Most small businesses do not need to start with a full penetration test. They need to stop the obvious problems first.
Website digital safety means checking the basics that affect trust, spam, enquiries, and control of important accounts.
It is not about scare tactics. It is about making the business easier and safer to operate.
What “basic digital safety” means
For a local business, basic digital safety usually means:
- the website loads over HTTPS
- contact forms are not attracting constant spam
- the site is not exposing private files
- email records make spoofing harder
- admin access is controlled
- old agencies or staff do not keep unnecessary access
- the business owner knows who controls the domain, hosting, email, and Google profile
- there is a backup or rollback path before risky changes
That is different from specialist cyber work.
What it does not mean
A basic safety check is not:
- a full penetration test
- a guarantee the site cannot be hacked
- legal/compliance advice
- incident response
- dark web monitoring
- device security
- staff cyber training
Those can matter, but they are next-level services. For serious projects or high-risk businesses, bring in a cyber specialist.
Start with HTTPS
Customers expect the lock icon.
Check:
- the site uses
https:// - the certificate is valid
- old
http://links redirect properly - the correct domain is used consistently
Broken HTTPS makes a business look less trustworthy and can scare customers away.
Check obvious exposed files
Some websites accidentally publish files that should never be public.
Examples:
.env.git/config- backup zip files
- database dumps
- old config files
- internal notes
A safe public check can look for a tiny list of common exposed paths. It should not involve trying to break in or probing aggressively.
Keep forms simple and safe
Forms should collect enough detail to respond, not every private detail in the customer’s life.
Good form practice:
- ask for name, phone/email, suburb, service needed, short message
- avoid requesting passwords, card details, bank details, or private documents
- use spam protection where needed
- send notifications to a verified owner/team address
- test the form regularly
If a business is getting spammed, the fix may be a honeypot, CAPTCHA, rate limiting, or moving to a more reliable form provider.
Email trust matters
Scammers can try to spoof business domains. Email trust records help receiving mail systems decide what to trust.
Useful records:
- SPF: which systems are allowed to send email for the domain
- DKIM: cryptographic signing for outgoing mail
- DMARC: what to do when mail fails checks, and where to send reports
Start gently. Many small businesses should begin with DMARC set to monitoring mode before tightening it.
Admin access should be boring
A lot of risk comes from messy access.
Check:
- who has website admin access
- whether 2FA is available
- whether old agencies or ex-staff still have access
- whether passwords are shared
- who controls the domain registrar
- who controls Google Business Profile
- who controls email hosting
The goal is not paranoia. It is knowing who can change important things.
Backups and rollback matter
Before big changes, know how to recover.
For a small site, this might mean:
- a Git repo
- hosting backup
- CMS backup
- export of key content
- documented rollback step
If no one knows how to restore the site, even a simple update can become stressful.
When to bring in a specialist
Bring in a cyber specialist for:
- suspected breach
- customer data exposure
- payment/card systems
- medical/legal/sensitive records
- high-value ecommerce
- custom web apps with logins
- full penetration testing
- compliance requirements
For most small local businesses, though, the first win is cleaning up the basics.
A practical safety checklist
Start here:
- Check HTTPS.
- Check contact forms.
- Check obvious exposed files.
- Check SPF/DKIM/DMARC.
- Review admin access.
- Confirm backups.
- Remove old access where possible.
- Add a plain-English safety summary after changes.
Want a basic safety check?
Bush Digital Guides includes practical digital safety checks in website, enquiry, and local growth work.
Start with a Free Local Growth Review, read about the Website Safety & Growth Check, or ask about local growth services.
Want the same lens on your business?
Start with a Free Local Growth Review for your website, Google Profile, reviews, enquiry path, and quote follow-up.