SecurityPolicy.com.au
Home/ Australia/ Human Factors/ The human side of security policy for Australian small businesses
Australia Human Factors Fundamentals Reviewed 2026-07-12

The human side of security policy for Australian small businesses

84,700+
cybercrime reports received by ASD’s ACSC in FY2024–25
1 every 6 minutes
average ReportCyber reporting rate in FY2024–25
$56,600
average self-reported cybercrime cost per report for small businesses
Almost 2,100
Australian small businesses represented in Cyber Wardens mindset and culture research
Why this guide exists

Frequency is qualitative, not search-volume data. It reflects recurrence across verified Australian forum discussions, Cyber Wardens research involving almost 2,100 small businesses, the 2026 pulse check, and the practical questions addressed repeatedly in Australian Government small-business guidance.

Do I even need a security policy — isn't this only for big companies?

You do not need a bank-sized manual. You need a short, usable agreement about the systems and information that matter, the few rules people must follow, who makes decisions, and what to do when something looks wrong. The business case exists even where a particular law does not apply: Australian small businesses use email, banking, cloud software, customer information and supplier accounts that can be disrupted or misused. Start with one or two pages and expand only where your people, contracts, data or risk justify it. Separately check whether the Privacy Act or an industry rule applies; being under $3 million turnover is not a universal exemption.

How this differs by situation
  • sole trader or microbusiness — Use a one-page baseline covering critical accounts, devices, backups, payment changes and incident contacts.
  • small business with employees — Add clear staff responsibilities, acceptable use, access rules, reporting and onboarding.
  • ACSC small-business baseline — Begin with MFA, software updates and backups, then build according to risk.
PUT THIS IN YOUR POLICY, EXACTLY

We are not writing a big-company manual. We are agreeing on the few rules that protect our money, customer information and ability to keep trading.

This feels like overkill and it's too expensive for a small business.

That objection is reasonable when security is presented as a large certification project or a shopping list of enterprise tools. Proportionate security means matching effort to what could genuinely hurt the business: payment fraud, loss of email, exposure of sensitive records, inability to trade, or a critical supplier failure. Start with low-cost controls that reduce common risk, document any gaps you consciously accept, and use staged frameworks rather than attempting everything at once. For businesses covered by the Privacy Act, OAIC guidance also applies a circumstances-based test that considers size, resources, sensitivity, consequences, time and cost; cost matters, but it is not by itself a reason to do nothing.

How this differs by situation
  • cash-constrained microbusiness — Prioritise account protection, updates, backups, access removal and payment verification before buying specialist platforms.
  • SMB1001 Levels 1–2 — Use progressive levels to avoid treating mature enterprise controls as the starting line.
  • APP 11 reasonable steps — Where the Privacy Act applies, proportionality depends on circumstances, not turnover alone.
PUT THIS IN YOUR POLICY, EXACTLY

We will spend in proportion to our risk: protect the critical accounts first, use free or low-cost controls where they work, and record what we cannot yet afford.

Where do I even start? It's overwhelming and I don't know what matters.

Do not begin by writing twenty policies. Begin by identifying the few things the business cannot comfortably lose: the main email tenant, banking and payment processes, customer or client records, line-of-business software, website and domain, and recoverable copies of essential data. Then complete a short baseline: turn on MFA for important accounts, enable automatic updates, confirm who has administrator access, test one backup restore, create a separate check for changed bank details, and give everyone one obvious way to report a suspected incident. Put owners and dates beside unfinished actions. The Australian Government’s free, anonymous Cyber Health Check provides a tailored action plan and is a sensible first diagnostic.

How this differs by situation
  • owner-led business without internal IT — Use a single-page asset list and action register rather than a technical risk register.
  • first 30 days — Protect critical accounts, patch, back up, test reporting and assign ownership before adding complexity.
  • Essential Eight Maturity Level One — Treat it as a next-stage reference after the small-business basics, not a reason to delay starting.
PUT THIS IN YOUR POLICY, EXACTLY

This month we will do five things: name our critical systems, turn on MFA, enable updates, test one backup restore, and make incident reporting easy.

Isn't security just IT's job / the MSP's job?

IT staff and managed service providers can recommend and operate controls, but management still decides what information and operations matter, how much risk to accept, what suppliers may access, how staff are expected to behave, and what happens during an incident. Make the split explicit: the owner or leadership team owns business risk and approves priorities; the MSP documents and operates contracted controls; process owners approve access and payment changes; staff follow the rules and report concerns. Ask the MSP for a written responsibility matrix and evidence of recurring tasks. An outsourced task is not an outsourced accountability.

How this differs by situation
  • business with an MSP — Attach a simple customer-versus-provider responsibility matrix to the service agreement.
  • business with internal IT — Leadership sets risk priorities; IT implements and reports on controls.
  • business risk governance — Review cyber risk alongside financial, operational, legal and supplier risk.
PUT THIS IN YOUR POLICY, EXACTLY

Management owns the risk. Our MSP advises and operates controls; staff follow them and report problems; the owner decides what risk is accepted.

We'll deal with security properly once we're bigger.

Growth usually increases accounts, staff, suppliers, data and workarounds, so waiting often makes the clean-up harder. Put in a minimum baseline now and schedule maturity rather than postponing the whole subject. A practical first month can be small: protect critical logins, verify payment-detail changes through a second channel, remove unused access, test a backup, write down incident contacts and run a short staff briefing. Review the baseline when you add staff, change software, enter a major contract, collect more sensitive information or experience an incident. This is not a prediction that your business will be attacked tomorrow; it is ordinary preparation for a risk that affects organisations of every size.

How this differs by situation
  • pre-growth business — Create the minimum baseline before new employees and systems multiply access and exceptions.
  • minimum viable security — Use a dated 30-day baseline and a six-month improvement list.
  • change-triggered review — Review after growth, new technology, sensitive-data collection, major contracts or incidents.
PUT THIS IN YOUR POLICY, EXACTLY

We will not wait for growth. We will put a minimum baseline in place now and strengthen it as the business changes.

Won't our cloud provider, software, or cyber insurance cover us anyway?

They can reduce risk and recovery cost, but none is a complete transfer of responsibility. A cloud provider may secure its infrastructure while you remain responsible for users, permissions, MFA, configuration, devices, data handling and recovery choices. Software vendors also divide responsibilities through contracts and settings. Insurance is financial protection subject to the exact wording, limits, exclusions, waiting periods, security declarations and notification requirements. For each important provider, write down: what it secures, what you must configure, who monitors it, what evidence is retained, what support is available during an incident, and what the contract or policy excludes. Have the broker or insurer confirm ambiguous insurance points in writing.

How this differs by situation
  • cloud-first small business — Document provider and customer responsibilities for identity, devices, data, configuration and recovery.
  • shared-responsibility review — Repeat for each critical cloud service rather than assuming one universal model.
  • insurance readiness — Check representations, conditions, exclusions, incident contacts and evidence before a claim.
PUT THIS IN YOUR POLICY, EXACTLY

Cloud and insurance support us, but they do not remove our responsibilities. We will document what each provider covers and what remains ours.

Nobody actually follows the policy — how do I get staff to care?

People are more likely to follow rules that are short, relevant, demonstrated by leaders and built into the way work is done. Explain the reason in concrete terms: protecting wages, customers, jobs and the ability to trade. Remove friction where possible, provide approved alternatives, include security in onboarding, repeat short scenario-based refreshers, and make the reporting route obvious. Thank people who quickly report a suspicious message or mistake; early reporting limits harm. Managers must follow the same rules. Where someone repeatedly or deliberately ignores a clear rule, address it consistently and through a fair performance or disciplinary process rather than turning every honest mistake into blame.

How this differs by situation
  • frontline and mixed-digital-confidence workforce — Use brief scenarios tied to real tasks such as invoices, passwords, customer records and personal devices.
  • positive reporting culture — Reward early reporting and separate honest mistakes from deliberate or repeated disregard.
  • fair and consistent enforcement — Keep expectations current, provide support, document concerns and give employees a chance to respond.
PUT THIS IN YOUR POLICY, EXACTLY

Report suspicious activity or mistakes immediately. You will be thanked for speaking up; we will fix the process first and address repeated or deliberate breaches fairly.

We can't afford a consultant and don't know who to trust.

You can make meaningful progress before buying consulting. Use the free Australian Government Cyber Health Check, the ACSC small-business guide, free Small Business Cyber Resilience Service advice and free Cyber Wardens training. When paid help becomes useful, buy a defined outcome rather than a vague promise: for example, an identity-and-access review, backup recovery test, incident plan workshop or a gap assessment against an agreed level. Ask the adviser to state the scope, exclusions, evidence, data access, subcontractors, deliverables, total cost and what your team must maintain afterwards. Verify identity and business details, seek references relevant to businesses like yours, use least-privilege and time-limited access, and do not give unrestricted administrator credentials merely because someone claims expertise.

How this differs by situation
  • business with no advisory budget — Use free diagnostics, guidance, training and one-to-one support before purchasing tools.
  • bounded advisory engagement — Specify the outcome, system scope, access, evidence, handover and fixed or capped price.
  • supplier due diligence — Verify the provider and control privileged access; qualifications do not replace an agreed scope and supervision.
PUT THIS IN YOUR POLICY, EXACTLY

We will start with trusted free guidance. Any paid adviser must explain the scope, evidence, data handling, deliverables and total cost in plain English before we approve work.

Is this just box-ticking compliance, or does it actually make us safer?

A document or certificate cannot guarantee safety. A useful policy makes decisions repeatable and testable: who has access, how payment changes are verified, how updates and backups are managed, what staff report, who leads an incident and how suppliers are checked. Turn each important rule into evidence. Sample whether MFA is enabled, restore a file from backup, check that a former user was removed, rehearse one incident scenario, and review whether a critical supplier’s responsibilities are understood. Compliance can provide a useful minimum and evidence of governance, but the purpose is reduced likelihood, reduced impact and faster recovery. Record exceptions and improvement actions instead of pretending every control is complete.

How this differs by situation
  • policy-to-control mapping — Every major policy statement should point to an owner, operating control and evidence.
  • quarterly practical assurance — Test a small sample of access, backup, incident and supplier controls rather than relying on attestation alone.
  • regulated or contract-driven SME — Meet the required baseline, then test whether it addresses the business’s actual failure modes.
PUT THIS IN YOUR POLICY, EXACTLY

We will judge this policy by evidence: accounts protected, backups restored, access removed on time, incidents rehearsed and improvements completed—not by the document alone.

What's my next step?

Common misconceptions

  • “We are too small to be targeted.” Cyber Wardens describes size-based safety as a dangerous fallacy, and ASD says malicious actors target organisations of all types and sizes. VERIFIED
  • “A security policy has to be an ISO-sized manual.” Australian Government guidance describes a policy in practical terms—assets, threats, rules, controls, responsibilities and incident response—so a small business can begin with a short document. INFERRED
  • “Every business under $3 million turnover is exempt from the Privacy Act.” OAIC lists categories covered regardless of turnover. VERIFIED
  • “Our cloud provider handles all security.” ASD says responsibility is shared and the customer always retains some responsibilities and risk. VERIFIED
  • “Any business insurance policy will cover a cyber event.” Coverage depends on the wording; AAMI, for example, states that its small-business package wordings expressly exclude cyber risks. VERIFIED
  • “The MSP owns the business’s cyber risk.” Providers can operate controls, but ASD treats cyber risk management as a leadership and business responsibility. INFERRED
  • “One annual training session creates a security culture.” ACSC recommends regular awareness and training, positive culture and rewarding early reporting. VERIFIED
  • “A certificate or compliance checklist proves the business is secure.” ACSC says even the Essential Eight is not exhaustive and must be built upon for organisational needs. VERIFIED
  • “MFA alone is enough.” ACSC places MFA alongside software updates, backups and further maturity measures, indicating that no single control is the whole program. INFERRED
  • “Any staff mistake should trigger punishment immediately.” ACSC recommends rewarding breach reporting and positive culture, while Fair Work guidance emphasises consistency and a fair opportunity to respond. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Privacy Act 1988 — APP 11 security of personal information Office of the Australian Information Commissioner The business is an APP entity. This generally includes businesses over $3 million annual turnover and specified smaller businesses, including health service providers, businesses trading in personal information, Commonwealth contractors and other listed categories. Ongoing. Take reasonable technical and organisational steps to protect personal information and, when it is no longer needed and no retention exception applies, destroy it or de-identify it.
Privacy Act 1988 — Notifiable Data Breaches scheme Office of the Australian Information Commissioner An entity covered by the NDB scheme has reasonable grounds to believe an eligible data breach has occurred—generally unauthorised access, disclosure or loss likely to result in serious harm that has not been prevented by remedial action. Assess a suspected eligible breach expeditiously; the statutory assessment period is generally up to 30 days. If eligible, notify affected individuals and provide a statement to the OAIC as soon as practicable, unless an exception applies.
Cyber Security Act 2024 — ransomware and cyber extortion payment reporting Department of Home Affairs through the Australian Signals Directorate reporting portal A business carrying on business in Australia with previous-financial-year turnover of at least $3 million, or a responsible entity for a covered critical infrastructure asset, makes or becomes aware of a ransomware or cyber extortion payment made on its behalf. Report within 72 hours of making, or becoming aware of, the payment.
Fair Work Act 2009 — fair process when enforcing a security policy Fair Work Ombudsman and Fair Work Commission The employer uses an alleged security-policy breach or related underperformance as a basis for warning, performance management or dismissal; small business employers with fewer than 15 employees should also follow the Small Business Fair Dismissal Code where applicable. Before dismissal, use a valid reason, tell the employee the reason, give a chance to respond and, for underperformance, ordinarily provide prior warning; document and apply workplace policies consistently.

Sources

  1. Annual Cyber Threat Report 2024–25 primary
  2. Small business cyber security guide primary
  3. Create a cyber security policy primary
  4. Cyber security checklist primary
  5. Cyber security and your business primary
  6. Cyber security priorities for boards of directors 2025–26 primary
  7. Cloud shared responsibility model: Guidance for individuals and small and medium businesses primary
  8. Protecting your staff primary
  9. Small business cloud security guides: Introduction primary
  10. SMB1001 cybersecurity standard primary
  11. Small Business Cyber Security Pulse Check Report primary
  12. Small Business Cyber Security Pulse Check Report 2026 primary
  13. Small business privacy obligations primary
  14. APP 11 security of personal information primary
  15. Quick reference guide for responding to data breaches primary
  16. Ransomware payment and cyber extortion payment reporting primary
  17. Managing performance and warnings primary
  18. Unfair dismissal primary
  19. AAMI An Introduction to Silent Cyber fact sheet primary
  20. r/australia discussion: small-business data breaches may go unreported forum
  21. Whirlpool discussion: ISO workload, cost and resourcing forum
  22. r/sysadmin discussion: Australian organisation asks who owns the insurance decision forum
  23. r/australia discussion: preventative security treated as a cost to cut forum
  24. r/australia discussion: insurance as the trigger for security investment forum
  25. r/auscorp discussion: passkeys, personal devices and staff empathy forum
  26. Whirlpool discussion: privileged access and trust in auditors forum
  27. r/australia discussion: compliance versus cyber security forum
  28. Cyber security primary
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.