Cybersecurity for Small Business — The Basics That Actually Matter


I’m going to skip the part where I scare you with statistics about how many small businesses get hacked each year. You’ve heard those numbers. They’re alarming, they’re cited in every cybersecurity vendor’s sales pitch, and they’re not particularly helpful in telling you what to actually do.

What is helpful: understanding the specific attacks that affect small businesses and implementing the practical defences that stop them. Most small business breaches aren’t sophisticated nation-state operations. They’re opportunistic attacks that exploit basic security gaps — gaps that are straightforward and inexpensive to close.

The Attacks You’ll Actually Face

Phishing emails. This is the number one attack vector for small businesses, and it’s not close. An employee receives an email that looks like it’s from a supplier, their bank, or the ATO. They click a link, enter credentials on a fake login page, and the attacker now has access to their email, cloud storage, or financial accounts.

The Australian Cyber Security Centre reports that phishing and business email compromise accounted for more than 60% of reported cyber incidents affecting Australian small businesses in 2024-25. These aren’t high-tech attacks — they’re social engineering that works because people are busy and emails are convincing.

Ransomware. Malicious software encrypts your files and demands payment (usually in cryptocurrency) for the decryption key. Ransomware typically arrives via phishing email, compromised remote desktop connections, or vulnerabilities in outdated software. Small businesses are particularly attractive targets because they’re less likely to have backups and more likely to pay.

Business email compromise (BEC). An attacker gains access to a business email account (usually through phishing) and then uses it to send fraudulent payment requests. The classic version: an email that appears to be from the CEO to the finance manager, requesting an urgent wire transfer to a “new supplier account.” The email is convincing because it genuinely comes from the CEO’s compromised email account.

Credential stuffing. If an employee uses the same password for their business email and a personal account that gets breached, attackers will try that password against business systems. It works more often than you’d think because password reuse is still rampant.

The Defences That Actually Work

Here are the practical steps, in order of impact. Do these before spending money on any security product.

1. Enable Multi-Factor Authentication (MFA) Everywhere

This is the single most impactful security measure you can take. MFA requires a second verification step — usually a code from an authenticator app or a push notification — in addition to your password. Even if an attacker steals your password through phishing, they can’t access your account without the second factor.

Enable MFA on:

  • Email (Microsoft 365, Google Workspace)
  • Cloud storage (OneDrive, Google Drive, Dropbox)
  • Accounting software (Xero, MYOB, QuickBooks)
  • Banking portals
  • Social media accounts
  • Any system containing customer data

Microsoft reports that MFA blocks 99.9% of automated account attacks. That one measure alone eliminates the most common attack pathway.

Use an authenticator app (Microsoft Authenticator, Google Authenticator, Authy) rather than SMS codes. SIM-swapping attacks can intercept SMS codes; authenticator apps are substantially more secure.

2. Keep Software Updated

This is boring advice. It’s also critically important. Software updates patch known vulnerabilities — the specific gaps that attackers use to get in. When you delay updates, you’re leaving known doors open.

Set everything to auto-update: operating system, browser, email client, and all business applications. For systems where auto-update isn’t available (some legacy business software), establish a monthly update schedule and actually follow it.

The 2017 WannaCry ransomware attack — which affected over 200,000 computers globally — exploited a Windows vulnerability that Microsoft had patched two months earlier. Every affected system was one that hadn’t installed the available update.

3. Back Up Your Data Properly

Backups are your insurance policy against ransomware. If your files get encrypted, you restore from backup and tell the attacker to pound sand. But “we have backups” isn’t sufficient — the backups need to be:

Separate from your main systems. If your backup is an external drive permanently plugged into your computer, ransomware will encrypt it too. Backups need to be either offline (physically disconnected) or immutable (can’t be modified once written).

Tested regularly. A backup you’ve never tested restoring from isn’t a backup — it’s a hope. Quarterly restore testing takes 30 minutes and confirms your backup actually works.

Following the 3-2-1 rule. Three copies of your data, on two different types of media, with one copy offsite. For a small business, this typically means: original data on your computer, a cloud backup (Microsoft OneDrive, Google Drive, Backblaze), and a periodic backup to an external drive stored offsite (at home, a safe deposit box, or a trusted location).
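As an added example (not from the original article) of what a quarterly restore test can actually check: restore into a scratch directory and compare SHA-256 hashes against the live data, so a backup that quietly dropped or truncated a file fails the test instead of passing on "the job ran". The file names and contents are constructed placeholders.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def hash_tree(root: Path) -> dict:
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(original: Path, restored: Path) -> dict:
    """Compare a restored copy against the live data. The test passes only when
    every original file came back byte-for-byte identical; extra files in the
    restore are ignored, missing or altered ones are reported by path."""
    want, got = hash_tree(original), hash_tree(restored)
    missing = sorted(p for p in want if p not in got)
    mismatched = sorted(p for p in want if p in got and want[p] != got[p])
    return {"missing": missing, "mismatched": mismatched,
            "passed": not missing and not mismatched}

def run_restore_test() -> dict:
    """Constructed end-to-end drill: back up a small tree, restore it somewhere
    separate and check it; then repeat after the backup has lost one file and
    had another truncated, which is how a quietly failing backup job looks."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        # Constructed sample business files; the contents are placeholders
        for name, data in {"invoices/2024-q3.csv": b"id,amount\n1,1200\n",
                           "contracts/acme.pdf": b"%PDF-1.4 constructed sample",
                           "notes.txt": b"call supplier Monday\n"}.items():
            (live / name).parent.mkdir(parents=True, exist_ok=True)
            (live / name).write_bytes(data)
        backup = Path(tmp, "backup")
        shutil.copytree(live, backup)                          # stands in for the backup job
        shutil.copytree(backup, Path(tmp, "restore-good"))     # stands in for the restore
        good = verify_restore(live, Path(tmp, "restore-good"))
        (backup / "notes.txt").unlink()                        # a file silently dropped
        (backup / "invoices/2024-q3.csv").write_bytes(b"id,amount\n")  # a file truncated
        shutil.copytree(backup, Path(tmp, "restore-bad"))
        bad = verify_restore(live, Path(tmp, "restore-bad"))
    return {"good": good, "bad": bad}

if __name__ == "__main__":
    print(run_restore_test())
```

Point the same check at your real backup target and a scratch restore directory; a restore that passes byte-for-byte is the only kind worth calling a backup.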

4. Train Your People

Technical controls catch most attacks, but some will get through. When they do, your staff are the last line of defence. They need to know:

  • How to recognise phishing emails (urgency, unusual sender, requests for credentials or payments)
  • Never to enter passwords on pages reached via email links — always navigate directly to the website
  • To verify unexpected payment requests by phone (calling a known number, not the number in the email)
  • To report suspicious emails immediately, without embarrassment — catching a phishing attempt isn’t a failure; clicking and not reporting is

You don’t need expensive security awareness training platforms. A 30-minute session with real examples of phishing emails targeting your industry, repeated twice a year, is more effective than most automated training programmes.
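The recognition rules above (urgency, unusual sender, requests for credentials or payments, links that lead somewhere unexpected) written out as a small triage check over two constructed messages; this is an added example, not code from the original article. The business domain smallbiz.example and the keyword lists are assumptions, and two or more indicators together is a prompt to pick up the phone, not a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Two constructed messages (not real mail): one carrying the classic indicators,
# one ordinary internal email. The business domain is an assumption.
OWN_DOMAIN = "smallbiz.example"
SAMPLE_PHISH = """From: "Accounts Payable" <accounts@supplier-invoices.example>
To: finance@smallbiz.example
Subject: URGENT: overdue invoice - update payment details today

Please click http://192.0.2.10/login to verify your account and update
our bank details before the end of the day.
"""
SAMPLE_LEGIT = """From: "Jane Smith" <jane@smallbiz.example>
To: finance@smallbiz.example
Subject: Agenda for Thursday

Attached is the agenda for the team meeting. Cheers, Jane
"""

CHECKS = [  # keyword lists are assumptions; tune them to the lures your industry sees
    ("urgency language", re.compile(r"\b(urgent|immediately|today|within 24 hours|overdue|suspended)\b", re.I)),
    ("credential request", re.compile(r"\b(verify your account|confirm your password|log ?in|sign in|password)\b", re.I)),
    ("payment request", re.compile(r"\b(wire transfer|bank details|payment details|invoice|gift card)\b", re.I)),
]
LINK_HOST = re.compile(r"https?://([^/\s]+)", re.I)

def phishing_indicators(raw: str, own_domain: str = OWN_DOMAIN) -> list:
    """Return the indicators from the list above that one message triggers."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    hits = ["sender outside " + own_domain] if sender_domain != own_domain.lower() else []
    hits += [label for label, rx in CHECKS if rx.search(text)]
    for host in LINK_HOST.findall(body):
        # A bare IP address, or a host outside the business domain, is worth a look
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) or not host.lower().endswith(own_domain.lower()):
            hits.append("link to " + host)
    return hits

def needs_verification(raw: str, own_domain: str = OWN_DOMAIN) -> bool:
    """Two or more indicators together: stop and verify by phone before acting."""
    return len(phishing_indicators(raw, own_domain)) >= 2
```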

5. Use a Password Manager

Every business account should have a unique, strong password. Humans can’t remember dozens of unique passwords, so they either reuse passwords or use weak ones. A password manager — Bitwarden (free), 1Password ($36/user/year), or LastPass — generates and stores unique passwords for every account.

Deploy a business password manager, require all staff to use it, and disable the option to use browser-saved passwords. This eliminates credential reuse — the attack vector behind credential stuffing — across your entire organisation.

What You Don’t Need (Yet)

The cybersecurity industry is excellent at selling fear and complexity. For most small businesses, you don’t need:

  • A $5,000/year endpoint detection and response platform
  • A managed security operations centre
  • Penetration testing
  • Dark web monitoring services
  • Cyber insurance (until you’ve done the basics above — insurers increasingly require these baseline controls anyway)

These services have legitimate value for larger organisations with complex IT environments and high-value data. For a small business with 5-20 employees, the five measures above will prevent the vast majority of attacks you’ll face.

Most cybersecurity firms, including those selling AI-based business solutions, would agree that the fundamentals matter more than advanced tooling. You wouldn’t install a home security camera system while leaving your front door unlocked. MFA, updates, backups, training, and passwords are the locked doors. Start there.

The Cost of Getting This Right

  • MFA: Free (built into Microsoft 365 and Google Workspace)
  • Software updates: Free (just do them)
  • Cloud backup: $5-15/month per user
  • Password manager: $0-36/user/year
  • Staff training: A few hours of your time, twice a year

Total cost for a 10-person business: roughly $100-200/month. The average cost of a small business cyber incident in Australia is $46,000, according to the ACSC’s 2024 report. The maths isn’t complicated.

Do the basics. Do them consistently. That’s genuinely all most small businesses need.