Cyber security for the mid-market

Helping you prevent, detect and respond to cyber threats

Australia’s mid-market sector is vital in delivering services, infrastructure, and economic value across the country.

From local government and healthcare to financial services, education, and critical industries, these organisations keep communities functioning and markets moving. Their operations are increasingly digital, interconnected, and exposed to cyber risk.

In 2023–24, the Australian Cyber Security Centre received over 87,000 cybercrime reports, and notifiable data breaches rose by 25 per cent. Cyber incidents are becoming more frequent, disruptive, and harder to contain. Yet many mid-market organisations do not have dedicated internal cyber teams, formalised programs, or access to specialist capability. The threat landscape evolves faster than most can translate into structured action, particularly for organisations balancing operational delivery, compliance, transformation, and risk without a centralised security function.

KPMG works with the mid-market to close this gap. Whether you’re navigating regulatory expectations in aged care, managing digital uplift in local government, responding to an incident in financial services, or building security capability in a fast-growing venture, mining operation, or education provider – we help prioritise what matters, embed sustainable capability, and build confidence at every level of the organisation.


Helping you confidently manage your security risk

  • Know where you stand

    We help you build a clear picture of your cyber risk, obligations, and current maturity. This allows you to focus time and investment on the areas that have the greatest impact on reducing exposure, rather than spreading resources too thin or overcommitting where it’s not needed.

  • Make the right moves

    We help you move from strategy to execution. Whether you need guidance, delivery support, or a team to take ownership, we work within your structure and resourcing to turn priorities into practical, achievable outcomes.

  • Be ready when it counts

    We help you plan for real-world incidents and prepare your team to respond confidently. This includes supporting regulatory engagement, running executive simulations, and embedding the processes and escalation paths needed to protect your operations and reputation when pressure is high.

Right-sized cyber security support for your organisation

Whether you’re building from the ground up, responding to regulatory pressure, or refining what already exists, we can help you clarify your cyber risk, obligations, and priorities and then support you in planning, uplifting, and managing them over time.

  • Cyber maturity assessments and health checks

    If you’re unsure what’s working or where to focus, start here.

    We provide independent assessments to help you understand your current maturity, identify gaps, and decide where to go next. Our focus is on clarity, not scoring, and on advice you can act on.

    • Assess maturity across governance, controls, response capability and leadership
    • Benchmark performance against sector norms and risk tolerance
    • Deliver findings in practical terms that guide decisions
    • Run health checks during uplift, after incidents, or before major investments
    • Recommend next steps aligned to risk, outcomes and capacity
  • Cyber strategy, program design and embedded support

    If you have a plan, we help make it real. If you don’t, we’ll help build one that fits.

    Many organisations have cyber initiatives underway, but few have a coordinated plan that reflects their risk, obligations, and resourcing. We help clarify direction, align stakeholders, and support delivery.

    • Build or refine your cyber strategy based on business context, obligations and risk appetite
    • Translate strategy into practical delivery plans across governance, controls, capability and timing
    • Provide embedded cyber advisers or virtual CISO Adviser support for organisations without dedicated teams
    • Align internal teams, remove duplication, and maintain momentum over time
  • Incident readiness and response

    If a cyber event tests your organisation tomorrow, will it be ready?

    We help you prepare for incidents before they happen and support you when they do. We focus on decision-making under pressure, leadership coordination, and regulator-facing readiness.

    • Review and improve incident response plans, protocols and governance
    • Run tabletop exercises for executives, operational teams, and board members
    • Assess readiness against regulatory expectations and internal accountability
    • Support post-incident debriefs, root cause analysis, and improvement planning
  • Cyber security governance, risk and compliance management

    Regulatory and stakeholder expectations continue to rise. We help you understand your obligations, assess your current state, and strengthen your governance and compliance environment.

    • Map and address obligations under the Privacy Act, Cyber Security Act 2024, SOCI Act, CPS 234 and other instruments
    • Align with frameworks including ACSC Essential Eight, AESCSF, ISM, ISO 27001, VPDSS, PSPF, PDSS, PCI DSS, SOC 2, and NIST CSF
    • Review and uplift control design, documentation and assurance evidence
    • Conduct internal audits, management reviews or readiness assessments
    • Provide privacy management support, including breach response planning and OAIC alignment
    • Support third-party and procurement reviews to manage external risk
  • Cyber awareness and behavioural uplift

    Cyber risk stems from the everyday choices people make. Our cutting-edge cyber learning and training program empowers your workforce to adopt stronger security behaviours.

    We provide impactful training initiatives to transform behaviour and enhance your organisation’s security posture. From targeted messaging to full program delivery, we support uplift across business roles and maturity levels.

    • Evaluate the effectiveness of your current training and awareness approach
    • Design behaviourally informed campaigns across teams and business units
    • Deliver programs using your content or KPMG’s Cyber Learning Unlock platform
    • Track engagement, participation, and measurable improvement
    • Tailor messaging by role, exposure and risk profile

Meet the team

  • Dominika Zerbe-Anders
    Dominika Zerbe-Anders, Cyber Human Risk Partner & Solution Owner | ASPAC Women in Cyber Leader – KPMG Australia

    Dominika is a distinguished Cyber Partner with KPMG Australia, where she spearheads the Cyber Human Risk Management capability. She is a cyber resilience Partner with a passion for people, strategy and change.

  • Gergana Winzer
    Partner, Cyber Security – Mid Market Lead – KPMG Australia

    Gergana is an experienced and respected member of the cyber security community in Australia and Asia, and an engaging keynote and public speaker on cyber security and privacy matters, risks and issues for the business community.

  • Gordon Pereira
    Gordon Pereira, Partner Enterprise Risk and Cyber Consulting – KPMG Australia

    Gordon specialises in conducting internal audit, governance, risk and compliance reviews and has worked in each line of defence. He has a deep understanding of technology and cyber risks, and of the changing digital landscape.