Small Business Security Baseline
A practical, no-nonsense guide to the security controls that actually matter for Australian small businesses.
Aligned with the Australian Signals Directorate (ASD) Essential Eight framework.
Where Do I Start?
Most small businesses know they need to take cybersecurity seriously, but the volume of advice, frameworks, and vendor pitches makes it difficult to know where to begin. The reality is that a relatively small number of controls address the vast majority of threats facing Australian businesses.
It is important to understand that cybersecurity is about risk mitigation, not risk elimination. No business can eliminate all risk, and attempting to do so would make your business unprofitable and unable to operate. The goal is to reduce risk to an acceptable level — implementing the controls that have the greatest impact against the threats most likely to affect your business, while keeping your operations running.
The controls on this page are aligned with the Australian Signals Directorate (ASD) Essential Eight — the baseline mitigation strategies recommended by the Australian Government to protect organisations against cyber threats. They are also the controls that cyber insurers increasingly expect, and the controls that regulators like ASIC are beginning to hold businesses accountable for.
In November 2024, ASIC pursued a $2.5 million penalty against FIIG Securities for inadequate cybersecurity controls — a case that directly involved failures in patching, access management, and monitoring. These are not theoretical risks. This page covers the practical controls that would have prevented that outcome.
Multi-Factor Authentication (MFA)
Compromised passwords are the single most common way attackers gain access to business systems. MFA stops the majority of credential-based attacks, even when passwords are stolen through phishing or data breaches.
- Enable MFA on all email accounts (Microsoft 365, Google Workspace)
- Enable MFA on cloud and SaaS applications (accounting, CRM, file storage)
- Enable MFA on VPN and remote access systems
- Use authenticator apps or hardware keys — avoid SMS where possible
Patch Management
Unpatched software is how attackers get in without needing a password. Known vulnerabilities in operating systems, browsers, and applications are actively exploited within days of disclosure. Patching closes these gaps.
- Apply critical and high-severity patches to internet-facing services within 48 hours
- Patch operating systems (Windows, macOS, Linux) within two weeks
- Patch productivity software (Office, browsers, PDF readers) within two weeks
- Remove or replace software that is end-of-life and no longer receiving patches
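To turn the timelines above into something you can actually check, here is an added example (not code from the original page) that flags pending patches past the 48-hour and two-week deadlines and separately reports end-of-life software that will never get a fix. The asset inventory and advisory names are constructed, and the two-week fallback for non-critical patches on internet-facing services is an assumption the page does not state.

```python
from datetime import datetime, timedelta

# Deadlines from the checklist above. Assumption (not stated on the page): a
# non-critical patch on an internet-facing service falls back to two weeks.
URGENT = timedelta(hours=48)   # critical/high on internet-facing services
STANDARD = timedelta(days=14)  # operating systems and productivity software

def patch_deadline(item: dict) -> datetime:
    """Date by which the patch should have been applied under the baseline."""
    urgent = item["asset_class"] == "internet_facing" and item["severity"].lower() in ("critical", "high")
    return item["released"] + (URGENT if urgent else STANDARD)

def overdue_patches(pending: list[dict], now: datetime) -> list[tuple[str, str, str]]:
    """Return (asset, patch, reason) for every pending item that breaches the baseline."""
    report = []
    for item in pending:
        if item.get("end_of_life"):
            report.append((item["asset"], item["patch"], "end-of-life: no fix coming, remove or replace"))
            continue
        late = now - patch_deadline(item)
        if late > timedelta(0):
            report.append((item["asset"], item["patch"], f"overdue by {late.days}d {late.seconds // 3600}h"))
    return report

# Constructed inventory of pending patches (fictional assets and advisory IDs).
NOW = datetime(2025, 3, 10, 9, 0)
PENDING = [
    {"asset": "vpn-gateway", "asset_class": "internet_facing", "severity": "critical",
     "patch": "VENDOR-ADV-EXAMPLE-1", "released": datetime(2025, 3, 7, 9, 0)},
    {"asset": "dc01", "asset_class": "os", "severity": "high",
     "patch": "OS-UPDATE-EXAMPLE-2", "released": datetime(2025, 3, 1, 9, 0)},
    {"asset": "reception-pc", "asset_class": "productivity", "severity": "medium",
     "patch": "PDFREADER-EXAMPLE-3", "released": datetime(2025, 2, 20, 9, 0)},
    {"asset": "fax-server", "asset_class": "os", "severity": "n/a",
     "patch": "none available", "released": datetime(2020, 1, 1), "end_of_life": True},
]

if __name__ == "__main__":
    for asset, patch, reason in overdue_patches(PENDING, NOW):
        print(f"{asset:14} {patch:22} {reason}")
```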
Endpoint Detection & Response (EDR)
Traditional antivirus misses modern threats. EDR solutions monitor process behaviour, detect fileless attacks, and provide the visibility needed to identify and contain compromises before they spread. This is the single most impactful security investment for most small businesses.
- Deploy EDR on all workstations and servers (CrowdStrike, SentinelOne, Microsoft Defender for Business)
- Ensure agents are reporting to a central console with alerting configured
- Enable tamper protection so malware cannot disable the agent
- Review alerts regularly — an unmonitored EDR is an expensive antivirus
Email Security
Email is the primary attack vector for Australian businesses. Business email compromise (BEC), phishing, and credential theft all start in the inbox. Proper email authentication and security policies significantly reduce exposure.
- Configure SPF, DKIM, and DMARC to prevent domain spoofing
- Enable anti-phishing policies in Microsoft 365 or Google Workspace
- Configure attachment and link scanning (Safe Attachments / Safe Links)
- Block or restrict automatic forwarding of mail to external addresses
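An added example, not code from the original page, that checks SPF and DMARC TXT records for the weak settings a review most often finds (softfail or +all, p=none, a partial pct, no reporting address, unprotected subdomains). It works on record strings rather than doing DNS lookups so it runs offline; the sample records and the domain in them are constructed.

```python
import re

# Constructed sample TXT records for a fictional domain (not real DNS data).
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com.au"

def check_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means no weakness found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    findings = []
    # The trailing 'all' mechanism decides what happens to senders not listed.
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected")
    elif all_term[0] not in "-~":
        findings.append("SPF: '+all' or '?all' lets any sender pass SPF")
    elif all_term.startswith("~"):
        findings.append("SPF: '~all' softfail only; move to '-all' once sending sources are confirmed")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC TXT record published at _dmarc.<domain>."""
    # Split 'tag=value;' pairs; partition keeps '=' inside values such as mailto: URIs.
    tags = {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in record.split(";")) if v}
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: p= tag missing or invalid")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings

if __name__ == "__main__":
    for label, rec, fn in [("SPF", WEAK_SPF, check_spf), ("DMARC", WEAK_DMARC, check_dmarc)]:
        print(label, fn(rec) or ["no weaknesses found"])
```

Run it against your own records by pasting the TXT values from DNS in place of the constructed samples; DKIM is not covered here because its check is a signature verification on a received message rather than a record inspection.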
Backups & Recovery
Ransomware can encrypt every file your business depends on. Without tested backups, you are left choosing between paying a ransom with no guarantee of recovery, or losing everything. Backups are your last line of defence.
- Follow the 3-2-1 rule: 3 copies, 2 different media types, 1 offsite
- Maintain at least one immutable or offline backup that ransomware cannot reach
- Test backup restoration quarterly — untested backups are not backups
- Include cloud data (Microsoft 365 mailboxes, SharePoint, OneDrive) in backup scope
Admin Privilege Management
When an attacker compromises an account with admin privileges, they own the environment. Restricting administrative access limits the damage any single compromised account can cause and makes lateral movement significantly harder.
- No daily-use accounts should have admin privileges
- Create separate admin accounts used only for administrative tasks
- Remove local administrator rights from standard user workstations
- Review who has admin access quarterly and remove accounts that no longer need it
Perimeter & Network Security
Internet-facing services are constantly scanned and probed. Misconfigured firewalls, unnecessary open ports, and exposed management interfaces are routinely exploited. A hardened perimeter reduces your attack surface significantly.
- Review firewall rules and remove unnecessary inbound access
- Disable unused services and close unnecessary ports
- Implement VPN or Zero Trust Network Access (ZTNA) for remote access
- Segment critical systems from general user networks where possible
SaaS & Cloud Configuration Review
Most businesses now run on SaaS platforms like Microsoft 365, Google Workspace, Xero, and various CRM tools. Default configurations are rarely secure. Misconfigurations in these platforms are a leading cause of data exposure and account compromise.
- Review Microsoft 365 / Google Workspace security defaults and conditional access policies
- Enable audit logging across cloud platforms
- Restrict third-party app integrations and OAuth consent
- Review sharing permissions and external access settings
How Do I Know If I'm Actually Secure?
A checklist tells you what to do. It does not tell you whether it has been done correctly. MFA can be enabled but configured with weak policies. Patches can be applied to workstations but missed on servers. Firewall rules can exist but contain overly permissive exceptions that negate their purpose.
The difference between having security controls and having effective security controls is validation. That is what a professional security review provides — an independent assessment of whether your controls are actually protecting you, or whether they are giving you a false sense of security.
This is also what cyber insurers and regulators are increasingly asking for. A completed checklist is not evidence of security. A documented assessment with findings, evidence, and remediation guidance is.
SMB Security Baseline Review
We assess your environment against the controls on this page, identify gaps, and give you a prioritised remediation plan. You get a clear picture of where you stand and exactly what to fix first, in plain English, not a 100-page report full of jargon.
Endpoint & EDR Assessment
Review current endpoint protection, EDR configuration, and coverage gaps across your fleet.
Perimeter & Network Review
Firewall rules, exposed services, remote access configuration, and network segmentation assessment.
SaaS & Cloud Configuration Audit
Microsoft 365 / Google Workspace security settings, MFA policies, conditional access, and sharing controls.
Email Security Review
SPF, DKIM, DMARC validation, anti-phishing policies, and mail flow rules assessment.
Prioritised Remediation Report
A plain-English report with findings ranked by risk, actionable steps, and evidence you can provide to your cyber insurer.
Further Reading
Essential 8 Compliance Guide
What the Essential Eight controls are, how maturity levels work, and what's involved in achieving compliance.
ASIC's $2.5M Cybersecurity Penalty
How ASIC pursued FIIG Securities for inadequate cybersecurity controls and what it means for Australian businesses.
Cyber Insurance Requirements
What Australian cyber insurers expect, the controls they assess, and how to prepare for the application process.
My Email Has Been Hacked — What To Do
Step-by-step response guide when a business email account is compromised. The most common incident Australian SMBs face.
Not Sure Where You Stand?
Talk to us about a security baseline review. We'll assess your environment, identify the gaps, and give you a clear path forward.