Something I often hear is that small and medium businesses don’t feel they are big targets.  So, in an effort to understand the scale of cybercrime affecting small and medium-sized businesses (SMBs) in Australia, I turned to the most authoritative source available: the Australian Signals Directorate (ASD). Each year, the ASD publishes its Annual Cyber Threat Report, which consolidates data from multiple government agencies, including the Australian Cyber Security Centre (ACSC), the Australian Federal Police (AFP), and the Office of the Australian Information Commissioner (OAIC). The most recent report was the ASD Cyber Threat Report 2024 that provides data and information covering the period July 2023 to June 2024.

While the ASD report is rich in statistics, it lacks granularity when it comes to identifying the specific demographics of cybercrime victims. Notably, it does not distinguish between individuals, large enterprises, government agencies, and SMEs. This makes it difficult to directly quantify how many small and medium businesses are affected. I've previously contacted the ASD asking for more granular detail, but received no response.

Fortunately, by applying logical assumptions and interpreting the available data, it's possible to estimate a rough order of magnitude.

SUMMARY

The available statistics suggest that in one year, around 3000 small and medium size organisations reported to the Australian Government a cybersecurity incident resulting in extensive compromise, i.e. excluding minor incidents. However, it is important to note that the statistics reported by the ASD are based only on incidents that were actually reported. Whether or not it should be, disclosing a cybersecurity incident is often perceived as embarrassing due to the potential for reputational damage. Also, in Australia, it is not mandatory to report incidents in some circumstances.

THE FULL WORKINGS

For those interested in how the above figure was estimated, the workings are described in the following PDF (safe to download).

Please email contact@holisticyber.au if you have any comments or suggestions on these detailed workings and the conclusion.