Governance & Policy · 20 January 2025 · 6 min read

Does Your Small Business Need a Cyber Security Policy?

Most Australian small businesses don't have a written cyber security policy — and it's costing them. Here's why you need one and how to start.


If someone asked you right now, "What's your business's plan if a staff member clicks a dodgy link and your customer database gets stolen?" — could you answer? For most Australian small business owners, the honest answer is no. And that's completely understandable. You're busy running your business. But that gap — between knowing cyber threats exist and having a written plan to deal with them — is exactly where things go wrong.

What Is a Cyber Security Policy?

A cyber security policy is a written document that sets out the rules and expectations for how your business handles digital information and technology. Think of it like a workplace health and safety policy, but for your data and devices.

It doesn't need to be 50 pages long. For a small business, a well-written cyber security policy might cover just a handful of topics in a few pages. What matters is that it exists, that your team knows about it, and that it reflects how your business actually operates.

A good policy typically covers things like:

  • Who is responsible for cyber security in your business
  • Password rules (how long, how complex, how often to change them)
  • What to do if a device is lost or stolen
  • How to handle sensitive customer or financial information
  • What to do if something suspicious happens — who do you call?

Why Australian Small Businesses Are Targets

There's a common myth that cyber criminals only go after large corporations. The reality is quite different. According to the Australian Cyber Security Centre (ACSC), small businesses are among the most frequently targeted organisations in Australia. Cybercriminals know that small businesses often have less protection than large enterprises, yet still hold valuable data — customer records, payment details, employee information, and business contracts.

The average cost of a cyber incident for a small business in Australia is in the tens of thousands of dollars once you factor in lost productivity, recovery costs, potential fines, and damage to customer trust. Some businesses never recover at all.

The Legal and Compliance Angle

Australia's Privacy Act 1988 requires businesses that hold personal information to take reasonable steps to protect it. If your business has a turnover of more than $3 million, or operates in certain sectors like health or finance, these obligations are mandatory. But even if you're currently exempt from the Privacy Act, that's changing — the Australian Government has been progressively tightening privacy obligations for small businesses.

Under the Notifiable Data Breaches (NDB) scheme, covered businesses must report certain data breaches to the Office of the Australian Information Commissioner (OAIC) and notify affected individuals. Having a written policy in place — and following it — demonstrates that you've taken "reasonable steps" to protect data, which matters enormously if a breach ever occurs.

The Cyber Security Act 2024, which came into effect in January 2025, also introduced new obligations for certain types of businesses and critical infrastructure. While many small businesses won't be directly affected by all provisions, it signals the direction of travel: regulators expect businesses to take cyber security seriously.

Five Signs You Need a Written Policy Right Now

  1. You have staff. Even one employee means you need agreed rules about how technology is used in your business. Without a written policy, misunderstandings are inevitable.
  2. You store customer data. Names, emails, phone numbers, payment details — any of this creates an obligation to protect it.
  3. You use cloud services. Google Workspace, Microsoft 365, Xero, MYOB — these are all powerful tools, but they need configuration and access controls. A policy helps you manage who has access to what.
  4. Your staff use their own devices for work. Personal phones and laptops connecting to work systems are a significant risk without clear rules in place.
  5. You've never thought about what you'd do if you got hacked. If you don't have a plan, a policy is the starting point for creating one.

Common Objections (And Why They Don't Stack Up)

"I'm too small to be a target"

As mentioned above, small businesses are frequently targeted precisely because attackers know defences are often weaker. Automated attack tools don't discriminate by business size — they scan for vulnerabilities across millions of systems simultaneously.

"It's too technical for me"

A cyber security policy is primarily a business document, not a technical one. It's about decisions and rules, not code. You don't need an IT background to write one — just a clear head and a willingness to think through the "what ifs."

"I don't have time"

A basic policy for a small business can be drafted in an afternoon. The ACSC provides free templates and guidance specifically designed for small business owners. The time investment now is tiny compared to the time you'd spend dealing with an incident that a policy might have prevented.

What the ACSC Recommends

The Australian Cyber Security Centre offers a wealth of free resources for small businesses at cyber.gov.au. Their Small Business Cyber Security Guide outlines practical steps you can take, and their advice consistently starts with the basics: understand what you're protecting, establish clear rules, and make sure everyone in your business knows what's expected of them.

The ACSC's Essential Eight framework provides a baseline set of security controls that any business should aim to implement. A cyber security policy is the governance layer that sits above all of these controls — it's the "why" and "who" that makes the technical measures actually work.

Getting Started This Week

You don't need to create a perfect policy immediately. Start with a simple document that answers these five questions:

  1. Who is responsible for cyber security decisions in our business?
  2. What are the password rules everyone must follow?
  3. What are the rules for using personal devices for work?
  4. How do we handle sensitive customer information?
  5. What do we do — and who do we contact — if we suspect something has gone wrong?

Review it with your team, make sure everyone signs off that they've read it, and set a reminder to review it every 12 months or whenever something significant changes in your business.

Key Takeaways

  • A cyber security policy is a written document that sets the rules for how your business handles technology and data — it doesn't need to be complex.
  • Cybercriminals frequently target Australian small businesses, not just large enterprises.
  • The Privacy Act 1988, the Notifiable Data Breaches scheme, and the Cyber Security Act 2024 all create legal context that a written policy helps you navigate.
  • Common objections — "I'm too small", "it's too technical", "I don't have time" — don't hold up under scrutiny.
  • The ACSC offers free templates and guidance at cyber.gov.au to help you get started.
  • Start simple: answer five core questions, share with your team, and review annually.

Not sure where your business currently stands? Take the free cyber risk assessment at flagged.com.au to get a personalised picture of your security posture and see exactly where a policy would make the most difference for your business.

Tags

  • cyber security policy
  • small business
  • governance
  • ACSC
  • Australia