For all Australian small and medium‑sized businesses (SMBs), cyber security is no longer just an IT concern, an ideal or a “best practice” recommendation. It is a legal, governance and business continuity responsibility. Over the past couple of years, Australia’s cyber security and privacy laws have strengthened significantly in response to escalating ransomware attacks, data breaches, identity theft and supply‑chain disruptions across Australia. Today, regulators and industry expect all Australian businesses to actively manage cyber risk, protect personal information and respond decisively and openly when incidents occur.
This article explains what Australian SMBs are required to do, why these legal obligations have come about and what “reasonable cyber security” means for your business.
The Legal Baseline: The Privacy Act and Data Breach Obligations
For SMBs, cyber security obligations begin with the Privacy Act 1988 and the newer Notifiable Data Breaches (NDB) Scheme.
If your business:
- Has an annual turnover of $3 million or more, or
- Provides any form of health services, or
- Trades in personal information, or
- Handles tax file numbers or any other sensitive personal data,
you are considered an Australian Privacy Principles Entity (APP entity) and are therefore legally required to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access or disclosure.
If a cyber incident results in an eligible data breach (meaning the breach is likely to cause serious harm or disruption), you must:
- Assess the breach promptly
- Notify all affected individuals
- Notify the Office of the Australian Information Commissioner (OAIC)
Failure to do so can result in regulatory action, enforceable undertakings and significant financial penalties.
Cyber Security Act 2024: A Signal to All Businesses
In late 2024, Australia introduced its first standalone Cyber Security Act. This marked a clear shift in Australia’s cyber threat posture and in how government views cyber risk across the economy.
While many elements target critical infrastructure, larger organisations and the enterprise, the Act is intended to send a strong message to all businesses: cyber incidents are now a matter of national economic resilience, not just private loss.
Key reforms in this act include:
- Mandatory ransomware payment reporting for many organisations
- Expanded government visibility into any cyber incidents
- Stronger coordination with government during significant cyber events
Even where SMBs are not directly captured by this Act, the expectations it sets still heavily influence regulators, insurers, customers and supply‑chain partners.
Security of Critical Infrastructure (SOCI): Does It Apply to SMBs?
Many SMBs assume the SOCI Act only applies to large enterprises, but this is not always true.
If your business operates in sectors such as:
- Healthcare and medical services
- Food and grocery supply
- Data storage or processing
- Higher education and research
- Communications or managed IT services
and you own, operate or support systems considered critical infrastructure, SOCI obligations may apply regardless of business size.
Furthermore, if you are a supplier, customer, vendor or consultant for a larger organisation, the SOCI obligations imposed on that organisation may well extend to your business. Over half of the audits we perform for SMBs today are audits from larger organisations they directly do business with.
Where applicable, SOCI introduces mandatory requirements such as:
- Cyber incident reporting to government authorities
- Risk management programs and documentation
- Executive accountability for cyber resilience
“Reasonable Steps” Now Means Structured Cyber Security
Australian regulators no longer accept vague claims of “we take security seriously.” Businesses are expected to demonstrate structured, risk‑based cyber security controls.
The Australian Cyber Security Centre (ACSC) and AusCI strongly recommend the Essential Eight as the baseline for all Australian businesses, including SMBs. While the Essential Eight is not currently legislated, failure to implement these basic controls may be difficult to defend following a breach.
At a minimum, all SMBs should be able to show:
- Up to date patch management for operating systems and applications
- Multi‑factor authentication (MFA) for remote and privileged access with a plan to have MFA across the board
- Regular, secure backups that are tested, encrypted and isolated
- Controlled administrative privileges (administrator users)
- Basic documented incident response and recovery planning
Cyber security is increasingly viewed through a governance lens, not just a technical one.
Directors and Owners: Cyber Risk Is a Business Risk
Regulators and courts are increasingly framing cyber security as a director‑level responsibility, as it should be.
Boards and business owners are expected to:
- Understand all their cyber risks
- Ensure appropriate controls are funded and implemented
- Oversee incident response readiness
- Treat cyber security as part of enterprise risk management
Recent Australian reforms have strengthened regulator powers and increased penalties for failures in governance and accountability.
What Happens If You Get It Wrong
The consequences of inadequate cyber security are not hypothetical. For SMBs, impacts typically include:
- Regulatory investigations and compliance orders
- Mandatory breach notifications leading to reputational damage
- Loss of customer trust and commercial contracts
- Insurance exclusions, higher premiums or denied claims
- Business interruption, disruption and financial loss
In most cases, the damage from a cyber security incident is not the attack itself but the inability to demonstrate that reasonable steps were taken beforehand.
The Bottom Line for Australian SMBs
Cyber security in Australia has crossed a threshold. SMBs are no longer asked if they have invested in cyber security, but whether they are meeting their legal and governance obligations.
You do not need enterprise grade complexity – but you do need:
- Clear accountability
- Documented controls
- Practical risk management
- The ability to respond when incidents occur
At AusCI, we help Australian businesses understand their obligations, reduce risk and demonstrate cyber maturity—before regulators, insurers, or attackers force the issue.