
Cyber Security Checklist for Australian SMBs: 2026 Edition

Peter Nelson · 8 min read

A practical, no-jargon cyber security checklist for Australian small and medium businesses. Based on the ACSC Essential Eight with real-world implementation guidance.

Australian SMBs are a primary target of cyber attacks in 2026. That is not hyperbole - the Australian Cyber Security Centre’s annual threat report consistently shows small and medium businesses accounting for a disproportionate share of reported incidents. The reason is simple: they hold valuable data, spend little on security, and attackers know it.

This checklist is based on the ACSC Essential Eight, adapted for businesses with 10 to 200 staff. It is not exhaustive, but if you can tick every item on this list, you are significantly better protected than the majority of Australian SMBs.

Before You Start: Understand Your Crown Jewels

Before implementing any controls, identify what you are actually protecting:

  • Client data - names, contact details, financial information, health records
  • Financial systems - banking access, accounting software, payroll
  • Operational systems - the software your business cannot function without
  • Intellectual property - client work, proprietary processes, competitive intelligence

The controls below protect all of these, but understanding your highest-value targets helps you prioritise when resources are limited.


Section 1: Application Control

What it means: Only approved applications, scripts and installers can run on your computers; everything else is blocked by default.

  • Maintain an approved application list for all workstations, built from what staff legitimately use
  • Block execution of unapproved executables, software libraries, scripts (PowerShell, VBScript, batch) and installers, particularly from user-writeable directories such as Downloads, AppData and Temp
  • Deploy in audit mode first to learn what would have been blocked, then switch to enforcement
  • Office macros are covered separately in Section 3, but the same principle applies: nothing runs unless it is approved

Why it matters: Most ransomware and commodity malware arrives as an executable or script dropped into a user-writeable folder. If only approved applications can run there, the attacker’s code never executes. It is one of the most effective controls against ransomware, with one caveat: it does not stop an attacker who abuses tools that are already approved (so-called living off the land), which is why the other sections still matter.

Melbourne SMB reality: Application control is not difficult with Microsoft Intune and Windows Defender Application Control (now called App Control for Business), or with AppLocker on older estates. A managed IT provider should have this as a standard component of your endpoint configuration.
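
The following PowerShell is an added example, not code from the article or from CX IT Services. It uses AppLocker, which is built into Windows and scriptable, rather than the Intune/WDAC route the article recommends; both enforce the same idea. It builds an allow-list from a clean reference workstation, stages it in audit-only mode, and reports which files already sitting in user-writeable folders the policy would have blocked. Run it elevated on the reference machine, on an edition that supports AppLocker enforcement.

```powershell
# Added example, not from the original article. Builds an AppLocker allow-list from a clean
# reference workstation, stages it in AuditOnly mode, and reports what it would have blocked
# in user-writeable folders. Run elevated; enforcement needs the Application Identity service.
$ErrorActionPreference = 'Stop'

# 1. Learn what legitimately runs. Publisher rules where files are signed, hash rules otherwise.
#    Recursing Program Files and Windows takes a while on a real machine.
$trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ -and (Test-Path $_) }
$fileInfo = foreach ($dir in $trusted) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller -ErrorAction SilentlyContinue
}

# 2. Turn the inventory into allow rules, then force every rule collection to AuditOnly.
#    -Optimize collapses files from one publisher into one rule; -IgnoreMissingFileInformation
#    skips files that cannot be hashed or whose signature cannot be read.
$xml = [xml](New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix Baseline -Optimize -IgnoreMissingFileInformation -Xml)
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) { $collection.EnforcementMode = 'AuditOnly' }
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
$xml.Save($policyPath)

# 3. Dry run: which files already in user-writeable locations would this policy stop?
$userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, (Join-Path $env:USERPROFILE 'Downloads'))
$candidates = Get-ChildItem -Path $userWritable -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.msi', '.ps1', '.bat', '.cmd', '.vbs', '.js' }
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates.FullName -Filter Denied, DeniedByDefault |
        Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
}

# 4. Apply in audit mode. sc.exe is used because the Application Identity service is protected
#    from Set-Service on recent Windows builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. After a week or two of normal use, review what would have been blocked. Event 8003 is an
#    audit-mode "would have blocked"; 8004 is a real block once a collection is set to Enabled.
#    Legitimate hits become new rules; then flip EnforcementMode to 'Enabled' and re-apply.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -FilterXPath '*[System[EventID=8003]]' -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Message
```

The point of step 3 is that it gives you the argument for enforcement before you turn it on: anything listed there is code running from a location no approved installer should write to. The Windows directory is included so that unsigned Windows components get hash rules rather than being blocked by default.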


Section 2: Patch Applications

What it means: Keep all software up to date, particularly internet-facing applications.

  • Internet-facing applications patched within 48 hours of a critical patch release, or sooner if a working exploit is public
  • All other applications patched within one month of patch release
  • Automated patch management in place for operating systems and common applications
  • Monthly patch compliance reporting reviewed by management

Why it matters: A large share of successful intrusions exploit known vulnerabilities for which a patch already existed. Timely patching removes the vulnerability before attackers get around to using it.

Common SMB failure point: “We’ll do it next month” - patching deferred becomes patching never. A managed IT provider with automated patching eliminates this failure mode.


Section 3: Configure Microsoft Office Macro Settings

What it means: Restrict or block macros in Office documents, particularly from external sources.

  • Macros disabled for documents from the internet
  • Only macros from trusted, digitally signed sources allowed to run
  • Users cannot override macro settings
  • Anti-virus scanning of macros before execution through the Antimalware Scan Interface (AMSI), where your endpoint product supports it

Why it matters: Macro-based malware delivered via phishing emails is one of the most common initial access vectors. Restricting macros closes this pathway.
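
The following PowerShell is an added example, not code from the article or from CX IT Services. It audits the macro settings above for the current user and, when `$Enforce` is set, writes them as locked policy. Values under `HKCU:\Software\Policies` are what Group Policy and Intune write: Office treats them as administrative policy and greys the options out in Trust Center, which is what "users cannot override" means in practice. It assumes Office 2016 or later (registry version 16.0) and the five applications that honour both settings.

```powershell
# Added example, not from the original article. Audits the Office macro policy for the current
# user and, if $Enforce is $true, writes it as locked policy. Assumes Office 16.0.
$Enforce = $false
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'

# VBAWarnings: 1 = enable all macros (never), 2 = disable with notification (user can click
# Enable Content), 3 = disable except digitally signed, 4 = disable all without notification.
# blockcontentexecutionfrominternet: 1 = block macros in files carrying the Mark of the Web.
$desired = [ordered]@{ VBAWarnings = 3; blockcontentexecutionfrominternet = 1 }

function Get-MacroPolicyState {
    param([string]$App)
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$App\Security"
    $state = [ordered]@{ App = $App }
    foreach ($name in $desired.Keys) {
        $policyValue = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        $userValue   = (Get-ItemProperty -Path $userKey   -Name $name -ErrorAction SilentlyContinue).$name
        # Policy wins when present. A value only in the user hive is a preference the user can flip back.
        $state[$name]          = if ($null -ne $policyValue) { $policyValue } else { $userValue }
        $state["$name.Locked"] = $null -ne $policyValue
    }
    $state.Compliant = ($state.VBAWarnings -ge 3) -and ($state.blockcontentexecutionfrominternet -eq 1) -and
                       $state['VBAWarnings.Locked'] -and $state['blockcontentexecutionfrominternet.Locked']
    [pscustomobject]$state
}

function Set-MacroPolicy {
    param([string]$App)
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    New-Item -Path $policyKey -Force | Out-Null
    foreach ($name in $desired.Keys) {
        New-ItemProperty -Path $policyKey -Name $name -Value $desired[$name] -PropertyType DWord -Force | Out-Null
    }
}

if ($Enforce) { foreach ($app in $apps) { Set-MacroPolicy -App $app } }
$apps | ForEach-Object { Get-MacroPolicyState -App $_ } | Format-Table -AutoSize
```

A machine that shows `VBAWarnings 2` with `Locked False` is the common failure: macros are "disabled", but one click on Enable Content runs them, and the user can change the setting. The Policies key is writable only by administrators, so for a fleet the same two values are pushed with Group Policy or Intune rather than with this script.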


Section 4: User Application Hardening

What it means: Configure browsers and applications to reduce their attack surface.

  • Web advertising blocked on all workstations (malvertising is a real attack vector)
  • Flash disabled (or removed - it should no longer be installed anywhere)
  • Web browser extensions controlled and audited
  • Java disabled in web browsers unless specifically required
  • PDF reader configured to block access to external resources
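
The following PowerShell is an added example, not code from the article or from CX IT Services, for the browser-extension item above. It inventories the Microsoft Edge extensions installed in the current user's default profile, then writes the Edge policy that blocks every extension except an approved list. The extension ID in `$approved` is a placeholder; take real IDs from the inventory or from edge://extensions. Chrome honours the same policy names under `HKLM:\SOFTWARE\Policies\Google\Chrome`. Writing to HKLM requires elevation.

```powershell
# Added example, not from the original article. Audits installed Edge extensions for the current
# user, then enforces an allow-list via Edge policy in the registry. Run elevated for step 2.

# 1. Audit. Each extension lives at <profile>\Extensions\<32-char id>\<version>\manifest.json.
$extRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Default\Extensions'
$installed = Get-ChildItem -Path $extRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $manifest = Get-ChildItem -Path $_.FullName -Filter manifest.json -Recurse -File | Select-Object -First 1
    if ($manifest) {
        $m = Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json
        [pscustomobject]@{
            Id          = $_.Name
            Name        = $m.name      # may be a localisation token such as __MSG_appName__
            Version     = $m.version
            # Broad host permissions ("<all_urls>", "*://*/*") mean the extension can read every page.
            Permissions = (@($m.permissions) + @($m.host_permissions) | Where-Object { $_ -is [string] }) -join ', '
        }
    }
}
$installed | Sort-Object Name | Format-Table -AutoSize

# 2. Enforce. A blocklist entry of "*" blocks everything; the allowlist punches holes for approved IDs.
$approved = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')   # placeholder extension ID
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
foreach ($list in 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist') {
    $key = Join-Path $base $list
    if (Test-Path $key) { Remove-Item -Path $key -Recurse }   # start clean so the numbering stays contiguous
    New-Item -Path $key -Force | Out-Null
}
New-ItemProperty -Path (Join-Path $base 'ExtensionInstallBlocklist') -Name '1' -Value '*' -PropertyType String | Out-Null
$index = 1
foreach ($id in $approved) {
    New-ItemProperty -Path (Join-Path $base 'ExtensionInstallAllowlist') -Name "$index" -Value $id -PropertyType String | Out-Null
    $index++
}
# Edge applies the change on its next policy refresh; edge://policy shows what it has loaded.
```

Run the audit across a sample of machines before writing the policy: the extensions people actually rely on become the allow-list, and anything with `<all_urls>` that nobody can explain is the finding.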

Section 5: Restrict Administrative Privileges

What it means: Limit who has administrator access, and use it only when needed.

  • Every user has a standard account for daily work
  • Admin accounts are separate, not used for email or browsing
  • Number of users with domain admin privileges minimised (ideally 2-3 people)
  • Admin account usage is logged and reviewed
  • Service accounts have minimum required permissions

Why it matters: If a standard user account is compromised, the attacker has limited access. If an admin account is compromised, they own your network. Privilege minimisation limits the blast radius of any successful attack.

Melbourne SMB reality: Many SMBs run with everyone as local admin “because it’s easier”. This is the single most common security misconfiguration we find in new client environments.
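
The following PowerShell is an added example, not code from the article or from CX IT Services. It measures the Section 5 items that can be measured: Domain Admins membership (resolved through nested groups), local Administrators on each machine, and Windows services running under domain accounts. It requires the ActiveDirectory RSAT module, WinRM access to the target machines, and an account permitted to query them. `$workstations` and `$expectedAdmins` are placeholders you replace with your own hostnames and approved admin principals.

```powershell
# Added example, not from the original article. Finds the "everyone is an admin" misconfiguration:
# Domain Admins count, unexpected local Administrators, and service accounts that are Domain Admins.
Import-Module ActiveDirectory

# (a) Domain Admins, resolved through nested groups. Target: 2-3 named people, none used for daily work.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet
"Domain Admins: $(@($domainAdmins).Count) accounts (target 2-3)"
$domainAdmins | Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet | Format-Table -AutoSize

# (b) Local Administrators on each machine. Anything not in $expectedAdmins is a finding; a long
#     list of ordinary user accounts here is exactly the pattern described above.
$workstations   = @('WS-001', 'WS-002')                              # placeholder hostnames (servers too)
$expectedAdmins = @('Administrator', 'Domain Admins', 'IT-Support')  # placeholder: built-in admin, DA, your IT group
$localAdmins = Invoke-Command -ComputerName $workstations -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}
$localAdmins |
    Where-Object { ($_.Name -split '\\')[-1] -notin $expectedAdmins } |
    Select-Object PSComputerName, Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# (c) Services running under domain accounts. A service account that is also a Domain Admin hands
#     the domain to whoever compromises that one box, and its password sits in LSA secrets.
$daNames = @($domainAdmins.SamAccountName)
$services = Invoke-Command -ComputerName $workstations -ErrorAction SilentlyContinue -ScriptBlock {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
        Select-Object Name, StartName
}
$services | ForEach-Object {
    # Service accounts appear as DOMAIN\user or user@domain; normalise to the sAMAccountName.
    $account = if ($_.StartName -like '*\*') { ($_.StartName -split '\\')[-1] } else { ($_.StartName -split '@')[0] }
    [pscustomobject]@{
        Computer      = $_.PSComputerName
        Service       = $_.Name
        RunsAs        = $_.StartName
        IsDomainAdmin = $account -in $daNames
    }
} | Format-Table -AutoSize
```

The three outputs map directly onto the checklist: (a) is the "2-3 people" test, (b) is the "standard account for daily work" test, and any `IsDomainAdmin True` row in (c) fails the "service accounts have minimum required permissions" item.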


Section 6: Patch Operating Systems

What it means: Keep Windows and other operating systems up to date.

  • Critical OS patches applied within 48 hours
  • All other OS patches applied within one month
  • End-of-life operating systems (Windows 10 after 14 October 2025, Windows Server 2012 and 2012 R2 after October 2023) removed from the environment
  • Automated OS patching in place and monitored for compliance

Critical note for 2026: Windows 10 reached end of life on 14 October 2025. If you are still running Windows 10 in your business and have not enrolled in Microsoft’s paid Extended Security Updates (ESU) program, you are running an operating system that receives no further security updates. ESU is a short-term bridge with a rising price, not a fix; the risk is significant and worsens with every Patch Tuesday you miss.
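
The following PowerShell is an added example, not code from the article or from CX IT Services, and it serves both Section 2 and Section 6. It measures one machine against the targets above (critical within 48 hours, everything else within one month) using the Windows Update Agent COM API, then flags end-of-life Windows versions. It needs connectivity to Windows Update or your WSUS/Intune source and can take a minute to run. Only updates offered through Windows Update are visible; third-party applications need their own inventory (for example `winget upgrade`).

```powershell
# Added example, not from the original article; serves Sections 2 and 6. Reports pending Windows
# updates that are older than the article's targets, plus an end-of-life check on the OS itself.
function Get-PatchCompliance {
    param([int]$CriticalLimitDays = 2, [int]$OtherLimitDays = 30)

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $now = Get-Date

    $updates = foreach ($u in $pending) {
        # LastDeploymentChangeTime is when the update was (last) published: a fair proxy for
        # "patch release" when measuring how long this machine has gone without it.
        $ageDays  = [math]::Round(($now - $u.LastDeploymentChangeTime).TotalDays, 1)
        $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        $limit    = if ($severity -eq 'Critical') { $CriticalLimitDays } else { $OtherLimitDays }
        [pscustomobject]@{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title    = $u.Title
            Severity = $severity
            AgeDays  = $ageDays
            Overdue  = $ageDays -gt $limit
        }
    }

    # End-of-life check. Windows 10 left support on 14 October 2025 (ESU is a paid, short-term
    # bridge); Windows Server 2012/2012 R2 left extended support in October 2023. LTSC editions
    # of Windows 10 have their own, later dates and are excluded here.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $eol = ($os.Caption -match 'Windows 10|Server 2012|Server 2008|Windows 7|Windows 8') -and
           ($os.Caption -notmatch 'LTSC')

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        OS        = $os.Caption
        Build     = $os.BuildNumber
        EndOfLife = $eol
        Pending   = @($updates).Count
        Overdue   = @($updates | Where-Object Overdue).Count
        Details   = @($updates | Sort-Object AgeDays -Descending)
    }
}

$result = Get-PatchCompliance
$result | Select-Object Computer, OS, Build, EndOfLife, Pending, Overdue | Format-List
$result.Details | Format-Table KB, Severity, AgeDays, Overdue, Title -AutoSize
```

Run across the fleet (for example through `Invoke-Command`) and the `Overdue` count per machine is the monthly compliance number the checklist asks management to review; any machine with `EndOfLife True` belongs on the replacement list, not the patch list.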


Section 7: Multi-Factor Authentication

What it means: Require a second form of verification beyond a password for all important accounts.

  • MFA enforced on all Microsoft 365 / Google Workspace accounts
  • MFA enforced on all accounts with access to financial systems
  • MFA enforced on remote access (VPN, remote desktop)
  • MFA enforced on cloud storage (OneDrive, SharePoint, Google Drive)
  • Phishing-resistant MFA (FIDO2 security keys or passkeys, Windows Hello for Business) for administrators and anyone who can move money; authenticator apps for everyone else; SMS only as a last resort

Why it matters: MFA defeats the overwhelming majority of automated and credential-stuffing account-takeover attempts; Microsoft has long put the figure above 99%. A stolen or phished password is useless without the second factor. This is the single highest-value control for most SMBs. The caveat is that code- and push-based MFA can still be beaten by real-time phishing relays and by prompt-bombing (MFA fatigue), which is why phishing-resistant methods matter for high-value accounts.

What counts as MFA: An authenticator app (Microsoft Authenticator, Google Authenticator) or a hardware key (YubiKey or another FIDO2 key). Only FIDO2 keys, passkeys and Windows Hello for Business are phishing-resistant: they bind the login to the genuine site, so a look-alike login page cannot relay it. SMS is better than nothing but is susceptible to SIM-swap attacks and real-time code interception; do not rely on it for high-value accounts.
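
The following PowerShell is an added example, not code from the article or from CX IT Services. It uses the Microsoft Graph PowerShell SDK to create two Microsoft Entra Conditional Access policies in report-only mode: MFA for every user on every cloud app, and phishing-resistant MFA for Global Administrators. Report-only records what each policy would have done in the sign-in logs, so you can check for lock-outs before switching the state to `enabled`. `$breakGlass` is a placeholder for the object ID of your emergency-access account, which every policy must exclude. It assumes `Install-Module Microsoft.Graph` has been run and that you hold the Conditional Access Administrator or Global Administrator role.

```powershell
# Added example, not from the original article. Creates report-only Conditional Access policies:
# MFA for all users, and phishing-resistant MFA for Global Administrators.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlass = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the emergency-access account

# Policy 1: any registered MFA method, all users, all cloud apps.
$allUsersMfa = @{
    displayName = 'CA001 - Require MFA for all users (report-only)'
    state       = 'enabledForReportingButNotEnforced'     # change to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $allUsersMfa

# Policy 2: phishing-resistant MFA (FIDO2/passkeys, Windows Hello for Business, certificates)
# for privileged roles. The built-in authentication strength is looked up by name rather than
# hard-coding its ID. Further role template IDs come from Get-MgDirectoryRoleTemplate.
$strength   = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq 'Phishing-resistant MFA'
$adminRoles = @('62e90394-69f5-4237-9190-012177145e10')   # Global Administrator role template ID

$adminStrong = @{
    displayName = 'CA002 - Phishing-resistant MFA for admins (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeRoles = $adminRoles; excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    # authenticationStrength replaces builtInControls; the two cannot be combined in one grant.
    grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $strength.Id } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminStrong

# Review what is now in place before enabling anything.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State | Format-Table -AutoSize
```

The order matters: register a FIDO2 key or Windows Hello on every admin account before Policy 2 leaves report-only, and keep the break-glass account excluded and monitored. Google Workspace customers get the equivalent through its 2-Step Verification enforcement and security-key requirement for admins, which is configured in the admin console rather than scripted here.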


Section 8: Regular Backups

What it means: Maintain encrypted, tested backups that cannot be deleted by ransomware.

  • Critical data backed up daily
  • Follow the 3-2-1 rule: three copies of the data (production plus two backups), on two different media, with at least one copy off-site or in the cloud
  • Backups are encrypted
  • Backups are isolated from the main network (immutable or air-gapped)
  • Backup restoration tested quarterly - not just assumed to work
  • Recovery time objective (RTO) and recovery point objective (RPO) documented and tested

The most important item on this list: An untested backup is not a backup. We regularly encounter businesses that discover their backup has not been working for months only when they need to restore from it.


Email Security Checklist

Email is the primary attack vector for Australian businesses. These controls are not part of the Essential Eight but are essential for any business.

  • Advanced email filtering (Microsoft Defender for Office 365, Proofpoint, or equivalent)
  • SPF, DKIM, and DMARC records configured for your domain, with the DMARC policy moved from p=none to quarantine or reject once the reports show your legitimate mail passes
  • Anti-phishing and anti-spoofing policies configured, including impersonation protection for your executives and your own domain
  • Links rewritten and checked at click time (Safe Links), so a link that turns malicious after delivery is still caught
  • Attachments detonated in a sandbox before delivery (Safe Attachments)
  • Users trained to report suspicious emails, ideally with a one-click report button in their mail client
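
The following PowerShell is an added example, not code from the article or from CX IT Services. It checks a domain's SPF, DMARC and DKIM records from public DNS, the way an auditor (or an attacker deciding whether your domain is spoofable) would, and reports the weaknesses behind the checklist item above. `example.com.au` is a placeholder; pass your own domain. The DKIM selectors default to the two Microsoft 365 publishes; add your own if you send through other providers.

```powershell
# Added example, not from the original article. Reads SPF, DMARC and DKIM from public DNS and
# lists the findings a receiving mail server would hold against the domain.
function Get-EmailAuthPosture {
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [string[]]$DkimSelectors = @('selector1', 'selector2')   # Microsoft 365 defaults
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # SPF: a TXT record on the domain itself, starting with v=spf1. Long records arrive as
    # several strings that must be joined before parsing.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $spf = @($txt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -eq 0) {
        $findings.Add('SPF: no v=spf1 record; anyone can send as this domain')
    } elseif ($spf.Count -gt 1) {
        $findings.Add('SPF: multiple v=spf1 records; receivers treat this as a permanent error')
    } else {
        $record = $spf[0]
        if ($record -match '\+all') { $findings.Add('SPF: +all authorises every sender on the internet') }
        elseif ($record -notmatch '[-~]all$' -and $record -notmatch 'redirect=') { $findings.Add('SPF: no -all/~all terminator') }
        # Mechanisms that trigger DNS lookups are capped at 10 by RFC 7208; over that is a permerror.
        $mechs   = ($record -split '\s+') | Select-Object -Skip 1
        $lookups = @($mechs | Where-Object { $_ -match '^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)' }).Count
        if ($lookups -gt 10) { $findings.Add("SPF: $lookups DNS lookups exceeds the limit of 10 (permerror)") }
    }

    # DMARC: TXT at _dmarc.<domain>. p=none only monitors; quarantine or reject actually protects.
    $dmarcTxt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
    $dmarc = @($dmarcTxt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' })[0]
    if (-not $dmarc) {
        $findings.Add('DMARC: no record; SPF/DKIM failures are never acted on')
    } else {
        $tags = @{}
        foreach ($pair in ($dmarc -split ';')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
        }
        if ($tags['p'] -eq 'none') { $findings.Add('DMARC: p=none is monitoring only; move to quarantine, then reject') }
        if (-not $tags['rua'])     { $findings.Add('DMARC: no rua= address, so nobody receives the aggregate reports') }
        if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings.Add("DMARC: pct=$($tags['pct']) applies the policy to only part of the mail") }
    }

    # DKIM: a CNAME or TXT at <selector>._domainkey.<domain>. Microsoft 365 publishes CNAMEs.
    foreach ($sel in $DkimSelectors) {
        $r = Resolve-DnsName -Name "${sel}._domainkey.${Domain}" -ErrorAction SilentlyContinue
        if (-not $r) { $findings.Add("DKIM: selector '$sel' is not published") }
    }

    [pscustomobject]@{
        Domain   = $Domain
        SPF      = if ($spf.Count -eq 1) { $spf[0] } else { $null }
        DMARC    = $dmarc
        Findings = $findings
    }
}

Get-EmailAuthPosture -Domain 'example.com.au' | Format-List   # placeholder domain
```

A domain with a valid SPF and DKIM but `p=none` is the most common result at SMBs: everything is technically "configured", yet a spoofed invoice from the managing director still lands in the inbox because no receiver is told to reject it.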

Physical Security Checklist

Often overlooked, physical access controls are part of a complete security posture.

  • Server room or network equipment room is locked
  • Visitor access to office controlled and logged
  • Clean desk policy for documents containing sensitive information
  • Screen lock configured on all workstations (timeout of 15 minutes or less)
  • Remote wipe capability on all laptops and mobile devices

Incident Response Checklist

Having a plan before you need it is what separates businesses that recover quickly from those that don’t.

  • IT incident response contact numbers documented and accessible offline
  • Basic incident response plan documented: who to call, what to isolate, who to notify
  • Cyber insurance policy in place and reviewed annually
  • Critical system recovery procedures documented and tested
  • Staff know how to report a suspected security incident

What to Do with This Checklist

Rate yourself against each section. If you have fewer than three ticks in any section, that section should be your first priority.

If you find this checklist confronting - if there are whole sections you cannot even assess because you do not know what your current configuration is - that is itself important information. It means your IT environment lacks the documentation and visibility that a managed IT service would provide.

A good managed IT provider should be able to give you a current state assessment against this checklist within a few weeks of onboarding. If your current provider cannot do this, that tells you something about how well they actually know your environment.

At CX IT Services, we conduct an Essential Eight assessment for every new client as part of onboarding, and we provide quarterly updates against each control. If you would like to know where your business currently sits, book a Right Fit Call and we can walk you through what we would assess.

Free Clarity Call

Want to Talk Through What This Means for Your Business?

Book a free 15-minute Right Fit Call. No obligation - just a straight conversation about your IT situation.

  • No lock-in contracts - ever
  • Valued at $250 - completely free
  • 4.5-star Google rated
  • Answer in 60 seconds or less
