
67% of Cyber Incidents Target Small Businesses, Australia's Escalating Threat (and What to Do)

Shaun Wong
7 min read

The Australian Cyber Security Centre's latest annual report makes for uncomfortable reading if you run a small business. Two-thirds of all reported cyber incidents in Australia involved small and medium businesses, and that figure rose 23% from the previous year. If you assumed cybercriminals were only interested in big corporations with deep pockets, the data says otherwise.

The reason small businesses are targeted so frequently comes down to three things: weaker defences, faster payments, and less oversight. A sole trader or a 10-person team rarely has a dedicated IT security person. Invoice payments often go through without a second pair of eyes. And if ransomware locks your files on a Wednesday, you need them back by Friday or the business grinds to a halt. Criminals know this, and they price their attacks accordingly.

The good news is that the most common attacks are also the most preventable. Here are the three types hitting Perth businesses hardest right now, and what you can do about each one.

Where to start with small business cybersecurity, explained simply.

Phishing and Business Email Compromise

Phishing remains the entry point for the majority of cyber incidents. It's no longer just the obvious "Nigerian prince" emails: modern phishing is targeted, personalised, and increasingly hard to spot. Business Email Compromise (BEC) takes it a step further: an attacker either breaks into your email account or creates one that looks identical to yours, then contacts your customers, suppliers, or staff with fraudulent payment instructions.

The average loss to an Australian SMB from a BEC attack exceeds $50,000. In a typical scenario, a Perth trades business receives what looks like an email from their accountant, asking them to update the bank account for an upcoming payment. The email domain differs by one letter. The payment goes through. By the time anyone notices, the money is gone and near-impossible to recover.

The fix is not expensive. Enable multi-factor authentication (MFA) on your email accounts so that even if someone steals your password, they can't log in. Set up a simple verbal confirmation rule: any change to payment details gets a phone call to confirm, using a number you already have, never one provided in the email. Most banks and accounting bodies recommend this as standard practice.
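The "domain differs by one letter" trick in the scenario above can be caught mechanically. The following is an added example (not code from the article or from Tech Hero) that compares a sender's domain against a list of domains you already trust and flags near-misses; the trusted domains and sample headers are constructed placeholders.

```python
# Added example: flag sender domains that are within a couple of character
# edits of a domain you already trust (the BEC lookalike pattern).
from email.utils import parseaddr

# Constructed placeholders: replace with your real supplier/accountant domains.
TRUSTED_DOMAINS = {"example-accountants.com.au", "example-supplier.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Lower-cased domain from a From: header value, or '' if none found."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' (close to a trusted domain) or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    # A near-miss on a trusted domain is the dangerous case: it is designed
    # to pass a quick glance, so it deserves the phone-call confirmation step.
    if any(edit_distance(domain, good) <= max_edits for good in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, including the one-letter swap from the article.
    for hdr in ["Accounts <accounts@example-accountants.com.au>",
                "Accounts <accounts@examp1e-accountants.com.au>",
                "Someone <someone@gmail.com>"]:
        print(f"{classify_sender(hdr):10s} {hdr}")
```

A "lookalike" result is the cue to apply the verbal confirmation rule before acting on any payment instruction; an "unknown" sender still warrants the same care, the check simply cannot prove it is impersonating someone.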

Credential Theft and Weak Passwords

The second major attack type doesn't require any clever hacking. Criminals simply buy lists of leaked usernames and passwords from previous data breaches (there are billions of them freely available on the dark web) and try them across popular business services. If you use the same password across multiple accounts, one breach on any website puts all your accounts at risk.

A realistic scenario: a Perth retail business owner uses the same password for their Shopify store, their Gmail, and their accounting software. A data breach at an unrelated subscription service exposes that password. Within hours, automated tools try it against common business platforms. The attacker gets into the accounting software, changes the bank account details for upcoming payments, and is gone before anyone notices.

The solution is a password manager. Tools like Bitwarden (free for individuals, very affordable for teams) or 1Password generate and store a unique, complex password for every account. You only need to remember one master password. Combine this with MFA on all critical accounts and credential theft becomes significantly harder. This is not a big investment: most password managers cost less than $10 per user per month.

Ransomware via Remote Access

Ransomware is the attack that makes headlines, and for good reason. It encrypts all your files and demands payment, usually in cryptocurrency, to get them back. The most common entry point for small businesses isn't a sophisticated hack; it's remote desktop tools left open to the internet, often set up by a previous IT provider and never properly secured.

A common scenario in Perth: a small professional services firm has a Windows server accessible via Remote Desktop Protocol (RDP) so staff can work from home. The port is open to the internet, the password hasn't been changed in two years, and there's no MFA. Automated scanning tools find the open port within hours of it being exposed. A ransomware group logs in, deploys their software overnight, and by morning every file on the network is encrypted. The ransom demand: $15,000 in Bitcoin.

The fix for ransomware is a two-part approach. First, lock down remote access: use a VPN instead of RDP directly exposed to the internet, and require MFA. Second, and equally important, maintain proper backups. The 3-2-1 rule is the standard: keep three copies of your data, on two different types of media, with one copy stored off-site (cloud backup services handle this automatically). If you have clean backups from yesterday, ransomware loses most of its leverage.

The Core Four Protections Every Business Needs

You don't need to solve everything at once. If you implement these four things before the end of the month, you'll be meaningfully more secure than the majority of Australian small businesses:

MFA on all accounts. Start with email, accounting software, and any cloud storage. Microsoft 365 and Google Workspace both have MFA built in; it takes about 10 minutes to enable. This single step blocks the vast majority of account takeover attacks.

A password manager. Replace reused and weak passwords across your team. Bitwarden has a free tier and a team plan at around $5 per user per month. 1Password is slightly more polished if your team works across multiple devices.

Automatic backups following the 3-2-1 rule. If your files live on Microsoft 365 or Google Workspace, automatic cloud backup is partly built in, but it's worth adding a dedicated backup tool. Backblaze Business Backup runs about $7 per computer per month and backs up continuously in the background.

Email filtering. Most spam filters catch obvious phishing, but a dedicated email security layer (Microsoft Defender for Business or a third-party tool like Proofpoint Essentials) adds another level of protection against targeted attacks. If you're on Microsoft 365, Defender is included in Business Premium plans.

Reporting and Getting Help

If you experience a cyber incident, report it to ReportCyber.gov.au. This is the Australian Government's official reporting portal and it's free to use. Reporting helps the ACSC track trends and build a better picture of the threat landscape, and in some cases, they can provide direct assistance.

For a structured approach to improving your security posture, the Australian Signals Directorate's Essential Eight framework is the best starting point for Australian businesses. It's freely available at cyber.gov.au and covers the eight mitigation strategies that address the most common attack vectors. You don't need to implement all eight at once; even the first two or three make a significant difference.

If you'd like an honest assessment of where your business stands right now, we offer a straightforward security review that covers your current setup against the Essential Eight baseline. Most Perth businesses we work with have low-hanging fruit that can be addressed quickly and affordably; the goal is practical improvement, not a long list of expensive upgrades.

The threat is real and it's growing, but so is the awareness. The businesses that take a few concrete steps now are the ones that won't be calling us in a panic on a Friday afternoon.
