Cyber Threats Are Rising – What You Need to Know

In today’s digital-first world, small and medium businesses (SMBs) are increasingly in the crosshairs of cybercriminals. The latest Annual Cyber Threat Report 2024–25 from the Australian Cyber Security Centre paints a sobering picture: cybercrime is not only growing in frequency but also in financial impact – and SMBs are feeling the pinch.

The cost of cybercrime is climbing

According to the report, the average self-reported cost of cybercrime for small businesses rose to $56,600, a 14% increase from the previous year. Medium businesses were hit even harder, with average losses jumping 55% to $97,200. These figures reflect not just the direct financial damage but also the time, resources and reputational harm that follow a cyber incident. 

Top threats facing SMBs

The most common cybercrime threats reported by businesses include:

  • Email compromise without financial loss (19%)
  • Business email compromise (BEC) fraud with financial loss (15%)
  • Identity fraud (11%)

These attacks often begin with stolen credentials or phishing emails and can escalate quickly into full-blown breaches or ransomware incidents.

It is worth noting that while email compromise without financial loss might sound like a win, it is still a serious breach. The attacker could be snooping on sensitive information, impersonating staff or setting up for a bigger attack later. No money lost yet, but the risk is real.

Why SMBs are attractive targets

Cybercriminals are increasingly targeting SMBs due to their perceived lower cyber maturity and valuable data holdings. Many small businesses lack the resources to implement robust cyber defences, making them easier targets for credential theft, ransomware, and data extortion.

Simple steps to strengthen your cyber defences

The good news? There are practical, cost-effective steps SMBs can take to reduce their risk:

  • Use phishing-resistant multi-factor authentication (MFA) – preferably passkeys.
  • Create strong, unique passwords and consider using a reputable password manager.
  • Keep software and systems up to date – patching vulnerabilities is critical.
  • Back up important data regularly and securely.
  • Be alert for phishing messages and scams – train your team to spot and report suspicious activity.

Assume compromise – and plan accordingly

The ACSC recommends that businesses adopt a mindset of “assume compromise” and prioritise protecting their most critical assets. Four key moves can help:

  1. Implement best-practice logging to detect threats early.
  2. Replace legacy IT systems that are no longer supported.
  3. Manage third-party risk – know who has access to your systems.
  4. Prepare for post-quantum cryptography – future-proof your security.