Cybersecurity for SMBs: Why It’s No Longer Optional – and Where to Start
In today’s digital-first economy, cybersecurity is no longer a “nice to have” for small and medium businesses (SMBs); it is a fundamental requirement for survival.
According to the Australian Cyber Security Centre (ACSC), the average cost of a cybercrime incident in 2022–23 was $46,000 AUD for small businesses and $97,000 AUD for medium businesses [1]. These figures reflect more than just financial loss - they represent the erosion of customer trust, potential regulatory penalties, and in some cases, the permanent closure of businesses.
With over 97% of Australian businesses employing fewer than 20 staff, the margin for error is razor-thin. Many SMBs operate without dedicated internal or external IT teams, making them especially vulnerable to cyber threats. But the good news is: with the right focus, even small teams can build strong cyber resilience.
Where Should SMBs Focus Their Cybersecurity Efforts?
Here are six key areas that form a solid foundation for SMB cybersecurity:
1. Identity & Access Management
Most breaches begin with compromised credentials. Implementing multi-factor authentication (MFA) and enforcing strong password policies can significantly reduce the risk of unauthorised access. Consider using password managers and single sign-on (SSO) solutions to simplify secure access for staff.
2. Endpoint Protection
Every device - laptops, desktops, smartphones, tablets - is a potential entry point for attackers. Ensure all endpoints are protected with up-to-date antivirus software, firewalls, and regular patching. Don’t forget to include remote workers and BYOD (bring your own device) policies in your protection strategy.
3. Backup & Recovery
Ransomware attacks are on the rise, and having a tested backup and recovery plan is critical. Backups should be:
- Automated
- Encrypted
- Stored offsite or in the cloud
- Regularly tested for restoration
A robust backup strategy can mean the difference between a quick recovery and a complete shutdown.
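The "regularly tested for restoration" point is the one SMBs most often skip, because it is the only item on the list that needs a repeatable procedure rather than a product setting. The following script is an added example, not code from the article or from any vendor it mentions: it writes a backup archive with an embedded SHA-256 manifest, then performs an automated restore test by extracting the archive into a scratch directory and verifying every file against that manifest, so a silently corrupt or truncated backup is caught before the day it is needed. The sample files, the manifest name `MANIFEST.json`, and the function names are all constructed for the illustration; encryption and offsite copying are left to the backup tool and are not shown here.

```python
"""Added example (not from the article): build a backup archive with a SHA-256
manifest, then run an automated restore test that extracts the archive into a
scratch directory and verifies every file against the manifest. File names and
contents are constructed here for illustration."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name for the manifest stored in the archive


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir: Path, archive_path: Path) -> dict:
    """Archive every file under source_dir and return {relative_path: sha256}."""
    manifest = {
        p.relative_to(source_dir).as_posix(): sha256_of(p)
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(source_dir / rel, arcname=rel)
        # Embed the manifest so a restore can be verified without the original source.
        payload = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return manifest


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare the files under root with the manifest; report missing and corrupt entries."""
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        target = root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_of(target) != expected:
            corrupt.append(rel)
    return {"ok": not missing and not corrupt,
            "checked": len(manifest), "missing": missing, "corrupt": corrupt}


def restore_test(archive_path: Path) -> dict:
    """The 'regularly tested for restoration' step: extract into a throwaway
    directory and verify the restored tree without touching production data."""
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # The "data" filter rejects absolute paths and traversal (Python 3.12+).
                tar.extractall(root, filter="data")
            except TypeError:  # older Python without the filter argument
                tar.extractall(root)
        manifest = json.loads((root / MANIFEST_NAME).read_text())
        return verify_against_manifest(root, manifest)


def run_demo() -> tuple:
    """Create constructed sample data, back it up, run the restore test, then
    show that a partially written copy of one file is reported as corrupt."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "data"
        (source / "accounts").mkdir(parents=True)
        (source / "accounts" / "ledger.csv").write_text("date,amount\n2025-07-01,100\n")
        (source / "plans.txt").write_text("site plan v3 (constructed sample)\n")
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(source, archive)
        good = restore_test(archive)
        # Simulate a bad restore: one file truncated mid-write.
        (source / "plans.txt").write_text("site plan")
        bad = verify_against_manifest(source, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("restore test:", good)
    print("truncated tree:", bad)
```

Run it on a schedule (the same scheduler that produces the backups) and treat any `"ok": False` result as an incident in its own right: a backup that cannot be restored is the failure mode that turns a ransomware event into a shutdown. The verification is done against a fresh extraction, not against the live data, so the test can run against offsite or cloud copies without write access to production.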
4. Security Awareness Training
Human error remains one of the biggest cybersecurity risks. Regular training helps employees recognise phishing attempts, avoid unsafe downloads, and follow best practices. Training should be:
- Ongoing, not one-off
- Interactive, with real-world scenarios
- Tailored to different roles and responsibilities
5. Email & Web Filtering
Email remains a common attack vector. Use email filtering to block spam, phishing, and malicious attachments. Similarly, web filtering can prevent access to known malicious sites and reduce the risk of drive-by downloads.
6. Incident Response Planning
Even with strong defences, incidents can happen. Having a clear incident response plan ensures your team knows what to do when something goes wrong. Your plan should include:
- Roles and responsibilities
- Communication protocols
- Legal and regulatory steps
- Post-incident review
Case Study: When Cybersecurity Fails
A stark example of the consequences of what was probably outdated cybersecurity infrastructure comes from an Australian business that fell victim to a ransomware attack in July 2025. The company, which operates in the residential construction sector, had approximately 128GB of sensitive data exposed, including financial records, architectural plans and employee details, some of which were reportedly posted to the dark web. The breach also caused IT outages that disrupted operations and raised concerns about data integrity and business continuity.
The consequences of this attack are far-reaching. Beyond the immediate operational disruptions, the breach has triggered reputational damage and potential regulatory scrutiny under Australia’s data protection laws. Clients and stakeholders are likely to demand reassurances about future safeguards, while competitors may use the incident to highlight their own cybersecurity resilience. The breach also underscores the vulnerability of critical infrastructure sectors to increasingly sophisticated cyber threats.
This incident may have stemmed from a combination of factors common in the construction industry: legacy systems, decentralised IT environments, and limited investment in cybersecurity compared to other sectors. As digital transformation accelerates across the built environment, organisations in this space must reassess their risk exposure and prioritise robust cyber defences. The attack serves as a stark reminder that no industry is immune to ransomware, and proactive measures are essential to safeguard sensitive data and maintain trust.
Note: This article is intended solely to inform and does not reference any specific company by name.
Growing Your Cybersecurity Maturity
Once these foundational elements are in place, SMBs can begin layering in more advanced capabilities:
- Threat detection and response (XDR/SIEM)
- Dark web monitoring
- Zero-trust architecture
- Security audits and penetration testing
- Compliance frameworks (e.g., ISO 27001, Essential Eight)
Cybersecurity isn’t a one-time project - it’s a continuous journey. As your business grows, so should your security posture.
Final Thoughts
Cyber threats don’t discriminate by size. SMBs are increasingly targeted because attackers know they often lack the resources of larger enterprises. But with the right strategy, even the smallest business can build a resilient defence.
Start with the basics. Build a culture of security. And remember - cybersecurity is not just an IT issue; it’s a business imperative.
Sources:
- Securing Customer Personal Data for Small to Medium Businesses | Cyber.gov.au
- ACSC Small Business Survey Report*
*For further reading, view the full report above.