Perspective · 2026-06-17 · 5 min read

The Security Advice You’re Sold Is Sized for Someone Else

Most small business security advice is a shrunk-down enterprise plan built for staff you don’t employ. The ASD puts the average cost of cybercrime to a small business at $56,571 a year. Here’s the index-card version that actually fits.

Most small-business security advice is a scaled-down enterprise plan — the wrong shape, not just the wrong size:

  • It assumes staff, budgets and systems an owner-operator does not have — a security team to run the controls it recommends
  • The Australian Signals Directorate puts the average cost of cybercrime to a small business at $56,571 a year, so the risk is real — but the enterprise template is not the fix
  • What fits is a short, prioritised list — the handful of controls that move the most risk for a business run by the people who also do everything else

The right answer for a small business is not a smaller version of the enterprise document. It is a different document — one that fits on an index card.

A few years ago I sat through the security review for a large customer with a genuinely complex network environment. Hundreds of pages of architecture, a seven-figure implementation budget, and a project team larger than most of the businesses I work with now. It was the right work for that job. I have spent a fair part of the last thirty years on jobs like it: data centres, critical infrastructure, large corporate networks, government agencies.

Here is what I have noticed since I started working with small businesses instead. Most of the small business security advice on the market is a scaled-down version of that enterprise document, and it is the wrong shape for you. Not just too expensive, though it is, but the wrong shape.

The advice is built for an org chart you don't have

Enterprise security assumes there is someone to do the work. A security operations team to read the alerts. A change manager to schedule the patching. A vendor manager to hold the suppliers to account. The frameworks, the audits, the 40-page reports are all instructions for staff you don't employ.

When a five-person business gets handed that shape of advice, I watch the same thing happen every time. They nod, they pay, they file the report, and nothing changes. Not because they are lazy, but because the advice assumed a recipient who does not exist. The owner is the security team, the change manager and the vendor manager, in the gaps between actually running the business.

This mismatch is expensive at both ends. In its Annual Cyber Threat Report 2024–25, the Australian Signals Directorate put the average self-reported cost of cybercrime for a small business at $56,571, up 14% in a year (ASD, October 2025). That same report found email compromise alone made up about a third of business cybercrime reports: 15% business email compromise fraud, plus 19% email compromise without direct financial loss.

None of those incidents needed an enterprise-grade architecture to prevent. Most needed configuration that takes an afternoon.

What the data says about who's actually protected

In 2025, EasyDMARC's analysis of DMARC adoption (DMARC being the email record that stops criminals sending invoices as you) found that 62.7% of Fortune 500 companies with the record enforce it, against 15.2% of mid-market Inc. 5000 firms (EasyDMARC, "DMARC Adoption Across Fortune 500 and Inc. 5000", July 2025). Protection tracks company size almost perfectly, which means the businesses least able to wear a $56,571 loss are the least defended against it.

Our own June 2026 scan of Australian small-business domains for the SMB Posture Baseline found the same gradient at home: the records are mostly there, but fewer than half are set to actually enforce anything. Enterprises got the protection. Consultancies got the fees. You got the leftovers.
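An added example (not the article's or the scan's own code) of the outside-in check this paragraph describes: given the DMARC TXT record published for a domain, decide whether it merely reports or actually enforces. The domain names and records are constructed for the example; a real check would read the TXT record at `_dmarc.<domain>` from DNS and pass it to `classify()`.

```python
# Constructed sample DMARC records (not real domains), one per posture the
# scan in the text distinguishes: record present but monitoring only, partial
# enforcement, a subdomain gap, full enforcement, and the wrong record type.
SAMPLE_RECORDS = {
    "monitor-only.example":  "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example":       "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "enforcing.example":     "v=DMARC1; p=reject; adkim=s; aspf=s",
    "broken.example":        "v=spf1 include:_spf.example -all",  # SPF text published at _dmarc by mistake
}

def parse_dmarc(txt):
    """Split a DMARC record into lowercase tag -> value; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def classify(txt):
    """Return (enforces, reason). 'Enforces' means failing mail is quarantined or
    rejected for the domain and its subdomains, not merely reported on."""
    tags = parse_dmarc(txt)
    if tags is None:
        return False, "no valid DMARC record"
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        # A missing or invalid p= tag behaves like p=none: monitoring only.
        return False, "policy is none or missing; spoofed mail is still delivered"
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if pct < 100:
        return False, f"p={policy} applies to only {pct}% of failing mail"
    if tags.get("sp", policy).lower() == "none":
        return False, f"p={policy} but sp=none leaves subdomains unprotected"
    return True, f"p={policy} enforced for the domain and its subdomains"

def scan(records):
    """Summarise a batch of domain -> record as domain -> enforces (bool)."""
    return {domain: classify(txt)[0] for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        enforces, reason = classify(txt)
        print(f"{domain:24} {'ENFORCING' if enforces else 'NOT ENFORCING':14} {reason}")
```

Only the last of the five sample records counts as enforcing; the other four are the "record is there but enforces nothing" cases the scan reports.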

I don't think that is a conspiracy, for what it is worth. Big consultancies sell what big clients buy, and a five-person plumbing firm was never going to be their market. The problem is that their language (frameworks, maturity models, road maps) leaked downmarket into products sold to people who needed none of it.

What thirty years actually taught me

The unglamorous truth is that the basics have never stopped working, and they have never stopped being ignored. ASD says it plainly in the same 2024–25 report: the basics remain the most effective first line of defence, namely multi-factor authentication, unique passphrases, software updates, and alertness to phishing.

Every genuinely damaging incident I have been close to in three decades (and there have been a few, including on projects with budgets a thousand times yours) came down to something basic left undone, not the absence of a sophisticated control. The expensive architecture documents mostly protected against the exotic. The breaches walked in through the ordinary.

For an owner-operator, that is good news wearing a bad disguise. You can't afford the enterprise document, and you don't need it. What you need fits on an index card:

  • Turn on multi-factor authentication everywhere it is offered.
  • Keep software updated, especially whatever runs your website.
  • Use a password manager so every account gets its own passphrase.
  • Fix the email records that stop people sending invoices as you.
  • Back up the things whose loss would end the business, and check the backup actually restores.

That is not a maturity model. It is a Saturday morning and a little discipline. And every item on it is checkable from the outside, which is the entire reason our scan exists, and why it reports in plain English rather than in framework language.

The question worth sitting with

The security industry will keep selling shapes that fit its biggest customers; that incentive is not changing. Your developer is not going to fix this. Your hosting provider is not. The consultant who quoted you five figures for a road map might, eventually, after the workshops.

Nobody is coming to do the index card for you. It is five items. Honestly, which one have you been putting off, and what is the real reason?
