Cyber Security for Small Business: The Basics
- June 8, 2026
Cyber security for a small business comes down to getting a handful of fundamentals right: multi-factor authentication, managed endpoint protection, email filtering, tested backups, and staff who know how to spot a scam. You do not need an enterprise budget or a security team. You need the basics done properly and kept up to date, because the average cybercrime incident now costs an Australian small business AU$56,600. This guide is the practical starting list.


Key facts
- The average self-reported cost of cybercrime for an Australian small business was AU$56,600 per report in 2024-25, up 14 per cent in a year (ASD).
- ASD's ACSC received over 84,700 cybercrime reports in 2024-25, roughly one every six minutes.
- Most attacks on SMEs are automated and opportunistic, not hand-picked, so being small is no protection.
- Multi-factor authentication blocks more than 99.2 per cent of account compromise attacks (Microsoft).
- The ACSC's Essential Eight is the clearest free checklist of the controls that actually matter.
Why do cyber criminals target small businesses?
Cyber criminals target small businesses because they combine weaker defences with real money and useful data, and most attacks are automated enough that picking on the small fish costs nothing. The image of a hacker hand-selecting a victim is mostly wrong. The reality is automated tools spraying stolen passwords and phishing emails across millions of addresses, and SMEs are caught in the net like everyone else.
The difference is that a large enterprise usually survives an attempt because it has layered defences, while a small business that skipped the basics often does not. Attackers know SMEs are more likely to have one weak password, no MFA, or an unpatched server. The AU$56,600 average cost figure is what happens when one of those gaps gets found. Being too small to bother with is a comforting myth, not a security strategy.
What are the security basics every small business needs?
Every small business needs five fundamentals: multi-factor authentication, managed endpoint protection, email filtering, tested backups, and staff awareness. Get these right and you have closed the doors that the overwhelming majority of attacks come through.
MFA on every account stops stolen passwords cold. Managed endpoint protection defends every device and contains any threat that gets past the other controls. Email filtering keeps most phishing out of inboxes in the first place. Tested backups, ideally immutable, mean ransomware cannot hold you hostage because you can restore. And staff awareness turns your people from the weakest link into a line of defence. None of these is expensive, and most are partly covered if you already run Microsoft 365 Business Premium.
How much should a small business spend on cyber security?
A small business should spend enough to cover the five fundamentals well, which is far less than most owners fear and far less than a single incident costs. Most of the basics are per-user monthly costs that scale with headcount, and a good chunk of the capability is already bundled in Microsoft 365 licences you may hold.
The better way to think about it is risk versus cost. Set the modest monthly cost of MFA, managed endpoint protection, email filtering, backups, and training against the AU$56,600 average cost of one incident, or the far larger cost of a week offline from ransomware. Framed that way, the basics are some of the cheapest insurance a business can buy. The expensive mistake is spending nothing and discovering the gap the hard way.
Where should a small business start?
Start by turning on MFA everywhere today, then work through the rest in order of risk. MFA is the single highest-impact, lowest-cost control, so there is no reason to wait on it. After that, make sure every device has managed protection, your email is filtered, your backups are tested (not just running), and your staff have had real training.
If you want a structured way to know where you stand, the ACSC's Essential Eight is the benchmark, and a cyber security audit measures you against it and hands you a prioritised list. For most Sydney SMEs the sensible path is to get the fundamentals running as part of managed IT security, so they stay maintained rather than decaying the moment they are set up. The worst position is the common one: a few controls bought years ago, never reviewed, quietly out of date.
Frequently asked questions
Is my small business really at risk if we have nothing worth stealing?
Yes. Even if you think you hold nothing valuable, you have money, customer data, and email accounts that can be used to attack others. Most attacks are automated and do not care who you are. Ransomware in particular does not need your data to be valuable to anyone but you, because you are the one who has to pay to get it back.
Do I need to hire someone for cyber security?
No. Most SMEs get better, more affordable protection by using a managed IT provider than by hiring, because the cost of tooling and monitoring is shared across many clients. You get specialist capability without a specialist salary.
What is the single most important thing to do first?
Turn on multi-factor authentication across every account, starting with email and any remote access. It is quick, cheap, and blocks the most common attack route. If you do only one thing this week, do that.
How do I know if my current setup is any good?
A cyber security audit measures your real posture against the Essential Eight and gives you a prioritised list of gaps. It is the cheapest way to replace a vague worry with a clear answer, and it stops you spending money on the wrong things.
If you are a Sydney small business and you are not confident the five fundamentals are all in place, that is worth half an hour to check. We help SMEs get the basics right and keep them right through managed IT security, and we are happy to take a look.


About the author
Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on cybersecurity, Microsoft 365, backup and disaster recovery, and the Essential Eight, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.