Australian businesses are being hit by a sharper, faster and more expensive wave of cybercrime, with new figures showing digital attacks are no longer a background technology issue but a direct threat to company survival, customer privacy and national resilience.
According to the Australian Signals Directorate’s latest Annual Cyber Threat Report, the average self-reported cost of a cyber breach for businesses jumped by 50% in 2024–25, reaching more than $80,000 per incident.
The report recorded more than 84,700 cybercrime reports across the year, roughly one report every six minutes.
The agency also responded to more than 1,250 cyber incidents and handled over 42,500 calls to its cybersecurity hotline, a 16% increase on the previous year.
The figures point to a troubling shift. Cybercrime is not only becoming more frequent. It is becoming more damaging.
Business email compromise, identity fraud and ransomware remain among the most common threats affecting Australian organisations.
The attacks often begin quietly: a fake invoice, a compromised login, a stolen identity, or a malicious email that looks routine. The damage can be anything but routine.
For many companies, one breach can mean days of disruption, frozen systems, stolen customer records, legal exposure, regulatory scrutiny and a loss of trust that can take years to repair.
The warning is particularly serious for sectors holding sensitive data or delivering critical services, including insurance, financial services, healthcare, professional services and infrastructure operators.
Australian industries are attractive targets because they hold exactly what criminals want: personal records, payment information, identity documents and systems that cannot afford to fail.
Globally, The Threat Picture Is Moving Even Faster

CrowdStrike’s 2026 Global Threat Report found the fastest recorded eCrime breakout time was just 27 seconds, meaning attackers were able to begin moving inside a victim environment almost immediately after gaining access.
AI-enabled adversary activity also increased by 89%, while attackers are exploiting cloud, identity and software weaknesses at increasing speed.
The same global threat data points to a deeper problem for defenders:
A 42% increase in zero-day vulnerabilities exploited before public disclosure, 40% of vulnerabilities exploited by China-nexus threat actors targeting edge devices, and a 266% increase in cloud-conscious intrusions by state-nexus threat actors.
A cyber incident is no longer just a private company problem. When insurers, banks, medical providers, schools or service operators are breached, ordinary Australians can be exposed to identity theft, fraud, service disruption and long-term privacy harm.
Australia’s growing reliance on internet-connected systems has created enormous convenience, but it has also created a larger and more fragile digital dependency chain.
Every weak password, unpatched device, exposed login and poorly secured supplier can become the opening move in a much larger incident.
The latest figures leave little room for complacency.

Cybercrime Hits One In Three Australian Businesses As Recovery Costs Climb
Australian SMEs Bear The Brunt
Cybercrime has become a major business risk in Australia, with 33% of businesses — about 693,053 operators — experiencing a cybercrime incident.
The damage is no longer limited to stolen passwords or temporary website outages. Across the reporting period, 11,703 cyber incidents were recorded, including 153 reports involving critical infrastructure across energy, utilities and finance.
Small and medium-sized businesses carried much of the burden, accounting for 60% of all targeted attacks. For many operators, a cyber incident now brings weeks of disruption, lost revenue and expensive recovery work.
The average cost of a cybercrime attack reached $276,323 per business, with more than half of that expense tied to detection and recovery.
Denial-of-service attacks were among the most costly, averaging $180,458, followed by malicious insiders at $177,834 and malicious code at $105,223.
Web-based attacks cost businesses an average of $79,380, while phishing and social engineering incidents averaged $23,209.
Even lower-cost incidents still caused damage, with stolen devices averaging $13,044, botnets $867, malware $458, and viruses, worms or trojans $421.
Half of all cybercrime costs were linked to web-based attacks and insiders, pointing to a growing risk from both external criminals and people with trusted access inside an organisation.
The impact often continued well after the initial breach. Cyber attacks caused business disruption in 40% of cases, information loss in 29%, productivity loss in 29%, revenue loss in 25%, and equipment damage in 4%.
Recovery was rarely immediate. The average attack took 23 days to resolve, but incidents involving a malicious insider, employee or contractor took an average of 51 days.
For Australian businesses, the message is clear:
Cybercrime is no longer an occasional technical problem. It is a direct financial threat capable of stopping operations, draining revenue and exposing weaknesses inside the organisation itself.
