Is Your Small Business Prepared For A Cyber-Attack? Here’s How To Secure Your Sensitive Data In 3 Simple Steps

In our increasingly connected world, small businesses are no longer immune to cyber threats. In fact, many attackers see small businesses as “low-hanging fruit”: less IT overhead, often weaker security, but still with valuable data. If you haven’t thought through your cyber-preparedness, now’s the time. Here are three foundational steps to help you protect your sensitive data and give you peace of mind.

Step 1: Lock down access – use strong credentials & multi-factor authentication

Weak or compromised credentials are the entry point in many breaches. It doesn’t have to be sophisticated: attackers often get in through reused passwords, guessable login details, or accounts with no second factor. To strengthen this:

  • Strong, unique passwords – Require every user and account to have a long, unique password or passphrase. Length and uniqueness matter more than forcing a mix of symbols, and a password manager is what makes unique passwords practical. Never reuse a password across different systems.
  • Multi-factor authentication (MFA) – Enable MFA wherever it is offered, starting with email, remote access and admin accounts. Prefer an authenticator app or a hardware security key; SMS codes are weaker (they can be intercepted or redirected by SIM-swap fraud) but are still far better than a password alone.
  • Limit shared accounts – If several people use the same login, you lose visibility over who did what, and you cannot revoke one person’s access without resetting everyone’s. Give each person their own account, and review permissions regularly, especially when someone leaves.
  • Least privilege – Grant only the access each person needs to do their job. Admin or privileged access should be tightly controlled, kept in separate accounts where possible, and always protected by MFA.

These are fairly low-cost changes but very high value when it comes to reducing your risk. They’re also in line with what the Australian Cyber Security Centre recommends for small businesses.
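
The checks above are the kind of thing you can run over a user export from your email or identity platform. The following is an added example (not code from this article or from Granite IT): it takes a constructed CSV export with assumed column names (user, role, mfa_enabled, shared, last_login, status), a constructed leavers list and an assumed 90-day dormancy threshold, and reports accounts that are still enabled after someone left, accounts without MFA (worst when privileged), shared logins, and dormant accounts, worst first.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample user export (not real data). The columns resemble what a
# Microsoft 365 or Google Workspace user export gives you, but the exact column
# names here are an assumption for this example.
SAMPLE_EXPORT = """\
user,role,mfa_enabled,shared,last_login,status
alice@example.com.au,admin,yes,no,2024-05-20,active
bob@example.com.au,user,no,no,2024-05-19,active
reception@example.com.au,user,no,yes,2024-05-21,active
carol@example.com.au,admin,no,no,2024-01-03,active
dave@example.com.au,user,yes,no,2023-11-30,active
erin@example.com.au,user,yes,no,2024-05-18,active
"""

# Constructed leavers list: people HR says no longer work at the business.
LEAVERS = {"dave@example.com.au"}

# Fixed review date so the constructed sample gives repeatable results.
REVIEW_DATE = date(2024, 5, 22)

STALE_DAYS = 90  # assumed threshold: no login for this long counts as dormant
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def review_accounts(export_csv, leavers, today=None, stale_days=STALE_DAYS):
    """Run the access-review checks over a user export.

    Returns a list of findings (dicts with user, check, severity, detail),
    sorted so the highest-severity items come first.
    """
    today = today or date.today()
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["user"].strip().lower()
        enabled = row["status"].strip().lower() == "active"
        privileged = row["role"].strip().lower() == "admin"
        mfa = row["mfa_enabled"].strip().lower() == "yes"
        shared = row["shared"].strip().lower() == "yes"
        last_login = datetime.strptime(row["last_login"].strip(), "%Y-%m-%d").date()
        idle_days = (today - last_login).days

        # Leavers: the account must be disabled the day they go, not at the next review.
        if enabled and user in leavers:
            findings.append(dict(user=user, check="leaver", severity="high",
                                 detail="still enabled after departure; disable it now"))
        # MFA: missing everywhere is bad; missing on an admin account is the top priority.
        if not mfa:
            findings.append(dict(user=user, check="mfa",
                                 severity="high" if privileged else "medium",
                                 detail="privileged account without MFA" if privileged
                                 else "MFA not enabled"))
        # Shared logins: no record of who did what, and no way to remove one person.
        if shared:
            findings.append(dict(user=user, check="shared", severity="medium",
                                 detail="shared login; give each person their own account"))
        # Dormant accounts are a quiet way in; confirm each one is still needed.
        if enabled and idle_days > stale_days:
            findings.append(dict(user=user, check="stale", severity="low",
                                 detail=f"no login for {idle_days} days; confirm it is still needed"))

    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_EXPORT, LEAVERS, today=REVIEW_DATE):
        print(f"[{f['severity']:6}] {f['user']:26} {f['check']:7} {f['detail']}")
```

Run it monthly against a fresh export, and again the same day anyone leaves; the leaver check only works if the leavers list is actually kept up to date.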

Step 2: Keep everything up-to-date & back up your data

Unpatched vulnerabilities in operating systems, applications and devices are one of the most common ways attackers gain entry. Without regular updates, you’re leaving doors unlocked. Likewise, even with the best prevention, things can still go wrong, so backups are essential.

  • Apply software & firmware updates promptly – This includes operating systems (Windows, macOS, Linux), business-critical applications (e.g. accounting, CRM), and less obvious software such as browser extensions and the firmware on network devices (routers, firewalls, Wi-Fi access points). Automate updates where possible, and prioritise anything reachable from the internet.
  • Patch known vulnerabilities – Watch vendor and security alerts for the tools you use. When a patch is released, schedule it promptly so your systems aren’t left exposed; a fix for an actively exploited flaw in an internet-facing system should not wait for the next routine maintenance window.
  • Regular backups – Use the 3-2-1 rule: three copies of your data, on two different types of media, with one copy offsite. For example: your live data, a local backup to an external drive or NAS, and a cloud or offsite physical backup. Make sure at least one copy is offline or immutable (not permanently mounted or writable from your network), because ransomware will encrypt or delete any backup it can reach.
  • Test restore from backup – A backup is only good if you can restore from it. Regularly restore a sample of files (and occasionally a whole system) to confirm the data is intact and to learn how long recovery actually takes, so you’re not caught out in an emergency.

These practices protect you not just in the event of a malicious attack, but also in hardware failures, accidental deletion, or natural disasters.
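
The backup and test-restore bullets above can be made mechanical. The following is an added example (not code from this article or from Granite IT) that archives a folder to a tarball, writes a manifest of per-file SHA-256 hashes beside it, then performs a test restore into a scratch directory and compares every restored file against the manifest. It also shows the failure mode a test restore exists to catch: a backup job that died half-way, simulated here by truncating the archive. The folder layout, file contents and the `nightly` name are constructed for the example; where the copies go (second media, offsite, offline) is up to your backup tool, and this script does not do that part.

```python
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, backup_dir, name):
    """Archive source_dir to backup_dir/<name>.tar.gz and write a manifest of
    per-file SHA-256 hashes beside it. Returns (archive_path, manifest_path)."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"{name}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    manifest_path = backup_dir / f"{name}.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def verify_restore(archive, manifest_path):
    """Test restore: extract the archive into a scratch directory and compare
    every file with the manifest. Returns a list of problems; empty means the
    restore test passed."""
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    # The "data" extraction filter (Python 3.12, backported to
                    # 3.8.17/3.9.17/3.10.12/3.11.4) refuses members that would land
                    # outside the destination (e.g. "../" names or links), so a
                    # tampered archive cannot write elsewhere on the machine.
                    tar.extractall(scratch, filter="data")
                except TypeError:
                    tar.extractall(scratch)  # older Python without the filter argument
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = {p.relative_to(scratch).as_posix(): sha256_file(p)
                    for p in Path(scratch).rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != expected:
            problems.append(f"content changed: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo():
    """Back up a constructed 'live' folder, prove the restore works, then
    truncate the archive (a backup job that died half-way) and show the restore
    test catching it. Returns (problems_intact, problems_truncated)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        live = work / "live"  # constructed sample data, not real records
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2024-05-01,120.50\n")
        (live / "clients.txt").write_text("Example Pty Ltd\n")
        archive, manifest = make_backup(live, work / "backups", "nightly")
        intact = verify_restore(archive, manifest)
        with open(archive, "r+b") as f:
            f.truncate(archive.stat().st_size // 2)
        truncated = verify_restore(archive, manifest)
        return intact, truncated


if __name__ == "__main__":
    intact, truncated = demo()
    print("intact backup   :", intact or "restore verified")
    print("truncated backup:", truncated)
```

The manifest is what makes the test meaningful: without it, a restore that "succeeds" but silently yields stale or corrupted files looks exactly like a good one. Keep the manifest with the backup copy, not only on the live system it describes.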

Step 3: Make sure people know what to look for & plan for when things go wrong

Even the best technical controls can be undermined if your team doesn’t know the risks, or if you don’t have a plan for a breach. Building awareness and having a response plan are often what separate businesses that recover quickly from those that suffer long-term damage.

  • Staff training / awareness – Teach your people to spot phishing emails and suspicious attachments or links, and to verify any request to change bank details or make an urgent payment by phoning a known number, never by replying to the email. Run regular refreshers; don’t make it a one-off.
  • Establish policies & procedures – Define what “secure use” means in your business: rules around email, remote work, device usage, password sharing, data storage etc. Having clear processes helps everyone know what’s expected.
  • Incident response plan – Assume “when”, not “if”: plan in advance how you’d respond to a cyber incident. Include things like:
    1. Who to contact first (internal and external: IT support, lawyer, insurer)
    2. How to contain the incident (e.g. isolate affected devices from the network, disable compromised accounts and reset their passwords and active sessions)
    3. How to restore from backup, and how to communicate with customers, regulators, etc.
    4. Roles and responsibilities (who does what)
  • Stay informed – Keep up with threat alerts and guidance (e.g. from the ACSC and business.gov.au). Legal obligations such as data breach notification and privacy requirements change over time, so staying current helps you avoid surprises.

Why make these your priorities now?

  • Small breaches can escalate fast: loss of sensitive data, customer trust, legal/regulatory liability, service downtime, financial costs.
  • Many common attacks are opportunistic: they target easy vulnerabilities. If you close those off, you reduce your risk greatly.
  • Improving cyber resilience is not just defensive—it can be a competitive advantage. Clients & partners increasingly expect businesses to take data protection seriously.
  • Many of these steps are proportionate: you don’t need huge budgets. What matters is consistency and planning.

How Granite IT can help

At Granite IT we specialise in helping businesses throughout Forrestdale and the Perth region build robust, reliable and secure IT systems. Whether you need help auditing current systems, implementing backup strategies, setting up MFA, or putting together incident response plans, our team can guide you through practical, cost-effective solutions.

If you’d like, we can prepare a cybersecurity readiness check for your business to identify where you stand, what gaps exist, and how to address them. Contact us today to discuss how to make your business more resilient.