Australian Small Business Cyber Security Checklist 2025

A practical cyber security checklist for Australian small businesses in 2025 — aligned to ASD Essential Eight guidance, ACSC recommendations, and the current threat landscape. Not a compliance exercise. A starting point for real risk reduction.

By Ryan Balloot, Managing Director. 7 October 2025. 2 min read.

Cyber security programs do not need to be complex to be effective. The controls that address the majority of cyber risk facing Australian small businesses are well understood, increasingly well-supported by the tools in the Microsoft 365 ecosystem, and achievable without enterprise resources. This checklist covers the essentials.

Identity and Access

- MFA enforced for all users on all systems — not just Microsoft 365.
- Legacy authentication protocols blocked.
- Conditional Access policies requiring compliant devices for corporate data.
- Administrative accounts separated from daily-use accounts.
- Privileged account access reviewed quarterly.
- Off-boarding procedures including same-day access revocation.

Endpoint Security

- Microsoft Defender for Business or equivalent EDR active on all managed devices.
- Disk encryption enabled on all laptops.
- Endpoint patch compliance monitored and reported.
- Mobile Device Management (Intune) for all corporate mobile devices.
- Personal device MAM policies for staff using personal phones for work email.

Email Security

- SPF, DKIM, and DMARC configured and enforced.
- Safe Links and Safe Attachments active in Defender for Office 365.
- Anti-phishing policies configured.
- Unified Audit Logging enabled with 180-day retention.
- Staff trained on current phishing techniques, including AI-generated and QR code lures.
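"Configured and enforced" is the part of the SPF/DMARC item that most small businesses miss: a record that exists but ends in `~all` or carries `p=none` only monitors, it does not stop spoofed mail. The following is an added example, not code from the original post: it evaluates SPF and DMARC TXT records against that bar, using constructed records for the hypothetical domains `example.com` and `weak.example` in place of a live DNS lookup (DKIM is not checked here because it needs the sending selector name).

```python
# Constructed sample DNS TXT records for hypothetical domains. In practice
# these would come from DNS TXT lookups of "<domain>" and "_dmarc.<domain>".
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    "weak.example": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
}


def spf_enforced(txt):
    """True only when the SPF record ends in a hard fail ('-all')."""
    tokens = txt.split()
    return (
        len(tokens) >= 2
        and tokens[0].lower() == "v=spf1"
        and tokens[-1].lower() == "-all"
    )


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforced(txt):
    """True when the policy is quarantine/reject and applies to 100% of mail."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    return policy in ("quarantine", "reject") and pct == 100


def assess_domain(domain, records):
    """Return a list of findings; an empty list means SPF and DMARC are enforced."""
    spf = records.get(domain, "")
    dmarc = records.get(f"_dmarc.{domain}", "")
    findings = []
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF record missing")
    elif not spf_enforced(spf):
        findings.append("SPF not enforced (expected '-all')")
    if not dmarc:
        findings.append("DMARC record missing")
    elif not dmarc_enforced(dmarc):
        findings.append("DMARC not enforced (expected p=quarantine/reject at pct=100)")
    return findings
```

Running `assess_domain("weak.example", SAMPLE_RECORDS)` reports both the soft-fail SPF and the monitor-only DMARC policy, which is exactly the state a tenant is left in after the default Microsoft 365 domain setup until the records are tightened.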

Backups

- Daily backups of important data.
- At least one copy offline or immutable.
- Microsoft 365 data backed up by a third-party solution (not relying on Microsoft retention).
- Restoration tested at least quarterly, with results documented.

Patching

- Operating system patches applied within one month.
- Application patches applied within two weeks.
- Extreme-risk patches applied within 48 hours.
- Asset register maintained so nothing is missed.
- Network appliance firmware actively monitored for security updates.

Plan

- Written incident response plan.
- Key contacts documented (insurer, legal counsel, IT provider, ACSC report line).
- Plan tested annually with a tabletop exercise.
- Staff aware of their role in the plan.

Where do we start if we have none of this in place?

Start with MFA. It provides the most risk reduction for the effort. Then work through the identity and access controls before moving to endpoint and email. A structured Essential Eight gap assessment provides a prioritised roadmap calibrated to your specific environment. IronSights' Fortify service delivers exactly that — contact us to get started.
