
What Happens If Your Small Business Gets Hacked? The Real Costs — and What You're Required to Do

Most small business owners believe a cyber attack is something that happens to bigger organisations. The statistics say otherwise — and what happens after an attack is often more damaging than the attack itself.

There's a common assumption among small business owners: cybercriminals are after banks, hospitals, and governments. Not a 12-person accounting firm in Parramatta, a GP clinic in Geelong, or a real estate agency on the Gold Coast.

That assumption is no longer accurate — and it hasn't been for several years. Large organisations have dedicated security teams, enterprise-grade controls, and incident response plans. Small businesses typically have none of these things, which makes them the path of least resistance. According to Accenture, 43% of cyberattacks target small businesses. According to the Australian Signals Directorate's Annual Cyber Threat Report 2024–25, the average self-reported cost of cybercrime for an Australian small business is $56,600 per incident. And a 2025 Mastercard survey of over 5,000 SMB owners found that approximately one in five businesses that experienced a cyberattack went bankrupt or closed.

This article explains what actually happens — the sequence of events, the costs, and the legal obligations that kick in whether you're ready for them or not.

  • 43% of cyber attacks target small businesses (Accenture / Verizon DBIR)
  • $56,600 average self-reported cost per cybercrime report for Australian small business (ASD Annual Cyber Threat Report 2024–25)
  • 1 in 5 SMBs that experienced a cyberattack went bankrupt or out of business (Mastercard SMB survey, 2025, via Huntress)

How Most Small Business Attacks Actually Start

Forget the Hollywood image of hooded hackers breaking through firewalls. The vast majority of small business attacks start in much more mundane ways:

  • Phishing emails: A convincing email tricks a staff member into clicking a link or entering credentials on a fake login page. The email might impersonate the Australian Taxation Office (ATO), Australia Post, a supplier, or even your own bank. Once credentials are entered, the attacker has legitimate access.
  • Weak or reused passwords: If your email password is also your Xero password and your cloud storage password, a single data breach anywhere — even from an unrelated service — can give attackers access to everything.
  • Unpatched software: Software vulnerabilities are discovered regularly. Vendors release patches to fix them. Attackers specifically target businesses running outdated software because the exploit is already known and documented.
  • Compromised staff devices: A staff member uses their personal laptop to access work systems. That laptop has malware from a different incident. The malware captures their work credentials.

None of these entry points require sophisticated hacking skills. They require patience, automation, and a target that hasn't taken basic precautions.

What Happens in the First 24–72 Hours

The most dangerous period after a breach begins is usually before you know anything has happened. According to Mandiant's M-Trends reporting, attackers can spend days, weeks, or longer inside a compromised system before triggering the visible attack — using that time to map the network, locate backups, steal data, and position themselves for maximum impact.

When the visible attack occurs — usually ransomware encryption, a fraudulent transfer, or a customer data dump — the immediate reality for most small businesses looks like this:

Ransomware: Everything Stops

You arrive at work and your files are locked. Your accounting software won't open. Your customer database is inaccessible. A message on your screen demands payment — typically in cryptocurrency — in exchange for a decryption key. In some cases, attackers also threaten to publish stolen data if you don't pay.

For most small businesses, the immediate impact is complete operational shutdown. You cannot invoice. You cannot access client records. You cannot process payroll. If you run a service business, you simply cannot work. Every day of downtime has a direct revenue cost.

Average downtime from a ransomware attack is around 24 days, according to figures cited by Statista and Verizon, which is more than three weeks of potential operational shutdown. Even if you pay the ransom (which law enforcement agencies advise against, and which guarantees neither a working decryption key nor the deletion of stolen data), restoration takes time. If you have no backups, you may be rebuilding from scratch. Paying also now carries a reporting duty of its own: since 30 May 2025, under the Cyber Security Act 2024 (Cth), a business with annual turnover of $3 million or more that makes a ransomware payment must report it to the Australian Signals Directorate within 72 hours.

Business Email Compromise: Money Leaves

Business email compromise (BEC) is often invisible until it's too late. An attacker gains access to your email account — or your client's — and monitors conversations looking for payment opportunities. When an invoice or payment instruction is exchanged, the attacker intercepts it and substitutes their bank account details. The payment goes to the attacker. The legitimate invoice goes unpaid.

For small businesses, recovery is extremely difficult. Once funds clear to the attacker's account (usually overseas), they are effectively gone; the sooner you ask your bank to attempt a recall, the better the odds, so call the bank before anything else once a fraudulent payment is discovered. The Australian Competition and Consumer Commission's Scamwatch consistently reports payment redirection scams (its term for business email compromise) as one of the highest-value scam categories for businesses by financial loss.

Data Theft: The Slow Burn

Sometimes the attack isn't immediately visible. Customer data, employee records, or intellectual property is exfiltrated quietly. You may not discover the breach for weeks or months — often only when a customer reports identity theft, when the data appears for sale on dark web forums, or when the attacker returns with a ransom demand.

The Legal Obligations You Probably Don't Know About

Most small business owners are not aware that a data breach triggers specific legal obligations. Getting these wrong compounds the original damage significantly.

The Notifiable Data Breach Scheme

Under Part IIIC of the Privacy Act 1988 (the Notifiable Data Breaches scheme), if your business is covered by the Act and there is unauthorised access to, unauthorised disclosure of, or loss of personal information you hold that a reasonable person would conclude is likely to result in serious harm to any individual, you are legally required to:

  1. Prepare a statement about the breach and give it to the Office of the Australian Information Commissioner (OAIC) as soon as practicable after you become aware of reasonable grounds to believe the breach occurred
  2. Notify affected individuals directly or, where that is not practicable, publish the statement and take reasonable steps to bring it to their attention

If you only suspect a breach, you must assess whether it is notifiable, and the Act expects that assessment to be completed within 30 days of becoming aware of the suspicion.

Important: The Privacy Act applies to businesses with an annual turnover above $3 million, and also to smaller businesses that are health service providers, that trade in personal information, that are contracted service providers under a Commonwealth contract, or that opt in. Businesses that handle tax file numbers (virtually all accounting and bookkeeping practices, regardless of size) are covered by the scheme in respect of that TFN information. If you're unsure whether the Act applies to you, assume it does and seek advice.

Failing to notify when required is itself an interference with privacy under the Act. Since the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, the maximum civil penalty for a serious interference with privacy is the greater of $50 million, three times the value of any benefit obtained, or 30% of adjusted turnover for the relevant period, and the Act now also provides lower-tier penalties for less serious contraventions. For small businesses, even the lower tiers can be commercially devastating.

Industry Regulator Notifications

Depending on your industry, you may also have notification obligations to your sector regulator:

  • Accounting and bookkeeping: Tax Practitioners Board (TPB). A breach affecting client data may be a breach of the confidentiality obligations in the Code of Professional Conduct, and since 1 July 2024 registered practitioners must report significant Code breaches to the TPB
  • Healthcare: AHPRA and, where Medicare data is involved, Services Australia
  • Financial services: ASIC, where the incident is a reportable situation under your AFS or credit licence. Affected clients may also take a complaint to AFCA, which is a dispute resolution body rather than a regulator you notify
  • NDIS providers: NDIS Quality and Safeguards Commission under the NDIS Practice Standards

Client Notification and Liability

Beyond regulatory obligations, you have practical obligations to affected clients. Clients whose data was compromised need to be informed so they can take protective steps — changing passwords, monitoring for identity theft, cancelling compromised financial instruments. Failing to notify clients promptly, or notifying them inadequately, significantly increases your civil liability exposure.

Why 1 in 5 Small Businesses Don't Recover

The businesses that close after a cyber attack don't usually close because of the direct cost of the attack itself. They close because of the combination of factors that hit simultaneously:

  • Revenue stops during downtime, but fixed costs continue
  • Recovery costs — IT forensics, data restoration, system rebuilding — are substantial and often uninsured
  • Regulatory fines and legal costs arrive months later when cash flow is already strained
  • Reputation damage reduces new business and accelerates client departures
  • Key staff leave, citing the stress and uncertainty of the aftermath

For a business operating on typical small business margins, absorbing all of these simultaneously is often fatal. The businesses that survive are typically those that had cyber insurance with genuine coverage, had backups that worked, and were able to demonstrate to regulators and clients that they had taken reasonable steps before the attack occurred. The ASD's Essential Eight controls are specifically designed to prevent or significantly limit the incidents described above — and implementing them is materially cheaper than the costs of responding to a breach without them.

What You Can Do Now

The most important thing to understand is that cyber security for small business is not about preventing every possible attack — it's about reducing the likelihood of the most common ones, and reducing the damage when one does succeed.

The controls that make the biggest difference for most small businesses are not expensive or technically complex. Enabling multi-factor authentication (MFA) on your email and key business systems. Having tested backups stored separately from your main systems, so that ransomware on the network cannot reach them. Keeping software updated. Making sure staff know how to recognise a phishing attempt. Knowing what you'd do in the first hour of an incident, including who you would call: your IT provider, your bank if money has moved, your insurer, and the ASD through ReportCyber at cyber.gov.au or the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371).

None of these require an IT department. They require a systematic review of where you stand, and a prioritised list of what to address first.

Find Out Where Your Business Stands

Our Small Business Cyber Security Health Check walks you through the controls that matter most for your industry — in plain English, with no technical knowledge required. You'll get a prioritised list of gaps and specific recommendations, plus a written report you can keep as evidence of due diligence.


References

  1. Australian Signals Directorate, Annual Cyber Threat Report 2024–25, October 2025. cyber.gov.au
  2. Accenture, cited by U.S. Small Business Administration, Cyber Safety Tips for Small Business Owners, 2023. sba.gov
  3. Verizon, Data Breach Investigations Report 2019 — 43% of data breaches involved small businesses.
  4. Mastercard SMB Cybersecurity Survey (2025), cited in Huntress, Ransomware Attack Statistics. huntress.com
  5. Statista / Verizon — average ransomware downtime of 24 days, cited across multiple industry sources.
  6. Mandiant, M-Trends Report — annual reporting on attacker dwell time in compromised environments. mandiant.com
  7. Office of the Australian Information Commissioner, Notifiable Data Breaches scheme. oaic.gov.au
  8. Privacy Act 1988 (Cth), Part IIIC (Notifiable Data Breaches scheme, inserted by the Privacy Amendment (Notifiable Data Breaches) Act 2017); civil penalty provisions as amended by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.