Pillar guide · Updated April 2026

Small Business Cybersecurity: The Practical 2026 Guide

The practical framework for Australian small businesses. Essential Eight, MFA, backups, NDB obligations, incident response - the controls that actually matter, prioritised, without enterprise resources.

TL;DR - Most small businesses do not have a cybersecurity problem. They have a deferred decisions problem. The password policy that was never enforced, the phishing-test results that nobody acted on, the "we'll set up MFA properly next quarter" that is now nine quarters old. This guide is a practical framework for fixing that without pretending you have enterprise resources. Start with the Essential Eight self-assessment, implement MFA and backup first, then work through the rest in priority order. Most of what you need is free or built into tools you already pay for.

Who this guide is for

  • Small and medium business owners who know they should do something about security but are not sure what
  • Office managers and ops leaders who have inherited IT responsibilities without asking for them
  • Sole traders and consultants who are their own entire IT department
  • Early-stage startups with a handful of staff, no CISO, and a growing data footprint

If your business has more than 100 staff or a dedicated security team, this guide is too basic - see the Microsoft Copilot Security pillar and the enterprise-angle posts in the Business & IT Security archive instead.

The uncomfortable 10-minute reality check

Before any framework, walk through this list honestly. A "no" on any item is not a criticism - it is the list of things to fix.

  • Do all your staff use multi-factor authentication on their work accounts? (Not most. All.)
  • If a staff laptop was stolen today, is the drive encrypted?
  • When a staff member leaves, is there a checklist that gets followed to remove their access from every system? Within 24 hours?
  • If your primary file server or cloud drive was ransomware-encrypted tonight, could you restore the critical data tomorrow from a backup the attacker cannot reach?
  • Do you know what data your business holds about customers that would trigger a Notifiable Data Breach obligation under Australian law?
  • Do you have a policy for what staff should do when they receive a suspicious email, and has that policy been read in the last 12 months?
  • Have you reviewed who has admin access to your Microsoft 365 / Google Workspace tenant in the last six months?
  • Is there a named person who is responsible for cybersecurity - and does everyone else in the business know who that is?

Most small businesses answer "no" to at least five of these. That is not unusual. The rest of this guide is how to turn each of those answers into a "yes".

The Essential Eight for small business

The Essential Eight is the Australian Cyber Security Centre's prioritised set of mitigation strategies. It was designed for government and enterprise but maps well onto small business. Even if you are not in Australia, the list is one of the most practical SMB checklists available.

The eight controls, ranked (by the ACSC, based on what actually stops real attacks):

  1. Application control - only pre-approved applications can run on work devices. For small business, this often looks like enforcing Microsoft Defender / AppLocker / macOS Gatekeeper rather than running a dedicated allowlist product.
  2. Patch applications - keep browsers, PDF readers, Office, and other user apps current. Auto-updates on.
  3. Configure Microsoft Office macro settings - block macros from the internet, require signed macros only, log macro activity.
  4. User application hardening - disable Flash (mostly dead), Java (mostly unneeded), old Office features nobody uses, and aggressive browser plugins.
  5. Restrict administrative privileges - admin accounts are for admin work. Daily work runs on standard user accounts. No exceptions, including for the business owner.
  6. Patch operating systems - auto-updates on. Upgrade off unsupported versions (Windows 10 ended support October 2025 - if you still have Windows 10 machines in production, that is your highest-priority item this week).
  7. Multi-factor authentication - on every account that supports it. No exceptions.
  8. Regular backups - following the 3-2-1 rule, with at least one copy the attacker cannot reach.

The ACSC measures each control on a maturity scale from 0 to 3. Most small businesses start at 0 or 1. Moving from 0 to maturity level 1 across all eight is a genuinely achievable six-to-twelve month project for a business with no dedicated security function.

The eight real risks (ranked by likelihood × impact)

For a small business with fewer than 100 staff, here is the actual threat ranking I see at clients. It is not the ranking in the security vendor marketing.

1. Email compromise (phishing → credential theft)

By far the most common SMB incident. A staff member clicks a phishing link, enters their email password on a fake login page, and the attacker logs into their real account. From there: read customer emails, insert invoice-fraud instructions, set up forwarding rules, pivot to other accounts. Most business email compromise incidents follow this exact pattern.

The fix: MFA (stops 99% of this), phishing-resistant MFA (YubiKey or passkeys for high-value roles), staff training with real phishing simulations (see our phishing test post for what actually works vs. what is compliance theatre).
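The forwarding-rule step in that pattern leaves a trail in the tenant's audit log, and checking for it is one of the cheapest detections a small business can run. Added example, not from the original guide: the records are constructed in the shape of Microsoft 365 Unified Audit Log entries (Operation plus a Parameters list), and example.com.au is a placeholder for the business's own domain.

```python
"""Flag mailbox rules that match the post-compromise pattern: forwarding or
redirecting to an external address, silently deleting mail, or keying on
payment keywords. Added example, not part of the original guide; the log
records below are constructed, not real tenant data.
"""
import json

OUR_DOMAINS = {"example.com.au"}   # assumption: the business's own sending domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample (JSON lines) mirroring the Unified Audit Log layout.
SAMPLE_LOG = r'''
{"CreationTime":"2026-04-02T01:12:09","UserId":"cfo@example.com.au","Operation":"New-InboxRule","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"archive.mail99@gmail.com"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-04-02T03:40:11","UserId":"ops@example.com.au","Operation":"New-InboxRule","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"},{"Name":"SubjectContainsWords","Value":"newsletter"}]}
{"CreationTime":"2026-04-02T05:05:00","UserId":"cfo@example.com.au","Operation":"Set-InboxRule","ClientIP":"203.0.113.7","Parameters":[{"Name":"Identity","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;remittance"}]}
{"CreationTime":"2026-04-02T06:00:00","UserId":"admin@example.com.au","Operation":"Set-Mailbox","ClientIP":"192.0.2.9","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:shared@example.com.au"}]}
'''

def external_targets(value):
    """Return the addresses in a rule parameter that point outside OUR_DOMAINS."""
    found = []
    for addr in value.replace(";", ",").split(","):
        addr = addr.strip().lower().removeprefix("smtp:")
        if "@" in addr and addr.rsplit("@", 1)[1] not in OUR_DOMAINS:
            found.append(addr)
    return found

def analyse(log_text):
    """Return (user, operation, reasons) for every record that looks like
    attacker-created mailbox plumbing; benign rules produce no entry."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["Operation"] not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec["Parameters"]}
        reasons = []
        for name in FORWARD_PARAMS & params.keys():
            ext = external_targets(params[name])
            if ext:
                reasons.append(f"{name} to external {', '.join(ext)}")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("rule deletes matching mail (hides replies from the victim)")
        # Attackers often name rules "." or "" so they are easy to overlook.
        if params.get("Name", "x").strip(" .") == "" or params.get("Identity", "x").strip(" .") == "":
            reasons.append("rule name is empty or punctuation only")
        words = params.get("SubjectContainsWords", "").lower()
        if any(k in words for k in ("invoice", "payment", "remittance", "bank")):
            reasons.append("rule keyed on payment keywords")
        if reasons:
            findings.append((rec["UserId"], rec["Operation"], reasons))
    return findings
```

Export the real records with the Purview audit search (or the Search-UnifiedAuditLog cmdlet) as JSON lines and feed them to analyse(); anything it returns for a finance mailbox warrants a credential reset and a look at the sign-in logs for that ClientIP.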

2. Ransomware

The incident that can kill a business outright. Encrypts files, sometimes exfiltrates them first for double-extortion, demands payment. The cost is rarely just the ransom - downtime, incident response, regulatory reporting, legal fees, customer trust.

The fix: the Essential Eight. Particularly: MFA, patch OS, patch apps, backups (offline / immutable), and restrict admin privileges. See ransomware compliance for the reporting obligations if one lands.

3. Insider risk (usually accidental, occasionally malicious)

The staff member who emails the customer database to their personal Gmail to "work from home". The outgoing contractor who keeps their admin credentials. The newly promoted staffer who accidentally shares a folder containing payroll data "with anyone who has the link".

The fix: least-privilege access, regular access reviews, offboarding checklist, DLP policies on outbound email, logging that lets you detect the "worked from home on customer data" pattern.

4. Business email compromise (invoice fraud)

A more sophisticated cousin of email compromise. The attacker gets into your CFO's email, waits patiently, watches for an invoice exchange, then intercepts and redirects the payment to their own bank account. Average loss per incident: AU$84,000 (ACCC Scamwatch 2024 data).

The fix: MFA on finance staff email, out-of-band verification for payment changes (callback on a known number, not the number in the email), staff training specifically on payment-change tactics.

5. Supply chain / vendor compromise

Your accounting software gets breached, or your CRM vendor has an incident, or your MSP is compromised, and your data leaks through their door. You are not the target - your vendor was - but your data is exposed anyway.

The fix: vendor due diligence before signing (SOC 2, ISO 27001, breach history), minimum necessary data shared with each vendor, awareness that this is an increasing pattern.

6. Unpatched vulnerabilities on internet-exposed services

If you have a VPN, a remote access tool, or a web application facing the internet, it has CVEs. If you have not patched for three months, one of those CVEs is now known-exploited. Ransomware crews increasingly target known-exploited bugs on exposed services as their entry point.

The fix: inventory what you expose to the internet, patch those systems within 48 hours of vendor patch release, or retire them.

7. Cloud misconfiguration

The SharePoint site that was supposed to be private but is set to "anyone with the link". The S3 bucket that has been public since 2021. The Google Drive folder that a former contractor still has access to. These are not attacks, they are self-inflicted.

The fix: periodic access reviews, "anyone with the link" sharing disabled or audited, secure-by-default configurations. The shadow IT post takes the wider lens.

8. Device theft

A staff laptop is stolen from a car. If the drive is encrypted (BitLocker / FileVault / LUKS), the incident is "we need to replace a laptop" - AU$2,000 of pain. If it is not encrypted, the incident is every customer record, every email, and every document that was on the device - potentially a Notifiable Data Breach and tens of thousands in direct cost plus reputational damage.

The fix: full-disk encryption on every device. It is free, built in, and takes ten minutes per machine.

Pre-incident checklist

This is the audit. Work through it in order. None of it is optional.

1. MFA on everything that supports it

  • Microsoft 365 / Google Workspace: enforce via Conditional Access (M365) or context-aware access (Workspace)
  • Banking, payroll, accounting software
  • Any SaaS that holds customer data
  • Remote access (VPN, RDP gateway)
  • Admin consoles of every platform

2. Backups under the 3-2-1 rule

  • Three copies of critical data
  • On two different media
  • One copy offsite or offline (attacker cannot reach it to encrypt it)
  • Tested restore at least quarterly - a backup you have never restored is a theory, not a backup

3. Patching

  • OS auto-updates enabled on every device
  • Office / productivity apps on current version
  • Internet-facing services patched within 48 hours of vendor advisory
  • Retire anything that no longer receives security updates - Windows 10 end-of-life was October 2025

4. Admin privilege audit

  • List every account with admin rights in your tenant, domain, or server
  • For each: is it still needed? Is the account still active? Was it a contractor?
  • Use separate admin accounts for admin work (no day-to-day email, no browsing)
  • Privileged Identity Management (available in Entra ID P2) for just-in-time admin access is worth the licence uplift at any size

5. Offboarding checklist

  • Named person responsible
  • Written steps for disabling accounts in every system
  • 24-hour SLA from termination
  • Recovery of hardware, credentials, and physical access
  • Audit trail kept for at least 12 months

6. Email hardening

  • SPF, DKIM, DMARC records configured correctly for your sending domain
  • Anti-spoofing policies in M365 / Workspace
  • Safe attachments / safe links scanning (M365 Defender for Office, Workspace's equivalent)
  • External-sender banners on incoming email
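"Configured correctly" is checkable rather than a matter of opinion: the weak patterns are +all (or no all) in SPF, p=none and no rua= in DMARC, and a DKIM selector whose public key is empty. Added example, not the guide's own code: it audits record strings offline (pull the live TXT records with dig or nslookup first); example.com.au and the WEAK/HARDENED records are constructed.

```python
"""Audit SPF, DKIM and DMARC TXT records for the weak settings that leave a
sending domain spoofable. Added example, not from the original guide; the
records below are constructed and example.com.au is a placeholder domain."""

def check_spf(record):
    """Return problems with an SPF TXT record (empty list means none found)."""
    if not record.lower().startswith("v=spf1"):
        return ["no valid SPF record (must start with v=spf1)"]
    terms = record.lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return ["missing 'all' mechanism: unlisted senders are not rejected"]
    if all_terms[-1] in ("all", "+all"):
        return ["'+all' authorises every host on the internet to send as you"]
    if all_terms[-1] == "?all":
        return ["'?all' is neutral, equivalent to having no policy"]
    # Each include/a/mx/ptr/exists/redirect costs one of the 10 DNS lookups RFC 7208 allows.
    lookups = sum(t.lstrip("+-~?").split(":")[0].split("=")[0]
                  in ("include", "a", "mx", "ptr", "exists", "redirect") for t in terms)
    return [f"{lookups} lookup mechanisms exceed the 10-lookup limit (permerror)"] if lookups > 10 else []

def parse_tags(record):
    """Parse the 'k=v; k=v' tag list used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_dmarc(record):
    """Return problems with a DMARC record: policy, reporting, subdomains."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record (must start with v=DMARC1)"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy or 'missing'}: spoofed mail is still delivered")
    if "rua" not in tags:
        problems.append("no rua= address: no aggregate reports, so spoofing stays invisible")
    if tags.get("sp", policy).lower() not in ("quarantine", "reject"):
        problems.append("subdomain policy is none: attackers can spoof subdomains")
    return problems

def check_dkim(record):
    """A selector whose p= is empty has been revoked and signs nothing."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return ["no usable DKIM public key (p= is empty or record invalid)"]
    return []

def audit(records):
    """Run all three checks over a {'spf':..., 'dmarc':..., 'dkim':...} dict."""
    return {"spf": check_spf(records["spf"]), "dmarc": check_dmarc(records["dmarc"]),
            "dkim": check_dkim(records["dkim"])}

# Constructed records: WEAK is the state many tenants start in, HARDENED is the target.
WEAK = {"spf": "v=spf1 include:spf.protection.outlook.com +all",
        "dmarc": "v=DMARC1; p=none",
        "dkim": "v=DKIM1; k=rsa; p="}
HARDENED = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com.au",
            "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkq...placeholder-public-key"}
```

Move from p=none to p=quarantine only after a few weeks of rua reports show every legitimate sender (CRM, accounting platform, newsletter tool) is passing, then to p=reject.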

7. Staff training that is not theatre

  • Phishing simulations four times a year - not annually
  • Results shared back to staff with context, not just "you failed"
  • Specific topics: invoice fraud, urgency-based scams, MFA fatigue, gift card scams
  • New starters trained in week one, not week six

8. Named security owner

  • One person whose accountability this is
  • Does not need to be technical - the MD in a 20-person business is fine, with an MSP or consultant on retainer
  • Everyone else knows the name and how to reach them

9. Incident response plan

  • Document who gets called, in what order
  • External resources: MSP, lawyer, cyber insurer, breach notification PR
  • Practised annually via a tabletop exercise (pizza, two hours, walk through "what if ransomware hits Friday at 4pm")
  • See our incident response post

10. Cyber insurance

  • Policy that covers incident response, legal costs, notification costs, business interruption
  • Read the exclusions - many require MFA, patching, and specific controls as preconditions
  • Broker who specialises in cyber (not just your general business broker)

Compliance: what an Australian SMB actually owes

Australian Privacy Principles (APP)

If your business has annual revenue over AU$3M (and some smaller businesses by type - health, credit, etc.), the Privacy Act applies. APP 11 requires reasonable steps to protect personal information. The Essential Eight is the most practical interpretation of "reasonable steps" for a small business.

Even if you are under the AU$3M threshold, applying the APP voluntarily is a strong position in the event of an incident. Courts and regulators look favourably on it.

Notifiable Data Breach scheme (NDB)

If you are covered by the Privacy Act and suffer a breach likely to result in serious harm, you must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.

What triggers NDB:

  • Personal information (name + DOB + address, Medicare numbers, TFN, driver's licence, financial account data)
  • Unauthorised access, disclosure, or loss
  • Likely to cause serious harm (physical, psychological, emotional, financial, reputational)

Penalties for non-notification were raised significantly in 2022 - currently up to AU$50M or 30% of adjusted turnover. Have an incident response plan that includes the 30-day assessment window.

Industry-specific

  • Healthcare: My Health Records Act, state privacy legislation
  • Financial services: APRA CPS 234 (if you are an APRA-regulated entity)
  • Government contractors: ACSC Information Security Manual alignment often required
  • EU customers: GDPR applies if you offer goods/services to EU residents, regardless of your location
  • Payment cards: PCI DSS applies if you process, store, or transmit card data

When to hire an MSP vs DIY

DIY works when:

  • You have under 20 staff
  • The owner or a capable ops lead has time for ~2 hours/week on this
  • Your tech stack is primarily M365 or Workspace (well-documented, good defaults)
  • You are not in a regulated industry

MSP makes sense when:

  • You have over 20 staff (the time cost crosses a meaningful threshold)
  • You are in a regulated industry
  • You need help passing a compliance audit
  • Your tech stack is complicated (mixed cloud, on-prem servers, custom apps)
  • A cyber incident would threaten the business's continued operation

Red flags when shopping for an MSP:

  • They sell you "cybersecurity" as a separate product you add on top of "IT support"
  • They cannot articulate what they do about MFA, backups, patching, or incident response
  • They use "we'll monitor your systems 24/7" without specifics about what they monitor or what actions they take
  • Their contract has no SLA for incident response
  • They will not let you talk to existing clients

Good signs:

  • They can walk through the Essential Eight with you and tell you where your org sits on each
  • They have a documented incident response process
  • They carry their own cyber insurance
  • They use MFA internally (yes, ask)
  • They are happy to work with your cyber insurer's preferred response vendor

What to do if you are breached

The first two hours matter more than the next two weeks.

  1. Preserve the evidence. Don't reinstall, don't wipe, don't power off if the incident is still active. The logs and disk state are your only way to understand what happened.
  2. Contain the blast radius. Isolate affected systems from the network. Disable compromised accounts (do not delete - you need the evidence). Rotate any credentials the attacker may have seen.
  3. Activate the incident response plan. Named lead takes charge. MSP notified. Cyber insurer notified - they often require this for cover to apply. Legal counsel if personal information is likely involved.
  4. Assess notification obligations. NDB 30-day clock starts from "aware or ought to have been aware". Document the decision whether to notify, even if you decide not to.
  5. Communicate carefully. Internal staff first. Customers only after you know what happened. Never downplay in writing - it will be discovered later and used against you.
  6. Do not pay a ransom without professional advice. It may be illegal depending on who the attacker is. It rarely restores data cleanly. It funds future attacks.

Ongoing hygiene (the small-business monthly routine)

  • Monthly: review user access additions/removals, patching compliance, backup success rates, any flagged security alerts
  • Quarterly: Essential Eight self-assessment (has any dimension slipped?), staff phishing simulation, tabletop walk-through of one incident scenario, vendor security-question refresh
  • Annually: full Essential Eight deep audit, incident response plan update, cyber insurance policy review, external penetration test if budget allows

The practical summary

SMBs do not fail at cybersecurity because they can't afford the right tools. They fail because nobody is accountable for the pile of small, boring decisions that add up. The small businesses that do not have incidents are the ones that turned MFA on, kept backups restorable, and wrote down who is responsible.

Do the Essential Eight self-assessment this quarter. Implement MFA and backups this month. Appoint someone. That gets you ahead of the vast majority of Australian small businesses and makes the worst-case incident survivable rather than terminal.

The free 193-page book below walks through each of these steps with specific tools, screenshots, and exact settings. It is free with the newsletter signup, which also gets you one practical security briefing every Friday.

Frequently Asked Questions

What is the most important cybersecurity control for a small business?

Multi-factor authentication (MFA), by a wide margin. It stops over 99% of automated account-takeover attacks and costs nothing to implement in Microsoft 365 or Google Workspace. If you implement only one control, make it MFA on every staff account. Backups following the 3-2-1 rule is the second priority.

What is the Essential Eight and does it apply to small business?

The Essential Eight is the Australian Cyber Security Centre's prioritised list of eight mitigation strategies: application control, patch applications, configure macros, user application hardening, restrict admin privileges, patch operating systems, MFA, and regular backups. It was designed for government and enterprise but maps well onto small business and is the most practical SMB checklist available, even for non-Australian businesses.

Does the Notifiable Data Breach scheme apply to my small business?

Usually yes if your annual turnover exceeds AU$3M, or if you handle health information, credit data, or TFNs regardless of size. Under NDB, you must notify the OAIC and affected individuals when a data breach is likely to result in serious harm. Penalties for non-notification can reach AU$50M or 30% of adjusted turnover.

What is the cheapest way to improve our small business security?

Four things, all free: (1) enable MFA on Microsoft 365 / Google Workspace, (2) turn on BitLocker / FileVault full-disk encryption on every laptop, (3) configure OneDrive / Google Drive backup for all business files, (4) enable auto-updates on every device. These four controls eliminate the vast majority of real SMB incidents I see.

Should my small business hire an MSP or manage security in-house?

DIY tends to work under 20 staff with a capable operations lead and a simple tech stack (primarily M365 or Workspace). MSP makes sense over 20 staff, in regulated industries, or where the business could not survive a week of ransomware downtime. Ask prospective MSPs how they handle the Essential Eight, MFA, backups, and incident response - vague answers are a red flag.

What should we do if we're ransomware-attacked?

Preserve the evidence (don't wipe or power off), contain the blast radius (isolate infected systems, rotate credentials), activate your incident response plan, notify your cyber insurer (they often require this), and seek professional advice before paying a ransom. Paying is often illegal depending on who the attacker is and rarely restores data cleanly. The NDB 30-day assessment clock starts from when you became aware.

How much does cyber insurance cost for a small business in Australia?

Typical SMB premiums range from AU$1,500 to AU$8,000 per year depending on revenue, industry, and existing security controls. Most insurers now require MFA, patching, and backups as preconditions - without them, cover may be refused or claims denied. A specialist cyber broker will get a better outcome than a general business broker.

What is the most common cyber attack against small businesses?

Email compromise: a staff member clicks a phishing link, enters their email credentials on a fake login page, and the attacker takes over the mailbox. From there: invoice fraud, lateral movement, data exfiltration. MFA stops this attack outright in 99% of cases. Business email compromise (invoice fraud variant) is the highest-cost incident pattern, with an ACCC-reported average loss of AU$84,000.
