ACSC Report: What the 2024 Threat Landscape Means for SMBs


The Australian Cyber Security Centre dropped their latest Annual Cyber Threat Report, and it’s got plenty of alarming statistics. But let’s be honest - most of these reports read like they were written for enterprise security teams with dedicated staff and seven-figure budgets.

What does it actually mean for a small business owner in Brisbane or Perth or Adelaide? Let me translate.

The Headlines That Matter

Cybercrime reports increased again. The ACSC received over 94,000 cybercrime reports this year, up from the year before. That’s one report every 6 minutes. And remember, these are just the incidents people actually reported - the real number is much higher.

The average cost of cybercrime for small businesses: Around $46,000 per incident. That’s not pocket change for most SMBs. And it doesn’t include the hidden costs: lost productivity, damaged client relationships, the stress and distraction.

Business email compromise (BEC) remains the biggest financial threat. This is the one where attackers impersonate a supplier or executive to trick you into transferring money. The ACSC reported losses in the hundreds of millions. I’ve seen it happen to local businesses - a Sydney construction company lost $150,000 to a single fraudulent invoice.

What’s Actually Attacking SMBs

The report confirms what we’ve been seeing on the ground:

Phishing is still king. Despite all the training, all the warnings, people are still clicking malicious links and opening dodgy attachments. The phishing campaigns have gotten more sophisticated - they’re now using Australian brand names, referencing real local events, and the grammar has improved dramatically.

Ransomware groups are hitting smaller targets. The big attacks on major corporations make news, but ransomware operators have discovered that small businesses are easier to breach and more likely to pay. They won’t get $10 million from you, but $50,000 across 200 targets adds up.

Supply chain attacks are escalating. Attackers are going after the smaller companies that service larger ones. If you’re an IT provider, accountant, or anyone with access to client systems, you’re a high-value target even if you don’t think of yourself that way.

Exploitation of known vulnerabilities. Many successful attacks exploited security holes that had patches available for months. The attackers aren’t using brilliant new techniques - they’re walking through doors that were left open.

What the ACSC Is Recommending

No surprises here - the Essential Eight continues to be their primary recommendation. Specifically:

Patching is critical. The report emphasises patching known vulnerabilities as quickly as possible, especially internet-facing systems. When a patch is released, attackers immediately start scanning for vulnerable systems. The clock is ticking.

MFA prevents most account compromises. The ACSC keeps hammering this point because it keeps being true. Accounts without MFA are dramatically more likely to be compromised.

Backups need to be tested and offline. Having backups is great. Having backups that actually work and can’t be encrypted or deleted by ransomware is what matters. Ransomware operators routinely look for reachable backups and destroy them before they encrypt anything, so the copy that saves you is the one that is offline, or at least not writable with the same credentials that run your production systems.

The Part They Don’t Say Out Loud

Here’s my honest take on what the report implies but doesn’t explicitly state:

Most SMBs are still unprepared. The same vulnerabilities appear year after year. The same attack methods keep working. This tells me that the message isn’t getting through - or it’s getting through but not being acted on.

The government can’t protect you. The ACSC provides guidance, reports, and resources, but they can’t stop an attack on your business. You’re responsible for your own security.

Compliance isn’t security. You can tick all the boxes on a compliance checklist and still get breached if you’re not genuinely implementing and maintaining controls.

What You Should Actually Do

Based on this report, here’s where I’d focus if I were running a small business:

1. Take BEC seriously. Establish verification procedures for any financial transaction changes. If someone emails asking to change bank details, call them on a known number (not one from the email) to confirm. Every time, no exceptions.

2. Review your patching. How long does it take you to apply critical security patches? If the answer is “I don’t know” or “months,” that’s a problem. Aim for critical patches within 48 hours, starting with anything internet-facing. That is also the Essential Eight Maturity Level One bar for internet-facing services when a vulnerability is rated critical by the vendor or a working exploit exists; less severe ones get two weeks. You can’t measure either without a list of what you actually run, so an asset inventory comes first.

3. Test your backups. Not just “do you have backups” but “can you actually restore from them?” Schedule a test restoration and see what happens: restore to a separate machine, time how long it takes, and check that the restored data is complete and current, not just that the backup job reported success.

4. Assume you’ll be phished. Despite your best efforts, someone will eventually click something they shouldn’t. What happens then? Do you have endpoint protection that might catch it? Are privileges restricted so the damage is limited?

5. Check your supply chain. If you use external IT support, accountants, or any other providers with access to your systems, what are their security practices? Their weakness becomes your weakness.
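Item 2 above asks how long it takes you to apply critical patches, and the patching paragraph earlier makes the point that the clock starts the moment a patch is released. The script below is an added example, not code from the ACSC or from this article: it takes a small patch inventory, works out how long each known vulnerability stayed open, and lists everything past its SLA with the worst exposure first. The inventory records and host names are constructed, the advisory labels are placeholders, and while the 48-hour figure for critical patches is the one used in this article, the other SLA tiers are assumptions you should replace with your own policy.

```python
"""Patch-latency report for a small fleet: how long did each known
vulnerability stay open, and which ones are past the SLA right now?

Added example, not from the ACSC report or this article. The inventory
below is constructed; the 48-hour critical target is the article's figure,
the other SLA tiers are assumptions to replace with your own policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import List, Optional

# Hours allowed between patch release and deployment, by vendor severity.
SLA_HOURS = {"critical": 48, "high": 24 * 14, "medium": 24 * 30}  # assumed tiers


@dataclass
class PatchRecord:
    host: str
    advisory: str                 # placeholder label; use the vendor advisory or CVE id
    severity: str                 # key into SLA_HOURS
    internet_facing: bool
    patch_released: datetime
    patch_applied: Optional[datetime] = None   # None = still unpatched


def hours_open(rec: PatchRecord, now: datetime) -> float:
    """Hours from patch release to deployment, or to now if still open."""
    end = rec.patch_applied or now
    return (end - rec.patch_released).total_seconds() / 3600


def patch_report(records: List[PatchRecord], now: datetime) -> dict:
    """Summarise time-to-patch and list every record past its SLA.

    Overdue items are ordered worst-first: still open before fixed-late,
    internet-facing before internal, then by how far past the SLA they are."""
    overdue = []
    closed_hours = []
    for r in records:
        age = hours_open(r, now)
        if r.patch_applied is not None:
            closed_hours.append(age)
        excess = age - SLA_HOURS[r.severity]
        if excess > 0:
            overdue.append({
                "host": r.host,
                "advisory": r.advisory,
                "severity": r.severity,
                "internet_facing": r.internet_facing,
                "still_open": r.patch_applied is None,
                "hours_over_sla": round(excess, 1),
            })
    overdue.sort(key=lambda f: (not f["still_open"],
                                not f["internet_facing"],
                                -f["hours_over_sla"]))
    return {
        "median_hours_to_patch": round(median(closed_hours), 1) if closed_hours else None,
        "open_count": sum(1 for r in records if r.patch_applied is None),
        "overdue": overdue,
    }


def sample_records(now: datetime) -> List[PatchRecord]:
    """Constructed inventory standing in for a real asset/patch list."""
    def ago(days: int) -> datetime:
        return now - timedelta(days=days)
    return [
        # Patched the next day: inside the 48-hour window, not reported.
        PatchRecord("mail-gw", "patch-A", "critical", True, ago(10), ago(9)),
        # Critical on the edge firewall, released 30 days ago, never applied.
        PatchRecord("fw-edge", "patch-B", "critical", True, ago(30)),
        # Critical on an internal file server, took 5 days: fixed, but late.
        PatchRecord("file-srv", "patch-C", "critical", False, ago(20), ago(15)),
        # Medium on a workstation, 10 days and counting: inside the 30-day tier.
        PatchRecord("ws-07", "patch-D", "medium", False, ago(10)),
    ]


def demo() -> dict:
    """Run the report against the constructed inventory at a fixed 'now'."""
    now = datetime(2024, 11, 1, tzinfo=timezone.utc)
    return patch_report(sample_records(now), now)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Feed it from whatever you already have, even a spreadsheet exported to CSV; the point is that "I don’t know" turns into a number (median hours to patch) and a short, prioritised list of what is still exposed. If the median is measured in weeks, item 2 above is where your effort should go.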
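Item 3 above, and the "tested and offline" recommendation earlier, both come down to the same question: can you prove a backup restores correctly before the day you need it? The script below is an added example, not code from the ACSC or from this article. It backs up a folder, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and checks every file against that manifest, then repeats the check against a second archive built after one file was altered and another lost, standing in for a backup that was silently incomplete or tampered with. The client folder, file contents and archive names are all constructed for the demo.

```python
"""Automated restore test: back up a folder, restore it into a scratch
directory and prove every file came back byte-for-byte.

Added example, not code from the ACSC or this article. The sample files,
paths and the 'damaged backup' are all constructed for the demo."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(src: Path) -> dict:
    """Relative POSIX path -> sha256 for every regular file under src."""
    return {p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Tar+gzip src and write a hash manifest next to the archive.
    Keep a copy of the manifest somewhere the backup host cannot overwrite,
    otherwise a tampered archive can ship with a matching tampered manifest."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    archive.with_name(archive.name + ".manifest.json").write_text(
        json.dumps(manifest, indent=1))
    return manifest


def restore_test(archive: Path, manifest: dict) -> dict:
    """Restore into a throwaway directory and diff it against the manifest.
    'ok' is True only when every manifest entry is present with the right hash."""
    report = {"ok": False, "restored": 0, "missing": [], "mismatched": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        # The 'data' extraction filter (Python 3.12, backported to 3.8.17+)
        # refuses absolute paths, '..' traversal and device nodes in the archive.
        extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(dest, **extract_opts)
        except (tarfile.TarError, OSError, EOFError) as exc:
            report["error"] = f"archive unreadable: {exc}"
            return report
        for rel, expected in manifest.items():
            target = dest / rel
            if not target.is_file():
                report["missing"].append(rel)
            elif sha256_file(target) != expected:
                report["mismatched"].append(rel)
            else:
                report["restored"] += 1
    report["ok"] = not report["missing"] and not report["mismatched"]
    return report


def demo() -> tuple:
    """Back up a constructed client folder and restore-test it, then test a
    second archive built after one file was altered and another lost."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "clients"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2024-07.csv").write_text("ACME Pty Ltd,4500.00\n")  # constructed
        (src / "contacts.txt").write_text("accounts@example.com\n")              # constructed

        good_archive = root / "clients-backup.tar.gz"
        manifest = create_backup(src, good_archive)
        good = restore_test(good_archive, manifest)

        (src / "contacts.txt").write_text("attacker@example.net\n")  # altered after backup
        (src / "invoices" / "2024-07.csv").unlink()                   # lost before the next run
        bad_archive = root / "clients-partial.tar.gz"
        with tarfile.open(bad_archive, "w:gz") as tar:
            tar.add(src, arcname=".")
        bad = restore_test(bad_archive, manifest)
    return good, bad


if __name__ == "__main__":
    for label, rep in zip(("good backup", "damaged backup"), demo()):
        print(label, json.dumps(rep))
```

A passing restore test proves the archive is restorable; it says nothing about whether ransomware could reach and delete it. Run the test from a separate machine against a copy your production credentials cannot write to, and you have covered both halves of the recommendation.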

The Bigger Picture

Look, I get it. These reports can feel overwhelming. Threats are increasing, attacks are more sophisticated, and you’ve already got a business to run.

But here’s the thing: you don’t need to be perfectly secure. You just need to be secure enough that attackers move on to easier targets. Most cybercriminals are opportunistic - they’re looking for open doors, not picking locks.

The Essential Eight, implemented even at Maturity Level One, closes most of those doors. It won’t stop a nation-state actor with unlimited resources (but let’s be real, if ASIO is concerned about your business, you’ve got bigger problems). It will stop the ransomware gangs, the BEC scammers, and the automated attacks that make up the vast majority of threats.

The ACSC report is sobering reading. But it’s also a roadmap. The attacks that worked last year will work again this year unless we do something different.

Will you?