ACSC Small Business Cyber Security Guide: What Is Actually Useful

The Australian Cyber Security Centre publishes a Small Business Cyber Security Guide. It is free, authoritative, and most small businesses have never read it. Here is what it contains and which parts deserve your attention.

By Ryan Balloot, Managing Director | 3 July 2023 | 1 min read

The Australian Cyber Security Centre publishes a Small Business Cyber Security Guide targeted specifically at organisations without dedicated security staff. It is free, publicly available, and written in language that does not require a technical background. Most small business owners have not read it.

What the Guide Covers

The guide focuses on six practical areas: backing up data, updating devices and software, enabling MFA, using passphrases, recognising and responding to scams, and securing staff access. Each section provides specific, actionable guidance rather than abstract principles.

The Backup Guidance Is Better Than Most

The ACSC recommends the 3-2-1 rule: three copies of data, on two different media types, with one copy stored offsite. Critically, the guide emphasises testing restoration — a backup that has never been restored from is an unknown quantity. For ransomware resilience, at least one copy should be offline or immutable.

The MFA Section Understates Urgency

The guide recommends MFA for important accounts. This understates the situation. In 2023, MFA should be enforced for every account with access to business systems, not just the most important ones. The ACSC guidance is a floor, not a ceiling.

Where to Go Beyond the Guide

The Small Business Guide is a starting point. Businesses that have worked through its recommendations should move on to the Essential Eight — which addresses additional controls around application management, administrative privileges, and patching cadence that the Small Business Guide does not cover in depth.

Where can I find the ACSC Small Business Guide?

The guide is available at cyber.gov.au — the ACSC's public-facing portal. The same site hosts alerts and advisories for current threats, a breach reporting tool, and guidance specific to various sectors and business types.
