Business cyber security awareness webinar

March 12, 2026 | 2:00 PM AEDT | Past event

With cyber incidents in Australia surging 11% to over 1,200 in 2024-25 and new laws mandating ransomware reporting from May 2025, businesses risk crippling financial losses and regulatory penalties amid escalating attacks.

Key takeaways

  • Ransomware and data breaches have intensified, with 138 ransomware incidents reported and average losses for medium businesses climbing 55% to $97,200, affecting sectors like finance and healthcare.
  • Mandatory regulations, including ransomware payment reporting for firms with $3 million turnover starting May 2025 and smart device security standards from March 2026, create urgent compliance deadlines.
  • Emerging quantum computing threats and third-party vulnerabilities expose hidden risks, demanding proactive cultural changes beyond basic defenses to avoid operational disruptions.

Cyber Threat Escalation

Australia's cyber landscape has deteriorated sharply. The Australian Signals Directorate reported over 1,200 incidents in the 2024-25 financial year, an 11% rise from the previous period. Ransomware cases reached 138, often stemming from unpatched vulnerabilities or phishing. Cybercrime reports hit 84,700, averaging one every six minutes. Identity fraud, the top cybercrime, increased 8%. These figures underscore a relentless assault on businesses, with malicious attacks accounting for 59% of data breaches in early 2025.

Major incidents highlight the toll. In July 2025, Qantas suffered a breach via a third-party call center, exposing data of 5.7 million customers. February 2026 saw fintech platform youX confirm a massive leak of 141 gigabytes, including over 600,000 loan applications. Hospitality group Seagrass and jeweler BECKS also fell victim to ransomware in late 2025 and early 2026. Health and finance sectors reported the most breaches, with healthcare at 18% and finance at 14% of notifications. Critical infrastructure remains a prime target, with state actors and hacktivists probing for weaknesses.

New regulations amplify the urgency. The Cyber Security Act 2024 introduces mandatory ransomware payment reporting from May 30, 2025, for entities with annual turnover exceeding $3 million. Failure to report within 72 hours could invite penalties. From March 4, 2026, security standards for smart devices ban default passwords and require vulnerability disclosure, aiming to curb IoT exploits. Updates to the Security of Critical Infrastructure Act clarify protections for data storage systems. These changes stem from the 2023-2030 Cyber Security Strategy, pushing businesses toward resilience.

Stakes are concrete and mounting. Small businesses face average losses of $56,600 per incident, up 14%, while medium ones see $97,200, a 55% jump. Inaction risks operational shutdowns, as seen in supply chain disruptions like the UNFI attack in 2025. Legal consequences include fines under the Notifiable Data Breaches scheme, which saw 1,113 reports in 2024—a 25% increase. Reputational damage erodes customer trust, with breaches like PowerSchool's affecting 62 million records in education.

Non-obvious tensions emerge. SMEs struggle with compliance costs, often relying on third parties that become weak links, as in Qantas's case. Quantum computing poses 'harvest now, decrypt later' risks, where data stolen today could be cracked tomorrow. AI amplifies threats through sophisticated phishing but also aids defenses, creating a trade-off between innovation and security. Stakeholder conflicts arise: regulators demand transparency, while businesses fear reporting could invite more attacks or scrutiny. Cultural shifts are essential; technology alone fails without employee training, yet talent shortages persist, with Australia needing 30,000 more professionals by 2026.
