not just for major corporations like Optus; small to medium businesses, including not-for-profits and community organisations, were also at risk and needed to be vigilant.

The study found there was a frequent over-reliance on a single board member with cyber-experience and the secrecy that characterises cybersecurity reduces the opportunity for directors to replicate best practices across organisations.

The study coincided with the release of tips for Optus customers to avoid fraud.

Published in The Conversation, the advice from Macquarie and Western Sydney University was for customers to identify all accounts including those which hold credit card details.

“Amazon and eBay are common targets as people often keep credit card details saved to those accounts,” the universities said.

Updating passwords was crucial and adding multi-factor authentication added an extra layer of security but even this was not always enough.

“Ideally, use an application like Google Authenticator or Microsoft Authenticator if the service allows, or an email that is not listed with Optus,” they said.

“Avoid having codes sent to your Optus phone number as it’s at a higher risk of being stolen. One of the most immediate concerns will be using the leaked data to compromise your phone number, which is what many people use for their multi-factor authentication.

“SIM-jacking, getting a mobile phone provider to give access to a phone number they don’t own, will be a serious threat.

“Most carriers allow you to add a verbal PIN as the second verification step to prevent SIM-jacking.”

Customers could also place a short-term freeze, or credit ban, on credit checks, which could stop the thieves taking out credit in a customer’s name but also has the effect of making legitimate credit applications difficult.

Equifax offers a paid credit alert service which notifies someone when credit checks were done in their name.

Website Have I Been Pwned maintains a database of stolen data and anyone can check if their data has been made available to cyber criminals. If you find your data on the list you should immediately change affected passwords.

Using different passwords for every site was important and this can be done with a password manager.

If you have been hacked the universities recommend you contact IDCare, a not-for-profit that helps victims of cybercrime.
