Cyber Security for Small Business: Why Melbourne Owners Are Exactly Who Criminals Target (and How to Protect Yourself)

Published 16 June 2026 · Tech Seek

Cyber Security for Small Business: Why Melbourne Owners Are Exactly Who Criminals Target (and How to Protect Yourself)

"We're too small to be a target." It is the most common thing small business owners say about cyber security, and it is exactly the thinking that makes them easy to hit.

Here is the reality. Most attacks are not some hacker personally choosing your business. They are automated, scanning the internet for any business with a weak password, an unpatched system, or a staff member who will click the wrong link. To that software, a 12-person business in Coburg is not too small. It is a softer target than a bank, with less defending it.

The numbers back it up. The Australian Signals Directorate received more than 84,700 cybercrime reports in 2024 to 2025, around one every six minutes, and the average self-reported cost of an incident for a small business rose to $56,600. Small business owners are more than twice as likely to be hit by ransomware as the average person, according to the Australian Institute of Criminology.

One thing you will not get here is fake scare statistics. You may have seen the claim that "60% of small businesses close within six months of a cyber attack." It has been thrown around for years, but the organisation it usually gets attributed to has publicly disowned it, and no one can find the original source. The real figures are alarming enough without inventing any.

So this is the honest playbook. Why you are a target, the threats that actually hit Australian small businesses, the protection you genuinely need, what it costs, and exactly what to do in the first hour if it happens to you.

Here's what's covered:

Why small businesses are exactly who criminals target

The "too small to matter" myth costs Australian businesses dearly, because it is built on a misunderstanding of how attacks actually work.

Attackers are not sitting at a screen hand-picking victims. They run automated tools that sweep across thousands of businesses at once, looking for the easy ways in: a password that has leaked in another breach, a system missing a security update, an email account without multi-factor authentication. Your size does not protect you. Your defences do, and small businesses usually have fewer of them.

There is a grim logic to it. A large company has a security team, monitoring, and layers of protection. A small business often has antivirus and crossed fingers. Same automated attack, far easier payday.

Small businesses are also attractive because of what they connect to. You might hold customer payment details, you might supply a bigger company attackers really want, and you almost certainly have a bank account worth draining. The OAIC recorded 1,113 data breach notifications in 2024, the highest since the scheme began, and small businesses are well represented in that number.

None of this is meant to frighten you into paralysis. It is meant to retire the idea that you are not worth attacking. You are. The good news is that the same basic defences that frustrate these automated attacks are well within reach of a small business, and most of the rest of this guide is about exactly that.

The threats that actually hit Australian small businesses

Cyber security can feel abstract until you see how these attacks play out. Here are the ones that genuinely hit Australian small businesses, in plain English, with how they tend to unfold.

Phishing and email scams

Phishing is a fake message designed to trick someone into handing over a password or clicking something harmful. It is the most common starting point for attacks, recorded as the initial way in for well over a third of the incidents ASD responds to.

It usually looks like a legitimate email: a fake login page for your email or bank, a "your account is locked" warning, a delivery notice. One staff member enters their details, and the attacker now has a way in.

The defences are multi-factor authentication (so a stolen password alone is not enough), email filtering to catch the obvious ones, and staff who know what to look for.

Business email compromise and invoice fraud

This is the one that empties bank accounts, and it is the costliest scam type for Australian businesses by a wide margin. Australians reported $166.8 million in payment redirection losses, and small businesses are squarely in the firing line.

Here is how it plays out. An attacker gets into your email, or convincingly fakes it, and watches. When an invoice is due, they send the client a polite "please note our bank details have changed" message. The client pays the criminal's account, the money is gone, and everyone finds out weeks later.

The fix is part technical and part process: secure the email accounts with multi-factor authentication, and adopt a hard rule that any change of bank details is verified by a phone call to a known number, never trusted from an email alone.

Ransomware

Ransomware is malware that locks up your files and demands payment to unlock them. For a small business it can mean not being able to invoice, access customer records, or operate at all, overnight.

It typically arrives through a dodgy attachment or link, or through a remote-access connection left exposed. Once it runs, it encrypts everything it can reach, often including backups that are connected to the same network.

The single most important defence is backups that are tested and kept out of the attacker's reach, which we cover in our guide to IT disaster recovery . With a clean backup, ransomware is a bad day. Without one, it can be the end.

Weak and stolen passwords

Passwords get stolen in their millions through breaches at other companies, then attackers try them against business logins, betting that people reuse them. If your work password is the same one that leaked from some old shopping site, you are exposed.

The two fixes are simple and cheap. A password manager so every account has a strong, unique password nobody has to remember, and multi-factor authentication so a stolen password alone does not open the door.

What a small business actually needs: layered protection

There is no single product that makes you secure. Real protection is a few sensible layers, each catching what the others miss. Here is the realistic set for a small business, roughly in order of impact.

Multi-factor authentication (MFA). The highest-value control there is. Microsoft has found MFA blocks more than 99.2% of account-compromise attacks. Put it on email, banking, remote access, and every important system, not just one of them.

Endpoint protection. Modern security software on every device that detects and stops malware and ransomware. Tech Seek uses Bitdefender across client devices for this layer.

Managed patching. Keeping software and operating systems updated so attackers cannot walk through known holes. Done properly, this runs in the background rather than depending on someone remembering.

Tested backups. Daily backups, kept off-site and disconnected, and actually test-restored. This is your last line of defence against ransomware.

Email security. Filtering that catches phishing and scam emails before they reach the inbox, cutting off the most common attack at the door.

Staff awareness training. Most breaches involve a person, so a team that can spot a dodgy email is one of your strongest defences. This works best as ongoing training, not a one-off lecture.

Password management and firewalls. A password manager kills password reuse, and a properly configured firewall controls what reaches your network. Both are quiet, foundational, and worth getting right.

You do not have to roll all of this out at once, and protection comes from the layers working together rather than any single magic product. These layers also line up closely with the government's Essential Eight , the baseline set of controls worth knowing about. The early layers, MFA, backups, and patching, give you the most safety for the least effort.

Securing your remote and hybrid team

The shift to working from home opened up doors a lot of businesses never closed. When staff work outside the office, your security has to follow them, and for many small businesses it simply has not.

The weak points are predictable. Home Wi-Fi that was set up once and never secured. Personal laptops and phones being used for work without protection. Remote-access connections left open to the internet, which are a favourite way in for ransomware.

The fixes are not complicated. Multi-factor authentication on every remote login, so an exposed connection is not an open one. Endpoint protection on every device that touches work data, personal ones included. Keeping those devices updated. And secure remote access set up properly rather than cobbled together.

If your team went remote in a hurry and the security never caught up, you are not alone, and it is one of the more common gaps we find. It is also one of the more straightforward to close.

What it actually costs

Here is the question every other guide dodges. There is no single price, because it depends on your size and what you already have, but you deserve real numbers rather than "contact us."

As a rough guide, managed security for a small business tends to run somewhere in the range of $30 to $200 per user per month depending on depth, with a basic layer of protection at the lower end and round-the-clock monitoring at the higher end. Staff awareness training platforms add roughly $15 to $30 per user per month. Many small businesses fold all of this into a managed IT arrangement rather than buying it piece by piece.

For a reference point, Tech Seek's Total Care Membership starts from $545 per month and bundles the core security layers (multi-factor authentication, monitoring, patching, backups, and endpoint protection) into the wider service, with no lock-in contract.

The honest way to weigh it is against the alternative. The average small-business incident costs around $56,600, and that is before the downtime and the lost trust. The basics are some of the cheapest protection a business can buy.

The only way to get a real figure for your business is to look at what you actually have. A discovery session is a no-obligation way to find out where the gaps are and what closing them would cost.

What to do in the first hour of a breach

If it happens, the first hour shapes how bad it gets. Panic and the wrong moves make it worse. Here is the short version of what to do, in order.

Disconnect, do not wipe. Isolate affected devices from the network to stop the spread: unplug the network cable, turn off the Wi-Fi. Do not delete anything or rebuild machines yet, because you will destroy evidence you may need.

If money has moved, call your bank immediately. For an invoice or payment scam, the bank's fraud team is your best chance of stopping or recovering a transfer, and minutes matter. Call them before anything else.

Call your IT provider. The sooner someone who knows your systems is involved, the better the outcome. This is exactly what an after-hours number is for.

Preserve evidence and do not rush to pay. Paying a ransom is no guarantee you get your data back, it marks you as someone who pays, and it may carry legal reporting obligations. Make that call with expert advice, not in a panic.

Report it. Report cybercrime to the Australian Cyber Security Centre through ReportCyber at cyber.gov.au, or call the Australian Cyber Security Hotline on 1300 CYBER1. If personal information has been exposed, you may have obligations to notify the OAIC and the affected people. Businesses over a certain size also have to report a ransom payment to the government within 72 hours under the Cyber Security Act.

Tell the people who need to know. Staff, and where required, affected customers. Handled openly, a breach is survivable. Handled badly, the cover-up does more damage than the attack.

The businesses that come through an incident intact are almost never the lucky ones. They are the ones who knew what to do before it happened.

Cyber insurance: what it covers and what insurers now demand

Cyber insurance covers the costs of an incident: the forensic investigation, data recovery, business interruption, notifying customers, and the liability if their data is exposed. For a small business that cannot absorb a $56,600 hit, it is worth understanding, yet only around 20% of Australian small and medium businesses currently hold it, according to the Insurance Council of Australia.

The thing to know is that insurance and good security are not alternatives. They go together, because insurers now demand the controls before they will cover you well.

A modern cyber insurance application is a detailed technical questionnaire. Insurers want to see multi-factor authentication, endpoint protection on every device, and tested backups, at a minimum. Without them, cover is more expensive, more limited, or refused outright. And if you say you have a control you do not, a claim can be denied when you need it most.

So the same layers that protect you also make you insurable and keep your premium sensible. Get the security right first, and the insurance becomes cheaper, easier, and far more likely to pay out.

Do you need to hire someone, or can an MSP handle it?

Most small businesses cannot justify a full-time IT security hire, and they do not need to. A good in-house security specialist in Melbourne costs well over $100,000 a year, and a single person cannot cover everything anyway.

For the large majority of small businesses, a managed IT provider is the sensible answer. You get the whole set of layers (MFA, endpoint protection, patching, backups, email security, training) looked after for a predictable monthly fee, by a team rather than one person.

Here is where we will be straight with you, because plenty of providers are not. The layered protection above stops the automated, opportunistic attacks that make up the vast majority of what actually hits small businesses, and that is what a provider like Tech Seek delivers. We are not pretending to be an enterprise security firm. We do not run a 24-hour security operations centre or offer penetration testing, and if your business genuinely needs that level, we will tell you. For a 2-to-80 person Melbourne business, solid layered protection from in-house local technicians is the right answer, not enterprise tooling you do not need.

If you want to know where your business actually stands, a discovery session will tell you, with no obligation.

Getting protected

The "too small to matter" myth is the most expensive idea in small business cyber security, because it is the reason the basics never get done. You are a target, but you are a target who can do something about it.

You do not need to become a security expert or spend a fortune. Start with the layers that matter most: multi-factor authentication everywhere, tested backups out of reach of an attacker, patching that keeps up, and a team that can spot a dodgy email. Those alone put you ahead of most small businesses and stop the bulk of what is out there. The rest you build from there.

You also do not have to do it alone. Tech Seek is a Melbourne MSP with in-house technicians who help local businesses put real, practical protection in place, without the jargon, the scare tactics, or the lock-in contracts. The discovery session is a straightforward place to find out where you stand and what your sensible next step is.

Frequently Asked Questions

Am I too small to be a target?

No, and this is the most dangerous myth in small business security. Most attacks are automated, sweeping the internet for any business with a weak point, and they do not care how small you are. A smaller business with fewer defences is often an easier target than a large one.

Small businesses are more than twice as likely to be hit by ransomware as the average person, according to the Australian Institute of Criminology. Your size is not protection. Your defences are.

How much should a small business spend on cyber security?

There is no fixed figure, but managed security tends to run somewhere in the range of $30 to $200 per user per month depending on depth, and many businesses bundle it into a managed IT plan. Tech Seek's Total Care Membership starts from $545 per month with core security included.

The useful way to think about it is against the roughly $56,600 an average incident costs an Australian small business. The fundamentals are some of the cheapest protection you can buy.

What cyber security does a small business actually need?

The core layers are multi-factor authentication, endpoint protection on every device, managed patching, tested backups, email security, and staff awareness training, with a password manager and firewall underneath. No single product covers you; protection comes from the layers working together.

Start with MFA, backups, and patching. They give you the most safety for the least effort and money.

Is antivirus enough on its own?

No. Antivirus is one layer, and a necessary one, but on its own it does not stop a stolen password being used, a staff member being tricked by a phishing email, or your data being lost if you have no tested backups.

Modern protection is layered. Antivirus, or more accurately modern endpoint protection, sits alongside MFA, backups, patching, and training, not in place of them.

What's the most common cyber threat to small business?

Phishing and email-based attacks are the most common starting point, recorded as the initial access method in well over a third of incidents ASD responds to. The most financially damaging is business email compromise, where an attacker redirects a payment, which costs Australian businesses more than any other scam type.

Both target people rather than technology, which is why staff awareness and multi-factor authentication matter so much.

Do I need cyber insurance, and what do insurers require?

It is worth having, since it covers the substantial costs of an incident, though only around 20% of Australian SMEs currently hold it. Insurers now require security controls before offering good cover: multi-factor authentication, endpoint protection, and tested backups at a minimum.

The same controls that make you insurable also keep your premium down and stop claims being denied. Security and insurance work together, not as alternatives.

How do I protect my business from ransomware?

The most important defence is backups that are tested and kept off-site and disconnected, so even if ransomware encrypts your systems, you can restore without paying. Alongside that, endpoint protection, patching, multi-factor authentication, and securing remote access close the common ways it gets in.

With a clean, tested backup, ransomware is a bad day rather than the end of the business.

What is business email compromise or invoice fraud?

It is when an attacker gets into or convincingly fakes a business email account and redirects a payment, usually by telling a client the bank details have changed. The client pays the criminal, and the money is often unrecoverable.

It is the costliest scam type for Australian businesses. The defence is multi-factor authentication on email accounts, plus a firm rule that any change of bank details is confirmed by a phone call to a known number, never trusted from an email.

What do I do in the first hour if we get breached?

Disconnect affected devices from the network to stop the spread, but do not wipe or rebuild anything, since you will need the evidence. If money has moved, call your bank's fraud team immediately. Then call your IT provider, and report the incident to the Australian Cyber Security Centre through ReportCyber.

Do not rush to pay a ransom, and get expert advice before making that decision. Acting calmly and in the right order makes a real difference to the outcome.

Do I have to report a breach or a ransom payment?

It depends on the incident. If personal information is exposed in a way likely to cause serious harm, the Notifiable Data Breaches scheme requires you to notify the OAIC and the affected people. Businesses over a certain turnover must also report a ransom or extortion payment to the government within 72 hours under the Cyber Security Act 2024.

Some industries carry extra obligations on top, such as NDIS providers . Even where reporting is not legally required, telling the Australian Cyber Security Centre helps, and handling a breach openly protects your reputation.

Is my Microsoft 365 secure by default?

Not entirely. Microsoft 365 has strong security available, but the default settings are not the most secure ones, and many businesses never turn the protections on. Multi-factor authentication, in particular, needs to be enabled and enforced.

It is also worth knowing that Microsoft does not back up your 365 data the way most people assume, so a separate backup is still needed. Getting 365 configured properly is one of the higher-value things a provider does.

Can an MSP handle all this, or do I need to hire someone?

For most small businesses, a managed IT provider is the sensible answer. You get the full set of security layers looked after by a team for a predictable monthly fee, far more cheaply than a full-time hire that would cost well over $100,000 a year.

A good provider is also honest about its limits. The layered protection an MSP like Tech Seek provides stops the attacks that actually hit small businesses; if you ever genuinely need enterprise-level tooling like a 24-hour security operations centre, a good provider will tell you rather than pretend.

Need a hand with this in your business? Tech Seek provides local, in-house IT support for Melbourne small businesses since 2006.

Talk to our team

Stop IT Problems From Disrupting Your Business

Book a free IT risk review and see how responsive local support keeps your team productive.

Call Us Book Free Review