One Year of SMB Security: Lessons Learned
A year ago, I started writing about cybersecurity for Australian small businesses. Thirty-six articles later, I’ve learned as much as I’ve taught.
Here are the most important lessons from a year of working with SMBs on security.
Lesson 1: The Basics Are Still the Basics
Every time I start with a new client, I expect to find sophisticated vulnerabilities requiring advanced solutions. Every time, the actual problems are simpler:
- MFA not enabled everywhere
- Patches not applied
- Backups not tested
- Passwords reused and shared
- Former employees with active accounts
I keep waiting for this to change. It doesn't. The Essential Eight (the ACSC's baseline mitigation strategies) isn't exciting, but it addresses the problems businesses actually face.
If your security program isn’t starting with fundamentals, it’s not going to work.
Lesson 2: Culture Beats Technology
The businesses with the best security outcomes aren’t the ones with the most expensive tools. They’re the ones where security is part of how people think.
In healthy security cultures:
- People report suspicious emails without embarrassment
- Questioning unusual requests is normal
- Leadership demonstrates security practices
- Security is everyone’s responsibility, not just IT’s
- Mistakes are learning opportunities, not career events
You can buy all the tools in the world and still get breached if your people work around them. You can have modest tools and be well-protected if your people are engaged.
Building culture is harder than buying tools. It’s also more valuable.
Lesson 3: Perfect Is the Enemy of Good
I’ve watched businesses delay security improvements because they couldn’t do everything at once:
- “We’ll implement MFA when we can do it properly across everything”
- “Let’s wait until we have a full security assessment”
- “We need a bigger budget before we start”
Meanwhile, they remained vulnerable to basic attacks.
Doing something imperfectly is better than doing nothing perfectly. Enable MFA on the systems you can, even if you can’t cover everything. Improve patching, even if you can’t reach your ideal cadence. Start training, even if you can’t afford the fancy platform.
Progress beats planning. Move forward.
Lesson 4: Security Is a Business Decision, Not a Technical One
The most important security decisions aren’t made by IT. They’re made by leadership:
- How much risk are we willing to accept?
- What are we willing to invest?
- What’s more important: convenience or control?
- How do we balance security with productivity?
When security is treated as purely technical, it fails. When it’s integrated into business decision-making, it succeeds.
Security leaders need to speak business language. Business leaders need to understand security basics. The conversation has to happen at the leadership level.
Lesson 5: External Help Is Underutilised
Too many small businesses try to figure everything out alone. They Google solutions, read articles (like this one), and muddle through.
Sometimes that works. Often it doesn’t.
External expertise - whether from IT providers, security consultants, or managed services - can accelerate improvement dramatically. The cost of help is usually less than the cost of getting it wrong.
You don’t need to become a security expert. You need to know when to call one.
Lesson 6: Insurance Is Driving Real Change
I was sceptical of cyber insurance as a security driver. Compliance checkboxes don’t equal real security.
But I’ve changed my view somewhat. Insurance requirements are forcing businesses to implement controls they would have otherwise postponed:
- MFA mandates have pushed adoption
- Backup requirements have improved resilience
- Security questions have prompted self-assessment
Is insurance-driven security perfect? No. Is it better than what existed before? Often yes.
If your insurer is requiring something, do it properly rather than just ticking the box. They require it because it demonstrably reduces losses; a control that only exists on the questionnaire protects nobody.
Lesson 7: Small Businesses Are Part of Larger Ecosystems
The idea that small businesses are “too small to target” is wrong on its own terms. It's also wrong for a second reason: connections.
Small businesses:
- Hold data that’s valuable to attackers
- Have access to larger clients’ systems
- Are part of supply chains that affect many others
- Can be stepping stones to bigger targets
Your security posture affects not just you but everyone you’re connected to. That’s a responsibility, but it’s also a business opportunity - clients increasingly want to work with secure suppliers.
Lesson 8: Recovery Capability Matters as Much as Prevention
You cannot prevent every attack. Some will get through despite your best efforts.
The question is: what happens then?
Businesses with good recovery capability:
- Have tested backups that actually work
- Have incident response plans they've practised
- Know who to call and what to do
- Can operate while systems are down
- Can recover without paying ransoms
Prevention is essential. Recovery is also essential. Don’t neglect either.
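The difference between “the backup job ran” and “the backup actually works” is a restore test. The following is an added example, not code from the original article: it packs a constructed set of files into a tar.gz archive with a SHA-256 manifest, then restores the archive to scratch storage and checks every file against that manifest. The archive layout and the `MANIFEST.json` name are assumptions for this example, not any backup product's native format; the "tampered" option only exists to simulate a corrupted stored copy so the check has something to catch.

```python
"""Added example: restore-test a backup instead of trusting the job status.

The archive format (tar.gz plus a MANIFEST.json of SHA-256 hashes) is an
assumption made for this example, not a real product's format.
"""
from __future__ import annotations

import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "MANIFEST.json"  # assumed name; stored alongside the data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict[str, bytes], tampered: Optional[dict[str, bytes]] = None) -> bytes:
    """Write files into a .tar.gz together with a manifest hashing the ORIGINAL content.

    `tampered` substitutes bytes for some files after the manifest is computed,
    simulating silent corruption of the stored copy (constructed for this example).
    """
    manifest = {name: sha256_hex(data) for name, data in files.items()}
    stored = {**files, **(tampered or {})}
    entries = list(stored.items()) + [(MANIFEST_NAME, json.dumps(manifest, sort_keys=True).encode())]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _safe_member(member: tarfile.TarInfo) -> bool:
    """Accept only regular files with relative, non-traversing paths."""
    parts = Path(member.name).parts
    return member.isfile() and len(parts) > 0 and not member.name.startswith("/") and ".." not in parts


def restore_test(archive: bytes) -> dict:
    """Restore to a scratch directory and verify every manifest entry.

    Returns a report: ok, restored (count), missing and corrupt (lists of paths),
    and error (set when the archive cannot be read or has no manifest).
    """
    report = {"ok": False, "restored": 0, "missing": [], "corrupt": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        try:
            with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
                for member in tar.getmembers():
                    if not _safe_member(member):
                        continue  # never let a backup write outside the restore root
                    dest = root / member.name
                    dest.parent.mkdir(parents=True, exist_ok=True)
                    dest.write_bytes(tar.extractfile(member).read())
        except (tarfile.TarError, EOFError, OSError) as exc:
            report["error"] = f"archive unreadable: {exc}"
            return report
        manifest_path = root / MANIFEST_NAME
        if not manifest_path.is_file():
            report["error"] = "manifest missing; integrity cannot be proven"
            return report
        manifest = json.loads(manifest_path.read_text())
        for name, expected in sorted(manifest.items()):
            path = root / name
            if not path.is_file():
                report["missing"].append(name)
            elif sha256_hex(path.read_bytes()) != expected:
                report["corrupt"].append(name)
            else:
                report["restored"] += 1
    report["ok"] = not report["missing"] and not report["corrupt"]
    return report


# Constructed sample data standing in for a small business file share.
SAMPLE_FILES = {
    "finance/invoices-2024.csv": b"id,amount\n1,1200.00\n2,850.50\n",
    "hr/staff-list.txt": b"alice\nbob\ncarol\n",
    "config/router-backup.cfg": b"hostname edge-rtr\nip ssh version 2\n",
}


def demo() -> dict[str, dict]:
    """Run the restore test against a good, a silently corrupted, and a truncated archive."""
    good = make_backup(SAMPLE_FILES)
    rotten = make_backup(SAMPLE_FILES, tampered={"hr/staff-list.txt": b"alice\nbob\n"})
    return {
        "good": restore_test(good),
        "rotten": restore_test(rotten),
        "truncated": restore_test(good[:40]),  # simulates a backup cut short mid-write
    }


if __name__ == "__main__":
    for label, rep in demo().items():
        print(label, json.dumps(rep))
```

The "rotten" case is the one a job-status check can never catch: the backup job completed, the archive opens, and one file is quietly different from what was backed up. A quarterly drill that restores to scratch and compares against a manifest written at backup time turns "we have backups" into "we can recover".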
Lesson 9: Sustained Effort Beats Heroic Projects
I’ve seen businesses do big security projects - major assessments, tool implementations, training rollouts - and then let things slide for years.
I’ve seen other businesses do modest but consistent work: monthly patching, quarterly reviews, ongoing awareness building.
The consistent businesses are more secure. Security isn’t a project with an end date. It’s a practice that continues indefinitely.
Build sustainable habits rather than burning out on heroic efforts.
Lesson 10: There’s Room for Optimism
Despite all the threats, despite all the breaches in the news, I’m optimistic about SMB security.
- The tools are getting better and more accessible
- The frameworks (Essential Eight) are clear and practical
- Insurance is driving real improvements
- Awareness is higher than ever
- Businesses that invest are seeing results
The businesses that take security seriously, implement fundamentals consistently, and build healthy security cultures are doing well. They’re avoiding incidents, winning contracts, and building trust.
That path is available to any business willing to walk it.
What I’ve Learned About Writing
A quick aside on the writing itself:
People don’t want more fear. They want practical guidance they can actually use. Articles that say “everything is terrible, be scared” get attention but don’t help anyone.
People value specificity. “Implement MFA” is less useful than “Here’s how to enable MFA in Microsoft 365, step by step.”
People are smart. Treating readers as capable adults who can handle nuance is better than dumbing everything down.
People are busy. Getting to the point matters. (I should probably take my own advice more often.)
Looking Forward
After a year of writing and helping businesses, what would I tell someone just starting their security journey?
- Start with MFA. It's the highest-impact, lowest-cost control available.
- Use what you have. Configure the security features in your existing tools before buying new ones.
- Build habits. Regular patching, backup testing, and access reviews. Consistency matters.
- Get help when needed. You don't have to figure everything out alone.
- Keep going. Security is ongoing. Progress beats perfection.
Thank You
To everyone who’s read these articles, asked questions, shared feedback, or reached out: thank you.
To the business owners taking security seriously despite competing pressures: you’re doing important work.
To the IT providers and consultants helping SMBs navigate this: keep at it. Your work matters.
And to the attackers making all this necessary: well, I suppose you keep me employed.
Here’s to another year of helping Australian small businesses stay secure.
If you’ve read this far, you’re clearly committed to getting security right. That commitment is the foundation everything else builds on.
Keep going. You’ve got this.