“I’m trying to think what’s next?" he writes. I received an email from Ian. Its timestamp was 2:38am. It’s something I’ve come to expect from him. He’s awake again, burning the candle for his life’s work. He’s just hit another dead-end, trying to generate at-scale interest in his cyber security business which focuses exclusively on supporting small businesses.

Adobe Stock: Photobank

“I’m trying to think what’s next?" he writes.  

I received an email from Ian. Its timestamp was 2:38am.  It’s something I’ve come to expect from him.  He’s awake again, burning the candle for his life’s work.  

He’s just hit another dead-end, trying to generate at-scale interest in his cyber security business which focuses exclusively on supporting small businesses.  After a flurry of engagement, and promising exchanges, the negotiations fizzle and Ian is back at square one.  Not for the first time.

Almost 98% of businesses in Australia are small businesses, accounting for one third of GDP. Despite the importance of small businesses to the economy, this sector remains largely vulnerable to cyber-criminals. There have been proposals over many years, by government and others, to help small businesses improve their cyber security and protect their own and their customer’s data. But these efforts consistently fail to bring about a meaningful change, and the outcome is a small business sector hopelessly outgunned in the fight against cybercrime.

Ian’s story is one of relentless pursuit, a two-decade journey trying to bridge the cyber security gap in Australia's small business sector. Despite his managed service 'CyberBasics' offering a tailored solution, the uptake has been underwhelming. Ian's frustration mirrors a broader issue: the continued disconnect between government strategies and on-the-ground realities for small businesses regarding cyber security.

“I understand the small business dilemma” he says, “Most know they should do something, but it never becomes a priority against other challenges in the cost of doing business”.

November’s, much anticipated, release of the 2023-2030 Australian Cyber Security Strategy by Minister Clare O’Neil is the latest milestone in building a cyber resilient nation by the Albanese government.  Many believe that this government has hit the ground running on their cyber security mandate.  But scrutiny of the new strategy’s support for small businesses reveals a gap between policy and practical reality for this sector. And for Ian this gap could herald the end of his business, despite sitting ready to be part of the fix.

The government has committed $586.9 million to execute the seven-year strategy, alongside a pre-existing commitment of $2.3 billion already being spent. Undoubtedly there are strengths to the plan, but the small business component is still triggering alarms. The strategy itemises two sector specific deliverables:  to ‘create cyber ‘health checks’ for small and medium businesses’, and to establish a ‘small business cyber security resilience service’.  These items score a combined 18.2 million dollars of funding.  

Cyber ‘health checks’ have been tried before, by government and other entities, in various forms.  These schemes generally fail on the basis of design and incentivisation.  The hiatus between policy intent and the practicality of its delivery is a small business challenge which consecutive governments are failing to grasp. This hiatus was observed when our current government was in opposition, when a National Cyber Resilience paper by Tim Watts and Kristen Kenneally observed:

“Perhaps the best example of the disconnect between Australian cyber security policy makers and small business was the $10 million ‘Cyber Security Small Business Program’, which offered small businesses $2100 to cover half the cost of [an] accredited cybersecurity health check. “(Watts & Kenneally 2020)

The scheme reportedly attracted less than 1% of forecast subscribers to the $2,100 subsidy.  Although the nature of the current proposed health check and that of the 2016 strategy are different, we must hope that Labor has a plan to bring adoptees to the service.  ‘Build it and they will come’ does not hold in the small business cyber domain.

The second strategic deliverable for small business is that of the Small Business Cyber Security Resilience Service, presumably a help-desk.  On face value, another worthy initiative.  However, achieving a meaningful outcome will be problematic.  The service will ‘provide free tailored advice and victim support’.  Advice and support are great to have, but we must question if a help-desk can support a significant shift in the cyber security baseline required of 2.5 million small businesses.  

What’s going to trigger small businesses to enter this uplift process at all?  Perhaps it’s going to take a change in legislation, something like the revision of the Privacy Act 1988?  

We already know that the existing Privacy Act compliance exemption for small businesses is likely to be removed. This would expose small businesses to punitive measures for breaches of information security.  Small business advocacy organisations are rallying to ensure safeguards but let’s assume the exemption is removed and small businesses face financial penalty for not taking reasonable steps to protect private data. Perhaps we will see a rush on the health check and the help-desk phone will be ringing hot.  Even so, what then?

There is a broad diversity of small business operation in Australia.  By general definition, they can have up to 20 employees or be sole traders, and everything in between.  They could be your doctor, dentist, taxi driver, hairdresser, or local tradie.  Small businesses are the majority service providers to the NDIS – handling the data of our most vulnerable citizens. (In fact, on the 7th December, the National Cyber Security Coordinator announced a cyber incident impacting a larger entity in this domain, the Aboriginal Family Support Services (AFSS), an NDIS service provider. A fresh reminder of the vulnerability and ‘desirability’ of participant data). Who is going to help small businesses to uplift their cyber security in real, practical terms?

Some of these businesses will outsource their IT, some will not.  Those that do might assume their IT provider will apply appropriate cyber defences. But it’s not always the case.  Many will not have the qualification nor experience to provide effective risk mitigation.

Australian small businesses need cyber support that allows for ‘risk outsourcing’. They need trusted (preferably accredited) cyber managed services that deliver a comprehensive solution at the right price point. We have Australian owned and managed capabilities to fulfill this need, with an abundance of cyber start-ups and scale-ups.  But there’s an enablement model missing.  

Minister O’Neil rightly points out in her November LinkedIn post launching the strategy “…cyber security isn't just a threat: it's our big shot. The cyber industry is booming globally, and if we get this right, Australia can create jobs at home and export know-how to our friends and partners overseas”.

But, for Ian, who employs a local team of cyber specialists, the lack of demand at home will close him down or move him overseas to that ‘booming market’.  Is this what is meant by exporting our know-how?

“I’m trying to think what’s next?’ he writes.  

Alison Howe

Co-Founder and Interim Chief Executive Officer

Author Profile