In June 2026 the heads of the Five Eyes cyber security agencies, our own ACSC among them, put out a rare joint statement titled "The AI shift in cyber risk: why leaders must act now." It's addressed to business leaders, and tellingly, the ACSC tagged it for small and medium business, not just large organisations and government. If you run an SMB in South Australia, this one was written with you in mind, and the thing it warns about lands hardest on businesses like yours.
What they actually said
The message, stripped of the diplomatic language, is this: AI is changing the speed of cyber risk, and the old assumptions no longer hold. The agencies warn that AI is compressing the time between a vulnerability being discovered and it being exploited, from years down to months, sometimes less. It lowers the barrier for attackers, letting them find weaknesses and launch attacks faster and more cheaply than ever. The same technology helps defenders too, but the headline is that the clock has sped up and leaders need to act now rather than wait.
This came from the Australian Cyber Security Centre alongside its counterparts in the United States, the United Kingdom, Canada and New Zealand. When five national agencies sign the same page, it is worth a read.
Why this matters more for small businesses, not less
The instinct I hear most often from business owners is "we're too small to be a target." That was never quite true, and AI has finished it off. Attackers using AI don't hand-pick victims. They scan everything, indiscriminately and at machine speed, looking for the soft, unpatched, exposed systems. They are not deciding whether you are worth attacking. They are simply finding who is easy.
That is exactly where a smaller business is exposed. Larger organisations have security teams who patch quickly and watch their perimeter. A small business with a lean IT setup and a patching cycle measured in "when we get to it" is the soft target the speed-up is built to catch. The shrinking window between a flaw going public and being exploited punishes whoever moves slowest, and that is usually the smaller end of town.
The four things the agencies asked for, in plain terms
The statement asked leaders to do four things. Here is what each one means if you run an SMB rather than a listed company.
- Understand your risk and who owns it. Know what you have exposed to the internet, what data matters, and who is actually accountable for security. For most SMBs that accountability sits with an owner or with your IT provider, but it should sit with someone by name, not nowhere.
- Prioritise the foundations. Not exotic AI defences. The boring, proven controls: multi-factor authentication, fast patching, tested backups, least-privilege access. The ACSC Essential Eight is the prioritised checklist for exactly this.
- Give security real authority and resources. You can't hire a full-time security chief on an SMB budget, and you don't need to. A Virtual CISO gives you that leadership and accountability on a retained basis.
- Stay engaged. The threats and the guidance keep moving. This is not a set-and-forget exercise, which is the whole reason an ongoing relationship beats a once-a-year audit.
What I'd actually do this quarter
If you take one thing from the agencies' warning, make it this: the response to "attacks are faster" is "patch faster and expose less." Concretely, for a South Australian SMB, that means:
- Get patching onto a fast, automated cycle rather than a manual backlog. This is the single most direct answer to a shrinking exploitation window, and it is something a managed IT arrangement handles in the background.
- Shrink your attack surface. Close down remote access, ports and old accounts you no longer use. Every exposed system is a door an automated scan can try.
- Retire or isolate legacy systems. Unsupported software that no longer receives security updates is the easiest target there is. The statement is blunt about this: legacy systems are a strategic liability, not just technical debt.
- Turn on multi-factor authentication everywhere, and make sure your backups are tested and isolated, so that if something does get through, you recover rather than negotiate. We've written separately about Australia's mandatory ransomware reporting, and the best position is never needing to use it.
- Work through the Essential Eight to a sensible maturity level for your size and risk.
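The list above keeps coming back to one measurable thing: how long an internet-facing system stays exposed between a flaw going public and the fix being applied. The script below is an added example, not from the original post or from the agencies' statement. It runs over a constructed asset inventory (hypothetical names and dates) and applies an assumed 14-day policy window to rank what to deal with first: end-of-life software reachable from the internet, then internet-facing systems that are unpatched past the window, then the rest. The scoring tiers are this example's own assumption, not a standard.

```python
"""
Patch-window triage for a small asset inventory (added example, not the
post's own tooling). Assumes a constructed inventory and a hypothetical
policy window in days.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Asset:
    name: str
    software: str
    internet_facing: bool
    end_of_life: bool                    # vendor no longer ships security updates
    advisory_published: Optional[date]   # date the flaw/fix went public, if any
    patched_on: Optional[date]           # None means still unpatched


# Constructed sample inventory: hypothetical hosts, products and dates.
INVENTORY = [
    Asset("vpn-gw", "Example VPN appliance", True, False, date(2026, 6, 2), None),
    Asset("mail-01", "Example mail server", True, False, date(2026, 5, 20), date(2026, 5, 23)),
    Asset("fileshare", "Example NAS", False, False, date(2026, 5, 1), date(2026, 6, 10)),
    Asset("old-crm", "Example CRM 2012", True, True, None, None),
    Asset("wiki", "Example wiki", False, False, None, None),
]

AS_OF = date(2026, 6, 30)  # constructed "as of" date for the report


def exposure_days(asset: Asset, today: date) -> Optional[int]:
    """Days from the advisory going public to the patch (or to today if unpatched).
    Returns None when no advisory applies to the asset."""
    if asset.advisory_published is None:
        return None
    end = asset.patched_on or today
    return (end - asset.advisory_published).days


def priority(asset: Asset, today: date, window_days: int) -> int:
    """Lower number = act sooner. Tiers are an assumption of this example:
    0  end-of-life software reachable from the internet (strategic liability)
    1  internet-facing, unpatched, past the policy window
    2  internet-facing, unpatched, still inside the window
    3  internal, unpatched, past the window
    4  everything else (patched, or nothing outstanding)
    """
    days = exposure_days(asset, today)
    unpatched = asset.advisory_published is not None and asset.patched_on is None
    if asset.end_of_life and asset.internet_facing:
        return 0
    if asset.internet_facing and unpatched:
        return 1 if days > window_days else 2
    if unpatched and days > window_days:
        return 3
    return 4


def triage(inventory, today: date, window_days: int):
    """Return (priority, name, exposure_days) rows, worst first."""
    rows = [(priority(a, today, window_days), a.name, exposure_days(a, today))
            for a in inventory]
    return sorted(rows, key=lambda r: (r[0], -(r[2] or 0), r[1]))


def worst_patch_lag(inventory, today: date) -> int:
    """Longest exposure window seen across the fleet, in days (0 if none)."""
    return max((exposure_days(a, today) or 0 for a in inventory), default=0)


if __name__ == "__main__":
    for prio, name, days in triage(INVENTORY, AS_OF, window_days=14):
        print(f"P{prio} {name:10s} exposure_days={days}")
    print("worst patch lag (days):", worst_patch_lag(INVENTORY, AS_OF))
```

Run as-is it ranks the end-of-life CRM and the unpatched VPN gateway ahead of everything else, and reports a worst lag of 40 days for the internal NAS. Swap the constructed inventory for an export from whatever you already track assets in; the useful number to watch over a quarter is `worst_patch_lag` shrinking towards your policy window.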
How we think about it
None of this is new advice, and that is rather the point. As the agencies put it, success won't come from having the most tools; it comes from getting the basics right and acting quickly. They do also make the case that defenders should use AI, the way a modern security operation uses it to spot unusual behaviour and respond faster, but that sits on top of the fundamentals, not instead of them. As an ISO 27001 certified provider, that is the work we do every day for South Australian businesses: get the foundations right, give you security leadership without a full-time hire, and keep the boring things current so the fast-moving threats have nothing easy to grab.
The warning is about speed. The fix is boring, done faster.
You don't need an AI strategy to respond to this. You need the basics: patching, MFA, backups, a smaller attack surface and someone accountable, done consistently and kept current. AI has shortened the time you have to get them right. The businesses that come through the next few years well will be the ones that treated "we're too small to bother" as the myth it always was.
If you're not sure how exposed you are, or how fast you'd patch a serious flaw if one dropped tomorrow, that's worth knowing before it's tested for you. Our cyber security team can walk through where you stand and what to prioritise first.
