Why Most SMB Security Advice Fails
Most cybersecurity advice written for small businesses falls into one of two failure modes. Either it is so technical that a business owner cannot act on it without a dedicated IT team, or it is so vague — “use strong passwords!” “keep software updated!” — that it provides no real guidance at all.
This guide attempts something different: ten concrete things, each explained in plain language, with enough context to understand why it matters and what “done” actually looks like. No vendor pitches. No scare tactics. Just the honest picture of what actually makes a difference for a Melbourne business under 50 staff.
Before we get into the list, one framing point worth holding in mind: perfect security does not exist. The goal is not to become unhackable — it is to become a significantly harder target than you currently are, so attackers move on to easier victims. Most cyberattacks against SMBs are opportunistic. They are not targeting you specifically; they are running automated tools looking for easy wins. The controls below make you a hard target.
How Australian SMBs Actually Get Compromised
Understanding the real threat picture helps you prioritise. The Australian Cyber Security Centre’s most recent report identifies these as the most common initial access vectors for Australian businesses:
Phishing emails remain the number one entry point. A staff member clicks a link or opens an attachment, credentials are harvested or malware is installed, and the attacker has a foothold in your environment.
Credential stuffing — attackers taking username and password combinations leaked from other breaches and trying them on your systems. If your staff reuse passwords, this works at scale.
Exploiting unpatched software — particularly internet-facing systems running outdated software with known vulnerabilities. This is how most ransomware enters managed service provider environments and works its way down to their clients.
Business Email Compromise (BEC) — attackers who have gained access to an email account, or who can convincingly impersonate one, divert payments or extract sensitive information.
Social engineering — phone calls impersonating IT support, ATO, or Microsoft asking staff to provide access or transfer funds.
Nearly every one of these vectors is addressed by the ten controls below.

The 10 Things Every Melbourne SMB Should Have in Place
1. Multi-Factor Authentication on Everything Important
If you do nothing else on this list, do this. Multi-factor authentication (MFA) adds a second verification step to the login process — typically a code from an authenticator app, a push notification, or a biometric check. Even if an attacker obtains your password through a phishing attack or a data breach, they cannot access your account without the second factor.
Where to enable it:
- Microsoft 365 (email, SharePoint, Teams, OneDrive) — this is the highest priority
- Google Workspace if you use it instead
- Your accounting software (Xero, MYOB, QuickBooks)
- Your banking and payment portals
- Your domain registrar
- Any application with access to client data or financial information
What type of MFA to use: Authenticator app codes (Microsoft Authenticator, Google Authenticator) are significantly more secure than SMS codes. SMS MFA is vulnerable to SIM-swapping attacks. Start with authenticator apps and push notifications.
What “done” looks like: MFA is enforced via policy, not just enabled as an option. Staff cannot bypass it by choosing not to set it up. In Microsoft 365, this is configured through Conditional Access policies in Entra ID.
This single control defeats the majority of credential-based attacks. The Australian Cyber Security Centre estimates MFA blocks over 99% of account compromise attacks.
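What "enforced via policy" means in practice can be checked rather than assumed. The following is an added example, not part of this guide or of Microsoft's tooling: a small Python check that reads Conditional Access policies shaped like the Microsoft Graph `conditionalAccessPolicy` resource and reports whether any enabled policy actually requires MFA for all users on all applications. The two sample tenants and the group/app ids are constructed placeholders; in a real tenant you would feed it an export of your own policies.

```python
"""Check whether Entra ID Conditional Access policies actually enforce MFA
for every user on every cloud app, rather than leaving it optional.

Added example, not from the original guide. The policy dicts are CONSTRUCTED
sample data shaped like the Microsoft Graph `conditionalAccessPolicy`
resource (state, conditions.users, conditions.applications, grantControls);
the group and app ids are placeholders. Feed it an export of your tenant's
policies to use it for real.
"""

ENFORCED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def requires_mfa(policy: dict) -> bool:
    """True if the policy's grant control includes the built-in MFA requirement."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or [])


def assess_mfa_enforcement(policies: list) -> list:
    """Return (severity, message) findings. FAIL means MFA is not enforced
    tenant-wide; WARN flags exclusions that should each be a break-glass account."""
    findings = []
    tenant_wide = 0
    for p in policies:
        if not requires_mfa(p):
            continue
        name = p.get("displayName", "<unnamed>")
        users = p["conditions"]["users"]
        apps = p["conditions"]["applications"]
        state = p.get("state")
        if state == REPORT_ONLY:
            findings.append(("FAIL", f"{name}: report-only, so MFA is measured but never enforced"))
            continue
        if state != ENFORCED:
            findings.append(("FAIL", f"{name}: disabled"))
            continue
        if "All" not in apps.get("includeApplications", []):
            findings.append(("FAIL", f"{name}: covers only some applications"))
            continue
        if "All" not in users.get("includeUsers", []):
            findings.append(("FAIL", f"{name}: covers only some users"))
            continue
        excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        if excluded:
            findings.append(("WARN", f"{name}: excludes {len(excluded)} user(s)/group(s); "
                                     "each should be a monitored break-glass account"))
        tenant_wide += 1
    if tenant_wide == 0:
        findings.append(("FAIL", "no enabled policy requires MFA for all users on all applications"))
    return findings


def mfa_is_enforced(policies: list) -> bool:
    """Pass/fail summary: True only when there are no FAIL findings."""
    return not any(sev == "FAIL" for sev, _ in assess_mfa_enforcement(policies))


# Constructed sample of what "enabled as an option" tends to look like.
WEAK_TENANT = [
    {   # report-only never blocks a sign-in
        "displayName": "Require MFA for all users",
        "state": REPORT_ONLY,
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # enforced, but only for one application
        "displayName": "MFA for one app",
        "state": ENFORCED,
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                       "applications": {"includeApplications": ["APP-ID-PLACEHOLDER"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

# Constructed sample of what "done" looks like: enforced, all users, all apps,
# with a single break-glass group excluded.
DONE_TENANT = [
    {
        "displayName": "Require MFA for all users",
        "state": ENFORCED,
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                                 "excludeGroups": ["BREAKGLASS-GROUP-ID-PLACEHOLDER"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    for label, tenant in (("weak", WEAK_TENANT), ("done", DONE_TENANT)):
        print(label, "enforced" if mfa_is_enforced(tenant) else "NOT enforced")
        for sev, msg in assess_mfa_enforcement(tenant):
            print(" ", sev, msg)
```

The report-only state is the one most often mistaken for "done": the sign-in logs show MFA being evaluated, but nothing ever blocks a password-only login.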
2. A Password Manager for Your Entire Team
Most data breaches start with a compromised password. The reason passwords get compromised is almost never that someone cracked a complex password through brute force — it is that people reuse passwords across multiple sites, and when one site is breached, the same credential works everywhere else.
A business password manager solves this by generating and storing unique, complex passwords for every account. Staff do not need to remember them — they remember one strong master password, and the manager handles the rest.
Recommended options for Melbourne SMBs:
- 1Password Teams — excellent user experience, strong admin controls, good browser integration
- Bitwarden for Business — open-source, lower cost, strong security track record
- Keeper Business — good for teams with compliance requirements
What “done” looks like: Every staff member has a password manager account. The IT admin can audit which accounts staff have stored, enforce master password strength requirements, and remove access when someone leaves the business. Critically, staff are not storing passwords in browser password managers that sync to personal accounts.
The shared password problem: Many businesses have shared credentials for systems that do not support individual accounts. A password manager with a shared vault feature — available in all three options above — solves this. The password is stored centrally, shared securely with only the staff who need it, and can be changed when someone leaves without needing to notify everyone individually.
3. Automated, Tested Backups
Your backup is only as good as your last successful restore test. Many businesses discover their backups are misconfigured, corrupt, or incomplete at exactly the worst possible moment — when they need to recover from ransomware or hardware failure.
The 3-2-1-1-0 rule for modern backups:
- 3 copies of your data
- 2 different storage media types
- 1 copy off-site
- 1 copy offline or immutable (ransomware cannot encrypt what it cannot access)
- 0 errors on the last backup verification test
What needs to be backed up:
- Microsoft 365 data (Exchange email, SharePoint, OneDrive, Teams) — Microsoft provides infrastructure resilience but does not protect against user error, ransomware, or deliberate deletion. A third-party M365 backup (Veeam, Datto SaaS, Backupify) is required.
- Any on-premises servers or network-attached storage
- Any business-critical data on individual workstations
What “done” looks like: Backups run automatically daily (or more frequently for critical data). You receive a daily email confirming backup completion and any errors. A quarterly restore test is scheduled and completed — an actual restore of actual files to confirm the backup is usable, not just a check that the backup ran.
Recovery time matters too: Know your Recovery Time Objective (RTO) — how quickly you need to be operational after a failure — and confirm your backup solution can meet it. A backup that takes 72 hours to restore is not adequate if your business cannot function for 72 hours.
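A restore test is only meaningful if the restored files are compared against the originals. The following is an added example, not from this guide or any backup vendor: a Python script that hashes every file in a source tree and its restored copy and reports what is missing or altered, plus a checker that scores a list of backup copies against the 3-2-1-1-0 rule above. The source tree and the deliberately flawed restore in `demo()` are constructed in a temporary directory so the script runs offline.

```python
"""Prove a restore test with real files: hash every file in the live source
and the restored copy, and report what is missing or does not match. Also
scores a backup inventory against the 3-2-1-1-0 rule from the text.

Added example, not from the guide. `demo()` builds a small CONSTRUCTED source
tree and a deliberately flawed restored tree in a temporary directory so it
runs offline; for a real test call verify_restore(<live share>, <restore target>).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restore(source: Path, restored: Path) -> dict:
    """Compare the restored tree against the source, file by file."""
    result = {"ok": 0, "missing": [], "corrupt": []}
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        dst_file = restored / rel
        if not dst_file.is_file():
            result["missing"].append(rel.as_posix())
        elif sha256_of(dst_file) != sha256_of(src_file):
            result["corrupt"].append(rel.as_posix())
        else:
            result["ok"] += 1
    return result


def check_3_2_1_1_0(copies: list, last_verification_errors: int) -> list:
    """Return the parts of the rule that are NOT met. `copies` lists every copy
    of the data, the live one included, as dicts with keys media (str),
    offsite (bool) and immutable_or_offline (bool)."""
    unmet = []
    if len(copies) < 3:
        unmet.append("3 copies")
    if len({c["media"] for c in copies}) < 2:
        unmet.append("2 media types")
    if not any(c["offsite"] for c in copies):
        unmet.append("1 off-site copy")
    if not any(c["immutable_or_offline"] for c in copies):
        unmet.append("1 offline or immutable copy")
    if last_verification_errors != 0:
        unmet.append("0 verification errors")
    return unmet


def demo() -> dict:
    """Constructed scenario: three source files; the restore has one intact,
    one truncated, one absent. A passing restore test would show
    missing == [] and corrupt == []."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "source", Path(tmp) / "restored"
        (src / "finance").mkdir(parents=True)
        (dst / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.xlsx").write_bytes(b"constructed ledger contents")
        (src / "contracts.docx").write_bytes(b"constructed contract text")
        (src / "notes.txt").write_bytes(b"constructed notes")
        (dst / "finance" / "ledger.xlsx").write_bytes(b"constructed ledger contents")
        (dst / "contracts.docx").write_bytes(b"constructed contr")  # truncated on restore
        return verify_restore(src, dst)


if __name__ == "__main__":
    print(demo())
    print(check_3_2_1_1_0(
        [{"media": "local disk", "offsite": False, "immutable_or_offline": False},
         {"media": "cloud", "offsite": True, "immutable_or_offline": False}], 2))
```

Run quarterly against a sample of real files from each backed-up system; a result with anything in `missing` or `corrupt` is the failure you want to find before ransomware finds it for you.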
4. Endpoint Detection and Response on Every Device
Basic antivirus is not enough in 2026. Modern threats — fileless malware, ransomware, living-off-the-land attacks that use legitimate Windows tools — do not behave like traditional viruses and are not caught by signature-based antivirus alone.
Endpoint Detection and Response (EDR) goes beyond signature matching to monitor behavioural patterns: what processes are running, what files are being accessed, what network connections are being made. When a pattern is consistent with malicious activity, EDR alerts and can automatically isolate the affected device before damage spreads.
Options for Melbourne SMBs:
- Microsoft Defender for Endpoint — included in Microsoft 365 Business Premium. Fully functional EDR when properly configured. The default out-of-box settings are not optimal; attack surface reduction rules and advanced features need to be explicitly enabled.
- CrowdStrike Falcon Go — purpose-built EDR, excellent detection rates, cloud-native. Approximately $8–15/endpoint/month.
- SentinelOne Singularity — strong autonomous response capability, good for businesses wanting hands-off protection.
The key word is every device. One unprotected laptop is all an attacker needs. If staff use personal devices for work, those devices either need to be enrolled in management with EDR deployed, or access to business systems from unmanaged devices needs to be blocked via Conditional Access.
5. Email Filtering and Anti-Phishing
Phishing remains the most common initial access vector for both business email compromise and ransomware. A dedicated email security layer filters malicious links and attachments before they reach your staff’s inboxes.
For Microsoft 365 users, Microsoft Defender for Office 365 Plan 1 (included in Business Premium) provides:
- Anti-phishing policies with impersonation detection
- Safe Links — real-time URL scanning that re-evaluates links at click time, not just at delivery
- Safe Attachments — detonation sandbox for attached files
- Anti-spoofing controls that block email that impersonates your domain
This is not a replacement for staff awareness — it is a complement to it. Even the most security-conscious staff click bad links occasionally when they are busy or distracted. Email filtering reduces the volume of threats that reach your team and provides a safety net.
Check your email authentication records: SPF, DKIM, and DMARC records in your DNS determine whether your domain can be spoofed. Use MXToolbox (mxtoolbox.com) → Email Health Check to test your current configuration. Many Melbourne businesses have misconfigured or missing DMARC records, meaning their domain can be freely spoofed by attackers.
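For readers who want to see what the MXToolbox check is actually looking at, here is an added example (not from this guide, and not MXToolbox's code) that applies the same tests to SPF, DKIM and DMARC records in Python. The DNS answers are constructed in a lookup table so the script runs offline; the domain names and DKIM public key are placeholders, and `selector1`/`selector2` are the DKIM selector names Microsoft 365 uses. Swap `resolve_txt` for a real TXT lookup to check your own domain.

```python
"""Evaluate SPF, DKIM and DMARC for the weaknesses the text describes:
a missing or permissive SPF record, no published DKIM key, and a missing or
monitor-only DMARC policy (which leaves the domain freely spoofable).

Added example, not from the guide. DNS answers are CONSTRUCTED (FAKE_DNS) so
it runs offline; replace `resolve_txt` with a real resolver to check your own
domain. Domain names and the DKIM public key are placeholders.
"""

# Constructed TXT answers keyed by DNS name.
FAKE_DNS = {
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "nodmarc.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "good.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.good.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@good.example"],
}


def resolve_txt(name: str) -> list:
    """Stand-in for a TXT lookup; returns [] when the name does not exist."""
    return FAKE_DNS.get(name.lower(), [])


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' tag lists (DMARC, DKIM) into a dict with lower-case keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain: str) -> list:
    records = [r for r in resolve_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF: no record; receivers cannot tell which servers may send for this domain"]
    findings = []
    if len(records) > 1:
        findings.append("SPF: more than one record, which receivers treat as a permanent error")
    terms = records[0].lower().split()
    if "+all" in terms or "all" in terms:
        findings.append("SPF: '+all' authorises any server on the internet to send as this domain")
    elif "?all" in terms:
        findings.append("SPF: '?all' is neutral, so unauthorised senders are not flagged")
    elif "-all" not in terms and "~all" not in terms:
        findings.append("SPF: no terminating 'all' mechanism")
    return findings


def check_dkim(domain: str, selectors=("selector1", "selector2")) -> list:
    for sel in selectors:
        for rec in resolve_txt(f"{sel}._domainkey.{domain}"):
            if parse_tags(rec).get("p"):
                return []  # at least one selector publishes a public key
    return [f"DKIM: no public key found at selectors {', '.join(selectors)}"]


def check_dmarc(domain: str) -> list:
    records = [r for r in resolve_txt(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["DMARC: no record; spoofed mail that fails SPF/DKIM is still delivered"]
    tags = parse_tags(records[0])
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine junks spoofed mail; move to p=reject once reports are clean")
    if policy != "none" and tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so you receive no aggregate reports")
    return findings


def assess_domain(domain: str) -> dict:
    return {"spf": check_spf(domain), "dkim": check_dkim(domain), "dmarc": check_dmarc(domain)}


def can_be_spoofed(domain: str) -> bool:
    """True when nothing tells receivers to reject or junk mail that fails SPF/DKIM."""
    records = [r for r in resolve_txt(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not records:
        return True
    return parse_tags(records[0]).get("p", "none").lower() == "none"


if __name__ == "__main__":
    for d in ("weak.example", "nodmarc.example", "good.example"):
        print(d, "spoofable" if can_be_spoofed(d) else "protected", assess_domain(d))
```

The point the constructed `nodmarc.example` makes is the one the paragraph warns about: a tidy SPF record on its own does nothing to stop spoofing, because without a DMARC policy receivers are never told to act on an SPF failure.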
6. Patching — Operating Systems and Applications
Unpatched software is the primary entry point for ransomware. The WannaCry ransomware attack in 2017 — which affected organisations in 150 countries — exploited a Windows vulnerability that had been patched by Microsoft two months earlier. Every device it hit was running software Microsoft had already fixed.
The patching timeline:
- Critical OS patches: Apply within 14 days of release (Essential Eight Maturity Level 2 requirement)
- Critical application patches: Apply within 48 hours for internet-facing applications
- Standard updates: Apply within 30 days
What gets patched:
- Windows operating system (via Windows Update or Intune)
- Microsoft 365 apps
- Browsers (Chrome, Edge, Firefox) — browsers are a major attack surface
- Third-party applications: Adobe Acrobat, Java, 7-Zip, and similar
- Firewall and network device firmware
- Any server software
What “done” looks like: Patch compliance is monitored, not assumed. A centralised patch management tool (Microsoft Intune, N-able, Ninja RMM) reports on which devices are compliant and flags overdue patches. Devices more than 30 days behind on critical patches are blocked from accessing corporate resources.
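"Monitored, not assumed" means the patching timeline has to be applied to an actual inventory. The following is an added example, not from this guide or from any of the tools it names: a Python check that takes a list of outstanding patches per device, applies the deadlines above (14 days for critical OS patches, 48 hours for critical patches on internet-facing applications, 30 days otherwise) and produces the overdue list and the block list for devices more than 30 days behind on a critical patch. The inventory rows and the reference time are constructed; a real run would take them from the patch management tool's report.

```python
"""Turn the patching timeline above into a compliance check over a device
inventory: critical OS patches within 14 days, critical patches for
internet-facing applications within 48 hours, everything else within 30 days,
and a block list for devices more than 30 days behind on a critical patch.

Added example, not from the guide. The inventory and reference time are
CONSTRUCTED; in practice the rows come from the patch management tool's report.
"""
from datetime import datetime, timedelta

# SLA keyed by (severity, kind); anything not listed gets the 30-day default.
SLA = {
    ("critical", "os"): timedelta(days=14),
    ("critical", "internet_facing_app"): timedelta(hours=48),
}
DEFAULT_SLA = timedelta(days=30)
BLOCK_AFTER = timedelta(days=30)  # critical patch outstanding this long => block device

NOW = datetime(2026, 3, 1, 9, 0)  # constructed reference time

# Constructed inventory: one row per device per outstanding patch.
INVENTORY = [
    {"device": "LAPTOP-01", "patch": "Windows cumulative update", "severity": "critical",
     "kind": "os", "released": NOW - timedelta(days=20)},
    {"device": "WEB-01", "patch": "reverse proxy security fix", "severity": "critical",
     "kind": "internet_facing_app", "released": NOW - timedelta(hours=60)},
    {"device": "LAPTOP-02", "patch": "PDF reader update", "severity": "important",
     "kind": "app", "released": NOW - timedelta(days=10)},
    {"device": "SRV-01", "patch": "Windows cumulative update", "severity": "critical",
     "kind": "os", "released": NOW - timedelta(days=45)},
]


def deadline_for(item: dict) -> datetime:
    """Release time plus the SLA that applies to this severity and kind."""
    return item["released"] + SLA.get((item["severity"], item["kind"]), DEFAULT_SLA)


def evaluate(inventory: list, now: datetime = NOW) -> dict:
    """Return overdue rows as (device, patch, hours overdue) and the devices to block."""
    overdue, block = [], set()
    for item in inventory:
        late_by = now - deadline_for(item)
        if late_by > timedelta(0):
            overdue.append((item["device"], item["patch"], int(late_by.total_seconds() // 3600)))
        if item["severity"] == "critical" and now - item["released"] > BLOCK_AFTER:
            block.add(item["device"])
    return {"overdue": overdue, "block": sorted(block)}


def report(inventory: list, now: datetime = NOW) -> str:
    """Human-readable summary for a daily compliance email."""
    r = evaluate(inventory, now)
    lines = [f"{d}: {p} overdue by {h}h" for d, p, h in r["overdue"]]
    lines += [f"BLOCK {d}: critical patch outstanding for more than 30 days" for d in r["block"]]
    return "\n".join(lines) or "all devices within SLA"


if __name__ == "__main__":
    print(report(INVENTORY))
```

The block list is the input to the Conditional Access device-compliance rule the paragraph refers to: a device on it should lose access to corporate resources until the patch is applied, rather than merely appearing in a report.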
7. Restrict Administrator Access
Most staff do not need administrator access to their own computers to do their jobs. Administrator access allows software to be installed, system settings to be changed, and — critically — gives malware the elevated privileges it needs to spread across your network and disable your security tools.
The standard-user principle: Run a standard user account for day-to-day work. Have a separate administrator account used only when administrative tasks are genuinely required. This one change significantly limits the damage any single infection can cause.
In Microsoft 365: Review who has Global Administrator roles. Most businesses give far too many people admin roles because it is easier than managing permissions correctly. A 20-person business typically needs two Global Admins (for redundancy) and nothing more.
Local admin rights: In Windows environments managed by Microsoft Intune, you can enforce standard user accounts across all devices via policy. Staff who legitimately need to install software can use a Windows LAPS (Local Administrator Password Solution) account with a rotating password, preventing shared local admin credentials.
8. Secure Your Business Wi-Fi
Your office Wi-Fi is a physical entry point into your network. Anyone in range — including people in the car park, in adjacent offices, or in the street — can attempt to connect. Most business Wi-Fi networks are not configured with this threat in mind.
Minimum Wi-Fi security requirements:
- WPA3 encryption (or WPA2-Enterprise if your equipment does not support WPA3)
- Change the router and access point admin passwords from manufacturer defaults
- Separate guest Wi-Fi on its own isolated network segment
- VLAN segmentation for IoT devices (printers, smart TVs, building systems)
Guest Wi-Fi: Any visitor, client, or contractor connecting to your Wi-Fi should be on a network that has no visibility of your internal systems. A guest SSID that routes directly to the internet with no access to the business network is the correct architecture.
IoT devices — printers, smart building systems, security cameras, air conditioning controllers — are frequently running unpatched firmware and have known vulnerabilities. Isolating them on a separate VLAN means a compromised printer cannot be used as a pivot point into the rest of your network.
9. A Written Incident Response Plan
What do you do when something goes wrong? If the answer is “figure it out at the time,” you will lose hours — sometimes days — to confusion and miscoordination during what is already a stressful, high-stakes situation.
Your incident response plan does not need to be complex. It needs to answer four questions:
- Who do you call first? Your IT provider’s emergency number. Is it in your phone right now? Print it on a card in your server room and on your desk.
- Who has authority to take systems offline? Identify this person in advance. In a ransomware incident, the decision to disconnect systems needs to happen in seconds, not after a committee discussion.
- Who notifies clients, suppliers, and regulators? Under the Australian Privacy Act, notifiable data breaches must be reported to the OAIC. Know who in your business is responsible for this and what the threshold is.
- Where is critical documentation stored offline? Your incident response plan, IT provider contacts, and cyber insurance policy details need to be accessible without your computer — because during a ransomware incident, you may not be able to use it.
Write it down. Print it out. One page is enough. Laminate it if you want. The value is not in its sophistication — it is in having the information available when you are stressed, rushed, and cannot think clearly.
10. Continuous Security Awareness Training
Technology controls only go so far. The person who clicks the phishing link, responds to the fake invoice, or opens the malicious attachment is the most common point of failure in any security posture. No technical control eliminates human risk — you reduce it.
Annual security training is a starting point, not an endpoint. Research on the forgetting curve consistently shows that 70–90% of information from a one-off training session is forgotten within a month. Annual training produces annual awareness — for about four weeks.
What works better:
- Monthly 5–10 minute micro-training on specific current threats
- Quarterly simulated phishing exercises with immediate, contextual feedback for staff who click
- Just-in-time training when staff report a suspicious email or call
The simulated phishing point: When a staff member clicks a simulated phishing link, they are immediately redirected to a brief training module — not publicly shamed or disciplined. The goal is a teachable moment, not punishment. Over time, simulated phishing click rates go from 30–40% in untrained organisations to below 5–10% in well-trained ones.
Platforms for Melbourne SMBs: KnowBe4, Proofpoint Security Awareness, and Microsoft Defender for Office 365’s Attack Simulator (included in Business Premium) all provide the combination of training and simulated phishing.
Building Your Security Roadmap
If fewer than half of these ten items are fully in place for your business, you have meaningful work to do. Here is how to prioritise.
Start immediately (this week):
1. Enable MFA on Microsoft 365 for all users
2. Check your domain’s SPF, DKIM, and DMARC records at MXToolbox
Complete within 30 days:
3. Deploy a business password manager
4. Ensure all devices have EDR deployed and active
5. Confirm backups are running and tested
Complete within 90 days:
6. Review and restrict administrator accounts
7. Audit Wi-Fi security and implement VLAN segmentation
8. Write and distribute an incident response plan (one page is enough)
9. Start a security awareness training programme
Ongoing:
10. Patch compliance monitoring
11. Simulated phishing exercises (monthly or quarterly)
What This Looks Like as a Managed Service
For a 20-person Melbourne business, all ten of these controls can be in place and actively managed for approximately $80–140 per user per month as part of a managed IT service. This includes:
- Microsoft 365 Business Premium licence ($28.10/user/month) — covers email, Office apps, Intune device management, and Defender for Endpoint
- Managed IT service with proactive monitoring, patch management, and helpdesk — approximately $50–80/user/month depending on scope
- Security awareness training platform — approximately $5–15/user/month
The total is less than the cost of a single day of downtime for most businesses. The ACSC estimates the average cost of a cyber incident for a small business is $46,000. For medium businesses, it is significantly higher.
CX IT Services implements and manages all ten of these controls for Melbourne businesses. Book a Right Fit Call to discuss where your business currently sits and what it would take to get all ten in place.