Why Small Businesses Are Prime Targets for Cyber Attacks
Plenty of small business owners assume they are too small to be a target. The opposite is true. Attackers run automated scanners across the whole internet, so they find you by your open ports and unpatched software, not your size — and smaller firms usually have fewer defences and no dedicated security staff. The ACSC's annual Cyber Threat Report has consistently put small businesses among the hardest hit, with business email compromise (BEC) and ransomware causing the largest financial losses. Many incidents also arrive through a trusted supplier or managed service provider, so "we outsource our IT" is not the same as "we're covered".
Key Cyber Security Principles from the ACSC
The ACSC's Small Business Cyber Security Guide boils good practice down to a short list of high-impact actions, and the Essential Eight gives you a prioritised baseline beyond that. If you do nothing else this quarter, do the ACSC's three quick wins: turn on multi-factor authentication, keep software automatically updated, and set up tested backups. In our assessments the gap is rarely awareness of these — it is that they are half-implemented: MFA on email but not the accounting system, or backups that have never been restore-tested.
Practical Tips for Password Security and Multi-Factor Authentication
Use a password manager and long passphrases — the ACSC recommends four or more random words — so every account has a unique credential and your team is not reusing one password everywhere. For MFA, prefer phishing-resistant methods: an authenticator app or a FIDO2 hardware key beats SMS codes, which can be intercepted via SIM-swap. Put MFA on email, remote access (VPN/RDP), and any finance or admin system first, since those are what attackers actually go after. These controls underpin your broader continuous compliance efforts.
Securing Your Devices and Networks: Easy Steps
Turn on automatic updates for operating systems, browsers, and applications — unpatched software is the most common way in. Secure Wi-Fi with WPA3 (or WPA2 at minimum), and put guests and untrusted devices on a separate network from your business systems. Disable Microsoft Office macros unless a specific role needs them — they are a frequent malware delivery route — run reputable endpoint protection, and retire any hardware or operating system that is past end-of-life and no longer receiving security updates.
Best Practices for Data Backups and Recovery
Ransomware's whole business model is locking you out of your data, so backups are what let you say no to a ransom. Follow the 3-2-1 rule: three copies, on two types of media, with one kept offline or immutable so an attacker who reaches your network cannot encrypt the backups too. Then test a real restore on a schedule — quarterly is a sensible minimum — because an untested backup is a hope, not a recovery plan.
Employee Training and Awareness: Your First Line of Defence
Most breaches start with a person clicking something, so treat your team as a control you can strengthen. Run periodic phishing simulations, and make reporting a suspect email quick and blame-free — people hide mistakes when they fear consequences. Brief finance staff specifically on business email compromise and invoice-redirection fraud, which hit SMBs hard, and agree one simple rule: verify any change to payment details by a second channel, such as a phone call to a known number, never by replying to the email.
Resources and Further Support from ACSC
Start with the ACSC's free resources: the Small Business Cyber Security Guide, the Essential Eight, and the ACSC Alert Service for current threats. If you suspect an incident, report it through ReportCyber. Our advice is to sequence the work — lock in MFA, automatic updates, and tested backups this month, then build towards the Essential Eight. For more, read our cybersecurity insights, or talk to us about where to start.