Why small businesses are targeted

There's a persistent myth that cyber criminals only chase big companies. The reality is the opposite: attacks on small businesses are mostly automated and indiscriminate. Software scans the internet for reused passwords, accounts without multi-factor authentication and unpatched systems, then compromises whatever it finds: a 6-person accounting firm in Logan just as happily as a multinational. Small businesses get hit more often because they're the easier automated catch, and they recover more slowly because there's no IT department waiting.

The good news: because most attacks are opportunistic, basic controls block the overwhelming majority of them. That's what this checklist is. It's aligned with the guidance from the Australian Cyber Security Centre (cyber.gov.au) and its Essential Eight, translated into actions you can actually schedule.

Identity and access

1. Turn on multi-factor authentication (MFA) everywhere. Email first, then Microsoft 365/Google Workspace, accounting software, banking and remote access. This is the single most effective control on this page; a stolen password stops being a stolen account.

2. Use a password manager and kill password reuse. One reused password plus one breached website equals attackers holding a working key to your systems. A business password manager makes unique passwords the path of least resistance.

3. Remove admin rights from daily-use accounts. Everyone, including the owner, works from a standard account. Admin accounts exist separately and get used only when needed.

4. Offboard departing staff the same day. Disable accounts, revoke access to shared systems, and change any shared passwords. Dormant accounts of ex-employees are a classic, entirely avoidable way in.
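Items 3 and 4 are the two that quietly drift out of shape between audits. As an added example (not part of the original checklist), this report-only PowerShell script lists enabled accounts that have not signed in for 90 days and who currently sits in the privileged groups. It assumes an on-premises Active Directory with the RSAT ActiveDirectory module installed and a domain-joined admin session; the 90-day threshold and the group list are assumptions to adjust to your own offboarding rules.

```powershell
# Added example, not from the original checklist: AD hygiene report for items 3 and 4.
# Assumes the RSAT ActiveDirectory module and a domain-joined admin session.
# Report-only: it disables nothing.
Import-Module ActiveDirectory

$InactiveDays     = 90                                                # assumption: your offboarding SLA
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# Item 4: enabled user accounts with no sign-in inside the threshold.
# Search-ADAccount reads lastLogonTimestamp, which replicates only every ~14 days,
# so treat LastLogonDate as "at least this old", not exact.
$dormant = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, PasswordExpired

# Item 3: who holds privileged membership, with nested groups expanded.
$admins = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
}

"=== Enabled accounts inactive for $InactiveDays+ days (item 4) ==="
$dormant | Format-Table -AutoSize

"=== Privileged group membership (item 3) ==="
$admins | Format-Table -AutoSize

# Follow-up, run only after a human has confirmed each account is genuinely gone:
#   $dormant | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName }
```

Run it monthly and keep the output: a dormant account that appears on two consecutive reports is an offboarding step that was missed, and an owner's daily-use login showing up under Domain Admins is item 3 not yet done.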

Devices and updates

5. Turn on automatic updates, and verify them. Windows, macOS, browsers, and your line-of-business apps. The verification step matters: machines that quietly stopped updating months ago are common, and they're exactly what attackers scan for.

6. Retire unsupported systems. Software past its end of support receives no security fixes, ever. If a machine can't be upgraded, isolate it or replace it.

7. Encrypt and protect every device. Disk encryption (BitLocker/FileVault) on, screen locks on, and reputable endpoint protection on every computer. A laptop left in an Uber should be an inconvenience, not a data breach.
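Items 5 and 7 both fail silently: updates stall, BitLocker is suspended after a firmware change, Defender's signatures stop refreshing. As an added example (not from the original checklist), this per-machine PowerShell check turns each into a pass/fail line. It assumes Windows 10/11 with Microsoft Defender and BitLocker (both modules ship with Windows) and an elevated session; the 45-day patch-age threshold and the 3-day signature age are assumptions.

```powershell
# Added example, not from the original checklist: device hygiene check for items 5 and 7.
# Assumes Windows 10/11, Microsoft Defender, BitLocker, and an administrator session.
$MaxPatchAgeDays = 45   # assumption: anything older means updating has stalled

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Item 5: when did an update last actually install? "Automatic updates on" means
# nothing if the last successful install was months ago.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $age = (Get-Date) - $lastFix.InstalledOn
    Add-Check 'Patched within threshold' ($age.TotalDays -le $MaxPatchAgeDays) "$($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString())"
} else {
    Add-Check 'Patched within threshold' $false 'No hotfix install dates recorded'
}

# Item 7: system drive fully encrypted AND protection switched on (a suspended
# BitLocker volume reports FullyEncrypted with ProtectionStatus Off).
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Check 'System drive encrypted' ($bl.VolumeStatus -eq 'FullyEncrypted' -and $bl.ProtectionStatus -eq 'On') "$($bl.VolumeStatus), protection $($bl.ProtectionStatus)"

# Item 7: endpoint protection running with current signatures.
$mp = Get-MpComputerStatus
Add-Check 'Real-time protection on' $mp.RealTimeProtectionEnabled "AMServiceEnabled=$($mp.AMServiceEnabled)"
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
Add-Check 'AV signatures under 3 days old' ($sigAge.TotalDays -lt 3) "Last updated $($mp.AntivirusSignatureLastUpdated)"

# Item 7: screen lock enforced machine-wide via the "machine inactivity limit" policy
# (value absent or 0 means nothing is enforced; 900 s = 15 minutes is the assumed ceiling).
$lockKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$limit = (Get-ItemProperty -Path $lockKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
Add-Check 'Screen lock enforced' ($limit -gt 0 -and $limit -le 900) "InactivityTimeoutSecs=$limit"

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit so a scheduler or RMM tool can alert
```

Scheduling this weekly and alerting on a non-zero exit code is the "verify them" half of item 5; without it, the machine that stopped updating in March is only discovered when it becomes the incident.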

Email and phishing

8. Add business-grade email filtering. The default spam filter catches spam; it's weaker against targeted phishing and malicious attachments. Dedicated filtering in front of your mailboxes blocks most threats before a human can click them.

9. Block Office macros from the internet. "Enable macros to view this invoice" remains one of the most common attacks against Australian businesses. Almost nobody needs internet-sourced macros; block them centrally.
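The setting behind item 9 is Microsoft's Group Policy "Block macros from running in Office files from the Internet", which exists for each Office application. As an added example (not from the original checklist), this PowerShell script writes the same policy registry value Group Policy would for the current user and then reads it back as evidence for the audit. It assumes Office 2016 or later, including Microsoft 365 Apps, all of which use the 16.0 registry key; on a domain, push the identical setting with the Office ADMX templates rather than a script.

```powershell
# Added example, not from the original checklist: apply and verify
# "Block macros from running in Office files from the Internet" for the current user.
# Assumes Office 2016/2019/2021/365 (all keyed under 16.0).
$apps = @('Word', 'Excel', 'PowerPoint')   # the applications that open macro-enabled files

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 1 = block VBA in any file carrying the Mark of the Web (downloaded or saved from email)
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Verify: report each application's effective value.
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $v = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    [pscustomobject]@{ App = $app; BlockInternetMacros = ($v -eq 1); RawValue = $v }
}
```

Because the value lives under the Policies branch, users cannot undo it from the Trust Center; the "enable macros to view this invoice" button simply never appears for a file that came in by email or download.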

10. Make payment changes phone-verified, always. Business email compromise, where a convincing email asks to change bank details for an invoice, costs Australian businesses more than ransomware does. The fix is procedural, not technical: any change to payment details is confirmed by phone, on a number you already had.

Backups

11. Follow the 3-2-1 rule. Three copies of your data, on two different types of storage, one of them off-site (and ideally offline or immutable, so ransomware can't reach it). Full details in our cloud vs local backup guide.

12. Test a restore quarterly. Pick a file, a folder, a mailbox. Restore it, time it, note what went wrong. An untested backup is a hope, not a plan.
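Item 12 only counts if the result is recorded. As an added example (not from the original checklist), this PowerShell function runs a restore drill: it clears the destination, times whatever restore command you hand it, checks the restored file against the live original by SHA-256, and appends the outcome to a CSV. The restore step is passed in as a script block because it depends entirely on your backup product; the dry run at the bottom uses a constructed temp file and Copy-Item as a stand-in for that tool.

```powershell
# Added example, not from the original checklist: repeatable restore drill for item 12.
# The restore command itself is an assumption supplied by the caller as a script block.
function Invoke-RestoreDrill {
    param(
        [Parameter(Mandatory)] [string]      $OriginalPath,   # live copy to compare against
        [Parameter(Mandatory)] [string]      $RestoredPath,   # where the backup tool will write the file
        [Parameter(Mandatory)] [scriptblock] $RestoreAction,  # your backup tool's restore command
        [string] $LogPath = "$env:ProgramData\RestoreDrills.csv"
    )
    $started = Get-Date
    $failure = $null
    try {
        Remove-Item -Path $RestoredPath -ErrorAction SilentlyContinue   # start from nothing, so a stale file cannot pass
        & $RestoreAction
    } catch { $failure = $_.Exception.Message }
    $elapsed = (Get-Date) - $started

    # Byte-for-byte check: a restore that "completed" but produced a corrupt or empty file still fails.
    $match = $false
    if (-not $failure -and (Test-Path $RestoredPath)) {
        $match = (Get-FileHash -Algorithm SHA256 -Path $OriginalPath).Hash -eq
                 (Get-FileHash -Algorithm SHA256 -Path $RestoredPath).Hash
    }

    $record = [pscustomobject]@{
        Date     = $started.ToString('s')
        Source   = $OriginalPath
        Seconds  = [math]::Round($elapsed.TotalSeconds, 1)
        Verified = $match
        Problem  = $(if ($failure) { $failure } elseif (-not $match) { 'Restored file missing or differs from original' } else { '' })
    }
    $record | Export-Csv -Path $LogPath -Append -NoTypeInformation   # the quarterly record
    return $record
}

# Dry run with a constructed file; Copy-Item stands in for the real backup tool.
$orig   = Join-Path $env:TEMP 'drill-original.txt'
$backup = Join-Path $env:TEMP 'drill-backup.txt'
$out    = Join-Path $env:TEMP 'drill-restored.txt'
Set-Content -Path $orig -Value "payroll-export-$(Get-Random)"
Copy-Item -Path $orig -Destination $backup
Invoke-RestoreDrill -OriginalPath $orig -RestoredPath $out `
    -RestoreAction { Copy-Item -Path $backup -Destination $out } `
    -LogPath (Join-Path $env:TEMP 'drill-log.csv')
```

Swap the script block for your product's restore command and point `-OriginalPath` at a real file, folder or exported mailbox; the CSV then answers "how long does a restore take and when did we last prove it works", which is the question an insurer or the OAIC will ask after an incident.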

People and process

13. Run short, regular security awareness training. Ten minutes a quarter beats a two-hour annual lecture. Staff who've seen simulated phishing emails recognise real ones.

14. Write a one-page incident plan. Who do staff call when something looks wrong? Who can authorise shutting systems down? Where are the cyber insurance and IT provider numbers? Deciding this during an incident is the expensive way.

15. Know your legal obligations. If your business is covered by the Privacy Act (generally turnover above $3 million, plus health providers and some others regardless of size), the Notifiable Data Breaches scheme requires you to assess suspected breaches and notify the OAIC and affected individuals when a breach is likely to cause serious harm. Knowing this before an incident changes how you respond.

If something goes wrong

  1. Contain first: disconnect affected machines from the network, but don't wipe them; evidence matters.
  2. Call for help: your IT provider, your bank if money moved, and your cyber insurer (early, as policies often require it).
  3. Report it: via ReportCyber at cyber.gov.au; scams also go to Scamwatch.
  4. Assess notification obligations under the NDB scheme if personal information was involved.
  5. Recover from clean backups, reset credentials, and fix the hole that let the attacker in before going back to business as usual.

Honest scoring: most small businesses we audit pass four or five of these fifteen. If that's you, don't panic. Items 1, 5 and 11 alone eliminate most of your real-world risk, and all three can be done inside a fortnight. If you'd rather have it handled for you, that's literally our job: managed IT support in Brisbane and the Gold Coast includes this entire checklist as standard.