Running a small business in Australia means wearing many hats. Cybersecurity probably isn't your full-time job—but that doesn't mean you can ignore it.
The good news: you don't need enterprise budgets to make meaningful improvements. This checklist covers ten things any small business can do this quarter—most of them free or low-cost.
Before You Start
Cyber incidents cost Australian small businesses an average of $46,000 per breach. The average downtime after ransomware is 23 days. These aren't abstract statistics—they're the difference between staying in business and closing your doors.
The goal isn't perfection. It's measurable progress.
---
The Checklist
1. Enable Multi-Factor Authentication (MFA) Everywhere
Why: Passwords alone are insufficient. MFA blocks 99% of automated attacks.
- Start with your email (Microsoft 365, Google Workspace)
- Then your accounting software (Xero, MYOB, QuickBooks)
- Then your CRM and any system containing customer data
- Use an authenticator app over SMS where possible
Time required: 2-3 hours to audit and enable across your team.
Cost: Free for most platforms.
---
2. Audit Your Admin Accounts
Why: Attackers target admin accounts because they unlock everything.
- List all accounts with admin privileges in your organisation
- Remove any that are no longer needed or belong to former employees
- Ensure admin accounts are separate from regular use accounts
- Enable MFA on all admin accounts immediately
Red flag: Any admin account without MFA is a critical vulnerability.
---
3. Update Everything (Yes, Everything)
Why: Outdated software is how most attacks get in. Patch availability doesn't mean patch applied.
- Enable automatic updates on all operating systems (Windows, macOS, iOS, Android)
- Enable automatic updates on all applications
- Document your software inventory so you know what needs updating
- Pay special attention to Microsoft Office, Adobe products, and web browsers
Red flag: Any device running Windows 7 or older—no longer receiving security updates.
---
4. Back Up Your Data—And Test It
Why: Backups are the only thing that guarantees recovery from ransomware.
- Follow the 3-2-1 rule: three copies, two different media types, one offsite
- Automate backups so they run without human intervention
- Test your restores quarterly—backups that don't work are worthless
- Document the restore process so anyone on your team can do it
Time required: Initial setup 2-4 hours. Testing 30 minutes quarterly.
Cost: Cloud backup services start from $5/month for small deployments.
---
5. Segment Your Network
Why: If attackers get into one area, segmentation stops them from spreading.
- Separate your guest WiFi from your business network
- Separate devices (printers, IoT) from workstations
- Use VLANs if your router supports them
- Limit file sharing between departments where possible
Low-budget option: Most business routers support basic network segmentation.
---
6. Review Who Has Access to What
Why: Excess access is excess risk. Former employees, contractors, and old accounts are common breach points.
- Conduct a quarterly access review
- Remove access for people who have left or changed roles
- Apply the principle of least privilege: only grant access to what each person genuinely needs
- Document access for critical systems
Red flag: Any account that hasn't been used in 90 days—disable it.
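The two audits above (item 2, admin accounts without MFA, and item 6, accounts unused for 90 days) come down to the same exercise: export your account list and mechanically flag the rows that break a rule. The script below is an added example, not part of the original checklist; it runs over a constructed sample export (the names, domain and dates are made up) shaped like what Microsoft 365, Google Workspace or a directory typically gives you per account: username, whether it is an admin, whether MFA is on, and the last sign-in date. Swap in your own export and today's date.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export (not real accounts). A None last_sign_in
# models an account that exists but has never been used.
SAMPLE_ACCOUNTS = [
    {"user": "alice@example.com.au", "admin": True, "mfa": True, "last_sign_in": "2024-06-28"},
    {"user": "bob@example.com.au", "admin": True, "mfa": False, "last_sign_in": "2024-06-30"},
    {"user": "carol@example.com.au", "admin": False, "mfa": True, "last_sign_in": "2024-02-14"},
    {"user": "dave@example.com.au", "admin": False, "mfa": False, "last_sign_in": None},
    {"user": "svc-backup@example.com.au", "admin": True, "mfa": False, "last_sign_in": "2024-01-03"},
]

INACTIVE_DAYS = 90  # the checklist's threshold for "disable it"


@dataclass
class Finding:
    user: str
    issue: str      # short label, e.g. "admin-without-mfa"
    severity: str   # "critical", "high" or "medium"


def review_accounts(accounts, today_iso, inactive_days=INACTIVE_DAYS):
    """Return one Finding per rule an account breaks.

    Rules mirror the checklist: an admin without MFA is critical (item 2),
    any account without MFA should be fixed (item 1), and an account with
    no sign-in in `inactive_days` days should be disabled (item 6).
    """
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=inactive_days)
    findings = []
    for acct in accounts:
        user = acct["user"]
        # MFA checks first: admin without MFA is the page's "critical vulnerability".
        if not acct["mfa"]:
            if acct["admin"]:
                findings.append(Finding(user, "admin-without-mfa", "critical"))
            else:
                findings.append(Finding(user, "user-without-mfa", "medium"))
        # Activity check: never used, or unused past the cutoff.
        last = acct["last_sign_in"]
        if last is None:
            findings.append(Finding(user, "never-signed-in", "high"))
        elif date.fromisoformat(last) < cutoff:
            findings.append(Finding(user, f"inactive-{inactive_days}d", "high"))
    return findings


def users_with_issue(findings, issue):
    """Convenience view: which accounts triggered a given rule."""
    return [f.user for f in findings if f.issue == issue]


if __name__ == "__main__":
    # Review as at a fixed (constructed) date so the output is reproducible.
    for f in review_accounts(SAMPLE_ACCOUNTS, "2024-07-01"):
        print(f"{f.severity:8} {f.issue:20} {f.user}")
```

Run it quarterly against a fresh export and work through the output top to bottom: the `critical` rows are the ones to fix the same day. The inactivity cutoff is a parameter so you can tighten it for admin accounts if you want a shorter window there.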
---
7. Train Your Team on Phishing
Why: Your team is both your biggest vulnerability and your first line of defence.
- Show examples of real phishing emails (there are many public resources)
- Teach the red flags: unexpected urgency, unusual sender addresses, mismatched links
- Establish a clear process for reporting suspicious emails
- Never punish people for reporting—celebrate the catch
Time required: 1 hour initial training, 15 minutes monthly refreshers.
Cost: Free if you use free resources; paid training platforms start from $10/user/month.
---
8. Secure Your Email
Why: Email remains the primary attack vector for small businesses.
- Enable SPF, DKIM, and DMARC on your domain
- Consider additional email filtering beyond what your provider offers
- Enable warning banners on external emails (e.g., "[EXTERNAL]")
- Disable macros in Office by default
Cost: DMARC is free. Premium email filtering varies.
---
9. Document Your Incident Response Plan
Why: When something goes wrong, you don't want to be figuring out what to do while systems are down.
- Write down who to call (IT support, management, legal, insurer)
- Document how to isolate affected systems
- Know your backup restore procedures
- Identify your regulatory notification obligations (Notifiable Data Breaches scheme)
- Keep a printed copy off-network
Time required: 2-3 hours to create an initial plan.
---
10. Review Your Cyber Insurance
Why: When things go wrong, insurance can be the difference between survival and closure.
- Confirm you have cyber liability coverage
- Review what it covers: incident response, business interruption, regulatory penalties
- Understand your obligations: what must you do to maintain coverage?
- Check whether you have a breach response hotline and what support is included
Red flag: Policy excludes "acts of war" or has high deductibles that might make claiming pointless.
---
Making Progress Without Overwhelm
You don't have to do everything at once. Start with the items that cost the least and provide the most immediate protection:
- Enable MFA on email and admin accounts
- Enable automatic updates on all devices
- Back up your data and test a restore
- Conduct a basic access audit
- Brief your team on phishing
- Complete the full checklist
- Document your incident response plan
- Review your cyber insurance
When to Call for Help
Some tasks require expertise. Call a professional if:
- You need a formal security assessment
- You're implementing network segmentation
- You're subject to specific compliance requirements (Essential Eight, ISO 27001, Privacy Act)
- You've experienced an incident and need response support
The cost of professional help is almost always less than the cost of a breach.
---
The Bottom Line
Cybersecurity doesn't have to be overwhelming. Work through this checklist systematically, track your progress, and revisit it quarterly.
Small improvements compound. Each step you take makes you harder to attack—and attackers will move on to easier targets.
Your business deserves protection. Start this week.
---
Need a hand working through this checklist? [Contact us](/) for a tailored security assessment for your small business.