Free course · Australian small business

Cyber Essentials for Small Business

Protect your business in an afternoon — no jargon, no IT degree required. Six short lessons on the handful of habits that stop the attacks that actually happen.

6 lessons ~40 minutes Self-paced Free

Start the free course It's free — get instant access →

What you'll be able to do

✓Recognise the small set of attacks that actually hit businesses like yours.
✓Set up the five protections that stop the large majority of them.
✓Know exactly what to do in the first hour if something goes wrong.

Free instant access

Get the free course

Tell us where to send it and you'll get instant access on this page — plus a copy of the link by email so you can pick it up any time.

🔑 Passwords🛡️ Two-step login🔄 Updates💾 Backups🎣 Scam-spotting🚨 Incident plan

Course contents

Strong passwords & passphrases~6 min
Multi-factor authentication~5 min
Keep everything updated~5 min
Back up your data~6 min
Spot the scam: phishing & AI cons~8 min
When something goes wrong~7 min

Before we start

Why a business like yours is a target

There's a comforting myth that cybercriminals only go after big companies. The opposite is true — small businesses are often the preferred target.

You have what they want, with fewer guards. You hold money, customer data and bank access — but rarely a dedicated security team. That's an attractive trade-off for an attacker.
Most attacks are automated. Criminals don't hand-pick you. Software scans the whole internet for the weak and the unpatched. Your size is irrelevant; your exposure isn't.
It's usually a con, not "hacking." Forget the hooded figure in the dark. The real threats are a fake invoice, a login page that looks exactly like your bank's, or a password you reused on a site that was breached years ago.
The damage is more than money. It's downtime, the cost of recovery, legal obligations, and customer trust that takes years to rebuild.

The good news: you don't need to be a fortress. You need to be a harder target than the business next door. A few basic locks send automated attackers off to easier prey — and that's most of the battle. This course gives you those locks, one lesson at a time.

Lesson 01

Strong passwords & passphrases 🔑

The problem

When a website is breached, the stolen passwords end up on lists that criminals feed into software. That software tries the same email-and-password combinations on hundreds of other sites — your email, your accounting tool, your bank. If you reuse passwords, one old breach unlocks your whole business. It's called credential stuffing, and it's one of the most common ways small businesses get hit.

What to do

Use passphrases, not passwords. Four or more random words — purple-stapler-river-cloud — are far harder for a computer to crack than P@ssw0rd1, and far easier to remember. Length beats complexity.
Never reuse one. Every important account gets its own unique passphrase.
Use a password manager. It generates, stores and fills strong passwords, so you only memorise one master passphrase. This is the single biggest time-saver in security.
Change the defaults. New routers, cameras and devices often ship with a public default password like admin. Change it immediately.

🎯

Quick win · 5 minutes

Install a password manager and move your five most important accounts into it: business email, online banking, accounting software, your website/domain login, and your main social media account.

Check Why is reusing the same password across sites dangerous?Show answer

If any one of those sites is breached, criminals can take that stolen password and use it to log in to all the others — turning one leak into many.

Lesson 02

Multi-factor authentication (MFA) 🛡️

The problem

A password can be stolen, guessed or phished. When that happens, it's the only thing between a criminal and your account. MFA adds a second lock — so a stolen password alone isn't enough to get in.

What to do

Turn on MFA everywhere it's offered — starting with the accounts that matter most: email first, then banking, accounting, payroll and social media.
Why email first? Your inbox is the master key. Anyone in it can click "forgot password" on every other service and reset their way in. Lock the inbox and you protect the rest.
1. Passkeys — newest and phishing-resistant. Use these wherever they're offered.
2. An authenticator app (e.g. Microsoft or Google Authenticator) — generates a rotating code.
3. SMS codes — better than nothing, but the weakest option, because phone numbers can be hijacked. Use only if it's the sole choice.

🎯

Quick win · 5 minutes

Enable MFA on your main business email account right now. Then do your accounting software next.

Check If a criminal steals your password but you have MFA on, can they get in?Show answer

Not easily — they'd also need your second factor (your phone, app code or passkey), which they don't have. The stolen password alone is a dead end.

Lesson 03

Keep everything updated 🔄

The problem

All software has flaws. When one is discovered, the maker releases an update to fix it — but that same announcement tells criminals exactly where the hole is. They then run automated tools to find anyone who hasn't updated. Old, unpatched software is one of the easiest ways in.

What to do

Turn on automatic updates for everything: your computer's operating system, your phone, your web browser and your apps.
Don't ignore the restart. Many updates only finish after a restart. "Remind me tomorrow" for two weeks leaves you exposed the whole time.
Update your router and devices too. Routers, cameras and other connected gear get firmware updates — check the device's app or settings.
Retire anything "end of life." If a product no longer receives updates, it can never be patched again. Plan to replace it.

🎯

Quick win · 5 minutes

Switch on automatic updates on your computer and your phone today.

Check Why is outdated software risky even if "it still works fine"?Show answer

Known flaws in old versions are publicly documented, and criminals actively scan for and exploit anyone who hasn't installed the fix. "Working fine" and "safe" aren't the same thing.

Lesson 04

Back up your data 💾

The problem

Ransomware locks your files and demands payment. A laptop is stolen or dropped. A staff member deletes the wrong folder. In every case the question is the same: can you get your data back? If your only copy is gone, the answer is no — and for many small businesses that's fatal.

What to do — the 3-2-1 rule

3 copies of anything important.
2 different types of storage (e.g. your computer + a cloud service, or + an external drive).
1 copy kept offsite or offline — somewhere a problem on your main system can't reach. An offline copy is your insurance against ransomware, because malware can't encrypt a drive that isn't plugged in.
Automate it. A backup you have to remember to run is a backup that won't happen. Use a service that runs on a schedule.
Test a restore. A backup you've never restored from is a guess, not a safety net. Once a quarter, recover a file to confirm it works.

🎯

Quick win · 10 minutes

Set up automatic cloud backup for your critical files (OneDrive, Google Drive, Dropbox or a dedicated backup service), and make one copy onto an external drive that you then unplug.

Check Why should at least one backup be kept offline?Show answer

So ransomware or an attack on your main system can't reach and encrypt it. An unplugged copy is your guaranteed clean version to restore from.

Lesson 05

Spot the scam: phishing & AI cons 🎣

The problem

This is how most small businesses are actually hit. Instead of breaking in, the criminal tricks a person into letting them in — a fake email, a text pretending to be the bank, an "urgent" message from the "boss." The most expensive version is business email compromise, where a scammer poses as a supplier or executive and gets an invoice paid into the wrong account.

And it's getting harder to spot. Scammers now use AI to write flawless, personalised messages — the old giveaways of bad spelling and clumsy grammar are gone. AI can even clone a voice from a few seconds of audio, so a phone call "from the boss" may not be real. The lesson: trust your process, not how polished or convincing a message looks.

Red flags to teach everyone

Urgency and pressure — "Pay this in the next hour or we lose the contract."
A change to bank or payment details — treat every such request as suspicious until verified.
Unexpected links or attachments — especially invoices, "delivery" notices and login prompts.
A sender address that's slightly off — accounts@yoursuppl1er.com instead of the real domain.
A request to break the normal rules — "skip the usual sign-off, just do it."

What to do

Verify out-of-band. For any payment or change of bank details, call the person on a number you already have (never the one in the email) and confirm. This one habit stops the most costly attacks.
Slow down. Urgency is the scammer's main weapon. Pausing to check is almost always free.
Hover before you click. Check where a link really goes; when in doubt, type the website address yourself instead.
Make it a team rule, not a personal skill — so it doesn't depend on one person being sharp on a busy day.

🎯

Quick win · 5 minutes

Put a "call to confirm" rule in writing: any invoice or change to bank details must be verified by phone, to a known number, before payment.

Check A supplier emails that their bank account has changed — pay the new one. What do you do?Show answer

Don't pay yet. Call the supplier on a number you already have on file (not one from the email) and confirm the change is genuine before sending a cent.

Lesson 06

When something goes wrong 🚨

The problem

In the panic of a real incident, people freeze or make things worse. A simple plan written now means you act fast and calmly later — and speed limits the damage.

The first hour — in order

Isolate it. Disconnect the affected device from the internet and your network (unplug the cable / turn off Wi-Fi) to stop anything spreading. Leave it switched on if you can.
Change passwords from a different, clean device. Start with email, then banking and anything sensitive. Turn on MFA if it wasn't already.
Call your bank immediately if money moved or financial details were exposed — they may be able to stop or reverse a transfer.
Get expert help. Call IDCARE, Australia's free identity & cyber support service, on 1800 595 160.
Report it. Lodge a report at cyber.gov.au (ReportCyber). For scams, also alert Scamwatch.
Tell affected people. If customer or staff data was exposed you may have a legal duty to notify them and the regulator. Be honest and prompt — it protects them and your reputation.

Your one-page incident plan

Fill this in now, print it, and keep a copy offline where you can find it without a working computer.

IF WE SUSPECT A CYBER INCIDENT, IN ORDER:
  1. Isolate the affected device (disconnect from internet/network).
  2. From a clean device, change passwords — email first, then banking.
  3. Call the bank if money/financial data is involved.
  4. Call IDCARE: 1800 595 160
  5. Report at cyber.gov.au   |   Scams: scamwatch.gov.au
  6. Notify affected customers/staff if their data was exposed.

KEY CONTACTS
  Person leading our response: __________________  Phone: __________
  Our bank (fraud line):       __________________  Phone: __________
  Our IT support:              __________________  Phone: __________
  IDCARE:                      1800 595 160

OUR BACKUPS
  Where they are: _______________________________________________
  How to restore: _______________________________________________
  Last tested on: _______________________________________________

ACCOUNTS WITH MFA ENABLED
  [ ] Email   [ ] Banking   [ ] Accounting   [ ] Payroll   [ ] Social

🎯

Quick win · 10 minutes

Fill in the plan above and pin it somewhere the whole team can find it.

Put it into practice

Your 30-minute action checklist

Tick these off and you're ahead of most small businesses in the country. Your progress is saved on this device.

Your progress 0 / 6

Install a password manager and move your 5 key accounts into it. Turn on MFA — email first, then banking and accounting. Switch on automatic updates on your computer and phone. Set up automatic backups (cloud + one offline copy) and note where they are. Write down the "call to confirm" rule for invoices and bank-detail changes. Fill in your one-page incident plan and pin it up.

For the keen

How this maps to the official standard

These five habits aren't arbitrary — they're the foundation of the Australian Government's Essential Eight mitigation strategies, published by the Australian Cyber Security Centre (ACSC). Once the basics here are in place, the natural next steps are restricting who has administrator access, controlling which applications can run, and hardening your settings. When you're ready to level up, that's the roadmap.

Free, official resources

Australian Cyber Security Centre — small business cyber security guidance and the Essential Eight.
Scamwatch — report scams and see the latest ones doing the rounds.
IDCARE — free identity & cyber support · 1800 595 160.
ReportCyber — report a cybercrime to police.

From the team at Helexian AI

Want a hand putting this in place?

We help Australian small businesses adopt AI safely — with the cyber and privacy guardrails built in from day one. If you'd like the basics set up properly, or you're weighing up AI and want to do it without getting something badly wrong, start with a free, no-obligation chat.

Book a free AI Opportunity Audit