The Small Business Cyber Security Checklist (Australia, 2026)

You don't need a CISO to get the basics right. This is the 20-item checklist we walk every new managed IT client through in their first 90 days. Most items are free or already paid for in your Microsoft 365 licence — you just need to turn them on.

Identity (the most exploited layer)

1. MFA enabled for every user, including the boss
2. Legacy authentication blocked in Microsoft 365
3. Conditional Access rule: block sign-ins from outside Australia/NZ unless travelling
4. Break-glass admin account stored offline, password 24+ characters
5. Self-service password reset enabled with security questions removed

Email

6. SPF, DKIM and DMARC records published — DMARC at least in p=quarantine
7. External email banner enabled in Exchange Online
8. Anti-phishing policy with impersonation protection for the leadership team
9. Safe Links and Safe Attachments turned on (Defender for Office 365)

Devices

10. BitLocker enabled on every Windows laptop, recovery keys in Entra ID
11. FileVault on every Mac
12. Windows updates managed centrally (Intune update rings)
13. EDR installed (Defender for Business, SentinelOne or CrowdStrike)
14. Staff don't run as local administrator

Data

15. Microsoft 365 backup with at least 90 days retention
16. Restore tested in the last 90 days (write down the date)
17. Shared inboxes and SharePoint sites reviewed for external sharing every quarter

People and process

18. Phishing simulation run at least quarterly
19. Offboarding checklist that disables accounts within 1 hour of resignation
20. Incident response plan with phone numbers — printed, not just in SharePoint

Get through this list and you're already in the top 25% of Australian SMBs for cyber maturity. Most breaches we respond to involve at least three of these items being missing — usually #1, #15 and #20.