Your First 90 Days as an SMB Security Champion
Congratulations - you’re now responsible for your company’s cybersecurity. Maybe it was a formal appointment. Maybe the boss just said “you’re the tech person, you handle it.” Either way, here you are.
Don’t panic. You don’t need to be a security expert. You need to be organised, consistent, and willing to learn.
Here’s your roadmap for the first 90 days.
Days 1-30: Understanding Your Current State
Before you can improve security, you need to know what you’re working with.
Week 1: Inventory
Create lists of:
- All computers (desktops, laptops)
- Mobile devices accessing company data
- Servers (on-premises or cloud)
- Network equipment (routers, switches, firewalls)
- Software and SaaS applications
- Cloud services (Microsoft 365, Google Workspace, AWS, etc.)
- Accounts with admin or privileged access
This doesn’t need to be perfect. It needs to exist.
Week 2: Access Review
For each major system:
- Who has access?
- Who has admin/privileged access?
- When were access lists last reviewed?
- Are there any accounts for people who’ve left?
Clean up anything obvious - former employees with active accounts, shared passwords that everyone knows.
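The access review above is easiest to repeat every quarter if it is scripted against an export from your identity provider or SaaS admin console. The script below is an added example, not part of the original article: it reads a constructed CSV export (the column names are an assumption; adjust them to whatever your system produces) plus an HR list of leavers, and flags leavers whose accounts are still active, active accounts with no recent sign-in, and the full set of live admin accounts for a manual check.

```python
"""Access review helper: flags leavers with active accounts, stale active
accounts, and live admin accounts. Added example, not from the article;
the CSV column layout is an assumption, so map it to your own export."""
import csv
import io
from datetime import date, datetime

# Constructed sample export, shaped like a directory or SaaS user list.
SAMPLE_EXPORT = """username,role,status,last_login
alice,admin,active,2024-05-20
bob,user,active,2024-05-18
carol,user,active,2023-11-02
dave,admin,active,2024-01-15
erin,user,disabled,2023-08-30
svc-backup,admin,active,2024-05-21
"""

# Constructed list of people HR has recorded as having left.
SAMPLE_LEAVERS = {"carol", "dave"}

# Constructed review date so the example is reproducible offline.
REVIEW_DATE = date(2024, 5, 22)


def parse_accounts(csv_text):
    """Parse the export into dicts; last_login becomes a date (or None if blank)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = row["last_login"].strip()
        row["last_login"] = datetime.strptime(last, "%Y-%m-%d").date() if last else None
        rows.append(row)
    return rows


def review_accounts(accounts, leavers, today, stale_days=90):
    """Return findings by category; each value is a sorted list of usernames.

    - leaver_still_active: HR says they left, but the account is still enabled
    - stale_active: enabled, yet no sign-in within stale_days (or never)
    - admin_accounts: every enabled privileged account, for a line-by-line check
    """
    findings = {"leaver_still_active": [], "stale_active": [], "admin_accounts": []}
    for acct in accounts:
        name = acct["username"]
        active = acct["status"] == "active"
        last = acct["last_login"]
        if active and name in leavers:
            findings["leaver_still_active"].append(name)
        if active and (last is None or (today - last).days > stale_days):
            findings["stale_active"].append(name)
        if active and acct["role"] == "admin":
            findings["admin_accounts"].append(name)
    return {category: sorted(names) for category, names in findings.items()}


if __name__ == "__main__":
    results = review_accounts(parse_accounts(SAMPLE_EXPORT), SAMPLE_LEAVERS, REVIEW_DATE)
    for category, names in results.items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

Run it, then disable or remove what it flags and keep the output with the date as your record of the review. Service accounts (like svc-backup here) will always appear under admin accounts; the point is that someone looks at each one and confirms it is still needed.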
Week 3: Current Controls
Audit what’s already in place:
- Is MFA enabled? Where?
- What endpoint protection is running?
- Are backups happening? Where do they go?
- What email security is configured?
- Are systems being patched?
You’re looking for gaps, not judging what came before.
Week 4: Quick Wins
Based on what you’ve learned, pick 2-3 things you can fix immediately:
- Enable MFA where it’s not
- Disable accounts that shouldn’t be active
- Turn on automatic updates
- Configure backup verification
Document what you did and why. This starts your security record.
Days 31-60: Building Foundations
Now you know your environment. Time to establish sustainable practices.
Week 5-6: Policies and Procedures
You don’t need a 50-page security manual. You need clear answers to:
- What are acceptable uses of company systems?
- How do we handle suspected security incidents?
- What happens when someone joins or leaves?
- Who can approve software installations?
- What are the password requirements?
Write these down. Keep them simple. Share them with leadership for approval.
Week 7-8: Essential Controls
Focus on the Essential Eight fundamentals:
- Patching: Establish a regular update schedule
- Backups: Verify they’re working and test a restore
- MFA: Expand coverage to all critical systems
- Privileges: Review and reduce admin access
Don’t try to reach full maturity. Aim for basic implementation across all areas.
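"Verify they're working and test a restore" (and the Week 4 quick win of configuring backup verification) is the control most often skipped, because a backup job reporting success is not the same as a backup you can restore from. The script below is an added example, not from the article: it assumes a simple layout of a gzipped tar plus a JSON manifest of SHA-256 hashes written at backup time (an assumption; your backup product will have its own format), then checks that the newest backup is within an age limit and that a test restore into a scratch directory reproduces every file's hash.

```python
"""Backup verification: confirm the newest backup is fresh and that a test
restore reproduces every file's SHA-256. Added example, not from the
article; the tar-plus-JSON-manifest layout and all paths are assumptions."""
import hashlib
import json
import os
import tarfile
import tempfile
import time


def sha256_file(path):
    """Stream a file through SHA-256 so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, backup_path):
    """Archive source_dir into a gzipped tar and write a manifest of
    relative path -> sha256 beside it (backup_path + '.manifest.json')."""
    manifest = {}
    with tarfile.open(backup_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(backup_path + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(backup_path, max_age_hours=24, now=None):
    """Check the backup's age, then test-restore it into a throwaway directory
    and compare every file against the manifest. Returns (ok, problems)."""
    problems = []
    now = time.time() if now is None else now
    age_hours = (now - os.path.getmtime(backup_path)) / 3600
    if age_hours > max_age_hours:
        problems.append(f"backup is {age_hours:.1f}h old (limit {max_age_hours}h)")
    with open(backup_path + ".manifest.json") as f:
        manifest = json.load(f)
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(backup_path, "r:gz") as tar:
            # Newer Pythons offer a safe extraction filter; fall back on older ones.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(restore_dir, filter="data")
            else:
                tar.extractall(restore_dir)
        for rel, expected in manifest.items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.exists(restored):
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"checksum mismatch: {rel}")
    return (not problems, problems)


def run_demo():
    """Constructed data set: a fresh clean backup passes, a backup past the
    age limit fails, and a manifest whose hash no longer matches fails."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("2024-05-01,invoice,1200\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample file\n")
        backup = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, backup)

        fresh_ok, fresh_problems = verify_backup(backup)
        two_days_later = os.path.getmtime(backup) + 48 * 3600
        stale_ok, stale_problems = verify_backup(backup, now=two_days_later)

        # Simulate drift: the manifest's recorded hash no longer matches the archive.
        manifest["notes.txt"] = "0" * 64
        with open(backup + ".manifest.json", "w") as f:
            json.dump(manifest, f)
        mismatch_ok, mismatch_problems = verify_backup(backup)
    return {
        "fresh": (fresh_ok, fresh_problems),
        "stale": (stale_ok, stale_problems),
        "mismatch": (mismatch_ok, mismatch_problems),
    }


if __name__ == "__main__":
    for label, (ok, problems) in run_demo().items():
        print(f"{label}: {'OK' if ok else 'FAILED'} {problems}")
```

Schedule verify_backup (or your product's equivalent) to run after each backup and treat a non-empty problems list as an alert, not a log line. The restore into a scratch directory is the part that matters: it proves the archive is readable end to end, which a "job completed" status does not.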
Days 61-90: Sustainable Practices
Short-term fixes are done. Now build habits that will last.
Week 9-10: Monitoring and Alerting
Set up alerts for:
- Excessive failed login attempts
- New admin account creation
- Backup failures
- Malware detections
- Unusual activity patterns
Define who receives alerts and how often they’re reviewed. Start with a weekly review schedule.
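Whatever tool you end up using, the logic behind these alerts is simple enough to see in a few dozen lines. The script below is an added example, not from the article: it runs over a constructed log (the one-event-per-line key=value format, the source names and the IP addresses are all assumptions) and produces the alert types listed above, including a sliding-window count for failed logins so that one alert fires per user rather than one per attempt.

```python
"""Minimal alerting over a constructed auth/system log: excessive failed
logins, new admin accounts, backup failures and malware detections.
Added example, not from the article; the log format is an assumption."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source key=value ...", one event per line.
# IP addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-05-22T08:00:05 auth user=bob result=FAIL src=203.0.113.5
2024-05-22T08:00:09 auth user=bob result=FAIL src=203.0.113.5
2024-05-22T08:00:14 auth user=bob result=FAIL src=203.0.113.5
2024-05-22T08:00:20 auth user=bob result=FAIL src=203.0.113.5
2024-05-22T08:00:27 auth user=bob result=FAIL src=203.0.113.5
2024-05-22T08:00:31 auth user=bob result=FAIL src=203.0.113.5
2024-05-22T08:05:00 auth user=alice result=FAIL src=198.51.100.7
2024-05-22T08:05:30 auth user=alice result=OK src=198.51.100.7
2024-05-22T09:12:44 directory event=ROLE_CHANGE user=frank role=admin by=alice
2024-05-22T22:00:00 backup job=nightly-fileserver result=FAIL detail=destination_unreachable
2024-05-23T07:45:10 av event=DETECT host=laptop-07 user=bob threat=Trojan.Generic
"""


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp and source."""
    ts, source, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def generate_alerts(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Return a list of (alert_type, message) tuples in log order.

    Failed logins use a per-user sliding window so a burst raises one alert
    when it crosses the threshold; the other alert types fire per event.
    """
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of failures in window
    already_alerted = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["source"] == "auth" and ev.get("result") == "FAIL":
            queue = recent_fails[ev["user"]]
            queue.append(ev["ts"])
            while queue and ev["ts"] - queue[0] > window:
                queue.popleft()          # drop failures older than the window
            if len(queue) >= fail_threshold and ev["user"] not in already_alerted:
                already_alerted.add(ev["user"])
                alerts.append(("excessive_failed_logins",
                               f"{ev['user']}: {len(queue)} failures in {window} from {ev['src']}"))
        elif ev["source"] == "directory" and ev.get("event") == "ROLE_CHANGE" and ev.get("role") == "admin":
            alerts.append(("new_admin", f"{ev['user']} granted admin by {ev['by']}"))
        elif ev["source"] == "backup" and ev.get("result") == "FAIL":
            alerts.append(("backup_failure", f"job {ev['job']}: {ev.get('detail', 'no detail')}"))
        elif ev["source"] == "av" and ev.get("event") == "DETECT":
            alerts.append(("malware_detected", f"{ev['threat']} on {ev['host']} (user {ev['user']})"))
    return alerts


if __name__ == "__main__":
    for alert_type, message in generate_alerts(SAMPLE_LOG):
        print(f"[{alert_type}] {message}")
```

The threshold and window are the knobs you will tune during the weekly review: too low and you get noise from people mistyping passwords, too high and a slow password-spraying attempt never shows up. Keep the alert list itself (with dates and who reviewed it) as part of your security record.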
Week 11-12: Training and Culture
Roll out basic security awareness:
- What phishing looks like and how to report it
- Why MFA matters
- How to handle suspicious emails or files
- Who to contact with security concerns
This doesn’t need to be formal training. A 30-minute team meeting with real examples works.
Week 13: Planning Ahead
Create a security roadmap for the next 6-12 months:
- What gaps remain?
- What resources (time, budget) are needed?
- What compliance requirements are coming?
- What should leadership know?
Present this to decision-makers. Get buy-in for continued investment.
Key Principles for the Whole Journey
Document everything. Future you will thank present you. Keep records of what you’ve done, why, and what remains.
Focus on fundamentals. The Essential Eight exists because these controls stop most attacks. Don’t chase advanced solutions until basics are solid.
Build relationships. IT support, managed service providers, leadership - you’ll need allies. Cultivate them early.
Accept imperfection. You won’t fix everything. Some risks will remain. That’s okay if they’re understood and accepted consciously.
Ask for help when needed. You’re not expected to know everything. Bring in specialists for assessments, complex configurations, or incident response.
Common Mistakes to Avoid
Trying to do too much at once. Pick priorities and stick to them. Scattered effort achieves nothing.
Buying tools before understanding problems. Don’t let vendors convince you to buy solutions for problems you haven’t confirmed you have.
Ignoring the people side. Technical controls matter. Culture and behaviour matter more. Invest in both.
Keeping security a secret. Transparency builds trust. Share what you’re doing and why (appropriately). People support what they understand.
Expecting instant results. Security improvement is gradual. Measure progress over months, not days.
Resources to Lean On
ACSC Small Business Guides: Practical, Australia-specific, free. Start here. cyber.gov.au/resources-business-and-government/essential-cyber-security
Essential Eight Maturity Model: The framework you’ll be working toward.
Microsoft 365 Secure Score: If you’re on Microsoft, this tells you what to improve and how.
Your IT provider: They should be an ally in this. Ask questions. Get help.
The 90-Day Milestone
By day 90, you should have:
- An inventory of systems and accounts
- MFA enabled on critical systems
- Documented policies for key scenarios
- Regular patching and backup verification
- Basic monitoring and alerting
- Initial awareness training completed
- A roadmap for continued improvement
Is this perfect security? No. But it’s a massive improvement over where most small businesses start, and it’s a sustainable foundation for ongoing maturity.
Security isn’t a destination. It’s a practice. These first 90 days establish that practice.
You’ve got this. One step at a time.