Cyber security is only going to get tougher. That’s one of the “benefits” of the AI wave we’re in. But there are things you can do to reduce risk – thousands of things.
Here’s a list of the quick wins that will bring the biggest step changes to your risk profile – the 20% of effort that brings you 80% of the benefit. Most of them are set once, automated, or only need periodic check-ups.
1. Locking Down Access and Authentication
Unauthorized access is still a primary path attackers use to get inside. Strong authentication and tight access controls are your foundational defences.
Turn On Multi-Factor Authentication (MFA)
- What: Activate MFA on all important business accounts.
- Why: This directly stops attacks that rely on stolen or weak passwords (like phishing, credential stuffing, brute-force). Adding that second check makes it much harder for attackers to take over accounts, even if they have the password.
- How: Prioritise MFA for email (Microsoft 365, Google Workspace), banking, cloud platforms (AWS, Azure, GCP), VPNs, and all admin accounts. Use authenticator apps (Google Authenticator, Microsoft Authenticator, Okta Verify) over SMS whenever possible, as they’re generally more secure. Follow best practices outlined in the Australian Cyber Security Centre (ACSC)’s MFA guidance.
- Tools: Many platforms offer built-in MFA. For broader control, consider Identity and Access Management (IAM) solutions:
Use Strong, Unique Passphrases & a Password Manager
- What: Require long, unique passphrases for every single account, and use a password manager to handle them.
- Why: Stops attackers from easily guessing weak passwords or using credentials stolen from one breach to access other unrelated accounts (credential stuffing).
- How: Set a minimum passphrase length of 14 characters; using 4+ random words is a good technique. Roll out a solid business password manager to generate, store, and fill strong credentials securely. Make sure the manager itself is locked down with a strong master passphrase and MFA. Train your team on using it properly. Check the ACSC’s advice on passphrases.
- Tools: Look at well-regarded password managers with strong security:
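Added example (not from this page or any vendor): a small Python script that generates passphrases the way the guidance above describes (4+ random words, 14 characters minimum) using the OS CSPRNG, enforces that policy as a check, and computes the resulting guessing entropy. The 16-word list is a constructed stand-in; the comment shows why a real deployment needs a much larger list.

```python
import math
import secrets

# Constructed 16-word list for the demo only (not from the page). At 16 words it gives just
# 4 bits per word; a real list of 7776 words (e.g. EFF's diceware list) gives ~12.9 bits per word.
WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "granite", "harbour",
         "iris", "juniper", "kelp", "lantern", "meadow", "nickel", "orchid", "pebble"]
MIN_LENGTH = 14   # minimum passphrase length from the guidance above
MIN_WORDS = 4     # "4+ random words"

def meets_policy(passphrase, separator="-"):
    """True if the passphrase is at least MIN_LENGTH characters and MIN_WORDS words."""
    words = [w for w in passphrase.split(separator) if w]
    return len(passphrase) >= MIN_LENGTH and len(words) >= MIN_WORDS

def generate_passphrase(n_words=MIN_WORDS, separator="-", words=WORDS):
    """Pick n_words uniformly with the OS CSPRNG (secrets, never random.random).
    A tiny word list could yield a phrase under MIN_LENGTH, so redraw until policy is met."""
    if n_words < MIN_WORDS:
        raise ValueError(f"need at least {MIN_WORDS} words")
    while True:
        phrase = separator.join(secrets.choice(words) for _ in range(n_words))
        if meets_policy(phrase, separator):
            return phrase

def entropy_bits(n_words, wordlist_size):
    """Guessing entropy of n_words drawn independently (repeats allowed) from wordlist_size words."""
    return n_words * math.log2(wordlist_size)
```

Four words from a 7776-word list give about 51.7 bits, which is why the word count and the size of the list matter more than symbol substitutions.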
Apply the Principle of Least Privilege (Limit Admin Rights)
- What: Tightly control and minimise who gets administrator privileges.
- Why: Radically reduces the damage if an account gets compromised. If a standard user account is breached, the attacker’s reach is limited, preventing system-wide damage compared to when an admin account is hit. It also makes privilege escalation attacks harder.
- How: Give users only the permissions they absolutely need for their job. Use separate, dedicated accounts for admin tasks – never use an admin account for everyday things like email or browsing. Review admin rights regularly. This lines up with the ‘Restrict Administrative Privileges’ strategy in the ACSC’s Essential Eight.
Manage Staff Access Changes Swiftly
- What: Have solid processes to immediately remove access for people leaving the company or changing roles.
- Why: Stops potential data theft or system misuse by former employees (an insider risk) and cleans up unused accounts that pose a lingering security risk.
- How: Make sure your HR off-boarding and role-change processes directly trigger IT access removal. Disable accounts and revoke permissions right away. Run regular checks on active user accounts to find and disable any orphaned or unnecessary ones.
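Added example (not from this page): a Python access review that joins a constructed HR export against a constructed identity-provider export and flags enabled accounts whose owner is no longer an active employee, accounts holding admin rights their role does not justify, and accounts dormant for more than 90 days. The CSV layouts, role names and the 90-day threshold are assumptions for the demo.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inputs (not from the page): an HR export of staff and their status,
# and an identity-provider export of accounts. Real data would come from HRIS / IdP exports.
HR_ROSTER = """employee_id,name,role,status
E100,Ana Lopes,Finance,active
E101,Ben Ng,IT Admin,active
E102,Cara Ito,Sales,terminated
"""
ACCOUNTS = """username,employee_id,is_admin,enabled,last_login
alopes,E100,true,true,2025-05-20
bng,E101,true,true,2025-05-28
cito,E102,false,true,2025-03-01
svc-backup,,false,true,2024-11-15
"""
ADMIN_ROLES = {"IT Admin"}   # roles whose job actually needs admin rights
DORMANT_DAYS = 90            # no login for this long => review and disable

def review_accounts(roster_csv, accounts_csv, today):
    """Return (username, finding) pairs for enabled accounts that need action:
    no-active-owner (leaver or unowned account), excess-admin (role no longer needs it), dormant."""
    active_staff = {r["employee_id"]: r
                    for r in csv.DictReader(io.StringIO(roster_csv)) if r["status"] == "active"}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"] != "true":
            continue                      # already disabled; nothing to do
        owner = active_staff.get(acct["employee_id"])
        if owner is None:
            findings.append((acct["username"], "no-active-owner"))
        elif acct["is_admin"] == "true" and owner["role"] not in ADMIN_ROLES:
            findings.append((acct["username"], "excess-admin"))
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if idle_days > DORMANT_DAYS:
            findings.append((acct["username"], "dormant"))
    return findings
```

Running it on a schedule and feeding the findings to whoever owns deprovisioning turns the off-boarding trigger into a verified control rather than a hope.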
2. Setting Up Robust Data Protection
Protecting your business and customer data is vital for keeping the lights on, meeting legal duties, and holding onto your reputation.
Set Up Regular, Automated Data Backups
- What: Run frequent, automated backups of all data that’s critical to your business.
- Why: Gives you a way to recover data and get back to business after major disruptions like ransomware, hardware meltdowns, accidental deletions, or even fires and floods.
- How: Pinpoint your critical data (financials, customer lists, operational files, system configs, cloud data like M365 backups – check provider options). Set up automatic daily backups using dependable backup software or services. This is a key part of the ACSC Essential Eight’s ‘Regular Backups’ strategy.
- Tools: Look into business-grade backup solutions:
Keep Backups Separate and Test Your Restores
- What: Store backup copies somewhere separate (physically or logically) from your live data, and regularly test that you can actually restore from them.
- Why: Stops your backups from being wiped out by the same attack (especially ransomware) that hits your main systems. Untested backups might fail you when you need them most.
- How: Follow the 3-2-1 rule: at least 3 copies of data, on 2 different media types, with 1 copy offsite. For extra ransomware defence, make sure one copy is offline (air-gapped) or immutable (cannot be altered or deleted for a set retention period; cloud storage offers this through features such as AWS S3 Object Lock, Azure Blob Storage immutable storage, and Google Cloud Storage Bucket Lock). Schedule regular restore tests (maybe quarterly) to prove the backups work and your team knows the drill.
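Added example (not from this page): a Python restore test of the kind the item above calls for. It backs up a directory into a tar archive while recording a SHA-256 manifest, then restores into a scratch directory and compares every file against that manifest, so a backup that is missing files or whose content has silently changed fails the test instead of failing you during an incident. The sample files are constructed for the demo.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_backup(source_dir, archive_path):
    """Archive every file under source_dir; return {relative path: sha256} taken at backup time."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest

def verify_restore(archive_path, manifest):
    """Restore to a scratch dir; return (ok, problems) listing files missing or with changed content."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to recent 3.8-3.11) blocks writes outside scratch.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"corrupted: {rel}")
    return not problems, problems

def demo():
    """Constructed sample: back up two files, verify a clean restore, then one against a stale manifest."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "finance"
        (src / "2025").mkdir(parents=True)
        (src / "ledger.csv").write_text("date,amount\n2025-01-01,100\n")
        (src / "2025" / "q1.txt").write_text("quarterly notes\n")
        archive = Path(work) / "finance-backup.tar.gz"
        manifest = make_backup(src, archive)
        clean_ok, _ = verify_restore(archive, manifest)
        tampered = dict(manifest, **{"ledger.csv": "0" * 64, "ghost.txt": "0" * 64})
        tampered_ok, problems = verify_restore(archive, tampered)
    return {"files": sorted(manifest), "clean_ok": clean_ok, "tampered_ok": tampered_ok, "problems": problems}
```

Store the manifest with the backup copy (ideally on the immutable copy) so the restore test compares against what was written, not against whatever the live system looks like today.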
Secure Customer Information (Privacy Act Compliance)
- What: Know and meet your obligations for handling personal information under the Australian Privacy Act 1988.
- Why: Helps prevent costly data breaches involving customer info, keeps you compliant with the law, protects your reputation, and avoids fines.
- How: Only collect the personal data you actually need. Store it securely using good technical controls (encryption, access controls). Use secure methods for any transactions. Have a clear, easy-to-find privacy policy. Check guidance from the OAIC.
3. Keeping Systems Healthy and Networks Secure
Updated, well-configured systems and networks are fundamental defences.
Patch Software and Operating Systems Quickly
- What: Regularly apply security patches and updates for all your software and operating systems.
- Why: Closes security holes that attackers know about and actively try to exploit. Patching quickly shuts these doors before attackers get in.
- How: Turn on automatic updates where it makes sense. Jump on patches for known exploited vulnerabilities fast, especially for systems facing the internet (aim for under 48 hours). Get other critical patches done promptly (e.g., within weeks). Get rid of any software or OS versions that are no longer supported and don’t get security updates. This directly supports the ACSC Essential Eight’s ‘Patch Applications’ and ‘Patch Operating Systems’ strategies.
Use and Maintain Endpoint Security Software
- What: Install, configure, and keep up-to-date endpoint security software (like Endpoint Detection and Response (EDR) and Endpoint Protection Platform (EPP) including antivirus/anti-malware) on all computers, servers, and work mobile devices.
- Why: Provides defence against malware like viruses, trojans, ransomware, and spyware by spotting and blocking known threats. Modern EDR tools also help catch new threats and give you tools to respond.
- How: Use solid built-in tools (like Microsoft Defender for Endpoint) or pick trusted third-party options. Make sure the software is always on, updating its threat intelligence constantly, and configured correctly.
- Tools: Top players in endpoint security include:
Secure Your Office Wi-Fi and Router
- What: Lock down the basic security settings on your office wireless network and internet router.
- Why: Stops outsiders from jumping onto your network, listening in on wireless traffic, or using your internet connection for shady activities.
- How: Change the router’s default admin password immediately. Use strong Wi-Fi encryption (WPA2 minimum, WPA3 preferred) with a strong passphrase. If you offer guest Wi-Fi, put it on a separate, isolated network. Check ACSC advice for network security.
4. Managing Cloud and Third-Party Risks
Using external services means managing the security risks that come with them.
Use MFA and Secure Configurations for Cloud Services
- What: Mandate MFA for all cloud service access (SaaS, PaaS, IaaS) and make sure you understand and apply basic secure setup within those platforms.
- Why: Protects your cloud accounts and data from being accessed by attackers with stolen credentials. Also tackles the common problem of data exposure due to simple cloud misconfigurations.
- How: MFA for cloud access isn’t optional. Understand the Shared Responsibility Model for each service – the provider secures the base infrastructure, you secure your data, users, and how you configure things inside the service. Apply essential settings like tight access controls, correct permissions, and logging within your cloud platforms. Use the ACSC’s cloud security guidance.
Be Smart About Third-Party Providers
- What: Do some basic security checks on your key suppliers, especially if they handle your sensitive data or provide critical IT functions (like IT support, payroll, SaaS tools).
- Why: Reduces your supply chain risk – where a security slip-up at your vendor becomes your problem, potentially leading to a breach impacting you.
- How: Ask potential vendors about their security practices before you sign up. Make sure contracts clearly spell out security duties, how data will be handled, and what happens if they have a breach.
5. Empowering Your People and Preparing for Incidents
Many of your technical defences can be automated, but your team and your preparedness plan are a big part of your business’s security resilience.
Train Your Staff on Security Fundamentals
- What: Run regular, practical security awareness training for everyone.
- Why: Cuts down on security incidents caused by human mistakes, like clicking phishing links, falling for Business Email Compromise (BEC) scams, or accidentally installing malware.
- How: Focus training on real-world skills: spotting suspicious emails/links, password safety, safe browsing, and recognising common scams. Keep it short, regular, and interesting. Use resources available from the ACSC. Build a culture where people feel safe reporting anything suspicious.
- Tools: Consider security awareness training platforms:
Have a Simple Incident Response Plan
- What: Create a clear, straightforward plan for what to do if you suspect a cyber incident.
- Why: Helps you react faster, stay calmer, and respond more effectively during a crisis, which minimises the damage, downtime, and cost. Being prepared prevents panic and leads to better decisions.
- How: Your plan should list: key internal contacts (IT, management), first steps for containing the problem (like isolating machines if possible), where backups are and how to restore them, and essential external contacts (cyber insurance, legal, ACSC hotline: 1300 292 371). Keep a printed copy somewhere safe – your network might be down when you need it.
Set Up Clear Incident Reporting Channels
- What: Make sure every employee knows who to tell internally if they see something suspicious or think an incident might be happening.
- Why: Allows for quick internal action to stop a potential threat. Also ensures serious incidents get reported externally to the right places (like the ACSC via ReportCyber) when required, helping everyone by improving threat intelligence and potentially involving law enforcement.
- How: Define a clear internal reporting point (e.g., their manager, IT helpdesk, security contact). Make sure relevant people know about the ACSC’s ReportCyber portal for reporting incidents affecting the business.
Lock those cyber doors
By implementing these security measures, your business establishes interlocking defences against common cyber threats. This protects your operations, your data, and your reputation.
The list is pretty much in order of priority. We’d recommend starting on 1 and 2 today, then keep working your way down through every item. Once everything is in place, security will become second nature to your team.