Most small and medium businesses in Australia treat cybersecurity as a technical problem and AI as someone else’s problem. Both are governance problems. The organisations that work this out early will be the ones still standing when the regulatory environment catches up to the threat environment.
This is not a theoretical concern. The Australian Signals Directorate’s 2024-25 Annual Cyber Threat Report confirmed that cybercriminals are targeting smaller organisations with increasing frequency. Around 58% of Australian small businesses reported at least one attempted cyber incident in the past 12 months. Meanwhile, 78% of employees are using AI tools their employer has not approved. The common thread: no governance framework in place to manage either risk.
Governance is not a compliance certificate you hang on the wall. It is not an annual audit. It is the set of structures, policies, and accountability mechanisms that determine how your organisation makes decisions about risk.
For a business with 15 to 200 staff, governance comes down to three things.
Defined accountability. Someone in the organisation is responsible for cybersecurity posture and AI usage. Not “the IT guy” or “we outsource that.” A named person who understands the risk and owns the outcome.
A framework you can measure against. Not a bespoke set of controls you invented. A recognised standard like the Essential Eight, SMB1001, or Further Five that lets you track maturity over time and demonstrate improvement to clients, insurers, and regulators.
Regular review cadences. Governance without review is policy without enforcement. Quarterly at minimum for cybersecurity. Monthly if you are running AI tools that process client or employee data.
If your organisation has none of these, you do not have governance. You have good intentions.
Cybersecurity is the most mature governance domain for Australian SMBs. The frameworks exist. The regulatory pressure is real. The question is whether your organisation has moved from awareness to action.
Here is the reality. The Cyber Security Act 2024 introduced mandatory ransomware payment reporting for any Australian business with annual turnover exceeding $3 million. Since 30 May 2025, those businesses must report ransomware payments to the Australian Signals Directorate within 72 hours. The civil penalty for non-compliance is up to $99,000 for corporations.
This is not a regulation aimed at banks and telcos. The $3 million threshold captures most established SMBs. If your business turns over more than $3 million and you have not reviewed your incident response plan, you are already behind.
But ransomware reporting is just the most visible obligation. The broader governance requirement is about having a defensible security posture before an incident occurs. That means alignment to a recognised framework.
For most Perth SMBs, the right starting point depends on size, industry, and what your clients or insurers require:
| Framework | Best for | Governance maturity |
|---|---|---|
| SMB1001 | Businesses wanting a structured starting point with tiered certification | Entry to intermediate |
| Essential Eight | Organisations needing alignment with ASD recommendations and government supply chain requirements | Intermediate |
| Further Five | Businesses already at Essential Eight Maturity Level 2 looking to extend coverage | Advanced |
| ISO 27001 | Organisations with enterprise clients or international compliance requirements | Enterprise |
The important point is not which framework you choose. It is that you choose one and measure against it. A framework gives governance something to govern. Without one, security reviews become subjective conversations that produce no measurable outcomes.
According to UpGuard’s 2025 research, more than 80% of workers use AI tools that have not been approved by their employer. Half of them do so regularly. And 75% of those employees admitted to sharing sensitive or proprietary information with unapproved AI tools.
This is not a technology problem. It is a governance failure. Your staff are already using AI. Whether you know about it, whether you have a policy covering it, and whether the tools being used are putting your client data at risk are the questions that matter now.
The research calls this shadow AI, the AI equivalent of shadow IT. The difference is the risk profile. When an employee used Dropbox without approval in 2015, they stored files externally. When an employee pastes client data into an unapproved AI tool today, that data may be used to train a model, stored indefinitely, or exposed through a breach. The risk is not bounded in the same way.
Small and mid-sized businesses are disproportionately exposed. A 2025 study found that companies with 11 to 50 employees had the highest concentration of unapproved AI tools, roughly 269 unsanctioned applications per 1,000 employees. Larger enterprises have the resources to discover and govern these tools. SMBs typically do not even know they exist.
AI governance for a 20-person accounting firm in Perth does not look like AI governance at a bank. It does not need to. But it does need to exist. At minimum:
An AI acceptable use policy. A document that tells your staff which AI tools are approved, what data can and cannot be entered, and what happens if the policy is breached. This does not need to be 40 pages. It needs to be clear.
Shadow AI discovery. An audit of what AI tools are currently being used across the business, whether you approved them or not. Most organisations are surprised by what they find.
Data classification rules. Not everything is sensitive. But client data, financial records, HR information, and legal documents should never enter an unapproved AI platform. Your staff need to know where the line is.
A review cadence. AI tools change faster than any other technology category. A policy written in January may be out of date by June. Monthly reviews for organisations actively using AI. Quarterly at minimum for everyone else.
The mistake most SMBs make is treating cybersecurity and AI as separate problems with separate owners and separate budgets. They are two expressions of the same governance challenge: how does your organisation manage technology risk?
The person responsible for your cybersecurity posture should also be responsible for your AI governance posture. The review cadences should be coordinated. The risk register should be unified. The managed IT provider delivering your security controls should be the same provider advising on AI governance, because the data protection concerns are identical.
At Epic IT, this is the model we have built. Our managed IT services include cybersecurity aligned to the Essential Eight, SMB1001, and Further Five frameworks. Our AI governance programme extends that same discipline to how your organisation adopts and manages AI. Same accountability structure. Same review cadences. Same risk management methodology.
We built it this way because governance fragments when you split it across providers and programmes. A business that manages cybersecurity with one partner and AI governance with another (or worse, manages AI governance with nobody) has gaps. Gaps are where incidents happen.
Australian regulation is moving in one direction: more obligations, lower thresholds, higher penalties.
The Cyber Security Act 2024 was the first standalone cybersecurity law in Australia. It introduced mandatory ransomware reporting, a Cyber Incident Review Board, and security standards for smart devices. The $3 million turnover threshold captures most established SMBs, and it aligns deliberately with the Privacy Act threshold.
On AI, Australia does not yet have prescriptive regulation equivalent to the EU AI Act. But the direction is set. The Office of the Australian Information Commissioner (OAIC) has published guidance on AI and privacy obligations under the existing Privacy Act. The federal government’s voluntary AI Ethics Framework is widely expected to evolve into something with more teeth as adoption scales.
For SMBs, the practical implication is straightforward. If you wait for regulation to force governance, you will be implementing controls under pressure, with deadlines, after an incident or a compliance gap has already been identified. The businesses that build governance frameworks now, while the regulatory environment is still forming, will be ahead when the rules tighten.
Most Perth businesses already have a managed IT services provider. That provider manages your endpoints, your Microsoft 365 environment, your backups, and your network. They are already inside your technology stack.
The question is whether that provider is also managing your governance posture or just keeping the lights on.
If your MSP cannot tell you which cybersecurity framework you are aligned to, what your current maturity level is, what your staff are doing with AI, and what your incident response plan looks like, then you have an IT support provider. You do not have a governance partner.
The difference matters. IT support is reactive. Governance is proactive. IT support fixes the server when it goes down. Governance is the reason the server was patched, the backups were tested, the access controls were reviewed, and the incident response plan was current before it went down.
We built Epic IT around this distinction. Our vCIO advisory provides the strategic governance layer that sits on top of day-to-day IT operations. Our cybersecurity practice delivers Essential Eight and SMB1001 compliance as part of every managed agreement, not as an add-on. And our AI services extend that governance discipline to how your business adopts AI safely.
Audit your current governance posture. Ask three questions: Are we aligned to a cybersecurity framework? Do we have an AI acceptable use policy? Who in the organisation is accountable for both? If the answer to any of these is “no” or “I’m not sure,” you have identified the gap.
Run a shadow AI discovery. Find out what AI tools your staff are actually using today. This is not about punishment. It is about visibility. You cannot govern what you cannot see. We offer a complimentary three-month Shadow AI Discovery for new and renewing managed services clients. It gives you an honest baseline without any obligation.
Talk to your MSP about governance, or talk to us. If your current provider cannot have this conversation, that tells you something important. We offer a free IT assessment that covers cybersecurity posture, governance gaps, and AI readiness for Perth businesses. Contact us on 1300 EPIC IT.
IT governance for a small business is the set of structures, policies, and accountability mechanisms that determine how the organisation manages technology risk. For Australian SMBs, this includes alignment to a cybersecurity framework like the Essential Eight or SMB1001, an AI acceptable use policy, defined accountability for security and AI decisions, and regular review cadences.
The mandatory ransomware reporting provisions of the Cyber Security Act 2024 apply to any Australian business with annual turnover exceeding $3 million. Since 30 May 2025, those businesses must report ransomware payments to the Australian Signals Directorate within 72 hours. Businesses below the $3 million threshold are encouraged but not legally required to report.
Shadow AI refers to AI tools used by employees without employer approval or oversight. Research shows over 80% of workers use unapproved AI tools, and 75% have shared sensitive data with them. Small businesses are disproportionately exposed because they lack the tools and resources to discover and govern unapproved AI usage across their organisation.
The right framework depends on your size, industry, and client requirements. SMB1001 is a strong starting point for businesses wanting tiered certification. The Essential Eight aligns with ASD recommendations and is increasingly required for government supply chain participation. ISO 27001 suits organisations with enterprise or international compliance needs.
If your staff use any AI tools, including ChatGPT, Copilot, Gemini, or any generative AI platform, your business needs AI governance. At minimum, this means an acceptable use policy, shadow AI discovery, data classification rules, and a regular review cadence. Without these, you have no visibility into what data is leaving your organisation through AI tools.
Yes. Cybersecurity and AI governance address the same underlying challenge: how your organisation manages technology risk. Splitting them across different providers or programmes creates gaps. The most effective approach is a unified governance framework managed by your managed IT provider, covering cybersecurity posture, AI usage, and incident response under one accountability structure.
At Epic IT, our specialists focus on long-term solutions for your business.
Our 90-day guarantee is simple: if you’re not satisfied, we’ll refund your onboarding fee and give you $5K. Contact us today!
Call Us
1300 EPIC IT
Email Us
info@epicit.com.au
Perth HQ
HQ – Unit 2, 62 Angove Street North Perth WA
Queensland Office
12 The Cct, Brisbane Airport QLD
Sydney Office
Unit 3, 104 Anglesea Street, Bondi NSW
Want to know more? Find our Privacy Policy and Terms of Use.
