
Cybersecurity for Small Business: The Five Things That Actually Matter

Dave Bock

I’ve spent years working in cybersecurity — advising organisations, building systems, studying the threat landscape formally through a Graduate Certificate in Cyber Security at the University of Adelaide. And the thing that frustrates me most isn’t sophisticated attackers. It’s how consistently the advice given to small business owners is completely wrong for them.

The guides are written for enterprises. The checklists assume you have an IT team. The frameworks require a six-figure budget and a dedicated security officer. None of that is your reality if you’re running a five-person business in Adelaide or anywhere else in Australia.

So here’s what actually matters. Five things. Not fifty.

Why Small Businesses Are Targeted

Let me be direct about something: you are targeted because you’re easier, not because you’re less valuable. Attackers are running automated campaigns that sweep thousands of businesses at once. They’re not choosing between you and a large corporation — they’re hitting everyone, and small businesses respond to phishing emails, have weaker passwords, and often have no plan when something goes wrong.

A ransomware attack that forces you offline for two weeks doesn’t need to be catastrophic to a large enterprise to be worth running. It just needs to hit enough small businesses that can’t afford to lose two weeks. You are the target because the barrier to compromise is lower, not because your data or money is unimportant.

AI is making this worse. Attackers now use AI to write convincing phishing emails without spelling mistakes, impersonate voices on calls, and automate attacks at scale that previously required significant effort. The threat environment has shifted. Your response needs to shift with it.

1. Multi-Factor Authentication on Everything

If you do nothing else after reading this, turn on multi-factor authentication (MFA) on your email, your banking, and every cloud tool your business uses. Today.

A stolen password used to be enough to compromise an account. With MFA, a stolen password is useless without the second factor — the code from your phone, the authenticator app, the hardware key. This single control stops the overwhelming majority of credential-based attacks.

Email is first because it’s the master key to everything else. If an attacker gets into your email, they can reset every other password. Banking is second because the financial exposure is direct. Cloud tools — your accounting software, your CRM, your file storage — come next.

Use an authenticator app rather than SMS where possible. SMS can be intercepted. Google Authenticator, Microsoft Authenticator, or Duo all work. Set it up once, and you’ve just made yourself a significantly harder target than most.

2. Know What Data You Hold and Where It Lives

This one is less technical and more fundamental: do you actually know what personal information your business collects, stores, and processes?

If you handle personal data — names, addresses, health information, financial records — you likely have obligations under the Australian Privacy Act and the Australian Privacy Principles. The threshold is lower than most small business owners realise. A data breach involving personal information may require you to notify both the affected individuals and the Office of the Australian Information Commissioner.

Beyond compliance, you cannot protect what you don’t know you have. Spend an hour mapping it out. Where does customer data live? Is it in your email inbox, a spreadsheet on someone’s laptop, a cloud app, a paper filing cabinet? Once you know, you can make sensible decisions about how to protect it and how long to keep it.

3. Backups That Actually Work

Most businesses have backups. Very few have backups they’ve ever tested.

A backup that hasn’t been tested is not a backup — it’s a hope. Drives fail. Cloud sync services replicate deletions. Ransomware can encrypt backup drives that are permanently connected to your network. None of this matters if you’ve verified that you can actually restore your data when you need to.

The principle to follow is 3-2-1: three copies of your data, on two different types of storage, with one stored offsite or in the cloud. For most small businesses, that means your working files, an external drive, and a cloud backup service.

Test it. Pick one file, delete it, and restore it from your backup. Do this quarterly. If it doesn’t work in a drill, it won’t work in a crisis at 11pm on a Friday when you’ve just been hit with ransomware.
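The quarterly drill above, as an added example rather than anything from the article: it takes a backup of a working folder, records a hash manifest, deletes one file, restores it, and checks the restored bytes against the manifest. It runs entirely on constructed sample files in a temporary directory, and the `corrupt_backup` option simulates the permanently connected drive that ransomware has encrypted, where the drill must fail rather than give a false pass.

```python
"""Restore drill for the 3-2-1 backup routine described above (added example,
not the article's own tooling). Works on constructed sample files in a
temporary directory, so nothing on the reader's machine is touched."""
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Content hash used to prove a restored file is byte-identical."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def take_backup(working: Path, backup: Path) -> dict:
    """Copy the working folder to the backup location and record a hash
    manifest, so a later drill catches silent corruption, not just a
    missing file."""
    shutil.copytree(working, backup, dirs_exist_ok=True)
    return {p.name: sha256_of(p) for p in backup.iterdir() if p.is_file()}

def restore_drill(working: Path, backup: Path, manifest: dict, name: str) -> bool:
    """The quarterly test: delete one working file, restore it from the
    backup, and confirm its hash matches what was recorded at backup time."""
    source, target = backup / name, working / name
    if not source.exists():          # the backup never captured this file
        return False
    target.unlink(missing_ok=True)   # simulate the loss
    shutil.copy2(source, target)     # the actual restore step
    return sha256_of(target) == manifest.get(name)

def run_drill(corrupt_backup: bool = False) -> bool:
    """Constructed sample data: two small business files. With
    corrupt_backup=True the backup copy is overwritten after it was taken
    (a permanently connected drive after ransomware) and the drill must
    fail rather than give a false pass."""
    with tempfile.TemporaryDirectory() as tmp:
        working, backup = Path(tmp) / "working", Path(tmp) / "backup"
        working.mkdir()
        (working / "invoices.csv").write_text("id,amount\n1,120.00\n")
        (working / "clients.txt").write_text("Acme Pty Ltd\n")
        manifest = take_backup(working, backup)
        if corrupt_backup:
            (backup / "invoices.csv").write_bytes(b"\x00encrypted\x00")
        return restore_drill(working, backup, manifest, "invoices.csv")

if __name__ == "__main__":
    print("healthy backup:", run_drill())        # True
    print("encrypted backup:", run_drill(True))  # False
```

Point the same two functions at a real working folder and a real backup location and you have the quarterly test the article asks for, with a record of which file was restored and whether it matched.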

4. Your People Are Your Biggest Risk — and Your Best Defence

Technical controls matter. But the most common way attackers get in is through your people. A phishing email that looks like it’s from your bank. An invoice that looks like it’s from a supplier. A call from someone claiming to be from the ATO.

Your staff don’t need to become cybersecurity experts. They need to know a handful of things: how to spot a suspicious email, that it’s always safe to question a strange request, and who to tell when something looks off. No blame, no embarrassment — just a clear channel to raise concerns.

Run a quick team session. Walk through a couple of real phishing examples (the Australian Cyber Security Centre publishes them). Agree on a process: if you get an email asking you to transfer money or change banking details, you call the person directly on a known number before acting. That one process has stopped countless business email compromise attacks.

Culture matters more than any tool. A team that feels safe raising concerns will catch things that no software ever would.

5. An Incident Plan — Even a Simple One

You don’t need a forty-page incident response plan. You need the answer to two questions, written down, accessible when you’re panicking at 2am: who do you call, and what do you do first?

Write it down now. Who is your IT support contact? What is your bank’s fraud line? What systems do you isolate first if you suspect a breach? Do you have cyber insurance, and if so, what’s the claims number?

The Australian Cyber Security Centre’s ReportCyber portal (cyber.gov.au) is where you report cybercrime in Australia. Know that it exists before you need it.

The point of a plan isn’t to anticipate every scenario. It’s to preserve your ability to think clearly when you’re under pressure. Even a single page of contacts and first steps will help you respond faster and more effectively than if you’re starting from scratch in a crisis.

Where to Start

You don’t need a $50,000 security program. You need the basics done properly — and they’re within reach for any business.

If you’re looking at this list and feeling overwhelmed, do this: identify the single biggest gap. For most small businesses, it’s MFA or backups. Fix that one thing this week. Then fix the next one. Security isn’t a project with an end date — it’s a habit built one improvement at a time.

If you’d like a conversation about where your business sits and what to prioritise first, get in touch. No sales pitch — just a straight conversation about your situation.

Written by Dave Bock

AI Coach & Digital Strategy Advisor, Adelaide SA