Australia's official cyber security numbers: ASD received over 84,700 cybercrime reports in FY2024-25, one every 6 minutes on average. The average self-reported cost for a small business was $56,600 per report, up 14%. The OAIC logged 1,205 data breach notifications in 2025, the highest annual total since the scheme began.
Cyber security statistics get quoted loosely, and vendor surveys with small samples are often presented as national data. This page sticks to the official Australian sources: the Australian Signals Directorate's Annual Cyber Threat Report, the OAIC's Notifiable Data Breaches statistics, and the National Anti-Scam Centre's Targeting Scams report. Every figure carries its source and reporting period, and where a number could not be verified against the published report, it has been left out.
Key statistics at a glance
- Over 84,700 cybercrime reports were made to ASD in FY2024-25, an average of one every 6 minutes (ASD Annual Cyber Threat Report 2024-25).
- The average self-reported cost of cybercrime for a small business was $56,600 per report, up 14% year on year (ASD Annual Cyber Threat Report 2024-25).
- The average self-reported cost of cybercrime to large business rose 219% in FY2024-25 (ASD Annual Cyber Threat Report 2024-25).
- Email compromise was the largest self-reported cybercrime type for business at 19% of business reports, with business email compromise fraud involving financial loss at 15% and identity fraud at 11% (ASD Annual Cyber Threat Report 2024-25).
- 1,205 data breaches were notified to the OAIC in calendar 2025, up 8% on 2024 and the highest annual count since mandatory reporting began in 2018 (OAIC Notifiable Data Breaches statistics, calendar 2025).
- Combined scam losses reported across Scamwatch, ReportCyber, IDCARE, AFCX and ASIC reached $2.18 billion in 2025, up 7.8% on 2024 (National Anti-Scam Centre Targeting Scams report, 2025 calendar year).
- Payment redirection scams, the category covering business email compromise, cost Australians $166.8 million in 2025, up 9.3% from $152.6 million in 2024 (National Anti-Scam Centre Targeting Scams report, 2025 calendar year).
How often are Australian businesses attacked?
The broadest official measure is cybercrime reporting to the Australian Signals Directorate. In FY2024-25, ASD received over 84,700 cybercrime reports through ReportCyber, which works out to an average of one report every 6 minutes (ASD Annual Cyber Threat Report 2024-25). That figure is slightly down on the roughly 87,400 reports ASD received the previous year (ASD Annual Cyber Threat Report 2023-24), but ASD attributes little comfort to the dip: reporting is voluntary, so the true incident count is higher than the reported one.
The reports split across individuals, businesses and government. For the business share, the pattern is consistent year to year: email-borne fraud dominates, and small and medium businesses carry a disproportionate share of the reports relative to their security budgets. On the data breach side, the OAIC's Notifiable Data Breaches scheme recorded 1,205 notifications in the 2025 calendar year, an 8% increase on the 1,112 notified in 2024 and the highest annual total since the scheme commenced in 2018 (OAIC Notifiable Data Breaches statistics, calendar 2025). Frontrow covers the breach data in more depth in a separate guide; the headline here is simply that mandatory breach notifications have never been higher.
What does a cyber incident cost an Australian small business?
ASD publishes the average self-reported cost of cybercrime per report, broken down by business size. In FY2024-25 the average for a small business was $56,600 per report, a 14% increase on the prior year (ASD Annual Cyber Threat Report 2024-25). For comparison, the average self-reported cost for an individual was $33,000, up 8% over the same period (ASD Annual Cyber Threat Report 2024-25).
Costs rose across every size band, and the sharpest movement was at the top end: the average self-reported cost of cybercrime to large business increased by 219% in FY2024-25 (ASD Annual Cyber Threat Report 2024-25). Two caveats worth stating plainly. These are averages of self-reported direct losses, so a handful of large incidents can move the number significantly. And they exclude the harder-to-count costs, such as downtime, customer notification, legal advice and lost work, which for most businesses exceed the direct loss.
Which attack types hit businesses most?
ASD ranks the self-reported cybercrime types affecting Australian businesses. In FY2024-25 the top three were email compromise at 19% of business reports, business email compromise fraud involving a financial loss at 15%, and identity fraud at 11% (ASD Annual Cyber Threat Report 2024-25). Taken together, the two email categories account for roughly a third of everything businesses reported. The most common way an Australian business loses money to cybercrime is not an exotic exploit; it is someone getting into, or convincingly imitating, a business email account.
The breach data points the same way. Of the 1,205 breaches notified to the OAIC in 2025, the majority, 716 notifications, were attributed to malicious or criminal attack, with the remainder split between human error and system faults. Health service providers were the most commonly affected sector, accounting for 19% of notifications, or 225 breaches (OAIC Notifiable Data Breaches statistics, calendar 2025).
How much is lost to business email compromise?
The National Anti-Scam Centre tracks payment redirection scams, the category that covers business email compromise: a criminal intercepts or imitates a legitimate business conversation and redirects a real payment to their own account. In the 2025 calendar year, payment redirection scams cost Australians $166.8 million, up 9.3% from $152.6 million in 2024 (National Anti-Scam Centre Targeting Scams report, 2025 calendar year). That made it the second-largest scam category by losses, behind investment scams.
- Investment scams: $837.7 million in reported losses in 2025 (National Anti-Scam Centre Targeting Scams report, 2025 calendar year).
- Payment redirection (business email compromise): $166.8 million (same source and period).
- Romance scams: $139.9 million (same source and period).
- Phishing scams: $97.6 million (same source and period).
- Remote access scams: $69.9 million (same source and period).
Across all categories and reporting bodies, combined reported scam losses reached $2.18 billion in 2025, a 7.8% increase on 2024 (National Anti-Scam Centre Targeting Scams report, 2025 calendar year). Reported losses understate the real total, because many victims never report.
What should a business do about it?
The pattern in the official data has been stable for years: most reported business losses come through email compromise, stolen credentials and redirected payments. Those are precisely the attacks the Australian Signals Directorate's Essential Eight is designed to blunt, particularly multi-factor authentication, patching, application control and restricted admin privileges. For a business running on Microsoft 365, most Essential Eight controls map directly onto licensing it already owns, especially at the Business Premium tier.
Frontrow Technology helps Australian businesses implement the Essential Eight on Microsoft 365 and runs its own tenant at Essential Eight Maturity Level 2, so the advice it gives clients is the configuration it operates on itself. A sensible starting point is an honest maturity assessment: measure the current tenant against Maturity Level 1, close the email and identity gaps first, and treat payment redirection controls as a business process fix as much as a technical one.
Statistics compiled July 2026 from the most recent published editions of each source: the ASD Annual Cyber Threat Report 2024-25 (published October 2025), OAIC Notifiable Data Breaches statistics for calendar 2025, and the National Anti-Scam Centre Targeting Scams report covering 2025 activity. Figures describe the periods stated, not calendar 2026.