What 2025 Taught Us About SMB Cybersecurity
As we approach the end of 2025, it’s worth reflecting on what we’ve learned about cybersecurity for small business this year. Some trends accelerated, some threats evolved, and some lessons repeated themselves (unfortunately).

Here’s my take on the year that was.

The Big Themes

AI changed both sides of the equation.

2025 was the year AI security tools went mainstream. Microsoft and Google integrated AI into their security offerings, and even SMB-friendly products got smarter about detecting threats.

But attackers used AI too. Phishing emails got more convincing - better grammar, better personalisation, harder to spot. Voice cloning made vishing attacks more credible. And AI-generated content made social engineering at scale possible.

The net result? AI isn’t a silver bullet for defence, but it’s raising the baseline on both sides.

Supply chain attacks hit smaller targets.

The lesson from big breaches like Medibank and Optus - that attackers target suppliers to reach larger organisations - filtered down to the SMB level. Small IT providers, accountants, and professional services firms faced more sophisticated attacks because of who they connect to.

If you have access to larger clients’ systems or data, you’re a target whether you think of yourself that way or not.

Ransomware operators got more professional.

Ransomware as a Service continued to mature. The criminals running these operations have customer service, negotiation specialists, and business models. They’re also increasingly hitting smaller targets with smaller ransom demands - easier to pay, less law enforcement attention.

The volume of attacks on Australian SMBs increased even as the headline-grabbing attacks decreased. Death by a thousand small cuts.

Insurance requirements tightened (again).

Cyber insurance got harder to get and more expensive. Insurers now commonly require MFA, endpoint protection, and backup verification before they’ll quote. Some are asking about Essential Eight compliance specifically.

The upside: insurance requirements are forcing security improvements that should have happened anyway. The downside: some businesses are finding themselves uninsurable or underinsured.

The Incidents That Mattered

Without naming specific victims, here are patterns I saw repeatedly in 2025:

Business email compromise remained the biggest financial threat. I worked with multiple Australian businesses that lost significant money to invoice fraud and payment redirection. The attacks were low-tech - just convincing emails and social engineering - but devastatingly effective.

Ransomware hit businesses that thought they were prepared. Having backups isn’t enough if they’re connected to the network. I saw businesses with “good backup practices” discover their backups were encrypted too.

Credential stuffing attacks continued. Credentials stolen in unrelated breaches were tried against business systems. Without MFA, these attempts often succeeded.

Third-party compromises caused downstream damage. When a vendor got breached, their clients had to scramble to assess their own exposure and communicate with customers.

What Worked

Some approaches clearly helped businesses stay safer:

MFA deployment. Businesses that had MFA everywhere didn’t face credential-based compromises. This continues to be the highest-impact control available.

Regular patching discipline. Businesses with consistent patch management avoided exploitation of known vulnerabilities. Automatic updates for workstations, scheduled maintenance for servers.

Tested backups with isolation. When ransomware hit, businesses with offline or immutable backups could recover. Those without had to pay, negotiate, or rebuild from scratch.

Security awareness that stuck. Not annual click-through training, but ongoing reinforcement. Businesses where reporting suspicious emails was normal and fast caught phishing campaigns early.

Essential Eight as a framework. Businesses using Essential Eight as their roadmap made consistent progress. Having a clear framework beats ad-hoc security spending.

What Didn’t Work

And some approaches clearly failed:

“We’re too small to be targeted.” I heard this repeatedly from businesses that were subsequently attacked. The attackers don’t care about your size; they care about their return on investment.

Compliance-driven security. Businesses focused on passing audits rather than managing risk. They had the policies but not the practices. When something happened, the gap between documentation and reality was painful.

Silver bullet thinking. Businesses that bought expensive tools expecting magic protection. Without proper configuration, monitoring, and response capability, tools are expensive paperweights.

Ignoring third-party risk. Businesses that had tight internal controls but gave vendors broad access. The perimeter extended further than they realised.

Predictions for 2026

Based on what I’m seeing:

AI attacks will become standard. Attackers will assume AI-assisted phishing and social engineering as baseline. Defence needs to adapt.

Regulatory requirements will expand. Privacy Act reforms will likely bring more businesses under stricter requirements. The Essential Eight may become more formally required for government suppliers.

Insurance will continue driving security. The practical minimum bar for security will increasingly be set by what insurers require rather than what businesses choose.

Supply chain security will become mandatory. Larger clients will require more formal security attestation from smaller suppliers. If you can’t demonstrate security, you’ll lose contracts.

The basics will still matter most. MFA, patching, backups, awareness - these will remain the foundation. Advanced controls are nice to have; basics are essential.

Lessons for Your 2026 Planning

If you’re planning your security priorities for the coming year:

1. Get the fundamentals right. Before investing in new tools, verify that MFA is universal, patches are current, and backups are tested. These remain the highest-value controls.

2. Know your third-party exposure. Inventory who has access to what. Review vendor security. Include third-party risk in your planning.

3. Plan for incidents. You might be breached despite best efforts. How will you detect it, respond, and recover? Test your plans.

4. Budget realistically. Security costs money. Factor it into your business planning, not as an afterthought but as an operational necessity.

5. Build culture, not just controls. Technical controls fail if people work around them. Make security part of how your business operates, not something imposed from outside.

The Bottom Line

2025 taught us that small businesses can’t hide from cyber threats. The attackers are organised, patient, and increasingly targeting the SMB segment.

But it also taught us that reasonable security measures work. Businesses with disciplined fundamentals - MFA, patching, backups, awareness - navigated the threat landscape much better than those without.

Security isn’t about perfection. It’s about consistent, sustained effort on the things that matter most. Do that, and you’re ahead of most businesses.

Here’s to a more secure 2026.