Cyber Security Basics Every Australian Small Business Should Have
Cyber security advice tends to arrive either as fear or as jargon. Neither helps a busy owner decide what to actually do on a Tuesday. The practical truth is that a small number of unglamorous controls, done consistently, block the common attacks — and the Australian Cyber Security Centre (cyber.gov.au) publishes exactly this baseline for small business, free, and keeps it current. What follows is the plain-English version of the habits that matter.
1. Passwords and multi-factor authentication
Reused passwords are how one leaked account becomes ten compromised ones. The fix is a password manager for the business — unique passwords everywhere, shared vaults instead of shared spreadsheets — and multi-factor authentication (MFA) switched on for anything that matters: email first, then banking, accounting, cloud storage and social accounts. Email deserves special urgency because whoever controls your inbox can reset the password to almost everything else you use.
- Password manager installed, team trained, shared vaults set up
- MFA on email for every staff member — no exceptions
- MFA on banking, accounting, cloud drive, socials
- Old staff accounts disabled the day someone leaves
2. Updates
Most successful attacks exploit flaws that were fixed months earlier by an update nobody installed. Turn automatic updates on for operating systems, browsers and phones; for the systems you cannot auto-update — the point-of-sale, the website plugins — put a monthly recurring reminder in the calendar with a name attached to it.
3. Phishing habits
Phishing works by manufacturing urgency: the fake invoice, the “your account will be suspended” email, the text from the “CEO” needing gift cards. Training the team takes ten minutes and one rule:
Pay particular attention to changed bank details on invoices. Payment redirection scams are consistently among the most damaging reported by Australian businesses — a two-minute phone call before changing any payee details is the entire defence.
4. Backups
Backups are the control that turns ransomware from a catastrophe into a bad week. The short version: three copies, two media, one off-site or offline, and a restore you have actually tested. The full method is in our backups guide in this chapter.
Access: give people only what they need
Every account with more access than its owner needs is free ammunition for an attacker who compromises it. The principle is called least privilege and the small-business version is simple: staff get their own logins rather than sharing one, admin rights are reserved for the people who genuinely administer things, and access is reviewed when roles change — not just when people leave. Pair it with a leaver's checklist: the day someone finishes up, their email, cloud drive, socials and any shared vault access are disabled, and any passwords they knew that could not be individually revoked get rotated. Most businesses only discover this gap when a former staff member's account turns up in a breach dump two years after they left, still active, still holding the keys.
Putting it together
- This week: MFA on all email accounts; install the password manager.
- This month: MFA everywhere else; auto-updates on; run the ten-minute phishing conversation at a team meeting.
- This quarter: backup restore test; disable stale accounts; put updates and restore tests on the recurring calendar.
FAQ
Is antivirus still necessary?
Modern operating systems ship with capable built-in protection — keeping it enabled and updated matters more than buying additional products. The controls above prevent more real-world incidents than any add-on software.
We are tiny. Are we really a target?
Attacks are mostly automated and untargeted — bots try every business's email logins and send every business the fake invoice. Small businesses are hit precisely because attackers assume the basics are missing. Having them is what removes you from the easy pile.