The State of SMB Security: Where Do We Go From Here?
After a year of writing about SMB cybersecurity, talking with business owners, and helping organisations improve their defences, I want to step back and look at the bigger picture.

Where does Australian small business actually stand on security? What’s working? What’s not? And where do we go from here?

The Current Reality

Let me be honest: most Australian small businesses are still vulnerable to basic attacks.

The statistics tell part of the story. The ACSC reports that small businesses are increasingly targeted. The average incident cost continues to rise. The same attack methods - phishing, credential theft, ransomware - keep working year after year.

But statistics don’t capture the frustration of a business owner who did everything right and still got breached. Or the relief of one who dodged an attack because they’d implemented MFA the month before. Or the resignation of someone who knows they should do more but can’t find the time or money.

The reality is messy and human, not a clean data set.

What’s Actually Improved

Despite the challenges, some things are genuinely better:

MFA awareness is widespread. Five years ago, I had to explain what MFA was. Now, most business owners have heard of it, and many have implemented it. We’ve shifted from “why would I need that?” to “I know I should do that.”

Insurance is forcing the issue. Cyber insurance requirements have pushed many businesses to implement controls they would have otherwise delayed. It’s not a perfect mechanism, but it’s driving real improvement.

The Essential Eight is becoming a standard. Australian businesses now have a clear, government-backed framework. It’s not perfect, but having a common language and reference point helps.

Cloud platforms have improved default security. Microsoft 365 and Google Workspace ship with better security defaults than they did years ago. Businesses get baseline protection even if they don’t configure anything.

Breach notification changed attitudes. Seeing major Australian brands in the news for breaches has made cybersecurity feel real for business owners. It’s no longer theoretical.

What’s Still Failing

But improvement doesn’t mean success:

Implementation lags awareness. Knowing you should do something and actually doing it are different things. Many businesses acknowledge the risks but haven’t taken meaningful action.

Fundamentals are still missing. Too many businesses still lack MFA on all accounts, still have unpatched systems, still have untested backups. The same basic failures keep enabling the same basic attacks.

SMB security is under-resourced. Small businesses don’t have security teams, often don’t have IT teams, and can’t afford enterprise solutions. The market has been slow to provide genuinely suitable options.

Training doesn’t change behaviour. Annual compliance training ticks boxes but doesn’t build security culture. People still click on phishing links at alarming rates.

Supply chain security is a mess. Businesses are connected to each other in ways that create shared risk, but vendor security management remains immature across the SMB sector.

The Structural Problems

Some challenges are bigger than individual businesses:

Security expertise is scarce and expensive. There aren’t enough qualified cybersecurity professionals, and the ones who exist are expensive. Small businesses can’t compete with enterprises for talent.

The threat landscape moves faster than defences. Attackers adapt quickly. By the time a defence becomes standard, attackers have moved on. SMBs are often defending against yesterday’s threats.

Regulatory frameworks are playing catch-up. Privacy Act reforms, Essential Eight guidance, and industry requirements are still evolving. Businesses face uncertainty about what will be required.

The incentives are misaligned. For software vendors, security features are costs that don’t directly generate revenue. For businesses, security spending doesn’t show immediate returns. The incentives favour underinvestment until a breach makes it unavoidable.

What Needs to Change

If I could change a few things:

Make security easier, not just more important. Telling businesses to take security seriously hasn’t worked. We need tools and services that make good security the path of least resistance.

Develop SMB-appropriate solutions. Enterprise security tools don’t scale down well. We need solutions designed for the constraints of small business - limited budget, limited expertise, limited time.

Shift the liability appropriately. Software vendors should bear more responsibility for shipping secure products. Businesses shouldn’t need to become security experts to use software safely.

Invest in the security workforce. Australia needs more cybersecurity professionals, especially those who can work effectively with SMBs. Training programs and career pathways need expansion.

Make breach data more useful. Better sharing of attack patterns and vulnerabilities would help defenders stay current. Privacy concerns are real but shouldn’t prevent aggregate learning.

What You Can Do

If you’re running a small business, the structural problems aren’t yours to solve. But you can:

Focus on fundamentals. MFA, patching, backups, awareness. These aren’t exciting, but they stop most attacks. Get these right before worrying about anything else.

Seek help when needed. You don’t have to figure everything out alone. IT providers, consultants, and resources like the ACSC exist. Use them.

Make security part of operations. Security isn’t a separate project - it’s how you run your business. Build it into processes, decisions, and culture.

Accept that perfect isn’t possible. You can reduce risk, but you can’t eliminate it. Aim for reasonable security, not impossible perfection. Have response plans for when things go wrong anyway.

Stay informed without drowning. You don’t need to track every threat. But understanding the landscape - what’s targeting businesses like yours, what’s working - helps you prioritise.

The Optimistic View

Despite everything, I’m optimistic about SMB security.

The tools are getting better. Cloud platforms handle more security automatically. AI is making detection smarter. Managed services make expert help more accessible.

Awareness is higher than ever. Business owners understand cyber risk is real. They’re not starting from complete ignorance anymore.

Frameworks like Essential Eight provide clear roadmaps. Businesses don’t have to figure out what to do from scratch.

And most importantly, the businesses that take security seriously are getting better results. They’re avoiding breaches, winning contracts that require security attestation, and building trust with clients.

The gap between leaders and laggards is widening. Being on the right side of that gap is achievable for any business willing to put in consistent effort.

Final Thoughts

Cybersecurity for small business isn’t about becoming unhackable. It’s not about implementing every control or achieving perfect compliance. It’s about managing risk sensibly with the resources you have.

Do the fundamentals. Seek help when needed. Build security into how you operate. Accept imperfection but don’t accept negligence.

And remember why this matters. It’s not about compliance checkboxes or insurance requirements. It’s about protecting your business, your employees, and your customers from harm.

That’s worth doing well.

Here’s to better security in 2026 and beyond. If firms like AI consultants Sydney and others continue to make security more accessible to SMBs, and if businesses keep making steady progress on fundamentals, we might look back on this era as the time things started improving.

Let’s make it happen.