The short version. Turn on MFA everywhere. Get backups running and actually test a restore. Patch operating systems and applications on a schedule. Stop using administrator accounts for daily work. Write down what you own. Lock down Office macros and harden browsers. Protect the inbox with email authentication and a little training. Do these seven things and you've closed the doors most attackers walk through - at close to zero spend.
How to read each step
Every recommendation below answers the three questions a CISO asks before approving anything: What to do (the concrete action), Why it matters (the risk it removes and the obligation it meets), and roughly What it costs (time and money, honestly). At the end you'll find a single table mapping every step to the Essential Eight, ISO 27001:2022 Annex A, and NIST CSF 2.0 - so when someone asks "says who?", the answer is the frameworks, not us.
A note on the cost figures: where a price is public and citable we name it; where it genuinely varies we give a clearly-labelled rough range rather than invent a precise number. Treat the money notes as order of magnitude, current as of June 2026.
1. Know what you own
You cannot protect what you don't know exists. Every other control on this page assumes you have a list of your devices, accounts, and the software and cloud services your business depends on. It's the least exciting step and the one most often skipped - which is exactly why attackers find the forgotten laptop, the ex-employee's still-active login, or the shadow SaaS app nobody remembered.
What to do. Build and keep a simple inventory of four things: hardware (laptops, servers, phones), software and SaaS (what's installed and what people sign into), user accounts (who has access to what), and your data (what's sensitive and where it lives). A spreadsheet is a completely acceptable start - the point is that it exists and gets reviewed, not that it's a fancy tool.
Why it matters. Inventory is the foundation of every framework because it bounds the problem. It's how you know which devices still need patching, which accounts to disable when someone leaves, and what an attacker could reach. It's also the first thing a cyber-insurance questionnaire or a customer security review asks about.
Roughly what it costs. Free to start - the cost is time, not money. A few hours to build the first version and a recurring calendar reminder to keep it honest. Tools that automate discovery exist and help as you grow, but don't let "we don't have the tool" be the reason there's no list.
2. Turn on MFA everywhere
Multi-factor authentication is the single highest-impact security control available to a small business, and on most platforms it's already included in what you pay for. A stolen or guessed password is the most common way in; MFA makes that password far less useful on its own.
What to do. Require a second factor on every account that supports it - starting with email, your identity provider (Microsoft 365 / Entra ID, Google Workspace), remote access / VPN, and any administrator account. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted. Turn it on for administrators first; they're the highest-value target.
Why it matters. MFA is one of the eight Essential Eight mitigation strategies and a near-universal requirement on cyber-insurance applications - many insurers now decline cover without it. It directly addresses the password-based attacks (phishing, credential stuffing, password spraying) that dominate small-business incidents.
Roughly what it costs. Effectively free. MFA is included in Microsoft 365 (including the Business plans and via free Security Defaults), Google Workspace, and essentially every major identity provider; authenticator apps are free. Hardware keys, if you choose them for admins, are a modest per-key one-off. The real cost is the rollout effort and a little user-change management, not licensing.
3. Patch operating systems and applications
Most successful intrusions exploit a vulnerability for which a fix already existed. Patching is how you shut that window. It's unglamorous, ongoing, and one of the most reliable risk reductions you can make.
What to do. Enable automatic updates for operating systems and for the applications that touch the internet most - browsers, email clients, PDF readers, Office. Set a cadence for everything else and stick to it. The Essential Eight's baseline expectation (Maturity Level One) is that internet-facing services, and the operating systems underneath them, are patched within two weeks of a fix being released, or within 48 hours when an exploit is known to exist; browsers, office suites, email clients and PDF readers within two weeks; and other applications and workstation operating systems within a month.
Why it matters. Two of the eight Essential Eight strategies are literally "patch applications" and "patch operating systems." Unpatched systems were among the specific failings ASIC pointed to in its enforcement action against FIIG Securities - this is the kind of basic that regulators now treat as non-negotiable diligence.
Roughly what it costs. The software is free - patching is built into the OS and apps. The real cost is operational: time to test and deploy, and the maintenance windows and occasional reboots that disrupt work. Budget the process, not a product.
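A small tracker that turns those patch windows into a pass/fail list is the check a practitioner wants before a review meeting. This is an added example, not code from the page or from ASD: the deadlines in SLA_HOURS are my reading of the Maturity Level One timings in the November 2023 maturity model (confirm them against the current model), and the tracker rows, hostnames and timestamps are constructed.

```python
"""Patch-window tracker against Essential Eight Maturity Level One timings.

Added example, not from the page. SLA_HOURS is an assumption taken from the
ASD maturity model (November 2023 edition); verify against the current model.
The tracker rows are constructed.
"""
from datetime import datetime, timedelta

# asset class -> (hours allowed normally, hours allowed when an exploit is known)
SLA_HOURS = {
    "online_service":     (14 * 24, 48),       # internet-facing services
    "internet_facing_os": (14 * 24, 48),       # OS of internet-facing servers/devices
    "internet_app":       (14 * 24, 14 * 24),  # browsers, office suites, email, PDF readers
    "other_app":          (30 * 24, 30 * 24),
    "workstation_os":     (30 * 24, 30 * 24),  # also non-internet-facing servers
}


def deadline(released, asset_class, exploit_known):
    normal, exploited = SLA_HOURS[asset_class]
    return released + timedelta(hours=exploited if exploit_known else normal)


def assess(rows, now):
    """Classify each tracker row as ok / late / pending / overdue."""
    report = []
    for r in rows:
        due = deadline(r["released"], r["asset_class"], r["exploit_known"])
        applied = r["applied"]
        if applied is None:
            status = "overdue" if now > due else "pending"
            delta = now - due
        else:
            status = "late" if applied > due else "ok"
            delta = applied - due
        report.append({
            "host": r["host"], "patch": r["patch"], "status": status, "due": due,
            "hours_past_due": round(delta.total_seconds() / 3600),  # negative = inside the window
        })
    return report


# Constructed tracker rows; hostnames and timestamps are made up.
TRACKER = [
    {"host": "web01", "patch": "reverse-proxy security fix", "asset_class": "online_service",
     "released": datetime(2026, 6, 1, 9), "exploit_known": True, "applied": None},
    {"host": "pc-07", "patch": "browser update", "asset_class": "internet_app",
     "released": datetime(2026, 6, 1, 9), "exploit_known": False, "applied": datetime(2026, 6, 10, 17)},
    {"host": "pc-07", "patch": "OS monthly update", "asset_class": "workstation_os",
     "released": datetime(2026, 5, 1, 9), "exploit_known": False, "applied": None},
    {"host": "srv-files", "patch": "line-of-business app", "asset_class": "other_app",
     "released": datetime(2026, 6, 10, 9), "exploit_known": False, "applied": None},
]
NOW = datetime(2026, 6, 15, 12)   # constructed "now"


def overdue_hosts(rows=TRACKER, now=NOW):
    """The list that goes on the whiteboard: what is past its window and by how much."""
    return [(x["host"], x["patch"], x["hours_past_due"])
            for x in assess(rows, now) if x["status"] == "overdue"]


if __name__ == "__main__":
    for x in assess(TRACKER, NOW):
        print(f'{x["host"]:10} {x["patch"]:28} {x["status"]:8} due {x["due"]:%Y-%m-%d %H:%M}  {x["hours_past_due"]:+d}h')
```

On the constructed rows the exploited internet-facing fix on web01 shows as overdue by 291 hours: the 48-hour window closed on 3 June and nothing has been applied. That is the row a regulator or insurer would ask about first.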
4. Back up - and test the restore
Backups are your last line against ransomware, hardware failure, and human error. The catch most businesses learn the hard way: a backup you've never restored from is a hope, not a backup.
What to do. Follow the 3-2-1 principle - three copies of your data, on two different media, with one kept off-site (or in a separate cloud account). Crucially, at least one copy should be offline or immutable so ransomware can't encrypt your backups along with everything else. Then schedule a real restore test, because the only way to know a backup works is to recover from it.
Why it matters. "Regular backups" is the eighth Essential Eight strategy, and tested, isolated backups are what turn a ransomware incident from an existential event into an expensive inconvenience. Recoverability is also where the Cyber Security Act 2024's ransomware-reporting reality bites: the better your backups, the less pressure to even consider a payment.
Roughly what it costs. Varies with data volume - the cost is storage plus a backup tool, and ranges from near-free for a small cloud-first business using built-in versioning to a meaningful monthly line item at larger data sizes. The discipline of testing restores is free; not doing it is what's expensive.
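The restore test is the part people skip, so here is one that runs end to end on its own. This is an added example, not code from the page or any backup vendor: it backs up a constructed set of files to an archive plus a hash manifest, restores into a fresh directory, and checks every file against the manifest; the tamper step at the end shows what a failed restore looks like. File names and contents are made up.

```python
"""Backup-and-restore drill with integrity verification.

Added example, not from the page. Everything happens in a temporary directory
with constructed files; point backup()/restore()/verify_restore() at real paths
for an actual drill.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of src and a manifest beside it; return the manifest."""
    manifest = make_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:                 # manifest keys are the relative paths
            tar.add(src / rel, arcname=rel)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(archive: Path, dest: Path) -> None:
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")   # refuses path traversal (Python 3.12+, backported)
        except TypeError:                          # older Python without the filter argument
            tar.extractall(dest)


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare the restored tree against the manifest taken at backup time."""
    found = make_manifest(restored)
    missing = sorted(k for k in manifest if k not in found)
    mismatched = sorted(k for k in manifest if k in found and found[k] != manifest[k])
    extra = sorted(k for k in found if k not in manifest)
    return {"ok": not (missing or mismatched), "missing": missing,
            "mismatched": mismatched, "extra": extra, "files_checked": len(manifest)}


def run_restore_test() -> tuple:
    """Return (clean_report, tampered_report) from one drill on constructed data."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        for rel, text in {"docs/contract.txt": "signed 2026-06-01\n",
                          "finance/invoices.csv": "id,amount\n1,4200.00\n",
                          "notes.txt": "restore drill sample\n"}.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_text(text)
        archive = tmp / "offsite" / "backup.tar.gz"   # stands in for the off-site copy
        archive.parent.mkdir()
        manifest = backup(src, archive)

        restored = tmp / "restore-test"
        restore(archive, restored)
        clean = verify_restore(manifest, restored)

        # Simulate a silently corrupted restore (bit rot, partial copy, wrong version).
        (restored / "finance/invoices.csv").write_text("id,amount\n1,4200.00\n2,0.01\n")
        tampered = verify_restore(manifest, restored)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_restore_test()
    print("clean restore:", clean)
    print("tampered restore:", tampered)
```

The manifest is the point: a restore that "completes" but yields different bytes is the failure mode a simple "did the job finish?" check misses. Keep the manifest with the off-site copy, not only on the machine being backed up.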
5. Stop using administrator accounts for daily work
When an everyday account also has administrator rights, any malware or attacker who lands on it inherits the keys to everything. Separating the two is free and dramatically limits the blast radius of a single compromise.
What to do. Give people standard (non-admin) accounts for daily work - email, browsing, documents. Where someone genuinely needs admin rights, that should be a separate account used only for admin tasks. Remove local-administrator rights from regular user laptops, and review who holds privileged access regularly, removing anyone who no longer needs it.
Why it matters. "Restrict administrative privileges" is an Essential Eight strategy and a core least-privilege principle in every framework. It's one of the cheapest ways to stop a routine malware infection or phished login from becoming a full domain compromise.
Roughly what it costs. Free - it's a configuration and process change, not a purchase. The cost is a modest amount of friction (admins running a second account) and the discipline to keep the privileged list short.
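Steps 1, 2 and 5 all come down to the same review: compare what the identity provider says against what the business says, and act on the gaps. The script below is an added example, not code from the page: it takes an exported account list and an HR leaver list (both constructed here; the field names are assumptions about an Entra ID or Google Workspace export) and flags leavers still enabled, privileged accounts without MFA, admin rights sitting on daily-use accounts, and accounts nobody has used.

```python
"""Access review over an exported account list and an HR leaver list.

Added example for steps 1, 2 and 5, not code from the page. The rows below are
constructed; in practice they come from an identity-provider export and the HR
system. Field names are assumptions.
"""
from datetime import date

TODAY = date(2026, 6, 15)   # constructed "now"
STALE_DAYS = 90             # assumption: treat 90 days without sign-in as stale

# Constructed sample export. "mailbox" marks a daily-use account (email/docs);
# an admin flag on such an account is exactly the pattern step 5 removes.
ACCOUNTS = [
    {"user": "alice@example.com",      "enabled": True, "admin": False, "mfa": True,  "mailbox": True,  "last_sign_in": date(2026, 6, 14)},
    {"user": "bob@example.com",        "enabled": True, "admin": True,  "mfa": False, "mailbox": True,  "last_sign_in": date(2026, 6, 12)},
    {"user": "carol@example.com",      "enabled": True, "admin": False, "mfa": True,  "mailbox": True,  "last_sign_in": date(2026, 1, 15)},
    {"user": "dave@example.com",       "enabled": True, "admin": True,  "mfa": True,  "mailbox": True,  "last_sign_in": date(2026, 6, 13)},
    {"user": "adm-dave@example.com",   "enabled": True, "admin": True,  "mfa": True,  "mailbox": False, "last_sign_in": date(2026, 6, 10)},
    {"user": "svc-backup@example.com", "enabled": True, "admin": True,  "mfa": False, "mailbox": False, "last_sign_in": None},
]
LEAVERS = {"carol@example.com"}   # constructed HR leaver list


def review(accounts, leavers, today=TODAY, stale_days=STALE_DAYS):
    """Return (user, issue) pairs. Each rule maps to a step on the page."""
    findings = []
    for a in accounts:
        user, last = a["user"], a["last_sign_in"]
        if not a["enabled"]:
            continue                          # disabled accounts are already handled
        if user in leavers:
            findings.append((user, "leaver still enabled; disable now"))                      # step 1
        if a["admin"] and not a["mfa"]:
            findings.append((user, "privileged account without MFA"))                        # step 2
        if a["admin"] and a["mailbox"]:
            findings.append((user, "admin rights on a daily-use account; use a separate admin account"))  # step 5
        if last is None:
            findings.append((user, "enabled but never signed in"))
        elif (today - last).days > stale_days:
            findings.append((user, f"no sign-in for over {stale_days} days; confirm still needed"))
    return findings


def privileged_list(accounts):
    """The short list someone should be able to read aloud: who holds admin rights."""
    return sorted(a["user"] for a in accounts if a["enabled"] and a["admin"])


if __name__ == "__main__":
    for user, issue in review(ACCOUNTS, LEAVERS):
        print(f"{user:28} {issue}")
    print("privileged:", ", ".join(privileged_list(ACCOUNTS)))
```

Note what the sample catches that a glance at the user list would not: dave has a proper separate admin account but his daily account still carries admin rights too, and the backup service account is privileged, has no MFA, and has never signed in. Run it on the real export on the same calendar reminder that keeps the inventory honest.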
6. Harden the obvious soft spots
Two of the most common malware delivery routes are malicious Office macros and over-permissive browsers. Both are closed with configuration you already own.
What to do. Block macros in files that arrive from the internet, and only allow macros where there's a demonstrated business need - Microsoft already blocks internet-sourced macros by default in current Office, so the task is largely "don't undo that", and to set the block as policy so a user can't bypass it by unblocking the file in its properties. Harden web browsers and PDF readers by disabling unneeded plugins and legacy features, and remove software you don't use. These two steps are the Essential Eight strategies "configure Microsoft Office macro settings" and "user application hardening."
Why it matters. Macros and vulnerable browser plugins are classic initial-access vectors. Turning them off removes a large slice of commodity attacks for no licensing cost and little ongoing effort.
Roughly what it costs. Free. This is policy and configuration - applied through the management tools built into Microsoft 365, Windows, or your device-management platform. The cost is the time to set the policy and handle the occasional legitimate macro exception.
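Before enforcing the block, it helps to know where macros are actually in use so the legitimate exceptions are found on purpose rather than by complaint. The scanner below is an added example, not code from the page or from Microsoft: it relies on the fact that Open XML Office files are zip containers in which a VBA project is stored as a vbaProject.bin part and declared in [Content_Types].xml. The files it scans are constructed stubs in a temporary directory (enough structure for the checks, not real documents); point scan_tree() at a file share for a real inventory. Mark-of-the-Web is a Windows file attribute and is not checked here.

```python
"""Find macro-enabled Office files before enforcing the macro block.

Added example, not from the page. Open XML Office files are zip containers; a
VBA project lives in a vbaProject.bin part (word/, xl/ or ppt/) and is declared
in [Content_Types].xml with the vnd.ms-office.vbaProject content type.
"""
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

OFFICE_ZIP_EXT = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm", ".potm"}
LEGACY_EXT = {".doc", ".xls", ".ppt", ".dot", ".xlt", ".pot"}   # binary (OLE) formats, always macro-capable
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def has_vba(path: Path) -> Optional[bool]:
    """True/False for Open XML containers, None if the file is not a valid zip."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in z.read("[Content_Types].xml"):
            return True
    return False


def scan_tree(root: Path) -> list:
    """Return (relative path, finding) for every file worth a second look."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        ext = p.suffix.lower()
        rel = p.relative_to(root).as_posix()
        if ext in LEGACY_EXT:
            findings.append((rel, "legacy binary format; may carry macros, convert or review"))
        elif ext in OFFICE_ZIP_EXT:
            vba = has_vba(p)
            if vba is None:
                findings.append((rel, "Office extension but not a valid container"))
            elif vba and ext.endswith("m"):
                findings.append((rel, "macro-enabled file; confirm business need"))
            elif vba:
                findings.append((rel, "VBA project under a non-macro extension; review"))
    return findings


def _write_stub(path: Path, with_vba: bool, part_prefix: str = "word") -> None:
    """Constructed minimal container: enough structure for the checks above, not a real document."""
    override = (b'<Override PartName="/%s/vbaProject.bin" ContentType="%s"/>'
                % (part_prefix.encode(), VBA_CONTENT_TYPE)) if with_vba else b""
    ct = (b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          b'<Default Extension="xml" ContentType="application/xml"/>' + override + b"</Types>")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr(f"{part_prefix}/document.xml", "<w:document/>")
        if with_vba:
            z.writestr(f"{part_prefix}/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed-vba-stub")


def demo() -> list:
    """Build constructed files in a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        _write_stub(root / "policy.docx", with_vba=False)
        _write_stub(root / "finance" / "quote-template.docm", with_vba=True)
        _write_stub(root / "finance" / "rates.xlsx", with_vba=True, part_prefix="xl")  # VBA under a .xlsx name
        (root / "finance" / "old-budget.xls").write_bytes(b"\xd0\xcf\x11\xe0constructed")
        (root / "broken.docx").write_bytes(b"not a zip")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel:30} {finding}")
```

The output is the exception list for the macro policy: the .docm template in finance is the one to keep (scoped to a trusted location), the legacy .xls is a candidate for conversion, and anything with a VBA part under a plain .docx or .xlsx name deserves a look.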
7. Defend the inbox
Email is how most attacks begin - phishing for credentials, and business email compromise that redirects a real payment to an attacker's account. A layer of email authentication plus basic awareness closes a lot of it.
What to do. Publish the three email-authentication records for your domain - SPF, DKIM, and DMARC - so others can detect and reject mail that spoofs you, and so your own mail is trusted. Start DMARC at p=none with a reporting address to see who is sending as you, then move to quarantine and finally reject once the reports show only your legitimate senders. Turn on the anti-phishing and anti-spoofing protections in your mail platform. Then run short, regular security-awareness training so staff can recognise phishing and, critically, know to verify any change of bank details through a second channel.
Why it matters. Business email compromise and invoice fraud are among the costliest incidents for small businesses - especially in sectors like construction, where large supplier payments move regularly and a redirected invoice can cost six figures in one transaction. Awareness and email authentication are the controls that catch it. Staff training is also an explicit ISO 27001 control.
Roughly what it costs. The DNS records (SPF/DKIM/DMARC) are free to publish; DMARC monitoring services have free tiers and paid options as you scale. The platform anti-phishing settings are included in your mail subscription. Awareness training ranges from free internal sessions to a modest per-user-per-year cost for a managed platform.
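Publishing the records is easy; publishing ones that actually do something is where small businesses slip (a permissive SPF, a DMARC that only monitors, an empty DKIM key). The checker below is an added example, not code from the page or from any DMARC service: it works on TXT record strings so it runs offline, and the two record sets for example.com are constructed (the DKIM key value is a placeholder, not a real key; the selector name is an assumption). For a live domain, fetch the TXT records first (for instance with dnspython's dns.resolver.resolve(name, "TXT")) and pass them in.

```python
"""Check SPF, DKIM and DMARC records for the weaknesses that defeat their purpose.

Added example, not from the page. Works on TXT strings; the record sets at the
bottom are constructed, including the placeholder DKIM key.
"""
import re


def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("SPF", "no v=spf1 record; receivers cannot tell your mail from forged mail")]
    out = []
    if len(spf) > 1:
        out.append(("SPF", "more than one v=spf1 record; receivers treat this as a permanent error"))
    terms = spf[0].split()[1:]
    last = terms[-1] if terms else ""
    if last.lstrip("+") == "all":
        out.append(("SPF", "'+all' authorises every sender; end with -all (or ~all while tuning)"))
    elif not (last in ("-all", "~all", "?all") or any(t.startswith("redirect=") for t in terms)):
        out.append(("SPF", "no terminating 'all' mechanism; unlisted senders are left undecided"))
    lookups = 0
    for t in terms:
        m = t.lstrip("+-~?")                     # strip the qualifier
        if m.startswith(("include:", "exists:", "redirect=", "a:", "mx:", "ptr:")) or m in ("a", "mx", "ptr"):
            lookups += 1
    if lookups > 10:
        out.append(("SPF", f"{lookups} DNS-lookup mechanisms; the limit is 10, beyond that SPF fails outright"))
    return out


def check_dmarc(txt_records):
    rec = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not rec:
        return [("DMARC", "no _dmarc record; receivers have no policy for spoofed mail")]
    tags = {}
    for kv in rec[0].split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    out = []
    p = tags.get("p")
    if p is None:
        out.append(("DMARC", "missing p= tag; record is invalid"))
    elif p.lower() == "none":
        out.append(("DMARC", "p=none only monitors; move to quarantine, then reject, once reports look clean"))
    if "rua" not in tags:
        out.append(("DMARC", "no rua= address; you will never see who is spoofing you"))
    if tags.get("pct", "100") != "100":
        out.append(("DMARC", f"pct={tags['pct']} applies the policy to only part of the mail"))
    return out


def check_dkim(txt_records):
    rec = [r for r in txt_records if "p=" in r.replace(" ", "")]
    if not rec:
        return [("DKIM", "no DKIM key published for the selector")]
    m = re.search(r"\bp=([^;]*)", rec[0].replace(" ", ""))
    if not m or not m.group(1):
        return [("DKIM", "empty p= tag; the key is revoked, signatures will fail")]
    return []


def audit(domain, records):
    """records: DNS name -> list of TXT strings. The selector name is an assumption."""
    return (check_spf(records.get(domain, []))
            + check_dkim(records.get(f"selector1._domainkey.{domain}", []))
            + check_dmarc(records.get(f"_dmarc.{domain}", [])))


# Constructed record sets for example.com: the weak starting point and the fixed one.
WEAK = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p="],
}
FIXED = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEYDATA"],   # placeholder, not a real key
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit("example.com", recs) or "no findings")
```

The weak set is a common real-world shape: an SPF that someone ended with +all "to stop the bounces", a DMARC record that exists but only monitors and reports to nobody, and a DKIM selector whose key was cleared. Each one passes a "do we have the record?" checkbox and fails the purpose of the control.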
One step that comes later: application control
The one Essential Eight strategy not covered above - application control (allowing only approved software to run) - is genuinely powerful but harder to implement well, and it's where small businesses most often stumble. It belongs on the roadmap rather than in day one of Foundation; you'll climb into it as you move up the maturity levels in later stages. Getting the seven steps above solid first is the right order.
Where this maps
Every step above ties to a recognised control. Here it is in one place - the answer to "is this just your opinion?" It isn't; it's the baseline three frameworks already agree on.
| Foundation step | ASD Essential Eight | ISO 27001:2022 Annex A | NIST CSF 2.0 |
|---|---|---|---|
| 1. Know what you own | Assumed prerequisite | A.5.9 Inventory of assets | ID.AM Asset Management |
| 2. MFA everywhere | Multi-factor authentication | A.8.5 Secure authentication | PR.AA Identity & Access |
| 3. Patch OS & apps | Patch applications; Patch operating systems | A.8.8 Technical vulnerabilities | ID.RA; PR.PS Platform Security |
| 4. Tested backups | Regular backups | A.8.13 Information backup | PR.DS; RC.RP Recovery |
| 5. Restrict admin rights | Restrict administrative privileges | A.8.2 Privileged access rights | PR.AA-05 Least privilege |
| 6. Harden macros & apps | Configure Office macros; User application hardening | A.8.7 Malware; A.8.19 Software on systems | PR.PS Platform Security |
| 7. Defend the inbox | (Supports the above) | A.6.3 Awareness; A.8.7 Malware | PR.AT Awareness & Training |
| Later: application control | Application control | A.8.19 Software on systems | PR.PS Platform Security |
Doing this with help. Everything in Foundation is achievable in-house, and this guide is meant to let you do exactly that. If you'd rather have it assessed, prioritised, and implemented with you - and carried up through the later stages - that's the virtual CISO engagement: the same method, delivered alongside you.