Reflecting on conversations I’ve had over the years with owners of smaller firms (typically fewer than 100-200 staff) that have suffered breaches due to inadequate security controls, I’m struck by the growing challenge they face. For many of these organisations, the cost of implementing appropriate data protection measures is becoming increasingly prohibitive, raising serious questions about how they can continue to operate, compete, and thrive in a future shaped by heightened regulatory expectations.
Australia’s regulatory landscape for information security and data protection continues to evolve at a rapid pace. From the amendments to the Privacy Act and ongoing privacy reforms, to the expanding obligations under the strengthened Security of Critical Infrastructure (SOCI) Act, to APRA’s upcoming CPS 230 operational risk standard and other sector-specific regulations, the message is clear: organisations are expected to protect data and services to a higher standard, and to be able to prove it. And so they should.
This is a positive shift. Regulation is helping lift the national baseline for security, and reinforcing trust in digital services. However, there’s a growing concern emerging for smaller and mid-sized organisations: can they keep up?
As the list of compliance requirements continues to grow, the challenge for many organisations is how to meet them cost-effectively, without losing sight of actual risk.
The Cost of Compliance
Many of these new or evolving regulations are resource-intensive. They require not only technical controls — such as data loss prevention, encryption, and threat detection — but also formal governance processes, reporting mechanisms, and cross-functional collaboration. For large enterprises, these expectations can be absorbed and integrated into well-resourced Security and Risk teams. For smaller businesses, however, the burden can be disproportionately high.
Some challenges we’re seeing in this space:
- SMEs struggling to resource even basic governance functions such as risk registers, incident response plans, or access reviews.
- A lack of dedicated security personnel, leading to reactive rather than proactive control implementation.
- A pure compliance focus on implementing controls rather than a risk-based approach, leading to misinterpretation of control requirements and the lack of a prioritised, program-managed approach to cybersecurity uplift.
- Pressure from enterprise customers demanding security attestations (e.g. ISO 27001, Essential Eight maturity, SOC 2) as a condition of doing business.
The Risk of ‘Compliance Fatigue’
As regulatory expectations grow, smaller players may face a harsh set of choices: invest heavily in controls they can barely afford, risk non-compliance and reputational damage, or exit the market altogether. In some sectors, we are already beginning to see a consolidation effect — where less mature organisations are acquired by larger, more secure firms, or are driven out of the market entirely following a data breach or regulatory penalty.
The intent behind regulation is to raise the baseline (and in many cases, protect citizen data), not eliminate smaller competitors. But if we don’t find scalable models for supporting smaller enterprises — such as industry frameworks, affordable managed services, or cooperative security arrangements — we risk creating a two-tiered economy: one where only the biggest players can afford to be secure and compliant.
In a climate of economic pressure, smaller enterprises should not look at security and data protection as a non-revenue-generating cost to be cut. Rather, they need to see security as an enabler and a key differentiator.
A Risk-Aligned Path Forward
For both regulators and business leaders, the key is to focus not just on the letter of the regulation, but on its purpose: to ensure the confidentiality, integrity, and availability of data and services in proportion to risk.
This means:
- Supporting smaller organisations with pragmatic, risk-proportional control requirements.
- Leveraging standards tailored to SMEs, such as SMB1001, which helps small businesses progressively enhance their cybersecurity measures in line with their resources and risk profile.
- Encouraging shared services and security-as-a-service models to lower the cost of entry.
- Helping all organisations see compliance not as a burden, but as an enabler of trust and resilience.
As security leaders, we have a role to play in advocating for balanced, sustainable approaches to regulation — ones that protect people and data, while supporting innovation and inclusion across the economy.
At Business Aspect, we work with organisations of all sizes. Having experienced business from both the advisory and operational sides, we understand the challenges of running a small business. We also have deep insight into the current and evolving regulatory landscape, and how to interpret these requirements through a risk lens to support the cost-effective implementation of controls.
We would love to hear how you are navigating these challenges and share thoughts on the path forward.
