Tech Translated

IT Security & Technology Blog

Practical IT insights for Australian businesses. Our team covers cybersecurity advisories, compliance updates, and plain-English explainers on the technology your business relies on, published regularly as the landscape shifts.

cyber incident

The average cyber incident now costs a small Australian business $56,600

The Australian Signals Directorate’s latest Annual Cyber Threat Report puts the average self-reported cost of a cybercrime incident for a small business at $56,600, up 14 per cent on the year before. A new synthesis of seven of the world’s leading threat reports, published this week by CyberPulse, lines those local numbers up against the biggest global studies and lands on a blunt conclusion: almost every breach traces back to just three pathways.

The three pathways

They are unpatched internet-facing systems, stolen identity, and third parties you don’t control. The 2026 data sharpens the point. For the first time in nineteen years, Verizon now ranks vulnerability exploitation ahead of stolen passwords as the top way attackers get in, and third-party involvement showed up in 48 per cent of breaches, a 60 per cent jump year on year.

For a small business, $56,600 isn’t a line item. It’s a quarter’s profit, a delayed hire, or the difference between a good year and a bad one.

The gap we see most often

Across the client environments we manage on the Northern Beaches, in wider Sydney and out through the Central West, the third pathway is the one owners consistently underestimate. It is rarely your own server that fails. It’s the booking platform, the bookkeeper’s login, or the outsourced payroll provider. Most small operators still think “we’re too small to be a target” — but attackers aren’t targeting you. They’re targeting a vendor you happen to share with a few hundred other businesses, and you’re collateral. Being in Orange or Brookvale rather than the CBD doesn’t move you off that list.

What to do first

  • Put phishing-resistant MFA on anything internet-facing. Passkeys or FIDO2 keys, not SMS codes, which attackers now intercept routinely.
  • Patch your edge devices on a real cadence. Firewalls, VPNs and remote-access appliances are now the number-one entry point, not an afterthought.
  • Confirm your backups actually restore. A backup you’ve never tested is a hope, not a control.
  • Map who touches your data outside the building. List every vendor with a login or a copy of your client data, then ask what happens if they’re breached.

None of this requires a big-business budget. It requires knowing where your exposure actually sits and closing the obvious gaps before someone else finds them.

Not sure which of the three pathways is your weak point?

All IT Services helps Australian small businesses find and close the exposure that leads to costly incidents. Monthly contracts, no lock-in.


Related Guide

Cybersecurity for Sydney SMBs

Explore our complete guide to protecting your business from cyber threats.

Read the Full Guide →