TL;DR: This guide is the single most comprehensive free IT resource for Australian SMBs. It covers everything from choosing an IT provider and setting up essential security controls, to cloud migration, policies, and building a technology roadmap. If you read one IT guide this year, make it this one.
Why Most Small Business IT Advice Is Useless
Most IT advice written for small businesses falls into one of two traps. Either it is so high-level it gives you nothing actionable (“make sure you back up your data”), or it is written by a vendor trying to sell you something specific. This guide is neither.
What follows is a practical, opinionated guide to IT for Australian businesses with 10 to 200 staff. It is based on over 26 years of supporting Melbourne businesses across every industry - law firms, medical practices, construction companies, accounting practices, schools, and retail businesses. It covers the things that actually matter, in the order they actually matter.
Part 1: The IT Foundation Every Business Needs
Email and Identity
Everything in your business IT starts with email and identity. Before you think about anything else, make sure you have:
A business email domain. Not yourname@gmail.com - yourname@yourcompany.com.au. This is the foundation of professional credibility and the anchor for all your other IT systems. If you are using a free email address for business, fix this first.
Microsoft 365 or Google Workspace. These are the two cloud productivity platforms that everything else is built around. For most Australian businesses with 10 or more staff, Microsoft 365 Business Premium is the right choice - it includes email, Office applications, Teams, SharePoint, OneDrive, and the security and device management tools your IT provider needs to properly protect your environment.
Multi-factor authentication on every account. This single control stops approximately 99% of account takeover attacks. It costs nothing extra in Microsoft 365. There is no acceptable reason not to have it enabled. If it is not enabled on your Microsoft 365 or Google Workspace accounts right now, stop reading and enable it.
Devices and Endpoints
Every device your staff use for work is a potential entry point for attackers. The device management baseline for any business should include:
- Modern endpoint protection (not just antivirus - a proper Endpoint Detection and Response tool like Microsoft Defender for Endpoint)
- Encrypted storage on every device
- Automatic screen lock after 15 minutes
- Full disk encryption on laptops (BitLocker for Windows, FileVault for Mac)
- Mobile Device Management (MDM) for all company devices via Microsoft Intune
Standardise your devices. Ad-hoc hardware procurement - everyone buys whatever laptop they want - creates a support nightmare and security inconsistency. Define a standard device specification, buy from it, and manage all devices from a central platform.
Network and Connectivity
Business-grade internet is not optional. Residential NBN shared among 20 staff will fail you during critical periods. Business NBN or a dedicated ethernet service with a service level agreement is the minimum for any business that depends on cloud services to operate.
A managed firewall, not a consumer router. Your internet connection enters your office through a device. If that device is a $100 consumer router, your network perimeter has exactly the protection that $100 buys. A business-grade firewall (Cisco Meraki, Fortinet, or equivalent) provides content filtering, intrusion detection, and granular network segmentation.
Separate your guest Wi-Fi from your business network. If clients or visitors can connect to the same Wi-Fi as your staff computers, a compromised visitor device can reach your internal systems. This is a basic network segmentation requirement that many small businesses miss.

Part 2: Cybersecurity Essentials
The Australian Cyber Security Centre Essential Eight
The ACSC Essential Eight is the best starting framework for Australian SMB cybersecurity. It defines eight controls that, together, prevent the majority of cyber attacks:
- Application control - only allow approved applications to run
- Patch applications - keep software up to date, especially internet-facing applications
- Configure Microsoft Office macros - restrict or block macros from the internet
- User application hardening - configure browsers and apps to reduce attack surface
- Restrict administrative privileges - limit who has admin access and how it is used
- Patch operating systems - keep Windows and other operating systems current
- Multi-factor authentication - require a second factor for all important accounts
- Regular backups - encrypted, tested, and isolated from the main network
Of these eight, MFA and regular backups are the two highest-priority controls for most SMBs. Start there if you have not already.
See our detailed Cyber Security Checklist for Australian SMBs for a full implementation guide against each of the eight controls.
Email Security: Your Most Critical Attack Surface
Business Email Compromise (BEC) cost Australian businesses hundreds of millions of dollars last year. The attacks succeed because email is insecure by default and most businesses have not implemented the technical controls that close the obvious gaps.
SPF, DKIM, and DMARC are three DNS-based email authentication records that, together, prevent attackers from sending emails that appear to come from your domain. If these are not configured on your domain, any attacker can send emails impersonating your CEO, your accountant, or your bank. Check whether they are configured right now - any DNS lookup tool will tell you.
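The check described above, as an added example that is not part of the original guide: it applies the rules a receiving mail server applies (a single SPF record whose final `all` mechanism decides unlisted senders, a DMARC `p=` policy that is actually enforcing, and a non-empty DKIM public key at the selector) to TXT records of the kind any DNS lookup tool returns. The domain `example.com.au`, the selector `selector1` and the record contents are constructed placeholders so the script runs offline; point the same functions at real lookup output to assess your own domain.

```python
# Constructed sample TXT records keyed by the DNS name a lookup tool would query.
# These are placeholders, not real records; a real check feeds in `dig TXT` output.
SAMPLE_DNS = {
    "example.com.au": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.com.au": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"],
    "selector1._domainkey.example.com.au": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
}

def _tags(record):
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict of tags."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def check_spf(records):
    """Return (status, detail) for a domain's SPF TXT records."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "FAIL", "no SPF record: anyone can send as this domain"
    if len(spf) > 1:
        return "FAIL", "multiple SPF records: receivers treat this as a permanent error"
    last = spf[0].split()[-1].lower()  # the 'all' mechanism decides unlisted senders
    if last == "-all":
        return "PASS", "hard fail for unlisted senders"
    if last == "~all":
        return "WARN", "softfail only; needs DMARC p=reject to actually block spoofing"
    return "FAIL", f"permissive or missing 'all' mechanism ({last}): spoofed mail passes"

def check_dmarc(records):
    """Return (status, detail) for the _dmarc TXT records."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return "FAIL", "no DMARC record: SPF/DKIM results are never enforced"
    policy = _tags(dmarc[0]).get("p", "").lower()
    if policy == "reject":
        return "PASS", "spoofed mail is rejected"
    if policy == "quarantine":
        return "WARN", "spoofed mail goes to junk; move to p=reject once reports are clean"
    return "FAIL", f"p={policy or 'missing'}: monitoring only, nothing is blocked"

def check_dkim(records):
    """Return (status, detail) for a DKIM selector's TXT records."""
    dkim = [r for r in records if r.upper().startswith("V=DKIM1")]
    if not dkim:
        return "FAIL", "no DKIM key at this selector"
    if not _tags(dkim[0]).get("p"):
        return "FAIL", "DKIM record published with empty p=, which means the key is revoked"
    return "PASS", "DKIM public key published"

def assess_domain(domain, dns, dkim_selector="selector1"):
    """Run all three checks against a dict of TXT records and return a report."""
    return {
        "SPF": check_spf(dns.get(domain, [])),
        "DMARC": check_dmarc(dns.get(f"_dmarc.{domain}", [])),
        "DKIM": check_dkim(dns.get(f"{dkim_selector}._domainkey.{domain}", [])),
    }

if __name__ == "__main__":
    for name, (status, detail) in assess_domain("example.com.au", SAMPLE_DNS).items():
        print(f"{name:5} {status:4} {detail}")
```

With the constructed records the report flags SPF as softfail-only and DMARC as monitoring-only, which is exactly the "configured but not enforcing" state that still lets impersonation through.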
Advanced email filtering goes beyond spam filtering. Microsoft Defender for Office 365 (included in Microsoft 365 Business Premium) includes Safe Links, Safe Attachments, and anti-phishing policies that analyse emails in real time and block sophisticated attacks that basic spam filters miss.
For a comprehensive guide to email security, see Email Security for Australian Businesses: Stopping Spoofing and BEC.
Backups: The Last Line of Defence
A backup strategy that will actually save you in a ransomware incident needs to meet these criteria:
- 3-2-1 rule: Three copies of data, on two different media types, with one copy off-site
- Immutable backups: At least one backup copy that cannot be deleted or encrypted by ransomware
- Tested restores: A backup that has never been tested is not a backup - it is an assumption
- Recovery time documented: You should know before a disaster how long recovery will take
Cloud backup services like Microsoft 365 backup, Veeam, or Acronis provide immutable, tested backup capability for most SMB environments. If your backup strategy is “we back up to a drive that sits next to the server”, you will lose everything in a ransomware attack.
Part 3: Choosing an IT Provider
What a Managed IT Provider Actually Does
A managed IT provider (MSP) is not a break-fix contractor you call when something breaks. A proper MSP proactively monitors your environment, applies patches before they become vulnerabilities, responds to alerts before they become incidents, and advises on technology strategy before you are forced to make reactive decisions.
The difference between a reactive break-fix IT provider and a proactive managed IT provider is the difference between a car that goes to the mechanic when it breaks down, and a car that has scheduled services, gets its oil checked, and has its tyres rotated before they wear out.
The Questions That Separate Good Providers From Average Ones
When evaluating an IT provider, these are the questions that actually matter:
“What is your average first response time, and can you show me actual data?” Any provider can quote an SLA. An honest provider shows you real performance data. CX IT Services averages under 15 minutes first response time - and we can prove it.
“Give me three examples of issues you caught proactively last month, before the client noticed.” This is the single best question for distinguishing a truly managed service from a break-fix provider with a monthly retainer.
“Where is your helpdesk based?” Offshore first-line support creates delays, communication friction, and a lack of local business context. Australian-based helpdesk matters.
“What is your process if we decide to leave?” A confident provider makes it easy to leave. Reluctance to discuss offboarding is a red flag.
For a complete evaluation guide, see our 20 Questions to Ask Your IT Provider resource.
For a detailed guide to switching IT providers without downtime, see How to Switch IT Providers Without Downtime.
Red Flags to Walk Away From
- Long lock-in contracts (more than 12 months) without performance guarantees
- Offshore helpdesk for first-line support
- Cybersecurity sold as an optional add-on rather than a baseline
- Inability to provide documentation of your IT environment
- Reluctance to discuss exit procedures and documentation handover
- One-size-fits-all proposals that do not reflect your actual environment
Part 4: Cloud Strategy for Small Business
What Should Go to the Cloud
Most SMBs should be cloud-first by default. The cost, reliability, and security advantages of cloud services over on-premise infrastructure are overwhelming for businesses under 200 staff. Specific workloads that should be cloud by default:
- Email and calendar: Microsoft 365 or Google Workspace
- File storage and collaboration: SharePoint, OneDrive, or Google Drive
- Backups: Cloud backup eliminates the on-site single point of failure
- Phone system: Teams Phone or another cloud PBX replaces physical PBX hardware
- Line-of-business applications: Most modern business software is SaaS by default
For a detailed guide to cloud migration planning, see our Cloud Services Guide for Business.
What Might Stay On-Premise
A small number of workloads have legitimate reasons to stay on-premise, at least temporarily:
- Specialised hardware-dependent applications (certain medical devices, industrial control systems)
- Applications with very high latency sensitivity that cannot tolerate cloud round-trips
- Regulatory requirements that mandate onshore data sovereignty (though most Australian cloud providers address this)
- Very large data sets where cloud transfer costs are prohibitive
The default should be cloud. On-premise should require justification.
Part 5: IT Policies Every Business Needs
A business without documented IT policies is a security risk and a compliance liability. The minimum set of policies every SMB needs:
- Acceptable Use Policy - what employees can and cannot do with company technology
- Password Policy - minimum password requirements and MFA requirements
- Data Classification Policy - what data is confidential and how it must be handled
- Bring Your Own Device (BYOD) Policy - rules for personal devices used for work
- Remote Work Policy - security requirements for working outside the office
- Incident Response Policy - what to do when a security incident occurs
- Software Installation Policy - what software employees can install on company devices
- Email and Communication Policy - rules for business communication
- Social Media Policy - guidelines for employee use of social media
- Data Retention and Disposal Policy - how long data is kept and how it is deleted
Download our Top 10 IT Policies Template for professionally drafted versions of all ten policies, ready to customise for your business.
Part 6: Building a Technology Roadmap
The Problem with Reactive IT
Most SMBs manage IT reactively. They replace hardware when it breaks. They upgrade software when the vendor forces them to. They improve security after an incident. This approach is expensive, disruptive, and creates compounding technical debt.
A technology roadmap maps where your IT is today, where it needs to be to support your business goals, and the specific steps to get there - sequenced to minimise disruption and maximise value.
The Four Phases of IT Maturity
Phase 1: Foundation and Security Baseline
This is where most SMBs need to start. Proper device management, email security, MFA, patching, and backup. The security controls that prevent the most common and most damaging attacks.
Phase 2: Productivity and Collaboration
Once the foundation is solid, focus on the tools that make your team more productive. Modern communications (Teams Phone), proper file management (SharePoint), and device standardisation (Autopilot).
Phase 3: Compliance and Governance
Industry-specific compliance requirements, data governance, access reviews, and audit documentation. This phase varies significantly by industry.
Phase 4: Optimisation and Growth
AI tools, automation, advanced analytics, and the CX365 platform. Technology that actively drives business performance, not just maintains it.
For a detailed roadmap framework, see our Technology Roadmap page.
The Bottom Line
Good IT for a small business is not complicated, but it does require deliberate attention. The businesses that get it right:
- Start with a solid foundation (email, devices, network, backups)
- Implement security as a baseline, not an afterthought
- Work with a proactive MSP who knows their environment
- Document their systems and policies before they need to use that documentation
- Plan technology changes proactively rather than reacting to crises
If you want to know how your current IT measures up against this framework, book a Right Fit Call with CX IT Services. In 15 minutes we can give you an honest assessment of where you stand and what the priority improvements should be.