Why this matters

Most attacks succeed by exploiting basics, not by being sophisticated

The picture of a hacker breaking through advanced defences is a movie scene, not the typical attack on an Australian small or medium business. The real attacks are dull and effective: a guessed password, an unpatched system, a phishing email someone clicked, a backup that was never tested. Closing these five basics removes the most common attack paths and dramatically reduces the chance of a damaging incident.

The five basics on this page are the same foundation recommended by the Australian Cyber Security Centre. We have rewritten the guidance for business owners in plain English, with the practical implications a business needs to act on.

The five

The cyber security basics, in order

Each of these is meaningful on its own. Together they close most of the common attack paths.

01

Use passphrases, not passwords

A passphrase is four or more random words strung together, for example "cricket bridge yellow taxi". It is longer than a complex password, far harder for software to crack, and far easier to remember than a string of symbols.

The business action:

  • Require passphrases of at least 14 characters on staff accounts
  • Never reuse passphrases across business and personal services
  • Use a password manager so people do not have to remember dozens of them
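To make the "four or more random words" rule concrete, here is a small passphrase generator added to this page as an illustration (it is not Agile IT's tooling). It draws words with Python's cryptographic random source rather than the ordinary `random` module, checks the two policy rules above (at least four words, at least 14 characters), and shows how much guessing work a passphrase represents. The word list is a constructed stand-in; a real generator should use a large published list such as the EFF long list (7,776 words), whose size is assumed in the entropy example.

```python
import math
import secrets

# Constructed mini word list for illustration only. Use a large published
# list (e.g. the EFF long list, 7,776 words) in practice.
WORDS = [
    "cricket", "bridge", "yellow", "taxi", "harbour", "pencil", "glacier",
    "magnet", "velvet", "tunnel", "orbit", "lantern", "copper", "meadow",
    "saddle", "whisper", "anchor", "feather", "granite", "island",
]

MIN_WORDS = 4     # the page's "four or more random words"
MIN_LENGTH = 14   # the page's minimum passphrase length


def generate_passphrase(words=WORDS, count=MIN_WORDS, min_length=MIN_LENGTH, sep=" "):
    """Return `count` words chosen independently with a CSPRNG.

    secrets.choice is used deliberately: random.choice is predictable and
    must not be used for anything that protects an account. If the chosen
    words happen to be too short to reach min_length, draw again.
    """
    while True:
        phrase = sep.join(secrets.choice(words) for _ in range(count))
        if len(phrase) >= min_length:
            return phrase


def entropy_bits(word_count, list_size):
    """Guessing entropy in bits for word_count independent picks from a
    list of list_size words: each word adds log2(list_size) bits."""
    return word_count * math.log2(list_size)


def meets_policy(phrase, min_words=MIN_WORDS, min_length=MIN_LENGTH):
    """True if the phrase satisfies both rules: enough words and enough characters."""
    return len(phrase) >= min_length and len(phrase.split()) >= min_words


if __name__ == "__main__":
    p = generate_passphrase()
    print(p, "meets policy:", meets_policy(p))
    # Four words from a 7,776-word list is about 51.7 bits of entropy,
    # far more than a short "complex" password like Tr0ub4dor&3.
    print("4 words from EFF long list:", round(entropy_bits(4, 7776), 1), "bits")
```

The length floor is a backstop, not the real source of strength: the strength comes from the number of words and the size of the list they are drawn from, which is why the words must be chosen at random rather than by the user.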
02

Turn on multi-factor authentication (MFA)

MFA asks for a second proof of identity when you log in, usually a code from an authenticator app or a tap on your phone. It defeats most common attacks even if your password is stolen. It is the single highest-impact security control most businesses have not yet enabled everywhere.

The business action:

  • Enable MFA on email, Microsoft 365 / Google Workspace, banking, payroll
  • Use an authenticator app (Microsoft Authenticator, Google Authenticator) over SMS where possible
  • Make it a requirement for every staff account, not an opt-in
03

Keep everything updated

Most successful attacks exploit known vulnerabilities that already have a patch available. The window between a vulnerability being publicly known and being weaponised is often days, sometimes hours. Updates close the door before attackers walk through it.

The business action:

  • Turn on automatic updates for operating systems and applications
  • Apply critical patches to internet-facing systems within 48 hours
  • Replace devices and software that are no longer receiving security updates
04

Back up regularly, and test the restore

A backup you have never restored from is a hope, not a backup. When ransomware or hardware failure hits, the difference between a few hours of disruption and a multi-day business-stopping incident is the quality of your backups and whether you can actually recover from them.

The business action:

  • Back up everything important at least daily
  • Follow the 3-2-1 rule: three copies, two different media, one offsite or offline
  • Test a restore quarterly. If you have never done one, do one now.
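"Test the restore" means more than seeing files appear: you need proof that what came back is what went in. The script below, added to this page as a worked example and not Agile IT's own tooling, runs a complete drill on constructed sample data: record a SHA-256 manifest of the source, back it up to an archive, restore into a fresh directory, and compare the restored files against the manifest. It also shows what a failed restore looks like by deliberately damaging the restored copy. The file names and contents are made up for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source, archive):
    """Write a compressed tar of `source`; return the manifest taken at backup
    time, which is the record the restore will be checked against."""
    source = Path(source)
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())
    return manifest(source)


def restore(archive, target):
    """Extract the archive into `target`, refusing path-traversal entries where
    the Python version supports the 'data' extraction filter."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(target)


def verify_restore(expected, restored_root):
    """Compare the restored tree with the backup-time manifest. A restore is
    only proven when all three lists are empty."""
    actual = manifest(restored_root)
    return {
        "missing": sorted(k for k in expected if k not in actual),
        "corrupted": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "extra": sorted(k for k in actual if k not in expected),
    }


def make_sample_data(root):
    """Constructed stand-in for business data (not real files)."""
    root = Path(root)
    (root / "accounts").mkdir(parents=True)
    (root / "accounts" / "ledger.csv").write_text("date,amount\n2024-07-01,1200.00\n")
    (root / "clients.txt").write_text("Acme Pty Ltd\nBeta Co\n")


def run_sample_drill(tamper=False):
    """Full drill on the sample data. With tamper=True the restored copy is
    damaged after extraction to show how verification reports a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, archive, restored = tmp / "source", tmp / "backup.tar.gz", tmp / "restored"
        make_sample_data(source)
        expected = backup(source, archive)
        restore(archive, restored)
        if tamper:
            (restored / "clients.txt").write_text("Acme Pty Ltd\n")   # altered
            (restored / "accounts" / "ledger.csv").unlink()          # lost
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean restore:", run_sample_drill())
    print("damaged restore:", run_sample_drill(tamper=True))
```

In a real drill the archive should come from the offsite or offline copy, not the live system, and the restore should land on a different machine from the one that took the backup; otherwise the test proves only that the local disk still works.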
05

Recognise scams and phishing

Phishing emails, fake invoices, business-email-compromise calls and SMS scams are still the easiest way attackers get in. The technical controls help, but a team that recognises a suspicious message and knows what to do is the difference between a click that costs nothing and a click that costs a six-figure incident.

The business action:

  • Brief the team on red flags: urgency, unexpected payment requests, sender addresses that look slightly off
  • Verify any payment-detail change request by phone, on a known number, never by reply
  • Make it safe to report a suspicious message without blame
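The red flags in the briefing can also be checked by software before a message reaches an inbox. The checker below is an added example (not Agile IT's email filtering) that reads two constructed emails and reports the flags listed above: a sender domain that is a lookalike of a real one (including swaps such as "rn" for "m" or "0" for "o"), a Reply-To that diverts replies elsewhere, urgency language, and a request to change payment details. The domains, names and message text are all invented for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the business trusts (constructed for the example).
KNOWN_DOMAINS = {"agileit.com.au", "acmeltd.com.au"}


def normalise(domain):
    """Undo common look-alike substitutions so 'acrneltd' reads as 'acmeltd'."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Return the trusted domain this one imitates, or None. Distance <= 2 is
    a heuristic: tight enough for these domains, tune it for short ones."""
    if domain in known:
        return None
    nd = normalise(domain)
    for k in sorted(known):
        if nd == k or edit_distance(domain, k) <= 2:
            return k
    return None


def red_flags(raw_email):
    """Return the list of warning signs found in a single-part text email."""
    msg = message_from_string(raw_email)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    flags = []
    target = lookalike_of(from_domain)
    if target:
        flags.append("sender domain %s looks like %s" % (from_domain, target))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        flags.append("replies go to %s, not the sender" % reply_to)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if re.search(r"\b(urgent|immediately|today|within 24 hours)\b", text):
        flags.append("urgency language")
    if re.search(r"(new|updated|changed) (bank|account|payment) details", text) or "bsb" in text:
        flags.append("payment-detail change request: verify by phone on a known number")
    return flags


# Constructed sample messages.
SUSPICIOUS = """\
From: Jane Smith <accounts@acrneltd.com.au>
Reply-To: jane.smith.accounts@gmail.com
Subject: URGENT: updated bank details for invoice 4471
To: payables@agileit.com.au

Hi, please note our updated bank details (BSB 012-345) before paying invoice 4471 today.
"""

LEGIT = """\
From: Jane Smith <accounts@acmeltd.com.au>
Subject: Invoice 4471
To: payables@agileit.com.au

Hi, attached is invoice 4471, due in 30 days as usual. Thanks.
"""

if __name__ == "__main__":
    for name, mail in (("suspicious", SUSPICIOUS), ("legitimate", LEGIT)):
        print(name, "->", red_flags(mail) or "no flags")
```

None of these checks replaces the phone call: a genuine supplier whose mailbox has been taken over will send from the right domain with no flags at all, which is exactly why a payment-detail change is verified out of band every time.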
06

When the basics are not enough

The five above are foundational. For a business with employees, client data, regulatory obligations or cyber-insurance requirements, you also need a defined policy, technical controls implemented and maintained, and alignment to a framework. That is where ASD Essential Eight and SMB1001 come in.

How Agile IT helps

The basics, deployed and maintained, not just listed

Reading a list of cyber security basics is one thing. Having all five reliably in place across every staff member, every device, every system the business depends on, week after week, is a different exercise.

Within every AgileSECURE engagement, we deploy and manage the technical side of these basics (MFA enforcement, patching, backups, email filtering) and provide the policy and team training that makes the human side stick. The basics get put in once and stay in place, even as your team grows and the threat landscape changes.

The basics are not "set and forget". They are "set, maintained, and measured"; that is the difference between knowing what good looks like and actually having it.

Questions

Common questions about the basics

What is a passphrase and why is it better than a complex password?
A passphrase is four or more random words strung together (for example "cricket bridge yellow taxi"). It is far longer than a complex password, far harder for software to guess, and far easier for a human to remember. The Australian Cyber Security Centre recommends passphrases over short complex passwords as the more secure approach.
Where should we turn on MFA first?
Email, Microsoft 365 or Google Workspace, banking, payroll, accounting software, and any cloud platform that holds client data. Email is the highest priority because email access often allows an attacker to reset other passwords.
How often should we back up our data?
At least daily for anything you cannot afford to lose, and more frequently for high-change data such as accounting and CRM systems. The backup must be tested: a backup that has never been restored from is a hope, not a backup.
Are these basics enough on their own?
For an individual or a very small team, yes, these five basics close most of the common attack paths. For a business with staff, client data, or regulatory obligations, the basics are necessary but not sufficient. You also need a documented policy, technical controls deployed and maintained by someone accountable, and ideally alignment to a recognised framework like SMB1001 or the ASD Essential Eight.
How is this different from the ASD Essential Eight or SMB1001?
The basics on this page are the foundation that everyone, individual or business, should have in place. The ASD Essential Eight is a more technical framework of eight specific mitigation strategies with three maturity levels, derived from Australian government practice. SMB1001 is a broader maturity framework built specifically for Australian small and medium business. The basics get you started; the frameworks give you a measurable, structured posture.
We use Microsoft 365, does it have these controls built in?
Yes, Microsoft 365 includes the technical controls for every one of these basics: MFA, conditional access, OneDrive and SharePoint versioning and retention (a safety net, not a substitute for an independent backup), Defender for email, and automatic updates. The platform has them. Whether they are configured correctly, enforced across every account, and actually working is a different question, and the most common gap we find in environments we audit.

Want to know where your business stands?

The free 30-minute Security Review walks through where you are against SMB1001 Silver, no tools, no system access, no jargon. A practical way to find out which basics are in place and which are not.

Book a Security Review
1300 859 910 Book a Conversation