Australian small businesses are being pushed into a harsher cyber environment, with new research showing most have already experienced a cyber incident while many are now using artificial intelligence tools without proper safeguards.
A 2026 small business cyber security survey found 84% of Australian small businesses had experienced a cyber incident in the past year, up three percentage points from the first round of research in 2023.
That figure should cut through the usual language around cyber awareness. This is no longer a distant risk sitting somewhere in the IT department.
For many small operators, it has already arrived through email, invoices, staff devices, cloud software, social media accounts, fake websites and business systems they depend on every day.
The findings suggest a small business sector that is becoming more aware of the problem but still struggling to keep up with the speed and sophistication of the threat.
The research found owners and staff are becoming more confident in managing digital risks, introducing stronger passwords, acting on software updates faster and seeing cyber security as a whole-of-team responsibility rather than a technical job left to one person.
That progress matters. But it is not moving fast enough.
Artificial intelligence has now added a new layer of risk. One in four small businesses are sharing sensitive business and customer information with AI tools such as ChatGPT, while another 40% are using AI-generated content without checking its accuracy.
That is a serious governance gap.
Small businesses are using AI because it is useful. It writes emails, summarises documents, helps prepare marketing material, drafts policies and speeds up admin.
The problem is that many of these tools are being used before businesses have worked out what information should never be uploaded, who is allowed to use them, and whether AI-generated output is being checked before it is sent to customers or published online.
The same technology is also changing the threat environment.
Four in five small businesses now believe cyber criminals are becoming more sophisticated because of AI, yet fewer than one in five have put guardrails in place for safe AI use.
That mismatch is the real story. Business owners can see the threat building, but many have not translated that concern into practical controls.
Separate guidance from the Australian Signals Directorate has warned that small businesses adopting cloud-based AI tools need to understand risks including data leaks, privacy breaches, unreliable or manipulated AI outputs and supply chain vulnerabilities.
For a small business, those risks are not abstract.
They can mean customer records copied into an external tool, staff relying on an inaccurate AI-generated answer, confidential financial information being exposed, or an employee using a public AI system without understanding where the data goes.
The pressure is also being felt across the wider scam economy.
The National Anti-Scam Centre reported Australians made 481,523 scam reports in 2025 across Scamwatch, ReportCyber, the Australian Financial Crimes Exchange, IDCARE and ASIC. Of those, 274,577 involved financial losses totalling $2.18 billion.
The largest scam categories by loss included investment scams at $837.7 million, payment redirection scams at $166.8 million, romance scams at $139.9 million, phishing scams at $97.6 million and remote access scams at $69.9 million.
Those figures matter for small businesses because many of the highest-risk scams now target ordinary business processes.
A fake invoice. A changed bank account. A supplier impersonation. A compromised email account. A staff member clicking a link because the message looked normal.
Payment redirection scams, in particular, should worry every business that pays suppliers by email. These attacks do not always require advanced hacking. Often, they rely on timing, trust and a small change in payment details.
Research also highlights uneven cyber maturity across industries.
Hospitality businesses were found to be among the least likely to adopt cyber-safe practices, with only about one in two using unique passwords or passphrases and just one in three protecting business emails with multi-factor authentication.
That is a weak point for cafes, restaurants, pubs, motels and other hospitality operators already dealing with tight margins, staff turnover, payment systems, online booking platforms and customer data.
Multi-factor authentication is one of the simplest barriers a business can put in place, yet many still do not use it consistently.
Unique passwords are another basic control, but the research suggests too many businesses are still relying on habits that are no longer safe.
The concern is not just technical. It is financial.
Seventy-nine per cent of small businesses expressed concern about a cyber attack, with cyber risk ranked as a higher threat than workforce shortages, rapid technological change and extreme weather events.
That ranking is significant. Small businesses are not short of problems.
They are dealing with rising costs, skills shortages, insurance pressure, compliance obligations, supplier issues and weaker consumer demand in some sectors. Yet cyber has moved high on the list because it can hit quickly and create immediate operational damage.
A cyber incident can lock staff out of systems, stop payments, expose customer data, disrupt bookings, damage trust and leave owners trying to work out whether they need technical help, legal advice, customer notifications or law enforcement support.
For small operators, the recovery burden can be brutal.
The research points to a clear divide. Awareness is improving, but practical protection is still patchy. Many businesses know cyber risk is real.
Fewer have turned that knowledge into daily habits, written processes, staff training, AI rules, stronger access controls and tested recovery plans.
That is where the next phase of small business cyber security needs to focus.
The priority should not be complicated language or expensive enterprise frameworks. It should be basic protection that actually gets used.
That means using unique passwords, multi-factor authentication, regular software updates, verified payment changes, limited admin access, secure backups and clear rules for how staff use AI.
It also means training staff and having a simple incident response plan that tells people exactly what to do in the first hour after something goes wrong.
That is the uncomfortable part.
Australian small businesses are becoming more digitally dependent at the same time criminals are becoming faster, more automated and more convincing. AI is making that gap harder to close.
For business owners, the message is straightforward: cyber security is no longer optional admin. It is part of staying open.
