Small businesses are under attack. Not occasionally, not in isolated incidents. Constantly. According to the ASD’s Annual Cyber Threat Report 2024-25, Australian small businesses paid an average of $56,600 per cybercrime report last year, a 14 per cent jump on the year before. A cybercrime report was filed with the Australian Cyber Security Centre (ACSC) every six minutes across that same period. Small businesses are under attack.
Not occasionally, not in isolated incidents. Constantly. According to the ASD’s Annual Cyber Threat Report 2024-25, Australian small businesses paid an average of $56,600 per cybercrime report last year, a 14 per cent jump on the year before. A cybercrime report was filed with the Australian Cyber Security Centre (ACSC) every six minutes across that same period.
The good news? Most small business cyber incidents are preventable. This guide walks you through the biggest threats, the steps that actually reduce your exposure, and when it makes sense to bring in professional support.
Key Takeaways
- Australian small businesses lost an average of $56,600 per cybercrime report in FY2024-25, up 14% year-on-year (ASD Annual Cyber Threat Report 2024-25).
- Phishing, ransomware, and business email compromise (BEC) are the most common threats facing Australian small businesses.
- Multi-factor authentication (MFA) is the single most effective step you can take and costs nothing to enable.
- Under Australia’s Notifiable Data Breaches scheme, you may be legally required to report certain breaches to the OAIC.
- A managed IT provider can monitor your systems around the clock so your team doesn’t have to.
The average cost of a cyber incident for an Australian small business hit $56,600 in FY2024-25, according to the ASD Annual Cyber Threat Report 2024-25. That figure doesn’t include reputational damage, lost clients, or the staff hours spent recovering. Cybercriminals target small businesses precisely because they assume the defences are weaker. They’re often right.
Large corporations invest millions in dedicated security teams. Small businesses typically don’t have that budget or the in-house expertise to match it. That gap is what attackers look for. Over 84,700 cybercrime reports were filed with the ACSC in FY2024-25, that’s one every six minutes, with small businesses accounting for a significant share.
If you’ve assumed your business is too small to be worth targeting, it’s worth reconsidering that. Attackers run automated scans looking for the easiest doors to open: outdated software, weak passwords, and no multi-factor authentication. Size rarely comes into it.
“Cybercriminals don’t pick victims randomly. They scan for businesses with outdated software, weak passwords, and no multi-factor authentication. For Australian small businesses, closing those gaps doesn’t require a large budget. It requires the right approach.”

The Most Common Cyber Threats Facing Australian Small Businesses
Ransomware accounted for 11 per cent of all cyber incidents in Australia in FY2024-25, but made up 34 per cent of the most severe incidents. That imbalance tells you something important: the threats that hit small businesses hardest aren’t always the most frequent ones. Here’s what you’re most likely to face.
Phishing
Phishing emails remain the most common entry point for attacks. They’re designed to look legitimate: a fake invoice from a supplier, a password reset from your bank, a parcel delivery notification. One click from a staff member can give attackers access to your systems, email accounts, or client data. Most phishing attempts aren’t sophisticated. They’re convincing.
Ransomware
Ransomware encrypts your files and demands payment for the decryption key. For a small business without recent backups, it can mean weeks of downtime or permanent data loss. Even if you pay, there’s no guarantee you’ll get your data back. Regular, tested backups are your best insurance policy.
Business Email Compromise (BEC)
BEC attacks involve impersonating your business or a trusted supplier to redirect payments or extract sensitive information. They don’t need malware, just a convincing email. Australian businesses lose tens of millions to BEC annually, and small businesses are frequently targeted because payment processes tend to be less formalised.
Weak Credentials and Credential Theft
Reused passwords, simple passwords, and accounts without multi-factor authentication are easy targets. Once an attacker has one set of credentials, they’ll test them across every system they can reach. Credential stuffing attacks are largely automated, which means the scale of exposure can be significant before anyone notices.
Five Essential Cybersecurity Practices for Small Businesses
You don’t need a large IT budget to meaningfully reduce your cyber risk. These five practices cover the most significant vulnerabilities for most small businesses.

1. Enable Multi-Factor Authentication (MFA):
MFA adds a second verification step before anyone can log in to your accounts. Usually, it’s a code sent to your phone. Enable it on your email, cloud storage, accounting software, and any system that holds client data. It’s free or low-cost to set up and blocks the vast majority of automated credential attacks.
2. Keep Software and Systems Updated:
Most successful attacks exploit known vulnerabilities in outdated software. Enable automatic updates wherever possible and make patching a regular part of your IT routine. If you’re running software that no longer receives security updates, prioritise replacing it.
3. Train Your Staff Regularly:
Your staff is your first line of defence. Run regular phishing simulations, teach them how to spot suspicious emails, and make sure they know the process for reporting something that looks wrong. A ten-minute training session can prevent a $56,000 incident.
4. Back Up Your Data and Test Those Backups:
Maintain at least three copies of your data: one on-site, one off-site, and one in the cloud. Test your backups regularly. A backup you haven’t tested is a backup you can’t rely on. This is your primary defence against ransomware.
5. Secure Your Email:
Email is the primary vector for phishing and BEC attacks. Email security solutions add filtering layers that intercept malicious emails before they reach your inbox, significantly reducing the risk of a successful attack. This is one of the most cost-effective layers of protection you can add.
“Getting cybersecurity right as a small business isn’t about matching the defences of a major corporation. It’s about removing the easy opportunities. Attackers will always follow the path of least resistance. Your job is to make sure that path doesn’t run through your business.”
What to Do After a Cyber Incident
Even well-prepared businesses can be hit. Knowing what to do in the first hours after an incident can dramatically limit the damage.
Contain the breach first:
Disconnect affected devices from the network immediately. Don’t turn them off, as you may destroy forensic evidence, but isolate them from the rest of your systems.
Report to the ACSC:
Lodge a report via cyber.gov.au. The ACSC can provide guidance and, in serious cases, direct assistance. The earlier you report, the more options you have.
Notify affected parties if required:
Under Australia’s Privacy Act and the Notifiable Data Breaches scheme, you may be legally obligated to notify the OAIC and affected individuals if personal data was compromised. Act quickly and seek legal advice if you’re unsure whether your business is covered.
Don’t pay the ransom:
Payment doesn’t guarantee you’ll get your data back, and it marks your business as a target for future attacks. Contact the ACSC before making any decisions.
How a Managed IT Provider Strengthens Your Cyber Defences
Monitoring your systems around the clock, applying patches as they’re released, responding to incidents in real time: these are full-time jobs. For most small businesses, doing this in-house isn’t realistic.
A managed IT provider handles all of this on your behalf. At Tecnic Group, our cyber security services for Perth businesses include proactive monitoring, vulnerability assessments, endpoint protection, MFA implementation, and regular security audits.
You get enterprise-grade protection without the cost of an in-house security team.
Our managed IT services are built for the fast-moving, resource-constrained environment that small businesses operate in. We watch your systems so you can focus on running your business. Not sure what a managed service provider actually does?
Our guide on what an MSP is and how it works explains it clearly for business owners who haven’t used one before.
If your business operates in a sector with specific compliance requirements, such as healthcare or accounting, it’s worth reading our post on cybersecurity for Australian accounting firms for more tailored guidance.
“For small businesses, the question isn’t whether you need cybersecurity support. It’s whether the right level of protection is already in place. A proactive managed IT partner identifies gaps before attackers do, and responds within minutes when something goes wrong.”
Frequently Asked Questions
According to the ASD’s Annual Cyber Threat Report 2024-25, the average self-reported cost of a cybercrime incident for an Australian small business is $56,600, up 14 per cent on the prior year. This covers direct costs only and doesn’t include reputational damage or lost customers.
In many cases, yes. Under Australia’s Notifiable Data Breaches (NDB) scheme, businesses covered by the Privacy Act must notify the OAIC and affected individuals if a data breach is likely to cause serious harm. Check the OAIC website or seek legal advice if you’re unsure whether your business is covered.
Enable multi-factor authentication across all your key accounts: email, cloud storage, and accounting software. It’s free or low-cost to implement and blocks the overwhelming majority of credential-based attacks, which are the most common entry point for breaches.
At a minimum, once a year, with refreshers when new threats emerge. Quarterly short sessions, including phishing simulations, are significantly more effective than a single annual training. The goal is to build habits, not just awareness.
Yes. A managed service provider offers proactive monitoring, patch management, endpoint security, and incident response as part of an ongoing IT plan. Contact Tecnic Group to discuss what level of coverage is right for your business size and industry.
Protect Your Business Before an Incident Happens
Cybersecurity isn’t something you can afford to put off. The threats are real, they’re growing, and small businesses are firmly in the crosshairs. The steps outlined above are a strong starting point. But if you want comprehensive protection without the complexity of managing it yourself, that’s where we come in.
Get in touch with Tecnic Group to discuss a cybersecurity solution built around your business, or explore our cyber security services for Perth businesses to see what protection looks like in practice.



