
Cybersecurity Basics Every Australian Small Business Needs in 2024

15 November 2024·6 min read

Ransomware. Business email compromise. Data theft. These aren't just problems for large corporations. In fact, small and medium-sized businesses are now the primary target for cybercriminals, precisely because they're seen as easier to compromise than enterprise organisations with dedicated security teams.

The good news: the vast majority of successful attacks on SMBs exploit basic, fixable problems. You don't need a $200,000 security team to stop most threats. You need a handful of controls done properly.

Here are the fundamentals we check on every engagement.


1. Multi-Factor Authentication on Everything

If you do nothing else from this article, do this: turn on multi-factor authentication (MFA) for every account your team uses, especially email.

Business email compromise (BEC) is the most financially damaging cybercrime category in Australia. Attackers compromise an email account, monitor conversations, then redirect payments or request fraudulent transfers. The total amount lost by Australian businesses to BEC runs into tens of millions per year.

MFA stops the overwhelming majority of these attacks. Even if an attacker has your password, they can't log in without the second factor.

Where to enable it:

  • Microsoft 365 and Google Workspace (start here - this is your most critical system)
  • Any financial or banking platforms
  • Your accounting software (MYOB, Xero, etc.)
  • Cloud storage (SharePoint, OneDrive, Google Drive)
  • Remote access tools (VPN, Remote Desktop, TeamViewer)

Use an authenticator app (Microsoft Authenticator, Google Authenticator) rather than SMS where possible. SMS-based MFA is better than nothing but can be bypassed by SIM-swapping attacks.


2. Separate Admin Accounts for Admin Tasks

Most people use the same account for everything: reading email, browsing the web, and managing systems. This is a significant risk.

If that account gets compromised, through a phishing email, a malicious download, or a compromised website, the attacker has the same level of access you do. If you're an administrator, that means they have administrator access to everything.

The fix is simple: use a standard, unprivileged account for day-to-day work. Only use an admin account when you're specifically performing an administrative task, and log out when you're done.

For small businesses, this typically means:

  • A standard user account you use to check email, use Office apps, browse the web
  • A separate admin account (different username and password) used only for things like adding users, changing settings, or installing software

3. Proper Backup with Tested Recovery

Ransomware works by encrypting your data and demanding payment to decrypt it. If you have a clean, tested backup that the attacker can't reach, ransomware becomes an operational problem rather than an existential one.

The key word is tested. We regularly find businesses that believe they have good backups, but have never actually verified whether those backups can be restored. Some have never been tested at all. Others haven't tested recovery in years and their backup system changed in the meantime.

A solid backup strategy includes:

  • The 3-2-1 rule: 3 copies of your data, on 2 different media types, with 1 copy offsite (cloud counts)
  • Immutability: At least one backup copy should be write-protected so ransomware can't encrypt it. Most cloud backup services offer this
  • Regular test restores: At minimum, restore a sample of files every quarter and verify they're intact
  • Air-gap or offline copy: If all your backups are always connected to your network, ransomware can reach them
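To make "tested" concrete, here is an added Python example (not code from the original article or from any backup product) of what a quarterly test-restore check can look like: it picks a random sample of live files, hashes each one, and compares it with the copy the backup tool restored, flagging anything missing or silently corrupted. It assumes the restored files have been written to a directory on the same machine as the live data; the file tree it checks is constructed inside a temporary directory so the script runs on its own.

```python
"""A quarterly test-restore check: hash a sample of live files and compare them with
the copies restored from backup, flagging anything missing or silently corrupted.

The sample file tree in demo() is constructed inside a temporary directory; in real
use, point `source` at the live data and `restored` at the directory the backup
tool restored into.
"""
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def pick_sample(root, count, seed=None):
    """Pick a reproducible random sample of files under root, as paths relative to root."""
    root = Path(root)
    files = sorted(p.relative_to(root) for p in root.rglob("*") if p.is_file())
    return random.Random(seed).sample(files, min(count, len(files)))


def verify_restore(source, restored, sample):
    """Compare each sampled file in source with its counterpart under restored."""
    source, restored = Path(source), Path(restored)
    report = {"ok": [], "missing": [], "mismatch": []}
    for rel in sample:
        name = rel.as_posix()
        restored_path = restored / rel
        if not restored_path.is_file():
            report["missing"].append(name)
        elif sha256_file(source / rel) != sha256_file(restored_path):
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    # The test restore passes only if every sampled file came back intact.
    report["passed"] = not report["missing"] and not report["mismatch"]
    return report


def demo():
    """Build a constructed live tree and a flawed 'restored' copy, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        names = ["invoices/2024-01.pdf", "invoices/2024-02.pdf", "hr/policy.docx", "notes.txt"]
        for name in names:
            for root in (source, restored):
                path = root / name
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(f"contents of {name}\n".encode())
        # Simulate the two failure modes a test restore should catch:
        # a file that restored with the wrong contents and one that never came back.
        (restored / "invoices/2024-02.pdf").write_bytes(b"truncated")
        (restored / "notes.txt").unlink()
        sample = pick_sample(source, count=4, seed=1)
        return verify_restore(source, restored, sample)


if __name__ == "__main__":
    result = demo()
    print("PASSED" if result["passed"] else "FAILED")
    for kind in ("ok", "missing", "mismatch"):
        print(f"{kind}: {result[kind]}")
```

Run it as-is to see the constructed failure, then replace the two directories in demo() with your own paths. Comparing hashes rather than file sizes or timestamps is what catches a restore that looks complete but returns the wrong bytes, and keeping the sample random means you are not testing the same handful of files every quarter.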

4. Patch Management: Keep Everything Updated

Software vulnerabilities are one of the most common ways attackers gain initial access. When a vulnerability is discovered and a patch is released, attackers start targeting unpatched systems immediately, often within 24-48 hours of a public disclosure.

This applies to:

  • Operating systems (Windows, macOS) - turn on automatic updates
  • Web browsers - Chrome, Firefox, Edge all auto-update by default, but verify this
  • Applications - Office, Adobe, browsers, and any other software staff use
  • Network equipment - routers and firewalls often go years without firmware updates. Check yours

The most common version of this problem we see: a business has a Network Attached Storage (NAS) device or an old server that hasn't been patched in years. These become easy entry points.


5. Email Security: SPF, DKIM, and DMARC

These three protocols work together to reduce phishing and email spoofing. They tell receiving mail servers how to verify that email claiming to be from your domain actually came from your systems.

  • SPF (Sender Policy Framework): Specifies which mail servers are authorised to send email on behalf of your domain
  • DKIM (DomainKeys Identified Mail): Adds a digital signature to outgoing email that receiving servers can verify
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Tells receiving servers what to do when SPF or DKIM checks fail

Without DMARC enforcement, attackers can send email that appears to come from your domain. This is used in vendor impersonation scams and customer fraud.

Check whether your domain has these configured using a free tool like MXToolbox. If DMARC is missing or set to p=none, it's not protecting you.
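As an added example (not code from the original article or from MXToolbox), here is a Python script that applies the p=none check above to the raw TXT records. It takes the record text as input, since the SPF record is published at your domain itself and the DMARC record at the _dmarc subdomain, and reports whether each one is actually enforcing rather than merely present. The sample records at the bottom are constructed and use example.com placeholders.

```python
"""Check whether a domain's SPF and DMARC TXT records actually enforce anything.

Records are passed in as strings. In practice they come from DNS TXT lookups:
the SPF record lives at the domain itself, the DMARC record at _dmarc.<domain>.
The sample records in main() are constructed for this example.
"""


def parse_dmarc_tags(record):
    """Split a DMARC record ('tag=value; tag=value') into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a verdict for a DMARC record; None means no record is published."""
    result = {"present": record is not None, "policy": None, "enforcing": False, "notes": []}
    if record is None:
        result["notes"].append("no DMARC record at _dmarc.<domain>: spoofed mail is delivered as normal")
        return result
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        result["notes"].append("record does not start with v=DMARC1, so receivers ignore it")
        return result
    policy = tags.get("p", "").lower()
    result["policy"] = policy
    if policy in ("quarantine", "reject"):
        result["enforcing"] = True
    elif policy == "none":
        result["notes"].append("p=none only asks for reports; receivers still deliver spoofed mail")
    else:
        result["notes"].append("p= tag missing or invalid; the record is not usable")
    # pct= applies the policy to only that percentage of failing mail (default 100)
    pct = tags.get("pct", "100")
    if result["enforcing"] and pct.isdigit() and int(pct) < 100:
        result["notes"].append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    # sp= can give subdomains a weaker policy than the main domain
    if result["enforcing"] and tags.get("sp", "").lower() == "none":
        result["notes"].append("sp=none: mail from subdomains can still be spoofed")
    if "rua" not in tags:
        result["notes"].append("no rua= address: you get no aggregate reports on who is sending as you")
    return result


def assess_spf(record):
    """Return a verdict for an SPF record based on its final 'all' mechanism."""
    result = {"present": record is not None, "qualifier": None, "enforcing": False, "notes": []}
    if record is None:
        result["notes"].append("no SPF record: receivers cannot tell which servers may send for you")
        return result
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        result["notes"].append("record does not start with v=spf1, so receivers ignore it")
        return result
    # The 'all' mechanism matches every sender not listed before it; its qualifier decides the outcome.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        result["notes"].append("no 'all' mechanism: unlisted senders get a neutral result")
        return result
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    result["qualifier"] = qualifier
    if qualifier == "-":
        result["enforcing"] = True  # -all: unlisted senders fail
    elif qualifier == "~":
        result["notes"].append("~all (softfail): unlisted senders are only flagged, not rejected")
    elif qualifier == "?":
        result["notes"].append("?all (neutral): gives receivers no useful signal")
    else:
        result["notes"].append("+all: every server on the internet passes SPF for your domain")
    return result


def main():
    # Constructed sample records using example.com placeholders, not real lookups.
    samples = {
        "monitoring only": ("v=spf1 include:_spf.example.com ~all",
                            "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
        "enforcing": ("v=spf1 include:_spf.example.com -all",
                      "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
        "nothing published": (None, None),
    }
    for label, (spf, dmarc) in samples.items():
        print(f"== {label} ==")
        for name, verdict in (("SPF", assess_spf(spf)), ("DMARC", assess_dmarc(dmarc))):
            status = "enforcing" if verdict["enforcing"] else "NOT enforcing"
            print(f"{name}: {status}; " + "; ".join(verdict["notes"]))


if __name__ == "__main__":
    main()
```

Paste the TXT records your DNS lookup tool shows into the samples dict to check your own domain. The points the script looks for are the ones that usually separate a record that exists from one that protects you: a DMARC policy of none, a pct value below 100, a weaker sp policy for subdomains, and an SPF record that ends in ~all, ?all or +all instead of -all.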


6. Endpoint Detection and Response (EDR)

Basic antivirus is no longer sufficient on its own. Modern malware is designed to evade signature-based detection. EDR tools go further: they monitor behaviour patterns, detect suspicious activity even if the malware hasn't been seen before, and enable investigation and response when something is detected.

For Australian SMBs, Microsoft Defender for Business (included with Microsoft 365 Business Premium) is a cost-effective starting point that provides genuine EDR capability. CrowdStrike Falcon Go and SentinelOne are stronger options if you have the budget.

Whatever you choose, ensure:

  • It's deployed on every endpoint (laptops, desktops, servers)
  • Alerts are being monitored by someone
  • Real-time protection is turned on and not being bypassed by staff

Where to Start

If you're starting from zero, don't try to do everything at once. Prioritise in this order:

  1. MFA on Microsoft 365 or Google Workspace
  2. Test your backups - can you actually restore from them?
  3. Admin account separation
  4. Check DMARC configuration on your domain
  5. Ensure Windows/macOS automatic updates are enabled
  6. Review your antivirus and consider upgrading to EDR

These six steps will put you significantly ahead of the average Australian SMB in terms of security posture.


To understand where your business stands, we offer a free initial consultation - get in touch.
