Five Eyes warns Australian businesses: AI cyber attacks are months away

By Moe Chizari / Jun 24, 2026 / Epic IT News

On Monday 23 June 2026, the intelligence agencies of Australia, the United States, the United Kingdom, Canada, and New Zealand did something they almost never do. The Five Eyes alliance, which normally shares its work behind closed doors, put its name to a public joint statement warning that AI is about to change cyber attacks faster than most businesses can keep up with. Their words: the timeline is not years, it is months.

If that sounds like distant geopolitics, read the next bit carefully. An AI and national security expert at the University of Sydney summed up who is most exposed, and it was not big corporates. It was small and medium businesses that have under-invested in security so far. Her word for them was blunt: sitting ducks. This is what the warning actually says, why an AI cyber attack on an Australian business is now a near-term operational risk, and the exact five things the agencies want you doing about it.

What the Five Eyes actually said

The joint statement is short and aimed squarely at boards and business owners, not IT engineers. Its core claim is that frontier AI models are improving quickly enough to outpace current cybersecurity practice within months, lowering the barrier for attackers and increasing both the speed and the complexity of attacks.

Two things make this unusual. First, the Five Eyes rarely issue a unified public message, so when they do, it signals that incremental adjustments are no longer enough. Second, the statement is honest about the conclusion most vendors avoid stating plainly: breaches will occur. The agencies frame preparedness not as a way to guarantee you never get hit, but as the thing that lets you contain an incident quickly instead of watching it escalate into an operational and financial crisis.

The warning did not come out of nowhere. It follows AI company Anthropic disclosing that its most advanced models showed an unprecedented ability to find software vulnerabilities, and a US directive restricting foreign-national access to those models. Read together, the export restriction and the intelligence warning look like two responses to the same capability threshold being crossed.

Why AI changes the maths for small business

For years, most Australian SMBs have been protected by a quiet form of obscurity. Skilled attackers had limited time, so they went after large targets with big payouts. A 30-person accounting firm in Perth was rarely worth a hacker’s manual effort.

AI removes that protection. The capabilities the agencies flag are automated vulnerability discovery, large-scale synthetic social engineering, faster exploit development, and automated malware generation. In plain terms: the work that used to take a skilled attacker days or weeks can now be pointed at thousands of small targets at once, cheaply. You do not have to be interesting to get attacked. You only have to be reachable and unpatched.

This is the same pattern we wrote about when an AI agent deleted a production database in nine seconds. The technology that makes a junior developer faster makes an attacker faster too, and the gap between “someone found the hole” and “someone walked through it” is collapsing. The Five Eyes are telling business leaders to stop treating that gap as a buffer they can rely on.

The five actions the agencies want you running now

The genuinely useful part of the statement is that it is specific. Strip away the framing and you get five practical actions. None of them is exotic. All of them are things a competent managed cyber security programme already covers, which is rather the point.

Action What it means for your business
Reduce your attack surface Close off anything internet-facing that does not need to be. Every exposed login page, remote-access port, and forgotten admin portal is a door an AI-driven scanner will find.
Accelerate patching Shrink the window between a patch being released and you applying it. AI compresses the time attackers need to weaponise a known flaw, so a 30-day patch cycle is now a 30-day open door.
Address legacy systems Old, unsupported software is the easiest thing for an automated attack to exploit. If it cannot be patched, it needs to be replaced, isolated, or retired.
Strengthen identity and access Enforce multi-factor authentication everywhere, review who has access to what, and remove standing privileges nobody uses. Stolen or guessed credentials remain the number one way in.
Prepare for breaches Test your incident response plan before you need it. Assume a control will fail and rehearse containing the damage, because preparedness is what turns a crisis into an inconvenience.

If that list looks familiar, it should. Four of the five map directly onto the Essential Eight, the ACSC framework Australian businesses already have available to them. The Five Eyes did not invent a new standard. They told you the one you already have is now urgent.

The Essential Eight is the Five Eyes plan, already written down

Here is the reality that should make this easier, not harder. The Australian Signals Directorate co-signed this statement, and the ASD already publishes the exact controls that satisfy it. Patching applications and operating systems, restricting administrative privileges, and multi-factor authentication are four of the eight strategies. Reducing attack surface and removing legacy systems are baked into the patching and hardening requirements.

Reaching Essential Eight Maturity Level 1 covers the commodity attacks that make up the overwhelming majority of what SMBs face, including the AI-accelerated, spray-everywhere attacks the agencies are warning about. It is also the level cyber insurers increasingly treat as the floor for adequate controls. Most businesses that think they are covered are actually sitting at ML0 because of one or two gaps, usually patching speed or incomplete MFA.

The point of difference the agencies stressed is that AI is not only a weapon for the other side. Businesses that build AI into their own security operations can detect unusual behaviour, find vulnerabilities, and respond to incidents faster than a human-only team. The defenders who lose will be the ones who treat AI as someone else’s problem.

What this means for Perth businesses specifically

Western Australia’s economy is heavy on the exact sectors automated attackers like: professional services holding client funds and data, construction and engineering firms with project information, mining and resources operators with operational technology, and healthcare providers holding sensitive records. None of these are too small to be worth an AI-driven attack, because the attacker’s cost per target has dropped close to zero.

We have watched the “we’re too small to be a target” assumption get quietly demolished over the past two years. The Five Eyes warning is the formal end of that idea. If your security posture was built on the hope that nobody would bother, that hope is now a liability.

What you should do now

Find out where you actually stand. Most businesses cannot answer “are we at Essential Eight Maturity Level 1?” with confidence. A proper security audit tells you which of the five actions you have covered and which are open doors. You cannot fix what you have not measured.

Close the two fastest wins this month. Enforce multi-factor authentication on every account, with no exceptions for executives or service accounts, and tighten your patch cycle on internet-facing systems. These two cover the majority of real-world entry points and need no major budget. Our access management work usually starts here.

Rehearse a breach before you have one. Book a session to walk through what happens if a control fails. Who do you call, what do you isolate, how do you keep operating. Talk to our Perth team for a free security gap analysis and we will show you exactly where you sit against the five actions the Five Eyes just published.

Frequently asked questions

What did the Five Eyes warning about AI cyber attacks actually say?

On 23 June 2026 the Five Eyes intelligence alliance issued a rare joint public statement warning that frontier AI models will transform offensive cyber capabilities in months, not years. It urged governments and businesses to act now by reducing attack surface, patching faster, addressing legacy systems, strengthening identity controls, and preparing to contain breaches.

Why are small and medium businesses most at risk from AI cyber attacks?

AI drops the cost of an attack close to zero, so attackers no longer need to focus only on large, high-value targets. An AI cyber attack can be pointed at thousands of small businesses at once, and the ones that have under-invested in basic controls are the easiest to compromise. Larger corporates tend to already have defences in place, leaving SMBs as the soft target.

Does the Essential Eight protect against AI-driven attacks?

Largely, yes. Four of the five actions the Five Eyes recommend map directly onto Essential Eight strategies, including patching, multi-factor authentication, and restricting administrative privileges. Reaching Essential Eight Maturity Level 1 removes you from the easy-target pool that AI-accelerated commodity attacks rely on.

What is the single most important thing to do first?

Enforce multi-factor authentication on every account with no exceptions. Stolen and guessed credentials remain the most common way attackers get in, and MFA blocks the overwhelming majority of those attempts. It costs little, deploys quickly, and is one of the five actions the Five Eyes explicitly call for.

How quickly do we need to act on this?

The agencies were deliberate in saying the timeline is months, not years. Treat it as a current-quarter priority rather than a next-year project. Start with a security audit to find your gaps, then close multi-factor authentication and patching first because they deliver the most protection for the least effort.

Worried about AI-driven cyber threats?

Our Perth-based team can show you exactly where you stand against the five actions the Five Eyes just published. Book a free security gap analysis today.

Book a Free Assessment

About the Author
Written by Moe Chizari, Chief Executive Officer of Epic IT, a managed IT, cyber security and AI partner for Australian mid-market businesses, with offices in Perth, Sydney and Brisbane. Moe brings 17 years across financial markets, treasury and technology, including five years at Bravura Solutions running enterprise software delivery and five years inside Group Treasury at Westpac and Macquarie leading APRA-regulated programmes (APS-117 IRRBB, APS-210 LCR & Capital Transformation). He holds a Bachelor of International Business from RMIT University, is a certified Project Management Professional (PMP), and an AFMA Diploma of Financial Markets graduate.

Further Reading

Previous

FortiBleed: what the Fortinet firewall leak means for your business

Return to News
Back to News
Next

The ASD is retiring the Essential Eight. Here's what it means for your business