What cybersecurity does a small business actually need?
Most small businesses do not need a cybersecurity consultant. Who the enterprise providers actually serve, the 4 questions that matter at 1–30 staff, and when a consultancy is genuinely the right call.
Cybersecurity at small-business scale means knowing whether your basics are set up correctly — not buying an enterprise security program. Consultancies like CyberCX, Deloitte Cyber and PwC's cyber practice are real, good at their work, and correctly designed for enterprises with regulators to answer to and complicated estates to defend. Most small businesses do not need a consultant. At 1–30 staff, cybersecurity comes down to 4 questions:
- Is your website set up correctly?
- Is your email arriving — and could a stranger send invoices that look like yours?
- Do you have a backup that survives the office and that you have actually restored from?
- Would your staff recognise a phishing email asking them to move money?
Every one of those is checkable without hiring anyone. The enterprise version of cybersecurity is real — it just solves problems most small businesses do not have.
Say "cybersecurity" to a small business owner and the word arrives pre-loaded: breach headlines, government frameworks with numbered controls, and a consultant in a nice suit presenting a 90-page report that cost more than the ute. The image is not wrong — that industry exists and does serious work. The problem is the conclusion owners draw from it: that cybersecurity is a $50,000 problem, and since there is no $50,000, it gets filed under later.
This page is the un-filing. It covers who the enterprise security providers actually serve, the 4 questions that constitute cybersecurity at 1–30 staff, and the genuine cases where a consultancy is the right call. If you want the direct side-by-side of a consultancy engagement versus our scanning subscription, that lives at Red Bridge Cyber vs cybersecurity consultancies.
The PwC-perception trap
The reason cybersecurity sounds expensive is that the loudest voices in the market are priced for enterprises. When a bank is breached, the firms quoted in the coverage are the big consultancies. When the government publishes guidance, it is written against frameworks designed for organisations with IT departments. A small business owner hearing all this reasonably concludes that the entry price is enterprise-shaped. It is not — but to see that, it helps to know who the 4 kinds of provider actually are.
Cybersecurity consultancies. CyberCX, Deloitte Cyber, PwC's cyber practice and firms like them do engagement-based work: red-team exercises, compliance assessments against ISO 27001 or the Essential Eight, incident response, security strategy. They are very good at this, and it is correctly priced for organisations with hundreds of staff, regulators to answer to, and something genuinely complicated to defend. Nothing on their services page is built for a 6-person business, and that is by design, not neglect.
Managed security service providers (MSSPs). An MSSP watches your systems continuously — networks, servers, staff laptops — from a 24/7 security operations centre, and responds when something looks wrong. The product assumes there is an internal network worth watching. A small business running a website, cloud email and a handful of laptops mostly does not have one.
Penetration testers. A pen test is a one-off engagement where a specialist actively attacks a specific system to find what breaks. It is the right tool when you have something custom worth attacking — a web application holding sensitive customer data, for instance. For a standard small business website, it is a scalpel where a checklist is needed; the full comparison is at Red Bridge Cyber vs penetration testing.
Scanning services. A scanning service runs automated checks against the public-facing parts of your website — email configuration, certificates, security headers, DNS — and reports what is missing in plain language, continuously. No simulated attacks, no consultants on site. This is the tier we operate in, and at small-business scale it covers the majority of what actually goes wrong.
What you actually need at 1–30 staff
At this size your entire technology footprint is usually a website, an email service, some cloud apps and the laptops your staff carry. Cybersecurity for that footprint is not a program. It is 4 questions.
1. Is your website set up correctly?
The median Australian small business website scores 20/100 on Red Bridge Cyber's Security category — grade F.* That number is not a verdict that half the country is breached. It measures missing basics: security headers that no host sets by default, TLS configuration that drifted out of date, records nobody re-checked after the last provider change. Almost every finding behind that grade is a small, one-time fix at the hosting or DNS layer. You can check individual slices yourself with free tools — our guide to the free scanners covers each one — or have a scan correlate the lot.
2. Is your email arriving — and could someone send email pretending to be you?
Three DNS records — SPF, DKIM and DMARC — control whether your email lands in inboxes and whether a stranger can send invoices with your domain on them. Most small businesses have these partially configured at best, because nobody owns the job: the website developer assumes the email provider did it, and vice versa. Spoofed-invoice fraud is the attack most likely to cost a small business real money, and the defence is 3 DNS records, not a consultant. Start with what DMARC is and check your own domain in MXToolbox.
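As an added example, not code from Red Bridge Cyber or this page, the following Python grader applies the checks just described to SPF and DMARC records, run over constructed records for a hypothetical domain with the weak settings beside the fixed ones. DKIM is left out because its TXT record lives under a provider-specific selector name, so there is no single record to check without knowing that selector.

```python
"""Grade SPF and DMARC TXT records for spoofing resistance.

Added example, not Red Bridge Cyber's code. Records are constructed inline so
the check runs offline; on a real domain you would fetch the TXT record at the
domain apex (SPF) and at _dmarc.<domain> (DMARC) and pass the strings in.
"""
import re
from typing import Optional

# Mechanisms that cost a DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", re.I)


def grade_spf(record: Optional[str]) -> list:
    """Return problems found in an SPF TXT record (empty list means it passes)."""
    if record is None:
        return ["no SPF record: receivers cannot tell which servers may send as you"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1, so it is not SPF"]
    issues = []
    all_terms = [t for t in terms if t.lower().endswith("all")]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders are neither passed nor failed")
    elif all_terms[-1][0] == "+":
        issues.append("+all: every server on the internet passes SPF for your domain")
    elif all_terms[-1][0] == "?":
        issues.append("?all: neutral result, spoofed mail is not penalised")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    return issues


def grade_dmarc(record: Optional[str]) -> list:
    """Return problems found in a DMARC TXT record (empty list means it passes)."""
    if record is None:
        return ["no DMARC record: SPF/DKIM failures carry no instruction, spoofed mail is delivered"]
    tags = dict(p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in tags.items()}
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none: monitoring only, receivers still deliver spoofed mail")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid p= tag; the record is ignored")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy is only applied to {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so you cannot see who sends as you")
    return issues


# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLES = {
    "weak": ("v=spf1 include:_spf.example-mail.test ?all", "v=DMARC1; p=none"),
    "fixed": ("v=spf1 include:_spf.example-mail.test -all",
              "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        print(name, {"spf": grade_spf(spf), "dmarc": grade_dmarc(dmarc)})
```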
3. Do you have working backups?
Not "the laptop syncs to a drive in the office" — a backup that survives the office (fire, theft, flood) and that you have actually restored from at least once. An untested backup is a hope, not a control. The ACSC Small Business Cyber Security Guide covers this properly, along with software updates and multi-factor authentication — it is the single best free document in Australian small-business security, and it is 12 pages, not 90.
4. Would your staff recognise a phishing email?
Most incidents at this scale do not start with someone breaking through your website. They start with an email that asks a staff member to do something — pay this invoice, reset this password, buy these gift cards. The fix is not technology. It is a 20-minute conversation with your team, repeated occasionally: what these emails look like, and the standing rule that any payment-change request gets verified by phone. The ACSC's small business hub has free materials for exactly this conversation.
That is the list. No security operations centre, no framework certification, no retainer. If those 4 questions all have good answers, a small business is ahead of the vast majority of its peers — 85% of Australian small business websites land at grade D or below on outbound Security scanning.*
One addendum for businesses that need to prove the basics rather than just have them: SMB1001 is the certification standard actually designed for small businesses — 5 tiers, entry pricing closer to a software subscription than an audit, and a sensible next step when a customer or tender asks for evidence. The lower tiers are self-attested by a director, which is exactly why checking your public-facing basics first is not optional. We cover it tier-by-tier in our SMB1001 certification guide.
When you do need a consultancy
There are small organisations that genuinely need the enterprise tier, and they share one property: a regulator or a contract says so.
If you are APRA-regulated — a bank, insurer or superannuation trustee of any size — CPS 234 imposes information-security obligations that require formal assessment. If you hold health records, you carry sensitive-data obligations under the Privacy Act, and the OAIC's Notifiable Data Breaches scheme means a mishandled incident becomes a legal event, not just a bad week. If you supply the defence sector, your contracts will reference the ISM and may require DISP membership. And if a large enterprise customer sends you a 40-page security questionnaire, answering it can be cheaper with help.
In these cases a consultancy is not overkill — it is the product designed for your situation, and the good ones earn their fees. This is, deliberately, not most of our readers. If you are not sure which side of the line you are on, the comparison page sets out what each tier does and does not include.
The middle ground
Between the free-tools-and-a-spare-evening approach and a consultancy engagement sits a thin middle tier: vulnerability management as a service, lightweight MSSP offerings, and scanning subscriptions like ours. What they share is continuity — the checks re-run on a schedule, so the configuration that silently breaks in a site rebuild gets caught the week it breaks, not the year after. What separates them is scope: an MSSP watches your internal systems and responds to incidents; a scanning service watches your public surface and tells you what to fix. For a business whose technology is a website and cloud services, the public surface is most of the story — which is why this tier is priced like a software subscription and not like a salary.
What we don't do
We are not a cybersecurity consultancy, and this page is not a pitch pretending otherwise. We do not do penetration testing, incident response, compliance certification or security strategy. When customers need an ISO 27001, NIST, Essential Eight, SMB1001 or ISM assessment, we refer them to partners who do that work — and we take no referral fee for it, as our partner & referral disclosures set out. If the enterprise tier is what your situation requires, Red Bridge Cyber vs cybersecurity consultancies is honest about where our scan stops and their engagement letter starts.