The Australian Signals Directorate’s 2025 Annual Cyber Threat Report has just been released. It warns that malicious cyber activity remains a national risk, urging Australians and businesses to strengthen their defences.
The Australian cyber landscape faces both persistent state-sponsored cyber actors and relentless cybercriminals targeting the economy for financial gain. The report indicates that it’s happening more often, it’s costing us more, and SMBs are a target.
Financial and Operational Impact on Small Business
- Frequency: The ACSC received over 84,700 cybercrime reports to ReportCyber, on average one every 6 minutes.
- Increasing Costs: The average self-reported cost of cybercrime per report for small business increased by 14% in FY2024–25, reaching $56,600.
- Targeting SMBs: Small-to-medium enterprise owners face significantly higher rates of all types of cybercrime compared to other victims, and they are more likely to lose larger amounts when victimised.
- Ransomware and Data Theft: Ransomware continues to be the most disruptive cybercrime threat, resulting in serious operational, financial, and reputational consequences. Cybercriminals commonly use malware designed to covertly harvest information (info stealers) from victims, using the stolen data, usernames, and passwords to launch subsequent attacks and compromise corporate accounts.
- Top Reported Threats: The top self-reported cybercrime threats for businesses include Email compromise resulting in no financial loss (19%), Business email compromise (BEC) fraud resulting in financial loss (15%), and Identity fraud (11%).
Vulnerabilities and Supply Chain Risk
- Exploiting Weaknesses: Malicious cyber actors leverage vulnerabilities in the technology and security practices of individuals and businesses.
- Legacy IT Risk: Legacy IT increases the likelihood and impact of a cyber security incident, often allowing actors to gain a foothold before moving to more modern systems.
- Edge Device Vulnerabilities: Internet-facing vulnerabilities in edge devices (routers, firewalls, VPNs) are common and are difficult for network owners to monitor or secure, making them attractive targets for initial access.
- Third-Party and Supply Chain Exploitation: The IT supply chain can often be the weakest link, as malicious actors exploit trusted relationships between the vendor and the customer to steal information or deliver malware.
Actions and Mitigations
We all need to fortify our cyber resilience. For small businesses, the basics are the most effective first line of defence, and implementing these mitigations can prevent the majority of incidents.
Essential Actions for Small Business Cybersecurity
Small businesses and individuals should focus on these core defensive actions:
- Use Strong MFA: Implement strong Multi-Factor Authentication wherever possible, preferably phishing-resistant options like passkeys.
- Manage Credentials: Use strong and unique passwords/passphrases, and consider implementing a reputable password manager.
- Keep Software Updated: Keep software and operating systems on devices updated. Replace software or devices that are no longer supported by vendors.
- Practice Vigilance: Be alert for phishing messages and scams. If a social engineering attempt is suspected, do not engage, and report it immediately.
- Data Backup: Regularly back up important data in a secure and proven manner.
Waiting until you experience data loss to decide whether you need a backup plan is too late. Not having a backup is simply an accident waiting to happen – yet it can still be a challenge to get businesses to take it seriously.
Actions for Businesses and MSPs
Businesses and IT service providers should operate with an “assume compromise” mindset, starting with the basics and building from there.
- Prioritise Assets: Businesses should prioritise the protection of their most critical assets or ‘crown jewels’.
- Secure Edge Devices: Network owners should change default credentials, enable phishing-resistant MFA, disable unneeded internet-facing functionality, and keep network devices up to date.
- Replace Legacy IT: To eliminate risks, legacy IT should be replaced with supported systems. If replacement is not immediately feasible, temporary measures should be adopted to mitigate risk.
- Incident Response: Everyone should have a cyber security incident response plan and test it regularly.
- Reporting: It remains critically important to report suspicious cyber activity, incidents, and vulnerabilities. Reporting helps the ACSC build understanding of the threat environment and develop updated advice.
"Just like seatbelts in a car, having a cyber incident response plan (CIRP) isn't optional. It may seem inconvenient at first, but you’ll be glad you have it when disaster strikes. Everyone on your team must know it, or where to find it. Regular rehearsals ensure we can act quickly and confidently if a real incident occurs."
Sean Dendle, Cymax
This report is a clear call to action: criminals are exploiting new technologies and targeting SMBs. Small businesses face rising exposure and must prioritise working with their IT providers for proactive risk management and cloud security.
Manage Protect can help with tailored cloud security advice, recommendations and SMB1001 certification support – get in touch today