Small Business Cyber Health Check
A structured self-assessment that tells your small business where its cyber security stands — and exactly what to fix first. Plain English. About 60 minutes. Industry-specific.
A cyber health check is what every small business owner asks for, often without knowing the words for it. "How do I know if we're OK on cyber?" "What's the most important thing to fix?" "Am I going to lose my business if we get hit by ransomware?" A health check answers those questions in a structured, evidence-based way.
This page explains what a cyber health check actually is, what you get from one, and how to pick the right version for your business — the generic small business assessment, or one of eleven industry-specific versions tailored to your sector's regulators, systems, and threat profile.
What is a cyber health check?
A cyber health check is a structured self-assessment of a small business's cyber security posture. It walks through the controls that matter — passwords and access, backups and recovery, patching, staff awareness, supplier risk, data handling, and incident response — and produces three things: a scored result, a readiness rating, and a prioritised action plan.
It's the small business equivalent of a cyber security maturity assessment. The same idea — measure where you stand, identify gaps, prioritise fixes — translated into plain English and designed to be completed in one sitting by a practice manager, owner-operator, or office administrator. No IT background required.
What you get
Overall security score
A clear number plus a readiness rating, so you know where you stand at a glance.
Category breakdown
Visual dashboard showing your strength in each area — backups, access, training, supplier risk, and more.
Prioritised action plan
Each gap with what to do, how urgent it is, and rough time and cost estimates. Auto-sorted by priority.
Word report
A professional report ready to share with your insurer, IT provider, accountant, board, or regulator.
Excel workbook
Incident response contacts and step-by-step checklists ready to print and put on a wall.
Australian framing
Every recommendation referenced to Australian regulators — ACSC, OAIC, your sector's regulator — not US or UK frameworks.
Why industry-specific matters
The cyber threats that affect a community pharmacy are not the same as the cyber threats that affect an accounting practice. A real estate agency's settlement scams are not the same as an NDIS provider's participant data risk. A childcare centre's family records aren't the same as a law firm's trust account exposure.
An industry-specific cyber health check asks about the systems, regulators, and threats that actually apply to your sector. The pharmacy assessment asks about PBS Online, eRx, MediSecure, RTPM and the Schedule 8 register. The accounting assessment asks about ATO portal access and TPB cyber obligations. The legal assessment asks about trust account fraud and BEC attacks. The resulting report is more useful to your insurer, regulator, and IT provider — because it speaks their language.
If you're in one of the eleven sectors below, use the industry-specific version. If your business doesn't match any of them, use the generic small business cyber health check instead.
Choose your cyber health check
Accounting Practice
ATO portals, audit working papers, client tax records, AUSkey/myGovID, TPB cyber expectations.
Professional Services: Bookkeeper & BAS Agent
ATO portal access, accounting software, client data, TPB cyber obligations.
Professional Services: Legal Practice
Trust accounts, client confidentiality, court systems, practice management software, professional conduct.
Professional Services: Real Estate Agency
Trust accounts, CRM and rent-roll systems, settlement scams, state real estate authority expectations.
Financial Services: Financial Planning
AFSL-licensed practices: client investment data, portfolio platforms, super fund access, ASIC cyber requirements.
Financial Services: Mortgage Broking
Client financial documents, lender portals, NCCP obligations, ASIC cyber expectations.
Healthcare: GP Clinic
Practice management, clinical software, PRODA, Medicare claiming, patient records under AHPRA and the Privacy Act.
Healthcare: Allied Health
Physio, OT, psychology, podiatry: practice management, Medicare/DVA claims, mobile practitioner considerations.
Healthcare: Pharmacy
Dispensing software (FRED, LOTS, Minfos, RxOne), PBS Online, eRx, MediSecure, RTPM credentials, Schedule 8 register.
Care Services: NDIS Provider
Participant records, NDIS portal access, support worker mobile devices, NDIS Quality and Safeguards Commission expectations.
Care Services: Childcare Centre
Enrolment and family records, CCS claiming, mobile devices, ACECQA and state regulator expectations.
Not in one of those sectors?
Use the generic small business cyber health check. Same depth of assessment, same Word and Excel outputs, with framing that works for any small Australian business that doesn't fit one of the eleven industry-specific variants — e-commerce, manufacturing, hospitality, trades, professional services outside the regulated ones, and more.
How a cyber health check fits into the bigger picture
A cyber health check is one tool within the broader discipline of cyber security assurance — the ongoing work of producing evidence that your security controls work. For small businesses, the health check usually is the assurance work. The scored report is what you hand to your insurer at renewal, what you reference in a board paper, what you show to a regulator who asks, and what gives your IT provider a structured list to work through.
For businesses with higher regulatory load — APRA-regulated entities, energy responsible entities, listed companies, larger healthcare providers — the framework-specific enterprise assessments are the right starting point instead.
Frequently asked questions
How long does a cyber health check take?
About 60 minutes for a typical small business. The questions are written in plain English with hover tooltips for any technical terms. Most small business owners or practice managers can complete it in one sitting.
Do I need an IT person to help me?
No. The health check is specifically designed to be completed by a non-technical owner, practice manager, or office administrator. Every question is in plain English, and the companion user guide explains the intent of each question — what "yes" really means and what evidence to look for. You may want to share the final report with your IT provider, but you don't need one to run the assessment.
Is a cyber health check the same as a cyber security audit?
No. A health check is a self-assessment — a working tool that tells you where you stand and what to fix. An audit is a formal, independent examination performed by a qualified external auditor against a defined standard, typically resulting in a certificate or formal opinion. A health check is the most cost-effective way to identify and close gaps before an audit, or as the regular check-in for businesses that don't require formal audit.
Does my data leave my device?
No. The assessment runs entirely in your browser. Your answers and evidence stay on your computer. There's no cloud account, no telemetry, and nothing is transmitted to CyberAssure. When you're ready, the tool generates the Word and Excel exports directly to your downloads folder.
How often should we run it?
Most small businesses run a full health check once a year, with a quick re-review of any high-priority gaps every six months. Cyber insurance renewals are a natural trigger, as are major business changes (new system, new site, new staff with privileged access, or after any security incident).
What if my industry isn't listed?
Use the generic small business cyber health check. It covers the same security areas as the industry-specific versions, with framing that works for any Australian small business. If you'd like an industry-specific version built for your sector, please get in touch — several recent additions to the line-up came directly from customer requests.
Pick the right health check for your business
An industry-specific health check if your sector is in the list above, or the generic version if it's not. Either way: 60 minutes, plain English, scored result, prioritised action plan.
