
Cyber security checklist for Central Queensland small businesses

Eight things you can do this week that will close more than 90% of the doors attackers actually walk through. No jargon. No compliance theatre.

18 March 2026 · 5 min read · Cameron, CQ Computing

Most small-business cyber security advice online is either written for enterprise (and completely unworkable for a 10-person business) or written to sell a product. This is neither.

This is the list of things we recommend to every small business we work with in Central Queensland, in the order we'd do them if we were starting from scratch. Do the first four and you've closed most of the doors attackers actually walk through. Do all eight and you're genuinely in good shape.

Why you should care

Small businesses are now the top target for ransomware. Not because attackers dislike you personally, but because you're an easier target than an enterprise and you're more likely to pay. Regional businesses get hit just as often as city ones; the attackers don't look at postcodes.

The good news is that the attacks are overwhelmingly the same five or six patterns, and the defences against those patterns are affordable, unglamorous, and available to any business.

The essentials (do these first)

1. Multi-factor authentication on every account that supports it

Start with email. Then banking. Then Microsoft 365 or Google Workspace. Then every other app that touches your business data.

MFA is the single highest-value thing you can do. A password on its own is a single point of failure; with MFA, even if your password gets stolen or phished, the attacker still can't get in without your phone. Microsoft's own numbers say MFA stops more than 99% of account takeover attacks.

If you're not sure how to turn it on, it's usually under "Security" in the account settings, or your IT provider can do it in an afternoon.
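To make the "can't get in without your phone" point concrete, here is an added example (not code from the original post or from CQ Computing) of how a time-based one-time code is generated and checked, following RFC 6238. The secret is the RFC's published test-vector secret, not a real one; the `login` function and the one-step drift window are assumptions for the demo. The code shows why a stolen password alone fails: the second factor is computed from a secret that lives only on the phone.

```python
# Added example, not from the original post: a minimal RFC 6238 TOTP check.
import base64
import hashlib
import hmac
import struct

# The RFC 6238 test-vector secret ("12345678901234567890"), base32-encoded the way
# authenticator apps expect. A real deployment generates a fresh random secret per user.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Compute the TOTP code for a Unix timestamp (HMAC-SHA1, dynamic truncation)."""
    key = base64.b32decode(secret_b32.upper())
    counter = at_time // step                      # 30-second time step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the code if it matches the current step or one step either side (clock drift).
    Uses a constant-time comparison so timing does not leak which digits matched."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(password_ok: bool, secret_b32: str, submitted_code: str, at_time: int) -> bool:
    """Assumed login flow: both factors must pass. A phished password alone is not enough,
    because the code can only be produced by whoever holds the secret (the phone)."""
    return password_ok and verify_totp(secret_b32, submitted_code, at_time)


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the 6-digit SHA1 code is 287082
    print("code at T=59:", totp(DEMO_SECRET_B32, 59))
    print("password only, no code:", login(True, DEMO_SECRET_B32, "", 59))
    print("password + correct code:", login(True, DEMO_SECRET_B32, "287082", 59))
```

The drift window of one step either side is the usual trade-off between tolerating a slightly wrong phone clock and keeping the window in which a captured code is replayable short.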

2. Proper endpoint protection, not just "antivirus"

The old model of antivirus (a program that scans files for known bad signatures) doesn't stop modern attacks. What you actually need is EDR (endpoint detection and response), which watches for suspicious behaviour rather than just matching known-bad files.

Your IT provider should be rolling out business-grade EDR on every laptop, desktop and server. If all you've got is Windows Defender and hope, you're exposed.

3. Patch everything, on a schedule

Most breaches exploit unpatched software: bugs that have had fixes available for weeks or months. Your operating systems, your business apps, your network gear and your servers all need to stay current. Not "when I remember", but on an automatic cadence with someone watching it.

Managed IT plans include this. If you don't have a plan, put a calendar reminder in place and check for updates every Monday. It's not perfect, but it's infinitely better than nothing.

4. Business-grade email filtering

Email is the number-one way attackers get in. Standard spam filters catch the obvious stuff but miss targeted phishing. A proper business email security layer catches the rest: suspicious links, impersonation attempts, payloads hidden in attachments.

Microsoft 365 and Google Workspace both include reasonable built-in filtering if you've paid for the right tier. Anything sensitive warrants a dedicated layer on top.

The next level (do these when you've got the essentials in place)

5. A real backup, that you've actually restored from

A backup you've never restored is a wish, not a plan. Whoever runs your backups should be testing a restore at least quarterly. If that's you, put a quarterly recurring event in your calendar right now and test-restore something when it fires. If it's an IT provider, ask them when the last test was and what was restored.

Bonus points if the backups are immutable, meaning attackers can't delete them even if they gain admin access. This is the single biggest technical difference between businesses that survive a ransomware attack and businesses that don't.
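A restore test is only worth something if it checks the restored files, not just that the archive exists. The script below is an added example (not code from the original post or from CQ Computing) of the quarterly drill described above: it backs up a folder to a tar archive with a SHA-256 manifest, restores it into a fresh directory and verifies every file against the manifest. The sample files, the archive layout and the `damage_file` switch (which deliberately breaks a restored file to prove the check catches it) are all constructed for the demo.

```python
# Added example, not from the original post: a backup-and-verified-restore drill.
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive `source` as backup.tar.gz and return {relative path: sha256} for every file.
    Keep the manifest somewhere separate from the archive, e.g. with the recovery plan."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            manifest[str(p.relative_to(source))] = sha256_of(p)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    return manifest


def restore(archive: Path, dest: Path) -> Path:
    """Extract the archive into `dest` and return the restored data root."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")   # safe extraction filter, Python 3.12+ and backports
        except TypeError:
            tar.extractall(dest)                  # older Python without the filter argument
    return dest / "data"


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Confirm every file in the manifest came back byte-for-byte identical."""
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != expected:
            corrupt.append(rel)
    return {"ok": not missing and not corrupt, "files": len(manifest),
            "missing": missing, "corrupt": corrupt}


def run_restore_test(damage_file: Optional[str] = None) -> dict:
    """End-to-end drill on constructed sample data. If `damage_file` is given, that restored
    file is overwritten before verification, to show a bad restore is reported, not missed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "source"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "invoices.csv").write_text("inv,amount\n1001,250.00\n")  # constructed
        (src / "notes.txt").write_text("constructed sample file\n")                  # constructed
        manifest = make_backup(src, root / "backup.tar.gz")
        restored = restore(root / "backup.tar.gz", root / "restore")
        if damage_file:
            (restored / damage_file).write_text("corrupted\n")
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("damaged restore:", run_restore_test("notes.txt"))
```

The part worth copying is `verify_restore`: point it at whatever your real backup tool restores and at a manifest taken when the backup was made, and the quarterly calendar event becomes a pass/fail result rather than a glance at a folder.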

6. Staff awareness, not a three-hour seminar, just the basics

Your people are not the problem. But they are the attack surface. A short conversation, ten minutes, practical and in plain English, goes a long way. Cover the three things that matter:

  • Never trust urgent money requests by email. If the boss is "suddenly asking you to transfer funds to a new account", verify it over the phone.
  • Check the actual sender address, not just the display name. Attackers spoof names casually.
  • Don't click anything in a text message that says "your package is waiting" or "verify your Myki".

That's most of what matters.
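The "check the actual sender address, not just the display name" advice can also be automated at the mail gateway or in a mailbox rule. Here is an added example (not code from the original post or from CQ Computing) that splits a From: header into its display name and real address and raises flags for the tricks staff are told to look for: an email address written into the display name that is not the real sender, a domain one or two typos away from the business's own, and a colleague's name on an outside address. The domain `cqcomputing.example`, the staff name list and the flag names are constructed for the demo.

```python
# Added example, not from the original post: display-name vs real-address checks.
from email.utils import parseaddr

# Constructed for the demo: the business's own domain(s) and the staff first names
# an attacker would most likely impersonate. Replace with real values in use.
TRUSTED_DOMAINS = {"cqcomputing.example"}
STAFF_NAMES = {"cameron"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> dict:
    """Parse a From: header and return the real address plus a list of warning flags."""
    display, address = parseaddr(from_header)
    display_l = display.lower()
    domain = address.rsplit("@", 1)[1].lower() if "@" in address else ""
    flags = []
    if not domain:
        flags.append("no-address")            # header did not parse to a usable address
        return {"display": display, "address": address, "domain": domain, "flags": flags}
    trusted = domain in TRUSTED_DOMAINS
    # Trick 1: the display name contains an email address, but the real sender is elsewhere.
    if "@" in display_l and domain not in display_l:
        flags.append("display-name-spoof")
    # Trick 2: the sending domain is a near-miss of one of ours (cqcomputlng vs cqcomputing).
    if not trusted and any(levenshtein(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        flags.append("lookalike-domain")
    # Trick 3: a colleague's name on an outside address, the classic "boss needs a transfer".
    if not trusted and any(name in display_l for name in STAFF_NAMES):
        flags.append("impersonation")
    return {"display": display, "address": address, "domain": domain, "flags": flags}


if __name__ == "__main__":
    # Constructed sample headers
    for hdr in [
        "Cameron <cameron@cqcomputing.example>",
        '"cameron@cqcomputing.example" <invoice@payments-update.example>',
        "Cameron <cameron@cqcomputlng.example>",
        "Parcel Desk <noreply@parcel-desk.example>",
    ]:
        print(check_sender(hdr))
```

Flagged mail is best quarantined or tagged with a visible banner rather than silently dropped, so the ten-minute conversation with staff and the technical control reinforce each other.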

7. Separate personal and business use

Where practical, keep business email off personal phones that also have games and TikTok and whatever else. If mixing is unavoidable, use managed apps (Microsoft Intune, Google MDM, or equivalent) so the business data lives in a sandbox.

8. A recovery plan, on paper, that isn't stored on the network

The worst time to design a ransomware response is during a ransomware event. Spend an hour writing down:

  • Who makes the call?
  • Who do we ring first (us, our insurer, the bank)?
  • How do we communicate if the internal email is down?
  • Where are the critical passwords if the password manager is encrypted?

Put the answers on paper. Put the paper somewhere offline. Every good business owner gets to skip this step until they wish they hadn't.

What this actually costs

The essentials (items 1–4) can be rolled out across a small business for very little. MFA is free. Patching is routine work. Email filtering is often already in your M365/Workspace subscription if you upgrade a tier. EDR is the biggest line item, but it's the highest-impact defensive investment you can make, and it's priced per device per month at an amount that will surprise you in a good way.

The whole package is a fraction of the cost of one ransomware hit. Even a modest one.

How CQ can help

We handle all of this as part of our managed IT plans, and we also take on once-off cyber security hardening projects if you'd rather not commit to a full plan. Every engagement starts with a free IT Health Check so we're both looking at the same picture before anyone quotes anything.

If you'd rather just ask questions first, get in touch. We'll give you a straight answer in plain English, and you'll leave the conversation knowing more than you did going in.

Let's talk about your IT.

Book a free IT Health Check, or reach out directly. Remote-first, honest scope, no hard sell.