CyberHault Resource

Cost of a Cyber Breach for Australian Businesses

A practical breakdown of where breach costs come from and how to reduce them.

For Australian businesses with 10–200 employees, cyber incidents are usually expensive because they combine immediate technical response costs with longer-term operational and commercial impact.

This guide summarises current Australian data, outlines the main cost drivers, and provides a practical way to estimate exposure for your organisation.

What Recent Data Shows

Average Reported Cybercrime Loss

Small: $49,600 | Medium: $62,800

ACSC FY 2024–25 average self-reported losses per cybercrime report by business size.

Data Breach Notifications

595 notifications

OAIC (July–December 2024): 69% were malicious or criminal attacks, with phishing/social engineering and compromised credentials among leading causes.

Global Benchmark

US$4.44M average breach cost

IBM Cost of a Data Breach Report 2025 global benchmark. Australian outcomes vary by sector, response maturity, and downtime.

Where Costs Usually Come From

  • Operational downtime: lost revenue, delayed projects, and reduced team output.
  • Incident response: forensics, containment, specialist support, and emergency IT effort.
  • Recovery work: restoring endpoints, cloud services, data integrity, and business workflows.
  • Customer impact: churn risk, contract friction, and slower new-business conversion.
  • Legal/compliance effort: privacy assessment, communications, and external advice.
  • Post-incident uplift: urgent control upgrades implemented after the event.

Australian Privacy Notification Reality

Under the Notifiable Data Breaches scheme, organisations generally must notify the OAIC and affected individuals when an eligible breach is likely to result in serious harm.

Businesses can undertake an assessment where needed, but this should be completed quickly (generally within 30 days). For leadership teams, this adds time-critical legal, communications, and operational workload on top of technical recovery.

Simple Cost Model for a 50-Person Business

Use this practical worksheet to estimate potential breach impact in your own environment.

  • Downtime cost: hourly business impact × outage hours.
  • Productivity loss: affected staff × average loaded hourly rate × disruption hours.
  • Recovery effort: internal IT/security hours + external specialist support.
  • Client/commercial impact: delayed opportunities + churn risk over 3–6 months.
  • Compliance/communications: legal, privacy, and customer notification effort.
  • Security uplift: essential controls implemented post-incident.
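The worksheet above is a set of simple formulas, so it is easy to turn into a small calculator that returns a per-line breakdown and shows how outage length drives the total. The following Python script is an added example written for this page; it is not a CyberHault tool, and every dollar figure and hour count in it is a constructed placeholder for a hypothetical 50-person business, not data from this guide. The sensitivity run also assumes that staff disruption hours track outage hours, which is a simplification.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BreachInputs:
    """Inputs for the six worksheet lines. Money in AUD, time in hours."""
    hourly_business_impact: float    # revenue/operational impact per outage hour
    outage_hours: float              # time core systems are unavailable
    affected_staff: int              # headcount whose work is disrupted
    loaded_hourly_rate: float        # salary plus on-costs per staff hour
    disruption_hours: float          # hours each affected person is disrupted
    internal_it_hours: float         # internal IT/security response and rebuild hours
    internal_it_rate: float          # loaded hourly rate for those hours
    external_specialist_cost: float  # forensics, IR retainer, emergency MSP support
    delayed_opportunity_value: float # pipeline pushed out or lost during the incident
    churn_risk_value: float          # expected revenue lost to churn over 3-6 months
    compliance_comms_cost: float     # legal, privacy assessment, customer notification
    security_uplift_cost: float      # controls brought forward after the event


# Constructed placeholder figures for a hypothetical 50-person business.
# They are illustrative only; substitute your own estimates.
BASELINE = BreachInputs(
    hourly_business_impact=1_500.0,
    outage_hours=48,
    affected_staff=50,
    loaded_hourly_rate=60.0,
    disruption_hours=48,
    internal_it_hours=120,
    internal_it_rate=90.0,
    external_specialist_cost=25_000.0,
    delayed_opportunity_value=30_000.0,
    churn_risk_value=20_000.0,
    compliance_comms_cost=15_000.0,
    security_uplift_cost=20_000.0,
)


def estimate_breach_cost(i: BreachInputs) -> dict[str, float]:
    """Apply the six worksheet formulas; return a per-line breakdown plus the total."""
    breakdown = {
        "downtime": i.hourly_business_impact * i.outage_hours,
        "productivity_loss": i.affected_staff * i.loaded_hourly_rate * i.disruption_hours,
        "recovery_effort": i.internal_it_hours * i.internal_it_rate + i.external_specialist_cost,
        "client_commercial_impact": i.delayed_opportunity_value + i.churn_risk_value,
        "compliance_comms": i.compliance_comms_cost,
        "security_uplift": i.security_uplift_cost,
    }
    breakdown["total"] = sum(breakdown.values())
    return breakdown


def direct_it_share(breakdown: dict[str, float]) -> float:
    """Fraction of the total that is direct IT spend (recovery effort plus security uplift)."""
    return (breakdown["recovery_effort"] + breakdown["security_uplift"]) / breakdown["total"]


def outage_sensitivity(base: BreachInputs, hours_options: list[float]) -> dict[float, float]:
    """Total cost for each candidate outage length.

    Assumes staff disruption hours equal outage hours (a simplification:
    some disruption usually continues after systems are restored).
    """
    return {
        h: estimate_breach_cost(replace(base, outage_hours=h, disruption_hours=h))["total"]
        for h in hours_options
    }


if __name__ == "__main__":
    result = estimate_breach_cost(BASELINE)
    for line, value in result.items():
        print(f"{line:<26} A${value:>12,.0f}")
    print(f"direct IT share of total: {direct_it_share(result):.0%}")
    print("outage length vs total cost (constructed inputs):")
    for h, total in outage_sensitivity(BASELINE, [8, 24, 48, 96]).items():
        print(f"  {h:>4.0f} h  A${total:>12,.0f}")
```

Run it as a script to see the breakdown; with the placeholder inputs, direct IT spend is well under a fifth of the total, and cutting the outage from 48 hours to 8 hours (the kind of difference tested backups make) removes more than half of the estimated cost. Both outcomes follow from the constructed numbers, not from the statistics quoted in this guide.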

What Usually Increases Breach Cost

1. Late Detection: Longer attacker dwell time usually increases data exposure and remediation scope.

2. Weak Identity Controls: Missing MFA and over-privileged accounts often increase blast radius.

3. Limited Backups/Recovery Testing: Recovery delays extend downtime and increase commercial impact.

4. No Incident Playbook: Unclear internal response ownership leads to slower decisions under pressure.

5. Poor Security Visibility: Without monitoring, containment and scoping take longer and cost more.

6. Low Staff Awareness: Phishing and social engineering remain common and high-impact entry paths.

How to Reduce Likely Breach Cost

  • Deploy layered endpoint, email, and web protection to reduce preventable incidents.
  • Strengthen identity controls with MFA and least-privilege access.
  • Maintain vulnerability visibility and risk-based patch remediation.
  • Run ongoing staff awareness and phishing simulation programs.
  • Define an incident response workflow before an incident occurs.
  • Test backup and recovery workflows to reduce outage duration.

Quick FAQ

Is breach cost mostly technical?

No. Commercial and operational impact can outweigh direct IT spend.

Are small businesses targeted?

Yes. SMBs are regularly targeted due to uneven controls and high reliance on email/cloud tools.

Do all incidents require OAIC notification?

No. Notification is generally required for eligible breaches likely to cause serious harm.

Can cost be materially reduced?

Yes. Faster detection, clear response ownership, and layered controls usually reduce incident impact.

Plan for Lower Risk and Lower Impact

CyberHault helps Australian businesses design practical controls that reduce both breach likelihood and breach impact across devices, users, email, and cloud services.