The average cyber incident now costs a small Australian business $56,600
The Australian Signals Directorate’s latest Annual Cyber Threat Report puts the average self-reported cost of a cybercrime incident for a small business at $56,600, up 14 per cent on the year before. A new synthesis of seven of the world’s leading threat reports, published this week by CyberPulse, lines those local numbers up against the biggest global studies and lands on a blunt conclusion: almost every breach traces back to just three pathways.
The three pathways
They are unpatched internet-facing systems, stolen identity, and third parties you don’t control. The 2026 data sharpens the point. For the first time in nineteen years, Verizon now ranks vulnerability exploitation ahead of stolen passwords as the top way attackers get in, and third-party involvement showed up in 48 per cent of breaches, a 60 per cent jump year on year.
The gap we see most often
Across the client environments we manage on the Northern Beaches, in wider Sydney and out through the Central West, the third pathway is the one owners consistently underestimate. It is rarely your own server that fails. It’s the booking platform, the bookkeeper’s login, or the outsourced payroll provider. Most small operators still think “we’re too small to be a target” — but attackers aren’t targeting you. They’re targeting a vendor you happen to share with a few hundred other businesses, and you’re collateral. Being in Orange or Brookvale rather than the CBD doesn’t move you off that list.
What to do first
- Put phishing-resistant MFA on anything internet-facing. Passkeys or FIDO2 keys, not SMS codes, which attackers now intercept routinely.
- Patch your edge devices on a real cadence. Firewalls, VPNs and remote-access appliances are now the number-one entry point, not an afterthought.
- Confirm your backups actually restore. A backup you’ve never tested is a hope, not a control.
- Map who touches your data outside the building. List every vendor with a login or a copy of your client data, then ask what happens if they’re breached.
None of this requires a big-business budget. It requires knowing where your exposure actually sits and closing the obvious gaps before someone else finds them.
Not sure which of the three pathways is your weak point?
All IT Services helps Australian small businesses find and close the exposure that leads to costly incidents. Monthly contracts, no lock-in.
Related Guide
Cybersecurity for Sydney SMBs
Explore our complete guide to protecting your business from cyber threats.
