In This Guide
Key takeaways
- The Essential Eight covers the biggest risk reducers: control apps, patch fast, harden settings, limit admin, use MFA, and back up well.
- Start with low‑effort wins: turn on MFA, patch browsers and Office, and test backups.
- Write short rules staff can follow: password manager use, update windows, report phish.
- Storms and NBN dropouts in SEQ make off‑site backups and power protection a must.
- Book a quick check when you see strange logins, failed backups, or admin sprawl.
$205/hr onsite · $125/hr remote · 4.9 stars across 100+ Google reviews · same-day booking · all 600+ Brisbane suburbs · no fix, no fee guarantee.
What a cyber security checklist is and core concept
Definition
A cyber security checklist is a short list of the key controls your business should have. It turns technical standards into clear actions like “turn on MFA” or “patch monthly.” It’s mapped here to the ACSC Essential Eight so small teams can track progress without guesswork.
Why it matters
Brisbane SMEs face phishing, invoice fraud, and ransomware. Storm season adds power cuts and hardware stress. A checklist helps owners and managers run a quick security audit, plan a risk assessment, and sort “do now” tasks from “book a specialist.” It saves time and money.
How it works and step-by-step
Process
Map your actions to the ACSC Essential Eight with these simple checks:
- Application control: Only allow approved apps. On Windows, use AppLocker or Windows Defender Application Control. Block unknown installers. Keep a list of “allowed” tools (accounting, CRM, PDF) and remove the rest.
- Patch applications: Update browsers, Office, Adobe Reader, Java, Zoom weekly. Turn on auto‑updates. Aim for under two weeks for security fixes. Track versions with an RMM or a simple spreadsheet.
- Configure Microsoft Office macros: Block macros from the internet. Only allow signed macros for trusted templates. Staff should save templates to a shared, safe folder.
- User application hardening: Disable Flash (retired), block ads and pop‑ups, turn off Java in browsers, and use modern PDF readers. Set browsers to block third‑party cookies and warn on downloads.
- Restrict admin privileges: Daily work accounts should not be admins. Create separate named admin accounts for IT tasks. Review admin rights each month and remove old access.
- Patch operating systems: Turn on automatic OS updates. For Windows, target Patch Tuesday + 7 days. Reboot machines weekly. Replace systems stuck on unsupported versions.
- Multi‑factor authentication (MFA): Turn on MFA for email, Microsoft/Google, Xero, CRMs, VPNs, and remote desktop. Use app‑based codes or FIDO security keys. Avoid SMS if you can.
- Regular backups: Keep at least one offline or off‑site copy. Follow 3‑2‑1: three copies, two media, one off‑site. Test restores monthly. Store data in an Australian region to keep latency low.
Featured answer
The fastest way to benchmark small business security is to map tasks to the ACSC Essential Eight: approve apps, patch apps and OS, lock down macros, harden browsers, limit admin, turn on MFA everywhere, and run tested off‑site backups. Track each item monthly and fix gaps first.
Need a hand?
Same-day onsite or remote support across Brisbane. No fix, no fee. Most jobs sorted in one visit.
Book a Geek — From $125/hrCommon problems in Brisbane
Weather and infrastructure
- Summer heat and storms: Power flickers in Logan, Ipswich, and Caboolture knock over PCs and NAS boxes. Use surge boards or UPS, and test backup power on key gear.
- Humidity: Garages and back rooms in Capalaba or North Lakes run hot and damp. Move servers/NAS off the floor, add airflow, and monitor temps.
- NBN quirks: FTTN dropouts in older blocks around Moorooka and Greenslopes break cloud backups and MFA prompts. Use a 4G/5G failover on your router.
- Older buildings: Fortitude Valley and Woolloongabba sites often have messy cabling and shared comms cupboards. Lock network gear and label ports.
Troubleshooting and quick checks
Short answer
If you can turn on MFA, apply pending updates, remove admin from day‑to‑day accounts, and confirm your backup can restore a file, you’re already cutting the biggest risks. Next, lock macros, harden browsers, and keep an “approved software” list to stop shadow IT.
Quick checks
Start with safe checks your team can do today:
- MFA: Is MFA on for email, Xero, Microsoft/Google, VPN, and remote tools?
- Patching: Are Windows, macOS, browsers, Office, and PDF readers up to date?
- Backups: Can you restore a single file from last week within 10 minutes?
- Admin rights: Do staff log in with standard accounts, not admin?
- Approved apps: Do you keep a short list of allowed software?
- Macros: Are Office macros from the internet blocked by default?
- Email rules: Any auto‑forward rules to outside addresses? Remove them.
- Passwords: Is a password manager in use? Are shared logins documented?
- Network: Is your router firmware current and default admin password changed?
- Incident basics: Do staff know who to call for a suspected phish or breach?
Low‑effort, high‑impact fixes you can do this week:
- Turn on MFA for Microsoft 365/Google Workspace and Xero.
- Enable automatic updates for OS, browsers, and Office.
- Set OneDrive/Google Drive desktop to back up Desktop/Documents.
- Create separate admin accounts; remove admin from daily users.
- Block macros from the internet via Microsoft 365 policy.
- Install a reputable endpoint security tool with ransomware rollback.
- Add a UPS to the modem, router, and NAS before storm season.
Quick self‑assessment questions for owners and managers:
- Could a fake invoice slip through your current process?
- Who can reset anyone’s password today, and how is that logged?
- How long to rebuild if the office floods tomorrow?
- When did we last test a full restore of our accounting data?
- Which staff have admin rights, and why?
Safety notes and when to call a pro
Red flags
Act fast and get help when you see:
- MFA fatigue prompts or login alerts from odd locations.
- Backups failing for more than two days or restore tests that fail.
- Staff report files renamed or locked, or antivirus keeps popping alerts.
- Unknown software on PCs, or new admins appearing in Microsoft 365.
- Email forwarding rules to external addresses you didn’t set.
- Compliance requests from customers you can’t meet (insurance, tenders).
Don’t power‑cycle a possibly infected server repeatedly. Isolate it from the network. Note times, save logs, and call a specialist. Swift, calm steps cut damage and downtime.
Local insights and examples
Brisbane/SEQ examples
What we often see across South Brisbane, Coorparoo, and Chermside:
- Tradie firms in Rocklea: Old NAS units on the floor, no UPS, and staff using admin accounts. Quick wins are UPS, MFA, and removing admin.
- Cafes in West End: Shared Wi‑Fi with the POS on the same network. Split guest and POS networks and update the router firmware.
- Real estate offices in Carindale: Cloud files but weak sharing rules. Tighten sharing, turn on conditional access, and review mailbox rules monthly.
- Medical allied health in Springfield Lakes: Legacy Windows boxes for specialist tools. Put them on a separate VLAN and add strict app control.
- Online retailers in Northgate: NBN HFC dropouts break backups. Add 4G/5G failover and schedule backups for off‑peak hours.
Timeframes most SMEs can handle:
- Same day: MFA, browser and Office updates, block macros, remove admin.
- 1–2 weeks: App allow‑list pilot, router segmentation, backup test and documentation.
- 1 month: Full patch cycle rhythm, incident plan, and staff phishing drill.
Budget thoughts: Focus spend where risk drops fast—MFA, reliable endpoint protection, and backup/restore. App control and network segmentation add strong value once the basics are in place.