Small Businesses Start Here

IN PROGRESS

The Essential 8 is what the Australian Government thinks you need to start with first.

There is also the 5 Knows from Telstra, which is also good.

I think it’s good, but many small businesses don’t even know where to start, let alone begin to read it.

This document is trying to start with the very basics.

It is intended for small businesses that have a pretty basic setup, do NOT have a server in their back room, use Cloud Services by default, and do NOT do custom App development. If you do custom app development you still need to start from this point, but there is much more to think about that is not covered in these pages.

Basics

Know about this stuff:

  • Passwords

  • Phishing

  • Data Storage

  • Sharing Data

  • PCI Compliance

  • Access restriction

  • Principle of least privilege

  • Alerts for data changes

    • eg Email employee if their bank details change on the payroll system

  • Visibility

  • Logs

  • Protecting emails - eg having rules in place for money transfers, so a hacked email account cannot be used to redirect a payment.

  • SPF / DMARC / DKIM
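Taking the payroll example above as an added illustration (this is example code written for this page, not code from the original post or from any payroll product): given two exports of the payroll system, it finds employees whose bank details changed and addresses the alert to the email address that was on record before the change. The field names and the sample records are assumptions.

```python
from dataclasses import dataclass

# Payroll columns whose change should alert the employee (names are assumed;
# map them to your payroll system's export).
WATCHED_FIELDS = ("bsb", "account_number", "account_name", "email")


@dataclass(frozen=True)
class Alert:
    employee_id: str
    notify: str     # the email on the PREVIOUS record, not the edited one
    changed: tuple  # (field, old_value, new_value) per changed field


def _display(field: str, value) -> str:
    """Mask account numbers so the alert itself does not leak full details."""
    value = str(value)
    if field == "account_number":
        return "*" * max(len(value) - 3, 0) + value[-3:]
    return value


def bank_detail_alerts(previous: dict, current: dict) -> list:
    """Diff two payroll snapshots keyed by employee id; one Alert per employee
    whose watched fields changed. Addressing the alert to the previous email
    means an attacker who swaps bank account and contact email in one edit
    still tips off the real employee."""
    alerts = []
    for emp_id, old in previous.items():
        new = current.get(emp_id)
        if new is None:
            continue  # removed from payroll: out of scope for this check
        changes = tuple(
            (f, _display(f, old.get(f, "")), _display(f, new.get(f, "")))
            for f in WATCHED_FIELDS
            if old.get(f) != new.get(f)
        )
        if changes:
            alerts.append(Alert(emp_id, old["email"], changes))
    return alerts

# Constructed sample snapshots: E002's BSB, account number and email changed.
PREVIOUS = {
    "E001": {"email": "ann@example.com", "bsb": "062000", "account_number": "12345678", "account_name": "A Smith"},
    "E002": {"email": "bob@example.com", "bsb": "062000", "account_number": "87654321", "account_name": "B Jones"},
}
CURRENT = {
    "E001": PREVIOUS["E001"],
    "E002": {"email": "bob.new@example.net", "bsb": "033000", "account_number": "99990000", "account_name": "B Jones"},
}
```

Run this against each pair of consecutive exports (daily, or on every payroll edit) and send each Alert to its `notify` address.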

Pre-Steps

  • Don’t even start with these steps unless your Business Email and Document storage are in the cloud. I don’t care if it’s Microsoft 365 or GSuite, just get it.

    • If you don’t like OneDrive or Google Drive for all your documents (I use highly complex Word Documents and I don’t trust either cloud service to not stuff them up), then get Dropbox (Pro or Business) or Box.

First Steps

  • Get a Password Manager

    • 1Password Business or LastPass Enterprise. I don’t care which one, just get it.

  • Use your Password Manager

    • Every single business login needs to be in there.

    • Anything shared with your team or outside your team is only shared via the app.

    • I have both so my clients can share passwords with me via their app of choice.

  • Turn on 2 Factor Authentication for everything.

    • DO THIS NOW!

    • Yes, every app your business touches.

      • Eg Xero (now mandatory), Microsoft 365, GSuite, Salesforce, Unleashed, Quickbooks, Twitter, Facebook

    • I like Authy, but it’s probably easiest to use the token generator in 1Password or LastPass. I would not use Microsoft or Salesforce specific ones unless needed (eg Salesforce needs to use theirs for Lightning Login).

    • I use a Yubikey for my most sensitive accounts - eg my GSuite, my M365, my Windows laptop, and my Salesforce.

  • Ensure the basics of Virus Protection, Malware Protection and Ransomware protection are on your devices.

    • Yes, that includes your Macs. Don’t risk your business on the myth that “Macs don’t get viruses”.

    • I use Microsoft Defender.

  • Your laptop does have a secure login, doesn’t it?

    • I use Windows Hello but also have my Microsoft login behind MFA using a Yubikey device.

  • Your phone does have a secure login, doesn’t it?

    • I use Android fingerprint login.

Next Steps