Most small business owners know that cyber attacks are a risk. Fewer know what one actually costs. The numbers are worse than you think, and they go well beyond the ransom or the IT bill.
The Numbers
According to the ASD Annual Cyber Threat Report 2024-2025, the average self-reported cost of cybercrime for a small business in Australia is $56,600 per incident (up 14% year on year). For medium businesses, it's $97,200 (up 55%). For large businesses, $202,700 (up 219%). And those are averages. The worst cases run into the millions.
The ACSC received over 84,000 cybercrime reports in FY2024-25, averaging one every six minutes. ASD also responded to over 1,200 cyber security incidents, an 11% increase from the previous year. And those are just the ones that get reported.
According to industry research, 43% of cyber attacks target small businesses. Not because they have the most valuable data, but because they're the easiest to breach.
What People Miss: The Hidden Costs
The direct financial loss (ransom payment, stolen funds, fraud) is usually the smallest part of the bill. The real cost is everything that follows.
Downtime
The ASD Annual Cyber Threat Report 2024-2025 calls ransomware the most disruptive cybercrime threat facing Australian organisations. ASD responded to 138 ransomware incidents in FY2024-25, and the operational disruption from each can last weeks. That's weeks where you can't invoice, can't access customer records, can't operate normally. For a business doing $500,000 a year in revenue, even two to three weeks of downtime costs tens of thousands in lost income alone.
Recovery and remediation
Forensic investigation to figure out what happened. Emergency IT support to rebuild systems. New hardware if devices are compromised. Software re-licensing. Data recovery from backups (if you have them). Together, these easily run $10,000 to $50,000 depending on the severity.
Legal and regulatory
Under the Privacy Act 1988, Australian businesses with revenue over $3 million must report eligible data breaches to the Office of the Australian Information Commissioner (OAIC). The Notifiable Data Breaches scheme requires assessment within 30 days and notification as soon as practicable. Following the 2022 Privacy Legislation Amendment, penalties for serious or repeated breaches can reach up to $50 million, three times the benefit obtained, or 30% of adjusted turnover, whichever is greater. Even if you're under the revenue threshold, state-based privacy obligations may still apply.
Reputation damage
This is the hardest cost to quantify but often the most damaging. Customers lose trust. Contracts get reviewed. Partners ask uncomfortable questions. The OAIC received 595 data breach notifications in the second half of 2024 alone, a 15% increase, making 2024 the year with the most notifications since the scheme began in 2018. Each notification means affected individuals are told their data was compromised. That kind of disclosure erodes trust in ways that take years to rebuild.
Insurance consequences
Even if you have cyber insurance, a claim will increase your premiums. And if your insurer finds that you lacked basic controls (like MFA or current patching), they may reduce or deny the payout entirely. Insurance is a safety net, not a security strategy.
Real Scenarios, Real Costs
The following scenarios are illustrative composites based on patterns commonly reported in ACSC and OAIC case studies. Details have been generalised to protect the organisations involved.
A regional accounting firm in Victoria had a staff member click a phishing link. The attackers gained access to the email system, sent fraudulent invoices to clients, and redirected $87,000 in payments. The firm spent $35,000 on incident response and lost two clients, and its insurance premium tripled at renewal.
A construction company in Queensland had ransomware encrypt their project files and accounting data. They had backups, but hadn't tested restores. Recovery took four weeks. Total cost including lost contracts and emergency IT: over $120,000.
A dental practice in South Australia had patient records exposed through an unpatched server. They were required to notify affected patients under the Notifiable Data Breaches scheme. The reputational damage took over a year to recover from.
What Does Prevention Actually Cost?
Here's the thing that makes these stories frustrating: the controls that would have prevented most of these incidents are neither expensive nor complicated.
- MFA on all accounts: free to enable with most providers.
- Automated patching: built into Windows, macOS, and most business software.
- Daily backups with tested restores: $50 to $200 per month for a cloud backup solution.
- Restricting admin privileges: a configuration change, not a purchase.
- Application control: available in Windows Pro and Enterprise at no extra cost.
The total cost of implementing Essential Eight Level 1 controls for a typical small business ranges from $0 (for businesses using modern cloud platforms) to a few thousand dollars for those that need some infrastructure changes. Compare that to $56,600+ per incident.
The ROI on basic cybersecurity is overwhelming. Spending a few hundred dollars on prevention can save tens of thousands in recovery.
The Essential Eight Connection
The Essential Eight framework exists precisely because these attacks are preventable. Each strategy directly addresses a common attack vector:
- Phishing leads to compromised accounts. MFA stops it.
- Unpatched software gets exploited. Patching closes the holes.
- Ransomware encrypts your data. Backups let you recover without paying.
- Malware runs on your systems. Application control prevents execution.
- Attackers escalate privileges. Restricting admin access limits the damage.
Every control you implement reduces your attack surface. You don't need all eight perfect on day one. You just need to start.
What to Do Right Now
Take 5 minutes to run a Quick Check assessment. It covers the 10 most critical controls and shows you where your biggest risks are. It's free, it's private (your data never leaves your browser), and it gives you a clear starting point.
The cost of a cyber attack is real. The cost of checking where you stand is zero.
