Cyber Threats Are Evolving in 2025—Is Your SME Ready?

Cybersecurity has never been more critical for Australian SMEs.

With the latest Australian Signals Directorate (ASD) Cyber Threat Report highlighting growing risks, here’s what you can do now to ensure your business is ready to tackle these challenges head-on.

Key Findings from the Report

Released late last year, the ASD Cyber Threat Report reveals several alarming trends, including an increase in:

  • Ransomware attacks employing advanced techniques to disrupt operations and extort payments.
  • Phishing schemes involving malicious QR codes to trick individuals into revealing personal information or downloading malware.
  • Data breaches targeting Australian businesses, using methods such as search engine optimisation poisoning, and
  • Emerging threats leveraging artificial intelligence, such as deepfake videos created for impersonation.

Cybercriminals often target SMEs, which the Australian Cyber Security Centre (ACSC) identifies as having less robust security measures and limited resources to defend against attacks.

For instance, the report reveals that ransomware remains a top threat at 11% (up three per cent from 2022–23), with advanced tactics targeting businesses of all sizes. Phishing campaigns are also increasing, accounting for a quarter of all incidents related to critical infrastructure. Additionally, the Office of the Australian Information Commissioner (OAIC) reported 527 data breach notifications in the first half of 2024, the highest in 3.5 years and a 9% rise compared to the prior six months.

These evolving threats can cause significant financial, reputational, and operational damage to your business.

Why SMEs Are at Risk

Cybercriminals often perceive SMEs as ‘easy targets’ due to the latter’s limited resources for cybersecurity measures. In fact, about half of Australian SMEs invest less than $500 a year in cybersecurity tools and resources. Many businesses lack the strong systems or dedicated teams required to effectively prevent or respond to attacks.

In addition, many SMEs haven’t had the opportunity to fully understand and address cyber risks, often putting cybersecurity in the ‘too hard basket’ due to technical jargon and uncertainty about where to start. Some SMEs mistakenly believe they are not at risk, despite the potentially severe impacts of a cyber incident on their business.

Human error continues to be a major factor. Employees, especially those without regular cybersecurity training, can unintentionally expose the business to risks by falling for phishing emails, using weak passwords, or neglecting to use two-factor authentication to log in to your systems. If your SME could do with some cybersecurity upskilling, check out the CyberWardens program run by the Council of Small Business Organisations of Australia.

The Financial and Reputational Impact

A successful cyberattack can hamper your business, leading to costly downtime, regulatory fines, and a loss of customer trust. For SMEs, where resources are already stretched, the impact can be devastating.

The ASD Cyber Threat Report highlights cases where businesses have faced extended disruptions due to ransomware, with some never fully recovering. Building trust with clients and partners takes years, but losing it can happen in an instant.


Proactive Steps to Protect Your Business

The good news is that you can take steps to reduce your risk. Cybersecurity doesn’t have to be overwhelming, and even small actions can have a huge impact.

Start by implementing these measures:

  • Train your team: Make sure all staff can identify and respond to cyber threats such as phishing.
  • Implement access controls: Restrict sensitive data access to employees with specific roles and responsibilities.
  • Use multi-factor authentication (MFA): Adding an extra layer of security to sensitive systems makes it harder for attackers to gain access.
  • Back up your data regularly: Reliable backups can be a lifesaver if ransomware hits.
  • Update software and systems: Regular updates close security gaps that hackers could exploit, and
  • Develop an incident response plan: Outline the steps to take if a cyber incident occurs. Include procedures to identify, contain, eradicate, and recover from threats, as well as communication strategies for engaging stakeholders.

The Role of Insurance in Cybersecurity

While prevention is key, your SME can’t eliminate all risks. That’s where cyber insurance plays a role. A tailored policy can cover costs such as data recovery and legal fees, as well as the financial fallout from business interruptions due to cyberattacks.

Management liability and employment practices liability insurance are equally important. These policies offer extra protective layers, covering legal costs and damages related to employee disputes or procedural breaches. As cyber threats evolve, these coverages become essential for SMEs seeking to secure their future.

Working with Your Broker or Adviser

Cyber threats are complex, but managing them doesn’t have to be. As your broker or adviser, we can review your current policies, identify potential gaps, and help safeguard your business against existing and emerging risks. Reach out to us now.