The 3 biggest cyber mistakes I see small businesses make (And how to avoid them)

[Image: a painter painted into a corner, symbolic of a cyber mistake. Adobe Stock]

If there’s one thing I’ve learned as the Managing Director of an IT company for the last 14 years, it’s this: small and medium businesses are just as likely, if not more likely, to be targeted by cybercriminals as the big guys.

Unfortunately, many small and medium businesses still operate under the assumption that cyber attacks are someone else’s problem. “We’re too small to be a target,” they say. Or, “We’ve got antivirus, so we’re covered.” I hear it all the time, and I’ve also seen the fallout when those assumptions don’t hold up.

At Computer Technology Corporation (CTC), we work with a wide range of Australian businesses across industries. And while each business is different, the most common cyber security mistakes they make tend to be eerily similar. Thankfully, these mistakes are easy to fix if you know what to look for and how to prepare yourself.

3 cyber security problems and how to fix them

1. Thinking technology alone will save you

If you only take away one thing from this article, let it be this. Your people are your first and strongest line of defence against cyber attacks. Firewalls, antivirus and endpoint protection are all extremely important, but they’re not bulletproof.


The vast majority of cyber attacks today don’t start with a technical breach; they start with a human one. Phishing emails, social engineering scams and fraudulent links prey on human behaviour: curiosity, urgency, trust. One wrong click, or one password typed into a convincing fake login page, and a bad actor is inside your systems.

That’s why we don’t just deploy tech, we build what I call the “human firewall.” We run regular security awareness training with our team, including simulated phishing campaigns and practical training sessions about things like password hygiene, social engineering red flags, and what to do if something feels off. We build a workplace culture where it’s okay to ask, double-check, or flag something that looks suspicious, and where reporting a click you regret is praised rather than punished, because the sooner we hear about it the less damage it does. It’s not a once-a-year seminar. It’s an ongoing conversation.

If you’re not sure where to begin, lean on a trusted cyber security partner. We work closely with ESET, as their platform gives us threat visibility in real time. More importantly, it helps reinforce the training we deliver by flagging risks and automating responses before humans even notice.

2. Skipping Multi-Factor Authentication because it’s “too hard”

I get it. Multi-Factor Authentication (MFA) can be annoying. It adds a few extra seconds to your login process. For a small business with limited resources, it might feel like overkill, but those few seconds could be the difference between business as usual and a full-blown data breach.

MFA is one of the simplest, most powerful tools you have. Which is why we have made it mandatory across every system we use. From email to cloud apps, VPNs to admin consoles, it’s an absolute non-negotiable. Why? Because passwords get stolen. It’s not a matter of if, it’s when. MFA gives you a critical second gate. Even if someone managed to get your credentials, they still can’t get in without that second factor. One caveat: not all second factors are equal. SMS codes can be intercepted, and push prompts can be phished or approved out of fatigue, so prefer an authenticator app and, where the system supports them, a hardware security key or passkey, which can’t be relayed through a fake login page.

Rolling out MFA doesn’t have to be complicated. Prioritise systems with sensitive data like email, CRM, accounting software, and work your way out from there. We use ESET’s endpoint protection, which has allowed us to deploy consistent MFA policies across all our clients, regardless of size or sector. Their tools make it easier to monitor who’s accessing what, and to ensure sensitive systems are properly locked down.

If you’re still on the fence about MFA, remember: convenience is no match for compromised data. Take the extra seconds when you log in. Save yourself the pain later.

3. Not preparing for the worst

Here’s a hard truth. Breaches can, and do, happen, even with solid protection in place. What separates those who bounce back from those who don’t is what they’ve got ready before the crisis hits. Those who rally have two things in common: a well-defined incident response plan and regular, isolated backups.

Too many small businesses don’t have a proper incident response plan in place. They’ve got vague ideas of what they’d do, maybe a backup on an old hard drive somewhere, but no real structure. And in the middle of a crisis, that lack of clarity can be devastating.

It’s important to treat incident response as non-negotiable. Our advanced threat detection, powered by ESET, means we can catch and isolate breaches faster, but recovery still comes down to preparation. If you don’t have a tested, repeatable process, a small incident can quickly spiral into a major shutdown.

That’s why we’ve built and tested clear plans that outline exactly what happens if something goes wrong. Who does what, who to notify (customers, your insurer and, where the Notifiable Data Breaches scheme applies, the OAIC), what to shut down, what to restore. We run drills so the plan becomes muscle memory. Everyone knows their role, and nothing is left to guesswork.

Equally important are backups. We maintain multiple, isolated copies of all critical data, including offline or immutable backups that can’t be encrypted by ransomware. Just as important, we test restoring from them, because a backup nobody has ever restored is a hope, not a plan, and ransomware that sat quietly in the environment for weeks may already be inside your most recent copies. That means if the worst does happen, we’re not negotiating with criminals, we’re restoring from verified clean backups and moving on.
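As an added example (not CTC’s or ESET’s tooling), this is one way to make “restoring from clean backups” checkable rather than assumed: record a manifest of file sizes and SHA-256 hashes when the backup is taken, keep the manifest with the offline copy, and compare every restore drill against it. The files, their contents and the simulated ransomware damage below are all constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the relative path, size and SHA-256 of every file under `root`.
    Store the result alongside the backup and keep a second copy elsewhere."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest. Reports files whose content
    changed (for example, overwritten with ciphertext before the backup ran),
    files the restore failed to bring back, and unexpected extra files such as
    a ransom note that was swept up with the data."""
    problems = {"modified": [], "missing": [], "extra": []}
    seen = set()
    for p in sorted(restored.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(restored).as_posix()
        seen.add(rel)
        if rel not in manifest:
            problems["extra"].append(rel)
        elif (p.stat().st_size != manifest[rel]["size"]
              or sha256_file(p) != manifest[rel]["sha256"]):
            problems["modified"].append(rel)
    problems["missing"] = sorted(set(manifest) - seen)
    return problems


def demo() -> dict:
    """Constructed scenario: a small backup set, then a 'restore' in which one
    file came back as ransomware ciphertext, one never came back, and a ransom
    note appeared. All names and contents are made up for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-07-01,120.00\n")
        (src / "clients.txt").write_text("Acme Pty Ltd\nGlobex\n")
        manifest = build_manifest(src)          # taken at backup time

        restored = Path(tmp) / "restored"
        (restored / "finance").mkdir(parents=True)
        (restored / "finance" / "ledger.csv").write_bytes(os.urandom(64))  # encrypted
        (restored / "README_DECRYPT.txt").write_text("pay us\n")            # ransom note
        # clients.txt is deliberately left out of the restore.
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(demo())
```

A clean restore returns three empty lists; anything else means that copy is not the one to rebuild from, and the drill should be repeated against an older backup. Running the check on a schedule, not just during an incident, is what turns “we have backups” into “we know our backups work.”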

It’s not just about risk, it’s about resilience

If you’re running an SMB, cyber security might feel like something you’ll “get to later.” But later often comes too late. You don’t need a 20-person IT department or an enterprise-sized budget to get the basics right. You just need to be proactive and consistent.

Educate your people. Protect your systems. Prepare for the unexpected. You’ll be surprised how far those three steps will take you. At CTC, we’ve built our business around making cyber security approachable and achievable for small to medium businesses. And with trusted partners like ESET in our corner, we’re able to offer enterprise-grade protection without the enterprise-level complexity.

Cyber security isn’t about fear. It’s about resilience. It’s about protecting the business you’ve worked hard to build, the clients who trust you, and the team that depends on you.


Dennis Ferrin is the Managing Director of CTC, a customer-focused IT company delivering tailored tech and cybersecurity solutions to Australian businesses. After starting his career at the ground level, Dennis took ownership of CTC in 2010 alongside business partner Mark Caple. He now leads the company’s administration and sales, combining hands-on knowledge with a relationship-driven approach. Under Dennis’s leadership, CTC has become a trusted partner for business IT needs, bolstered by a strong relationship with cybersecurity firm ESET. He’s proud to have grown CTC into a company where service, trust, and smart tech come together.
https://ctc.net.au/

