Small businesses are not collateral damage in cyber attacks. They are the primary target.
There is a persistent myth that cyber criminals focus on large enterprises and that small businesses are too insignificant to attract attention. The data says the opposite. Small businesses account for the majority of cybercrime reports to the ASD. They are targeted precisely because they are less likely to have dedicated security staff, less likely to have multi-factor authentication enabled, and less likely to detect an intrusion before it causes damage.
The economics are straightforward. An attacker who compromises one large enterprise needs to bypass significant security infrastructure, evade detection teams, and deal with incident response capabilities. The same attacker can compromise dozens of small businesses using automated tools, commodity phishing kits, and known vulnerabilities in unpatched software. The per-target effort is lower, the aggregate return is higher, and the risk of prosecution is minimal.
ASD's 2023-24 Annual Cyber Threat Report recorded over 87,400 cybercrime reports from Australians, a decrease of 7% on the previous year, but the average self-reported cost per report rose for small and medium businesses. For small businesses (0 to 19 employees), the average cost reached $49,600 per incident, up 8%. For medium businesses (20 to 199 employees), $62,800, up 35%. Only large businesses recorded a fall, to $63,600.
These figures understate reality. ASD's cost data is self-reported and covers direct financial losses only. It excludes reputational damage, customer churn, regulatory penalties, staff time spent on recovery, and the long tail of remediation costs. Insurance industry data consistently shows total incident costs running two to five times higher than self-reported figures.
The trend line matters more than any single year's number. Cybercrime costs for Australian small businesses have increased year on year for every reporting period since ASD began publishing the data. There is no evidence that this trajectory is slowing.
Forget advanced persistent threats. The problems are far more mundane, and far more preventable.
The gap between what the cybersecurity industry talks about and what actually compromises small businesses is enormous. Small businesses are not being hit by sophisticated nation-state actors deploying custom malware. They are being hit by commodity attacks that exploit basic security gaps. Understanding the actual threat profile is essential for directing limited budgets to the controls that matter.
BEC remains the highest-impact cybercrime type for Australian businesses by financial loss. The attack is deceptively simple: an attacker gains access to or impersonates a legitimate email account, then uses that access to redirect payments, request fraudulent transfers, or harvest credentials. No malware required. No sophisticated tooling. Just a convincing email from what appears to be a trusted source.
Smaller teams mean fewer approval layers for financial transactions. A single person often handles invoicing, payments, and banking. Without dual-authorisation processes and without email authentication controls like DMARC, SPF, and DKIM, a well-crafted BEC email is extremely difficult to detect. Note what those controls do and do not cover: SPF, DKIM and an enforcing DMARC policy stop outsiders from sending mail that claims to be from your own domain, but they do nothing against a lookalike domain or against mail sent from a legitimately compromised account. The phone-verification step for payment changes has to exist regardless.
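The most common configuration gap here is not a missing DMARC record but a DMARC record left at `p=none`, which only monitors and never rejects. The following is an added example (not code from the original page) that grades SPF and DMARC TXT records for the enforcement they actually provide. The records and domain names are constructed for illustration; in practice you would fetch the TXT records from DNS with a resolver and feed the strings to the same functions.

```python
"""Grade SPF and DMARC TXT records for the spoofing protection they give.

Added example for this article, not code from the original page. The sample
records in demo() are constructed; the domain names are placeholders.
"""
import re

# Leading qualifier (+ - ~ ?) is optional; capture the mechanism name.
_MECH = re.compile(r"^[+\-~?]?([a-z0-9]+)")


def parse_dmarc(txt: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=none; rua=mailto:...' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(txt: str) -> list[str]:
    """Return a list of weaknesses; an empty list means the record enforces."""
    findings = []
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record: receivers will not reject mail failing SPF/DKIM alignment"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, receivers still deliver spoofed mail")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to junk instead of being rejected")
    elif policy != "reject":
        findings.append(f"missing or invalid policy tag: p={policy!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the failing mail")
    sub = tags.get("sp", "").lower()
    if sub and sub != "reject":
        findings.append(f"sp={sub}: subdomains get a weaker policy than the main domain")
    if not tags.get("rua"):
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unnoticed")
    return findings


def grade_spf(txt: str) -> list[str]:
    """Flag a permissive or absent 'all' mechanism and the RFC 7208 10-lookup limit."""
    findings = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: receivers cannot tell which hosts may send for this domain"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            lookups += 1  # redirect= costs a DNS lookup like include:
            continue
        if low.startswith("exp="):
            continue
        m = _MECH.match(low)
        if not m:
            findings.append(f"unparseable term {term!r}")
            continue
        name = m.group(1)
        if name in ("include", "a", "mx", "ptr", "exists"):
            lookups += 1
        if name == "all":
            all_qualifier = low[0] if low[0] in "+-~?" else "+"
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: any host on the internet may send as this domain")
    elif all_qualifier == "?":
        findings.append("?all: neutral result, receivers get no signal to reject on")
    elif all_qualifier == "~":
        findings.append("~all: softfail only; rely on DMARC p=reject for enforcement")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds RFC 7208's limit of 10: SPF returns permerror")
    return findings


def audit_domain(spf_txt: str, dmarc_txt: str) -> dict[str, list[str]]:
    """Combine both checks for one domain."""
    return {"spf": grade_spf(spf_txt), "dmarc": grade_dmarc(dmarc_txt)}


def demo() -> dict[str, dict[str, list[str]]]:
    """Constructed records: a typical 'set up once, never enforced' domain beside a hardened one."""
    weak = audit_domain(
        "v=spf1 include:spf.protection.outlook.com ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    )
    hardened = audit_domain(
        "v=spf1 include:spf.protection.outlook.com -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    )
    return {"weak": weak, "hardened": hardened}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The "weak" record set is what many small-business tenants look like after an initial Microsoft 365 or Google Workspace setup: SPF present but softfail, DMARC present but `p=none`. Moving to `p=reject` should be done after reviewing a few weeks of aggregate reports so legitimate third-party senders (accounting platforms, newsletter tools) are not rejected along with the spoofers.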
Phishing is the most common initial access vector across all business sizes. For small businesses, it is particularly effective because fewer organisations run security awareness training and fewer have email filtering capable of catching modern phishing campaigns. Stolen credentials are then used for account takeover, data exfiltration, or as a stepping stone into connected systems.
Small business employees frequently reuse passwords across personal and work accounts. A credential breach at an unrelated consumer service can directly compromise business systems. Without MFA, a single stolen password is often enough for full account access.
Ransomware attacks against small businesses are largely automated and opportunistic. Attackers scan for vulnerable internet-facing services, exploit known vulnerabilities, or use stolen credentials to deploy ransomware at scale. The ransomware-as-a-service model means technically unsophisticated criminals can deploy enterprise-grade encryption. Small businesses are disproportionately affected because they are less likely to have tested backups, less likely to have an incident response plan, and more likely to pay the ransom due to existential business pressure.
Many small businesses believe they have backups until they need them. Untested backups, backups stored on the same network as production systems, and backups without offline copies are functionally useless against modern ransomware that specifically targets backup infrastructure before encrypting primary systems.
Attackers routinely scan the internet for systems running software with known, publicly disclosed vulnerabilities. When a critical vulnerability is published, mass exploitation typically begins within days. Small businesses running unpatched web servers, VPN appliances, email gateways, or content management systems are discovered and exploited automatically, often before anyone at the business even knows the vulnerability exists.
ASD data consistently shows that the majority of exploited vulnerabilities have had patches available for weeks or months before exploitation. The problem is not that patches do not exist. The problem is that small businesses lack the process, tooling, or awareness to apply them in time.
Five priority actions that prevent the majority of successful attacks against small businesses.
The good news is that the commodity nature of threats against small businesses means that basic, well-implemented controls stop the vast majority of attacks. You do not need an enterprise security stack. You need the fundamentals done properly. These five actions, adapted for small business realities, address the root causes of the threats described above. Four of them (MFA, patching, backups, restricting administrative privileges) map directly to controls in ASD's Essential Eight; the fifth, staff awareness, is not an Essential Eight control but addresses the phishing and BEC vectors that the technical controls cannot fully close.
MFA is the single most effective control for preventing account compromise. It makes stolen credentials insufficient for access. Enable it on every account that supports it: email (Microsoft 365, Google Workspace), banking, accounting software, cloud storage, VPN, remote desktop, and any system accessible from the internet. Prefer authenticator apps or hardware keys over SMS-based MFA.
Most cloud platforms include MFA at no additional cost. Microsoft 365 Business Basic includes it. Google Workspace includes it. The cost is staff time to configure and enrol users. For a 20-person business, expect half a day of setup time.
Enable automatic updates for operating systems, web browsers, and productivity software. For internet-facing systems (websites, email servers, VPN appliances), apply critical security patches within two weeks of release at a minimum, and within 48 hours when a working exploit is public, which is the Essential Eight Maturity Level 1 expectation for online services. Replace any software that is no longer receiving security updates from its vendor.
Automatic updates are free. The cost is managing the occasional restart or compatibility issue. For businesses using managed IT providers, patching should already be included in the service agreement. If your IT provider is not patching, that is a serious problem.
Perform daily backups of critical business data. Store at least one copy offline or in an immutable cloud storage tier that cannot be modified or deleted, even with administrative credentials. Test your restore process quarterly. A backup you have never tested is a backup you cannot rely on.
Cloud backup solutions for small businesses typically cost $5 to $20 per user per month. Microsoft 365 retention policies give some protection against accidental or malicious deletion within existing licensing, but they are not a backup: they live in the same tenant as the data, under the same administrative credentials. Azure Backup and third-party Microsoft 365 backup products are billed separately and are what provide an independent copy. The critical investment is testing, which costs time, not money.
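"Test your restore process" means more than confirming the backup job reported success. A restore test should prove that the files that come back match the files that went in. The following added example (not code from the original page) records a SHA-256 manifest of a directory tree at backup time and checks a restored tree against it, reporting missing, altered and unexpected files. The directory contents are constructed in a temporary location purely for illustration; in a real test the manifest would be stored alongside the offline copy and the restored tree would come from your backup product.

```python
"""Verify a backup restore against a SHA-256 manifest taken at backup time.

Added example for this article, not code from the original page. The sample
files in demo() are constructed and written to a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file path (relative to root, POSIX style) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree to the manifest; every list should be empty for a pass."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in restored),
        "altered": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(p for p in restored if p not in manifest),
    }


def restore_test_passed(result: dict[str, list[str]]) -> bool:
    return not any(result.values())


def demo() -> dict[str, list[str]]:
    """Construct a small 'production' tree, then a restore with one file corrupted and one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        (prod / "accounts").mkdir(parents=True)
        (prod / "accounts" / "invoices.csv").write_text("inv-1001,2400.00\n")
        (prod / "accounts" / "payroll.bin").write_bytes(b"constructed payroll data")
        (prod / "readme.txt").write_text("constructed sample data\n")
        manifest = build_manifest(prod)  # this is what you keep with the offline copy

        restored = Path(tmp) / "restored"
        (restored / "accounts").mkdir(parents=True)
        (restored / "accounts" / "invoices.csv").write_text("inv-1001,2400.00\n")  # intact
        (restored / "accounts" / "payroll.bin").write_bytes(b"truncated")            # silently altered
        # readme.txt never came back: missing
        (restored / "thumbs.db").write_bytes(b"")                                    # not in the backup
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo()
    print("PASS" if restore_test_passed(result) else "FAIL", result)
```

Keep the manifest with the offline or immutable copy, not only on the production file server: if ransomware reaches the backup infrastructure first, as the article notes it increasingly does, a manifest stored beside the live data can be altered along with everything else.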
Do not let staff use administrator accounts for daily work. Create separate admin accounts used only for system changes. Limit the number of people with admin access to the absolute minimum. When ransomware runs under an admin account, it can encrypt everything the account has access to. Under a standard user account, the blast radius is dramatically smaller.
Zero direct cost. This is a configuration change. It requires discipline and a process for handling the occasional legitimate admin task, but the security benefit per dollar spent is among the highest of any control.
Annual compliance training does not work. Short, frequent, scenario-based training does. Run phishing simulations monthly. Teach staff to verify payment change requests by phone. Make it easy to report suspicious emails without fear of blame. The goal is not to create security experts. The goal is to create a team that pauses before clicking.
Security awareness platforms cost $2 to $5 per user per month for small businesses. Managed phishing simulation services are available from $200 to $500 per month. The return on this investment is difficult to measure precisely, but organisations that run regular simulations commonly report phishing click rates falling from 25-30% to under 5%. Track the reporting rate as well as the click rate: a team that reports a suspicious email within minutes limits the damage even when someone has clicked.
Prioritisation matters more than completeness. A small business that implements these five controls well is better protected than one that half-implements fifteen. The Essential Eight Maturity Level 1 is a sensible target for most small businesses. It covers these basics and more. Do not let the perfect be the enemy of the good.
When to hire in-house, when to outsource, and what to look for either way.
The honest answer for most small businesses with fewer than 50 staff: you cannot afford to do cybersecurity entirely in-house, and you should not try. A competent mid-level security analyst in Sydney or Melbourne commands $120,000 to $150,000 in salary alone, before superannuation, tools, training, and the reality that one person cannot provide 24/7 coverage. That single hire consumes budget that could fund a comprehensive managed security programme covering monitoring, incident response, vulnerability management, and regular assessments.
The question is not whether to outsource. The question is what to outsource and what to keep in-house.
| Function | In-house or outsource | Why |
|---|---|---|
| Security awareness and culture | Keep in-house, support with external tools | Culture change requires internal ownership. External platforms provide the training content and phishing simulations. |
| Day-to-day IT hygiene (patching, backups, MFA) | Managed IT provider | These are operational tasks that benefit from automation and established processes. Most managed IT providers include them. |
| 24/7 monitoring and incident response | Outsource to managed SOC | Round-the-clock monitoring requires shift coverage that no single hire can provide. Managed SOC services deliver this at a fraction of in-house cost. |
| Vulnerability assessment and pen testing | Outsource to specialists | Independent testing requires objectivity and specialised skills. Your own IT team should not assess their own work. |
| Incident response planning | Build with external help | You need a plan tailored to your business. An external consultant builds it; your team owns and rehearses it. |
| Risk assessment and strategy | External assessment, internal ownership | An independent assessment identifies risks objectively. Your leadership decides which risks to accept, mitigate, or transfer. |
What to look for in a security provider
The Australian cybersecurity services market has a wide quality range. When evaluating providers, look for these indicators:
- Relevant certifications: ISO 27001 certification of the provider itself (not just staff holding the cert), CREST membership for penetration testing, ASD-aligned assessment capabilities
- Australian presence and jurisdiction: Data sovereignty matters. Ensure your provider operates under Australian law and stores monitoring data in Australian data centres
- Transparent pricing: Avoid providers who refuse to quote without lengthy discovery processes. Basic managed security services have known price ranges
- Independence: Be cautious of providers who always recommend the same vendor's products. Good advice is vendor-neutral
- Right-sized solutions: A provider pushing enterprise SIEM platforms at a 15-person business is selling what they have, not what you need
Six patterns we see repeatedly in small businesses that have been breached.
In our security assessments of Australian businesses of every size, certain patterns emerge consistently. These are not obscure technical failures. They are predictable, avoidable decisions that create the conditions for a successful attack.
- ✕ Treating cybersecurity as an IT problem
Cybersecurity is a business risk, not a technology issue. When it sits entirely with IT (or worse, with a managed IT provider who also handles security), there is no independent oversight, no risk-based decision-making, and no accountability at the leadership level. The business owner or board needs to own the risk, even if they delegate the technical execution.
- ✕ Buying tools without process
A next-generation firewall that nobody monitors is expensive furniture. Endpoint detection software that generates alerts nobody reads is worse than useless because it creates a false sense of security. Tools need processes: who monitors, who responds, what happens at 2am on a Saturday, and who decides when to escalate. Without process, tools are just cost.
- ✕ No incident response plan
The time to decide how to respond to a ransomware attack is not during the ransomware attack. Yet the majority of small businesses we assess have no documented incident response plan. At minimum, you need: who to call first (your IT provider, your insurer, ASD's 1300 CYBER1 hotline), how to isolate affected systems, where your backups are and how to restore them, and who communicates with customers and regulators.
- ✕ Assuming cyber insurance is a substitute for security
Cyber insurance is a risk transfer mechanism, not a risk mitigation strategy. Insurers are increasingly requiring evidence of baseline security controls (MFA, patching, backups) before issuing policies. Claims are being denied when organisations cannot demonstrate these basics were in place. Insurance covers some financial losses. It does not recover your reputation, your customer trust, or the three weeks of operational disruption.
- ✕ Ignoring supply chain risk
Your cybersecurity posture is only as strong as your weakest connected third party. Small businesses frequently share data with accountants, bookkeepers, payroll providers, web developers, and IT support firms without any assessment of those parties' security practices. A breach at your bookkeeper is effectively a breach at your business. Ask your key suppliers about their security controls, or engage a provider who can conduct third-party risk assessments on your behalf.
- ✕ Doing nothing because the problem feels too big
The most common response to cybersecurity complexity is paralysis. The volume of advice, the jargon, and the apparent cost create a feeling that meaningful security is impossible without enterprise budgets. This is not true. The five priority actions outlined in this article cost very little and prevent the vast majority of commodity attacks. Starting imperfectly is dramatically better than not starting at all.
What the law actually requires of Australian small businesses.
The regulatory environment for cybersecurity in Australia has tightened significantly since 2018. Small businesses are not exempt from all obligations, and the trend is toward greater accountability, not less.
Privacy Act 1988 and the Notifiable Data Breaches scheme
The Privacy Act applies to organisations with annual turnover above $3 million, as well as health service providers, businesses trading in personal information, and certain other categories regardless of turnover. If the Act applies to your business, you are required to take reasonable steps to protect personal information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure.
The Notifiable Data Breaches (NDB) scheme requires you to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm. Since the scheme began in February 2018, the OAIC has received thousands of notifications, with a significant proportion coming from small and medium businesses. Failure to notify can result in civil penalties.
The Privacy Act Review, which has been progressing since 2022, proposes expanding coverage to businesses with turnover below $3 million. If enacted, this would bring the majority of Australian small businesses under the regime for the first time.
Security of Critical Infrastructure Act 2018
The SOCI Act applies to operators of critical infrastructure assets across eleven sectors, including communications, data storage, energy, financial services, food, health, higher education, space, transport, and water. It applies regardless of business size. If your small business operates assets in these sectors, you may be subject to enhanced cybersecurity obligations including risk management programmes and mandatory incident reporting to the Australian Signals Directorate.
Industry-specific requirements
Financial services businesses regulated by APRA must comply with CPS 234 Information Security, which requires information security capability commensurate with the threats faced. Health sector organisations handling My Health Record data face additional obligations under the My Health Records Act 2012. Businesses in the Defence supply chain must comply with the Defence Industry Security Program (DISP), which now mandates Essential Eight Maturity Level 2.
Essential Eight, ISO 27001, NIST CSF: which one is right for a small business?
Small businesses do not need multiple overlapping frameworks. They need one practical starting point. Here is an honest comparison of the three most relevant options.
Essential Eight: eight prescriptive technical controls, prioritised by effectiveness. Free to adopt. Maturity Level 1 is achievable for most small businesses within months. Designed for the Australian threat landscape. The best starting point for organisations that have not yet adopted a formal framework.
Best for: Small businesses looking for a practical, prioritised technical baseline with minimal governance overhead.
ISO/IEC 27001: a comprehensive information security management system covering governance, people, processes, and technology across the 93 controls of the 2022 edition's Annex A. Provides an internationally recognised certification that can satisfy customer and contractual security requirements. More effort to implement but more comprehensive in scope.
Best for: Growing businesses that need to demonstrate security maturity to enterprise customers or meet contractual requirements.
NIST Cybersecurity Framework: a risk-based framework organised around six functions in CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover; earlier versions had five, without Govern). Flexible and widely adopted internationally. Less prescriptive than the Essential Eight, which can be both a strength (adaptability) and a weakness (less clear on what to do first).
Best for: Businesses with US-based customers or partners who specifically require NIST alignment.
Start with the Essential Eight at Maturity Level 1. It is free, practical, and addresses the threats that actually compromise Australian small businesses. Once you have the technical baseline in place, consider ISO 27001 if your business growth requires demonstrable security governance to win contracts or enter regulated markets.
Do not try to implement multiple frameworks simultaneously. Get one right first.
What the Cliffside approach looks like for small businesses.
We hold ISO/IEC 27001:2022 certification ourselves. We deliver cybersecurity assessments, managed security services, and virtual CISO programmes for Australian organisations from 10-person professional services firms to ASX-listed companies. We understand the difference between enterprise advice and practical guidance for businesses with limited budgets, because we work with both, every day.
Our approach for small businesses starts with the Lighthouse Assessment: a structured, multi-specialist evaluation of your current security posture against the threats that actually target businesses your size. The output is not a 200-page report full of jargon. It is a prioritised, actionable plan that tells you exactly what to fix first, what it will cost, and what risk reduction you can expect.
We will tell you honestly:
- →Where your real vulnerabilities are, not the theoretical ones
- →Which risks justify spending money on and which you can accept
- →Whether your current IT provider is delivering adequate security, or whether there are gaps
- →What a realistic security programme costs for a business your size
- →Which framework is right for your situation and growth trajectory
- →Where outsourcing makes sense and where you should build internal capability
If the honest answer is that your current setup is adequate and you just need to tighten a few controls, we will say that. We would rather give you good advice and earn your trust than sell you services you do not need.