By The Most Secure Man Alive | WISECLICK Ambassador
I have watched a hundred small businesses begin at a kitchen table.
The laptop. The half-finished logo. The quiet promise to tidy everything up later.
Later rarely arrives the way people imagine it will.
A modern Australian small business is built on software. That isn't a problem. That's just the shape of the work now.
Someone opens Xero because the accountant said so. They sign up for Microsoft 365 or Google Workspace because the email has to come from somewhere. They add a CRM, a Stripe account, a Shopify store, a Mailchimp list, a Canva subscription, a booking app, and three other tools they couldn't name on a Tuesday if you asked them.
The whole business now lives in a laptop bag and a handful of browser tabs.
I have no complaint with any of that. The tools are good. The owners are sensible. The setup is honest work.
The trouble starts somewhere else. The trouble starts with what isn't on the list.
The List Everyone Gets Handed
The standard small business checklist is a fine document. Register the name. Open the bank account. Set up Xero. Get a website. Sort out invoicing. Pick a payment gateway. Connect the domain. Start posting.
All of that is correct.
What I notice is what the list politely leaves out.
Nobody hands the new owner a second checklist asking the questions that decide whether the business survives a bad Tuesday. What happens if the laptop disappears in the back of an Uber. What happens if the Microsoft 365 account locks out the owner two hours before a board meeting. What happens when "I'm sure it's backed up" turns out to mean "I hope it is."
I don't ask those questions to alarm anybody. I ask them because the answer determines whether the next twelve months feel like building a business or rebuilding one.
The Stack Everyone Builds
If you earn your living from a laptop, you already have a business stack. Most of them look the same:
- Xero or MYOB for the books
- Microsoft 365 or Google Workspace for email, files, and the calendar holding the week together
- A CRM, a quoting app, or a spreadsheet doing its level best
- Mailchimp or Klaviyo for the marketing
- Stripe, PayPal, Square, or Shopify for getting paid
- A domain, a website, and the quiet collection of logins nobody thinks about until one breaks
Every one of those tools sends me a monthly invoice. Not one of them sends me a warning when something goes wrong.
It is, on paper, very efficient. It is also, on paper, slightly more fragile than it looks.
The assumption that catches a lot of owners out is the one nobody says out loud: surely Microsoft has this sorted. Surely Google does. Surely the platforms I pay for are covering the whole picture.
The platforms do cover part of the picture. Part of the picture is not the same thing as the picture.
What the Startup Guides Quietly Skip
The hidden risk in a modern small business isn't the dramatic Hollywood ransomware moment. It's the slow accumulation of small assumptions.
The assumption that Microsoft 365 is a backup. (It isn't.)
The assumption that the antivirus that came with the laptop is doing the job. (It's doing a job. Not always the right one.)
The assumption that the business is too small to be interesting to anyone with bad intentions.
That last assumption is the one I would most like to escort out of the room.
The Australian Signals Directorate publishes a regular threat report through the Australian Cyber Security Centre. The latest one — covering 2024 to 2025 — recorded over 84,700 cybercrime reports. One every six minutes. The average self-reported cost to a small business rose 14% in a year, to $56,600. (cyber.gov.au, if anyone wants to read it for themselves.)
Small businesses are not skipped over for being small. That has been the picture for years now. The smaller operation is often the easier door.
I don't share that to alarm anyone. I share it so the assumption can come off the list. Quietly. Without ceremony.
Where I Think Cyber Actually Belongs
This is the part of the conversation I have most often, and the part that gets misunderstood most.
People file cyber under "things big companies worry about." It sits in a separate mental drawer next to enterprise IT and the bit my nephew talked about over Christmas. That drawer is, I think, the wrong drawer.
Cyber belongs in the same drawer as Xero. Same drawer as the M365 subscription. Same drawer as the phone bill.
It is not an upgrade. It is not a luxury you graduate into when the business gets bigger. It is the layer that keeps the rest of the stack standing up.
When I look at a small business stack, I see seven things on the list: accounting, email and documents, a website, a payment platform, a phone, a laptop, and quiet protection. Six of those things, every small business buys. The seventh, almost nobody does.
That is the gap.
Here's How I Think About It
I don't tell small business owners what they must do. I have no patience for that kind of talking. But people ask me how I think about my own stack, so here is the short version.
I assume the laptop will go missing. Not tomorrow, necessarily. One day. It might be theft, it might be a coffee, it might be the back of an Uber. The question I want answered before that day is: if it disappears tonight, do I lose anything that matters? If the answer is "yes," something needs adjusting.
I assume the main email account is the front door of the business. If you have ever been locked out of an inbox for half a day you will know what I mean. I keep the recovery details current. I keep multi-factor authentication on. I make sure somebody trusted can help me get back in if my phone takes a swim.
I assume the backups exist until proven otherwise. The Australian Cyber Security Centre lists regular backups as one of the Essential Eight strategies for a reason — and the reason is not that backups are clever. The reason is that almost nobody tests theirs. A backup you have never restored from is a rumour about a backup.
I assume someone needs to be quietly watching. Not me. Not the owner. Set and forget should not mean buy something and hope. It should mean the important things are being looked after by someone who already understands the business — without turning the owner into part-time IT support.
The Grown-Up Version of the Stack
A grown-up small business stack isn't seven tools. It's six tools and a quiet seventh thing watching over them.
Xero. M365 or Google. The CRM. The website. The payment platform. The laptop. And the layer underneath that keeps one bad Tuesday from becoming three bad weeks.
Some owners will tell you the seventh thing is a luxury. I have watched the businesses that learned otherwise. None of them learned it cheaply.
That is not overkill. That is just a small business that has decided to keep operating.
Most small businesses that take the assessment find two or three gaps they hadn't spotted. That's not a failure. That's the assessment doing its job.
Want to know where your own stack sits?
The Essential 8 Gap Assessment shows you exactly where your business stands — across all eight controls, in plain English.
It's a thirty-minute online assessment you do in your own time. No phone call. No appointment. No screen-share with a technician. Plain-English questions about how your business actually runs, and you finish with a clear picture of what's already covered, what needs a small adjustment, and what can safely wait.
30 minutes. No tech knowledge needed. $149.
No drama. No upsell theatre. Just the picture. The assessment stands on its own — you leave with a useful map whether you ever speak to us or not.
Frequently Asked Questions
1. Isn't cyber security only really a concern for bigger businesses?
The Australian Cyber Security Centre publishes data on this every year. The 2024–25 report logged over 84,700 cybercrime reports in Australia — averaging one every six minutes — with the average self-reported cost to a small business rising 14% to $56,600. Smaller operations are often easier doors to walk through, which is part of why they get chosen. (cyber.gov.au)
2. Doesn't Microsoft 365 back everything up automatically?
It doesn't, no. Microsoft protects its own service infrastructure. The contents of your mailbox, your files, and your accounts are your responsibility to back up. Most small business owners find this out the day they need it back — which is the day it's least convenient. Better to know on a Tuesday.
3. Is the antivirus that came with my laptop enough?
It is something. Whether it is enough depends on what your business actually runs on the device. For a laptop carrying client data, financials, and a year of email, "something" and "enough" are usually different words. The Essential 8 Gap Assessment tells you which side of that line your setup actually sits on.
4. How much should a small business spend on cyber?
Less than people think. Probably more than they're currently spending. The honest answer is: enough that the laptop, the inbox, and the data are looked after — and not a dollar of theatre on top.
5. What does the Essential 8 actually cover?
The Essential Eight is the Australian Signals Directorate's baseline — eight mitigation strategies the government considers the cyber security floor for any organisation. It's the foundation we work from. (cyber.gov.au)
6. Do I need to be technical to take a gap assessment?
No. The whole point is the opposite. The assessment is built for owners who run businesses, not networks.
7. What if I find out my setup has gaps?
That's the useful version of the day. Knowing where the gaps are is the part most small businesses skip for years. Closing them is straightforward once they're visible.
8. Can I do this myself?
Some of it. Multi-factor authentication, password hygiene, account recovery — those are honest weekend jobs. The rest is the layer that runs quietly in the background, and that part is what membership is for.
Need help putting it all in place? WISE ASSIST is the support service built for small businesses who want to get this right — without hiring an IT department.
A lot of small businesses don't run into trouble because the owner was careless.
The expensive moments usually come from one or two small things that looked handled on the surface — and were never really checked.
Most businesses are closer to sorted than they think. They don't need a security department. They need the basics handled properly, checked occasionally, and watched quietly in the background.
That's the bit that belongs on the to-do list earlier than most people put it there.
Stay protected, my friends.
— The Most Secure Man Alive
Leave a comment
This site is protected by hCaptcha and the hCaptcha Privacy Policy and Terms of Service apply.