New Business IT Starter Kit

TL;DR: The IT decisions you make when starting a business are disproportionately important — they are much harder to undo later. This guide covers what to set up first, what to get right from day one, and what to avoid. It takes most new businesses about a day to implement everything here. The cost of not doing it correctly can be years of technical debt and security risk.

Why Getting IT Right at the Start Matters More Than You Think

Most new businesses make their IT decisions under time pressure and with limited information. The result is a patchwork of personal Gmail accounts, consumer-grade cloud storage, no backups, and a technology setup that was fine for two people but creates significant problems at fifteen.

The good news: if you are setting up IT for a new business right now, you can avoid all of this. The right decisions at the start cost almost nothing more than the wrong decisions. The difference is knowing what those right decisions are.

This guide covers the ten most important IT foundation decisions for a new Australian business.

---

Step 1: Register Your Domain Name

Your domain name is the foundation of your business’s digital identity. Everything else is built on it: email, website, and eventually your Microsoft 365 tenant.

What to do:

• Register yourbusiness.com.au — this is the most trusted domain extension for Australian businesses
• Also register yourbusiness.com — to prevent competitors or bad actors from registering it
• Register through a reputable Australian registrar: VentraIP, Crazy Domains, or Netregistry
• Register the domain in your name and under an email you control — not through a web agency or IT provider who may hold the domain on your behalf

What not to do:

• Do not use a free subdomain (yourbusiness.wix.com or yourbusiness.wordpress.com) as your primary business address
• Do not register through a web builder that makes it difficult to transfer the domain later
• Do not give your domain registrar access to anyone who might one day leave the business or take the domain with them

Cost: Approximately $30–50/year for a .com.au + .com pair.

---

Step 2: Set Up Microsoft 365 (Not Gmail)

For a new business, Microsoft 365 Business Premium is the right choice for cloud productivity. At approximately $28/user/month in Australia, it includes:

• Exchange Online: Professional email at your domain (@yourbusiness.com.au)
• Microsoft Teams: Chat, video conferencing, and file sharing
• SharePoint and OneDrive: Document storage and collaboration
• Office applications: Word, Excel, PowerPoint, Outlook (desktop + web)
• Microsoft Defender for Business: Endpoint security (not just antivirus)
• Microsoft Intune: Device management
• Azure AD P1: Identity and access management including Conditional Access

This is not just email — it is the entire IT foundation for your business in one subscription.

Why not Google Workspace? Google Workspace is a legitimate alternative, particularly for businesses with strong Google preferences. But Microsoft 365 dominates Australian business, particularly in professional services industries, and the security and device management tools included in Business Premium (Defender + Intune) are significantly more comprehensive than Google Workspace equivalents.

Setup steps:

1. Create your Microsoft 365 tenant at admin.microsoft.com
2. Add and verify your custom domain
3. Set up user accounts (yourself plus any initial staff)
4. Configure your domain’s MX records to point to Microsoft’s mail servers
5. Enable multi-factor authentication — do this on day one, before adding any data to the system

---

Step 3: Configure Email Authentication Records

This is a technical step that most new businesses skip and later regret. Without these records, anyone can send emails that appear to come from your domain.

Three DNS records to add:

SPF (Sender Policy Framework): Tells receiving mail servers which servers are allowed to send email from your domain. Prevents your domain from being spoofed.

DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to your outbound emails that receivers can verify. Proves emails actually came from you.

DMARC (Domain-based Message Authentication, Reporting and Conformance): Tells receiving servers what to do with emails that fail SPF or DKIM. Start with p=quarantine — emails that fail authentication go to spam rather than the inbox.

Microsoft 365 provides the DKIM keys for you automatically. SPF and DMARC require adding TXT records to your domain’s DNS. Your IT provider or domain registrar can help with this — it takes about 30 minutes to configure.

For detailed configuration guidance, see Email Security for Australian Businesses.

---

Step 4: Enable Multi-Factor Authentication on Everything

This is the single highest-value security action you can take. MFA prevents account takeover even when passwords are compromised. It stops approximately 99% of automated credential attacks.

Enable MFA on:

• Microsoft 365 (all users, from day one)
• Any banking or financial portals
• Domain registrar account
• Hosting account
• Any CRM or business application

How to enable MFA in Microsoft 365:

1. Go to Microsoft 365 admin centre > Users > Active Users
2. Select a user > Manage Multifactor Authentication
3. Enable for all users, or use Security Defaults in Azure AD settings

Authenticator app, not SMS: The Microsoft Authenticator app is more secure than SMS codes. Configure users to use the app. SMS is acceptable as a fallback but not as the primary method.

---

Step 5: Set Up Backups From Day One

Before you store anything important in your new business IT systems, set up backups. This is the step most businesses defer and regret.

What to back up:

• Microsoft 365 data (email, SharePoint, OneDrive, Teams) — Microsoft does not back up your data, they back up their infrastructure. These are different things.
• Any on-premise files or servers

Microsoft 365 backup tools: Veeam Backup for Microsoft 365, Acronis Cyber Protect, or Dropsuite. These are typically $3–6/user/month and provide point-in-time recovery of email, SharePoint, and OneDrive.

The 3-2-1 rule: Three copies of data, on two different media types, with one copy off-site. For a cloud-first new business: your live Microsoft 365 data (copy 1), your Microsoft 365 backup in a separate cloud location (copy 2 off-site), and a periodic export to an external drive or secondary cloud storage (copy 3).

---

Step 6: Set Up Your Document Structure in SharePoint Before You Need It

One of the most common IT regrets for growing businesses is a disorganised file structure that was never fixed. Files accumulate in random locations, names become meaningless, and finding anything requires asking someone who remembers where they saved it.

The best time to design your SharePoint structure is when you have almost no files to organise. Do it now.

A simple starting structure:

• Company Name > Admin — Policies, procedures, templates, contracts
• Company Name > Finance — Invoices, statements, payroll (restricted access)
• Company Name > Clients — Client folders, each with a sub-structure appropriate to your work
• Company Name > Projects — Project folders with consistent naming
• Company Name > HR — Staff records (restricted access)

Keep it simple. You can add complexity later. You cannot easily simplify a complex structure that has grown organically.

---

Step 7: Choose and Set Up Your Line-of-Business Software

Every business has specialised software beyond email and file storage. The choices you make here have long-term implications — changing accounting software after four years of data is painful.

Accounting (essential):

• Xero: Best for most Australian SMBs. Cloud-native, excellent bank feeds, strong ecosystem of add-ons.
• MYOB Business: Strong alternative, particularly for businesses with more complex payroll requirements.

CRM (if client relationships are central to your business):

• HubSpot CRM: Free tier is genuinely useful for small businesses; paid tiers scale well.
• Salesforce: Overkill for most SMBs under 50 staff, but the industry standard.

Project management:

• Microsoft Planner — included in Microsoft 365, good for simple project tracking
• Monday.com, Asana, or ClickUp — for more complex project management needs

Payroll:

• KeyPay / Employment Hero Payroll — modern, compliant with Australian Single Touch Payroll requirements
• MYOB Payroll, Xero Payroll — integrated with their accounting platforms

---

Step 8: Define Your Password Policy From Day One

A password policy written before the business has any staff is infinitely easier to enforce than one retrofitted after bad habits have formed.

Minimum requirements for 2026:

• Minimum 14 characters
• Unique password for every business system
• Mandatory MFA on all business systems
• Password manager for all staff — 1Password, Bitwarden, or Microsoft Authenticator (for Microsoft accounts)
• Immediate password reset required if any account is suspected of compromise

Document this in a simple one-page Password Policy and make it part of every new staff member’s onboarding.

See Top 10 IT Policies Template for a ready-to-use Password Policy template.

---

Step 9: Register Your Business on Google Business Profile

This is not strictly an IT step, but it has significant implications for your business’s digital presence and security:

• Claim your Google Business Profile at business.google.com
• Verify your business address and phone number
• Add accurate business hours, services, and a description
• Monitor and respond to reviews from day one

A claimed Google Business Profile prevents someone else from claiming your business, provides your customers with accurate information, and is the foundation of local SEO.

---

Step 10: Find an IT Provider Before You Need One

The worst time to find an IT provider is when something has gone wrong. An IT provider engaged proactively knows your environment, has set it up correctly, and can respond quickly when issues arise.

What to look for in a provider for a new/growing business:

• Experience with businesses of your current size and your target size
• Microsoft 365 certified partner status (indicates genuine expertise)
• Flat-rate monthly pricing so you know what IT costs
• Proactive monitoring — they find problems before you call them
• Australian-based helpdesk

See 20 Questions to Ask Your IT Provider before signing any contract.

If you would like to discuss what managed IT looks like for a new or growing Melbourne business, book a Right Fit Call with CX IT Services.

For related resources:

• Small Business IT Bible
• Top 10 IT Policies Template
• Microsoft 365 Hidden Features Guide