Cyber Security for Melbourne Small Business: The Five Controls That Actually Stop Attacks


If you run a Melbourne small business and you’ve been quoted for “advanced cyber security” recently, you’ve probably noticed the catalogue is enormous and the prices are spread across an order of magnitude. EDR, XDR, SIEM, MDR, Zero Trust, application allowlisting, DLP, CASB, SOAR. Most SMEs walk out of those meetings less clear than they walked in.

Here’s the contrarian truth: most Melbourne small businesses don’t need fifteen products. Five well-implemented controls stop nearly every attack the typical 20-200 staff business will face. The other ten products are useful — but for the businesses with a real attacker problem, not a “we want a tick-box” problem.

This post lists the five controls that actually matter, in priority order, with what they cost in 2026 and what they protect against.

Control #1: Multi-factor authentication on every internet-facing login

Email, M365, the line-of-business app login, the remote desktop server, the firewall admin page, the VPN. Every login that’s reachable from the public internet should require something beyond a password.

This is the single highest-ROI control in cyber security. Microsoft’s own data says it stops 99.2% of identity-based attacks against M365 accounts. Australian Cyber Security Centre incident data says credential-stuffing and phishing are the top two attack vectors against SMEs.

Cost: zero on M365 (it’s included). Some line-of-business vendors charge extra. Either way, it’s the cheapest cyber security you’ll buy. Our MFA for business guide covers rollout sequencing.

Control #2: Application control (allowlisting)

The user clicks the wrong attachment, the malware downloads, the executable tries to run. Application control says no — only programs on the approved list run on this machine, period. Even if the user is trying to run it as administrator.

This is harder to deploy than MFA. It changes user workflow because they can’t install random tools. But for ransomware specifically, it’s close to a hard stop. Read our application control piece for deployment detail.

Cost: $30–$60 per device per month for a managed application control service. Worth every dollar.

Control #3: Endpoint detection and response (EDR)

Antivirus from 2010 looked at file signatures. EDR watches behaviour. If a process suddenly starts encrypting files at scale, or trying to talk to a known command-and-control server, EDR notices and either kills it automatically or escalates to a human within minutes.

Get an EDR product with 24/7 human response (sometimes called managed detection and response, MDR). EDR alerts at 2am that nobody acts on are useless.

Cost: $25–$50 per user per month, depending on whether 24/7 SOC response is included.

Control #4: Backup that survives ransomware

Backup doesn’t prevent attacks. It makes them survivable. The minimum standard in 2026 is the 3-2-1-1-0 backup rule — three copies, two different media types, one off-site, one immutable (so the ransomware can’t encrypt the backup itself), zero errors verified.

Test the restore. Most SMEs that have backups have never tried to actually use them. Discovering at hour two of an incident that the backup is corrupt or missing the database is a special kind of pain.
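As an added example (not from the original post), the 3-2-1-1-0 rule and the restore-test advice above can be turned into a check over a backup inventory. The field names, the 90-day restore-test window and both sample inventories are assumptions constructed for illustration.

```python
# Added example: check a backup inventory against the 3-2-1-1-0 rule.
# Field names, the 90-day restore-test window and both inventories are
# constructed for illustration; adjust them to your own backup tooling.
from datetime import date

def audit_3_2_1_1_0(copies, today, max_test_age_days=90):
    """copies: one dict per copy of the data, the production copy included."""
    gaps = []
    if len(copies) < 3:
        gaps.append("3: only %d copies of the data" % len(copies))
    if len({c["media"] for c in copies}) < 2:
        gaps.append("2: every copy sits on the same media type")
    if not any(c["offsite"] for c in copies):
        gaps.append("1: no off-site copy")
    if not any(c["immutable"] for c in copies):
        gaps.append("1: no immutable copy")
    for c in copies:
        if c.get("production"):
            continue  # restore tests apply to backups, not the live data
        test = c.get("restore_test")  # (date, error_count) or None
        if test is None:
            gaps.append("0: %s has never been restore-tested" % c["name"])
        elif test[1] > 0:
            gaps.append("0: %s restore test had %d errors" % (c["name"], test[1]))
        elif (today - test[0]).days > max_test_age_days:
            gaps.append("0: %s restore test is older than %d days"
                        % (c["name"], max_test_age_days))
    return gaps

LIVE = {"name": "file server", "media": "disk", "offsite": False,
        "immutable": False, "production": True}
NAS_ONLY = [LIVE, {"name": "office NAS", "media": "disk", "offsite": False,
                   "immutable": False, "restore_test": None}]
FULL = [LIVE,
        {"name": "office NAS", "media": "disk", "offsite": False,
         "immutable": False, "restore_test": (date(2026, 1, 10), 0)},
        {"name": "cloud vault", "media": "object storage", "offsite": True,
         "immutable": True, "restore_test": (date(2026, 2, 1), 0)}]

if __name__ == "__main__":
    for label, inventory in (("NAS only", NAS_ONLY), ("full", FULL)):
        print(label, audit_3_2_1_1_0(inventory, date(2026, 3, 1)))
```

A copy with a clean but stale restore test is reported as a gap, which is the case most SMEs with backups fall into.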

Cost: typically built into a managed backup service at $80–$200 per month for a small office, scaling up with data volume.

Control #5: Email and identity hardening (M365 specifically)

Most Melbourne SMEs run on M365. The default M365 configuration is OK. The hardened M365 configuration is genuinely solid. The gap is configuration work that most SMEs never do.

The minimum: Conditional Access policies that block sign-ins from outside Australia (or your country list), block legacy authentication, require MFA always; SPF/DKIM/DMARC properly configured; safe attachments and safe links enabled; impossible-travel detection on; admin alerts firing into a channel someone reads.
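What "SPF/DKIM/DMARC properly configured" means at the DNS level, as an added example that is not part of the original post: the audit below takes TXT records as strings and flags the settings that leave a domain spoofable. The records are constructed samples (the DKIM key is a placeholder) and no DNS lookup is made.

```python
# Added example: audit SPF, DKIM and DMARC TXT records passed in as strings.
# Every record below is a constructed sample; no DNS lookup is made.

def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(apex_txt):
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero records gives no SPF result, several is a permerror
        return ["SPF: expected exactly one v=spf1 record, found %d" % len(spf)]
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls and not any(t.startswith("redirect=") for t in terms):
        return ["SPF: no 'all' term, unlisted senders get a neutral result"]
    if alls and alls[-1] in ("all", "+all", "?all"):
        return ["SPF: '%s' does not fail unlisted senders" % alls[-1]]
    return []

def audit_dkim(selector_txt):
    if not selector_txt:
        return ["DKIM: no key record at the selector"]
    if not any(parse_tags(r).get("p") for r in selector_txt):
        return ["DKIM: empty p= tag, the key is revoked"]
    return []

def audit_dmarc(dmarc_txt):
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["DMARC: expected exactly one v=DMARC1 record, found %d" % len(dmarc)]
    tags, findings = parse_tags(dmarc[0]), []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s only monitors" % (policy or "missing"))
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct=%s enforces on part of the mail only" % tags["pct"])
    if "rua" not in tags:
        findings.append("DMARC: no rua address for aggregate reports")
    return findings

def audit_domain(apex_txt, selector_txt, dmarc_txt):
    return audit_spf(apex_txt) + audit_dkim(selector_txt) + audit_dmarc(dmarc_txt)

WEAK = (["v=spf1 include:spf.protection.outlook.com ?all"], [], ["v=DMARC1; p=none"])
HARDENED = (["v=spf1 include:spf.protection.outlook.com -all"],
            ["v=DKIM1; k=rsa; p=CONSTRUCTEDPLACEHOLDERKEY"],
            ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])
print(audit_domain(*WEAK), audit_domain(*HARDENED))
```

The weak sample is the common state of a domain that has the records published but never moved past monitoring: mail still passes even when the checks fail.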

Cost: zero in licensing if you’re on M365 Business Premium or above. The work is the engineering hours to configure and tune. Budget eight to twelve hours.

What about the rest?

SIEM, XDR, SOAR, CASB, DLP, secure web gateway — they’re all real tools that solve real problems. They’re not the priority for a 50-staff Melbourne business that hasn’t yet nailed the five above. Get the basics solid, then layer on what’s appropriate for your industry, your data sensitivity, and your regulatory environment.

Our cyber security services page walks through how we sequence the deployments, and the managed security page covers the ongoing operations side.

What to do next

Score yourself on the five above. If you’ve got all five running well, you’re in better shape than most Melbourne SMEs. If you’re missing two or three, that’s the project for the next quarter, not “we need a SIEM”.

Talk to a specialist if you’d like a no-cost gap assessment against the five — we’ll send the report whether or not you become a customer.
