Cyber attacks on small businesses aren’t rare events that happen to other people. They’re common, increasingly automated, and they don’t discriminate by industry. A one-person electrical business is as attractive a target as a mid-sized construction firm — arguably more so, because the attacker assumes it’s easier.

The good news is that the basics work. Most attacks succeed because of a small number of preventable failures. Fixing those failures doesn’t require a full-time IT person or an expensive security product.

The three things that stop most attacks

Multi-factor authentication on everything important

If you do one thing, do this. Multi-factor authentication (MFA) — also called two-step verification — means that even if someone gets your password, they can’t log in without also having access to your phone. It stops the overwhelming majority of account takeover attacks.

Turn it on for: your email, your cloud accounting software (Xero, MYOB, QuickBooks), your job management platform, your cloud storage, and any other account that holds client data or financial information. It takes ten minutes per account and is free on every major platform.

Backups you’ve actually tested

Ransomware — where an attacker encrypts your files and demands payment to restore them — is the most common serious attack on small businesses. The defence is simple: a backup that isn’t connected to your main system, is taken regularly, and that you’ve confirmed actually restores.

The “confirmed actually restores” part is what most people skip. A backup you’ve never tested is an assumption, not a safety net.

Cloud backup services like Backblaze, Acronis, or the built-in backup features in Microsoft 365 and Google Workspace handle this automatically once configured. If your files are in the cloud already (Google Drive, OneDrive, Dropbox), confirm that version history is turned on and that you can restore a previous version of a file.

Keeping software updated

A significant proportion of successful attacks exploit vulnerabilities in software that was already patched — meaning the vendor had already fixed the problem, but the target hadn’t installed the update. Turning on automatic updates for Windows, macOS, and your applications closes this gap without requiring you to think about it.

Email is where most attacks start

Phishing — emails designed to trick you into clicking a link or entering your credentials — is the most common entry point. The emails have gotten sophisticated. They no longer arrive from obviously fake addresses or contain obvious spelling errors.

The practical defence:

  • Be sceptical of any unexpected email asking you to log in, verify your account, or pay an invoice — even if it looks legitimate
  • If you’re not sure, go directly to the website rather than clicking the link in the email
  • Set your email to show sender email addresses in full, not just display names
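To illustrate the last point, here is an added example (not code from the original article) that pulls the display name and the real address apart in a From header and flags the two mismatches phishing relies on: a display name that contains a different address, and a display name that mentions a supplier whose domain doesn’t match. The trusted-domain list and the sample headers are constructed for this example.

```python
import email.utils
import re

# Domains of suppliers you actually deal with (assumed for this example).
TRUSTED_DOMAINS = {"xero.com", "myob.com", "quickbooks.intuit.com"}

# Constructed sample From headers, not taken from real mail.
SAMPLE_HEADERS = [
    "Xero Billing <billing@xero.com>",
    "Xero Billing <noreply@xero-invoices-secure.net>",
    '"accounts@myob.com" <attacker@example.org>',
    "Dave the Electrician <dave@sparky-electrical.com.au>",
]


def split_sender(header):
    """Return (display_name, address, domain) for a From header."""
    name, addr = email.utils.parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def flag_sender(header):
    """Return ('ok' | 'suspicious', reason) for one From header."""
    name, addr, domain = split_sender(header)
    if not domain:
        return "suspicious", "no usable sender address"
    # Rule 1: the display name itself looks like an address at another domain.
    claimed = re.search(r"@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != domain:
        return "suspicious", f"display name claims {claimed.group(1)}, address is {domain}"
    # Rule 2: the display name mentions a supplier but the address domain doesn't match.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # "xero", "myob", "quickbooks"
        if brand in name.lower() and domain != trusted and not domain.endswith("." + trusted):
            return "suspicious", f"display name mentions {brand}, address domain is {domain}"
    return "ok", f"{name or addr} from {domain}"


if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        verdict, reason = flag_sender(raw)
        print(f"{verdict:10} {raw!r}: {reason}")
```

Mail clients that show the full address are doing the first half of this for you; the check only makes explicit what you should be looking at.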

What the law says

Under the Privacy Act 1988, any Australian business that holds personal information about clients has obligations around how that information is stored and protected. The Cyber Security Act 2024 introduced further requirements for critical infrastructure, but its baseline principles apply broadly.

If your job management software holds client names, addresses, and contact details — which it does — you have legal obligations around protecting that data. MFA and regular backups aren’t just good practice, they’re part of meeting those obligations.

The realistic starting point

  1. Turn on MFA for email and your main business software — today
  2. Confirm your cloud files have version history or an automatic backup running
  3. Make sure your devices are set to update automatically

If you’ve done those three things, you’re ahead of most small businesses. If you want a proper assessment of where you stand — or you’re not sure whether your current setup is adequate — get in touch and we’ll give you a straight answer.