The ACSC has reported a surge in cyberattacks targeting Australia’s critical infrastructure, with the national conversation shifting from prevention alone to resilience — the assumption that intrusions will happen and the measure of an organisation is how well it withstands and recovers. The SOCI obligations on critical-infrastructure operators keep tightening in step.
Most SMBs read “critical infrastructure” and tune out. That’s a mistake, because the techniques aimed at the big operators — edge-device compromise, stolen credentials, supply-chain footholds — are the same ones hitting small business, just with a bigger logo on the press release. The threat actors reuse playbooks; the only thing that changes is the target’s size.
“Resilience” is the word worth borrowing. It means tested backups, a written incident-response plan, MFA everywhere, and knowing your critical dependencies before one fails — not a heroic defence that never lets anything through. Adopt the posture the regulators are pushing onto infrastructure operators; it’s the right posture for a business of any size.
