Governance & Policy · 28 March 2025 · 9 min read

The Australian Small Business Cyber Security Checklist for 2025

A practical, no-jargon cyber security checklist for Australian small businesses in 2025 — covering the controls that actually make a difference, based on ACSC guidance and the Essential Eight.


Cyber security doesn't have to be overwhelming. For most Australian small businesses, the gap between where you are now and a genuinely defensible security posture comes down to implementing a focused set of practical controls — consistently and completely. This checklist cuts through the noise and tells you exactly what to do, based on guidance from the Australian Cyber Security Centre (ACSC) and the ASD's Essential Eight framework.

Work through each section, check off what you have in place, and note what needs attention. At the end, you'll have a clear picture of where your priorities lie.

Section 1: Access and Identity

Most cyber incidents begin with compromised credentials. Getting access management right is the single highest-impact place to start.

  • MFA enabled on all email accounts (Microsoft 365, Google Workspace, or your email provider)
  • MFA enabled on all cloud services — accounting software (Xero, MYOB), file storage (SharePoint, Google Drive), CRM, project management tools
  • MFA enabled on remote access — VPNs, Remote Desktop, TeamViewer, or any other remote access tools
  • Unique, strong passwords for every account — no shared passwords, no reuse across services
  • Password manager in use by all staff (1Password, Bitwarden, or equivalent)
  • Admin accounts separated from daily-use accounts — staff don't use their admin credentials for browsing or email
  • Former staff access revoked immediately upon departure — accounts disabled within 24 hours
  • Guest or contractor access limited and time-bound — access granted only for what's needed, only for as long as needed

Section 2: Devices and Endpoint Protection

Every device that connects to your business data is a potential entry point. Securing endpoints is essential — particularly as remote work has expanded the number of devices accessing business systems.

  • All devices running supported operating systems — Windows 10 minimum (Windows 11 preferred), macOS Ventura or later
  • Automatic updates enabled on all operating systems and major applications
  • Endpoint protection (antivirus/EDR) installed on all business devices — Windows Defender (built-in) at minimum, business-grade EDR preferred
  • Screen lock enabled on all devices — auto-lock after 5 minutes of inactivity
  • Disk encryption enabled — BitLocker on Windows, FileVault on Mac
  • Clear policy on personal devices used for work — what's permitted, what's not, and minimum security standards
  • Lost or stolen device procedure documented — who to call, how to remotely wipe the device

Section 3: Software and Application Management

Unpatched software is one of the most exploited attack vectors in Australia. Keeping your applications current is not optional — it's foundational.

  • All critical applications up to date — web browsers, office productivity suites, PDF readers, accounting software
  • No end-of-life software in use — software that no longer receives security updates should be replaced
  • Browser security settings reviewed — extensions minimised, automatic updates enabled
  • Office macro execution restricted — macros disabled by default or limited to digitally signed macros only (a key Essential Eight control)
  • Software installation restricted — staff cannot install unapproved software on business devices

Section 4: Email Security

Email is the number one vector for phishing, business email compromise, and malware delivery. These controls significantly reduce your exposure.

  • SPF record configured on your domain — prevents others from spoofing your email address
  • DKIM configured — authenticates your outbound emails
  • DMARC policy set to at minimum "none" with monitoring — ideally "quarantine" or "reject"
  • Spam and phishing filtering active — Microsoft Defender for Office 365, Google Workspace Advanced Protection, or third-party equivalent
  • External email warnings enabled — emails from outside your organisation are flagged for staff
  • Staff trained to recognise phishing — at least annually, including examples of current Australian scams
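One way to check the SPF and DMARC items above against what a domain actually publishes, as an added example that is not code from the original article: it grades a domain's SPF and DMARC TXT records against the checklist wording (terminal -all/~all; at least p=none with rua= monitoring, ideally quarantine or reject). It assumes a hypothetical domain example.com.au with constructed records; DKIM is not covered because verifying it needs the selector and a signed message.

```python
# Added example, not code from the original article: grades SPF and DMARC
# TXT records against the Section 4 checklist. The records below are constructed
# for a hypothetical example.com.au; fetch the TXT records for your own domain and
# for _dmarc.<your-domain> (for example with dig) and pass them in instead.

def check_spf(record: str) -> str:
    """Grade an SPF record: it must start with v=spf1 and end in -all or ~all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "fail: no SPF record (v=spf1) found"
    qualifier = None
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    if qualifier is None:
        return "fail: no terminal 'all' mechanism, so unlisted senders are not rejected"
    if qualifier in ("+", "?"):
        return f"fail: '{qualifier}all' gives receivers no reason to reject unlisted senders"
    return f"pass: SPF ends in {qualifier}all"

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value' pairs; return {} unless the record starts with v=DMARC1."""
    tags = {}
    for pair in record.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def check_dmarc(record: str) -> str:
    """Checklist: at least p=none with rua= monitoring, ideally quarantine or reject."""
    tags = parse_dmarc(record)
    if not tags:
        return "fail: no DMARC record (v=DMARC1) found"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "fail: p= tag missing or invalid"
    if "rua" not in tags:
        return f"warn: p={policy} but no rua= address, so you receive no aggregate reports"
    if policy == "none":
        return "warn: p=none with monitoring; move to quarantine or reject once reports are clean"
    return f"pass: p={policy} with aggregate reports sent to {tags['rua']}"

# Constructed sample records for the hypothetical domain example.com.au
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"

if __name__ == "__main__":
    print("SPF:  ", check_spf(SAMPLE_SPF))
    print("DMARC:", check_dmarc(SAMPLE_DMARC))
```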

Section 5: Backup and Recovery

A tested backup is your best protection against ransomware and your insurance policy against accidental data loss. Without it, a single incident can be catastrophic.

  • Regular backups of all critical business data — daily at minimum, or more often depending on how much data you can afford to lose
  • Backups stored off-network — not on the same device or same network as your primary data (cloud backup or external drive stored off-site)
  • Backups use immutable or versioned storage — so ransomware can't encrypt or delete your backup copies
  • Backup restore tested within the past 6 months — you've actually restored files from backup, not just assumed it works
  • Recovery time understood — you know how long it would take to fully restore your systems and data
  • Cloud service data backed up — Microsoft 365 and Google Workspace are NOT automatically backed up by Microsoft or Google — third-party backup tools are required

Section 6: Network Security

  • Business Wi-Fi uses WPA2 or WPA3 encryption with a strong, unique password
  • Guest Wi-Fi network is separate from the business network
  • Default router admin credentials changed — not using the factory default username and password
  • Router firmware up to date
  • Firewall active on all devices and the network perimeter
  • Remote access secured with MFA and limited to authorised users only

Section 7: Governance and Policies

  • Written cyber security policy — even a one-page document covering password rules, device use, and incident reporting
  • Incident response procedure documented — who does what, who to call, how to preserve evidence, when to notify the OAIC
  • Staff onboarding includes cyber security — new starters understand the rules from day one
  • Data register maintained — you know what personal information you hold, where it is, and who can access it
  • Third-party and supplier access reviewed — vendors with access to your systems have appropriate controls in place
  • Cyber insurance assessed — you understand your cover, its security requirements, and whether your posture meets those requirements

Section 8: Staff and Security Culture

  • Annual security awareness training completed by all staff
  • Staff know how to report a suspicious email or incident — there's a clear, non-punitive reporting process
  • Business email compromise (BEC) risks addressed — staff are trained on verifying unusual payment requests by phone before acting
  • Social media and personal information sharing policy in place — staff understand what business information should not be shared publicly

Interpreting Your Results

If you've checked off most items in Sections 1–3, you're in better shape than a significant proportion of Australian small businesses. These sections — access management, device security, and patching — address the controls the ACSC consistently identifies as having the highest impact on reducing cyber risk.

If you have significant gaps across multiple sections, prioritise in this order:

  1. Enable MFA on email and cloud accounts immediately
  2. Ensure all software is on supported, updated versions
  3. Implement and test a backup process
  4. Deploy endpoint protection on all devices
  5. Document a basic incident response procedure

Key Takeaways

  • The most impactful cyber security controls for Australian small businesses are MFA, patching, and tested backups — start there if you haven't already.
  • Email security (SPF, DKIM, DMARC) is frequently overlooked but critical for preventing phishing and email spoofing.
  • Cloud services like Microsoft 365 and Google Workspace are not automatically backed up — you need a third-party tool.
  • Governance matters: a one-page policy and a written incident response procedure can make a significant difference in how well your business handles a real incident.
  • Review your checklist at least annually — and whenever your business changes significantly.

Want a personalised assessment of your security posture rather than a generic checklist? Take the free cyber risk assessment at flagged.com.au — it benchmarks your business against the Essential Eight and gives you a prioritised list of recommendations specific to your situation.


Frequently asked questions

What are the most important cyber security steps for a small business in Australia?

The most impactful steps for an Australian small business are: enabling multi-factor authentication (MFA) on all email and cloud accounts; keeping software and operating systems updated; maintaining tested, off-network backups; using a reputable password manager; restricting who has admin access to your systems; training staff to recognise phishing; and having a written plan for what to do if something goes wrong. These controls, aligned with the ACSC's Essential Eight, address the majority of cyber incidents affecting Australian small businesses.

How much does cyber security cost for a small business in Australia?

Many of the most effective cyber security controls cost very little or nothing to implement. MFA is free to enable on Microsoft 365, Google Workspace, and most major cloud platforms. Operating system updates are free. A written incident response plan costs nothing but time. Paid tools like a password manager typically cost $3–8 per user per month, and reputable endpoint protection for small business runs $5–15 per device per month. A realistic basic cyber security posture for a 5-person business can often be achieved for $100–200 per month in tool costs, plus staff time.

How often should a small business review its cyber security?

At minimum, conduct a full review of your cyber security posture once per year — more frequently if your business changes significantly (new staff, new systems, new services). Certain controls should be checked more often: patch status should be monitored continuously or at least monthly, backups should be tested quarterly, and staff phishing awareness should be refreshed at least annually. Set calendar reminders so these reviews don't get overlooked in the day-to-day pressure of running your business.

Tags

cyber security checklist, small business, Australia, ACSC, Essential Eight, 2025