Cyber security programs do not need to be complex to be effective. The controls that address the majority of cyber risk facing Australian small businesses are well understood, increasingly well-supported by the tools in the ecosystem, and achievable without enterprise resources. This checklist covers the essentials.
Identity and Access
MFA enforced for all users on all systems, not just Microsoft 365. Legacy authentication protocols blocked, since they bypass MFA entirely. Access policies requiring compliant (managed, encrypted, patched) devices before corporate data can be reached. Administrative accounts separated from daily-use accounts, with admin accounts used for nothing else. Privileged account access reviewed quarterly. Off-boarding procedures including same-day access revocation: account disabled, active sessions revoked, MFA methods and enrolled devices removed.
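The first two identity controls can be audited from the tenant itself rather than taken on trust. The script below is an added example, not IronSights' code or a Microsoft-supplied tool. It assumes the Microsoft.Graph PowerShell module is installed and the signed-in account can read Conditional Access policies (Policy.Read.All); policy names and results are whatever your tenant returns.

```powershell
# Added example: audit Entra ID for "MFA for all users" and "legacy auth blocked".
# Assumes Microsoft.Graph module and Policy.Read.All; nothing here is tenant-specific.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

# Tenants without Conditional Access (Entra ID Free) rely on Security Defaults,
# which require MFA and block legacy auth without any custom policies.
$secDefaults = (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled

# Only enabled policies enforce anything; report-only and disabled ones do not.
$policies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' }

# Control 1: MFA (or an authentication strength) required for all users on all apps.
# A policy that scopes to 'All' users/apps but excludes break-glass accounts still matches;
# review the exclusions by hand.
$mfaAll = $policies | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or
     -not [string]::IsNullOrEmpty($_.GrantControls.AuthenticationStrength.Id))
}

# Control 2: legacy authentication blocked. Legacy clients appear as the
# 'exchangeActiveSync' and 'other' client app types; the standard fix is a
# policy that selects those and grants 'block'.
$legacyBlock = $policies | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}

[pscustomobject]@{
    SecurityDefaultsEnabled = [bool]$secDefaults
    MfaForAllUsers          = ([bool]$secDefaults -or [bool]$mfaAll)
    LegacyAuthBlocked       = ([bool]$secDefaults -or [bool]$legacyBlock)
    MfaPolicies             = ($mfaAll.DisplayName -join '; ')
    LegacyBlockPolicies     = ($legacyBlock.DisplayName -join '; ')
}
```

Treat a "true" here as a starting point, not a pass: the script checks that a policy exists and is enabled, not that its exclusions are sensible, and it says nothing about systems outside Microsoft 365, which the checklist also requires to enforce MFA.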
Endpoint Security
Microsoft Defender for Business or an equivalent endpoint detection and response product active on all managed devices. Disk encryption enabled on all laptops, with recovery keys escrowed centrally rather than left with the user. Endpoint patch compliance monitored and reported. Mobile device management (Intune) for all corporate mobile devices. Personal device MAM policies for staff using personal phones for work email, so that corporate data can be wiped without touching the rest of the phone.
Email Security
Email authentication records configured and enforced for every sending domain, so spoofed mail is rejected rather than merely flagged. Safe Links and Safe Attachments active in Defender for Office 365. Anti-phishing policies configured, including impersonation protection for executives and finance staff. Unified Audit Logging enabled with 180-day retention. Staff trained on current phishing techniques including AI-generated and QR code lures.
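Two of the email controls can be checked from Exchange Online PowerShell. The script below is an added example and not IronSights' code; it assumes the ExchangeOnlineManagement module, an account that can read protection policies, and a Defender for Office 365 licence (the Safe Links and Safe Attachments cmdlets are absent without one). It does not check audit log retention, which lives in the Security & Compliance portal rather than these cmdlets.

```powershell
# Added example: confirm Unified Audit Logging and Safe Links / Safe Attachments.
# Assumes ExchangeOnlineManagement module and Defender for Office 365 licensing.
Connect-ExchangeOnline -ShowBanner:$false

# Unified Audit Logging must be switched on before anything is recorded;
# it is not retroactive, so check it before you need it.
$auditOn = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

# Custom Safe Links / Safe Attachments rules. Only rules in the 'Enabled' state apply.
$safeLinks  = Get-SafeLinksRule      | Where-Object { $_.State -eq 'Enabled' }
$safeAttach = Get-SafeAttachmentRule | Where-Object { $_.State -eq 'Enabled' }

# The Built-in protection preset also applies Safe Links / Safe Attachments
# to all recipients, but shows up under its own cmdlet rather than as a rule.
$builtIn = Get-ATPBuiltInProtectionRule

[pscustomobject]@{
    UnifiedAuditLogEnabled  = [bool]$auditOn
    SafeLinksRules          = ($safeLinks.Name -join '; ')
    SafeAttachmentRules     = ($safeAttach.Name -join '; ')
    BuiltInProtectionState  = $builtIn.State
    # Domains and recipients each rule covers; gaps here mean unprotected mailboxes.
    SafeLinksScope          = ($safeLinks | ForEach-Object { $_.RecipientDomainIs } | Sort-Object -Unique) -join ', '
}
```

A rule that is enabled but scoped to one domain or one group leaves everyone else unprotected, which is why the scope column is there; compare it against every accepted domain in the tenant, not just the primary one.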
Backups
Daily backups of all important data. At least one copy offline or immutable, so that ransomware which reaches the network cannot encrypt or delete it. Microsoft 365 data backed up by a third-party solution, because Microsoft retention is not a backup: deleted or encrypted mail and files are only recoverable within the retention window. Restoration tested at least quarterly with results documented, including how long a full restore actually takes.
Patching
Operating system patches applied within one month. Application patches applied within two weeks. Extreme-risk patches (actively exploited, or affecting internet-facing services) applied within 48 hours. Asset register maintained so nothing is missed. Network appliance firmware (firewalls, VPN gateways, routers) actively monitored for security updates, since these devices are internet-facing and rarely update themselves.
Incident Response Plan
Written incident response plan, stored somewhere reachable when the network and email are down. Key contacts documented (insurer, legal counsel, IT provider, report line). Plan tested annually with a tabletop exercise. Staff aware of their role in the plan.
Where do we start if we have none of this in place?
Start with MFA. It provides the most risk reduction for the effort. Then work through the identity and access controls before moving to endpoint and email. A structured gap assessment provides a prioritised roadmap calibrated to your specific environment. IronSights' Fortify service delivers exactly that — contact us to get started.