Small Business Cyber Essentials: The Practical Questions Every Non-Technical Leader Should Ask

A plain-English guide for small business and not-for-profit leaders to understand their cyber risk profile and focus on the essentials that prevent real-world incidents.

Mark Scales LinkedIn

Minimalist flat illustration showing a laptop, documents, folders, and a checklist, with small warning icons indicating cyber alerts. Designed in soft blues and greys under the heading ‘SME Cyber Essentials’.

By the end of this article, you won’t just “know more about cyber.” You’ll know exactly what questions to ask, what good looks like, and how to reduce cyber risk without needing to be an IT expert. This is written for small and medium businesses (SMEs), not-for-profits (NFPs), and leaders who carry responsibility without dedicated cyber teams.


Why Cyber Risk Matters for Small Organisations (Even If You’re “Not Technical”)

Most cyber incidents that hit small organisations have nothing to do with sophisticated hackers. They come from simple issues: weak passwords, staff clicking a phishing email, shared logins, an old laptop, or a vendor outage.

For SMEs and NFPs, the consequences are amplified:

  • You don’t have a big IT team to respond.
  • You often don’t have backups or disaster recovery plans.
  • You rely heavily on a small number of systems or suppliers.
  • Incidents create real business interruption—lost revenue, lost trust, accreditation issues, or funder concerns.

Cyber isn’t an IT issue. It’s a small business survival issue.


Step One: Understand Your Cyber Risk Profile

A simple way to understand your cyber risk profile is to answer three questions:

a) What digital assets matter most to us?

Examples:

  • Client data
  • Booking systems
  • Payment systems
  • Email
  • HR/payroll
  • Cloud storage (Google Drive, Microsoft 365, Xero, MYOB)

b) How could those assets be compromised?

Use the Event → Cause → Impact model from the StartRisk content framework:

  • Event: “Email account compromised”
  • Cause: Staff clicked a phishing email
  • Impact: Invoices changed, payments diverted, reputational harm

c) Who are we dependent on?

Small organisations almost always underestimate third-party risk.
Consider:

  • Cloud platforms (Google, Microsoft, Shopify, Salesforce)
  • IT support contractors
  • Payment processors
  • Sector systems (NDIS portals, CRM systems, donor platforms)

The UniSuper / Google Cloud outage is a good example of what can go wrong—even for very mature organisations. StartRisk’s case study highlights exactly how a vendor misconfiguration can become a business interruption event.

Practical takeaway:
You don’t need a cyber framework. You need a clear picture of what matters, what could go wrong, and where you rely on others.


The Cyber Essentials: The Questions Every Leader Should Be Asking

These are the non-technical, business-level questions that actually reduce risk. If you only implemented the basics below, you’d be ahead of most SMEs and NFPs in Australia.

Essential 1: Access & Identity Controls

“Do we know who has access to what—and is it safe?”

Questions to ask your IT team or provider:

  • Do all staff have individual logins (no shared accounts)?
  • Do we enforce multi-factor authentication (MFA) everywhere?
  • Do we ensure former staff or contractors don’t have access to anything?
  • Do we use strong, unique passwords with a password manager?
  • Do we monitor people accessing our systems from any device, anywhere?

Why it matters:
Most small-business cyber breaches begin with a compromised account.
These are the Preventative Controls that add the most value quickly.

Essential 2: Device Security

“Are the laptops, phones and tablets we use actually secured?”

Ask:

  • Are all business devices set to update automatically?
  • Do we have disk encryption enabled (e.g., FileVault, BitLocker)?
  • Do we allow staff to use personal devices without any controls?
  • If a device was lost today, what data could be accessed?

Why it matters:
Lost laptops are one of the most common sources of breaches, especially in small NFPs and service teams.

Essential 3: Data Backup & Recovery

“If our systems disappeared tomorrow, could we recover?”

Ask:

  • What systems are backed up?
  • How often?
  • Where is the backup stored?
  • Has anyone actually tested a restore in the last 6 months?

If the answer to the last question is “no”, you don’t have a backup; you are living in hope.

Why it matters: When something goes wrong, for any reason, backups are one of the best ways to get back up and running quickly and with minimal lost work. But the right things need to be backed up and you need confidence that they can be restored.
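A restore test is the only evidence that a backup works. The script below is an added example, not code from the original article or from StartRisk: it backs up a folder, restores the archive into a separate location, and compares every file's SHA-256 hash against the original, so "has anyone tested a restore?" gets a yes/no answer with a list of anything missing or changed. All paths and sample files are constructed in a temporary directory so it runs offline; point `restore_drill` at a real folder and a scratch directory to run it for real.

```python
"""Backup-and-restore drill: back up a folder, restore it somewhere else,
and prove every file came back byte-for-byte.

Added example, not from the original article. The sample data and paths
are constructed in a temporary directory; swap in real paths to use it."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def _file_hashes(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def create_backup(source: Path, archive: Path) -> Path:
    """Write a compressed tar archive of everything under `source`."""
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name)
    return archive


def restore_backup(archive: Path, destination: Path) -> Path:
    """Extract the archive into `destination`, never over the live data."""
    destination.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(destination, filter="data")  # rejects unsafe paths where supported
        except TypeError:  # older Python without the filter argument
            tar.extractall(destination)
    return destination


def verify_restore(source: Path, restored: Path) -> dict:
    """Compare the original and restored trees; report anything missing or changed."""
    expected = _file_hashes(source)
    actual = _file_hashes(restored)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(f for f in expected if f in actual and expected[f] != actual[f])
    return {
        "files_checked": len(expected),
        "missing": missing,
        "corrupted": corrupted,
        "extra": sorted(set(actual) - set(expected)),
        "ok": not (missing or corrupted),
    }


def restore_drill(source: Path, workdir: Path) -> dict:
    """The full drill: back up, restore to a fresh folder, verify."""
    archive = create_backup(source, workdir / "backup.tar.gz")
    restored = restore_backup(archive, workdir / "restore-test")
    return verify_restore(source, restored)


def build_sample_data(root: Path) -> Path:
    """Constructed sample 'business data' for the demo; not real records."""
    (root / "clients").mkdir(parents=True)
    (root / "clients" / "register.csv").write_text("id,name\n1,Example Pty Ltd\n")
    (root / "invoices").mkdir()
    (root / "invoices" / "INV-0001.txt").write_text("Amount: 1200.00\n")
    (root / "policy.txt").write_text("Backup tested quarterly.\n")
    return root


def run_demo() -> dict:
    """Run a healthy drill, then damage the restored copy to show a failing one."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        source = build_sample_data(work / "live-data")
        healthy = restore_drill(source, work)
        # Simulate a bad restore: one file altered, one file missing.
        (work / "restore-test" / "invoices" / "INV-0001.txt").write_text("Amount: 9999.00\n")
        (work / "restore-test" / "policy.txt").unlink()
        tampered = verify_restore(source, work / "restore-test")
        return {"healthy": healthy, "tampered": tampered}


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, "OK" if report["ok"] else "FAILED", report)
```

Restoring to a separate folder rather than over the live data is deliberate: the drill should never be able to damage what it is testing. A report with `"ok": False` and a non-empty `missing` or `corrupted` list is the finding you want to see during a test, not during an incident.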

Essential 4: Staff Awareness & Behaviour

“Do our people know how to spot cyber threats?”

You don’t need a training program. You need five basics:

  1. How to spot a phishing email
  2. How to verify payment changes
  3. When to pause and report something suspicious
  4. Why MFA matters
  5. What to do if they click something by mistake

Example:
Your finance officer receives an email saying a supplier has changed bank details.
The difference between a $0 issue and a $30k fraud is whether they know to verify via phone.

Essential 5: Vendor & System Dependence

“Who are we relying on—and what happens if they go down?”

Ask:

  • What are our top 5 critical third-party systems?
  • What would a 24-hour outage mean for us?
  • Do we have alternatives?
  • Do we have a way to continue operations offline?

Small organisations underestimate this risk more than any other. There are regular instances of global household brands being taken offline by a third-party failure, and it can happen to your business just as easily.

Example: When I ran a retail business I was surprised how often the internet connection would go down! This would prevent us from taking credit card sales, a massive problem! We implemented 5G mobile backups and offline processing to manage the risk.

Essential 6: Incident Response (Simple, Not Scary)

“If something went wrong, do we know who to call and what to do?”

You don’t need a comprehensive plan. You need a one-page checklist:

  • Who to call (IT provider, bank, cyber insurer, key staff)
  • How to isolate affected devices
  • How to communicate to staff
  • What external reporting may be required (OAIC, funders, partners)

A simple plan reduces fear and speeds up recovery.


The Common Pitfalls SMEs Make With Cyber (And How to Fix Them)

Small organisations tend to either overcomplicate or under-resource cyber. Consider if any of these common pitfalls could be affecting your business:

Pitfall 1: Thinking “we’re too small to be targeted.”

Fix: Focus on common attack patterns (phishing and credential theft), not Hollywood-style state-sponsored hacking.

Pitfall 2: No control over offboarding staff and contractors.

Fix: Make “remove access” a standard part of staff exit checklists and have a regular review cycle.
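The "regular review cycle" above, and the Essential 1 questions about shared accounts, MFA and former staff, come down to one reconciliation: compare the accounts that exist with the people who should still have them. The script below is an added example, not code from the original article or from StartRisk. The account export and staff register are constructed sample data; in practice the account list comes from your identity provider's user export and the staff register from HR. The field names (`owner`, `mfa_enabled`, `last_login`) are assumptions about what such an export contains.

```python
"""Access review: reconcile existing accounts against current staff.

Added example, not from the original article. Account records and the
staff register below are constructed sample data with assumed field names."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class Account:
    username: str
    owner: str          # person responsible; "" if nobody is recorded (shared/generic)
    mfa_enabled: bool
    last_login: date    # assumed field from the identity provider's export


@dataclass
class StaffMember:
    name: str
    status: str         # "active" or "left"


def review_access(accounts: List[Account], staff: List[StaffMember],
                  today: date, stale_days: int = 90) -> Dict[str, list]:
    """Return usernames grouped by the leader-level question each answers."""
    active = {s.name for s in staff if s.status == "active"}
    findings = {"not_current_staff": [], "no_owner": [], "no_mfa": [], "stale": []}
    for acct in accounts:
        if not acct.owner:
            findings["no_owner"].append(acct.username)          # shared account?
        elif acct.owner not in active:
            findings["not_current_staff"].append(acct.username)  # offboarding missed
        if not acct.mfa_enabled:
            findings["no_mfa"].append(acct.username)
        if (today - acct.last_login).days > stale_days:
            findings["stale"].append(acct.username)              # unused, review need
    return findings


# Constructed sample data for the demo; not real people or accounts.
SAMPLE_STAFF = [
    StaffMember("Alice Nguyen", "active"),
    StaffMember("Ben Carter", "left"),
    StaffMember("Chloe Singh", "active"),
]

SAMPLE_ACCOUNTS = [
    Account("alice.nguyen", "Alice Nguyen", True, date(2024, 6, 1)),
    Account("ben.carter", "Ben Carter", True, date(2024, 3, 10)),       # left, still has access
    Account("chloe.singh", "Chloe Singh", False, date(2024, 6, 10)),    # no MFA
    Account("info", "", False, date(2024, 6, 14)),                      # shared mailbox login
    Account("contractor.it", "Dave Lee", True, date(2024, 2, 1)),       # not on the staff register
]


def run_demo() -> Dict[str, list]:
    """Run the review over the sample data as at a fixed date."""
    return review_access(SAMPLE_ACCOUNTS, SAMPLE_STAFF, today=date(2024, 6, 15))


if __name__ == "__main__":
    for question, usernames in run_demo().items():
        print(f"{question}: {', '.join(usernames) or 'none'}")
```

Each finding maps straight back to an exit-checklist or review action: remove or hand over the `not_current_staff` accounts, give the `no_owner` ones a named owner or replace them with individual logins, and turn on MFA for the `no_mfa` list. A contractor who is not on the HR register shows up the same way a departed employee does, which is the point of reviewing against a single list of who should have access.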

Pitfall 3: Personal devices everywhere.

Fix: Introduce basic mobile device management (MDM) on personal devices used for work or require password/PIN + auto-lock.

Pitfall 4: Depending entirely on your IT provider without oversight.

Fix: Ask for an annual “cyber health check” report in plain English.

Pitfall 5: No clarity on what matters most.

Fix: Map your critical systems + critical data. This becomes your cyber risk profile.

Pitfall 6: Overly complex frameworks no one uses.

Fix: Minimum viable approach. Simple, consistent, and understood beats complex every time.


How StartRisk Helps

If you’re looking for a simple way to build a clear cyber risk profile and strengthen the basics, StartRisk can help.

Our AI tools give small teams practical guidance, plain-English risk statements, and suggested controls—without needing a dedicated risk expert.

Try StartRisk free at any time.