The ACSC Just Dropped a Bombshell Report — Your Business Is in It

The Australian Cyber Security Centre (ACSC), the government’s technical authority on cyber security, released its 2024–25 Annual Cyber Threat Report on 14 Oct 2025. If you own or manage a Small to Medium Enterprise (SME), this isn’t just paperwork. It’s a distress flare. The findings of this report confirm that the “I’m too small to be targeted” mindset is officially dead. For the cybercriminal sitting halfway across the world, you aren’t a small business; you are a soft target with a bank account and valuable customer data. At Protectera, we’ve analysed the findings to break down exactly what this means for the Australian middle market. Here is the reality check you need to hear.

The latest ACSC 2024-2025 Report Findings: A Reality Check

  • The ACSC responded to over 1,200 cybersecurity incidents in 2024–25, an 11% increase from the prior year, showing threats are not shrinking.
  • Australian organisations reported 84,700 cybercrime incidents; that’s roughly one every six minutes.
  • The report highlights that attackers love the growing “gap” between the cyber-haves (big corporates with massive security budgets) and the cyber-have-nots (SMEs trying to do it themselves).
  • Identity fraud, email compromise, and ransomware remain among the most common threats.
  • The average cost of cybercrime for businesses surged 50%. 
  • Small firms reported an average loss of AU$56,600, and medium firms nearly AU$97,200. 

Who Is Being Targeted? Industries Most Targeted

While government and healthcare remain top-tier targets due to the sensitivity of the data they hold, the attacks are increasingly democratised across all sectors. Irrespective of size, if your business handles money, holds Personally Identifiable Information (PII) on staff or customers, or possesses intellectual property, you are on the list. The ACSC Threat Report 2025 highlights a spike in targeting against:

Professional Services & Healthcare: SMEs providing healthcare, accounting, and legal services hold sensitive personal or corporate data, which cybercriminals seek to monetise through ransom or blackmail.

Supply Chain Partners: Cybercriminals target smaller vendors to reach larger targets. An SME supporting a large organisation often becomes the weak link, creating avenues for breaches.

Retail and Hospitality: High volumes of credit card transactions and customer databases make these businesses an attractive target for quick data grab-and-run attacks.

Construction and Manufacturing: These businesses are perceived as having weaker digital defences. These sectors are prime targets for ransomware.

Everyday Local Businesses: Cybercriminals are increasingly targeting cafes, retail stores, and trading businesses through simple email scams, compromised credentials, or phishing campaigns, leading to bigger breaches.

Bottom line: If you transact online, store customer data, or use digital systems, you may be the next target of cybercriminals. 

Top Cyber-Attack Types Targeting Australian Businesses as per ACSC Threat Report 2025 

Understanding the kinds of attacks you face is the first step to defending against them. While new threats constantly emerge, Aussie businesses are facing massive financial loss due to three main attack vectors.

  1. Business Email Compromise (BEC): BEC is one of the most financially damaging scams. It exploits trust inside your communication channels. Note: For SMEs, even one successful BEC attack can wipe out months of revenue.
  2. Ransomware Attacks: Ransomware remains a top threat category in Australia. At least 11% of ACSC-recorded incidents were ransomware attacks. Note: The recovery time, lost productivity, and reputational damage can cost your business far more.
  3. Supply Chain Attacks: You might have great security, but what about the vendors you trust? Once inside a small business, attackers escalate privileges to reach the main target. Note: During 2024-25, supply chain attacks emerged as a major vector for large-scale breaches by compromising trusted third-party vendors or software.

Why SMEs Must Care: Understand the Business Risk

Being small doesn’t make you invisible; it makes you easier to hit. The ACSC figures show that average losses are rising, even for small organisations. At Protectera, we see cybercriminals target the path of least resistance, and many SMEs still run outdated systems, weak authentication, and inadequate backup strategies. For SMEs, the consequences go beyond financial loss:

  • Loss of intellectual property
  • Business interruption that could threaten survival
  • Reputation damage with customers and partners
  • Regulatory penalties if personal data is exposed

Immediate Security Priorities for Your Business: Your Move

So what should you do right now to strengthen your defence? Based on the ACSC Threat Report 2025 findings and our experience at Protectera, here are your immediate priorities:

  • Replace legacy technology
  • Harden your core defences
  • Implement event logging & detection
  • Manage third-party risk
  • Prepare for incident response

If you are concerned about what the ACSC findings mean for your specific business, or if you need help implementing these immediate priorities, Protectera is here to help. As a leading cybersecurity agency with offices in Sydney, Melbourne, Canberra, and Brisbane, we understand the local landscape better. Over the years, we have offered world-class, supremely innovative cybersecurity solutions tailored to each business's unique level of risk. Get your free assessment, call us directly on 02 7227 5428, or email contact@protectera.com.au.