
WHAT AUSTRALIA’S NEW CYBER SECURITY ACT MEANS FOR YOUR PRACTICE – AND HOW TO PREPARE
Andrew Lawrence, CEO, de.iterate
The introduction of the Cyber Security Act marks a pivotal shift in how Australia addresses digital risk. While headlines have largely focused on its impact on critical infrastructure and large enterprises, the reality is that the new legislation will touch businesses of all sizes, including small and medium-sized enterprises (SMEs).
This is a wake-up call for the sector. Cyber security is no longer a ‘nice to have’—it’s a business essential, and the new Act sets a clear direction: cyber resilience is a shared responsibility.
What Is the Cyber Security Act?
The Cyber Security Act 2025 (CSA) is part of the federal government’s broader 2023–2030 Australian Cyber Security Strategy, aimed at making Australia the most cyber secure nation in the world by the end of the decade.
The Act introduces a new legislative framework to replace and expand upon the previous Security of Critical Infrastructure Act and supplements the obligations already in place under the Privacy Act and industry-specific regulations. Its purpose is to address the increasing frequency, severity and complexity of cyber threats faced by Australian organisations, both public and private.
While much of the attention centres on critical infrastructure sectors (such as healthcare, energy, transport and telecommunications), the Act introduces a series of ‘graduated’ regulatory obligations that will scale over time to include a broader range of sectors and entities, particularly those involved in managing personal data, digital supply chains or essential services.
Why Was It Introduced?
The Australian Government has been clear: cybercrime is a national security issue and an economic risk. In 2023 alone, the Australian Signals Directorate (ASD) responded to over 1,100 cyber incidents, with small businesses representing a disproportionate number of victims.
High-profile breaches at large enterprises have shown how quickly consumer trust can be eroded. But it’s small businesses, which often lack the resources, expertise or infrastructure of their larger counterparts, that are most vulnerable. The Act was introduced to:
• Strengthen national cyber resilience across all sectors, not just critical infrastructure
• Improve incident reporting and intelligence sharing
• Drive uplift in baseline security standards
• Create a more coordinated national response to major cyber incidents
Put simply, the Act signals a shift from reactive compliance to proactive, integrated cyber risk management.
What Does This Mean for Small Businesses?
If you’re a small business owner, you may be wondering whether the Cyber Security Act applies to you. While the initial obligations target high-risk sectors and systems, the government has been explicit in its intention to cascade security expectations across the economy.
Here’s what small businesses need to know.
1. You may be in scope, directly or indirectly. Even if your organisation is not regulated directly under the new Act, your partners, suppliers or clients may be. That means you’ll need to demonstrate a level of cyber maturity to retain commercial relationships. This is particularly true for SMEs in government supply chains or professional services.
2. Mandatory reporting is here, and expanding.
The Act builds on existing incident notification requirements under the Privacy Act and critical infrastructure rules. If your business experiences a cyber incident that could impact customers, operations or systems, you may soon be required to report it within tight timeframes, in some cases within 12 hours.
3. Baseline cyber standards are the new normal.
Minimum cyber hygiene expectations are no longer optional. Expect to see a push for:
• Multi-factor authentication
• Patch management
• Secure backup and recovery
• Access controls and identity governance
• Staff awareness and training
Failure to meet these baselines could increasingly be seen as negligence—not just poor practice.
4. Insurance, finance and partnerships will demand compliance.
Insurers, banks and enterprise clients are already asking small businesses to prove they have cyber controls in place. Expect more requests for evidence of compliance, including policy documents, risk assessments, and staff training logs.
How Can Small Businesses Prepare?
The most important step is to stop viewing cyber security as a technical issue. It’s a business risk, and managing it is a leadership responsibility. Start by:
• Understanding what data you have, where it is stored, and how you are protecting it
• Reviewing your current cyber posture, including systems, people, processes and third-party relationships
• Developing or updating your incident response plan
• Training your staff in phishing awareness and secure practices
• Keeping your software and systems up to date
• Seeking help from professionals with cyber governance and compliance experience
It doesn’t need to be expensive or complicated. But it does need to be deliberate, consistent and aligned with your business operations.
How de.iterate Can Help
At de.iterate, we work with small and mid-sized businesses across Australia to simplify compliance and embed security into everyday operations. Our platform makes it easy to:
• Understand what’s required under the Cyber Security Act and other frameworks like ISO 27001, Essential 8, SOC 2 and the Australian Privacy Act
• Implement policies and controls tailored to your business
• Track compliance progress and gather evidence for reporting
• Prepare for audits or due diligence with minimal disruption
Whether you’re just getting started or looking to mature your existing security posture, we’re here to help you navigate the evolving landscape with practical support, not fear-driven hype.
Author Biography
Andrew Lawrence, CEO, de.iterate
With over 20 years’ experience, Andrew is a passionate information and cyber security leader. Andrew’s expertise spans risk, governance, compliance, strategy, critical infrastructure security, and technology management and architecture. Andrew has worked across diverse industries, from telecommunications through to banking and superannuation. Andrew founded de.iterate in 2021 to make privacy and cyber security stress-free for Australian businesses. The de.iterate compliance platform streamlines certification to standards like ISO 27001, ISO 27701, The Privacy Act, and the ACSC Essential Eight. It encompasses policies, employee training modules, a risk register, a compliance calendar, and reporting tools. For further information, visit: https://deiterate.com/
This article is produced by a third party (not the ASO) for guidance purposes only. Data privacy and cyber security advice should be sought for your Practice’s circumstances. For tailored advice for your Practice, please email hello@deiterate.com