Insight
A plain-English guide to cyber security for Australian small business: the essential controls that stop most attacks, what they cost, and when to get help.
A plain-English guide to cyber security for Australian small business: the essential controls that stop most attacks, what they cost, and when to get help.
Cyber security for a small business comes down to a handful of basics done consistently: turn on multi-factor authentication, keep software updated, back up your data, train your team to spot scams, and limit who has admin access. Get those right and you have stopped the vast majority of attacks that reach businesses your size.
If you run a business with a few staff and a lot on your plate, cyber security can feel like a specialist problem for big companies with big budgets. It isn't. The attacks that actually reach Australian small businesses are rarely sophisticated. They are automated, opportunistic, and they succeed because a basic control was switched off.
This guide covers what genuinely matters for a business your size, in plain English. No jargon, no scare tactics. Just the controls that give you the most protection for the least effort and money, and how to know when it is worth bringing in help.
Ryan here. As the IT side of NexSync, I set this up for professional services firms across Western Sydney every week. Here is what I tell every owner who asks where to start.
The biggest risks are email scams, stolen passwords and ransomware, not hackers targeting you by name. Most attacks are automated and cast a wide net, looking for any business with a weak spot. The Australian Signals Directorate reports small businesses lose thousands per incident on average, and the disruption often hurts more than the dollar figure.
Note: Because these attacks are automated rather than aimed at you personally, being small is no protection; the bots probe every business that has a weak spot.
In practice, the three that catch small businesses most often are:
Five controls stop most attacks: multi-factor authentication, regular updates, good backups, staff awareness and limited admin access. None of them are expensive, and together they close the doors criminals walk through most often.
| Control | What it does | Effort |
|---|---|---|
| Multi-factor authentication (MFA) | Stops a stolen password being enough to get in | Low |
| Software updates | Closes the security holes attackers exploit | Low |
| Backups | Lets you recover after ransomware or mistakes | Medium |
| Staff awareness | Turns your team into a filter, not a weak point | Low |
| Least privilege access | Limits the damage if one account is breached | Medium |
If you do nothing else this quarter, turn on multi-factor authentication everywhere you can, starting with email. It is the single highest-value thing you can do, and in Microsoft 365 it is included in plans you likely already pay for.
Tip: Roll MFA out to your admin and finance accounts first, because those are the logins an attacker most wants and the ones that cause the most damage if taken.
The Essential Eight is a set of eight baseline security strategies published by the Australian Cyber Security Centre to help organisations protect themselves. It covers things like application control, patching, MFA and daily backups. You do not need to implement all eight perfectly on day one, but it is the best free framework to work towards.
We break the whole thing down without the acronyms in the Essential Eight explained in plain English. For the official source, see the ACSC Essential Eight.
Keep at least three copies of your important data, on two different types of storage, with one copy off-site or in the cloud. This is the widely used 3-2-1 rule, and it is what saves businesses when ransomware or hardware failure strikes. Test that you can actually restore from a backup, because an untested backup is just a hope.
Warning: Ransomware and hardware failure give no notice, so the time to confirm a restore works is now, on a calm day, not while your files are locked.
For most small businesses, cloud backup through Microsoft 365 or a dedicated backup service is the simplest path. We cover the details in how to back up your business data, and it pairs naturally with well-set-up cloud storage.
Most small businesses can cover the essentials for a modest monthly amount, often between $30 and $80 per staff member per month for managed security on top of their existing software. Many of the highest-impact controls, like MFA and updates, cost nothing but a bit of time to set up. Spend where the risk is, not on shiny tools you will never use.
Bring in help when you cannot confidently say your backups work, your MFA is on everywhere, and someone is watching for problems. If security is one more thing you keep meaning to get to, that gap is the risk. There is no shame in outsourcing it, the same way you would your accounting.
An honest note: plenty of small businesses can handle the basics themselves with a bit of guidance. If you have someone technical in-house and a simple setup, you may not need a managed service yet. When you do, our cyber security service and local teams (for example cyber security in Parramatta) are built for businesses your size. If email is your main risk, tightening up Microsoft 365 is often the first move.
Turning on multi-factor authentication, starting with email. It stops a stolen or guessed password from being enough to get into your accounts, and it is included in most Microsoft 365 plans at no extra cost.
Yes, but rarely by name. Most attacks are automated and hit any business with a weak spot, which is why small businesses are caught so often. Basic controls make you a much harder target.
You are not legally required to, but it is the best free framework to work towards. Start with MFA, updates and backups, then build up the other strategies over time.
The essentials can cost very little, since MFA and updates are mostly free to enable. Managed security typically runs between $30 and $80 per staff member per month if you outsource it.
Turn on MFA for your email and key accounts today, then confirm you have a working, tested backup. Those two steps alone remove the most common ways small businesses get hurt.
Want a second opinion on where your business stands? Take the free business health check and we will point out the gaps worth closing first.
Tell us where your business is at, and we will tell you where we would start.