Cyber attacks against Australian small businesses doubled between 2022 and 2025. The average ransomware ransom demanded in Australia now exceeds $1M. Yet the attackers behind those numbers are not elite — they exploit basic mistakes any Brisbane SME can fix in a weekend.
This 23-control checklist is the practical floor we recommend every Brisbane SME implement. It maps to the ACSC Essential Eight and the Privacy Act 1988 (NDB scheme). Tick what is done, plan what is not, and book a conversation if you are stuck.
Most SME breaches we see in Brisbane do not involve sophisticated attacks — they involve a missed MFA setup, a reused password, an unpatched browser, or a backup that was never tested. This checklist closes those gaps.
Why This Checklist, Right Now
Three things happened in 2024-25 that changed the risk equation for Brisbane SMEs:
- Privacy Act fines went up to $50M for serious or repeated breaches
- Cyber insurers tightened underwriting — they now refuse cover without MFA, EDR and offline backups
- AI-powered phishing made dodgy emails sound like your accountant
Treat this checklist like an annual roadworthy for your business — same logic, same value, same regulatory pressure.
Identity & Access (5 Controls)
- 1. Multi-factor authentication on every cloud account
  Microsoft 365, Xero, MYOB, Dropbox, banking. Microsoft Authenticator with number-matching, not SMS.
- 2. Strong unique passwords (password manager)
  1Password, Bitwarden or Keeper. No reused passwords. No spreadsheets of credentials.
- 3. Block legacy authentication
  Old IMAP/POP/SMTP basic authentication never prompts for MFA, so it bypasses it. Block it in Microsoft Entra Conditional Access.
- 4. Separate admin accounts from daily-use accounts
  Admin work uses a dedicated account with hardware MFA, no email, no browsing.
- 5. Off-board promptly when staff leave
  Disable accounts within an hour, not a week. Follow a documented checklist.
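Before you block legacy authentication in Conditional Access, find out which accounts are still using it so the block does not silently break a scanner, a copier or an old mail client. The script below is an added example, not part of this checklist or any vendor's tooling: it reads a JSON-lines export of Entra sign-in events (the field names follow the Microsoft Graph signIn resource; the events themselves are constructed), lists every account that signed in with a legacy client, and separates successful sign-ins from failures. The set of client names treated as legacy is our assumption for the example.

```python
"""Find accounts still using legacy (basic) authentication before blocking it.

Input is a JSON-lines export of Entra sign-in events. The field names used
(userPrincipalName, clientAppUsed, status.errorCode, createdDateTime) follow
the Microsoft Graph signIn resource; the events in SAMPLE_LOG are constructed
for this example.
"""
import json
from collections import defaultdict

# clientAppUsed values treated as legacy authentication. Assumption for this
# example: these are the protocols that cannot complete an MFA prompt.
LEGACY_CLIENTS = {
    "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync",
    "Other clients", "Autodiscover", "Exchange Web Services",
    "Outlook Anywhere (RPC over HTTP)", "Offline Address Book",
}

# Constructed sample export: one event per line.
SAMPLE_LOG = """\
{"createdDateTime": "2025-05-01T08:02:11Z", "userPrincipalName": "alice@example.com.au", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-01T08:05:40Z", "userPrincipalName": "bob@example.com.au", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-01T08:06:02Z", "userPrincipalName": "bob@example.com.au", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-01T09:15:27Z", "userPrincipalName": "scanner@example.com.au", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-01T11:42:09Z", "userPrincipalName": "carol@example.com.au", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-05-01T12:00:00Z", "userPrincipalName": "dave@example.com.au", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_auth_report(events):
    """Per account: legacy protocols seen, success/failure counts, last time seen."""
    report = defaultdict(lambda: {"protocols": set(), "successes": 0, "failures": 0, "last_seen": ""})
    for ev in events:
        client = ev.get("clientAppUsed", "")
        if client not in LEGACY_CLIENTS:
            continue  # modern client, MFA-capable, nothing to do
        entry = report[ev["userPrincipalName"]]
        entry["protocols"].add(client)
        # errorCode 0 is a successful sign-in; anything else is a failure
        if ev.get("status", {}).get("errorCode", 0) == 0:
            entry["successes"] += 1
        else:
            entry["failures"] += 1
        entry["last_seen"] = max(entry["last_seen"], ev.get("createdDateTime", ""))
    # Freeze the protocol sets so the result is easy to serialise or sort.
    return {upn: {**e, "protocols": sorted(e["protocols"])} for upn, e in report.items()}


def accounts_to_fix(report):
    """Accounts whose legacy sign-ins succeed: these break when legacy auth is blocked."""
    return sorted(upn for upn, e in report.items() if e["successes"] > 0)


if __name__ == "__main__":
    rep = legacy_auth_report(parse_signins(SAMPLE_LOG))
    for upn, e in rep.items():
        print(f"{upn}: {', '.join(e['protocols'])} "
              f"(ok={e['successes']}, failed={e['failures']}, last={e['last_seen']})")
    print("Fix before blocking:", accounts_to_fix(rep))
```

Accounts with successful legacy sign-ins (bob's IMAP client, the scanner relaying through authenticated SMTP) need a modern replacement before the Conditional Access policy goes live. An account that only shows failed legacy attempts, like carol above, usually has no real legacy client at all; failures like that are commonly password guessing against a protocol that cannot ask for MFA, which is the reason the block matters.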
Email & Phishing (4 Controls)
- 6. SPF, DKIM, DMARC configured for your domain
  Stops spoofing of your own brand. Free with M365 — just needs DNS records set correctly.
- 7. Anti-phishing & safe-links policies enabled
  Microsoft Defender for Office 365 (included in Business Premium). Real-time URL detonation.
- 8. External email banner
  A visual warning on every external email helps staff spot impersonation attempts.
- 9. Annual phishing simulation
  Run a controlled test, train anyone who clicks. Do not punish — coach.
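"Set correctly" is where SPF, DKIM and DMARC usually go wrong: an SPF record that ends in +all, a DKIM selector with an empty key, or a DMARC record left at p=none forever. The checker below is an added example, not part of this checklist or any vendor's product: it takes the three TXT record strings and reports the weaknesses that leave the domain spoofable. It works on record strings so it runs offline; in practice you would feed it the records returned by DNS for your domain, your DKIM selector and _dmarc.yourdomain. All records in it are constructed, and the DKIM key value is a placeholder.

```python
"""Check SPF, DKIM and DMARC TXT records for the settings that leave a domain spoofable.

Works on record strings so it runs offline. In production, look up the TXT
records for yourdomain, <selector>._domainkey.yourdomain and _dmarc.yourdomain
and pass them in. Every record below is constructed for this example.
"""

# SPF terms that cost a DNS lookup against the limit of 10 (RFC 7208 section 4.6.4)
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record):
    """Findings for an SPF record: missing, wrong version, permissive 'all', too many lookups."""
    if not record:
        return ["SPF: no record, anyone can send as your domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        t = term.lower()
        # strip the qualifier, then isolate the mechanism/modifier name
        name = t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_qualifier = t[0] if t[0] in "+-~?" else "+"
    if all_qualifier is None:
        findings.append("SPF: no 'all' mechanism, unlisted senders are not rejected")
    elif all_qualifier in "+?":
        findings.append(f"SPF: '{all_qualifier}all' lets any server send as you, use -all or ~all")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10, receivers will permerror")
    return findings


def parse_tags(record):
    """Split a 'k=v; k2=v2' record (DKIM/DMARC syntax) into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim(record):
    """Findings for a DKIM selector record: missing or revoked (empty p=) key."""
    if not record:
        return ["DKIM: no record at the selector, outbound mail is unsigned"]
    tags, findings = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: v= tag must be DKIM1 when present")
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag means the key is revoked, signatures will fail")
    return findings


def check_dmarc(record):
    """Findings for a _dmarc record: missing, monitor-only policy, no reports, partial pct."""
    if not record:
        return ["DMARC: no _dmarc record, receivers will not enforce your SPF/DKIM"]
    tags, findings = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered; move to quarantine then reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of your mail")
    return findings


def check_domain(spf, dkim, dmarc):
    """All findings for one domain; an empty list means the three records pass these checks."""
    return check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc)


# Constructed records: a weak set and the corrected set (spf.protection.outlook.com is the M365 include).
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
WEAK_DKIM = "v=DKIM1; k=rsa; p="
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
GOOD_DKIM = "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY_BASE64"  # placeholder, not a real key
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au; pct=100"

if __name__ == "__main__":
    for label, recs in (("weak", (WEAK_SPF, WEAK_DKIM, WEAK_DMARC)),
                        ("good", (GOOD_SPF, GOOD_DKIM, GOOD_DMARC))):
        print(label, check_domain(*recs) or ["no findings"])
```

The weak set produces four findings (permissive +all, revoked DKIM key, monitor-only DMARC, no reporting address) and the corrected set none. The lookup counter matters for M365 tenants that also send through a CRM, a newsletter tool and an invoicing platform: each include adds to the limit of 10, and a record over the limit fails for everyone.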
Devices & Endpoints (4 Controls)
- 10. Modern EDR on every device
  Microsoft Defender for Endpoint, SentinelOne, CrowdStrike. Not just free antivirus.
- 11. Disk encryption (BitLocker / FileVault)
  Mandatory for any laptop with company data. One stolen laptop without it = a breach.
- 12. Auto-patching for OS & apps
  Intune Autopatch, Action1, NinjaOne. Not 'sometime when staff click yes'.
- 13. Remote wipe capability
  Lost or stolen device — wipe instantly. Intune does this for Windows, iOS and Android.
Data & Backups (4 Controls)
- 14. M365 cloud-to-cloud backup
  Microsoft does not back up your M365 data the way you think. Datto, Spanning, Veeam.
- 15. Immutable backup copy
  Ransomware cannot encrypt what it cannot change. Datto, Veeam Hardened Repository, S3 Object Lock.
- 16. Quarterly restore tests
  An untested backup is not a backup. Pull a random folder, restore it, document the test.
- 17. Data classification & retention policy
  Know where personal information lives. The Privacy Act expects it. M365 sensitivity labels help.
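"Restore it, document the test" is only evidence if the restored files are proven to match what was backed up. The script below is an added example, not part of this checklist or any backup vendor's product: it records a SHA-256 manifest of a folder at backup time, verifies a restored copy file by file, and appends a dated entry to a restore-test log. The demo builds its sample folder in a temporary directory so it runs anywhere; the folder names and the backup-set label are placeholders.

```python
"""Quarterly restore test: verify a restored folder against a backup-time hash manifest
and write a dated record. Sample files are constructed in a temp directory.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root, taken when the backup is made."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored directory with the manifest: every file present and byte-identical."""
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != expected:
            corrupted.append(rel)
    return {"ok": not missing and not corrupted, "checked": len(manifest),
            "missing": missing, "corrupted": corrupted}


def record_test(result, log_path, source_label):
    """Append a dated entry to the restore-test log: the documentation the checklist asks for."""
    entry = {"tested_at": datetime.now(timezone.utc).isoformat(),
             "source": source_label, **result}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def run_demo():
    """Constructed demo: manifest a folder, restore a copy, verify, then catch a corrupted restore."""
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "shared")  # placeholder for the folder you back up
        os.makedirs(os.path.join(source, "finance"))
        with open(os.path.join(source, "finance", "invoices.csv"), "w") as f:
            f.write("inv,amount\n1001,250.00\n")  # constructed sample data
        with open(os.path.join(source, "staff.txt"), "w") as f:
            f.write("constructed sample data\n")
        manifest = build_manifest(source)

        restored = os.path.join(work, "restored")
        shutil.copytree(source, restored)  # stands in for the real restore job
        good = verify_restore(manifest, restored)

        # Simulate a bad restore: one file comes back changed.
        with open(os.path.join(restored, "staff.txt"), "a") as f:
            f.write("bit rot\n")
        bad = verify_restore(manifest, restored)

        log_entry = record_test(good, os.path.join(work, "restore-tests.jsonl"),
                                "shared (placeholder backup set)")
        return good, bad, log_entry
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    good, bad, entry = run_demo()
    print("clean restore:", good)
    print("corrupted restore:", bad)
    print("logged:", entry)
```

Keep the manifest with the backup job's output and the log file somewhere the backup system cannot overwrite; a quarter's worth of entries with ok=true, the folder tested and the date is exactly what an insurer or auditor asks for when they want proof that backups were tested.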
Network & Wi-Fi (3 Controls)
- 18. Separate guest Wi-Fi from staff Wi-Fi
  Visitors and personal phones never on the network with your file server.
- 19. Modern firewall on the office NBN
  Ubiquiti, Meraki, Fortinet. Not the ISP-supplied router on its own.
- 20. WPA3 (or WPA2-AES at minimum)
  WEP and WPA are broken. Update old access points.
People & Training (3 Controls)
- 21. Annual staff cyber training
  30-minute video + quiz. KnowBe4, Hoxhunt, M365 Attack Simulation Training.
- 22. Documented incident response plan
  Who calls who when something goes wrong, in what order. Print and stick on the wall.
- 23. Annual review & cyber insurance check
  Renew controls every 12 months. Confirm insurance still meets your risk.
Suggested Schedule
- Week 1-2: MFA, password manager, SPF/DKIM/DMARC, M365 cloud backup, EDR.
- Week 3-4: Disk encryption, Intune, anti-phishing policies, guest Wi-Fi split, firewall.
- Month 2: Restore test, phishing simulation, staff training, incident response doc.
- Quarterly: Restore drills, off-board audit, patch compliance review, insurance check.
Costs in Brisbane
| Item | Effort | Cost |
|---|---|---|
| Initial security audit | 1-2hr | From $410 |
| MFA rollout (10-25 users) | 3-5hr | $410-$615 |
| SPF/DKIM/DMARC setup | 2hr remote | $250 |
| M365 cloud-to-cloud backup | 2hr setup + license | $250 + $5/user/mo |
| Phishing simulation campaign | 1-2 days | From $410 |
| Managed security plan | Ongoing | From $99/user/month |
| Onsite hourly | — | $205/hr |
| Remote hourly | — | $125/hr |
Pro tip: If you only have one weekend, knock off Identity (1-5) and Email (6-9). Those nine controls block over 80% of real-world Brisbane SME compromises.
Cyber insurance gotcha: Most policies now require 'enterprise-grade EDR' (not free Defender), MFA on email and remote access, and offline/immutable backups. If any of these are missing, your claim may be denied.
Want Us to Run This Checklist For You?
Half-day Brisbane onsite, full report, prioritised plan and pricing.
Book a Cyber Audit — From $410
We walk every line of this checklist with you, score current state, and produce a prioritised plan with costs. Half-day from $820, includes M365 tenant review, device inventory, and a written report.