Introduction
Most cybersecurity advice assumes you have a security team. You have a CISO, analysts, and engineers who handle this. But what if you are the CEO, COO, or IT manager of a business with 20 to 200 employees, doing your best with limited resources and no dedicated security staff?
The good news: you do not need a security team to build a credible, effective cybersecurity strategy. You need a clear framework, the right priorities, and the discipline to execute.
Start With a Threat Reality Check
The first mistake most small businesses make is assuming they are not a target. The reality in Australia is different. The ACSC's annual cyber threat reports consistently show that small and medium businesses bear a disproportionate share of opportunistic attacks: ransomware, business email compromise, credential theft, and invoice fraud.
You do not need to defend against nation-state actors. You need to stop opportunistic, financially motivated criminals who look for the easiest target. That changes what you prioritize.
Step 1: Know What You Are Protecting
Every effective strategy starts with an asset inventory. Ask:
• What data does your business collect, store, and process? (Customer PII, payment data, health records, intellectual property)
• What systems would stop your business if they went down? (Email, accounting software, customer database, production systems)
• Who has access to what, and from where?
• What third-party services or cloud platforms does your business rely on?
You do not need expensive tools to do this. A well-structured spreadsheet, with a row per system or data set and columns for owner, location, sensitivity, who can access it and how it is backed up, is sufficient for most businesses under 200 employees. The act of documenting forces clarity, and the gaps you cannot fill in are your first findings.
Step 2: Assess Your Current Controls Against the Essential Eight
Australia's Essential Eight framework, published by the ACSC, is your starting point. It defines eight baseline mitigation strategies that, when implemented, make it significantly harder for adversaries to compromise your systems:
1. Application control — prevent unapproved software from running
2. Patch applications — keep software updated
3. Configure Microsoft Office macro settings — block malicious macros
4. User application hardening — protect browsers and PDF readers
5. Restrict administrative privileges — limit who has admin access
6. Patch operating systems — keep OS current
7. Multi-factor authentication (MFA) — require it everywhere
8. Regular backups — and test them
Rate yourself honestly against each control. The Essential Eight Maturity Model pitches Maturity Level 1 at adversaries using commodity tools and techniques, which is exactly the opportunistic threat profile described above, and most businesses can reach it within 3 to 6 months without a security team. Note that the ACSC recommends reaching the same maturity level across all eight strategies before moving higher, so plan to bring every control up rather than only the convenient ones. MFA and timely patching alone close off the two footholds opportunistic attackers rely on most: stolen passwords and unpatched internet-facing systems.
Step 3: Define Your Risk Appetite
Every business has a different risk tolerance. A healthcare provider holding patient records has a very different risk appetite to a boutique consultancy. Your strategy should reflect what risks you are willing to accept, manage, or transfer.
Risk transfer is where cyber insurance comes in. But do not mistake insurance for a security strategy — insurers are increasingly requiring demonstrable controls before issuing policies, and exclusions are widening. Insurance sits on top of a security baseline, not in place of one.
Step 4: Build a 12-Month Security Roadmap
Structure your roadmap across three horizons:
First 90 Days — Stop the Bleeding
• Enable MFA on every account that can reach your data (email, cloud services, VPN and other remote access), starting with administrator accounts
• Audit administrative privileges and remove any that are not needed for someone's current role; day-to-day work should happen in non-admin accounts
• Patch operating systems and applications, turning on automatic updates where you can and prioritising internet-facing systems
• Implement automated backups, keep at least one copy offline or otherwise out of reach of a compromised account, and prove they work by restoring from them
• Deploy endpoint protection across all devices
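The backup item above only counts as done once a restore has been proven. The following shell script is an added example and not part of the original article: it backs up a constructed sample directory with tar, restores the archive into a scratch directory, and compares every file's checksum against the original, so a truncated, corrupted or stale archive fails the check instead of passing silently. All paths, function names and sample files are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): back up a directory with tar,
# then prove the backup by restoring it and comparing every file's checksum.
# All paths and the sample data below are constructed for illustration.

# checksum_tree DIR: one sorted line per regular file, "crc size ./path"
checksum_tree() {
  ( cd "$1" && find . -type f -exec cksum {} \; | sort )
}

# backup_dir SRC ARCHIVE: archive the contents of SRC into ARCHIVE
backup_dir() {
  tar -C "$1" -cf "$2" .
}

# verify_backup SRC ARCHIVE: restore ARCHIVE into a scratch directory and compare
# it with SRC. Returns 0 only when every file restores byte-identical; an
# unreadable, truncated, corrupted or stale archive returns 1.
verify_backup() {
  src="$1"; archive="$2"
  work=$(mktemp -d) || return 1
  mkdir "$work/restore"
  rc=1
  if tar -C "$work/restore" -xf "$archive" 2>/dev/null; then
    checksum_tree "$src" > "$work/orig.sum"
    checksum_tree "$work/restore" > "$work/restore.sum"
    cmp -s "$work/orig.sum" "$work/restore.sum" && rc=0
  fi
  rm -rf "$work"
  return $rc
}

# make_sample_data DIR: constructed stand-in for a small business file share
make_sample_data() {
  mkdir -p "$1/finance" "$1/customers"
  printf 'invoice,amount\nINV-0001,1200.00\n' > "$1/finance/invoices.csv"
  printf 'id,name\n1,Example Customer Pty Ltd\n' > "$1/customers/list.csv"
  printf 'Constructed sample document for the backup test.\n' > "$1/readme.txt"
}

# corrupt_archive ARCHIVE: zero 16 bytes at offset 1024 to simulate silent media
# corruption. Whichever tar entry those bytes land in, the restore either errors
# out or yields a file whose checksum no longer matches the original.
corrupt_archive() {
  dd if=/dev/zero of="$1" bs=1 seek=1024 count=16 conv=notrunc 2>/dev/null
}

# report LABEL SRC ARCHIVE: print a one-line verdict, the kind of line you
# would write to a log and alert on
report() {
  if verify_backup "$2" "$3"; then
    echo "$1: restore verified"
  else
    echo "$1: VERIFY FAILED - do not trust this backup"
  fi
}

# Demo run on constructed data (hypothetical paths)
DEMO=$(mktemp -d)
make_sample_data "$DEMO/data"
backup_dir "$DEMO/data" "$DEMO/nightly.tar"
report "nightly.tar" "$DEMO/data" "$DEMO/nightly.tar"
cp "$DEMO/nightly.tar" "$DEMO/damaged.tar"
corrupt_archive "$DEMO/damaged.tar"
report "damaged.tar" "$DEMO/data" "$DEMO/damaged.tar"
rm -rf "$DEMO"
```

Run something like this on a schedule against the real backup target, log the verdict, and treat a failed verification as an incident rather than a warning to look at later. The same principle applies to cloud or SaaS backup products: the test is a completed restore, not a green tick in the console.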
Months 4–6 — Build the Foundation
• Document your incident response procedure (even a one-page plan is better than none)
• Complete a data mapping exercise — know where your sensitive data lives
• Review your vendor and third-party access — remove what is no longer needed
• Train your team on phishing and invoice-fraud awareness, and make it easy to report a suspicious email without blame
Months 7–12 — Mature and Govern
• Establish a simple cyber risk register and review it quarterly
• Engage a vCISO or security consultant for a structured gap assessment
• Define your security policies (acceptable use, password policy, incident response)
• Prepare for compliance requirements relevant to your industry
Step 5: Know When to Get Help
Building a strategy without a security team is entirely possible — and this framework gives you a solid foundation. But there are moments when external expertise is not optional:
• Before bidding on a government or enterprise contract that requires security accreditation
• After experiencing a security incident
• When preparing for ISO 27001, SOC 2, or Essential Eight assessment
• When your data handling obligations change (new customer types, new markets, new products)
At these inflection points, a vCISO or advisory engagement can compress months of work into weeks and ensure you are solving the right problems in the right order.
The Bottom Line
A cybersecurity strategy is not a technology project. It is a business decision about how much risk you are willing to carry, what controls you will invest in, and what your plan is when things go wrong. The businesses that get this right are not necessarily the ones with the biggest security budgets — they are the ones who started thinking clearly about it earlier than everyone else.