The Australian Cyber Security Centre recorded more than 76,000 cybercrime reports in the 2024-25 financial year — up 23% on the year before. Numbers at that scale can feel abstract, like weather statistics for a storm somewhere else. They are not. Every one of those reports is a business or individual who has already been through what you are trying to prevent.
The more useful question is not “how big is the number” but “who is behind it, and why.” The honest answer runs against the instinct most business owners have.
01Why smaller businesses, not larger ones
43% of attacks target businesses with fewer than 50 staff. That is not because smaller businesses hold less valuable data — client records, financial details, and system access are worth the same to an attacker regardless of your headcount. It is because the controls guarding that data are, on average, weaker and cheaper to get past. A large enterprise has a security team, a budget line, and a board asking pointed questions. A 30-person business usually has an IT provider and a firewall. Attackers are running a numbers game, and the numbers favour the smaller target.
02What a report actually costs
The average Australian SMB breach costs around $122,000 — direct incident-response costs, lost trading time, notification obligations, and the customers who do not come back. 60% of small businesses that suffer a breach close within six months. That is the real weight sitting behind the ACSC's report count: not an inconvenience, a genuine threat to the business continuing to exist.
03Why the number keeps climbing
Three forces are compounding. Attack tooling has become cheaper and more automated, so a single operator can target thousands of businesses in the time it once took to target dozens. Ransomware-as-a-service means technical skill is no longer the barrier to running an attack — renting a kit is. And Australian businesses are, slowly, getting better at reporting incidents rather than quietly absorbing them, which means part of the rise is visibility catching up to a threat that was already there.
04What actually moves the needle
The businesses that do not end up as one of the 76,000 are not the ones spending the most. They are the ones with the fewest gaps in a short list of controls: multi-factor authentication enforced everywhere, endpoints protected with monitored detection rather than consumer antivirus, backups that are tested and cannot be encrypted alongside the rest of the network, and a plan for the first hour after something goes wrong. 67% of Australian SMB owners already rate cyber risk a top-three concern — the gap is between knowing it matters and knowing exactly where your own business stands.
That second part is the one worth resolving this quarter, not next year. A ten-question, three-minute assessment will tell you where you sit today; a Cyber Readiness Assessment tells you precisely what to fix and in what order.
Where this leaves you
Knowing the risk is not the same as knowing your own exposure.
The Cyber Readiness Assessment gives you a written, prioritised answer in ten business days — credited toward your first year if you go further with us.