Here’s our breakdown of the key insights from the 2024–25 report and what they mean for your business.
Cybercrime Is Escalating—Fast
- 84,700+ cybercrime reports were received by the ACSC—one every 6 minutes.
- The average cost per cybercrime report for businesses jumped 50% to $80,850.
  - Small businesses: $56,600 (up 14%)
  - Medium businesses: $97,200 (up 55%)
  - Large businesses: $202,700 (up 219%)
These figures highlight the growing financial impact of cybercrime, especially for medium and large organisations.
Ransomware remains a major threat—11% of all cyber incidents reported to the ACSC involved ransomware.
These attacks typically lock or encrypt a business’s data, followed by a demand for payment (a ransom) to restore access. Ransomware can halt operations, damage reputations, and lead to significant financial losses—especially if backups and recovery plans aren’t in place.
Top Threats Facing Businesses
The most reported cybercrimes include:
- Email compromise without financial loss (19%)
- Business email compromise fraud (15%)
- Identity fraud (11%)
These attacks often start with stolen credentials and escalate into full-blown breaches. The ACSC notes that cybercriminals are increasingly using malware to harvest usernames and passwords, which are then sold or reused for further attacks.
Queensland once again topped the nation for cybercrime reports by state, accounting for 28% of reported incidents.

The Role of AI and Emerging Tech
Artificial Intelligence is now a double-edged sword:
- Cybercriminals are using AI to launch faster and more sophisticated attacks
- It also offers opportunities for enhanced threat detection—if used securely.
The ACSC encourages businesses to choose technology that’s built with security in mind from the start. As we move into a future with even more advanced tech (like quantum computing), making smart, secure choices now is key.
Social engineering
Social engineering is a longstanding threat that is becoming easier for malicious cyber actors to use at scale, thanks in part to AI technologies.
Phishing – a type of social engineering – was recorded in 60% of the incidents reported to ACSC in FY2024–25.
Social engineering techniques are used by malicious cyber actors to direct individuals or staff into performing specific actions such as opening an attachment, visiting a website, revealing credentials, disclosing sensitive information, or transferring funds. Social engineering techniques can be highly convincing.
If you suspect a social engineering attempt, do not engage – hang up. Do not delete or forward the communication. Report it immediately to your manager (or FortiTech if you are one of our clients). Preserving the communication is important for investigation and threat response.
What Your Business Should Do Now
The ACSC recommends four critical actions for businesses:
- Implement best-practice event logging
- Replace legacy technology
- Choose secure-by-design products and services
- Start planning for post-quantum cryptography
Additionally, businesses should adopt a mindset of “assume compromise” and focus on protecting their crown jewels—the most valuable data and systems.
Cyber threats are no longer just an IT issue—they’re a business risk. Whether you're a small business or a large enterprise, the message is clear: cyber resilience must be a priority.
If you’re unsure where to start, FortiTech offers tailored solutions to help you assess your current posture and build a stronger defence. Reach out for a chat about securing your business.