Most cyberattacks don't target large enterprises. They target businesses that haven't covered the basics. Here's what every Tasmanian SMB should have in place and how to find out where you actually stand.
Cybersecurity has a reputation for being complicated, expensive, and the domain of large organisations with dedicated IT teams. That reputation is both outdated and dangerous. The businesses that suffer most from cyber incidents are small and mid-sized ones, precisely because they assume they aren't worth targeting.
The reality in 2026 is that the majority of attacks are automated and opportunistic. Attackers aren't singling out your business. They're scanning for gaps at scale, and acting on whatever they find. The good news is that closing the most common gaps doesn't require an enterprise budget. It requires discipline and the right fundamentals.
This checklist covers the areas that matter most for a Tasmanian SMB.
1. Identity and Access Management
The most common entry point for a breach isn't malware. It's a compromised credential. A staff member's password gets phished, purchased from a data breach list, or simply guessed, and an attacker walks in through the front door.
The baseline here is straightforward:
- Multi-factor authentication (MFA) should be enforced on every account that has access to business data: email, cloud storage, finance systems, everything. A stolen password is useless without the second factor.
- Unique passwords for every system, managed through a business password manager. Shared passwords and recycled credentials are among the most persistent risks in small business environments.
- Principle of least privilege: staff should only have access to the systems and data their role requires. An accounts payable officer doesn't need access to your server infrastructure.
2. Patching and Updates
Unpatched software is one of the most exploited attack vectors in existence and one of the most preventable. When a vulnerability is disclosed, attackers move fast. Businesses that are slow to patch are easy targets.
This means:
- Operating systems, applications, and firmware should be patched promptly, ideally through an automated patch management process that doesn't rely on individual staff remembering to update.
- End-of-life software (anything no longer receiving security updates) should be treated as a liability and replaced. Windows 10 reached end of life in October 2025. If you still have machines running it, that's an active risk.
- Network devices, including routers, switches, and firewalls, are frequently overlooked. They need firmware updates too.
3. Endpoint Protection
Antivirus software alone is no longer sufficient. Modern endpoint protection platforms (EPP) and endpoint detection and response (EDR) tools go beyond signature-based detection to identify behavioural threats, including fileless attacks and ransomware that traditional antivirus misses.
Every device that connects to your business network, including personal devices used for work, should have appropriate protection in place.
4. Backups
Ransomware doesn't always need to be stopped to be survivable. Organisations with clean, tested, offline backups can recover from an attack without paying a ransom. Organisations without them often cannot.
A solid backup posture means:
- Regular backups of all critical data, daily as a minimum.
- Offsite or cloud storage: backups stored only on the same network as the production environment can be encrypted along with everything else.
- Tested restores: a backup you haven't tested is an assumption, not a safety net. Restoration should be verified regularly.
- Immutable backups: backup copies that cannot be modified or deleted, even by an attacker with admin credentials.
5. Email Security
Email remains the primary delivery mechanism for phishing attacks, business email compromise, and malicious attachments. Basic controls here have an outsized impact:
- SPF, DKIM, and DMARC records should be configured for your domain. These protocols make it significantly harder for attackers to spoof your business's email address, protecting both you and your clients.
- Anti-phishing filters should be active and current.
- Staff should understand how to identify a phishing attempt. Training doesn't need to be complex. Even a brief, practical session annually makes a measurable difference.
6. Incident Response
Most small businesses have no plan for what happens when, not if, something goes wrong. An incident response plan doesn't need to be a lengthy document. It needs to answer three questions: who do we call, what do we isolate first, and where are our backups?
Knowing the answers before an incident occurs saves hours of confusion in the middle of one.
7. Compliance Awareness
Depending on your industry, you may have specific cybersecurity obligations. Healthcare organisations handling patient data, businesses processing payment card information, and organisations working with government are subject to frameworks and regulations with real consequences for non-compliance. Understanding which obligations apply to you is a prerequisite for meeting them.
Where Do You Actually Stand?
Reading a checklist and knowing your actual security posture are two different things. It's easy to assume the basics are covered, and common to discover they aren't.
Atropos Technologies has built a free security posture assessment specifically for Tasmanian businesses. Seven questions across the key risk domains, including identity, patching, backups, and email, and you'll receive an immediate score out of 100, a domain-by-domain breakdown, and a prioritised remediation roadmap tailored to your answers.
It takes about three minutes and gives you something concrete to act on.
Frequently Asked Questions
Do small Tasmanian businesses actually get targeted by cyberattacks?
Yes, and increasingly so. Most attacks are automated and indiscriminate. Small businesses are targeted precisely because they are perceived as easier to breach than larger organisations with dedicated security teams.
What is the most important cybersecurity step for a small business?
Enforcing multi-factor authentication across all business accounts delivers the highest return on investment of any single security measure. It blocks the vast majority of credential-based attacks.
How much does cybersecurity cost for a small business?
The foundational measures, including MFA, endpoint protection, email security, and a backup strategy, are achievable within a modest IT budget. The cost of not having them in place is substantially higher.
What should I do if my business is hit by a ransomware attack?
Isolate affected devices immediately by disconnecting them from the network. Do not pay the ransom without taking professional advice. Payment does not guarantee recovery. Contact your IT provider and, if you're in Australia, report the incident to the Australian Cyber Security Centre (ACSC) at cyber.gov.au.
Is cyber insurance worth it for a Tasmanian SMB?
Cyber insurance is increasingly worth considering, particularly for businesses handling sensitive client data. It typically covers incident response costs, legal fees, and some data recovery costs, but insurers are increasingly requiring evidence of baseline security controls before issuing policies.
Atropos Technologies provides security and compliance services to businesses across Tasmania. Take the free security posture assessment to find out where your organisation stands, or get in touch to talk through your security environment directly.