The Australian Cyber Security Centre reports that one in four Australian small businesses experienced a cyber incident in 2025. The average cost of a cyber incident for a small business was over $46,000, and that figure doesn't account for lost productivity, reputational damage, or the time spent recovering.
Most small business cyber incidents are not sophisticated nation-state attacks. They are opportunistic: a staff member clicking a phishing link, a compromised password reused across multiple accounts, or unpatched software with a known vulnerability. The good news is that the basics, done consistently, prevent the vast majority of these incidents.
The Essential Eight for SMEs
The Australian government's Essential Eight framework provides a practical baseline. Three of its eight strategies (multi-factor authentication, patching and backups) are the ones most relevant to small businesses and are listed first. Password management and email security are not Essential Eight strategies, but they close the gaps behind most SME incidents and belong alongside them:
1. Multi-Factor Authentication (MFA)
Enable MFA on every business account: email, accounting software, banking, cloud storage, remote access (VPN or remote desktop), and any system that holds customer data. This single step stops most account-takeover attempts, because a stolen or reused password alone is no longer enough. Prefer a phishing-resistant method (a passkey or FIDO2 security key) or an authenticator app over SMS codes, which can be intercepted through SIM swapping.
2. Regular Software Updates
Apply security patches to all internet-facing software within two weeks of release, and within 48 hours when a working exploit is public; this is the Essential Eight Maturity Level One requirement. Do the same for operating systems, browsers and office suites, and enable automatic updates wherever they are offered. Unpatched software with a known vulnerability is one of the most common entry points, because attackers scan the whole internet for it within days of a patch being released.
3. Regular Backups
Back up critical business data at least daily. Keep at least one copy in a separate location (cloud or offline) that cannot be reached, modified or deleted with the credentials used on your main network, because ransomware operators delete every backup they can find before encrypting. Test your backups quarterly by actually restoring them and checking the restored files, not just by confirming the backup job reported success. A backup that doesn't restore is not a backup.
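A restore test can be scripted rather than done by hand. The following is an added example, not code from the ACSC or from this article: it archives a directory, records a SHA-256 hash of every file, restores the archive into a scratch directory and checks that every file came back intact. The sample data it backs up is constructed inline so the script runs offline; in practice you would point it at a real backup archive and a manifest saved at backup time.

```python
"""Backup round-trip test: archive, restore elsewhere, verify every file's hash.

Added example. The source files below are CONSTRUCTED so the script runs
offline; point create_backup()/restore_and_verify() at real paths in use.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Write a gzip tarball of source_dir and return the manifest taken at that moment."""
    source_dir = Path(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for child in sorted(source_dir.iterdir()):
            tar.add(child, arcname=child.name)
    return manifest(source_dir)


def restore_and_verify(archive_path, expected):
    """Restore into a scratch directory and compare against the saved manifest."""
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # The 'data' filter (Python 3.12+, backported to 3.8.17/3.9.17/
                # 3.10.12/3.11.4) refuses absolute paths and '..' traversal.
                tar.extractall(restore_dir, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(restore_dir)
        restored = manifest(restore_dir)
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    return {"ok": not missing and not corrupted, "missing": missing, "corrupted": corrupted}


def run_demo():
    """Back up a constructed data set, then show what a failed restore test looks like."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2025-01.csv").write_text("id,amount\n1,100\n")
        (src / "customers.db").write_bytes(os.urandom(4096))  # constructed sample file

        archive = Path(work) / "backup.tar.gz"
        expected = create_backup(src, archive)
        good = restore_and_verify(archive, expected)

        # Simulate a backup job that silently skipped a file: the manifest from the
        # last good backup still lists customers.db, so the restore test catches it.
        (src / "customers.db").unlink()
        partial = Path(work) / "partial.tar.gz"
        create_backup(src, partial)
        bad = restore_and_verify(partial, expected)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("complete backup:", good)
    print("partial backup: ", bad)
```

Save the manifest returned by `create_backup` somewhere other than the backup itself (the same attacker who deletes backups would happily delete the manifest), and run `restore_and_verify` on a machine that is not the one being backed up, so the test also proves the backup is reachable from outside your main network.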
4. Strong Password Management
Use a password manager for all business accounts. Every account should have a unique, complex password. Password reuse across accounts is how a single breach cascades into access to multiple systems.
5. Email Security
Publish SPF, DKIM and DMARC records for your business email domain so receiving mail servers can reject mail that pretends to come from you. Start DMARC at p=none to collect reports, confirm that every legitimate sender (your mail provider, invoicing and marketing tools) passes SPF or DKIM, then move the policy to quarantine and finally reject. Train staff to recognise phishing emails and to report them rather than just delete them. Consider an email filtering service that flags suspicious messages before they reach inboxes.
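The most common mistakes with these records are an SPF record ending in `+all` (which lets any host on the internet pass), a DMARC record left at `p=none` forever, and no `rua=` address, so nobody ever sees who is sending as the domain. The following is an added example, not code from the ACSC or this article, that checks a domain's SPF and DMARC records for those weaknesses. The DNS answers are constructed for a hypothetical domain so it runs offline; replace `lookup_txt` with a real TXT query to check your own domain.

```python
"""Offline audit of SPF and DMARC TXT records for common weaknesses.

Added example. The DNS answers below are CONSTRUCTED for a hypothetical
domain; swap lookup_txt() for a real resolver to audit a live domain.
"""

SAMPLE_TXT = {
    "example.com.au": ["v=spf1 include:_spf.protection.outlook.com ~all"],
    "_dmarc.example.com.au": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com.au; pct=100"],
    "weak.example.com.au": ["v=spf1 a mx +all"],
    "_dmarc.weak.example.com.au": ["v=DMARC1; p=none"],
    "nodmarc.example.com.au": ["v=spf1 mx -all"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query (constructed data, no network access)."""
    return SAMPLE_TXT.get(name, [])


def check_spf(domain):
    findings = []
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    if len(records) > 1:
        findings.append("multiple SPF records: RFC 7208 treats this as a permanent error")
    all_term = None
    lookups = 0
    for term in records[0].split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_term = qualifier + "all"
        elif name in LOOKUP_TERMS:
            lookups += 1
    if all_term is None:
        findings.append("SPF has no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_term in ("+all", "?all"):
        findings.append(f"SPF ends in '{all_term}': any host on the internet passes SPF for this domain")
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): evaluation fails with permerror")
    return findings


def check_dmarc(domain):
    findings = []
    records = [r for r in lookup_txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["no DMARC record: receivers have no policy to apply when SPF/DKIM fail"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid 'p=' tag: receivers ignore it")
    elif policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    if "rua" not in tags:
        findings.append("no 'rua=' tag: you will never see aggregate reports of who sends as you")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


def audit(domain):
    """Return SPF and DMARC findings for a domain; empty lists mean nothing was flagged."""
    return {"spf": check_spf(domain), "dmarc": check_dmarc(domain)}


if __name__ == "__main__":
    for d in ("example.com.au", "weak.example.com.au", "nodmarc.example.com.au"):
        print(d)
        for kind, items in audit(d).items():
            for item in items or ["OK"]:
                print(f"  {kind.upper()}: {item}")
```

The checker deliberately does not follow `include:` chains or verify DKIM selectors, since both require live DNS; once the `lookup_txt` stub is replaced with a real resolver, counting lookups recursively through each `include:` is the next thing to add, because exceeding the limit of 10 silently breaks SPF for every message.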
What to Do If Something Goes Wrong
- Isolate affected systems immediately — disconnect from the network.
- Contact your IT provider or the ACSC (1300 CYBER1).
- Preserve evidence — do not wipe or restore systems before they've been assessed.
- Notify affected customers as soon as practicable if their personal data may have been compromised, so they can change passwords and watch for fraud.
- Report to the OAIC under the Notifiable Data Breaches scheme if the breach is likely to result in serious harm to any individual. The scheme expects you to assess a suspected breach within 30 days and to notify the OAIC and affected individuals as soon as practicable once you decide it is notifiable.
Cybersecurity is not a one-time project. It is an ongoing practice. But the basics are not expensive or complicated. They just need to be done consistently.