The threat landscape for Australian SMEs has not quietened. Ransomware groups have industrialised their operations, business email compromise attacks have become harder to detect, and credential theft is happening at a scale that would have seemed implausible five years ago. This is what we are seeing right now.
Ransomware: the persistent top threat
Ransomware remains the most damaging threat to Australian businesses. The crews running the most active campaigns against Australian targets are not sophisticated state actors — they are organised criminal groups running repeatable playbooks. They buy access to compromised credentials, move laterally through unprotected networks, and deploy encryption tools against organisations that have no working backups.
What has changed is the targeting. Attacks that once focused on large enterprises are now routinely deployed against businesses with twenty to two hundred staff. The ransom demands have scaled accordingly, making the calculation grimly rational for some victims.
The controls that stop most ransomware are not complicated: MFA on all external access, patched systems, offline backups, and restricted administrative privileges. These are four of the ACSC Essential Eight controls.
Business email compromise
Business email compromise (BEC) caused more financial loss to Australian businesses than any other cybercrime category last year. The most common variant involves an attacker gaining access to a legitimate email account, monitoring it for payment conversations, then redirecting funds to a different account at the right moment.
Detection is difficult because the attacker is operating from a legitimate account with valid credentials, so the useful signals are around the logon itself (a new country, a new device, an unusual time) rather than the content of the mail. Prevention requires MFA, Conditional Access policies that block or challenge logons from countries and devices the business does not use, and an internal process that requires out-of-band verification (a phone call to a number already on file, never one taken from the email) for any change to payment details.
Credential theft and identity attacks
Phishing, credential stuffing, and adversary-in-the-middle attacks against Microsoft 365 environments are running at high volume against Australian organisations. Adversary-in-the-middle phishing proxies the real login page and captures the signed-in session token, so it defeats push notifications and one-time codes as well as passwords. Attackers are particularly focused on accounts without MFA, and increasingly on MFA fatigue, where users are bombarded with push notifications until they approve one to make it stop.
The shift to phishing-resistant MFA (passkeys, FIDO2 hardware keys) is what the Essential Eight Maturity Model requires at Maturity Level Three (ML3), because it is the only form that survives both token-stealing proxies and push fatigue. For most SMEs, enforcing any MFA at all, with number matching in effect for Microsoft Authenticator push (Microsoft now enforces it by default), is still a significant improvement over the current baseline.
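The two sign-in signals discussed above, a successful logon from a country the business does not operate in (the BEC pattern) and a burst of uncompleted push challenges followed by a success (MFA fatigue), can be checked against an exported sign-in log. The following is an added example, not code from the original article or from any vendor tool. The records are constructed here and only mimic the shape of a Microsoft Graph signIn export (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, status.errorCode); the expected-country list, the thresholds and the example.com.au tenant are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: this SME only expects staff to sign in from these countries.
EXPECTED_COUNTRIES = {"AU", "NZ"}

# Entra ID sign-in status codes. 0 is success; 500121 is "authentication failed
# during strong authentication request", which is how a denied, timed-out or
# ignored Authenticator push is recorded.
SUCCESS = 0
MFA_NOT_COMPLETED = 500121

FATIGUE_WINDOW = timedelta(minutes=15)
FATIGUE_THRESHOLD = 3  # uncompleted pushes in the window before a success


def _rec(upn, when, ip, country, code):
    """Build one record shaped like a Graph signIn object (constructed sample)."""
    rec = {"userPrincipalName": upn, "createdDateTime": when,
           "ipAddress": ip, "status": {"errorCode": code}}
    if country is not None:
        rec["location"] = {"countryOrRegion": country}
    return rec


# Constructed sample export, not data from a real tenant. Addresses are from
# RFC 5737 documentation ranges.
SAMPLE_SIGNINS = [
    _rec("alice@example.com.au", "2024-03-04T22:01:10Z", "203.0.113.10", "AU", SUCCESS),
    _rec("alice@example.com.au", "2024-03-05T03:12:44Z", "198.51.100.7", "NL", SUCCESS),
    _rec("bob@example.com.au", "2024-03-05T01:00:05Z", "192.0.2.55", "AU", MFA_NOT_COMPLETED),
    _rec("bob@example.com.au", "2024-03-05T01:01:15Z", "192.0.2.55", "AU", MFA_NOT_COMPLETED),
    _rec("bob@example.com.au", "2024-03-05T01:02:30Z", "192.0.2.55", "AU", MFA_NOT_COMPLETED),
    _rec("bob@example.com.au", "2024-03-05T01:03:48Z", "192.0.2.55", "AU", MFA_NOT_COMPLETED),
    _rec("bob@example.com.au", "2024-03-05T01:05:02Z", "192.0.2.55", "AU", SUCCESS),
    _rec("carol@example.com.au", "2024-03-05T02:10:00Z", "203.0.113.20", "AU", MFA_NOT_COMPLETED),
    _rec("carol@example.com.au", "2024-03-05T02:11:00Z", "203.0.113.20", "AU", SUCCESS),
    _rec("dave@example.com.au", "2024-03-05T02:30:00Z", "203.0.113.30", "NZ", SUCCESS),
    _rec("erin@example.com.au", "2024-03-05T02:40:00Z", "203.0.113.40", None, SUCCESS),
]


def parse_time(value):
    """Sign-in timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unexpected_location_logons(signins, expected=EXPECTED_COUNTRIES):
    """Successful sign-ins from outside the expected countries.

    A record with no geolocation is reported as 'unknown' rather than
    skipped, so a missing field cannot hide an attacker."""
    hits = []
    for rec in signins:
        if rec["status"]["errorCode"] != SUCCESS:
            continue
        country = rec.get("location", {}).get("countryOrRegion", "unknown")
        if country not in expected:
            hits.append((rec["userPrincipalName"], country,
                         rec["ipAddress"], rec["createdDateTime"]))
    return hits


def mfa_fatigue_candidates(signins, window=FATIGUE_WINDOW, threshold=FATIGUE_THRESHOLD):
    """Users whose successful sign-in was preceded, within `window`, by at
    least `threshold` uncompleted MFA challenges: the push-bombing pattern."""
    by_user = defaultdict(list)
    for rec in signins:
        by_user[rec["userPrincipalName"]].append(rec)
    hits = []
    for upn, recs in by_user.items():
        recs.sort(key=lambda r: parse_time(r["createdDateTime"]))
        for i, rec in enumerate(recs):
            if rec["status"]["errorCode"] != SUCCESS:
                continue
            t_ok = parse_time(rec["createdDateTime"])
            failures = sum(
                1 for prev in recs[:i]
                if prev["status"]["errorCode"] == MFA_NOT_COMPLETED
                and t_ok - parse_time(prev["createdDateTime"]) <= window
            )
            if failures >= threshold:
                hits.append((upn, failures, rec["createdDateTime"]))
    return hits


if __name__ == "__main__":
    for upn, country, ip, when in unexpected_location_logons(SAMPLE_SIGNINS):
        print(f"UNEXPECTED LOCATION  {upn}  {country}  {ip}  {when}")
    for upn, n, when in mfa_fatigue_candidates(SAMPLE_SIGNINS):
        print(f"MFA FATIGUE  {upn}  {n} uncompleted pushes before success at {when}")
```

On the sample data this reports alice's Netherlands logon and erin's logon with no geolocation as unexpected, and bob's four denied pushes followed by a success as a fatigue candidate; carol's single denied push is below the threshold. Against a real export the same two functions run unchanged over the list of signIn objects, and a hit on either is the point at which the account should be revoked and its sessions signed out, before looking at what the attacker did inside the mailbox.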
Supply chain and third-party risk
Attackers are increasingly targeting managed service providers and software vendors as a path into multiple clients simultaneously. If your MSP has access to your environment, their security posture is part of your risk profile. Ask your technology providers about their own Essential Eight alignment, MFA enforcement, and incident response capability.
The five controls that block the most attacks
The ACSC's annual threat report consistently points to the same remediation priorities. The gap between knowing and implementing remains the primary reason incidents occur.
- Multi-Factor Authentication — stops password-only credential attacks outright; phishing-resistant MFA also stops adversary-in-the-middle phishing and push fatigue.
- Patching within 48 hours for vulnerabilities in internet-facing systems that are rated critical or already being exploited.
- Application control — prevents execution of attacker tooling on workstations.
- Restricting administrative privileges — limits lateral movement after initial access.
- Regular, tested, offline backups — the only reliable recovery mechanism against ransomware.
Most of the breaches we respond to were entirely preventable. Not because the organisation lacked sophisticated tools — because it had not implemented the basics.
Frequently asked questions
Is my SME actually a target?
Yes. Automated scanning tools do not distinguish between organisations by size. If your internet-facing systems have unpatched vulnerabilities or accounts without MFA, they will be found. The question is not whether attackers are interested in your industry — it is whether your defences are weaker than the next target.
Which ransomware groups are targeting Australian businesses?
Several ransomware-as-a-service operations are actively targeting Australian organisations. Specific group names and branding change frequently. The ACSC publishes current threat advisories at cyber.gov.au — that is the authoritative source for active campaigns.
What is the single most effective thing I can do today?
Enforce MFA on all external access — email, remote desktop, VPN, cloud services. This single control stops the majority of the credential-based attacks we currently see. Turning it on in a Microsoft 365 tenant takes less than a day and the impact is immediate.