We had a simple idea when we started SecureVIC. Most cyber security content aimed at business owners is either too technical to act on or too frightening to think about. We wanted to run something in the middle: a short, honest session that treats the business owner as the decision-maker, not the problem to be managed. On 10 June we ran the first one to a room of around twenty business owners and leaders, and it went better than we hoped.
SecureVIC for Business is a 45-minute online webinar for Victorian small and medium businesses. The first session covered the real threats facing SMBs today, what a practical security baseline actually looks like, where the SMB1001 framework fits, and how managed IT, security and governance work together rather than as separate things you buy. The format was deliberately conversational, and that mattered, because the questions are where the value was.
Watch the full SecureVIC for Business webinar, recorded 10 June 2026, with Linden Jackson and Nikita Raina.
Two perspectives, one shared responsibility
I presented alongside Nikita Raina, who runs Secura Advisory, a Melbourne consultancy that works with SMBs on cyber governance, risk and compliance. I come at security from the IT side: the technical deployment, monitoring and management of the tools that keep an environment running and protected. Nikita comes at it from the governance side: the legal, contractual and insurance obligations a business carries, and the policies and evidence that sit above the technical layer.
The idea that tied the whole session together is that cyber security is a shared responsibility. It is not something a business hands entirely to its IT provider. An IT provider is accountable for deploying, monitoring and managing the technical controls. The business owner and directors are accountable for strategy, for deciding which risks to accept, for investing in the right tools, and for meeting the business's compliance obligations. Leadership and management are accountable for staff and for putting policy into practice. And every employee is accountable for following the procedures that are set. Security only holds together when each of those layers is engaged deliberately, and when the technical work actually lines up with the business's processes, policies and appetite for risk. You can connect with Nikita on LinkedIn if you want to follow her work.
Where security obligations actually come from
One of the most useful parts of the session was Nikita setting out where a business's security obligations come from in the first place, because many owners do not realise they have them. There are three main sources.
The law. If your business holds personal information about customers, clients or staff, the Australian Privacy Act already applies to you. Nikita also flagged the anti-money laundering reforms landing on 1 July 2026, which bring professional services such as accountants, lawyers, conveyancers and real estate agents under these obligations for the first time. For a lot of businesses that is a problem for this financial year, not a future one.
Contracts. Increasingly, clients and suppliers require evidence of security controls before they will work with you. The obligation is written into the agreement, and you have to be able to show you meet it.
Insurance. Cyber insurers now expect proof that controls are in place, and a claim can be reduced or refused if you cannot produce that evidence after an incident.
The point Nikita made plainly is that ignorance of an obligation does not remove it. Regulators, clients and insurers all expect a business to be able to evidence its position, and "we did not know" is not a defence that protects a contract or an insurance claim.
The gap is between doing and proving
Here is the part that landed hardest, and the most reassuring finding of the day. Most businesses are already doing a lot of the right things. They run backups. They train their staff. They have rules about how things are done. What they are missing is the evidence. There is no record of the training, no signed copy of the policy, no documented test of the backup. The work is happening, but it cannot be proven.
That gap between doing and proving is where the exposure sits. When a client asks for evidence of your controls, or an insurer asks after an incident, or a regulator asks during an investigation, "we do that, we just cannot show you" is the wrong answer to be giving. Governance is the layer that closes the gap: incident response plans that are written down, cyber security policies that are signed, AI usage rules that exist on paper. In most businesses these are missing or informal, even when the underlying practice is sound. We wrote about this split between operating and proving in how managed IT, security and governance fit together, which is the companion piece to the session.
SMB1001: a framework that fits a smaller business
To turn all of this from a worry into a plan, we walked through the SMB1001 framework. It is an Australian cyber security framework built specifically for small and medium businesses, structured in levels like a staircase. Bronze is basic hygiene: the firewall is on, antivirus is running, backups happen, and staff have done basic awareness training. For a professional services business in 2026, Bronze is the floor. Silver is where it gets interesting for most owners, because Silver stops being purely about technology and starts asking business questions: have your staff actually done the training? Do you have a process for invoice fraud, the scam where someone emails your accounts team posing as a supplier with new bank details? Gold is the level where you could hand a client that 40-question questionnaire and not break a sweat. It still covers the technical controls, but a large part of Gold is governance: documented policies, an incident response plan, and an AI usage policy. Above Gold sit Platinum and Diamond, which move into the formal external audit territory most smaller businesses do not need.
Nikita put it in context against the other frameworks people hear about. ISO 27001 is the heavyweight, big-company version: expensive, externally audited, and capable of taking a year to achieve. The ASD Essential Eight sits more on the government and defence side. SMB1001 is the one built for businesses the size of those in the room, and it is not a dead end: it is a recognised stepping stone to ISO 27001 if a business ever outgrows it. SMB1001 itself is not legally mandatory, but the obligations underneath it (your privacy duties, the new anti-money laundering reforms and your client contracts) often are, and it is the most practical way to meet them all at once and have something to show for it. We are aligning AgileSECURE to the SMB1001 model for the same reason: it gives a business a clear picture of what "good" looks like, a structure for both technical and governance improvements, and a reason to have the security conversation regularly rather than once a year. Our SMB1001 page explains the framework in more detail.
The AI question every owner is now asking
AI came up repeatedly, and Nikita framed the risk in three parts. The first is data leakage, where staff paste confidential information into public AI tools that then hold it outside the business. The second is over-reliance, where AI output is used without being checked, which can become a professional liability if the output is wrong. The third is shadow AI, where staff quietly use unapproved tools, so the business cannot see or manage the risk at all.
The answer is not to ban AI. It is to bring it inside a policy. Nikita's recommendation was a clear AI acceptable use policy, an approved list of AI tools, and explicit guidance on what information can and cannot be entered into them. From the IT side, I suggested that businesses already in the Microsoft ecosystem look first at Microsoft Copilot, because it keeps data inside your own Microsoft environment rather than sending it out to a public tool, and I cautioned about staff signing up to personal AI subscriptions that sit entirely outside the business's control. The practical path is to choose AI tools that fit the platform you already run, keep the data boundary intact, and document the policy and the training so staff actually know the rules. We cover this in more depth on the AgileAI page.
The most useful thing you can do this week
When we were asked what single action would make the biggest difference, the answer from both of us was the same: document what you already do. Write down the training that happens, sign the policies you already follow informally, and record the test of the backup you already run. You will close most of the doing-versus-proving gap without buying anything, and you will be able to answer a client, an insurer or a regulator with evidence rather than a promise.
Run your own Cyber Health Check, free
Plenty of people wanted a way to check their own position without booking anything or talking to anyone first. We already have exactly that. Anyone can run our Cyber Health Check in a few minutes, on their own, at no cost. It walks through the practical questions that matter, shows you where the obvious gaps are, and lets you decide for yourself whether a conversation is worth having. It is the natural first step after a session like SecureVIC, and you do not need to be a client to use it.
Run the free Cyber Health Check →
What is next for SecureVIC
The first session confirmed the format works, so we will keep running it. The next one is a dedicated session on AI, the topic that drew the most questions on the day, and we are aiming to run it in the coming weeks. If you missed this session, the recording above covers the full conversation, and future sessions will go deeper on the themes that came up, including what SMB1001 alignment looks like in practice and how to read your own obligations. Keep an eye on the events page for upcoming dates.
If you would rather act now, Nikita and I are offering a free 30-minute Teams call to see where your business sits against the SMB1001 Silver baseline. It is a light conversation, not a technical audit: we do not need access to your systems or an administrator login, and if you already have an IT provider doing a good job, we are not looking to step on their toes. You get a clear read on your current posture and a short report on the areas worth improving, with no pressure to do anything next.
Book your free 30-minute assessment →
Thank you to everyone who came along to the first SecureVIC, and to Nikita for bringing the governance and compliance perspective that made it a complete conversation rather than half of one. We are looking forward to the next one.