NAB Business Cyber Security Awareness

March 12, 2026 | 2:00 PM AEDT | Past event

Australian businesses face skyrocketing cyber crime costs after a brutal 2025 marked by AI-powered attacks and major breaches, pushing average losses for large organisations to $202,700.

Key takeaways

  • The ACSC's 2024-25 report revealed cyber crime costs surged dramatically in 2025, with large businesses seeing a 219% increase, driven by sophisticated AI-enhanced threats and ransomware.
  • New regulations under the Cyber Security Act 2024, including mandatory ransomware payment reporting since May 2025 and impending smart device security standards effective March 2026, impose stricter compliance burdens on businesses.
  • Ongoing high-profile incidents into early 2026, combined with board-level scrutiny and supply-chain vulnerabilities, highlight that inaction now risks severe financial, operational, and reputational damage amid evolving state-sponsored threats.

Rising Cyber Stakes in Australia

Australian organisations endured a punishing 2025 as cyber threats intensified, with the Australian Cyber Security Centre (ACSC) documenting sharp rises in both attack volume and financial impact. Average cyber crime costs climbed across all business sizes: small businesses faced $56,600 per incident (up 14%), medium ones $97,000 (up 55%), and large organisations $202,700 (a staggering 219% jump). These figures reflect the growing sophistication of attacks, often powered by artificial intelligence, which enables more targeted phishing, ransomware, and exploitation of vulnerabilities.

The surge prompted regulatory tightening. The Cyber Security Act 2024 introduced mandatory reporting of ransomware payments for businesses with annual turnover above $3 million starting 30 May 2025, with enforcement ramping up from January 2026. Amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) clarified and expanded obligations for protecting critical data storage systems and telecommunications assets, with key rules taking effect in April 2025 and further IoT security standards for smart devices scheduled for 4 March 2026.

High-profile breaches continued into 2026, affecting sectors from hospitality and mining to healthcare and finance, often involving ransomware groups claiming data exfiltration. State-linked actors targeted operational technology in manufacturing and energy, underscoring supply-chain risks. Boards now face explicit guidance to prioritise secure-by-design technology, legacy system replacement, third-party risk management, and post-quantum cryptography transitions.

Tensions emerge between compliance costs and operational realities: smaller businesses struggle with resource demands, while critical infrastructure operators balance enhanced reporting against potential exposure of sensitive information. The shift toward assuming compromise rather than preventing all intrusions forces trade-offs in resource allocation, yet failing to adapt risks regulatory penalties, revenue losses—up to 10% of annual figures in some cases—and eroded customer trust in an interconnected economy.
