When a boutique accountancy firm in Newcastle discovered in early 2024 that its email system had been used to send fraudulent invoices to clients, the immediate financial damage was around $18,000. The long-term damage was harder to quantify. Three clients left. One client sued. The firm's cyber insurance policy — which it had taken out barely 12 months earlier — covered the remediation costs, but not the lost revenue or the months the partners spent managing the fallout instead of billing work.

The attack itself was straightforward: a business email compromise, where an attacker gained access to an email account and monitored it quietly for several weeks before impersonating the firm in invoice payment requests. The entry point was a password that had been compromised in an unrelated data breach and reused across multiple accounts — a practice that affects an estimated 65 percent of small business employees, according to a 2023 Deloitte survey.

Small businesses are not attacked less often than large ones. They are attacked differently — with methods calibrated to the lower security posture and higher likelihood of payment that small organisations typically present.

Understanding the Actual Threat

The Australian Competition and Consumer Commission's Scamwatch data for 2024 showed that businesses with fewer than 20 employees reported the highest per-incident losses from cybercrime. The ACCC attributes this to two factors: smaller businesses tend to have less segmentation between systems (meaning a compromise spreads faster), and they are less likely to have incident response procedures that limit damage.

Business email compromise, the category the Newcastle firm fell into, is the most financially damaging for small businesses. It does not require sophisticated hacking; it requires only a valid password and some patience, and the attacker typically uses that patience to learn who approves invoices and when, and to create inbox rules that hide the victim's replies. Phishing remains the most common delivery mechanism for ransomware. Credential stuffing, where attackers replay username and password pairs leaked from one breach against hundreds of other services, succeeds routinely against businesses whose staff reuse passwords; its cousin, password spraying, tries a handful of common passwords against many accounts and succeeds where passwords are weak.

The three controls that would have prevented the Newcastle incident cost almost nothing to implement: multi-factor authentication on the email account, a unique password for the email system, and breach monitoring that alerts when company email addresses appear in known data breach dumps. Have I Been Pwned's domain search is free for small domains, with paid tiers above that. One caveat a practitioner would add on MFA: it only protects the mailbox if legacy protocols that bypass it (IMAP, POP and SMTP basic authentication) are disabled on the tenant, and it does not prevent an attacker who already has a valid session from quietly adding forwarding rules, so sign-in and mailbox-rule audit logs still need to be reviewed.
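The two stages of the attack described above leave traces in logs a small business already has: a credential-stuffing burst in the sign-in log, and the inbox rules the attacker creates to stay hidden in the mailbox audit log. The following Python detector is an added example, not code from the article or from any vendor named in it. It runs over constructed log lines embedded inline; the JSON field names, thresholds and domains are assumptions for illustration (only the operation name New-InboxRule mirrors the real Exchange Online audit event), and real Microsoft 365 or Google Workspace exports will need their own field mapping.

```python
"""Detect credential stuffing and BEC inbox-rule persistence over constructed logs.

Added example, not part of the original article. Log format, field names and
thresholds are constructed/assumed; adapt the mapping to your own audit export.
"""
from collections import defaultdict
import json

# Constructed sign-in events. Normal daytime activity from 198.51.100.x, then a
# burst from 203.0.113.7 (TEST-NET-3) that tries six accounts and gets one in.
SIGNIN_LOG = """
{"ts": "2024-02-03T08:01:10Z", "user": "alice@example.com.au", "ip": "198.51.100.20", "result": "success"}
{"ts": "2024-02-03T08:02:30Z", "user": "bob@example.com.au", "ip": "198.51.100.21", "result": "success"}
{"ts": "2024-02-03T08:02:45Z", "user": "bob@example.com.au", "ip": "198.51.100.21", "result": "failure"}
{"ts": "2024-02-03T02:14:01Z", "user": "alice@example.com.au", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-03T02:14:02Z", "user": "bob@example.com.au", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-03T02:14:02Z", "user": "carol@example.com.au", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-03T02:14:03Z", "user": "dave@example.com.au", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-03T02:14:03Z", "user": "erin@example.com.au", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-03T02:14:04Z", "user": "frank@example.com.au", "ip": "203.0.113.7", "result": "success"}
"""

# Constructed mailbox-audit events: two attacker rules on frank's mailbox six
# minutes after the compromise, and one legitimate rule created by alice.
RULE_LOG = """
{"ts": "2024-02-03T02:20:00Z", "user": "frank@example.com.au", "op": "New-InboxRule", "name": ".", "forward_to": "frank.accounts@mail.example.net", "delete": false, "subject_contains": []}
{"ts": "2024-02-03T02:21:00Z", "user": "frank@example.com.au", "op": "New-InboxRule", "name": "...", "forward_to": null, "delete": true, "subject_contains": ["invoice", "payment"]}
{"ts": "2024-02-03T09:00:00Z", "user": "alice@example.com.au", "op": "New-InboxRule", "name": "Newsletters", "forward_to": null, "delete": false, "subject_contains": ["newsletter"]}
"""

INTERNAL_DOMAINS = {"example.com.au"}          # assumed: the firm's own mail domain(s)
STUFFING_MIN_USERS = 5                         # assumed threshold; tune to your baseline
STUFFING_MIN_FAILURE_RATE = 0.8                # assumed threshold
BEC_KEYWORDS = {"invoice", "payment", "remittance", "bank"}


def parse(log: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log.strip().splitlines() if line.strip()]


def detect_credential_stuffing(events, min_users=STUFFING_MIN_USERS,
                               min_failure_rate=STUFFING_MIN_FAILURE_RATE):
    """Group sign-ins by source IP and flag IPs that try many distinct accounts
    with a high failure rate. A success inside such a burst is the account to
    reset and review first, which is what 'compromised' lists."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        failures = sum(1 for e in evs if e["result"] == "failure")
        rate = failures / len(evs)
        if len(users) >= min_users and rate >= min_failure_rate:
            hits[ip] = {
                "users": len(users),
                "failure_rate": round(rate, 2),
                "compromised": sorted(e["user"] for e in evs if e["result"] == "success"),
            }
    return hits


def detect_bec_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag newly created inbox rules with the hallmarks of BEC persistence:
    auto-forward to an external domain, deletion of finance-related mail, or a
    name that is blank or just punctuation (attackers pick names that look
    like nothing in the rule list)."""
    findings = []
    for r in rules:
        if r.get("op") != "New-InboxRule":
            continue
        reasons = []
        fwd = r.get("forward_to")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in internal_domains:
            reasons.append(f"forwards to external address {fwd}")
        kws = {k.lower() for k in r.get("subject_contains", [])}
        if r.get("delete") and kws & BEC_KEYWORDS:
            reasons.append("deletes mail matching " + ", ".join(sorted(kws & BEC_KEYWORDS)))
        if not r.get("name", "").strip(". "):
            reasons.append("rule name is blank or only punctuation")
        if reasons:
            findings.append({"user": r["user"], "ts": r["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse(SIGNIN_LOG)).items():
        print(f"credential stuffing from {ip}: {info}")
    for f in detect_bec_rules(parse(RULE_LOG)):
        print(f"suspicious inbox rule for {f['user']} at {f['ts']}: {'; '.join(f['reasons'])}")
```

Run against the constructed data, the first detector names 203.0.113.7 as a stuffing source and frank's account as the one that let the attacker in; the second flags both of the rules created on frank's mailbox minutes later and ignores alice's newsletter rule. The sign-in detector keys on source IP because stuffing tools cycle accounts faster than they cycle addresses; against a distributed botnet you would additionally group by a short time window across all IPs.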

The Essentials, Priced Honestly

The managed security market has developed small business packages that bundle genuine protection at accessible price points. A realistic security posture for a 10 to 20 person business typically includes the following:

Business-grade email security with sandboxed attachment scanning and advanced phishing protection runs between $6 and $15 per user per month through providers like Microsoft Defender for Office 365 or Proofpoint Essentials. For a 15-person firm, that is $90 to $225 per month, less than the cost of a single working day lost to a successful phishing attack.

Endpoint detection and response has come down significantly in price as the market has matured. Small business tiers from CrowdStrike, SentinelOne, and Malwarebytes for Teams start at $6 to $10 per device per month and provide real-time behavioural monitoring rather than the signature-based detection of traditional antivirus, which modern malware evades with little effort.

Cloud-based backup with immutable retention, meaning backup data cannot be deleted or modified before its retention period expires, even by an attacker holding administrator credentials, is available through providers like Acronis or Veeam for $50 to $150 per month depending on data volume. This is the most consistently underinvested control among small businesses, and the one most directly responsible for whether a ransomware attack is a recoverable incident or a fatal one. The caveat is that a backup is only as good as its last tested restore: schedule a restore of a real file set at least quarterly, because discovering that backups are incomplete or that the restore account was also compromised is far cheaper as a drill than during an incident.

The Human Layer

Technology controls reduce risk significantly. They do not eliminate the role of human judgment. The single highest-leverage awareness investment for small businesses is training employees to recognise and report business email compromise attempts, specifically requests that deviate from normal invoice approval processes or ask for banking detail changes. These attacks work because they are plausible. They stop working when people have been told to slow down, verify through a separate channel (a phone number already on file, never one supplied in the email itself), and be suspicious of urgency.

Security awareness training platforms designed for small businesses — KnowBe4 and Proofpoint Security Awareness Training offer small business tiers — run monthly simulated phishing campaigns and short training modules for $3 to $5 per user per month. The simulation data is instructive: organisations that run regular phishing simulations see click rates on simulated phishing emails drop from an industry average of around 33 percent to below 5 percent over 12 months.

Cyber insurance deserves mention, not as a substitute for controls but as a backstop for the risks that remain after them. The premium on a small business policy covering business email compromise, ransomware, and regulatory notification costs has risen sharply since 2021, but policies starting at $800 to $1,500 per year remain available for businesses that can demonstrate basic security hygiene. Most insurers now require MFA on email and remote access as a condition of coverage.

The realistic security budget for a well-protected small Australian business in 2026 is $500 to $1,200 per month, depending on headcount. That is materially less than the average cost of a single incident — and the incidents, for unprotected businesses, are not hypothetical.