4iT IT Support Sydney | Your Reliable Sydney IT Support Partner


Cyber Security for Small Business: The Basics

June 8, 2026

Cyber security for a small business comes down to getting a handful of fundamentals right: multi-factor authentication, managed endpoint protection, email filtering, tested backups, and staff who know how to spot a scam. You do not need an enterprise budget or a security team. You need the basics done properly and kept up to date, because the average cybercrime incident now costs an Australian small business AU$56,600. This guide is the practical starting list.

Key facts

- The average self-reported cost of cybercrime for an Australian small business was AU$56,600 per report in 2024-25, up 14 per cent in a year (ASD).
- ASD’s ACSC received over 84,700 cybercrime reports in 2024-25, roughly one every six minutes.
- Most attacks on SMEs are automated and opportunistic, not hand-picked, so being small is no protection.
- Multi-factor authentication blocks more than 99.2 per cent of account compromise attacks (Microsoft).
- The ACSC’s Essential Eight is the clearest free checklist of the controls that actually matter.

Why do cyber criminals target small businesses?

Cyber criminals target small businesses because they combine weaker defences with real money and useful data, and most attacks are automated enough that picking on the small fish costs nothing.

The image of a hacker hand-selecting a victim is mostly wrong. The reality is automated tools spraying stolen passwords and phishing emails across millions of addresses, and SMEs are caught in the net like everyone else. The difference is that a large enterprise usually survives an attempt because it has layered defences, while a small business that skipped the basics often does not.

Attackers know SMEs are more likely to have one weak password, no MFA, or an unpatched server. The AU$56,600 average cost figure is what happens when one of those gaps gets found. Being too small to bother with is a comforting myth, not a security strategy.

What are the security basics every small business needs?

Every small business needs five fundamentals: multi-factor authentication, managed endpoint protection, email filtering, tested backups, and staff awareness. Get these right and you have closed the doors that the overwhelming majority of attacks come through.

MFA on every account stops stolen passwords cold. Managed endpoint protection defends every device and contains threats that get onto a device. Email filtering keeps most phishing out of inboxes in the first place. Tested backups, ideally immutable, mean ransomware cannot hold you hostage because you can restore. And staff awareness turns your people from the weakest link into a line of defence. None of these is expensive, and most are partly covered if you already run Microsoft 365 Business Premium.

How much should a small business spend on cyber security?

A small business should spend enough to cover the five fundamentals well, which is far less than most owners fear and far less than a single incident costs. Most of the basics are per-user monthly costs that scale with headcount, and a good chunk of the capability is already bundled in Microsoft 365 licences you may hold.

The better way to think about it is risk versus cost. Set the modest monthly cost of MFA, managed endpoint protection, email filtering, backups, and training against the AU$56,600 average cost of one incident, or the far larger cost of a week offline from ransomware. Framed that way, the basics are some of the cheapest insurance a business can buy. The expensive mistake is spending nothing and discovering the gap the hard way.

Where should a small business start?

Start by turning on MFA everywhere today, then work through the rest in order of risk. MFA is the single highest-impact, lowest-cost control, so there is no reason to wait on it.

After that, make sure every device has managed protection, your email is filtered, your backups are tested (not just running), and your staff have had real training. If you want a structured way to know where you stand, the ACSC’s Essential Eight is the benchmark, and a cyber security audit measures you against it and hands you a prioritised list.

For most Sydney SMEs the sensible path is to get the fundamentals running as part of managed IT security, so they stay maintained rather than decaying the moment they are set up. The worst position is the common one: a few controls bought years ago, never reviewed, quietly out of date.

Frequently asked questions

Is my small business really at risk if we have nothing worth stealing?

Yes. Even if you think you hold nothing valuable, you have money, customer data, and email accounts that can be used to attack others. Most attacks are automated and do not care who you are. Ransomware in particular does not need your data to be valuable to anyone but you, because you are the one who has to pay to get it back.

Do I need to hire someone for cyber security?

No. Most SMEs get better, more affordable protection by using a managed IT provider than by hiring, because the cost of tooling and monitoring is shared across many clients. You get specialist capability without a specialist salary.

What is the single most important thing to do first?

Turn on multi-factor authentication across every account, starting with email and any remote access. It is quick, cheap, and blocks the most common attack route. If you do only one thing this week, do that.

How do I know if my current setup is any good?

A cyber security audit measures your real posture against the Essential Eight and gives you a prioritised list of gaps. It is the cheapest way to replace a vague worry with a clear answer, and it stops you spending money on the wrong things.

If you are a Sydney small business and you are not confident the five fundamentals are all in place, that is worth half an hour to check. We help SMEs get the basics right and keep them right through managed IT security, and we

What Is SIEM? A Plain-English Guide for SMEs

June 8, 2026

SIEM stands for security information and event management: software that collects logs and events from across your systems, correlates them, and raises alerts when the combined picture looks like an attack. Think of it as the central nervous system for security monitoring, pulling signals from many sources into one place so threats that would be invisible in isolation become obvious together. For most SMEs, SIEM is something you consume through a managed service rather than run yourself.

Key facts

- SIEM aggregates logs and events from endpoints, servers, identities, firewalls, and cloud services into one place.
- Its value is correlation: spotting a pattern across sources that no single log would reveal on its own.
- A SIEM on its own only generates alerts; the value comes from people acting on them, which is where managed services and SOCs come in.
- The ACSC lists event logging among its top recommended actions, and SIEM is how logging becomes useful at scale.
- Most SMEs access SIEM capability through managed detection and response rather than building and staffing their own.

What is SIEM, and what does it actually do?

SIEM is software that gathers security-relevant data from across your environment and analyses it centrally to detect threats. Every system you run (laptops, servers, Microsoft 365, firewalls) generates logs. On their own, those logs are scattered, voluminous, and unread. SIEM pulls them together and looks for the patterns that matter.

The real power is correlation. A single failed login means nothing. A failed login in Sydney followed by a successful one from overseas two minutes later, then a mailbox rule that forwards all email to an external address, is an attack in progress, and only a system watching all three sources at once can see it. That is what SIEM does: it turns a flood of disconnected events into a small number of meaningful alerts.

Does a small business need a SIEM?

Most small businesses do not need to run their own SIEM, but they do benefit from the capability, which they get through a managed service. Standing up a SIEM in-house means licensing the platform, tuning it so it does not drown you in false positives, and staffing people to watch it around the clock. For an SME that is rarely justified on its own.

What an SME genuinely needs is the outcome: threats across the whole environment detected and acted on quickly. That outcome is delivered by managed detection and response, which uses SIEM and similar tooling under the hood, run by a monitoring team whose cost is shared across many clients. You get the correlation and the 24/7 eyes without buying, tuning, and staffing the platform yourself. Buying a SIEM and having nobody watch it is one of the more expensive ways to feel secure without being secure.

How is SIEM different from antivirus or a firewall?

Antivirus and firewalls are controls that try to block threats; SIEM is the monitoring layer that watches everything, including those controls, and detects what gets through. They do different jobs. A firewall decides what traffic is allowed in and out. Endpoint protection stops malicious files on a device. SIEM sits above both, collecting their logs alongside everything else and spotting the attacks that no single control noticed.

Put simply, firewalls and antivirus are the locks and walls; SIEM is the alarm system wired to every room. You want both. The controls reduce what gets through, and the monitoring catches whatever does. Relying only on blocking controls leaves you blind to the attacker who is already inside, which is exactly the scenario the ACSC’s “assume compromise” guidance warns about.

How does an SME get SIEM-level monitoring affordably?

An SME gets SIEM-level monitoring affordably by buying it as part of a managed security service rather than building it. The monitoring platform, the tuning, and the analysts who watch it are shared across many businesses, so the per-client cost is a fraction of doing it alone.

In practice this means engaging an MDR service that includes log collection and correlation, so your endpoints, Microsoft 365, and key infrastructure all feed into monitoring that someone is actually watching. The capability is the same one large enterprises pay heavily for; the delivery model is what makes it affordable for a Sydney SME. We fold this into managed IT security so the monitoring connects back to hardening and response rather than sitting in a silo.

Frequently asked questions

What is the difference between SIEM and MDR?

SIEM is the technology that collects and correlates security data. MDR is the managed service that uses SIEM and other tooling, with a human team monitoring and responding 24/7. SIEM without people watching it produces alerts nobody reads; MDR is the people and process that make the technology useful.

Is SIEM only for large enterprises?

Running a SIEM in-house is usually only practical for larger organisations. The capability, however, is valuable at any size, which is why SMEs access it through managed services rather than building their own. The threats SIEM detects do not skip small businesses.

What logs does a SIEM collect?

Typically logs from endpoints, servers, identity systems such as Microsoft 365 or Entra ID, firewalls, and key cloud services. The more relevant sources it sees, the better its correlation, because attacks usually leave traces across several systems rather than just one.

Do we still need endpoint protection if we have SIEM monitoring?

Yes. SIEM detects; it does not block. You still need endpoint protection, email filtering, and firewalls to stop threats, with SIEM watching across all of them to catch what slips through. They are complementary layers, not alternatives.

If you are weighing up whether your Sydney business needs SIEM, the more useful question is usually whether anyone is watching your systems at all, and that is what managed monitoring solves. We are happy to explain how it would work for you as part of managed detection and response.
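The three-source correlation described above (failed sign-in, success from another country minutes later, then an external forwarding rule), as an added example that is not part of the original article or any vendor's product. The log format, field names, tenant domain and time windows are this example's own assumptions, and the log lines are constructed.

```python
"""Toy SIEM-style correlation over constructed log lines.

Each line alone is low signal; the alert fires only when a failed sign-in,
a success from a different country shortly after, and a new inbox rule that
forwards mail outside the tenant line up for the same account, in order.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com.au"        # constructed tenant domain
SIGNIN_WINDOW = timedelta(minutes=10)     # failure -> success from elsewhere
RULE_WINDOW = timedelta(hours=1)          # success -> forwarding rule

# Constructed sample data. Fields mimic what Entra ID sign-in logs and
# Exchange mailbox audit logs would provide once normalised into one store.
SAMPLE_LOG = """\
2026-06-08T09:00:05Z source=signin user=alice@example.com.au action=login_failed country=AU
2026-06-08T09:02:10Z source=signin user=alice@example.com.au action=login_success country=NG
2026-06-08T09:15:40Z source=mailbox user=alice@example.com.au action=inbox_rule_created forward_to=drop@mail-relay.example
2026-06-08T09:01:00Z source=signin user=bob@example.com.au action=login_failed country=AU
2026-06-08T09:01:30Z source=signin user=bob@example.com.au action=login_success country=AU
2026-06-08T10:00:00Z source=mailbox user=carol@example.com.au action=inbox_rule_created forward_to=carol.home@example.net
"""


@dataclass
class Event:
    ts: datetime
    source: str
    user: str
    action: str
    attrs: dict = field(default_factory=dict)   # remaining key=value fields


def parse_line(line: str) -> Event:
    """Parse 'ISO8601 key=value key=value ...' into an Event."""
    ts_text, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, kv.pop("source"), kv.pop("user"), kv.pop("action"), kv)


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_external(address: str) -> bool:
    """Forwarding to anything outside the tenant domain is the risky case."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def correlate(events: list[Event]) -> list[dict]:
    """Return one alert per (failure, success, rule) chain on the same account."""
    by_user: dict[str, list[Event]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        failures = [e for e in evs if e.action == "login_failed"]
        successes = [e for e in evs if e.action == "login_success"]
        rules = [e for e in evs if e.action == "inbox_rule_created"]
        for fail in failures:
            for ok in successes:
                # Stage 2: a success inside the window, from a different country.
                if not (fail.ts < ok.ts <= fail.ts + SIGNIN_WINDOW):
                    continue
                if ok.attrs.get("country") == fail.attrs.get("country"):
                    continue   # same country: a mistyped password, not travel
                for rule in rules:
                    # Stage 3: an external forwarding rule soon after the success.
                    if not (ok.ts < rule.ts <= ok.ts + RULE_WINDOW):
                        continue
                    if not is_external(rule.attrs.get("forward_to", "")):
                        continue
                    alerts.append({
                        "user": user,
                        "failed_from": fail.attrs.get("country"),
                        "success_from": ok.attrs.get("country"),
                        "forward_to": rule.attrs.get("forward_to"),
                        "span_minutes": round((rule.ts - fail.ts).total_seconds() / 60, 1),
                    })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['user']}: failed from {a['failed_from']}, success from "
              f"{a['success_from']}, forwarding to {a['forward_to']} "
              f"within {a['span_minutes']} min")
```

On the sample data only alice's chain fires: bob's failure and success are both from AU, and carol's rule has no sign-in anomaly before it, so each stays a low-signal event rather than an alert.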

What Is Zero Trust? A Guide for Australian SMEs

June 8, 2026

Zero trust is a security approach built on one blunt principle: never automatically trust anything, inside or outside your network, and verify every request before granting access. Instead of assuming that being on the office network makes you safe, zero trust checks who you are, what device you are on, and whether the request makes sense, every time. For Australian SMEs it is less a product to buy than a direction to move in, and most of the building blocks are already in Microsoft 365.

Key facts

- Zero trust replaces “trust everything inside the network” with “verify every request, every time”.
- Its core principles are verify explicitly, use least-privilege access, and assume breach.
- It is a model and a journey, not a single product you install.
- For most SMEs, the practical foundations are MFA, conditional access, and least-privilege admin rights, much of which ships with Microsoft 365.
- The ACSC’s standing advice to “assume compromise” is the same instinct that drives zero trust.

What does zero trust actually mean?

Zero trust means no user, device, or connection is trusted by default, and every access request is verified on its merits before it is allowed. The name is literal: the system starts from zero trust and grants access only when the request proves itself.

This is a deliberate break from the old model, which treated the network like a castle: a hard wall around the outside, and free movement once you were in. That worked when everyone sat in one office on one network. It falls apart the moment staff work from home, use cloud apps, and connect from personal devices, because the “inside” is now everywhere and the wall has gaps all over it. Zero trust assumes the attacker may already be inside and checks every door regardless.

What are the core principles of zero trust?

Zero trust rests on three principles: verify explicitly, use least-privilege access, and assume breach. Each one translates into practical settings an SME can actually apply.

Verify explicitly means authenticating and authorising every request based on all available signals: identity, device health, location, and behaviour. In practice that is MFA plus conditional access. Least-privilege access means giving people only the access they need to do their job, and nothing more, so a compromised account cannot reach everything. Assume breach means designing as if an attacker is already in, which leads to segmenting access, monitoring continuously, and limiting how far any single compromise can spread. That last principle is exactly the ACSC’s “assume compromise” advice in different words.

How does an SME move toward zero trust without a huge project?

An SME moves toward zero trust by tightening identity first, because identity is where most of the value is and most of the tooling already exists. You do not need to rip anything out or buy a platform with “zero trust” on the box. You need to use what you have well.

The sensible order looks like this.

1. Turn on MFA everywhere.
2. Add conditional access so sign-ins are judged on device and location, not just password.
3. Strip back admin rights to least privilege and remove standing access nobody uses.
4. Make sure devices are managed and healthy before they get access to company data.

If you run Microsoft 365 Business Premium, you already own most of the controls to do all of this, which is the point we make to Sydney clients constantly: zero trust for an SME is mostly configuration discipline, not new spend. We bring these controls together as part of managed IT security.

Is zero trust overkill for a small business?

No, because the principles scale down cleanly and the threats apply regardless of size. A 10-person firm does not need an enterprise zero-trust architecture, but it absolutely benefits from MFA, conditional access, and least privilege, which are zero trust in practice.

The mistake is treating zero trust as an all-or-nothing enterprise programme. It is a direction. Every step you take, every default trust you remove, reduces how far an attacker gets if they compromise one account or device. For a small business, even reaching the identity-first foundations puts you ahead of most of your peers and closes the routes attackers use most.

Frequently asked questions

Is zero trust a product I can buy?

No. Zero trust is a security model, not a single product. Vendors sell tools that help you implement it, but you cannot buy “zero trust” off the shelf. For most SMEs the journey is configuring identity, access, and device controls you already have, mainly within Microsoft 365.

What is the difference between zero trust and a VPN?

A traditional VPN extends your trusted network to a remote user, which is the opposite of zero trust: once connected, the user is often trusted broadly. Zero trust verifies each request to each resource regardless of how the user connected, granting access app by app rather than handing over the whole network.

Where should an SME start with zero trust?

Start with identity: MFA on every account, then conditional access, then least-privilege admin rights. Identity is where most attacks land and where the biggest, cheapest wins are. Device and network controls follow once the identity foundation is solid.

Do we need to replace our systems to adopt zero trust?

Usually not. Most SMEs can make strong progress by configuring tools they already own, particularly Microsoft 365. Zero trust is far more about how access is granted and verified than about buying new infrastructure.

If you want to move your Sydney business toward zero trust without turning it into a year-long project, the identity-first foundations are the place to start, and you may already own the tools. We are happy to map out a sensible path as part of managed IT security.

About the author

Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across

What Is Multi-Factor Authentication (MFA)?

June 8, 2026

Multi-factor authentication (MFA) is a sign-in method that asks for more than just a password, usually a code or a tap on your phone, so a stolen password alone is not enough to get into your account. It is the single most effective security control most Australian SMEs can turn on, and Microsoft’s own research shows it blocks more than 99.2 per cent of account compromise attacks. If you do nothing else on this page, the takeaway is simple: turn MFA on everywhere you can.

Key facts

- MFA requires two or more proofs of identity: something you know (password), something you have (phone or key), or something you are (fingerprint or face).
- Microsoft research shows MFA blocks more than 99.2 per cent of account compromise attacks.
- Microsoft now enforces mandatory MFA for sign-in to the Azure portal and Microsoft 365 admin centre, rolled out through 2024 and 2025.
- Not all MFA is equal: an authenticator app or passkey is significantly stronger than an SMS code.
- Cyber insurers now routinely require MFA before they will quote or renew a policy.

What is multi-factor authentication, in plain English?

Multi-factor authentication means proving who you are with at least two different types of evidence, so that compromising one does not hand over your account. The classic three categories are something you know (a password or PIN), something you have (a phone running an authenticator app, or a physical security key), and something you are (a fingerprint or face scan).

In everyday use it looks like this: you enter your password as usual, then approve a prompt in an app on your phone or type in a short code. The password is the factor attackers can steal in bulk through phishing and data breaches. The second factor is the one they almost never have, because it lives on a device in your pocket. That is the whole idea: make a stolen password useless on its own.

Why is MFA the most important control for an SME?

MFA matters more than almost anything else because stolen passwords are the most common way SMEs get breached, and MFA neutralises them. Attackers buy leaked credentials in bulk, guess weak passwords with automated tools, and phish them out of unsuspecting staff. Every one of those routes ends at a login screen, and MFA is the wall waiting there.

The Microsoft figure, that MFA blocks more than 99.2 per cent of account compromise attacks, is striking precisely because the control is so cheap and quick to turn on. There is almost no other security measure with that ratio of effort to protection. When we onboard a new Sydney client, enabling MFA across Microsoft 365 is one of the very first things we do, because it closes the most common door before we do anything else. (It is also one of the eight controls in the ACSC’s Essential Eight, for the same reason.)

Is all MFA equally secure?

No. MFA is far better than no MFA, but the method matters, and SMS text-message codes are the weakest common option. SMS can be intercepted or redirected through SIM-swapping, and attackers have tools to trick users into handing over codes in real time. It still beats a password alone, but it is the floor, not the goal.

An authenticator app (such as Microsoft Authenticator) is stronger, especially with number-matching that makes blind approval harder. Stronger still are passkeys and hardware security keys, which are resistant to phishing because they will not authenticate to a fake site at all. For most SMEs, moving staff from SMS to an authenticator app, then to passkeys where practical, is the sensible progression. We covered the move toward passwordless sign-in in our guide to passkeys for Australian SMEs.

How does an SME roll out MFA without chaos?

A clean MFA rollout comes down to planning the order, communicating early, and using conditional access so the prompts are sensible rather than constant. The technical switch is easy; the friction is human, and it is entirely manageable with a bit of preparation.

In practice we start by enabling MFA for administrators immediately, because those accounts are the highest-value targets. Then we roll it out to all staff with clear instructions and a short window to enrol, set up the Microsoft Authenticator app rather than SMS, and use conditional access so trusted situations do not trigger a prompt every five minutes. Done this way, a rollout across a typical Sydney SME is a quiet few days, not a revolt. The most common mistake we see is leaving a handful of accounts exempt “just for now”, because those exemptions are exactly what gets exploited later.

Frequently asked questions

Is two-factor authentication (2FA) the same as MFA?

Effectively yes. Two-factor authentication is MFA with exactly two factors. MFA is the broader term covering two or more. In day-to-day business use the words are used interchangeably, and for most SMEs two well-chosen factors is the practical standard.

What happens if a staff member loses their phone?

They use a backup method or get their MFA reset by an administrator after verifying their identity. This is why setting up more than one method, and having a clear reset process, matters. It is a routine helpdesk task, not a crisis, when the setup is done properly.

Does MFA slow staff down?

Barely, when it is configured well. With conditional access, staff are not prompted constantly from trusted devices and locations; they approve a prompt occasionally rather than every login. The few seconds it costs are trivial against the protection it provides.

Is MFA required for cyber insurance in Australia?

Increasingly, yes. Most insurers now ask whether MFA is in place across email and remote access before they will quote or renew, and some will decline cover without it. Honest answers matter here, because a claim can be challenged if the controls described in the application were not actually in place.

If you are

Phishing simulation for Australian SMEs: how to set up a programme that actually works

June 4, 2026

A phishing simulation is a controlled exercise where a business sends realistic-looking but harmless phishing emails to its own staff to measure how many people click suspicious links, enter credentials into fake login pages, or download attachments they shouldn’t. It’s a behavioural test of the human layer of cybersecurity, run continuously rather than as a one-off, and tied directly to targeted training for the staff who get caught.

For Australian SMEs in 2026, phishing remains the single most successful initial-access technique used by attackers. Multi-factor authentication, endpoint protection, and email filtering all help, but a meaningful share of incidents still start with a staff member clicking something they shouldn’t have. Phishing simulation is the discipline that systematically reduces that share over time.

This guide explains how simulations actually work, what they cost, which tools are commonly used in the Australian market, and how to set up a programme that delivers measurable behavioural change rather than just compliance theatre.

Key facts

- A phishing simulation sends staged phishing emails to staff under controlled conditions to measure click rates, credential-entry rates, and reporting behaviour.
- For Australian SMEs, phishing simulation tools cost AU$3 to AU$8 per user per month ex GST when run continuously, depending on the platform and the training content included.
- The major phishing simulation platforms used in Australia include KnowBe4, Proofpoint Security Awareness, Microsoft Defender for Office 365 Attack Simulation Training, and Hoxhunt.
- A new phishing simulation programme typically shows a 60 to 80 percent reduction in click rates over the first 6 to 12 months, then plateaus at a sustained baseline.
- The right success metric is not click rate alone but reporting rate. A workforce that reports 40 percent of simulated phishing emails is meaningfully safer than one that clicks 5 percent and ignores the rest.
- Phishing simulation works best as one component of a broader security awareness programme, not as a standalone control.

What does a phishing simulation actually do?

A phishing simulation programme runs in a continuous cycle. The platform sends realistic phishing emails to staff on a regular schedule (typically every 2 to 4 weeks for each staff member, rotated so the entire workforce gets tested across a quarter). The emails are designed to look like genuine phishing attempts: fake password reset notices, fake invoice notifications, fake delivery alerts, fake internal communications from leadership.

When a staff member clicks a link in a simulation email, the platform records the click and either lands them on an immediate “this was a test” training page, or proceeds to a fake login page that records the credentials they enter. The credentials aren’t actually captured for malicious use; they’re recorded as a behavioural signal. After the click, the staff member is presented with short targeted training explaining what they missed and how to recognise the next attempt.

The platform also tracks two other behaviours alongside clicks: did the staff member report the email as suspicious (using a “report phish” button in their email client), and how quickly did they report it. Reporting behaviour is the leading indicator of a security-aware workforce, more so than the absence of clicks. A staff member who reports a sophisticated phishing email in 30 seconds is more valuable to the business’s security posture than one who simply never clicks.

How is a phishing simulation different from generic cyber awareness training?

Cyber awareness training is the content layer (videos, quizzes, modules) that teaches staff the principles of cyber hygiene. Phishing simulation is the behavioural layer that tests whether the training actually changed how staff respond to real-looking threats. The two are complementary, not interchangeable.

Generic awareness training without simulation tends to underperform for a predictable reason: people pass the quiz, then return to their inbox and click the next phishing email regardless. The training measures comprehension; comprehension doesn’t always translate to behaviour. Phishing simulation measures the behaviour directly and surfaces the gap between what people know and what they actually do.

The strongest programmes combine both. Initial cyber awareness training establishes the baseline knowledge. Continuous phishing simulation tests and reinforces the behaviour. When a staff member clicks a simulated phishing email, the just-in-time training they receive is specifically targeted to the technique that fooled them, which is several times more effective than generic training delivered before any specific failure has happened.

What does phishing simulation cost for an Australian SME?

Phishing simulation platforms typically charge per user per month, with the price varying based on the platform tier, the amount of training content included, and whether the platform includes additional features like email filtering or threat intelligence. For a 30 to 100 staff Australian SME, typical pricing in 2026 ranges from AU$3 to AU$8 per user per month ex GST. The lower end is generally what KnowBe4’s basic tier or Hoxhunt’s introductory pricing delivers for a small business. The higher end reflects Proofpoint’s Enterprise tier or platforms that bundle additional security capabilities. Microsoft Defender for Office 365 Attack Simulation Training is included in Microsoft 365 E5 and Defender for Office 365 Plan 2 licences, which means many businesses already on those licences have the capability without additional cost.

The implementation cost is usually small, AU$2,000 to AU$5,000 for an initial setup engagement with a managed services partner if the business doesn’t self-implement. The setup work covers integrating the platform with the email system, configuring the simulation campaigns, setting up the reporting button in Outlook or Gmail, and initial baseline training for staff. After that, ongoing operation can be self-managed or co-managed depending on the SME’s internal capacity.

For most Australian SMEs we work with, the combined first-year cost (licensing plus implementation) for a 30-person business lands at AU$3,000 to AU$6,000. Subsequent years drop to the licensing cost only, typically AU$1,200 to AU$2,800 per year for the same business. Compared to the cost of a single successful phishing-driven incident (typically tens to hundreds of thousands of dollars

Endpoint Detection and Response (EDR) explained: a guide for Australian SMEs

Insights & News Endpoint Detection and Response (EDR) explained: a guide for Australian SMEs June 2, 2026 Endpoint detection and response (EDR) is a category of security software that monitors laptops, desktops, and servers in real time, looking for the patterns that indicate a cyber attack in progress. Unlike traditional antivirus, which checks files against a list of known threats, EDR watches what programs actually do and flags suspicious behaviour even when the software responsible has never been seen before. For Australian SMEs in 2026, EDR has shifted from a nice-to-have to an expected baseline control. Cyber insurance underwriters now ask for it. Microsoft, Sophos, CrowdStrike, and SentinelOne all sell business-grade EDR at SME-accessible price points. This guide explains what EDR actually does, how it differs from antivirus, what to look for in an EDR product, and how it fits with managed detection and response (MDR) for businesses that don’t have a 24/7 security team. Key facts EDR (endpoint detection and response) is behaviour-based security software that watches what programs do on a device, not just what files look like. EDR catches threats that traditional antivirus misses: fileless attacks, living-off-the-land techniques, novel malware, and lateral movement after a phishing compromise. Business-grade EDR for Australian SMEs typically costs AU$10 to AU$30 per endpoint per month ex GST, depending on the product and whether managed response is included. MDR (managed detection and response) layers a 24/7 security operations team on top of EDR, taking action on alerts the SME’s internal team would otherwise have to handle. Cyber insurance underwriters in Australia now commonly require EDR (or specifically next-gen antivirus with behavioural capabilities) as a precondition for coverage. The ACSC Essential Eight does not name EDR directly, but achieving Maturity Level 2 across the eight controls effectively requires EDR-class capability. 
What is endpoint detection and response (EDR)?

EDR is the generational shift from signature-based antivirus to behaviour-based threat detection. Traditional antivirus works by maintaining a database of known malicious files (signatures) and checking every file on the device against that database. If a file matches a known signature, the antivirus blocks or quarantines it. The model worked well in the 1990s and 2000s when malware was a relatively small set of identifiable files. It works poorly in 2026 when modern attacks rarely involve files that look obviously malicious.

EDR takes a different approach. Instead of asking “is this file on the bad list”, it asks “is this program doing something a legitimate program shouldn’t do”. A Microsoft Word process that starts a PowerShell session, downloads a script from the internet, and tries to encrypt the user’s documents is doing something Word should never do, even if every file involved looks technically clean. EDR sees the behaviour pattern and stops it.

The “response” half of EDR is the action taken when something suspicious is detected. EDR products can quarantine the affected device automatically, kill the malicious process, roll back changes the process made, and alert security analysts. The level of automated response varies by product and configuration, with more aggressive automation reducing time-to-contain but increasing the risk of disrupting legitimate work.

How is EDR different from antivirus?

The simplest way to think about it: antivirus is reactive (block known threats), EDR is proactive (detect unknown threats by behaviour). Most modern security products marketed as antivirus are actually hybrid products that include both capabilities, but the underlying distinction matters because it tells you what the product actually catches.
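The Word-starts-PowerShell chain described above is exactly the parent/child relationship a behavioural engine keys on. What follows is an added example written for this page, not 4iT’s code and not any EDR vendor’s detection content: a small behaviour-based detector run over constructed endpoint telemetry. It goes a little beyond the Word example by also flagging mass file modification by a single process and Remote Desktop connections to hosts a user has never used, and each alert carries the process ancestry chain, the kind of forensic detail a file list cannot give you. The event fields, rule names, thresholds and the per-user RDP baseline are all assumptions made for the demo.

```javascript
// Added example for this page (not 4iT's code or any EDR vendor's detection
// content): a toy behaviour-based detector over constructed endpoint telemetry.
// Event fields, rule names, thresholds and the RDP baseline are assumptions
// made for the demo; real EDR telemetry is far richer than this.

const OFFICE_APPS = new Set(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
const SCRIPT_HOSTS = new Set(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
const MASS_WRITE_THRESHOLD = 5; // this many file writes by one process ...
const MASS_WRITE_WINDOW = 60;   // ... inside this many seconds (ts is in seconds)

// Constructed sample telemetry from one workstation: a benign admin shell, a Word
// document that launches PowerShell which fetches something and rewrites documents,
// and an RDP hop to a server the user has never connected to before.
const SAMPLE_EVENTS = [
  { ts: 0,  type: "process_start", pid: 4,   ppid: 0,   image: "system",         user: "SYSTEM" },
  { ts: 1,  type: "process_start", pid: 100, ppid: 4,   image: "explorer.exe",   user: "alice" },
  { ts: 2,  type: "process_start", pid: 110, ppid: 100, image: "cmd.exe",        user: "alice" },
  { ts: 3,  type: "process_start", pid: 111, ppid: 110, image: "powershell.exe", user: "alice" },
  { ts: 4,  type: "file_write",    pid: 111, path: "C:\\scripts\\report.csv" },
  { ts: 10, type: "process_start", pid: 200, ppid: 100, image: "winword.exe",    user: "alice" },
  { ts: 11, type: "process_start", pid: 300, ppid: 200, image: "powershell.exe", user: "alice" },
  { ts: 12, type: "network_connect", pid: 300, dest: "203.0.113.7:443" },
  { ts: 13, type: "file_write",    pid: 300, path: "C:\\Users\\alice\\Documents\\q1.docx" },
  { ts: 14, type: "file_write",    pid: 300, path: "C:\\Users\\alice\\Documents\\q2.docx" },
  { ts: 15, type: "file_write",    pid: 300, path: "C:\\Users\\alice\\Documents\\q3.docx" },
  { ts: 16, type: "file_write",    pid: 300, path: "C:\\Users\\alice\\Documents\\q4.docx" },
  { ts: 17, type: "file_write",    pid: 300, path: "C:\\Users\\alice\\Documents\\q5.docx" },
  { ts: 20, type: "process_start", pid: 400, ppid: 100, image: "mstsc.exe",      user: "alice" },
  { ts: 21, type: "network_connect", pid: 400, dest: "10.0.0.9:3389" },
  { ts: 22, type: "network_connect", pid: 400, dest: "10.0.0.50:3389" },
];

// Constructed baseline: hosts each user is already known to RDP to.
const RDP_BASELINE = { alice: new Set(["10.0.0.9"]) };

// Index process_start events by pid so any later event can be tied back to its process.
function buildProcessTree(events) {
  const procs = new Map();
  for (const e of events) if (e.type === "process_start") procs.set(e.pid, e);
  return procs;
}

// Walk parent pointers to produce the ancestry chain (root first) for forensics.
function ancestry(procs, pid) {
  const chain = [];
  let cur = procs.get(pid);
  while (cur && chain.length < 16) {
    chain.unshift(cur.image);
    cur = procs.get(cur.ppid);
  }
  return chain;
}

function detect(events, rdpBaseline) {
  const procs = buildProcessTree(events);
  const alerts = [];

  // Rule 1: an Office application spawning a script host (the Word -> PowerShell pattern).
  for (const e of events) {
    if (e.type !== "process_start") continue;
    const parent = procs.get(e.ppid);
    if (parent && OFFICE_APPS.has(parent.image) && SCRIPT_HOSTS.has(e.image)) {
      alerts.push({ rule: "office_spawns_script_host", pid: e.pid, chain: ancestry(procs, e.pid) });
    }
  }

  // Rule 2: many file writes by one process inside a short window (ransomware-like).
  const writesByPid = new Map();
  for (const e of events) {
    if (e.type !== "file_write") continue;
    if (!writesByPid.has(e.pid)) writesByPid.set(e.pid, []);
    writesByPid.get(e.pid).push(e.ts);
  }
  for (const [pid, times] of writesByPid) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > MASS_WRITE_WINDOW) start++;
      if (end - start + 1 >= MASS_WRITE_THRESHOLD) {
        alerts.push({ rule: "mass_file_modification", pid, count: end - start + 1, chain: ancestry(procs, pid) });
        break;
      }
    }
  }

  // Rule 3: Remote Desktop to a host this user has never been seen connecting to.
  for (const e of events) {
    if (e.type !== "network_connect" || !e.dest.endsWith(":3389")) continue;
    const proc = procs.get(e.pid);
    const user = proc ? proc.user : "unknown";
    const target = e.dest.split(":")[0];
    const known = rdpBaseline[user] || new Set();
    if (!known.has(target)) {
      alerts.push({ rule: "rdp_to_unseen_host", user, target, chain: ancestry(procs, e.pid) });
    }
  }
  return alerts;
}

console.log(JSON.stringify(detect(SAMPLE_EVENTS, RDP_BASELINE), null, 2));
```

Run as-is it prints three alerts: the Word-to-PowerShell chain (with explorer.exe and system above it), the five-document rewrite by the same PowerShell process, and the RDP connection to 10.0.0.50. The administrator’s PowerShell under cmd.exe produces nothing, which is the distinction between routine use of a built-in tool and an anomalous chain that a signature scanner has no way to make.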
Aspect | Traditional antivirus | EDR
Detection method | File signatures against known bad list | Behavioural analysis of running programs
Catches novel malware | Only after signatures are updated | Yes, based on suspicious behaviour
Catches fileless attacks | No (no file to scan) | Yes (watches process behaviour)
Catches living-off-the-land techniques | No (legitimate tools used) | Yes (anomalous use of legitimate tools)
Forensic capability | Minimal (file list) | Extensive (process trees, network connections, timeline)
Storage requirements | Small (signature database) | Larger (behavioural telemetry)
Typical cost per endpoint | AU$3 to AU$8 per month | AU$10 to AU$30 per month
Suits | Almost no SME alone in 2026 | Every SME running business-critical workloads

The honest commercial picture in 2026: standalone traditional antivirus is no longer sufficient for any Australian business handling customer data or running business-critical workloads. The price difference between basic antivirus and EDR has narrowed enough that the cost case for sticking with signature-only protection has effectively disappeared.

What does EDR catch that antivirus misses?

Four attack patterns explain most of what EDR detects and antivirus misses. Understanding them is the easiest way to see why EDR has become the baseline expectation.

Fileless attacks. An increasing share of modern attacks doesn’t drop a malicious file to disk at all. The attack code runs entirely in memory, often inside a legitimate process the user already trusts (PowerShell, Microsoft Office macros, browser memory). Antivirus has nothing to scan because there’s no file. EDR sees the anomalous behaviour of the process and responds.

Living-off-the-land techniques. Attackers increasingly use tools that are already installed on the target system: PowerShell, Windows Management Instrumentation, Microsoft Sysinternals utilities. These tools are legitimate and present on every Windows system. Antivirus can’t block them without breaking Windows. EDR distinguishes between routine administrative use of these tools and anomalous patterns that suggest an attacker is using them for reconnaissance or lateral movement.

Novel malware. Ransomware groups now generate unique malware variants for each campaign, sometimes for each victim. Signature-based antivirus cannot keep pace with the volume of new variants. EDR detects the encryption behaviour, the privilege escalation, the lateral movement, regardless of which specific malware variant is involved.

Lateral movement after initial compromise. The vast majority of significant breaches involve a successful initial compromise (often phishing) followed by attacker movement through the environment. The initial compromise might be just a credential theft, with no malware involved. EDR sees the subsequent behavioural patterns (Remote Desktop connections to systems the user has never accessed, mass file access patterns, suspicious authentication attempts) and raises alerts that surface the broader campaign before encryption or exfiltration begins.

What is MDR (managed detection

The ASD Essential Eight for Australian SMEs: a practical 2026 guide

May 4, 2026

The Australian Signals Directorate’s Essential Eight is the country’s de facto baseline cybersecurity maturity standard. It defines eight technical controls that mitigate the most common cyber attacks against Australian organisations, with three maturity levels from “starting point” to “advanced.” For Australian SMEs, hitting Maturity Level 1 across all eight controls typically requires moderate investment and addresses the bulk of practical cyber risk. Maturity Level 1 is also increasingly the threshold at which cyber insurance becomes available at reasonable rates and government and large enterprise contracts become winnable.

Key facts

- The Essential Eight is published by the Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) and is freely available at cyber.gov.au.
- Three maturity levels: ML1 (mitigates adversaries with basic capabilities), ML2 (mitigates adversaries with moderate capabilities), ML3 (mitigates state-sponsored adversaries). ML1 is the baseline expectation for most Australian SMEs in 2026.
- The eight controls: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, regular backups.
- Federal government non-corporate Commonwealth entities are required to implement Maturity Level 2 as a minimum.
- Most Australian cyber insurers and large enterprise customers reference Essential Eight in their vendor due diligence processes.

What is the Essential Eight?

The Essential Eight is a set of eight prioritised mitigation strategies developed by the ASD’s Australian Cyber Security Centre. The strategies were originally distilled from the Top 35 Strategies to Mitigate Cyber Security Incidents and represent the controls ASD considers most effective against common cyber attack patterns.

The Essential Eight was originally published in 2017 and has been refined multiple times since, including the introduction of the Maturity Model in 2018 and significant revisions through 2022 and 2023 to address contemporary threats. The current version focuses on Microsoft Windows-based environments, though most controls have direct equivalents in Mac, Linux, and cloud-native contexts.

The eight controls cover three categories: prevent malicious code execution (application control, patch applications, configure macros, user application hardening), limit the extent of incidents (restrict admin privileges, patch operating systems, MFA), and recover data and system availability (regular backups). Together, they address the most common entry points and lateral movement techniques used in real-world attacks.

What are the eight controls?

Each of the eight controls has specific Maturity Level requirements. The summary below covers what ML1 looks like for an Australian SME.

1. Application control. Block executable files, software libraries, scripts, installers, compiled HTML, HTML applications, and control panel applets from running on workstations and servers. ML1 typically uses Microsoft AppLocker, Windows Defender Application Control, or third-party tools like AirLock or ThreatLocker.

2. Patch applications. Identify missing patches and update applications, particularly internet-facing ones, within strict timeframes. ML1 requires patching exploitable vulnerabilities in internet-facing applications within two weeks (or 48 hours if exploit code exists), and other applications within one month.

3. Configure Microsoft Office macro settings. Block macros from the internet, validate macros only from trusted locations, and disable macros for users that don’t need them. Macro-based attacks remain a significant vector, particularly for Australian SMEs where Microsoft Office is ubiquitous.

4. User application hardening. Web browsers configured to block ads, Java, Flash (now legacy), and unnecessary features that introduce risk. Microsoft Office configured to block OLE packages and similar high-risk content. PDF readers configured to block JavaScript.

5. Restrict administrative privileges. Privileged accounts limited to specific tasks, separated from user accounts, with strong authentication. Domain admins shouldn’t browse the web or read email. Standard users shouldn’t have local admin rights on their workstations.

6. Patch operating systems. Same approach as patching applications: identify, test, and apply OS patches within strict timeframes based on severity and exploit availability. For SMEs, Microsoft Intune or Windows Autopatch handles this for managed Windows fleets.

7. Multi-factor authentication. MFA on remote access (VPN, RDP), privileged accounts, important data repositories, and external services accessing sensitive data. ML1 expects MFA on the obvious accounts; ML2 and ML3 expand the scope.

8. Regular backups. Backups of important data, software, and configuration settings; backups stored offline, online, or remotely; backups tested for integrity and accessibility. Recovery testing is the bit most SMEs skip and most regret skipping.

Why does Maturity Level 1 matter for SMEs?

Three reasons.

It’s the practical security floor. An SME at ML1 has addressed the bulk of common cyber attacks. The remaining gap to ML2 and ML3 is mostly diminishing returns for typical SME threat models. ML1 is enough to make your business a substantially harder target than the unhardened SME next door.

Cyber insurance and customer contracts. Most Australian cyber insurers map their underwriting questions to Essential Eight controls. Hitting ML1 typically unlocks reasonable cyber cover at standard premiums; below ML1, cover gets expensive or unavailable. Government and large enterprise customers increasingly require ML1 or ML2 attestation in vendor due diligence.

Regulatory alignment. The Essential Eight aligns with the “reasonable steps” expectation under the Privacy Act’s APP 11. An SME implementing ML1 has documented evidence of technical and organisational measures meeting current security standards, which materially helps if the OAIC investigates after a breach.

What does it actually cost an SME to hit Maturity Level 1?

For most Australian SMEs already on Microsoft 365, the cost is moderate. The bulk of ML1 controls are achievable using tools the organisation already pays for: Microsoft Intune for endpoint management, Microsoft Defender for application control, Microsoft Entra for MFA, Microsoft 365 backup for SaaS data backup. The investment is mostly configuration and process, not new license fees.

For SMEs with mature M365 Business Premium or E3/E5 subscriptions, achieving ML1 typically takes 2-4 months of configuration work, mostly focused on application control rollout, macro policy, OS patching cadence, and user application hardening. Costs are mostly internal time or partner advisory fees, with some hardware refresh for older Windows fleets that don’t support modern controls.

For SMEs not yet on M365 Business Premium or with older or third-party stacks, the investment is higher: M365

Passkeys for Australian SMEs: a practical 2026 rollout guide

May 4, 2026

Passkeys are FIDO2-based phishing-resistant credentials that replace passwords for sign-in. They’re now mainstream across Microsoft 365, Google Workspace, all major Australian banks, and most enterprise SaaS, and represent a meaningful security upgrade over password+SMS or password+TOTP authentication. For Australian SMEs in 2026, the practical question isn’t whether to adopt passkeys but how to roll them out without breaking the workforce. The straightforward path: enable passkeys alongside existing multi-factor authentication on Microsoft Entra and Google Workspace, train staff to enrol their devices as passkey authenticators, and gradually phase out SMS-based MFA over 6-12 months.

Key facts

- Passkeys are based on FIDO2 / WebAuthn standards and replace passwords with cryptographic keys stored on the user’s device.
- Passkeys are phishing-resistant: a passkey for one site cannot be used on a fake version of that site, unlike passwords or even TOTP codes.
- Microsoft, Google, Apple, and the four major Australian banks all support passkeys as of late 2025.
- Microsoft Entra (formerly Azure AD) supports passkeys for Microsoft 365 sign-in via the Microsoft Authenticator app or hardware keys.
- SMS-based MFA is deprecated in security guidance from ASD, NIST, and most security frameworks; passkeys are the recommended replacement.
- Passkey adoption requires device-level support: iOS 16+, Android 9+, Windows 10/11 with Windows Hello, or macOS Ventura+.

What is a passkey and how is it different from a password?

A passkey is a cryptographic credential pair: a public key registered with the service you’re signing into, and a private key that stays on your device. When you sign in, your device proves it has the private key without ever sending it. There’s no password to type, no code to enter, no shared secret that can be phished.

Passkeys solve the two biggest problems with passwords. They can’t be reused across sites (each passkey is unique to one service), and they can’t be phished by a fake version of the legitimate site (the cryptographic challenge only works against the genuine domain).

From a user perspective, a passkey sign-in looks like Touch ID, Face ID, or a Windows Hello PIN prompt. The user proves they’re physically present with their device, and the device handles the cryptographic conversation with the service. No typing of long random strings, no fishing through SMS messages.

Why are passkeys better than password plus MFA?

Most SMEs in 2026 use password + MFA via SMS, TOTP authenticator app, or push notification. Each of these has known phishing-vulnerable failure modes.

SMS MFA can be phished via real-time relay attacks (the attacker collects the password and SMS code and uses them within seconds), bypassed via SIM swap fraud, or intercepted via SS7 telecom vulnerabilities. ASD’s guidance has discouraged SMS MFA for sensitive accounts since 2022.

TOTP codes from Google Authenticator or similar are phished the same way SMS codes are: a malicious site asks for the password and the code, then uses both immediately on the legitimate service.

Push notifications are slightly better but vulnerable to MFA fatigue attacks (the attacker spams the user with login prompts until the user accidentally approves one). Microsoft introduced number-matching to mitigate this, but it’s still possible.

Passkeys close all of these attack paths. The cryptographic challenge is bound to the legitimate domain, so a phishing site can’t generate a valid prompt. There’s nothing for the user to “type wrong” or accidentally approve. The credential is never transmitted, even encrypted, so SS7 or SIM swap attacks don’t apply. For SMEs with valuable data, the upgrade is genuinely meaningful.

How do you roll out passkeys for a Microsoft 365 SME?

For Microsoft 365 environments (which covers the bulk of Australian SMEs), the rollout sequence is well-defined.

1. Enable passkeys in Microsoft Entra. In the Microsoft Entra admin centre, under Authentication methods, enable Passkey (FIDO2) for the relevant user groups. Microsoft Authenticator can act as a passkey authenticator on iOS and Android devices, and physical FIDO2 keys (YubiKey, Feitian) work for hardware-key scenarios.

2. Pilot with technical staff first. Roll out to IT, security, and one or two engaged users from each business team. They’ll discover the edge cases (legacy applications, third-party SaaS that doesn’t yet support passkeys, devices that fail to enrol) before the broader rollout.

3. Update conditional access policies. Configure Entra Conditional Access to require passkey for high-risk sign-ins, sensitive applications, and admin accounts. Keep password+MFA as a fallback during transition. Once passkey adoption is high, tighten policies to require passkey for the full user population.

4. Communicate and train. Most users adapt quickly to passkeys (it’s easier than passwords once enrolled), but the enrolment moment needs explanation. A 5-10 minute walkthrough video, plus desk-side support during the rollout week, makes the difference between a smooth rollout and a frustrated workforce.

5. Phase out SMS MFA. Once 80%+ of users have enrolled at least one passkey, start the SMS MFA deprecation. Some users will need exceptions (devices that don’t support passkeys, legacy applications), but the goal is to get SMS-based authentication off the standard path within 12 months.

What are the practical challenges of passkey rollout?

Three real-world challenges that catch SMEs off guard.

Cross-device sync. Passkeys can sync across a user’s devices via iCloud Keychain (Apple), Google Password Manager (Android), or Microsoft Authenticator (cross-platform). The challenge is that users mixing ecosystems (iPhone with Windows desktop, or Android with Mac) sometimes have surprising sync gaps. The pragmatic answer is to enrol two passkeys per user, one per primary device, rather than relying on sync.

Shared accounts. Passkeys are designed for individual users, not shared accounts. SMEs that have a shared “info@” or “accounts@” mailbox accessed by multiple staff need to migrate to delegated access (Microsoft 365 shared mailboxes) before rolling out passkeys, or maintain a fallback authentication method for those accounts. Most organisations should be doing this anyway, since shared passwords are a security and audit problem regardless.

Account recovery. If a user loses their passkey-enrolled device and has no backup authenticator, they’re locked out.

Cyber insurance for Australian SMEs in 2026: what insurers expect

April 30, 2026

Australian cyber insurance underwriting has tightened significantly through 2024 and 2025, and most insurers will now decline cover or apply ransomware sub-limits to SMEs that don’t have multi-factor authentication, EDR on every endpoint, immutable backups, and basic Essential Eight maturity. Premiums have stabilised after the 2022-23 spike but cover is more conditional. The “tick-and-flick” application form has been replaced by detailed technical questionnaires and, for higher cover, evidence of controls. SMEs that haven’t invested in security controls increasingly find that cyber insurance is either expensive or unavailable.

Key facts

- Australian cyber insurance premiums increased 50-100%+ between 2021 and 2023, driven by ransomware loss ratios; pricing has stabilised through 2024-2025.
- Most insurers now require MFA on email and admin accounts, EDR on every endpoint, and immutable or offline backups as minimum underwriting conditions.
- Ransomware sub-limits (cover capped well below the policy aggregate) are now common, particularly for SMEs without strong controls.
- War exclusions following Lloyd’s market changes have tightened, with state-sponsored attack scenarios sometimes excluded entirely.
- Reporting under the Cyber Security Act 2024 is now a policy condition for many insurers; non-reporting can void cover.
- Insurers increasingly request third-party security attestations (Essential Eight maturity assessment, ISO 27001, cyber security ratings) for cover above AU$1 million.

What is cyber insurance and what does it cover?

Cyber insurance covers financial losses and third-party liabilities arising from cyber incidents: ransomware, business email compromise, data breaches, business interruption following an attack, regulatory investigation costs, customer notification expenses, and legal liability arising from data exposure. Specific cover varies by policy, but most Australian SME cyber policies include first-party costs (incident response, forensics, business interruption) and third-party liability (claims by customers or regulators).

What cyber insurance typically does not cover: pre-existing breaches not yet discovered, intentional acts by directors and officers, war and terrorism (where excluded), failure to maintain stated security controls (where the application form misrepresented the actual position), and claims arising from countries on sanctions lists.

For Australian SMEs, typical 2026 policy aggregates run from AU$500,000 to AU$5 million for small and mid-market businesses, with annual premiums anywhere from AU$3,000 to AU$50,000+ depending on revenue, sector, controls, and claims history.

Why is cyber insurance harder to get in 2026?

Three forces have reshaped the market over the past four years.

Ransomware loss ratios. Cyber insurers paid out aggressively on ransomware claims in 2020-2022, with global loss ratios in the 70-90% range across multiple years. The market response was inevitable: tighter underwriting, sub-limits on ransomware specifically, premium increases, and refusal to cover applicants without baseline controls.

State-sponsored attribution complexity. Following the 2022 Lloyd’s market bulletin requiring revised war exclusions, most insurers tightened the language around state-sponsored attacks. The practical effect is that some major incidents that would have been covered in 2020 may now fall in the war exclusion, particularly if attribution to a state actor or state-sponsored group is established.

Evidence-based underwriting. Insurers learned that application forms self-attesting to security controls didn’t predict claims accurately. The current generation of underwriting uses external security ratings, Essential Eight maturity assessments, and detailed technical questionnaires that are harder to bluff. Several insurers will require external scans of the applicant’s public-facing infrastructure as part of the application.

What controls do cyber insurers require for SMEs in 2026?

The required controls vary by insurer, but a common 2026 baseline for Australian SME cyber cover is:

MFA on email, remote access, and admin accounts. This is universal. No serious insurer will issue cyber cover to an SME without MFA on Microsoft 365 or Google Workspace, on remote access (VPN, RDP, RMM), and on privileged accounts. Some insurers now also require MFA on customer-facing portals and finance system logins.

EDR or next-generation antivirus on every endpoint. Traditional signature-based AV no longer satisfies most underwriting requirements. The expectation is behavioural detection (Sophos Intercept X, Microsoft Defender for Endpoint, SentinelOne, CrowdStrike) rather than signature-based.

Immutable or offline backups. Insurers want evidence that ransomware can’t encrypt or delete the backups. The technical bar is typically immutable backups (Proxmox Backup Server with immutability, Veeam with hardened repositories, cloud backup with object lock) or air-gapped backups, with documented restore testing.

Email security and phishing awareness. Email gateway protection (Mimecast, Microsoft Defender for Office 365), phishing simulation training, and DMARC/DKIM/SPF properly configured. Around 85% of Australian SME cyber incidents start with email.

Patching discipline. Some insurers ask for evidence of patching cadence, particularly for internet-facing systems. Patching critical vulnerabilities within 14 days of vendor release is becoming common as a written requirement.

How does Essential Eight maturity affect cyber insurance?

The ASD Essential Eight has become a useful shorthand for cyber maturity in Australian insurance underwriting. Insurers don’t necessarily require formal Essential Eight assessments, but most ask questions that map directly onto the eight controls: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.

For SMEs, hitting Maturity Level 1 across the Essential Eight typically satisfies most underwriting requirements. Maturity Level 2 (still affordable for an SME) typically improves premium pricing or unlocks higher cover. Maturity Level 3 is largely an enterprise concern but signals strong underwriting.

For SMEs servicing government clients or regulated industries, an Essential Eight maturity assessment is increasingly contractually required, separately from cyber insurance. Doing the assessment once and using it for both insurance and customer due diligence is efficient.

What should an SME do before applying for cyber insurance?

Six practical steps that improve both insurability and security posture.

1. Document your controls before the application form arrives. Insurers ask the same 50-100 questions about MFA coverage, EDR deployment, backup architecture, patching cadence, and incident response plans. Writing these answers down once, accurately, is a one-week project that pays back across multiple insurance applications.

2. Close the obvious gaps before applying. If MFA isn’t on every email account, fix that first. If admin accounts are still using shared passwords, fix that. If

Mandatory ransomware reporting in Australia: what SMEs need to know

April 30, 2026

Australia’s Cyber Security Act 2024 requires businesses with annual turnover of AU$3 million or more to report ransomware payments to the Australian Signals Directorate within 72 hours of paying or being aware that payment has been made. The reporting obligation came into force on 30 May 2025, with civil penalties of up to AU$19,800 for non-reporting. Reports go to ASD via the cyber.gov.au portal and include the entity, the cybercriminal demand, and the payment details. The intent is intelligence sharing, not prosecution of victims.

Key facts

- The Cyber Security Act 2024 received Royal Assent in late November 2024 and the ransomware reporting provisions commenced 30 May 2025.
- The reporting obligation applies to businesses carrying on a business in Australia with annual turnover of AU$3 million or more, plus all entities responsible for critical infrastructure assets.
- Reports must be lodged within 72 hours of making a ransomware payment or becoming aware that one has been made.
- Civil penalty for non-compliance: up to 60 penalty units (~AU$19,800).
- Reports are made via the Australian Signals Directorate at cyber.gov.au, with limited use protections meaning the report can’t be used to prosecute the entity.
- Paying ransoms is not illegal in Australia, but it does create the reporting obligation.

What does the Cyber Security Act 2024 actually require?

The Cyber Security Act 2024 introduces Australia’s first mandatory ransomware payment reporting regime. Where a covered entity makes a ransomware or cyber extortion payment (or where one is made on its behalf), the entity must report the payment to ASD within 72 hours. The report includes the entity’s details, the nature of the demand, the type of cybercriminal involved, the amount paid, and how the payment was made.

The Act sits alongside several other obligations introduced by the same legislation: a national Cyber Incident Review Board, mandatory security standards for smart devices, and limited use protections that prevent ASD from sharing reported information with most regulators for enforcement. The intent is to encourage reporting rather than punish it.

Where the entity makes the payment but isn’t itself the direct victim (for example, a cyber insurer or incident response firm pays on behalf of the insured), the obligation still falls on the entity that benefited from the payment, not the payer. This catches arrangements where the actual policyholder might otherwise hide behind a third party.

Who has to report and who’s exempt?

The reporting obligation applies to two categories. First, businesses carrying on a business in Australia with annual turnover of AU$3 million or more in the previous financial year. Second, entities responsible for critical infrastructure assets under the Security of Critical Infrastructure Act, regardless of turnover.

Most Australian SMEs by count fall under the AU$3 million threshold and are exempt from the reporting obligation. But the exemption is narrower than it sounds. It applies only to ransomware reporting under the Cyber Security Act. Other obligations (Notifiable Data Breaches scheme, Privacy Act, ASIC reporting, banking and financial services rules) apply regardless of turnover and can each create their own reporting triggers.

If your turnover is over AU$3 million, treat the reporting obligation as in scope. If your turnover is close to the threshold, get specific advice rather than guessing, because the way “annual turnover” is defined in the Act includes some related-entity revenue that’s easy to miss.

What happens if you don’t report?

The civil penalty for failing to report a ransomware payment is up to 60 penalty units, currently AU$19,800. The penalty applies to the entity, not individuals, and is enforced by the Department of Home Affairs.

The penalty is deliberately set lower than the cost of paying a ransom in the first place. The Government’s policy logic is that the marginal incentive to report should outweigh the perceived benefit of staying silent. Combined with the limited use protections (ASD cannot share the report with most regulators for enforcement), the legislative design is “report and we won’t use this against you” rather than “report or we’ll punish you harder.”

That said, the reputational and contractual consequences of non-reporting can be material. Customers, insurers, and lenders increasingly require certification that the business is meeting its statutory obligations. Failure to report a ransomware payment can void cyber insurance cover and create disclosure obligations to customers.

What should an SME do before a ransomware incident?

Three things matter, all preventative.

Immutable backups, tested. The single most important defence against ransomware extortion is a backup that the attacker cannot encrypt or delete. We use Proxmox Backup Server with immutability enabled and backup retention policies that survive ransomware actor dwell time of weeks rather than days. The backup is only useful if it’s been tested, ideally with a quarterly restore exercise.

Endpoint Detection and Response (EDR) on every endpoint. Modern ransomware operators are inside networks for an average of two to three weeks before they trigger encryption. EDR catches their behavioural signatures (lateral movement, credential dumping, mass file access) much earlier than traditional antivirus. For SMEs, Sophos Intercept X, Microsoft Defender for Endpoint, or SentinelOne are all reasonable choices.

Multi-factor authentication on everything that matters. Email, remote access, admin accounts, financial systems, document repositories. Roughly 80% of the SME ransomware incidents we see in Sydney start with credentialed access (phishing, password reuse, leaked credentials from other breaches). MFA closes most of those entry points.

What should an SME do during a ransomware incident?

This is when the incident response plan matters. If you don’t have one, the first 24 hours of any incident will be chaos and decisions will be made under pressure that you’ll regret later.

The decisions that need to have been pre-made before an incident hits include: who has authority to take systems offline, who talks to insurance, who notifies customers, who notifies the OAIC, and (for in-scope entities under the Cyber Security Act) who lodges the ASD report. Pre-decided answers save days at exactly the point you don’t have them. During an
