Why Do Small Businesses Need Better Cybersecurity? The Essential 8 Explained

We hope you like reading this blog post.
If you would like the Boost IT team to just do your Essential 8 implementation and business cybersecurity for you, click here.



90% of cyber attacks impact small businesses, while 70% of SMBs have weak to no security at all. It’s obvious why small businesses are specifically targeted, and they will continue to be as long as they have no defence.

It’s time to stand back, evaluate your position and take the cost-effective measures that might prevent a very pricey breach.

This article will showcase what the real costs of a cyber breach are to a small business. It might surprise you that the biggest threat is not the immediate monetary loss from a phishing scam. 

We will walk you through the Essential 8 mitigation strategies advised by the Australian Government and, last but not least, pinpoint the minimum IT measures you should take.

First, some key stats from the Australian Cyber Security Centre (ACSC) 2020/2021 Annual Cyber Report:

Key statistics from Cybersecurity annual report 2021

Produced jointly with the ACSC, the Australian Federal Police, and the Australian Criminal Intelligence Commission, the Annual Cyber Threat Report provides advice to help Australian organisations and individuals protect themselves online.

What can a cyber breach cost a small business?

IT support and cybersecurity are not urgent issues on most agendas. Sadly, even after suffering a cyber incident, the Australian Cyber Security Centre found that 72% of breached small businesses thought it unlikely they would get attacked again and took no real measures. 

But inadequate security puts a small business’s reputation on the line.

Your reputation is at stake 

Since 2018, the law has become stricter regarding the reporting of theft or loss of private data via cyber incidents. The current regime requires businesses to inform both the Office of the Australian Information Commissioner (OAIC) and any individuals that may be seriously harmed by the breach.

Of course “serious harm” is relative; it includes physical, financial, psychological, reputational and emotional harm. The seriousness is judged on a case-by-case basis, studying such things as:

  • The sensitivity of the private information that was compromised (name, date of birth, email, address, health information, payment details)
  • The security protections put in place to protect the data
  • The type of people who stole the data
  • The nature of the harm caused to the people whose data was compromised
  • How much of the harm can be prevented by remedial action from your business


In all those cases, you have to notify your customers. If your site has been hacked and all the contact details, names and passwords of your clients have been stolen, you have to send a warning to every person at risk and publish notice of the breach on your site.

This kind of publicity can be hard to recover from as trust is the most important and the hardest feeling to foster in customers.

How to Notify Affected People of a Cyber Breach

Human errors can cause data breaches

It’s important to note that breaches are not limited to malicious attacks but also include human and system negligence. Common problems that you might have to inform clients about, and that could greatly diminish your trustworthiness, are:

  • Losing your laptops or getting your hard drives stolen
  • Giving an unauthorised employee access to sensitive data
  • Sending an email or forwarding information to the wrong person

In some cases, you can take action to stop the breach in its tracks. But that takes fast thinking, and a plan can help you there.

Do you have a plan to mitigate the risks of data breaches?

Accidents happen. Cyber attacks will prod at your business and test your defences. What is essential is to know where you stand, see how much you can prevent and be prepared. 

For that you want to:

  • Get a Cyber Security Audit
  • Hold regular training for staff
  • Assign a person or team the responsibility of updating security plans, running training and keeping informed through the ACSC.
  • Write “Data Breach Response Guidelines” in clear language, covering various scenarios.

What A Data Breach Plan Should Outline

Upgrade your defences.

The first step is to ask us for an Essential 8 Cybersecurity Audit.

Contact us

What is the Essential Eight?

There is a wide range of technical solutions to prevent malicious software attacks on your business, and the Australian Government prescribes eight essential mitigation strategies.

Essential 8 Mitigation Strategies For Cyber Security


The first phase of cybersecurity acts like a shield to block the brunt of the attack. Whether attacks start as phishing, hacking or malware, there are four protections to put in place:

1. Application control: This prevents unapproved and possibly harmful programs from installing and running on your computer system.

2. Configure Microsoft Office macro settings: With proper configuration, you should only allow trusted machines and individuals to access your business’ data from the internet.

3. Patch applications: Always use the latest version of an application. Patches serve to protect your technology from newly identified threats.

4. User application hardening: Block ads and similar content on the internet. Disable unneeded features across the various platforms you use, such as your web browser and Microsoft Office. The less open you are, the fewer points of entry there are for an attack on your business.


Limit Security Incidents

Sometimes you can’t prevent an attack, but you can make sure it doesn’t spread too far or result in stolen data. There are three mitigation strategies to put in place:

5. Restrict administrative privileges: Your operating system should be configured to only allow certain individuals to access sensitive information. Those administrative privileges should be regularly revalidated, and privileged accounts should not be used for casual web browsing, email checking, or while working remotely on an insecure Wi-Fi network.

6. Multi-factor authentication: Passwords are easily hacked. All of them should be made secure with extra identification proof, especially when working remotely or when trying to access important/sensitive data.

7. Patch operating systems: Always patch and update your computer and network devices to the latest operating system so they can be protected from the newest threats.


Data and System Recovery  

As a last resort, when you are attacked by ransomware or your data has been corrupted, all you can do is cut your losses and recover a previous version of your data. For that recovery to be successful you need:

8. A daily backup system: All your important new and changed data should be backed up. You want your software and configuration settings to be stored safely, disconnected from your system, so they are not at risk. Establish what your important/private data is and what the retention period should be for each type (finance might need to be stored for at least 7 years, while configuration settings need only 3 months). Regularly test restoring from your backups.
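As an added example (not code from the original post or from Boost IT), the checks item 8 describes can be scripted: a daily backup exists, retained history covers the period set per data type (the post’s 7 years for finance and 3 months for configuration), at least one copy is disconnected from the live system, and a restore has been tested recently. The catalogue records, the `customer` category and the 90-day restore-test window are constructed assumptions.

```python
from datetime import date

# Retention policy in days per data category. The finance and config figures
# come from the post; "customer" at one year is an assumed example category.
RETENTION_DAYS = {"finance": 7 * 365, "config": 90, "customer": 365}

# Constructed sample backup catalogue (not real data): one record per copy.
SAMPLE_CATALOGUE = [
    {"category": "finance", "taken": date(2017, 1, 15), "offline": True, "restore_tested": None},
    {"category": "finance", "taken": date(2024, 3, 1), "offline": True, "restore_tested": date(2024, 2, 20)},
    {"category": "config", "taken": date(2023, 11, 1), "offline": False, "restore_tested": None},
    {"category": "config", "taken": date(2024, 2, 25), "offline": False, "restore_tested": None},
    {"category": "customer", "taken": date(2024, 3, 2), "offline": True, "restore_tested": date(2024, 3, 1)},
]
SAMPLE_TODAY = date(2024, 3, 2)


def check_backups(catalogue, policy, today, restore_test_max_age=90):
    """Return a list of policy findings; an empty list means every check passed."""
    findings = []
    for category, keep_days in policy.items():
        copies = [c for c in catalogue if c["category"] == category]
        if not copies:
            findings.append(f"{category}: no backups at all")
            continue
        # Daily backup: the newest copy must be no more than one day old.
        newest_age = (today - max(c["taken"] for c in copies)).days
        if newest_age > 1:
            findings.append(f"{category}: newest backup is {newest_age} days old, daily backup missed")
        # Retention: the oldest copy still held must reach back the full policy period.
        oldest_age = (today - min(c["taken"] for c in copies)).days
        if oldest_age < keep_days:
            findings.append(f"{category}: retained history is {oldest_age} days, policy needs {keep_days}")
        # Offline copy: at least one copy must be disconnected from the live system.
        if not any(c["offline"] for c in copies):
            findings.append(f"{category}: no copy disconnected from the live system")
        # Restore test: a restore must have been exercised within the allowed window.
        tested = [c["restore_tested"] for c in copies if c["restore_tested"]]
        if not tested or (today - max(tested)).days > restore_test_max_age:
            findings.append(f"{category}: no restore test in the last {restore_test_max_age} days")
    return findings


def run_sample():
    """Run the policy check over the constructed catalogue."""
    return check_backups(SAMPLE_CATALOGUE, RETENTION_DAYS, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample data, finance passes every check, config fails three (stale, no offline copy, never restore-tested) and customer fails only the retention check.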

The 8 strategies are proven to be effective, and the government recommends them to all businesses, no matter their size. Small businesses might not have the means to run all 8 at their peak, but there are a few protections you should prioritise.


What are the 3 protections you cannot do without? 

1. Use Microsoft 365 to mitigate risks

Microsoft 365 offers a sophisticated and comprehensive range of cybersecurity tools. It can become your most effective protection if properly configured. An IT specialist should set it up to fit your business’ needs.

2. A Cloud-managed antivirus with patch management

Everybody is now on the cloud, and if you don’t have the appropriate antivirus you are at greater risk. Keeping your software updated is also essential, as any machines not up to date are more vulnerable to malicious code.

3. Multifactor authentication

Relying on a single password is not safe anymore. It only takes 5 seconds to crack an 8-character lower-case password by brute force, and most people reuse the same password across a variety of platforms. Adding an extra authentication method makes it almost impossible to break through.

3 key small business cyber security steps

What should you do if your small business is compromised?

If you take away one thing from this article, it’s the following recommendation: prevention and planning ahead can save you a costly recovery.

No matter how big your business is, you should be prepared for malicious or human error data breaches. Always have backups and plans in place for the eventuality of a cyber threat. 

And if something goes wrong, tell your customers honestly. Transparency is key to trust. Rebuilding confidence in your brand is possible when people know you are working at improving and see you go out of your way to ensure their safety.

Be reactive when there is an issue you cannot solve. Call a specialist to make sure your business is adequately protected and you are covering all your bases. 


Do you need help securing your systems?

Boost IT can help you identify the weak points of your IT and draft a plan of action.

Contact us