If you run a small or medium business in Perth, cyber security can feel overwhelming. Between ransomware headlines, the Australian Cyber Security Centre's Essential 8, and the constant stream of new threats, it's hard to know where to start.
The good news: you don't need a million-dollar security operation to dramatically reduce your risk. Most breaches are caused by basic gaps — not sophisticated attacks. This checklist gives you the 9 things every Perth SME should have in place, ordered by impact.
⚠️ Why This Matters for Perth Businesses
The ACSC's 2024–2025 Cyber Threat Report recorded over 94,000 cyber crime reports in Australia, with an average cost of $71,600 per incident for small businesses. Perth's professional services, mining, and healthcare industries are prime targets — attackers know we handle valuable data.
☐ 1. Enable Multi-Factor Authentication (MFA)
This is the single highest-impact security control you can implement. MFA stops 99.9% of automated credential-stuffing attacks. Every Microsoft 365 account, every business application, every admin panel — if it supports MFA, turn it on. Today.
Perth action step: Start with Microsoft 365 MFA (it's free), then move to your accounting software, CRM, and any remote-access tools. Use an authenticator app (Microsoft Authenticator, Google Authenticator) — SMS-based MFA is better than nothing but less secure.
☐ 2. Implement Automated Backups
The number one cause of permanent data loss in Perth SMEs isn't hackers — it's accidental deletion, hardware failure, and ransomware. Automated, tested backups are your safety net. The 3-2-1 rule: three copies of your data, on two different media types, with one copy off-site (or air-gapped).
Perth action step: Ensure your backup solution includes cloud backup (off-site) and that restores are tested at least quarterly. A backup you've never tested isn't a backup — it's a wish.
☐ 3. Deploy Endpoint Detection & Response (EDR)
Traditional antivirus is no longer sufficient. EDR tools (like SentinelOne, CrowdStrike, or Microsoft Defender for Business) monitor endpoints for suspicious behaviour and can respond automatically — isolating a compromised machine before ransomware spreads. This is an Essential 8 core requirement and a non-negotiable for any business with more than 5 staff.
☐ 4. Set Up Email Security
Email is the #1 attack vector. 94% of cyber attacks start with an email. A proper email security gateway filters out phishing attempts, malicious attachments, and spoofed domains before they reach your staff. Microsoft 365's built-in protection is decent but not enough for businesses that handle sensitive data. Layer on a dedicated email security solution and configure DMARC, DKIM, and SPF records for your domain to prevent spoofing.
☐ 5. Implement Patch Management
Unpatched software is the most common entry point for attackers. The ACSC's Essential 8 mandates patching operating systems and applications within 48 hours for critical vulnerabilities and within 2 weeks for high-severity ones. Automate this — relying on staff to click "update later" is not a strategy. A proper RMM (Remote Monitoring and Management) tool handles patch deployment and compliance reporting automatically.
☐ 6. Restrict Admin Privileges
Most Perth SMEs give every staff member local admin rights to their computer. This means one phishing click can give an attacker full control of that machine — and potentially your whole network. Standard users should NOT have admin privileges. Create separate admin accounts for the people who genuinely need them, and use Privileged Access Management (PAM) tools to elevate privileges only when needed.
☐ 7. Conduct Staff Security Awareness Training
Your staff are your first line of defence — or your biggest vulnerability. Regular security awareness training (with simulated phishing tests) reduces click rates on real phishing emails from ~30% to under 5%. Many Perth MSPs include this in their managed services, and dedicated platforms like KnowBe4 and Mimecast make it easy to automate.
☐ 8. Create an Incident Response Plan
Not if, but when. Every business needs a documented incident response plan that answers: who leads the response, how do we communicate with staff and clients if email is down, what systems do we take offline first, and how do we restore operations. Tabletop exercises (simulated walkthroughs) are worth their weight in gold. We covered this in detail in our incident response guide.
☐ 9. Get a Professional Security Assessment
A qualified Perth MSP can assess your current security posture, identify gaps, and prioritise fixes — usually within a day. The Stride IT security assessment covers all Essential 8 controls, email security, backup integrity, user permissions, and network architecture. It's the fastest way to go from "I think we're okay" to "I know we're protected."
📋 Quick Scorecard
| Control | Cost | Impact |
|---|---|---|
| MFA | Free–Low | ★★★★★ |
| Automated Backups | Low–Med | ★★★★★ |
| EDR | Med | ★★★★★ |
| Email Security | Low–Med | ★★★★☆ |
| Patch Management | Low | ★★★★☆ |
| Restrict Admin | Free | ★★★★☆ |
| Staff Training | Low | ★★★☆☆ |
| Incident Plan | Low | ★★★★☆ |
| Security Assess. | Low–Med | ★★★★★ |
Not sure where your business stands?
We'll audit your current security posture and give you a clear roadmap — no pressure, no sales pitch.
Book a Free Security ReviewNeed help implementing these controls? Stride IT is a Perth-based managed IT provider that helps local businesses implement and maintain all nine controls as part of our Managed IT and Cyber Security services. Get in touch for a no-obligation discussion.