Drappier Cybersecurity, Compliance and IT Solutions

Cybersecurity for Small Business Australia: 10 Essential Steps

Isometric small business office surrounded by a glowing purple security dome with ten numbered shield icons orbiting the perimeter
April 23, 2026

Australian small businesses are being targeted by cybercriminals at a rate that many business owners still underestimate. The assumption that attackers focus exclusively on large enterprises is wrong. In practice, small and medium businesses are attractive targets precisely because they often lack the security controls of larger organisations.

According to the ASD’s Annual Cyber Threat Report 2022-23, the average cost of a cybercrime incident for a small Australian business exceeded $46,000. For many small businesses, a single serious incident can be devastating.

The good news is that most cyberattacks against Australian businesses are not sophisticated. They rely on known vulnerabilities, weak credentials, and gaps that are entirely preventable. These 10 steps address the most common and most impactful security measures Australian small businesses should have in place.

1. Enable Multi-Factor Authentication on Everything

Multi-factor authentication (MFA) requires users to verify their identity through a second factor beyond their password, such as an authentication app, SMS code, or hardware token. It is one of the most effective controls available.

Microsoft’s internal research has found that MFA blocks more than 99 per cent of automated credential attacks. Enable it on your email accounts, cloud services, remote access tools, and any system containing sensitive data. There is no acceptable reason not to have MFA enabled on business-critical accounts.

2. Keep Software and Operating Systems Patched

Unpatched software is one of the most common entry points for attackers. When a vulnerability is discovered in an operating system or application, software vendors release a patch. Attackers actively scan for unpatched systems and exploit known vulnerabilities, often within hours of a patch being published.

Enable automatic updates where possible. For business systems where automatic updates need to be managed, establish a patching schedule that ensures critical and high-severity vulnerabilities are addressed within timeframes appropriate for your risk profile.

This is a core component of the ASD’s Essential Eight framework and one of the most important controls for any Australian business.

3. Back Up Your Data and Test Your Backups

Ransomware attacks encrypt your data and demand payment for the decryption key. A reliable, tested backup is one of the most effective ways to recover from a ransomware attack without paying a ransom.

Effective backups follow the 3-2-1 rule: three copies of your data, across two different media types, with one copy stored offsite or in the cloud. Critically, backups must be tested regularly. An untested backup is an assumption, not a recovery plan.

4. Use Strong, Unique Passwords and a Password Manager

Credential theft remains one of the most common causes of business email compromise and unauthorised access. Passwords that are weak, reused across multiple services, or shared between staff are a significant vulnerability.

Implement a business password manager to generate and store strong, unique passwords for every account. This removes the burden on individual staff to remember complex passwords and eliminates the practice of reusing credentials.

5. Control Who Has Access to What

Not every employee needs access to every system or piece of data. The principle of least privilege means giving users only the access they need to do their job, nothing more.

Review administrative privileges regularly. Admin accounts should be separate from standard user accounts and used only for tasks that require administrative access. This limits the damage an attacker can do if a standard user account is compromised.


6. Secure Your Email Against Phishing

Phishing remains the most common initial access method used against Australian businesses. Attackers send convincing emails that trick employees into clicking malicious links, opening dangerous attachments, or transferring funds.

Key controls include:

  • Enable spam and phishing filters on your email platform
  • Configure DMARC, DKIM, and SPF records on your domain to prevent email spoofing
  • Train staff to recognise phishing attempts and report suspicious emails
  • Implement a process for verifying financial requests received via email before acting on them
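The SPF and DMARC records mentioned above are plain DNS TXT strings, and the difference between a spoofable domain and a protected one is usually a single tag. The following added example (not from the original post or from Drappier) parses both record types and flags the permissive settings; the records are constructed for a hypothetical domain and are not real DNS data.

```python
"""Check SPF and DMARC TXT records for settings that leave a domain spoofable."""
import re

# Constructed sample records for a hypothetical domain; not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.example-mail.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_SPF = "v=spf1 include:_spf.example-mail.com -all"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

def parse_spf(record):
    """Return (terms, all_qualifier); qualifier is '+', '-', '~', '?' or None."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms = record.split()[1:]
    all_q = None
    for t in terms:
        m = re.fullmatch(r"([+\-~?]?)all", t, re.IGNORECASE)
        if m:
            all_q = m.group(1) or "+"  # bare 'all' means pass for everyone
    return terms, all_q

def parse_dmarc(record):
    """Return DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess(spf_record, dmarc_record):
    """List the settings that still let a third party send mail as the domain."""
    findings = []
    _, all_q = parse_spf(spf_record)
    if all_q in (None, "+", "?"):
        findings.append("SPF: unknown senders pass (missing or permissive 'all')")
    elif all_q == "~":
        findings.append("SPF ~all: unauthorised mail is softfailed, not rejected")
    tags = parse_dmarc(dmarc_record)
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: receivers are asked to deliver spoofed mail")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail is junked rather than rejected")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so aggregate reports are never received")
    return findings
```

Running `assess(WEAK_SPF, WEAK_DMARC)` reports two findings, while the hardened pair returns an empty list; moving from `p=none` to `p=reject` is normally done after reviewing aggregate reports so legitimate senders are not blocked.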

7. Protect Your Endpoints

Every device that connects to your business network is a potential entry point for an attacker. Endpoint protection goes beyond traditional antivirus to include modern endpoint detection and response (EDR) solutions that can detect and contain threats in real time.

Ensure all business devices — including laptops, desktops, and mobile devices used for work — have up-to-date endpoint protection software installed and managed centrally.

8. Secure Your Network

Your office network and any remote access your staff use should be properly secured.

  • Use a business-grade firewall and keep its firmware updated
  • Segment your network where possible so that a compromise in one area does not spread easily
  • Use a VPN for remote access rather than exposing services directly to the internet
  • Change default credentials on all network devices immediately

If you are still using consumer-grade networking equipment for your business, it is worth a review.

9. Train Your Staff

Technology controls alone are not enough. Your staff are both a potential vulnerability and one of your strongest defences. Regular, practical security awareness training helps employees recognise threats, understand their responsibilities, and respond appropriately when something goes wrong.

Training does not need to be lengthy or complex to be effective. Short, regular sessions covering phishing recognition, password hygiene, and incident reporting procedures will have a meaningful impact on your security posture.

The ASD recommends security awareness training as part of the Essential Eight framework.

10. Have an Incident Response Plan

Most small businesses have no plan for what to do when a cyber incident occurs. In the middle of a crisis, the absence of a plan leads to delays, poor decisions, and greater damage.

A basic incident response plan should cover:

  • Who is responsible for managing a cybersecurity incident
  • Who to contact (your IT or security provider, legal counsel, insurer, the ACSC)
  • How to contain a suspected breach
  • How to communicate with affected clients and staff
  • How to preserve evidence for investigation

You do not need a sophisticated plan to start with. A clear, documented process that your team understands is significantly better than no plan at all.

The ACSC’s ReportCyber portal at cyber.gov.au allows Australian businesses to report cybercrime and access guidance when an incident occurs.

Where to Start

If you are not sure where to begin, a cybersecurity gap assessment is the most effective starting point. It gives you an objective picture of your current security posture, identifies the highest-priority gaps, and helps you make informed decisions about where to invest first.

The ASD’s Essential Eight framework provides a practical baseline for Australian businesses. Achieving Maturity Level 1 across all eight strategies addresses the most common attack vectors and provides a solid foundation to build from.

Ready to Strengthen Your Cybersecurity Foundations?

Drappier works with Australian small and medium businesses to assess their security posture, implement practical controls, and provide ongoing managed security services. No obligation.
