Business Cyber Security: Stay Ahead of Threats

March 12, 2026 | 2:00 PM AEDT | Past event

Large Australian businesses absorbed average cyber-crime costs of $202,700 in 2024-25 after a 219% surge, while malicious-activity notifications rose 83%. Mandatory smart-device standards and ransomware reporting rules tighten in early 2026.

Key takeaways

  • Cyber-crime costs for large Australian organisations jumped 219% to an average $202,700 in FY2024-25 while the ACSC issued over 1,700 malicious-activity alerts, an 83% increase, amid AI-driven scaling of attacks.
  • Major breaches such as Qantas's July 2025 compromise via a third-party platform exposed data of up to six million customers, illustrating how supply-chain weaknesses now deliver national-scale impact.
  • Regulatory deadlines including mandatory ransomware reporting for firms above $3 million turnover since May 2025 and smart-device security rules commencing 4 March 2026 are forcing compliance costs and procurement changes onto businesses already stretched by skills shortages.

Mounting Cyber Risks for Business

Australian businesses operated in a sharply more hostile digital environment through 2025. The Australian Cyber Security Centre responded to more than 1,200 incidents and notified entities of potentially malicious activity over 1,700 times, an 83% rise on the previous year. Denial-of-service attacks alone increased more than 280%.

The Office of the Australian Information Commissioner received 532 notifiable data-breach reports in the first half of 2025, 59% of them from malicious or criminal attacks. Health, finance and government sectors accounted for the largest shares, with cyber incidents affecting an average of more than 10,000 individuals each.

Financial consequences have escalated sharply. Average self-reported cyber-crime costs reached $202,700 for large organisations (up 219%), $97,200 for medium businesses (up 55%) and $56,600 for small businesses (up 14%). These figures capture direct losses but exclude longer-term reputational damage and lost revenue from downtime.

High-profile cases have made the risks tangible. In July 2025 Qantas disclosed a breach originating in a third-party call-centre platform that compromised records of up to six million customers. Coordinated credential-stuffing campaigns hit multiple superannuation funds in March 2025, while healthcare providers continued to suffer ransomware that endangered patient data.

Regulatory changes now impose concrete deadlines. Since 30 May 2025 businesses with annual turnover above $3 million and critical-infrastructure entities must report ransomware payments. From 4 March 2026 manufacturers and suppliers of most consumer smart devices must meet baseline standards: no universal default passwords, published vulnerability-reporting mechanisms and disclosure of security-update support periods. Non-compliance restricts market access and shifts liability across supply chains.

Less visible tensions complicate responses. Many breaches trace to compromised third-party services or legacy systems, which blurs accountability in interconnected ecosystems. Boards face rising expectations for direct oversight, especially under frameworks such as APRA's CPS 230 for financial entities, yet persistent cyber-skills shortages and competing demands from digital transformation create resource trade-offs. Geopolitical tensions continue to drive state-sponsored espionage that opportunistically feeds criminal toolkits.
