
Why Small Businesses Are the Top Ransomware Target

7 May 2026 | By CIO Tech

There is a line we hear from business owners regularly: “We’re too small to be a target.” It sounds reasonable. Why would an attacker bother with a 20-person accounting firm when banks and hospitals exist?

The reality is the opposite. Small businesses are not targeted despite being small. They are targeted because they are small. Fewer security controls. No dedicated IT team. Outdated systems that nobody has patched in months. For an attacker, that is not a hard target. It is an open door.

The Australian Cyber Security Centre (ACSC) receives a cybercrime report roughly every six minutes. A significant portion of those reports come from small and medium businesses. This is not a hypothetical risk. It is happening across Sydney and across the country, every day.

Attackers go where the defences are weakest

Ransomware (malicious software that locks your files and demands payment to release them) is largely automated. Attackers are not sitting in a room choosing targets by name. They scan thousands of systems at once, looking for known vulnerabilities. Whichever systems respond, those are the targets.

Large organisations have security teams, monitoring tools, and incident response plans. Small businesses typically have none of those. The result is predictable: small businesses are easier to breach, less likely to detect the attack early, and more likely to pay the ransom because they have no backup plan.

According to the ACSC, the average cost of cybercrime for a small business is over $46,000 per incident. For many small businesses, that is enough to threaten the operation entirely.

Ransomware crews automate. Small business is the easy target.

The most common way in is the simplest

Most ransomware does not arrive through some elaborate technical exploit. It arrives through email. A staff member clicks a link. They enter their password on a fake login page. Or they open an attachment that installs malware in the background.

From there, the attacker moves through the network, escalates their access, and deploys the ransomware. The encryption happens fast, often overnight or over a weekend when nobody is watching. Our Incident Response 60-Minute Playbook walks through what to do in the first hour if you discover an attack underway.

The other common entry point is unpatched software. When a security update is released for Windows, or for your accounting software, or for your firewall firmware, it is released because a vulnerability was found. If you do not apply the patch, that vulnerability stays open. Attackers know this and actively scan for systems running outdated software.

Our endpoint security approach covers both of these entry points as standard: email protection against phishing, and automated patching against outdated software.

Backups only help if they actually work

Many business owners assume their backups will save them. Sometimes they do. Often they do not.

The problems we see most often: backups that have not been tested, backups stored on the same network as everything else (so the ransomware encrypts them too), and backup schedules that are weeks or months out of date.

A proper backup strategy follows the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored offsite. That offsite copy needs to be isolated from your main network so it cannot be reached during an attack.

We test backup restores regularly for our managed IT clients. Not once a year. Regularly. Because a backup you have never tested is a backup you cannot trust. To check your own setup against the same questions we ask in an audit, download the free Backup Audit Checklist.
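A restore test of the kind described above, as an added example that is not part of the original post. It assumes a Linux host with GNU tar and coreutils (sha256sum, dd); the directory layout and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: an automated restore test.
# It backs up a directory into a tar archive with a SHA-256 manifest, restores
# the archive into a clean directory, and verifies every file byte-for-byte.
# All paths and file contents below are constructed for the demo.
set -eu

# Back up SRC into ARCHIVE (absolute path) and write ARCHIVE.sha256 beside it.
take_backup() {
    src="$1"; archive="$2"
    ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$archive.sha256"
    tar -C "$src" -cf "$archive" .
}

# Restore ARCHIVE into DEST and check every file against the manifest.
# Succeeds only when the restored data matches what was backed up.
verify_restore() {
    archive="$1"; dest="$2"
    rm -rf "$dest"; mkdir -p "$dest"
    tar -C "$dest" -xf "$archive" 2>/dev/null || return 1
    ( cd "$dest" && sha256sum --check --quiet "$archive.sha256" 2>/dev/null )
}

# Demo: a good restore must pass, and a corrupted archive (simulating a backup
# the ransomware reached) must fail. Returns 0 only if both behave as expected.
demo_restore_test() {
    work=$(mktemp -d)
    mkdir -p "$work/src/invoices"
    printf 'ACME Pty Ltd, invoice 1001, 2450.00\n' > "$work/src/invoices/1001.csv"
    printf 'payroll week 18 processed\n' > "$work/src/payroll.txt"

    take_backup "$work/src" "$work/backup.tar"
    intact=fail; verify_restore "$work/backup.tar" "$work/restore1" && intact=pass

    # Overwrite part of the archive in place, then retest.
    printf 'XXXXXXXXXXXXXXXX' | dd of="$work/backup.tar" bs=1 seek=1024 conv=notrunc 2>/dev/null
    corrupt=pass; verify_restore "$work/backup.tar" "$work/restore2" || corrupt=fail

    rm -rf "$work"
    echo "intact backup: $intact, corrupted backup: $corrupt"
    [ "$intact" = pass ] && [ "$corrupt" = fail ]
}

demo_restore_test
```

Run it on a schedule against a real restore from the offsite copy; a failing exit status is the signal that the backup cannot be trusted.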

Learn more about our security stack, which includes backup verification as standard.

The fix is simpler than you think

Protecting a small business from ransomware does not require a massive budget or a team of security specialists. It requires a handful of controls, properly implemented and consistently maintained.

Here is what that looks like in practice:

  • MFA on every account. Multi-factor authentication (requiring a second step beyond a password to log in) blocks the vast majority of credential theft attacks.
  • Automated patching. Every device and every application stays up to date without relying on staff to click “update later” for the fourth time.
  • EDR on every endpoint. Endpoint detection and response: software that monitors devices for suspicious behaviour and can isolate a threat before it spreads.
  • Email filtering and phishing protection. Catching malicious links and attachments before they reach your team.
  • Tested, isolated backups. Following the 3-2-1 rule with regular restore testing.
  • Staff awareness. Your team knowing what a phishing email looks like and what to do when they see one.

These are not exotic measures. They are the baseline. The ACSC’s Essential Eight (eight security strategies recommended by the Australian government) covers most of this ground. Implementing these controls does not make you invulnerable, but it significantly reduces the risk and makes your business a far harder target.

You do not need to figure this out alone

If you are not sure where your business stands right now (whether your backups would survive a ransomware attack, whether your systems are patched, whether your staff would recognise a phishing email), that is a normal starting point. Most businesses we work with start in exactly the same position.

Our free IT Maturity Assessment gives you a clear picture of where your business sits across security, backup, and IT management. It takes a few minutes, and you get a plain-English report showing what is working and what needs attention.

Not sure how protected your business actually is? Take the free IT Maturity Assessment. It takes a few minutes and gives you a clear, honest picture of where you stand. No sales pitch, just the facts.
