
Key Lessons for Small and Mid-Sized Businesses
The Australian Signals Directorate’s (ASD) latest cyber security posture review shows gradual improvement across government in meeting its Essential Eight (E8) baseline, but progress is still slow.
Even though the report focuses on government agencies, the lessons also apply directly to SMBs, especially those in regulated industries or servicing government customers.
Regardless of industry, strong security builds customer trust and unlocks new opportunities. If you're modernising your business, make sure your security foundation is ready.
Review our 9 key takeaways for SMBs from the report below:
1. Cyber Basics Still Matter More Than Anything Else
- Even large agencies struggle to implement core controls like MFA, patching, and admin privilege restrictions.
- For SMBs: Start with the fundamentals. Most cyber incidents exploit simple weaknesses.
2. “Phishing Resistant MFA” Is Becoming the New Standard
- MFA alone is no longer enough. ASD's Essential Eight now calls for phishing-resistant MFA: methods such as FIDO2 security keys, passkeys and smart cards, where the credential is bound to the legitimate site so a code or approval cannot simply be relayed through a fake login page.
- For SMBs: SMS codes, email codes and security questions can be phished or intercepted, and even authenticator-app codes and push prompts can be relayed in real time by an attacker-in-the-middle phishing site. Authenticator apps are a worthwhile step up from SMS, but plan to move privileged and internet-facing accounts to FIDO2 security keys or passkeys.
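Why a FIDO2 login survives a phishing page when a one-time code does not is easiest to see in code. The example below is added here and is not code from the ASD report or from this article; it models the WebAuthn flow with constructed domain names (login.example.com and a look-alike phishing host), and it replaces the authenticator's ECDSA signature with an HMAC keyed by a per-credential secret so that it runs with only the Python standard library. The structure of what is signed (rpIdHash, clientDataJSON with its origin) and what the relying party checks follows the WebAuthn specification.

```python
"""Added illustration of phishing-resistant MFA (not from the original article).
The ECDSA signature a real authenticator produces is simulated with an HMAC over
the same data (assumption: keeps the demo dependency-free); the checks the relying
party performs follow the WebAuthn assertion verification steps."""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                                 # constructed relying party ID
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil-host.net"    # constructed phishing site


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Stand-in for a security key or passkey: each credential is scoped to one rpId."""

    def __init__(self):
        self._creds = {}  # rp_id -> credential secret (stands in for the private key)

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._creds[rp_id] = key
        return key  # the relying party stores this (public key in the real protocol)

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        key = self._creds.get(rp_id)
        if key is None:  # real authenticators only answer for the rpId asked about
            raise LookupError("no credential for rpId " + rp_id)
        # authenticatorData = rpIdHash (32) || flags (UP set) || signCount
        auth_data = sha256(rp_id.encode()) + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + sha256(client_data_json), hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authn: Authenticator, page_origin: str, rp_id: str, challenge: bytes):
    """Models the browser: it refuses an rpId the page's origin is not allowed to claim,
    and it, not the page script, writes the real origin into clientDataJSON.
    Simplified rpId rule: host equals rpId or is a subdomain of it (ports ignored)."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("origin %s may not use rpId %s" % (page_origin, rp_id))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    auth_data, sig = authn.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(stored_key: bytes, challenge: bytes, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:            # assertion collected on another site
        return False
    if auth_data[:32] != sha256(RP_ID.encode()):  # credential scoped to another rpId
        return False
    expected = hmac.new(stored_key, auth_data + sha256(client_data), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def fido2_scenarios():
    """Returns (legitimate_login_ok, phishing_relay_ok, forged_origin_ok)."""
    authn = Authenticator()
    stored_key = authn.register(RP_ID)
    challenge = secrets.token_bytes(32)          # issued by the real site for this login
    legit_ok = rp_verify(stored_key, challenge, *browser_get(authn, RP_ORIGIN, RP_ID, challenge))
    # Attacker relays the real challenge to the victim's browser on the phishing page.
    try:
        phish_ok = rp_verify(stored_key, challenge, *browser_get(authn, PHISH_ORIGIN, RP_ID, challenge))
    except (PermissionError, LookupError):
        phish_ok = False
    # Even if the browser check were bypassed, clientDataJSON names the phishing origin.
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                         "origin": PHISH_ORIGIN}).encode()
    auth_data, sig = authn.get_assertion(RP_ID, forged)
    forged_ok = rp_verify(stored_key, challenge, forged, auth_data, sig)
    return legit_ok, phish_ok, forged_ok


def totp_relay_ok() -> bool:
    """Contrast: a TOTP/HOTP-style code (RFC 4226 truncation) typed into the phishing
    page verifies when the attacker forwards it, because nothing in it names the origin."""
    shared_secret = secrets.token_bytes(20)

    def hotp(secret: bytes, counter: int) -> int:
        mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
        off = mac[-1] & 0x0F
        return (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** 6

    code_typed_on_phish_page = hotp(shared_secret, 12345)       # victim enters it
    return hotp(shared_secret, 12345) == code_typed_on_phish_page  # real site accepts it
```

Running `fido2_scenarios()` gives `(True, False, False)`: the real login succeeds, the relayed login is refused by the browser's rpId check, and an assertion carrying the phishing origin is refused by the relying party. `totp_relay_ok()` returns `True`, which is the weakness the ASD guidance is addressing: the verifier of a one-time code has no way to tell which site the code was typed into.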
3. Application Control Is Moving From ‘Nice-to-Have’ to Mandatory
- ASD has tightened the application control requirements in the Essential Eight maturity model, reflecting the growing risk from malware and unapproved software.
- For SMBs: Move toward allow-listing: only approved executables, scripts, installers and libraries are permitted to run, and everything else is blocked by default. That stops unknown malware before it executes instead of relying on detection after the fact.
4. Supply Chain Risk Must Be Monitored, Not Assumed
- The report records a decline in supply chain risk assessments, showing how easily supplier oversight slips. ASD recommends making a supply chain risk assessment a core step in every new IT procurement.
- For SMBs: Your network is only as secure as your weakest supplier. Evaluate the security of software, cloud providers, and hardware vendors.
5. Logging and Monitoring Are Often the Weakest Link
- ASD urges all organisations to prioritise visibility. You can’t respond to incidents you can’t detect.
- For SMBs: Enable centralised logging, retain logs long enough to investigate an incident discovered weeks later, and consider a managed Endpoint Security & Access Control service or a managed SIEM service.
6. Legacy Systems Are a Hidden, Growing Liability
- Outdated systems create vulnerabilities and block adoption of newer protections.
- For SMBs: Plan now to retire, isolate, or upgrade legacy systems instead of tolerating them – they are a security weakness.
7. Disaster Recovery Must Include Cyber Incidents
- With 92% of agencies now addressing cyber security disruptions in business continuity plans, this is becoming best practice.
- For SMBs: Ensure backups are isolated from the production network (offline or immutable), tested by actually restoring from them, and quickly recoverable during a cyber attack. Consider regular penetration testing to identify vulnerabilities before they are targeted.
8. The Post-Quantum Era Is Coming Faster Than Expected
- ASD is urging organisations to identify assets that will need upgraded protection before a cryptographically relevant quantum computer (CRQC) arrives, with 2030 as the target date. A CRQC would break the public-key algorithms in common use today (RSA, Diffie-Hellman and elliptic-curve cryptography), not through raw processing power but by running Shor's algorithm; symmetric encryption such as AES is far less affected.
- For SMBs: You don't need post-quantum encryption deployed today, but you do need an inventory of everything that relies on public-key cryptography (VPNs, TLS certificates, code signing, SSH keys, secure apps) and a plan to move those systems to standardised post-quantum algorithms by 2030.
9. Participation and Collaboration Improve Security Outcomes
- Nearly all mandated agencies (99%) have joined ASD’s Cyber Security Partnership Program.
- For SMBs: Engage with industry groups, ISACs, Australian Cyber Security Centre (ACSC) programs, or vendor security communities. Security improves with shared intelligence.
Not sure where your security stands, or what to fix first? Our Security Posture Assessment is designed for small and mid-sized businesses that need clarity without complexity.
Call us on 1300 667 871 or get in touch via our Contact Us page.