Big Budgets, F-Grade Basics: What Our 450-Domain Scan Found
We scanned 450 domains Australians rely on. Enterprise and government medianed an F on web security — same grade as small business. Budget didn’t buy basics.
The enterprise and government cohort in our June scan — the banks, the departments, the ASX names — medianed an F on web security. The same grade as the small businesses they out-spend a thousand to one, and below the mid-sized firms sitting in between. Organisations with security teams, security budgets and security vendors on retainer could not, as a cohort, beat the corner store.
I want to be careful with those sentences, because they're exactly the kind of numbers that get quoted without their caveats. So let me show you the working.
What we actually measured
In June 2026 we ran our quarterly Posture Research across five cohorts: 150 Australian small-business domains, and 75 each of medium businesses, enterprise and government, education, and the global multinationals Australians deal with daily — a cross-section of the domains this country relies on, from the corner store to the ASX to the airlines you fly (Red Bridge Cyber Posture Research, June 2026). Public surface only — DNS lookups and a normal page fetch. The things any visitor's browser, and any attacker's first-pass recon, can see for free. No intrusive tools, no scanning anyone's infrastructure.
Three categories matter for this piece: domain (DNS), email, and web security. The full cohort reports are published, raw numbers and exclusions included, so you can check everything I'm about to say.
Web security: the mid-sized businesses beat the big end of town
This edition's web-security medians came back F for small business, E for medium business, F for enterprise and government, E for education, and E for multinationals (Enterprise & Government Posture Baseline, June 2026). Read that grid again. Medium businesses — the cohort generally too big for the owner to do it personally and too small for a dedicated security function — outscored the enterprise and government cohort. Nobody passed. The best median in the country was an E.
Underneath the grades, the detail is worse. As of June 2026, 45% of the enterprise and government sites we could score don't enforce HTTPS — the worst rate of any cohort, including small business at 38%. Among medium businesses it's 6%. A security.txt contact file, the simplest courtesy in the whole rubric, is missing from 90% of enterprise and government sites and 99% of small-business ones.
These aren't exotic controls. They're response headers and a redirect — configuration, not capability.
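To make "response headers and a redirect" concrete, here is an added example of the kind of passive check the article describes. It is my code, not Red Bridge Cyber's scanner, and the seven checks and the letter bands are my own assumptions chosen to mirror the configuration-only controls named above; they are not the published rubric. The two site observations are constructed inline so it runs offline; in a live check the same fields come from one plain-HTTP fetch, one HTTPS fetch and a GET of /.well-known/security.txt.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SiteObservation:
    """What one passive visit to a site yields (constructed here, not fetched)."""
    http_status: int                  # status of the plain http:// fetch
    http_location: Optional[str]      # Location header on that response, if any
    https_headers: Dict[str, str]     # response headers from the https:// fetch
    security_txt_status: int          # status of GET /.well-known/security.txt


def _lower_headers(obs: SiteObservation) -> Dict[str, str]:
    # Header names are case-insensitive; normalise once so lookups are reliable.
    return {k.lower(): v for k, v in obs.https_headers.items()}


def enforces_https(obs: SiteObservation) -> bool:
    """True when the plain-HTTP fetch redirects straight to an https:// URL."""
    target = (obs.http_location or "").lower()
    return obs.http_status in (301, 302, 307, 308) and target.startswith("https://")


def hsts_max_age(obs: SiteObservation) -> int:
    """Parsed max-age from Strict-Transport-Security; 0 when absent or malformed."""
    value = _lower_headers(obs).get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else 0


HSTS_MINIMUM_SECONDS = 15_552_000  # six months; an assumed threshold, not the article's


def run_checks(obs: SiteObservation) -> Dict[str, bool]:
    """Seven configuration checks, every one visible to any visitor's browser."""
    h = _lower_headers(obs)
    csp = h.get("content-security-policy", "").lower()
    return {
        "enforces_https": enforces_https(obs),
        "hsts": hsts_max_age(obs) >= HSTS_MINIMUM_SECONDS,
        "csp": "content-security-policy" in h,
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "frames_restricted": "x-frame-options" in h or "frame-ancestors" in csp,
        "referrer_policy": "referrer-policy" in h,
        "security_txt": obs.security_txt_status == 200,
    }


# Assumed letter bands by number of checks passed (out of seven).
GRADE_BANDS = {7: "A", 6: "B", 5: "C", 4: "D", 3: "E"}


def grade(obs: SiteObservation) -> str:
    return GRADE_BANDS.get(sum(run_checks(obs).values()), "F")


# Constructed "before": brochureware that answers on plain HTTP and sets nothing.
BEFORE = SiteObservation(
    http_status=200,
    http_location=None,
    https_headers={"Server": "nginx", "Content-Type": "text/html"},
    security_txt_status=404,
)

# Constructed "after": a redirect and four headers added, nothing rebuilt.
AFTER = SiteObservation(
    http_status=301,
    http_location="https://www.example.com/",
    https_headers={
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Content-Type": "text/html",
    },
    security_txt_status=404,
)

if __name__ == "__main__":
    for label, obs in (("before", BEFORE), ("after", AFTER)):
        failed = [name for name, ok in run_checks(obs).items() if not ok]
        print(f"{label}: grade {grade(obs)}; still failing: {failed or 'nothing'}")
```

The "before" site grades F under these bands. The "after" set adds only the HTTPS redirect, HSTS and three headers, the sort of change a host's dashboard exposes, and lands at C; it still has no Content-Security-Policy and no security.txt, which is what separates that C from anything better.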
DNS: an E for everyone, no exceptions
Domain posture flattened the cohorts completely. Every single cohort in the June 2026 edition medianed an E on DNS (Red Bridge Cyber Posture Research, June 2026). DNSSEC sits at 2% among small businesses and reaches only 7% at the very top end. CAA records peak at 25%, and that's the multinationals. Nobody — at any size, on any budget — has deployed the hardening layer of the domain name system.
If you've ever assumed the big organisations had this sorted and you were the one lagging — you weren't. Nobody's doing it.
Email: the honest counterweight
I'd be writing propaganda if I stopped there, so here's where the money does show up. Email was the strongest category measured: in June 2026 the median was a B in every cohort except small business, which managed a C (SMB Posture Baseline, June 2026).
Enforcement is the gap. 83% of small businesses publish a DMARC record, but only 43% enforce it — most have done the easy half and stopped. Enterprise and government enforce at 85%, multinationals at 83%. That's what a funded team with a clear owner looks like: the control doesn't just get deployed, it gets finished. Credit where it's due.
Education is the odd one out — 57% enforcement from institutions that email tens of thousands of students daily. I don't have a tidy explanation for that, and I'm not going to invent one.
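The DNS and email figures above (DNSSEC, CAA, and DMARC published versus enforced) all come from records anyone can look up. Here is an added example, mine rather than Red Bridge Cyber's scanner, that evaluates those three controls from a constructed set of lookup results for four hypothetical domains, so it runs offline; in a live check the same strings come from the DS and CAA records at the apex and the TXT record at _dmarc.<domain>. It goes one step beyond the article's two-way split by also flagging a "partial" state, a quarantine or reject policy whose pct tag exempts most mail.

```python
from typing import Dict, List

# Constructed lookup results, shaped as {record type: [record strings]}.
# "TXT:_dmarc" stands for the TXT record at _dmarc.<domain>. Nothing here was
# looked up; the DS digest is a labelled placeholder.
ZONES: Dict[str, Dict[str, List[str]]] = {
    "monitoring-only.example": {
        "DS": [],
        "CAA": [],
        "TXT:_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring-only.example"],
    },
    "finished.example": {
        "DS": ["12345 13 2 <digest-placeholder>"],
        "CAA": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
        "TXT:_dmarc": ["v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@finished.example"],
    },
    "partial.example": {
        "DS": [],
        "CAA": ['0 issue "digicert.com"'],
        "TXT:_dmarc": ["v=DMARC1; p=quarantine; pct=20"],
    },
    "no-dmarc.example": {"DS": [], "CAA": [], "TXT:_dmarc": []},
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(txt_records: List[str]) -> str:
    """Classify the _dmarc TXT set.

    'missing'   - no DMARC record at all
    'published' - record exists but p=none (monitoring only)
    'partial'   - quarantine/reject, but pct below 100 exempts most failing mail
    'enforced'  - quarantine or reject applied to all failing mail
    """
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    tags = parse_dmarc(dmarc[0])
    if tags.get("p", "none").lower() not in ("quarantine", "reject"):
        return "published"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100  # assumption: a malformed pct is treated as the default
    return "partial" if pct < 100 else "enforced"


def dnssec_signed(zone: Dict[str, List[str]]) -> bool:
    """A DS record in the parent is the outward sign the zone is signed and chained."""
    return bool(zone.get("DS"))


def caa_restricts_issuance(zone: Dict[str, List[str]]) -> bool:
    """True when at least one CAA record carries an issue or issuewild tag."""
    for record in zone.get("CAA", []):
        fields = record.split(maxsplit=2)
        if len(fields) >= 2 and fields[1].lower() in ("issue", "issuewild"):
            return True
    return False


def assess(zone: Dict[str, List[str]]) -> Dict[str, object]:
    """The three DNS-visible controls for one domain."""
    return {
        "dnssec": dnssec_signed(zone),
        "caa": caa_restricts_issuance(zone),
        "dmarc": dmarc_status(zone.get("TXT:_dmarc", [])),
    }


def publish_and_enforce_rates(zones: Dict[str, Dict[str, List[str]]]) -> Dict[str, float]:
    """The two figures the article separates: any DMARC record vs. an enforced one."""
    statuses = [dmarc_status(z.get("TXT:_dmarc", [])) for z in zones.values()]
    total = len(statuses)
    return {
        "publish": sum(s != "missing" for s in statuses) / total,
        "enforce": sum(s == "enforced" for s in statuses) / total,
    }


if __name__ == "__main__":
    for domain, zone in ZONES.items():
        print(f"{domain}: {assess(zone)}")
    print("cohort rates:", publish_and_enforce_rates(ZONES))
```

Across these four constructed domains the publish rate is 75% and the enforce rate 25%, the same shape as the small-business gap the article reports; the partial.example record would count as enforced by a check that only reads the p tag, which is why the pct tag is worth parsing.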
Why budgets don't reach the basics
I've spent thirty years inside the organisations that make up that enterprise cohort — data centres, stadium networks, airport infrastructure, government agencies. I can tell you exactly how a bank ends up with missing security headers, because I've watched it happen from the inside.
Security owns the SOC, the compliance calendar, the pen-test schedule. Marketing owns the public website, which was built by an agency that rolled off the project in 2021. Response headers are nobody's KPI. The pen-test scope says "internal systems"; the website is "just brochureware". Every team assumes the basics are someone else's job, and the bigger the organisation, the more teams there are to do the assuming.
In a five-person business there's nobody to assume that. Which is bad news and good news in the same breath: nobody is coming to fix it for you — and there's also no committee standing between you and fixing it this afternoon.
The hour of work
Here's the part I keep coming back to. Most of the distance between an F and a C on our security rubric is configuration: enforce HTTPS, add HSTS, set a handful of response headers, move DMARC from monitoring to quarantine. On a typical small-business site behind Cloudflare or a managed host, that's an afternoon. Some of it is genuinely an hour — our explainer on the free security scanners shows you where you stand, and our plain-English overview of small-business cybersecurity covers what to fix first.
Do that work and your public posture lands ahead of half the enterprise and government cohort we scanned in June 2026. Not your security program — let's not kid ourselves. The bank's internal controls, monitoring and people dwarf anything a small business will ever run, and our scan sees none of it. But the public surface — the part phishers spoof, the part browsers warn about, the part that shows up in everyone's recon — is winnable on effort, not budget.
That's the honest assessment of Australian cyber security posture this edition gives us: the basics don't scale with headcount. They scale with ownership.
We'll run the same scan again next quarter. The big end of town probably won't have moved — no one's bonus depends on those headers. Yours can move in a week. Whose job is your domain this afternoon?
Sources
- Red Bridge Cyber Posture Research, June 2026
- Red Bridge Cyber, SMB Posture Baseline, June 2026
- Red Bridge Cyber, Enterprise & Government Posture Baseline, June 2026
- Red Bridge Cyber, Medium Business Posture Baseline, June 2026
- Red Bridge Cyber, Education Posture Baseline, June 2026
- Red Bridge Cyber, Multinational Posture Baseline, June 2026