Skip to content

Cybersecurity

The Five Eyes just wrote to your board. Here's the map we already hold every client to.

On 22 June 2026 the heads of six cyber agencies across the Five Eyes issued one joint statement, aimed at business leaders rather than IT teams. AI is making attacks faster and cheaper, they warned, and most organisations still haven't locked down the basics. They asked for five things. Every CCP client already has to meet all five.

5 min read
Jump to section
  1. 01The five things they asked for
  2. 02We already require all five
  3. 03Fundamentals beat budget
  4. 04The conversation to have this week

Statements like this normally land on a technical team’s desk and go no further. This one went straight to the people who sign off the budget. Six agency heads across five countries put their names to a single page: Stephanie Crowe at the Australian Signals Directorate, alongside her counterparts at Canada’s Communications Security Establishment, New Zealand’s GCSB, the UK’s National Cyber Security Centre, and both American agencies, the NSA and CISA. All six signed the same message.

Boards delegate cyber resilience to IT and treat it as a technical chore. That is exactly where it fails, and it is why the agencies wrote to leaders this time. They put cyber resilience alongside cash flow and insurance: a core business risk that sits with the people running the business. And the clock has changed. AI lowers the barrier for attackers and shrinks the gap between someone finding a flaw and someone using it against you at scale.

“The timeline is not years, it is months.”

That line is the agencies’ own. You can read the full statement on cyber.gov.au.

The five things they asked for

The statement is short and practical. Stripped to the actions, the agencies asked every organisation to do five things.

  1. Reduce your attack surface. Your attack surface is everything an intruder can reach: every login, every system left switched on, every connection open to the internet. Challenge whether each one needs to be exposed at all, and wall off the parts that don’t.
  2. Accelerate patching. A patch is the fix a vendor ships when a hole is found in their software. AI is shortening the time between that hole becoming public and someone using it, so a slow update cycle has turned from background housekeeping into your biggest exposure.
  3. Address legacy systems. Unsupported software that no longer gets security fixes is an easy target. The agencies were blunt about it: “They are not just technical debt, they are strategic liabilities.”
  4. Review and strengthen identity and access. Know who can reach your critical systems, give each person only what their role needs, and protect the front door with strong authentication. The clearest example is multi-factor authentication: the second step, a code or a tap on your phone, after the password.
  5. Prepare for incidents before they happen. Assume something will get through. Write the response plan, rehearse it, back up your data, and practise the recovery before the day you need it.

We already require all five

None of this is new to us. Every business we manage signs up to a Client Security Baseline: a set of controls that are contractual, not advisory. It predates this statement by years, and it already covers all five asks. We’ve noted where each one lands on the Essential Eight, the Australian government’s eight baseline security measures that insurers, brokers, and regulators now treat as the floor.

What the Five Eyes asked forWhat our Client Security Baseline already requires
Reduce the attack surfaceApplication control, locked-down admin rights, and a standing review that asks why a system is exposed at all. (Essential Eight: application control, restrict admin privileges, application hardening.)
Accelerate patchingKnown vulnerabilities fixed inside 30 days or better, tracked rather than left to a quarterly cycle. (Essential Eight: patch applications, patch operating systems.)
Address legacy systemsWe flag end-of-life software at the same review and get it retired or replaced. (Essential Eight: removing unsupported software.)
Strengthen identity and accessPhishing-resistant MFA on critical systems, a password manager so staff never hold the password themselves, and offboarding wired into HR so access dies the day someone leaves. (Essential Eight: multi-factor authentication, restrict admin privileges.)
Prepare for incidentsA written incident response plan and tested backups, so you have rehearsed recovery before you need it. (Essential Eight: regular backups.)

The baseline is not a poster on the wall. We check it at the operational reviews, and when a control has been switched off or never put in, we put it in writing and give the client thirty days to fix it. There is a harder edge to it, and it sits in the contract:

Where a client won’t meet the baseline, we’d rather decline the work than carry the risk of an incident they chose to ignore.

The reason is commercial as much as it is principled. We can’t afford to insure a business against the one control it refuses to put in, and the morning an incident hits a system a client left exposed against our advice, the damage lands on both of us. So we set the floor at the start, in writing, and we hold to it. That is the same position the Five Eyes agencies have now put in front of every board in the country.

Fundamentals beat budget

The sharpest line in the statement is not about AI at all. It is about spending. “Success will not come from having the most tools,” the agencies wrote. “It will come from getting the basics right.”

For a business owner, read that as permission to stop buying. A well-run Microsoft 365 Business Premium setup, with the fundamentals switched on and kept on, will beat a six-figure pile of security products that nobody finished configuring. The reflex when a board gets nervous is to approve another tool with another dashboard. More dashboards are not more defence. You already hold a licence for most of the controls the agencies listed. The work is switching them on and keeping them there. Secure-by-default is the baseline the agencies now expect, today rather than eventually.

The conversation to have this week

If you take one action from the statement, make it this: ask whoever runs your IT to walk you through these five points for your own setup. Your systems, your logins, your backups, your plan for the morning after a breach.

  • Ask your IT provider to map your environment against the Five Eyes five: attack surface, patching, legacy systems, identity, and incident readiness.
  • For each one, ask to see the evidence rather than the reassurance: a patch report, a list of who holds admin rights, the date your backups were last test-restored.
  • If the answer is vague on any of the five, you have found the gap. Fix it first.

If your provider can’t show you that map, that is the conversation to have this week. We’ll run the same five-point map across any Australian business’s current setup, whether you’re a client or not, and tell you where you’d stand. We build the baseline into every one of our plans by default, and the stance behind it is the one we take with every client. If you’d like us to run the map over your business, get in touch.

Tags five-eyesai-cyber-riskessential-eightclient-security-baselineasd-acscincident-response
Share LinkedIn Email
See if we're a fit