Hyetech

Cybersecurity Checklist for Australian Businesses in 2026

Quick Answer

Australian businesses face a cybercrime report every six minutes according to the ACSC. This 12-item checklist covers the most critical security controls for 2026, built around the ASD Essential Eight and your legal obligations under the Notifiable Data Breaches scheme and the Cyber Security Act 2024.

Why Australian Businesses Need This Checklist in 2026

The ACSC’s 2023-24 Annual Cyber Threat Report recorded 87,400 cybercrime reports across Australia — one every six minutes. Average incident costs reached $49,600 for small businesses and $62,800 for medium businesses. The 2023 Medibank and Optus breaches, the 2024 MediSecure incident (12.9 million patient records), and the 2025 superannuation fund attacks confirm that no organisation is too small to be targeted.

AI-generated phishing emails now pass spelling and grammar checks. Business Email Compromise cost Australian businesses over $84 million in 2023 alone. Ransomware groups increasingly target supply chains to reach their actual target. Cloud misconfigurations continue to be a leading root cause of Australian data breaches.

This checklist is a practical daily tool for keeping your security posture visible, accountable, and continuously improving. For independent verification that your controls are working as intended, see network security audit services.

What Is Cybersecurity?

Cybersecurity is the practice of protecting your business’s digital systems, data, networks, and devices from unauthorised access, theft, and damage. It covers everything from the hardware on your desks to the cloud platforms your team logs into every day — and all the policies and practices that govern how people use them.

At its core, cybersecurity is about three things: preventing unauthorised access before it happens, detecting threats early when prevention fails, and recovering quickly when something goes wrong. Good cybersecurity combines practical controls — strong authentication, regular patching, tested backups — with the human layer: staff who know how to recognise a phishing email and what to do when something looks wrong.

For Australian businesses, cybersecurity also has a legal dimension. The Privacy Act 1988, the Notifiable Data Breaches scheme, and the Cyber Security Act 2024 together mean that failing to protect customer data is not just a business risk — it is a compliance risk with real financial consequences. The network security audit framework explains how these regulatory requirements map to technical controls in practice.

The Impact of Getting It Wrong

Financial loss: Ransomware attacks cost Australian medium businesses an average of $97,200 in recovery costs in 2024 — before considering the ransom payment itself.

Legal liability: Under the Notifiable Data Breaches scheme, organisations with annual turnover above $3 million must notify the OAIC within 30 days of becoming aware of an eligible data breach. Inadequate security controls that slow detection increase legal exposure.

Reputational damage: The OAIC’s 2023-24 NDB report shows 38% of all data breaches resulted from cyber security incidents. Rebuilding customer trust after a public breach — especially in childcare, healthcare, or financial services — takes years.

Operational disruption: Average downtime from a ransomware attack in Australia is 21 days. Without tested backups and an incident response plan, that disruption can be permanent. See top cybersecurity threats for Australian businesses for the full threat landscape.

The 2026 Cybersecurity Checklist for Australian Businesses

1. Enable Multi-Factor Authentication on Every Account

MFA blocks over 99.9% of automated account attacks. Every account — email, cloud platforms, accounting software, remote access tools — should require a second factor.

  • Enable MFA on Microsoft 365, Google Workspace, accounting platforms, and all SaaS tools
  • Use an authenticator app rather than SMS — SMS can be intercepted via SIM swap attacks
  • Enable number-matching on push notifications to prevent MFA fatigue attacks
  • For admin accounts and finance roles, use hardware security keys (FIDO2/YubiKey)
  • Guide: Multi-Factor Authentication for Australian businesses

Essential Eight: MFA (all maturity levels)

2. Keep Software and Operating Systems Patched

Unpatched software is the most consistently exploited attack vector in Australia. The ACSC regularly publishes alerts about vulnerabilities with available patches that organisations simply have not applied.

  • Enable automatic updates for operating systems on all devices
  • Patch internet-facing applications within 48 hours of a critical patch release
  • Patch all other applications within two weeks of release
  • Remove or replace end-of-life software no longer receiving security updates
  • Maintain an asset register of all software across your environment

Essential Eight: Patch applications; Patch operating systems (all maturity levels)

3. Restrict and Review Administrator Privileges

Every admin account is a high-value target. Reducing privileged accounts directly reduces your blast radius if a credential is compromised.

  • Audit all admin rights — remove anyone who does not strictly require them
  • Create separate, dedicated admin accounts — never use admin accounts for day-to-day email and browsing
  • Apply principle of least privilege — give each user the minimum access required for their role
  • Remove access immediately when staff change roles or leave
  • Use role-specific admin roles in M365 rather than blanket Global Admin assignments
  • Log and review all privileged actions quarterly

Essential Eight: Restrict admin privileges (all maturity levels)

4. Implement Application Control

Application control prevents unauthorised software from executing — blocking malware even if it makes it past your email filter and onto a device.

  • Configure Windows Defender Application Control (WDAC) or AppLocker via Intune
  • At minimum, prevent execution of files from user-writable locations (Downloads, Temp, AppData)
  • Maintain an approved application list and review it quarterly
  • Block PowerShell execution for standard users where not required for their role

Essential Eight: Application control (all maturity levels)

5. Harden Microsoft Office Macro Settings

Malicious macros in Office documents remain one of the most effective ransomware delivery mechanisms in Australia. This attack vector has been active for over a decade and remains widely effective because macro controls are rarely configured.

  • Disable all macros by default via Intune policy or Group Policy
  • If macros are required, restrict to digitally signed macros from trusted publishers only
  • Enable ASR rule: Block Office applications from creating executable content
  • Educate staff to never enable macros on documents received by email

Essential Eight: Configure Microsoft Office macros (all maturity levels)

6. Configure Email Security — SPF, DKIM, DMARC, and Anti-Phishing

Email is the #1 attack vector for Australian businesses. SPF, DKIM and DMARC are three DNS-published email authentication standards; together they let receiving mail servers identify and reject messages that impersonate your domain.

  • Configure SPF — authorises which servers can send on your behalf
  • Configure DKIM — cryptographically signs outbound email
  • Configure DMARC with enforcement (p=reject or p=quarantine)
  • Enable Safe Links and Safe Attachments in Microsoft Defender for Office 365
  • Configure anti-phishing policies to detect executive impersonation
  • Guide: phishing types and prevention

Essential Eight: User application hardening; MFA (supporting control)
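
As an added example (not Hyetech's tooling or code from this page), a small Python checker that grades SPF and DMARC records against the enforcement bar above. The two records are constructed samples for a fictional domain; in real use they would come from DNS TXT lookups of the domain and its _dmarc subdomain.

```python
import re

# Constructed sample records for a fictional domain (assumption: in practice they
# come from DNS TXT lookups of example.com.au and _dmarc.example.com.au).
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per record.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")
ENFORCING = ("quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(record):
    """Findings for an SPF record; an empty list means nothing to fix."""
    if not record.lower().startswith("v=spf1"):
        return ["SPF: record does not start with v=spf1"]
    findings, terms = [], record.split()
    terminal = terms[-1].lower()
    if terminal in ("+all", "all"):
        findings.append("SPF: '+all' lets any server send as your domain")
    elif terminal != "-all":
        findings.append("SPF: no hard-fail '-all' terminator; adopt one once DMARC is enforced")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the 10-lookup limit")
    return findings


def dmarc_findings(record):
    """Findings for a DMARC record measured against the enforcement bar."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing or malformed v=DMARC1 tag"]
    findings, policy = [], tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"DMARC: p={policy or 'missing'} only monitors, it does not enforce")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so aggregate reports are never collected")
    return findings


def assess(spf, dmarc):
    """Combine both checks; dmarc_enforced is True only for p=quarantine or p=reject."""
    findings = spf_findings(spf) if spf else ["SPF: no record published"]
    findings += dmarc_findings(dmarc) if dmarc else ["DMARC: no record published"]
    enforced = parse_dmarc(dmarc).get("p", "").lower() in ENFORCING
    return {"dmarc_enforced": enforced, "findings": findings}
```

A tenant that has just set up Microsoft 365 typically looks like the sample: SPF ends in ~all and DMARC sits at p=none, which reports impersonation but blocks nothing.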

7. Back Up Critical Data — and Test the Restores

Backups are your last line of defence against ransomware. Only 8% of victims who pay the ransom recover all their data (Sophos). If you have clean, tested, offline backups you can recover without paying.

  • Follow the 3-2-1 backup rule: three copies, on two media types, one offsite or offline
  • Ensure at least one backup copy is immutable — ransomware increasingly targets backup systems
  • Enable OneDrive version history with at least 180-day retention
  • Test restores monthly — a backup you have never tested is not a backup
  • Store backup credentials separately from production system credentials

Essential Eight: Regular backups (all maturity levels)

8. Harden User Application Settings

Default browser and application settings include features that are convenient but increase attack surface. Hardening these settings reduces exposure to drive-by attacks and document-based exploits.

  • Disable or restrict browser extensions to an approved list
  • Configure browsers to block third-party cookies and warn before downloading executables
  • Configure PDF readers to block JavaScript execution
  • Disable Office features: automatic external content loading, ActiveX controls
  • Deploy these settings centrally via Intune or Group Policy

Essential Eight: User application hardening (all maturity levels)

9. Train Staff Regularly — and Test With Simulations

Human error accounts for the majority of successful cyber attacks in Australia. The ACSC consistently identifies phishing and credential theft as the primary initial access vectors in Australian incidents.

  • Run security awareness training at least quarterly — brief practical sessions (15-20 minutes)
  • Cover: phishing recognition, safe passwords, what to do if something looks wrong, how to report
  • Conduct phishing simulations — those who click receive immediate targeted training
  • Train specifically on BEC recognition — emails appearing to be executives requesting urgent transfers
  • Include security awareness in onboarding for all new staff

10. Have a Written Incident Response Plan — and Test It

When an incident happens, you do not want to be deciding who calls whom and what gets shut down first. An incident response plan removes that decision-making from the crisis moment.

  • Document: who declares an incident, who is notified, what systems get isolated, who handles communications
  • Include contacts for: IT provider, cyber insurer, legal counsel, and ACSC (1300 CYBER1)
  • Know your NDB obligations: notify the OAIC within 30 days of an eligible data breach
  • Run a tabletop exercise annually — walk leadership through a simulated ransomware scenario
  • Guide: how to respond to a data breach

11. Monitor Your Systems Continuously

You cannot defend what you cannot see. Continuous monitoring means visibility over your network, endpoints, and cloud platforms — and being alerted when something unusual occurs.

  • Enable Unified Audit Logging in Microsoft 365; configure alerts for failed MFA, mass file downloads, new admin assignments, inbox forwarding rules
  • Deploy EDR — Microsoft Defender for Business (included in M365 Business Premium)
  • Review your Microsoft Secure Score quarterly and act on top-priority recommendations
  • For businesses without internal security staff, consider managed detection and response for 24/7 monitoring
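
Item 11's alert conditions, as an added Python example that is not Hyetech's or the page's own code: it runs four detections over constructed audit events whose shape is a simplified version of Microsoft 365 Unified Audit Log records (assumption: the operation names match the real export; the users, timestamps and thresholds are made up).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified shape (assumption: real Unified Audit
# Log exports carry these operation names among many more fields).
SAMPLE_EVENTS = [
    {"time": "2026-02-03T08:00:00", "user": "alice@example.com.au", "op": "UserLoginFailed", "detail": "MFA denied"},
    {"time": "2026-02-03T08:02:00", "user": "alice@example.com.au", "op": "UserLoginFailed", "detail": "MFA denied"},
    {"time": "2026-02-03T08:05:00", "user": "alice@example.com.au", "op": "UserLoginFailed", "detail": "MFA denied"},
    {"time": "2026-02-03T08:30:00", "user": "bob@example.com.au", "op": "FileDownloaded", "detail": "Q4-forecast.xlsx"},
    {"time": "2026-02-03T08:31:00", "user": "bob@example.com.au", "op": "FileDownloaded", "detail": "payroll.xlsx"},
    {"time": "2026-02-03T08:33:00", "user": "bob@example.com.au", "op": "FileDownloaded", "detail": "clients.csv"},
    {"time": "2026-02-03T09:00:00", "user": "carol@example.com.au", "op": "New-InboxRule", "detail": "ForwardTo=archive@external.example"},
    {"time": "2026-02-03T09:10:00", "user": "dave@example.com.au", "op": "Add member to role.", "detail": "Global Administrator"},
    {"time": "2026-02-03T09:15:00", "user": "erin@example.com.au", "op": "New-InboxRule", "detail": "MoveToFolder=Receipts"},
    {"time": "2026-02-03T10:00:00", "user": "erin@example.com.au", "op": "UserLoginFailed", "detail": "MFA denied"},
]
# Inbox-rule / mailbox parameters that send a copy of mail outside the mailbox.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")


def burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside any window of length `window`."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(events, fail_threshold=5, download_threshold=50, window_minutes=60):
    """Return one alert string per triggered condition from item 11, evaluated over `events`."""
    window = timedelta(minutes=window_minutes)
    alerts, failed, downloads = [], defaultdict(list), defaultdict(list)
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["op"] == "UserLoginFailed" and "MFA" in e["detail"]:
            failed[e["user"]].append(t)           # thresholded below, not alerted per event
        elif e["op"] == "FileDownloaded":
            downloads[e["user"]].append(t)
        elif e["op"] == "Add member to role." and "admin" in e["detail"].lower():
            alerts.append(f"new admin assignment: {e['user']} -> {e['detail']}")
        elif e["op"] in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox") and any(
                p in e["detail"] for p in FORWARDING_PARAMS):
            alerts.append(f"mail forwarding configured: {e['user']} ({e['detail']})")
    for user, times in failed.items():
        if burst(times, fail_threshold, window):
            alerts.append(f"repeated MFA failures: {user}")
    for user, times in downloads.items():
        if burst(times, download_threshold, window):
            alerts.append(f"mass file download: {user}")
    return alerts
```

The defaults (5 MFA failures or 50 downloads per user per hour) are starting points; tune them against your tenant's normal activity so that a single mistyped code or a legitimate project sync does not page anyone.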

12. Vet Third-Party Vendors and Supply Chain Partners

Supply chain attacks — where an attacker compromises a trusted vendor to reach their target — have been responsible for some of the most significant Australian breaches in recent years.

  • Ask key vendors about their security certifications (ISO 27001, SOC 2, Essential Eight maturity)
  • Review and revoke unnecessary vendor access to your systems
  • Ensure vendor contracts include security and breach notification obligations
  • Understand the shared responsibility model for cloud and SaaS vendors
  • Include vendor review in your annual security assessment
  • Context: AI-driven cyber attacks and how they exploit supply chain relationships

ASD Essential Eight — Where Each Checklist Item Maps

Essential Eight Control             Checklist Items
Multi-factor authentication         Item 1 (MFA on every account)
Patch applications                  Item 2 (Software patching)
Patch operating systems             Item 2 (OS patching)
Restrict admin privileges           Item 3 (Admin privilege controls)
Application control                 Item 4 (Application control)
Configure Microsoft Office macros   Item 5 (Macro settings)
User application hardening          Items 6 & 8 (Email security; app hardening)
Regular backups                     Item 7 (Backups and restore testing)

For an independent assessment of your current Essential Eight maturity level, a cyber security audit will score each control and produce a prioritised remediation roadmap. Most Australian businesses should target Essential Eight Maturity Level 2 as their baseline.

Best Practices for Using This Checklist

  • Assign ownership for each item — a named person responsible, not just ‘IT’
  • Review quarterly — threats change faster than annual cycles can accommodate
  • Track completion, not just intention — use a shared document or ticketing system to record what is done, in progress, and deferred
  • Automate the repeatable tasks — patching, backup verification, and log review can all be automated
  • Use it alongside professional assessment — this checklist is a starting point, not a substitute for an annual network security audit that independently verifies your controls are working

Your Legal Obligations as an Australian Business

Notifiable Data Breaches (NDB) scheme

Applies to: organisations with annual turnover above $3 million; all healthcare providers; credit reporting bodies; tax file number recipients. Obligation: notify the OAIC and affected individuals within 30 days of becoming aware of an eligible data breach. Checklist items 1, 2, 3, 7, 10, and 11 directly reduce breach probability and support documentation of reasonable security measures that the OAIC considers in enforcement.

Cyber Security Act 2024

Applies to: operators of critical infrastructure (energy, water, transport, healthcare, financial services, communications, data storage, education). Obligation: mandatory incident reporting to the ACSC within 12 hours for significant incidents and 72 hours for other notifiable incidents. Checklist item 10 (incident response plan) directly addresses these obligations.

Frequently Asked Questions

Q1: What is the most important item for a small Australian business with limited IT resources?

MFA, without question. It is the fastest to implement, costs nothing for Microsoft 365 users, and blocks the vast majority of credential-based attacks. If you can only do one thing today, enable MFA on every account. Once MFA is in place, the next highest-impact items are patching and tested backups.

Q2: How does this checklist relate to the ASD Essential Eight?

This checklist covers all eight Essential Eight controls across its twelve items. The mapping table in this guide shows exactly where each item lands. For formal Essential Eight maturity scoring (Levels 1, 2, or 3), you need a professional assessment — a checklist self-assessment is not sufficient for compliance or insurance purposes.

Q3: What is the Notifiable Data Breaches scheme and does it apply to my business?

The NDB scheme requires organisations to notify individuals and the OAIC when a data breach is likely to cause serious harm. It applies to organisations with annual turnover above $3 million, all healthcare providers, credit reporting bodies, and tax file number recipients. The consequences of a notifiable breach without adequate prior security controls include regulatory investigation and potential civil penalties.

Q4: How often should I work through this checklist?

Quarterly review of the full checklist, with monthly spot-checks on the highest-risk items: patching status, backup test results, and admin privilege audit. The ACSC recommends treating cybersecurity as a continuous programme rather than a periodic checkbox exercise.

Q5: Do I need cyber insurance if I am doing everything on this checklist?

Cyber insurance and a cybersecurity checklist serve different purposes — one reduces risk, the other transfers it. Good security controls make you more insurable and typically reduce your premiums, but they do not eliminate all risk. Many insurers now require evidence of Essential Eight alignment as a condition of coverage.

Q6: My business uses Microsoft 365 — does that cover most of this checklist?

A correctly configured M365 Business Premium tenant covers a significant portion: MFA via Conditional Access, patching via Windows Update for Business, macro controls via Intune, email security via Defender for Office 365, EDR via Defender for Business, and audit logging. However, none of these are automatic — they need deliberate configuration. See Microsoft 365 security best practices at hyetech.com.au for the specific settings to configure.

Q7: What should I do if I discover a potential breach while working through this checklist?

Isolate the affected system from the network (disconnect from Wi-Fi/ethernet without shutting down — this preserves forensic evidence), and contact your IT provider immediately. Do not attempt to fix it yourself. Contact your cyber insurer if you have one. If personal information may have been accessed, start your NDB scheme assessment clock — you have 30 days from when you become aware to notify the OAIC if the breach is eligible.

Q8: How do I know if our current security is actually working?

You cannot know without independent testing. A checklist tells you what controls are in place — it does not verify whether they are configured correctly or would actually stop an attack. An annual network security audit or penetration test provides that independent verification. Microsoft Secure Score (for M365 tenants) is a useful continuous indicator of configuration quality between formal audits.
