Cyber security for small business in Sydney: where to start

Here is the short version, then the detail. You do not need a six-figure security programme to be genuinely safe. Five or six controls stop the overwhelming majority of attacks, most of them cost little or nothing, and you can have the first one running before lunch. Almost every attack on a small business is automated. Nobody hand-picked you. A script crawled the internet, found an open door, and walked in. So the whole game is not being the easy target, and that is cheaper than the ads and the fear make it sound.

Most advice on cyber security for small business is written either to scare you or to sell you a managed package you do not understand. This is the calmer version: what actually matters, in the order I would do it, with an honest word on cost.

Turn on MFA first, because it is free and it works

Multi-factor authentication is the highest-value thing you can do, and it costs nothing. Turn it on everywhere it is offered, in this order: email, then Microsoft 365 or Google Workspace, then your accounting software, then your bank, then anything else that holds money or client data. MFA means a stolen password is not enough on its own. The attacker also needs the code on your phone, and they do not have your phone.

This matters because passwords leak constantly. Staff reuse them across sites, one of those sites gets breached, and now the same password protects your email inbox. With MFA switched on, that leaked password is a dead end. The single most common way a small business gets breached is someone logging in with a password that was never theirs. MFA closes that door for free, so do it before you spend a dollar on anything else.

One caveat worth knowing. Use an authenticator app or a hardware key rather than text-message codes where you can. SMS codes are still far better than nothing, but they can be intercepted, and an app on the phone cannot. If SMS is all a service offers, use it anyway. Any MFA beats no MFA.

Keep everything patched, and let it update itself

Out-of-date software is the second open door. That means Windows, your browser, your PDF reader and your line-of-business app. When a vendor ships a security fix, the flaw it fixes becomes public knowledge, and automated tools start hunting for machines that have not applied it yet. An unpatched laptop is a known, published weakness sitting on your network.

The fix is boring and that is the point. Turn on automatic updates and stop fighting them. Let Windows restart overnight instead of clicking "remind me later" for three weeks. If you run an old machine that a supported version of Windows will not install on, budget to replace it, because an operating system past its support date will never get another security fix no matter how careful you are. Set it once, set it right, and let the machine keep itself current.

Run real endpoint protection, not just the free antivirus

The antivirus that came bundled with the laptop is fine for a home machine. For a business, step up to proper endpoint protection, the kind that watches for suspicious behaviour rather than only matching a list of known-bad files. Modern attacks do not always drop an obvious virus. They abuse legitimate tools that are already on the machine, so behaviour-based detection catches things a plain file scanner never will.

You do not need the most expensive tier on the market. You need something that covers every device, reports back to one place so you can actually see a problem, and is not quietly switched off on the one machine that matters. Coverage and visibility beat brand names.

Have backups that actually restore

This is the one people skip and the one that saves the business. The only reliable answer to ransomware is a clean backup you can roll back to. If your files get encrypted and you have a good backup from last night, ransomware is an annoyance and a lost afternoon instead of a company-ending event. If you do not, you are choosing between paying criminals and starting again from nothing.

Two rules make a backup worth having. First, keep a copy that is offline or otherwise out of reach of the machines it protects, because modern ransomware deliberately hunts down and encrypts the backups too. A backup sitting on a drive that is always plugged in gets encrypted right alongside everything else. Second, test a restore. A backup you have never restored from is a hope, not a plan. Pull a few files back once a quarter and confirm they actually open. I have seen too many "backups" that had been silently failing for months, and nobody knew until the day they needed them.
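The "test a restore" rule, as an added example that is not from the original article: a small POSIX shell script that backs up a folder, restores it into a separate directory and proves every file came back intact by checking SHA-256 sums against a manifest written at backup time. All file names and contents are constructed for the demo; it assumes tar and GNU sha256sum are available.

```shell
#!/bin/sh
# Added example: back up, restore elsewhere, then verify against a checksum
# manifest so a "backup" that has been silently failing gets noticed.
set -u

# Create a throwaway "live" folder with constructed sample files.
make_sample_data() {
  mkdir -p "$1/clients"
  printf 'invoice 1042 - due in 30 days\n' > "$1/clients/invoice-1042.txt"
  printf 'ledger,2024-06,12345.00\n' > "$1/ledger.csv"
}

# Archive a directory and write a checksum manifest next to the archive.
# The manifest is what lets a later restore be verified, not just "it ran".
backup_dir() {
  src="$1"; archive="$2"
  tar -C "$src" -cf "$archive" .
  ( cd "$src" && find . -type f | sort | xargs sha256sum ) > "$archive.sha256"
}

# Check every file in a restored tree against the manifest. Fails if any file
# is missing or its contents differ, which is what a quarterly test must catch.
# Both arguments must be absolute paths because of the cd.
check_manifest() {
  ( cd "$1" && sha256sum --quiet -c "$2" >/dev/null 2>&1 )
}

# Restore into a separate directory (never over the live copy) and verify.
verify_restore() {
  archive="$1"; dest="$2"
  mkdir -p "$dest"
  tar -C "$dest" -xf "$archive"
  check_manifest "$dest" "$archive.sha256"
}

# End-to-end run in a scratch directory: returns 0 only when the restore verifies.
run_restore_test() {
  work=$(mktemp -d)
  make_sample_data "$work/live"
  backup_dir "$work/live" "$work/backup.tar"
  if verify_restore "$work/backup.tar" "$work/restore"; then
    echo "restore test PASSED: every file matches the manifest"; rc=0
  else
    echo "restore test FAILED: do not trust this backup"; rc=1
  fi
  rm -rf "$work"
  return $rc
}

run_restore_test
```

Point the same three functions at a real backup archive and its manifest to turn the quarterly "pull a few files back" check into something that cannot pass by accident.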

Train your people, because they are the real target

Most breaches start with a person, not a machine. Someone clicks a link, enters their password on a convincing fake, or approves an MFA prompt they did not trigger because it is easier than wondering why it popped up. No product fixes that on its own. A short, plain habit does: if an email creates urgency, asks for money or a password, or just feels slightly off, stop and check through a channel you already trust. Ring the supplier on the number you have on file, not the one in the email.

You do not need an expensive training platform for a team of ten. You need a five-minute conversation, a couple of real examples of the scams going around, and a clear message that nobody gets in trouble for asking "is this real?" The businesses that get caught are usually the ones where staff were too rushed or too afraid to pause. Make pausing the normal thing to do.

About the Essential Eight

You may have heard of the Essential Eight, a set of eight baseline strategies recommended by the Australian Cyber Security Centre. It covers patching, MFA, application control, backups and a few more. It is a genuinely useful checklist, and it is worth knowing it exists. It is not a wall you have to scale in one weekend. For a small business, treat it as a map: work out where you stand against it, and fix the highest-risk gaps first. Most of the protection comes from the first few items, which are the same free and cheap controls above. A good provider can map you against it honestly and tell you which gaps are actually worth closing for a business your size, rather than selling you the full enterprise treatment you do not need.

Why "small" does not mean "safe"

The myth that attackers only chase big companies is the one that costs small businesses the most. Automated attacks scan the whole internet and do not care how many staff you have. They care whether the door is unlocked. A ten-person accounting firm holds tax file numbers, bank details and client records, and it usually has weaker defences than a bank, which is exactly what makes it worth a script's time. Being small does not make you invisible. It often makes you the softer target.

The encouraging flip side is that locking the door is cheap. MFA is free. Automatic updates are free. Staff awareness costs a coffee and half an hour. Real endpoint protection and a proper backup cost money, but far less than one serious incident, and less than most businesses already spend on things that matter less. You do not need everything at once. You need the first few, done properly and left running.

If you want an honest read on where your business stands, what is already fine and the two or three things genuinely worth fixing, that is the kind of straight assessment we do at Alien IT Solutions. Tell us about your setup and we will give it to you plainly, with no fear in the sales pitch.

Frequently asked questions

What is the first thing a small business in Sydney should do for cyber security?

Turn on multi-factor authentication (MFA) everywhere it is offered, starting with email and Microsoft 365. It is free, takes minutes, and stops the most common way small businesses get breached: a stolen or guessed password. Everything else builds on top of that.

Does a small business really need cyber security, or is that just for big companies?

Small businesses are targeted precisely because they are assumed to have weaker defences. Most attacks are automated and do not care how big you are. The good news is that a small set of basic controls blocks the overwhelming majority of them, so meaningful protection is well within a small budget.

What does the Essential Eight mean for my business?

The Essential Eight is a set of eight baseline strategies recommended by the Australian Cyber Security Centre, covering patching, MFA, application control, backups and more. You do not have to implement all of it at once. It is a useful checklist, and a good provider can map where you stand and what to fix first.