Cyber insurance for Australian small businesses

Cyber attacks on Australian small businesses are no longer a matter of if, they’re a matter of when. The average incident now costs $56,600, Australia receives a cybercrime report every 6 minutes, and 90% of those reports come from businesses with under $2M revenue. The threat is real, it’s growing, and most standard business insurance doesn’t cover it.

Whether you want an instant quote in 2 minutes or want to talk through your specific risk with a broker — Pocket covers both. Get an instant quote → or book a free call →

TL;DR

  • The average cost of a cyber incident for an Australian small business is now $56,600 per incident, up 14% in FY2024–25, according to the Australian Signals Directorate. 
  • Australia receives a cybercrime report every 6 minutes.
  • 90% of cybercrime reports in Australia and New Zealand come from businesses with under $2M revenue.
  • SMEs are the target of 43% of all cyber attacks in Australia, not because they are interesting, but because they are easy targets.
  • Most standard Business Pack policies do not cover cyber incidents. A separate Cyber Insurance policy is required.

Why are Australian SMEs being targeted more than ever?

Cybercriminals don’t discriminate by company size. They discriminate by security posture, and SMEs consistently present weaker targets than large enterprises.

The Australian Signals Directorate’s Annual Cyber Threat Report for FY2024–25 confirmed that the average self-reported cost of a cybercrime incident for Australian small businesses rose by 14% to $56,600. Other sources, accounting for ransom payments, system restoration, downtime, and reputational harm, report average losses between $49,600 and $122,000 depending on industry and the nature of the breach.

In Australia and New Zealand, 90% of cybercrime reports come from businesses with under $2M in annual revenue. Small businesses are the target of 43% of all cyber attacks in the country, not because they’re high-value targets, but because they’re accessible ones.

Sources: ASD Annual Cyber Threat Report FY2024–25; Computer One, 2026; DeepStrike Cyber Attacks on Small Businesses, 2025

What does a cyber incident actually cost?

The headline number — $56,600 — understates the true impact for many businesses. Here’s what goes into it:

Cost category                   What it includes
Incident response               IT forensics, system restoration, emergency support
Ransom payment (if paid)        Can range from thousands to hundreds of thousands
Downtime and lost revenue       Time systems are unavailable, sales lost, staff unproductive
Notification costs              Contacting affected customers and regulators
Legal and regulatory costs      Privacy Act obligations, OAIC notification, legal advice
Reputational damage             Lost clients, damaged supplier relationships
Replacement hardware/software   New systems, licences, security tools

The Notifiable Data Breaches scheme under the Privacy Act requires businesses with annual turnover above $3M (and certain smaller entities, such as health service providers) to notify affected individuals and the OAIC of eligible data breaches. From 1 July 2026, more businesses will be subject to these obligations due to AML Tranche 2 changes.

Additionally, the Cyber Security Act 2024 introduced mandatory reporting of ransomware and cyber extortion payments, within 72 hours of the payment, for businesses with annual turnover above $3 million.

The most common attacks targeting Australian SMEs

1. Phishing and business email compromise (BEC) 

Social Engineering Fraud covers a range of attacks where criminals manipulate people into transferring funds or sharing credentials. Business Email Compromise (BEC) is the most common form: an employee receives a convincing email impersonating a supplier, the ATO, or a senior colleague, and either clicks a malicious link or transfers funds to a fraudulent account. Typical tell-tale signs are a known name on an external sender address, a Reply-To that points somewhere other than the From address, a lookalike supplier domain, and urgent wording about changed bank details. BEC alone costs Australian businesses tens of millions annually. When reviewing your policy, look for “Social Engineering Fraud” cover; BEC is covered under this section.
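The impersonation pattern described above, as an added example that is not part of the original article or Pocket’s material: a small Python triage script that flags common BEC indicators in inbound mail headers (executive display name on an external domain, Reply-To pointing elsewhere, a lookalike of a trusted supplier domain, and payment-change wording in the subject). The internal domain, executive names, supplier domains, keyword list and the four sample messages are all constructed for illustration, and the edit-distance threshold is a tunable assumption.

```python
"""Heuristic BEC indicator checks over message headers.

Added illustrative example. Every name, domain and message below is
constructed; none is real data from any organisation.
"""
from email.utils import parseaddr

# Assumed internal domain and executive display names (constructed).
INTERNAL_DOMAIN = "example-smb.com.au"
EXECUTIVES = {"jane smith", "peter jones"}
# Assumed trusted supplier / agency domains (constructed).
TRUSTED_DOMAINS = {"payrollprovider.com.au", "ato.gov.au"}
# Assumed subject phrases that commonly accompany payment-redirection fraud.
PAYMENT_PHRASES = ("bank details", "urgent payment", "change of account")
# Assumed threshold: domains within this edit distance of a trusted one are lookalikes.
LOOKALIKE_DISTANCE = 2


def parse_address(header):
    """Return (display name lower-cased, domain lower-cased) for a header value."""
    name, addr = parseaddr(header or "")
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain `domain` imitates, or None if it is exact/unrelated."""
    known = TRUSTED_DOMAINS | {INTERNAL_DOMAIN}
    if not domain or domain in known:
        return None
    for legit in known:
        if edit_distance(domain, legit) <= LOOKALIKE_DISTANCE:
            return legit
    return None


def bec_indicators(headers):
    """Return a list of human-readable BEC indicators found in one message's headers."""
    findings = []
    name, from_domain = parse_address(headers.get("From", ""))
    _, reply_domain = parse_address(headers.get("Reply-To", headers.get("From", "")))

    # 1. A known executive's name arriving from outside the company.
    if name in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        findings.append(f"executive name '{name}' sent from external domain {from_domain}")
    # 2. Replies silently redirected to a different domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 3. Sender domain is a near-miss of a trusted supplier or agency.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"sender domain {from_domain} resembles trusted domain {target}")
    # 4. Subject pushes a payment or bank-detail change.
    subject = headers.get("Subject", "").lower()
    if any(phrase in subject for phrase in PAYMENT_PHRASES):
        findings.append("subject contains payment-change wording")
    return findings


# Constructed sample messages: three suspicious, one benign.
SAMPLE_MESSAGES = {
    "msg1": {"From": '"Jane Smith" <jane.smith@gmail.com>',
             "Subject": "Urgent payment needed today"},
    "msg2": {"From": '"Accounts" <accounts@payrol1provider.com.au>',
             "Subject": "Change of account details"},
    "msg3": {"From": '"Peter Jones" <peter.jones@example-smb.com.au>',
             "Reply-To": '"Peter Jones" <peter.jones@outlook.com>',
             "Subject": "Invoice"},
    "msg4": {"From": '"Payroll" <accounts@payrollprovider.com.au>',
             "Subject": "July payslips"},
}


def triage(messages):
    """Map message id -> list of indicators; empty list means nothing flagged."""
    return {msg_id: bec_indicators(hdrs) for msg_id, hdrs in messages.items()}


if __name__ == "__main__":
    for msg_id, findings in triage(SAMPLE_MESSAGES).items():
        print(msg_id, "->", findings or "no indicators")
```

None of these checks replaces a verbal call-back to a known number before changing supplier bank details; they only decide which emails deserve one.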

2. Ransomware

Attackers encrypt your systems and demand payment to restore access. Even if you don’t pay, recovery costs are substantial. Data from ITnews shows 75+ Australian businesses disclosed ransomware payments since June 2025, and these are only the ones required to report.

3. Credential theft 

Compromised usernames and passwords, often obtained through previous data breaches, are used to access business accounts. Cloud services, email systems, and accounting software are prime targets.

4. Supply chain attacks 

Attackers compromise a supplier or software provider to gain access to multiple downstream businesses simultaneously. A single breach at a payroll provider, accounting platform, or IT supplier can affect thousands of clients.

What cyber insurance actually covers

Many business owners assume their Business Pack, general liability, or professional indemnity policy covers cyber incidents. In most cases it doesn’t — standard policies were written before cyber was a distinct risk category and typically provide limited or no cover for cyber incidents. A standalone Cyber Insurance policy is what actually responds to a cyber event.

A standalone Cyber Insurance policy covers:

Coverage area              What it pays for
First-party loss           Your own costs, such as system restoration, data recovery, ransom (some policies)
Business interruption      Revenue lost while systems are down
Incident response          Forensics team, PR support, legal notification
Data breach notification   Costs of notifying affected individuals and regulators
Third-party liability      Claims from customers or suppliers whose data was compromised (if selected; not included in all policies)
Regulatory response        OAIC investigation costs, Privacy Act compliance
Social engineering / BEC   Funds transferred to fraudulent accounts (check policy sub-limits)

Check your Social Engineering / BEC sub-limit: Many cyber policies include Social Engineering Fraud cover (which covers BEC), but it often needs to be selected as an optional extension and comes with sub-limits significantly lower than the main policy limit. Pocket’s direct cyber policy includes it as an automatic inclusion — but the limit should still be reviewed. Get an instant quote → or Talk to a Pocket broker →

Cyber insurance costs for small businesses

Cyber insurance premiums vary depending on your industry, revenue, data risk profile, and the security controls you have in place. For most SMEs, cover is more affordable than the $56,600 average incident cost might suggest. The fastest way to get an accurate figure:

Get an instant quote online → or book a call with Pocket if your situation is more nuanced.

What you can do to reduce your cyber risk (and your premium)

Insurers assess your security posture when pricing Cyber Insurance. These controls also materially reduce your risk:

  1. Multi-factor authentication (MFA) on all email, cloud, and financial accounts
  2. Regular software updates and patching – unpatched systems are among the most commonly exploited weaknesses
  3. Staff training on phishing recognition – most breaches start with human error
  4. Regular offsite backups, tested by restoring from them – ransomware is far less damaging when you have clean backups
  5. Unique passwords via a password manager – credential reuse is a leading attack vector
  6. Endpoint protection – modern anti-malware on all devices

Source: Australian Cyber Security Centre (cyber.gov.au) — Essential Eight framework (MFA, patching and backups are Essential Eight controls; the remaining items follow ACSC small business guidance)

Frequently asked questions

  1. What is the average cost of a cyber attack on an Australian small business?
    According to the Australian Signals Directorate’s Annual Cyber Threat Report for FY2024–25, the average self-reported cost of a cybercrime incident for small businesses is $56,600, up 14% on the prior year. Broader estimates, including all incident costs, range from $49,600 to $122,000.

  2. Does my Business Pack insurance cover cyber attacks?
    Generally no. Standard Business Pack and general liability policies exclude electronic data, systems failures, and digital crime. A separate Cyber Insurance policy is required for cyber incident coverage.

  3. What is Business Email Compromise (BEC)?
    BEC is a type of Social Engineering Fraud — a cyber attack where criminals manipulate people into transferring funds or sharing credentials. In BEC specifically, attackers impersonate a trusted party — a supplier, the ATO, or a senior colleague — to trick an employee into transferring funds or sharing credentials. When reviewing your insurance policy, look for “Social Engineering Fraud” cover — BEC claims are assessed under this section.

  4. What does cyber insurance cover for small businesses?
    A cyber policy covers your own costs (system restoration, data recovery, ransom in some cases), business interruption, incident response costs, data breach notification, third-party liability claims (if selected), and regulatory investigation costs including OAIC privacy obligations.

  5. How much does cyber insurance cost for a small business in Australia?
    Premiums vary significantly based on industry, revenue, data risk, and security controls. For a small business with standard risk, annual premiums typically range from $1,500 to $4,000. Businesses in higher-risk industries (finance, health, professional services) generally pay more.

  6. Is ransomware covered by cyber insurance?
    Many cyber policies include ransomware cover, including ransom payment and system restoration costs. However, coverage terms vary significantly between policies. Ask your broker specifically whether ransomware is covered and whether some sublimits or conditions apply.

  7. Are small businesses really targeted by cyber criminals? 
    Yes. In Australia and New Zealand, 90% of cybercrime reports come from businesses with under $2M annual revenue. SMEs are the target of 43% of all Australian cyber attacks. Attackers target SMEs not for their data value, but because their security posture is typically weaker than that of large enterprises.

  8. What is the Mandatory Data Breach Notification scheme?
    Under Australia’s Privacy Act, businesses with annual turnover above $3M (and certain smaller entities, such as health service providers) must notify the OAIC and affected individuals of eligible data breaches. From 1 July 2026, more businesses will come under these obligations due to AML Tranche 2. Cyber Insurance covers the costs of compliance with these notification requirements.

  9. What is the Essential Eight?
    The Essential Eight is a framework of baseline cyber security controls published by the Australian Cyber Security Centre. It includes multi-factor authentication, application patching, restricting admin privileges, regular backups, and other practical controls. Implementing the Essential Eight significantly reduces cyber risk and can lower Cyber Insurance premiums.

  10. Does cyber insurance cover social engineering fraud?
    Not automatically on all policies. Social Engineering Fraud cover (which includes BEC) often needs to be selected as an optional extension and comes with sub-limits lower than the main policy limit. Pocket’s direct cyber policy includes Social Engineering cover as an automatic inclusion, but the limit should still be reviewed for your specific risk. Get an instant quote →

A $56,600 average loss. A fraction of that to insure against it.

Cyber Insurance is one of the most cost-effective protections available to Australian small businesses right now. Pocket compares cover across multiple insurers and makes sure your policy actually matches the risks your business faces.

Ready to get covered?

Simple risk profile? Get an instant online quote in 2 minutes →

More complex situation — multiple systems, client data, regulated industry? Book a free call with the Pocket team → and we’ll make sure the policy actually fits.

Call: 1300 475 092 | Email: hello@withpocket.com.au

With Pocket is a business name of Insurance Services Holdings Pty Ltd (ABN 36 612 629 295, AFSL 491165). Member of NIBA and part of the Steadfast Group. This article is general in nature and does not constitute financial or cybersecurity advice. Consult a licensed broker for advice specific to your circumstances.

Sources: Australian Signals Directorate (asd.gov.au), Computer One, DeepStrike, ACSC (cyber.gov.au).