Blog - Building a Cyber Safe Culture - Practical Steps for Small and Medium Businesses

Every October, Cyber Security Awareness Month reminds us that technology alone cannot keep us safe, it takes people, policies, and daily habits working together. This annual initiative, backed by the Australian Government, shines a spotlight on key areas of cyber resilience. This year’s themes are a call to action for businesses of all sizes, especially small and medium businesses (SMBs). The focus areas - event logging, legacy technology, supply chain and third-party risks, and quantum readiness – might sound technical, but they boil down to one idea: building a cyber safe culture in your organisation.

Why culture? Because a cyber safe culture means everyone in the business understands the importance of security and takes it seriously. It means security is part of everyday decisions, from the software you buy to how employees handle data. In a climate where cybercrime reports are rising and even smaller companies are frequent targets, fostering this culture is no longer optional, it’s a necessity. By engaging with the weekly themes of Cyber Security Awareness Month, Australian SMBs can learn practical steps to boost their security posture. Let’s explore each of these four themes and how you can apply them to protect your business.

1. Event Logging: Visibility into Your Systems

Logs provide insight into what’s happening across your network. Without them, investigating incidents is almost impossible.

Key actions for SMBs:

• Enable logs everywhere: operating systems, cloud platforms, firewalls, and business-critical apps.
• Centralise logs: even free or low-cost tools (e.g., Graylog, Wazuh) can help small firms consolidate data. Larger SMBs might use a managed SIEM service.
• Use alerts wisely: set automated alerts for suspicious behaviour like multiple failed logins, unusual file transfers, or disabled antivirus.
• Audit regularly: schedule weekly reviews; retain logs 6-12 months for compliance and investigations.

Extra tip: Map logging to compliance needs (e.g., PCI DSS for payments, ISO 27001 for broader security). This reduces audit pain later.

2. Legacy Technology: Update or Isolate

Unsupported software and hardware create weak points for attackers. According to Microsoft, PCs running unsupported Windows versions are 3–5 times more likely to suffer malware infections.

Key actions for SMBs:

• Audit assets: create a list of all hardware, operating systems, and apps. Flag those past end-of-life.
• Prioritise high-risk systems: focus on internet-facing systems and tools holding sensitive data.
• Plan upgrades: schedule phased upgrades to spread cost and disruption. Cloud-based SaaS often provides affordable alternatives to legacy on-premise apps.
• Mitigate where needed: if replacement isn’t possible, isolate old systems, limit internet access, and back up critical data.

Extra tip: Factor in hidden costs of legacy tech - downtime, staff frustration, and higher support fees- when building the business case for upgrades.

3. Supply Chain and Third-Party Risks

Nearly half of SMBs report being affected by a vendor-related breach. Attackers often target smaller partners as stepping stones to larger organisations.

Key actions for SMBs:

• Due diligence: ask suppliers about patching cycles, MFA, backup practices, and certifications (ISO 27001, SOC 2).
• Contractual safeguards: require breach notification within 24 hours, MFA for remote access, and secure data handling.
• Limit access: enforce least privilege - give vendors only what they need, and revoke access immediately once work ends.
• Maintain a vendor register: track who has access, what data they hold, and what controls are in place.
• Conduct reviews: even an annual check-in with major suppliers can highlight issues early.

Extra tip: Train staff to spot business email compromise (BEC) scams, where attackers impersonate suppliers. Simple verification procedures (e.g., calling to confirm bank account changes) can prevent major losses.

4. Quantum Readiness

Quantum computing isn’t mainstream yet, but once it is, many current encryption methods will become obsolete. Governments and major vendors are already moving to post-quantum cryptography.

Key actions for SMBs:

• Raise awareness: ensure leaders and IT staff understand the basics of quantum risk.
• Identify long-life data: protect assets like medical records, contracts, or IP with the strongest encryption available now.
• Stay informed: follow updates from the Australian Cyber Security Centre (ACSC) and NIST (US) on post-quantum standards.
• Procure smartly: when buying software or cloud services, ask vendors about their quantum-safe roadmap.

Extra tip: Start small by including “future encryption” as a procurement criterion. This prevents lock-in with vendors who won’t adapt.

Rachis Technology - Supporting SMBs in Cyber Resilience

Rachis Technology partners with Australian SMBs to strengthen cyber resilience through:

• Logging & Monitoring: Implementing centralised log collection, real-time monitoring, and rapid response to threats.
• Legacy Mitigation: Assessing outdated systems, guiding secure upgrades, and isolating unavoidable legacy tools.
• Third-Party Risk Management: Reviewing vendor security, enforcing controls like MFA, and responding quickly to supply chain vulnerabilities.
• Future-Proofing: Translating emerging threats (including quantum computing) into practical, long-term security strategies.

With ISO 27001 certification, Rachis embeds best practices into every service, from staff training to managed IT. Our goal is to make cyber safety achievable, helping SMBs protect assets, maintain trust, and prepare for the future.