By Nathan Hutchison
The conversation that happens too often
“We’re too small to need proper cybersecurity.”
We hear this from 40-person businesses handling sensitive client data. From hospitality groups processing thousands of card payments weekly. From advisory firms managing investment portfolios. Even from some IT providers themselves.
Here’s why that’s the wrong frame entirely.
It’s not about the size of your business
Cybersecurity requirements are determined by what you’re protecting, not by your staff count or annual revenue.
What matters:
- The information you hold (client records, payment data, participant information, health records, financial data)
- The sensitivity of that information (public vs confidential vs highly sensitive)
- What happens if it’s stolen or lost (reputational damage, regulatory penalties, lost revenue, business closure)
- How dependent people are on your systems (can they operate if your systems are offline for a day? A week?)
- How critical your operations are (payment processing for hospitality revenue, portfolio access for financial advisers, case management for participant care)
Think about home security
You don’t protect your house based on its square metres. You protect it based on what’s inside. A small apartment with valuable contents needs better security than a large house with nothing valuable.
The same principle applies to business cybersecurity.
The real risks you’re carrying
Say a 35-person wealth management firm holds personal and financial information for 600 clients. If that data is stolen or leaked, every one of those 600 clients is affected. Regulatory penalties apply. Professional indemnity insurance may not cover the impact. Client trust is broken, and the referrals the firm’s growth was built on stop coming. Decades of reputation can be damaged in a matter of hours.
A 50-person not-for-profit manages participant case notes, health information and safeguarding records. If systems are breached or data is lost, participants are harmed, compliance standards are violated, funding is put at risk, and the community trust the mission depends on is broken.
A hospitality group processes 2,000 card payments daily across five venues. If payment data is compromised, the card schemes can fine the business, customers lose trust, and the compliance failures can put its liquor licenses at risk.
Your size doesn’t create that risk; the information you hold does.
“Proper” cybersecurity isn’t one-size-fits-all
As outlined above, the controls and protections you need should map directly to your business and what matters in it:
- What information you store
- Who you serve (clients, communities, patrons, donors)
- What regulations apply to you (privacy, liquor licensing, care standards, financial services regulations)
- What would actually happen if systems failed or data was stolen
A 30-person advisory firm handling investment data needs stronger access controls and backup than a 200-person manufacturer with no sensitive client information.
A 45-person care provider with participant health records needs stricter privacy controls than a 150-person retail business.
Bigger doesn’t automatically mean more complex cybersecurity needs. Proper cybersecurity means controls right-sized for your actual risk.
Being defensible matters (even if breached)
Cybersecurity isn’t infallible, and even well-protected businesses can be breached.
What matters when a breach happens:
Can you prove you took reasonable steps?
- Multi-factor sign-in protecting accounts
- Devices secured and updated
- Backups tested (not just running)
- Staff trained on threats
- Policies documented
- Incident procedures ready
Being defensible protects you:
- Regulators assess whether you took reasonable steps (not whether you were perfect)
- Insurers cover breaches where you had appropriate controls in place (and may decline claims where you were negligent)
- Client trust recovers faster when you can show you were protecting them properly
- Legal liability reduced when you demonstrate due care
Having proof you were defensible matters as much as prevention itself.
The complexity is in the rollout (not the concept)
The concepts aren’t complicated: Protect accounts with extra verification. Secure devices. Back up data. Train staff. Document procedures.
The complexity comes in rolling this out across your business:
- Which systems need extra sign-in protection first?
- How do you configure security without slowing staff?
- How do you train field workers who aren’t in the office?
- How do you maintain controls as staff change and systems evolve?
- How do you document for auditors in language they accept?
This is where the right partner matters.
Understanding business first, tools second
Good cybersecurity is more than plugging in some tools; it’s about understanding:
Your business:
- How your team actually works (office, home, field, client sites, venues)
- What slows them down vs what protects them appropriately
- What compliance standards apply to your sector
- Where your vulnerabilities actually are (not generic “best practices”)
Your clients and people:
- Whose information you’re protecting (clients, participants, patrons, donors)
- What harm occurs if that information is compromised
- What trust looks like in your industry
- What your obligations are to the people who trust you with their information
Then the tools:
- Which security controls address your actual risks
- How to configure them for your workflows
- How to maintain them as your business changes
- How to prove they’re working when auditors or insurers ask
A partner who understands cybersecurity but not your business will deploy generic controls that don’t fit. A partner who understands your business but not cybersecurity won’t protect you properly.
You need both.
What this looks like in practice
- Hospitality group (6 venues, 85 total staff):
Controls protecting card payment data. Camera footage retained for liquor licensing. Access controls for the cash office and bottle shop. Incident records for compliance. Staff training on payment security and privacy. Right-sized for hospitality compliance and payment data risk.
- Not-for-profit (42 staff, registered care provider):
Controls protecting participant information. Field staff accessing case notes securely on mobile devices. Privacy policies meeting care standards. Backups tested quarterly. Evidence maintained for compliance reviews. Right-sized for participant data sensitivity and regulatory requirements.
- Financial planning practice (38 advisers and staff):
Controls meeting regulatory expectations. Client data protected properly. Access limited based on roles. Email retained for the required period. Systems documented for audits. Right-sized for financial services compliance and client trust obligations.
None of these are “too small for cybersecurity.” Each has appropriate controls for their actual risk.
Where to start
Understand the level of risk you’re actually carrying:
- What information do you hold that would damage clients, participants, or patrons if stolen or lost?
- What regulations apply to your industry?
- What would actually happen to your business if systems were offline for 3 days? A week?
- Can you prove you’re taking reasonable steps to protect people’s information?
Then implement controls matching that risk. Not generic “small business security.” Not enterprise-level over-engineering.
Right-sized protection for your actual situation.
Get an assessment
We’ll assess where you should be based on the information you hold, the people you serve, and the regulations that apply to you.
Not a generic checklist. An honest assessment of your actual risk and the controls that make sense for your business.
One more important question
Is Your Domain Protected from Cyber Threats?
Are you confident your domain name is safe from phishing, spoofing, fraud and impersonation? If you’re unsure, it’s time to check your domain’s DMARC (Domain-based Message Authentication, Reporting and Conformance) status: the TXT record published at _dmarc.yourdomain tells receiving mail servers what to do with mail that fails authentication, and a missing or “monitor only” record leaves your domain open to impersonation.
It’s simple, takes about a minute, and it’s free.
Check Your DMARC Status Today
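What a DMARC status check actually does, as an added example (this is not the page’s own checker or any vendor’s tool): it reads the TXT record at `_dmarc.<domain>`, parses the `tag=value` pairs, and grades the `p=` policy. The sample records and domain names below are constructed for illustration, and the `lookup_dmarc` helper for live DNS is an optional extra that assumes the third-party `dnspython` package is installed; the grading runs entirely offline.

```python
"""Parse and grade a DMARC record (RFC 7489) as published at _dmarc.<domain>.

Added example, not the original page's code. SAMPLE_RECORDS are constructed
placeholders, not any real domain's published records.
"""
from __future__ import annotations

# Constructed sample records keyed by placeholder domain; None = no record published.
SAMPLE_RECORDS: dict[str, str | None] = {
    "missing.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:reports@strict.example",
    "broken.example": "v=DMARC1 p=reject",  # missing ';' separator, so 'p' is never parsed
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict[str, str] | None:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    Returns None when the record is not syntactically DMARC: the first tag must be
    v=DMARC1 and a 'p' tag must be present (RFC 7489 section 6.3).
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        if not sep:
            return None  # a tag without '=' is malformed
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return None
    if "p" not in tags:
        return None
    return tags


def dmarc_status(record: str | None) -> str:
    """Classify a record the way a 'check your DMARC status' tool would.

    missing  - nothing published: receivers have no instruction, spoofing is easy
    invalid  - record present but malformed; receivers treat it as absent
    monitor  - p=none: reports only, failing mail is still delivered
    partial  - enforcement exists but is diluted (pct<100 or subdomains at sp=none)
    enforced - quarantine or reject applied to all mail for the domain and subdomains
    """
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in VALID_POLICIES:
        return "invalid"
    if policy == "none":
        return "monitor"
    # Assumption of this lenient grader: a non-numeric pct is ignored (treated as 100).
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial"
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none":
        return "partial"
    return "enforced"


def grade_domains(records: dict[str, str | None]) -> dict[str, str]:
    """Grade every domain in a {domain: record} mapping."""
    return {domain: dmarc_status(record) for domain, record in records.items()}


def lookup_dmarc(domain: str) -> str | None:
    """Fetch the live record for a domain. Optional; requires dnspython (assumption)."""
    try:
        import dns.resolver  # third-party package 'dnspython'
    except ImportError as exc:
        raise RuntimeError("install dnspython to query live DNS") from exc
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None
    for rdata in answers:
        txt = b"".join(rdata.strings).decode("utf-8", "replace")
        if txt.upper().startswith("V=DMARC1"):
            return txt
    return None


if __name__ == "__main__":
    for domain, status in grade_domains(SAMPLE_RECORDS).items():
        print(f"{domain:18} {status}")
```

Only `enforced` means receiving servers have been told to quarantine or reject mail that fails authentication for the domain and its subdomains; `monitor` and `partial` are useful stepping stones while reports are reviewed, but they are not protection against impersonation on their own.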