Is Your Cybersecurity Good Enough, and Can You Prove It?

“Pretty secure” isn’t good enough anymore.

That’s the uncomfortable truth we put to our LinkedIn audience recently, and the response told us it landed. Because most businesses answer the cybersecurity question the same way: do we have antivirus, backups, MFA? Yes, yes, yes. So we’re pretty secure, right?

The problem is that “pretty secure” is doing a lot of heavy lifting. Cyber insurers don’t accept pretty secure. Enterprise clients putting you through procurement don’t accept pretty secure. And when something goes wrong, pretty secure won’t hold up in a board conversation either.

The shift happening right now is from cybersecurity as a tool checklist to cybersecurity as something you can actually demonstrate. Not describe. Demonstrate. That’s a different question entirely – and most SMEs aren’t ready for it yet.

We spent the last six months getting ready for it ourselves. Here’s what that looked like, and what it means for your business.

[Infographic 02: The Numbers]

The numbers that put this in context

Before we get to the insurance conversation, it helps to understand the baseline. The ASD’s 2024-25 Annual Cyber Threat Report recorded over 84,700 cybercrime reports in Australia last financial year – one every six minutes – with the average cost to small businesses rising 14 per cent to $56,600 per incident. That’s not the cost of a catastrophic breach at a large organisation. That’s the average cost hitting businesses like yours and ours.

What’s notable is how many of those businesses thought they were pretty secure right up until they weren’t.

Why demonstrable security is becoming the new standard

Cyber insurance is the most immediate place this shift is showing up. Not long ago, insurers would run through a checklist at renewal: multifactor authentication, regular patching, offsite backups. A yes across the board and you’d get your policy.

That process has changed substantially. Australian cyber insurance underwriting tightened significantly through 2024 and 2025. The informal tick-and-flick application form has been replaced by detailed technical questionnaires, and for higher cover, evidence of controls. SMEs that haven’t invested in structured security practices are increasingly finding that cyber insurance is either expensive or simply unavailable.

The market is also about to get more costly. After two years of softening rates, S&P Global forecasts a 15 to 20 per cent premium increase in 2026. Organisations with strong, documented security postures will be better placed to negotiate favourable terms. Those without them won’t.

There’s also a significant coverage gap that most SME owners aren’t aware of. Only 10 to 20 per cent of SMEs currently carry cyber insurance, compared to 40 to 50 per cent of mid-market firms. That means the majority of small businesses are carrying a risk they’ve largely left unquantified – and uninsured.

The procurement picture is similar. If your business sells to enterprise clients or operates in regulated industries like financial services or healthcare, you may already be fielding questions about your security posture from clients or partners. Insurers are increasingly requesting third-party security attestations, such as framework certifications or maturity assessments, for cover above $1 million. That expectation is spreading beyond the insurance conversation into tenders, contracts, and supplier assessments. It only moves in one direction.

The two frameworks worth knowing

Australia has two well-regarded cybersecurity frameworks that help businesses move from informal security practices to something documented, structured, and verifiable.

The first is the Essential Eight, developed by the Australian Signals Directorate. Most businesses have heard of it. It covers eight technical mitigation strategies across three maturity levels and is designed to reduce the most common attack vectors. It’s a strong technical foundation.

The second is SMB1001, developed by Dynamic Standards International and backed by the Council of Small Business Organisations Australia. It’s less well known, but it was built specifically for businesses of 200 staff or fewer, which makes it more practical for most SMEs. SMB1001 runs across five certification tiers – Bronze, Silver, Gold, Platinum, and Diamond – and covers both technical controls and business processes and policies. Where the Essential Eight focuses primarily on technical hardening, SMB1001 takes a broader view of what a mature security posture looks like across an organisation.

They’re not competing frameworks. They overlap significantly, and pursuing one naturally builds toward the other. The right starting point depends on where your business is now and what your most pressing compliance or assurance needs are.

[Infographic 03: Framework Comparison]

What our certification process actually looked like

We recently achieved SMB1001 Gold, the third of five tiers. The process took around six months and covered technical uplifts, policy documentation, and third-party vendor accountability.

What it revealed wasn’t a long list of gaps. It was how much good practice we already had in place that simply wasn’t documented. Cyber awareness training that engineers were completing but nobody was formally tracking. Password governance that existed informally but hadn’t been written down. Account management processes that were sound but undocumented. The certification process forced us to formalise what we were already doing, and in doing so, made it auditable, repeatable, and demonstrable to anyone who asked.

That’s a pattern we see consistently across businesses at the 30-to-100-staff mark. The foundations are often stronger than people think. What’s typically missing is the structure and documentation to prove it.

The question worth sitting with

If your cyber insurer, your biggest client, or your board asked you to demonstrate your cybersecurity maturity tomorrow – not describe it, but demonstrate it – what would you be able to show them?

If the honest answer is not much, that’s worth taking seriously. Not because a breach is necessarily imminent, but because the window for getting ahead of this expectation is narrowing. Businesses that can produce evidence of structured, certified security practices are increasingly differentiated in insurance conversations, in procurement processes, and in client confidence.

The good news is that for most SMEs, the starting point isn’t as far away as it looks. A gap assessment against either framework will typically show that a significant portion of requirements are already being met. The work is usually in formalisation and documentation, not in building security from scratch.

Where to start

If you’re not sure where your business sits, a gap assessment is the logical first step. It gives you a clear picture of what you have, what you’re missing, and what a realistic certification pathway looks like, without committing to anything before you understand the scope.

We’re also hosting a webinar shortly that will walk through both frameworks in detail, compare them side by side, and outline what a practical pathway to certification looks like for a Brisbane SME. If this is something your business is starting to think about, it’s a worthwhile hour.

Ready to move from research to action? The first step is understanding where you currently stand. A baseline security assessment can break decision paralysis by giving you a concrete starting point. Contact us today to discuss your current cybersecurity posture and the best next steps forward.

Sources

Australian Signals Directorate, Annual Cyber Threat Report 2024-25, cyber.gov.au
Cliffside, Cyber Insurance Requirements Australia, cliffside.com.au (March 2026)
4iT, Cyber Insurance for Australian SMEs in 2026, 4it.com.au (May 2026)