If you're a small business owner, your mental image of "getting hacked" probably involves a hooded figure and a green terminal. The reality is much more boring. The attacks aimed at small businesses are mostly automated, opportunistic and mass-produced — the cyber equivalent of someone walking down the street trying every car door. They're not picking you. They're picking the easiest car on the street.

The good news: you don't have to be a fortress. You just have to be slightly less convenient than the next business along. Here are seven boring things that do that, in the order I'd recommend tackling them.

1. Turn on two-factor authentication everywhere it's offered

This is the single most valuable cyber security action available to a small business owner, and it costs nothing. Email, banking, accounting, hosting, social media, CRM — all of it. Use an authenticator app (Authy, 1Password, Google Authenticator) rather than SMS where you can. If a password ever leaks, 2FA is what stops that leak from turning into a real incident.

Start here:

  • Your primary work email
  • Your banking and accounting platforms
  • Your website's hosting / admin login
  • Your domain registrar (this one gets forgotten — and it's the keys to the castle)

2. Use a password manager (and stop reusing passwords)

The reason people reuse passwords is that they can't remember unique ones. The reason attackers love it is that one leaked password from a forgotten online forum gives them your email. A password manager (1Password, Bitwarden) ends this trade-off. You remember one strong password; the manager remembers everything else.

3. Keep things updated

Most successful attacks exploit vulnerabilities that have been patched for months. The fix is unglamorous: keep your devices, browsers, operating systems and website software up to date. Turn on automatic updates wherever you can. The hassle of restarting your laptop is cheaper than the alternative.

4. Back up your important data — and test the restore

"We have backups" is something everyone says. "We restored from backups recently" is something almost nobody can say. A backup you've never tested is a hope, not a plan. At minimum, follow the 3-2-1 rule: three copies, on two different types of media, with one off-site. For most small businesses, that's the originals on your computer, a copy in cloud storage, and an external drive you rotate.
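Here is what "test the restore" looks like in practice, as an added example that is not part of the original article: build a small constructed folder, archive it, restore the archive to a separate location, and compare a SHA-256 hash of every file before and after. The folder names and file contents are made up for the example; point the same functions at a real folder and a real backup archive to test your own.

```python
"""Make a backup archive and prove it restores byte-for-byte.

Added example, not from the original article. It creates a small constructed
"business folder" in a temporary directory, archives it, restores the archive
to a second directory, and compares SHA-256 hashes of every file. A restore
that has never been checked this way is the "hope, not a plan" the article
warns about.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> None:
    """Archive the whole source folder (stored under its own name) as gzip-compressed tar."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)


def restore_backup(archive: Path, destination: Path, folder_name: str) -> Path:
    """Extract the archive into destination and return the restored folder."""
    destination.mkdir(parents=True, exist_ok=True)
    # The "data" extraction filter (Python 3.12, backported to maintenance releases)
    # refuses path-traversal entries; fall back to plain extraction where it is absent.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(destination, **extra)
    return destination / folder_name


def verify_restore(source: Path, restored: Path) -> list[str]:
    """Return a list of problems; an empty list means every file came back identical."""
    before, after = hash_tree(source), hash_tree(restored)
    problems = []
    for name, digest in before.items():
        if name not in after:
            problems.append(f"missing after restore: {name}")
        elif after[name] != digest:
            problems.append(f"contents differ: {name}")
    for name in sorted(after.keys() - before.keys()):
        problems.append(f"unexpected extra file: {name}")
    return problems


def run_restore_test(tamper: bool = False) -> list[str]:
    """End-to-end drill on constructed data. tamper=True corrupts one restored
    file first, to show that the verification actually notices."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "business-files"
        (source / "invoices").mkdir(parents=True)
        (source / "invoices" / "2024-03.csv").write_text("constructed sample invoice data\n")
        (source / "clients.txt").write_text("constructed sample client list\n")

        archive = tmp / "backup.tar.gz"
        make_backup(source, archive)
        restored = restore_backup(archive, tmp / "restored", source.name)
        if tamper:
            (restored / "clients.txt").write_text("silently corrupted copy\n")
        return verify_restore(source, restored)


if __name__ == "__main__":
    print("clean restore problems:", run_restore_test())
    print("tampered restore problems:", run_restore_test(tamper=True))
```

Run it on a schedule (monthly is plenty for most small businesses) and keep the output; "last tested on" is the line you want in your written plan.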

5. Learn to spot the three most common scams

Almost all of the email-based attacks that cost Australian small businesses money fall into three categories:

  • Invoice fraud. A familiar-looking email from a "supplier" asks you to pay a new BSB. Always verify changes to payment details by phone, using a number you already had.
  • Boss impersonation. An email "from the director" urgently asks for a transfer or a gift card. Same rule: verify by voice, not by reply.
  • Credential phishing. A link to "log into" your Microsoft / Google / banking account. If anything urgent ever asks you to log in via an email link, don't. Open a new tab and go to the site yourself.

6. Lock down your domain and email

If you have your own domain name, three technical settings deserve attention even if you outsource your IT: SPF, DKIM and DMARC records in your DNS. Without these, anyone can send email pretending to be you — and they will. Most hosting providers can help set them up in an afternoon, and it removes a whole class of attack that small businesses don't realise they're vulnerable to.

7. Have a simple "what if" plan

You don't need a 50-page incident response plan. You need answers to four questions, written down somewhere everyone can find:

  1. If our email accounts are compromised, who do we call and how?
  2. If our website goes down, who do we call and how?
  3. If our bank account is compromised, who do we call and how?
  4. What's our backup plan for getting work done if everything is offline for 24 hours?

That's it. The plan doesn't have to be sophisticated. It has to exist, and your team has to know where it is. Most of the panic in an incident comes from not knowing what to do first.

The 90/10 rule

Everything in this list takes a weekend afternoon to set up and almost nothing to maintain. None of it requires a "cyber expert." And together it blocks the vast majority of the actual attacks aimed at small businesses — because the attacks are boring, so the defences only need to be boring back.

If you do those seven things and nothing else, you're already ahead of most of the small businesses in your suburb. The remaining 10% — bespoke threats, advanced compliance, regulated industries — is where specialists come in. But for the average Perth small business, the gap between "wildly vulnerable" and "reasonably safe" is closer than you think.

Want a hand setting this up?

If you'd like someone to sit with you and tick off the basics — 2FA, password manager, DNS records, a one-page plan — I do short, jargon-free cyber security sessions for small businesses.
