IT Year in Review: Technology Lessons for Australian SMBs
As 2023 comes to a close, it is worth reflecting on the technology events and shifts that shaped the year for Australian small and medium businesses. Some were headline-grabbing disruptions, others were quiet but significant shifts in how businesses operate. All carry lessons for the year ahead.
This is not a comprehensive technology review. It is a practical assessment of the events and trends that matter most to Australian SMBs and what they should take from them.
Lesson 1: Cybersecurity Is a Board-Level Issue
The aftermath of the 2022 Optus and Medibank breaches continued to reverberate through 2023. Australian businesses of all sizes felt the impact through increased regulatory scrutiny, tougher cyber insurance requirements, and heightened customer expectations around data protection.
Key developments in 2023:
- The Australian Government announced increased penalties for serious privacy breaches, with fines of up to AUD 50 million, three times the benefit obtained, or 30 percent of adjusted turnover, whichever is greatest
- The ACSC reported continued growth in cybercrime reports targeting Australian organisations
- Latitude Financial suffered a major data breach affecting approximately 14 million records in March 2023
- HWL Ebsworth, one of Australia’s largest law firms, was hit by a ransomware attack, with stolen data published online
- Multiple smaller Australian businesses experienced ransomware and BEC attacks that did not make headlines but caused significant damage

The lesson: Cybersecurity is no longer a technical issue to be delegated entirely to the IT team. It is a business risk that requires attention from senior leadership. Australian SMBs need:
- Regular cybersecurity reporting to management or the board
- Cyber insurance with adequate coverage (and the security posture to qualify for it)
- Incident response plans that are documented and tested
- Investment in security tools and training commensurate with their risk profile
Lesson 2: The AI Revolution Is Real, But Practical
2023 was the year AI went mainstream. ChatGPT’s rapid adoption was followed by a wave of AI integration across business tools:
- Microsoft launched Copilot across Microsoft 365, Windows, and Bing
- Google introduced Bard and Duet AI across its Workspace suite
- Salesforce, Adobe, and dozens of other business platforms embedded AI capabilities
- Australian businesses began experimenting with AI for content creation, customer service, data analysis, and coding
The lesson: AI is not science fiction or a distant future technology. It is available now in the tools Australian businesses already use. However, the practical lesson is equally important:
- AI tools are assistants, not replacements. Human review remains essential.
- Data quality determines AI output quality. Businesses with well-organised data benefit most.
- AI usage policies are necessary to manage risks around accuracy, confidentiality, and intellectual property.
- The businesses that invested in Microsoft 365 data governance throughout the year are best positioned to benefit from Copilot and similar tools.
Lesson 3: Cloud Maturity Varies Widely
While cloud adoption among Australian SMBs is high (most businesses use cloud email and productivity tools), cloud maturity varies enormously. Many businesses discovered during 2023 that:
- Moving to the cloud did not automatically improve security (misconfigured cloud environments are vulnerable)
- Cloud costs need active management (subscription sprawl and over-provisioning are common)
- Cloud migration is not complete until legacy on-premises systems are decommissioned
- Cloud does not eliminate the need for IT management; it changes what is being managed
The lesson: Adopting cloud services is step one. Optimising, securing, and managing them effectively is the ongoing journey. Australian SMBs should focus on:
- Ensuring cloud environments are properly configured and secured (especially Microsoft 365 Security Defaults or Conditional Access)
- Regularly reviewing cloud costs and eliminating waste
- Completing the migration of remaining on-premises workloads where it makes sense
- Investing in cloud management skills or partnering with an MSP for ongoing management
Lesson 4: Hybrid Work Infrastructure Needs Investment
Three years after the pandemic-driven shift to remote work, hybrid work is the established norm for many Australian office-based businesses. In 2023, businesses moved from simply enabling hybrid work to optimising the experience:
- Meeting room technology upgrades to support equitable hybrid meetings
- WiFi infrastructure improvements to handle increased wireless device density
- VPN replacement or augmentation with Zero Trust network access
- Cloud phone systems replacing aging PBX infrastructure
- Digital collaboration maturity (moving beyond basic Teams/Slack usage)
The lesson: The ad hoc remote work setups of 2020 are not sufficient for long-term hybrid operations. Businesses that invested in proper hybrid infrastructure in 2023 are seeing productivity and employee satisfaction benefits. Those still running on pandemic-era stopgaps are experiencing friction and frustration.
Lesson 5: Supply Chain and Vendor Risk Are Real
The HWL Ebsworth breach highlighted supply chain risk for Australian businesses. When a major law firm is compromised, every client’s data is potentially affected. Similar patterns played out across other vendors and service providers throughout the year.
The lesson: Your cybersecurity is only as strong as your weakest vendor:
- Assess the security posture of key vendors and service providers
- Include cybersecurity requirements in vendor contracts
- Monitor vendor security incidents and respond appropriately
- Have contingency plans for key vendor failures
- Ask vendors about their security certifications (ISO 27001, SOC 2) and request audit reports
Lesson 6: Compliance Requirements Are Tightening
2023 saw increased regulatory expectations across multiple fronts:
- Privacy Act reform discussions continued, with potential changes to consent requirements, data breach notification, and enforcement
- APRA continued its focus on operational resilience and information security (CPS 234)
- The ACSC’s Essential Eight maturity model gained further traction as a baseline security standard
- Cyber insurance underwriters tightened requirements, demanding evidence of MFA, backup testing, and security controls
The lesson: Compliance is not static. Australian businesses need to:
- Stay informed about regulatory changes that affect their industry
- Treat the ACSC Essential Eight as a minimum security standard
- Document their security practices for insurance and regulatory purposes
- Conduct regular compliance reviews rather than waiting for audits
Lesson 7: IT Talent Remains Scarce
The Australian IT talent market remained tight throughout 2023. Finding and retaining skilled IT professionals, particularly in cybersecurity, cloud engineering, and IT management, continued to challenge SMBs that cannot match enterprise salaries.
The lesson: Australian SMBs need to think creatively about IT capability:
- Managed service providers can fill capability gaps without full-time hires
- Virtual CISO (vCISO) services provide security leadership without a full-time executive
- Invest in training and development for existing IT staff
- Use automation and managed services to reduce the workload on a small IT team
- Consider whether every IT task needs to be done in-house
Lesson 8: Business Continuity Is Not Optional
Natural disasters (floods, bushfires, storms), cyber attacks, and service outages all tested business continuity plans in 2023. Businesses with tested plans and redundant systems recovered quickly. Those without scrambled.
The lesson:
- Cloud-based systems provide inherent resilience (but only if properly backed up)
- Backup and disaster recovery plans need regular testing, not just documentation
- Business continuity plans should cover cyber incidents, not just natural disasters
- Communication plans (how to reach staff and customers when primary systems are down) are essential
- The businesses that fared best were those that had practised their response before they needed it
Lesson 9: The Basics Still Matter Most
Despite the headlines about AI, quantum computing, and next-generation threats, the vast majority of successful cyber attacks in 2023 exploited basic security gaps:
- Weak or reused passwords without MFA
- Unpatched software and systems
- Phishing emails that tricked employees
- Misconfigured cloud services
- Lack of backup and recovery capability
The lesson: Before chasing the latest technology trend, ensure you have the basics covered:
- MFA on all accounts
- Timely patching of all systems
- Security awareness training for all employees
- Tested backups with the ability to restore
- Business-grade firewall and endpoint protection
- Documented incident response plan
These are not exciting investments, but they prevent the vast majority of incidents targeting Australian SMBs.
Lesson 10: Strategic IT Planning Pays Off
Businesses that entered 2023 with a clear IT strategy and budget navigated the year more effectively than those making reactive, ad hoc decisions. A strategy does not need to be a 50-page document. A one-page plan covering priorities, budget, and timeline is sufficient for most SMBs.
The lesson: Dedicate time in Q4 each year to:
- Review the year’s IT successes and failures
- Identify upcoming technology needs and risks
- Set IT priorities for the year ahead
- Allocate budget to those priorities
- Communicate the plan to the business
Looking Ahead
As 2023 closes, Australian SMBs should enter 2024 with three priorities:
- Secure the basics: MFA everywhere, patching current, backups tested, staff trained
- Optimise cloud investments: Review costs, tighten configurations, complete migrations
- Plan for AI: Prepare data governance, pilot AI tools, develop usage policies
The businesses that learn from 2023’s lessons and act on them will be better prepared, more resilient, and more competitive in 2024. Technology continues to evolve rapidly, but the fundamentals of good IT management (security, planning, and business alignment) remain constant.