A cyber attack is any deliberate attempt by an outside party to access, disrupt, steal from, or destroy your business’s computer systems, data, or network. That’s it. No Hollywood drama, no state-sponsored hackers in hoodies. For most Australian businesses, it looks a lot more ordinary than the movies suggest — and it can be just as costly.
If you run a professional services firm in Australia and you’ve been wondering what all the fuss about cybersecurity is actually about, this is the post to start with. Over the next twelve weeks, we’re covering the whole landscape. This week, we start at the beginning.
The Most Common Types of Cyber Attacks Facing Australian Businesses
Not all attacks are the same. Here are the five types that show up most often for Australian businesses, especially firms in the 20 to 100 person range.
Ransomware
This is the one that makes the news. An attacker gets into your systems, encrypts your files so you can’t open them, and demands a ransom payment to unlock them. Your entire business can be brought to a halt overnight. Recovery without backups can take weeks. We’ll go deeper on ransomware in a dedicated post later in this series.
Phishing
Phishing is a deceptive email (or sometimes a text message or phone call) designed to trick someone into handing over their login credentials, clicking a malicious link, or opening an infected attachment. It is by far the most common starting point for attacks on Australian businesses. The Australian Signals Directorate’s Annual Cyber Threat Report consistently identifies phishing as a leading initial access method.
Business Email Compromise (BEC)
BEC is a targeted scam where an attacker impersonates a senior person in your business — or an external supplier — to trick employees into transferring money or sharing sensitive information. The emails often look completely legitimate. Australian businesses lose millions to BEC every year.
Malware
Malware is malicious software. It’s an umbrella term that covers ransomware, spyware, trojans, and other programs designed to do damage or steal data. It usually gets in through a phishing email, a compromised website, or an unpatched piece of software.
Distributed Denial of Service (DDoS)
A DDoS attack floods your website or systems with traffic until they collapse under the load. It’s less about stealing data and more about taking you offline. For businesses that rely on their website or an online platform to operate, even a few hours of downtime is expensive.
Each of these will get a full breakdown later in this series. For now, the key point is that they all have one thing in common: they require a way in. That way in is a vulnerability, and most vulnerabilities can be closed.
Who Gets Attacked? (Hint: Probably You)
There’s a dangerous myth that cyber attacks only happen to big companies or government agencies. It’s wrong, and it’s costing Australian small and medium businesses every day.
The Australian Signals Directorate (ASD) reported in its 2022-23 Annual Cyber Threat Report that small and medium businesses accounted for a significant proportion of cybercrime reports. The average cost of a cybercrime incident for a small business was over $46,000. For medium businesses, it was over $97,000.
Here’s why smaller businesses are actually the primary target for many attackers:
- They hold valuable data (client records, financial information, intellectual property) but often have weaker defences than large enterprises.
- They are frequently suppliers or service providers to larger organisations, making them a back door into bigger targets.
- They’re less likely to notice an intrusion quickly, giving attackers more time to operate undetected.
- They’re less likely to have dedicated IT security staff or up-to-date incident response plans.
A 30-person accounting firm, a regional law practice, or a consulting group with a handful of offices is not too small to be a target. In many cases, that size makes them a preferred target.
What Attackers Are Actually After
Understanding motivation helps you understand risk. Most cyber attackers want one of three things.
- Money. This is the most common driver. Ransomware demands, fraudulent transfers via BEC, and stolen financial credentials all convert directly into cash. Organised criminal groups operate like businesses, targeting companies where the return on effort is highest.
- Data. Client records, employee information, medical data, legal files, and commercial contracts are all valuable. Data can be sold on underground marketplaces, used for identity fraud, or leveraged for extortion.
- Access. Sometimes the goal isn’t your business specifically. It’s getting a foothold in your systems to reach a client, partner, or supplier. This is called a supply chain attack, and it’s increasingly common in the professional services sector.
How It Actually Happens: A Realistic Scenario
Forget the movie version. Here’s how a typical attack unfolds for a 30-person professional services firm in Australia.
On a Tuesday morning, an employee in the accounts team receives an email. It appears to be from the firm’s cloud storage provider, asking them to verify their login because of “unusual activity.” The email looks professional. The link in the email opens a page that looks like the real login screen. The employee enters their username and password.
Nothing obvious happens. The employee closes the tab and gets back to work.
In the background, the attacker now has valid credentials for that employee’s account. Over the next few days, they quietly look around. They identify the firm’s client files, financial records, and email history. They also notice the employee has access to the firm’s accounting software.
On Thursday, an email arrives in the inbox of the firm’s bookkeeper. It appears to come from the managing partner, who is travelling. It asks the bookkeeper to urgently process a payment to a supplier. The email looks genuine. The bookkeeper processes the payment.
By the time the fraud is discovered, the money is gone and the attacker has exfiltrated a copy of client data. The incident triggers a mandatory data breach notification under the Privacy Act. The firm must notify affected clients. A forensic investigation follows. Recovery takes months.
This is not a worst-case scenario. It’s a common one.
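The Thursday email in that scenario carries several signals a mail filter can check before it reaches the bookkeeper: an internal executive's display name on an external address, a Reply-To pointing somewhere else again, and urgent payment language. The screening function below is an added example written for this post, not Otto IT's tooling; the firm domain, staff list and the sample message are all constructed.

```python
"""Screen one inbound email for common business email compromise (BEC) signals."""
from email import message_from_string, policy
import re

# Constructed directory for a hypothetical firm (assumption, not from the post).
INTERNAL_DOMAIN = "example-firm.com.au"
EXECUTIVE_NAMES = {"jane citizen"}  # display names attackers are likely to impersonate
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|today|asap)\b", re.I)
PAYMENT_WORDS = re.compile(r"\b(payment|invoice|transfer|bank details|wire)\b", re.I)


def domain_of(addr_spec: str) -> str:
    """Return the lower-cased domain part of an address such as user@host."""
    return addr_spec.rsplit("@", 1)[-1].lower()


def screen_message(raw: str) -> list[str]:
    """Return the list of BEC indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings: list[str] = []
    if msg["From"] is None or not msg["From"].addresses:
        return ["missing or unparseable From header"]
    sender = msg["From"].addresses[0]
    name, addr = sender.display_name.strip().lower(), sender.addr_spec.lower()
    # Signal 1: a known internal name shown on a non-company sending address.
    if name in EXECUTIVE_NAMES and domain_of(addr) != INTERNAL_DOMAIN:
        findings.append(f"display-name impersonation: '{sender.display_name}' sent from {addr}")
    # Signal 2: replies are steered to a different domain than the visible sender.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses and domain_of(reply_to.addresses[0].addr_spec) != domain_of(addr):
        findings.append("reply-to domain differs from sender domain")
    # Signal 3: urgency combined with a request to move money.
    text = f"{msg['Subject'] or ''}\n{msg.get_content()}"
    if URGENCY_WORDS.search(text) and PAYMENT_WORDS.search(text):
        findings.append("urgent payment language")
    return findings


# Constructed sample modelled on the scenario above (not a real message).
SAMPLE_BEC = """From: Jane Citizen <jane.citizen@outlook-mail.example>
Reply-To: jc.partner@freemail.example
To: accounts@example-firm.com.au
Subject: Urgent supplier payment

I'm travelling and can't take calls. Please transfer the attached invoice today.
"""

if __name__ == "__main__":
    for finding in screen_message(SAMPLE_BEC):
        print("FLAG:", finding)
```

A message that trips two or more of these signals is a candidate for quarantine or an out-of-band phone check with the named executive, which is the control the scenario's bookkeeper never had.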
What Happens After an Attack: The Real Cost
The ransom payment or stolen funds are often the smallest part of the total cost. Here’s what businesses actually face after an incident.
- Downtime. Systems may be unavailable for hours, days, or longer. Every hour offline has a direct cost in lost productivity and revenue.
- Forensic investigation. You need to understand what happened, what was accessed, and how the attacker got in. This requires specialist expertise and takes time.
- Legal and regulatory obligations. Under the Notifiable Data Breaches scheme, Australian businesses must notify the Office of the Australian Information Commissioner and affected individuals when a breach is likely to cause serious harm. Failure to do so carries its own risk.
- Reputational damage. Clients expect their data to be protected. A breach can damage trust in ways that take years to rebuild, particularly in professional services where confidentiality is part of the value proposition.
- Recovery and remediation. Cleaning infected systems, restoring data from backups (if they exist and are intact), and rebuilding environments is expensive and disruptive.
For a business without cyber insurance and without tested backups, a serious incident can be existential. We’ve seen it happen.
The Honest Truth: Most Attacks Are Preventable
Here is the part that often surprises business owners. The majority of successful cyber attacks do not exploit exotic, cutting-edge vulnerabilities. They succeed because of basic security gaps that could have been closed.
Weak or reused passwords. No multi-factor authentication. Outdated software with known vulnerabilities. Employees who haven’t received security awareness training. No tested backup and recovery process.
The Australian Government’s Essential Eight framework is a set of eight baseline mitigation strategies that, when implemented, reduce the risk of the most common attacks dramatically. You don’t need to be perfect. You need to be harder to attack than the next business on the list.
If you want to understand where your business stands, our managed cybersecurity services include a security assessment that maps your current posture against the Essential Eight and identifies your most critical gaps.
What Copilot and AI Can Do for Your Security Posture
Microsoft Copilot and AI-assisted tools are increasingly useful for businesses that want to improve their security posture without adding headcount. A few practical applications worth knowing about:
- Security policy drafting. Copilot can help draft or update acceptable use policies, incident response plans, and data handling procedures — documents that many businesses know they need but never get around to writing.
- Monitoring and alert triage. AI-assisted tools in Microsoft 365 Defender and Sentinel can surface anomalous activity faster than manual review, helping IT teams or managed service providers identify threats earlier.
- Incident communications. When something goes wrong, communicating clearly and promptly with clients and staff matters. Copilot can help draft breach notifications, internal updates, and regulatory correspondence under pressure.
These tools don’t replace a security strategy. They make executing one more practical for a business that doesn’t have a dedicated security team.
What to Do Right Now If You Think You’re Under Attack
If something feels wrong — unusual system behaviour, unexpected emails, files that won’t open, strange login alerts — don’t wait.
- Isolate the affected device. Disconnect it from your network (unplug the Ethernet cable, turn off Wi-Fi). This stops the spread.
- Do not turn it off. Powering down can destroy forensic evidence that investigators need.
- Call your IT provider immediately. Not an email. A phone call. Time matters.
- Do not pay a ransom without speaking to a specialist first. Payment does not guarantee recovery and can create additional legal complications.
- Preserve evidence. Take screenshots, write down what you observed and when, and keep any suspicious emails.
- Check your backups. Identify whether you have clean, recent backups and where they are stored.
If you don’t have an IT provider you can call, or you’re not sure your current provider has the cybersecurity capability to respond, book a call with our team. We can assess your situation and help you understand your options.
Frequently Asked Questions
What is a cyber attack in simple terms?
A cyber attack is when someone deliberately tries to access, damage, or steal from your business’s computer systems or data without permission. It can be carried out by criminals, competitors, or sometimes even disgruntled former employees.
Do cyber attacks happen to small businesses in Australia?
Yes, frequently. The ASD’s Annual Cyber Threat Report shows that small and medium businesses make up a substantial share of cybercrime victims in Australia. Attackers often target smaller businesses because they hold valuable data but typically have fewer defences in place.
What is the most common type of cyber attack in Australia?
Phishing is the most common initial access method. A deceptive email tricks an employee into handing over credentials or clicking a link that installs malware. From there, attackers may deploy ransomware, conduct business email compromise fraud, or quietly exfiltrate data.
What should I do immediately after a cyber attack?
Isolate the affected device from your network, call your IT provider immediately, preserve evidence, and do not pay any ransom without specialist advice. Speed matters — the faster you contain the incident, the less damage it can do.
Is my business required to report a cyber attack in Australia?
If a data breach is likely to result in serious harm to any individuals whose data was affected, you are required to notify the Office of the Australian Information Commissioner and those individuals under the Notifiable Data Breaches scheme. Your IT and legal advisors can help you assess whether a notification obligation applies.
How can I protect my business from cyber attacks?
Start with the Australian Government’s Essential Eight framework. Implement multi-factor authentication, keep software updated, control who has access to what, and ensure you have tested backups. Our managed cybersecurity services can help you implement these measures and maintain them over time.
This post is part of Otto IT’s 12-part Cybersecurity for Business series. Next week: What Is Ransomware and How Does It Affect Australian Businesses?
Ready to understand where your business stands? Book a free security conversation with our team.