Cyberattacks in Australia: How much do they cost SMEs?

Published on 22/05/2022 by Laura Burgess

Cyberattacks in Australia are rising as both the digital age and the pandemic have given hackers an advantage. Ransomware attacks impact SMEs more than just financially, but how much damage is really being done to companies who aren’t efficiently protected against cybercriminals?

Header image depicting an office employee searching for cybersecurity software

Since the pandemic, cyberattacks in Australia are rising as employees continue to remote work and cybercriminals increasingly target small to midsize enterprises (SMEs). This is likely because SMEs have smaller budgets for IT security and protection against ransomware attacks, compared to larger organisations. Employees remote working could be using their own unsecured network and may also end up victims of phishing emails. As a result of ransomware, SMEs not only lose money but can suffer from reputational damage and loss of consumer trust.

Software Advice wanted to find out just how much ransomware attacks cost Australian SMEs. To do this, we asked a total of 202 IT specialists, who work across different industries, about the security measures and cybersecurity programs their companies have in place. The full methodology is at the bottom of the page.

How many SMEs suffer from ransomware attacks?

Cybercriminals using ransomware pose a significant threat to businesses as they can disrupt operations and entail expensive recovery costs. Digital transformation has seen the adoption of cloud computing and cloud-based subscription services, increasing the opportunities for cybercriminals to strike. Ransomware attacks, the most common form of cyberattack, are a threat to any business and should not be underestimated.

What is ransomware?

Ransomware is malware that encrypts computer files and blocks users from accessing their own systems. Cybercriminals will demand a ransom payment, often in the form of cryptocurrencies, in return for the encryption keys. These criminals may also threaten public release of the stolen data if payment is not made.

Small businesses are most at risk of ransomware threats as they often have fewer resources and a lack of security expertise, leaving them more vulnerable to viruses and trojans from downloads and spam emails. Software Advice found that more than 4 out of 10 SMEs have been victims of a ransomware attack, according to the IT specialists surveyed. This can be broken down as 27% of survey takers who said their company ‘faced a ransomware attack once’ and 14% who said their company has ‘faced several’ attacks.

Pie chart showing if companies have been victims of ransom attacks

The majority (39%) of those whose company has experienced one or more ransomware attacks said that these have occurred since the pandemic started (from 2020 onwards). 37% reported that the attacks happened pre-Covid, and an additional 24% of ransomware victims reported attacks happening both “before 2020 and since the pandemic began”.

Initially, COVID-19 saw businesses investing in technology solutions as a way to survive and combat issues such as remote working, restrictions on face-to-face business operations, and online retail ordering, for example. But as SMEs have continued to grow digitally, so has the risk of being a target for online attacks, meaning strong cybersecurity measures are vital.

The top 5 industries to report data breaches (January – June 2021)

A recent report by the Office of the Australian Information Commissioner (OAIC) found that the top industry sectors to notify them of data breaches were:

  • Health service providers
  • Finance
  • Legal, accounting, and management services
  • Government
  • Insurance

Healthcare organisations reported data breaches the most during this time, which may be the result of many medical practices implementing telemedicine during the pandemic.

In April 2021, multiple hospitals in Queensland were hit by a ransomware attack, which infected emails and booking systems and left staff reverting to using paper-backed processes.

What cybersecurity measures are SMEs using?

Different types of cybersecurity strategies exist so that organisations can protect their company assets and critical information. We wanted to know what cybersecurity measures companies are already taking. The top five include antivirus software (77%), anti-malware software (70%), data backup infrastructure (62%), keeping software up-to-date (62%), and training employees in awareness and protocols (56%).

Bar graph showing cyber security measures that SMEs already have in place

Overall survey results show that SMEs are not fully implementing the best practices for protection against ransomware attacks. For example, only half (49%) of survey takers said their company uses anti-spam software, which is a simple yet incredibly useful tool, especially for smaller businesses. The software aims to check and block any potentially dangerous incoming emails (known as phishing), which is one of the main entry points for cybercriminals.

Ensuring the security of endpoint devices, which is the practice of securing entry points of desktops, laptops, and smartphones, was also only selected by half (51%) of SME representatives. This is even more critical in the age of remote working. Cyber-insurance subscriptions, which may help an organisation cover data recovery costs, were also implemented by only 50% of SMEs. Such measures should be taken seriously by all companies, as protecting against hackers can save on company costs and value in the long run. Implementing cybersecurity measures may also help with the productivity of staff members, as cyberattacks can make it impossible for employees to work. 

What are the types of ransomware attacks?

Ransomware attacks can be divided into two main types:

  • Locker ransomware: A virus that locks the user out of files and data on the computer, making them inaccessible until a ransom is paid. It does not involve encryption.
  • Crypto-ransomware: A program that encrypts valuable files on a computer or mobile device, making them unusable, and requires a decryption key to unscramble the code. 

Software Advice found responses divided fairly evenly between the types of ransomware being used to target SMEs. Locker ransomware affected 36% of SMEs, according to the group who have been victims of an attack, whilst 35% said crypto-ransomware. Both types of ransomware were reported to have affected a further 30% of respondents’ companies.

A combined total of half of the respondents (53%)  in the group who were targeted by cybercriminals said their company paid off the ransom. 40% of IT staff did not pay anything yet they managed to get their data back, which may prove to be frustrating for those who did pay but were unable to retrieve their stolen data. Only 7% of companies did not pay the ransom and did not retrieve their stolen data. 

Infographic showing what happened to the SMEs who tried to recover data after an attack

What is the average cost of a cyberattack for Australian SMEs?

A recent report by Savvy highlights how Australians lost over $300 million to cyber scams in 2021 and, overall, saw an 84% spike in scams since the previous year. But what does this mean for SME representatives surveyed by Software Advice? Out of the group who were affected by a ransomware attack and paid for it, one in four (27%) said their company paid between $30,001 and $60,000 for the ransom —regardless of whether they retrieved the stolen data back or not.

Comparatively, 39% of IT professionals in the UK (who took the same survey by Software Advice) revealed that their company paid between $60,001 and $115,000 (or £33,001 and £67,000) when they were victims of an attack.

Bar graph comparing how much Australian and UK SMEs pay for ransomware attacks

Software Advice found that UK SMEs tend to not only pay higher ransom fees than Aussie companies for the price of a ransomware attack, but they also suffered from higher financial damages to the business. The damages taken into consideration include downtime, people hours, device and network costs, and lost opportunities, as well as the ransom fee.

Bar graph comparing the financial costs of ransomware attacks on businesses in both Australia and the UK

The most common amount of financial damages incurred in the UK was between $70,001 and $145,000 (or £42,001 and £84,000), reported by 37% of UK respondents whose company paid ransomware demands. In Australia, business costs of between $30,001 and $70,000 were the most commonly reported by 32% of IT staff. However, the highest ransom price of over $750,001 was paid by one Australian SME.

How do ransomware attacks impact companies?

Ransomware attacks may not only be a financial burden for companies but can also impact business in other critical ways. A potential attack could compromise a client’s data, the ability of the company to operate, or the business reputation within the network.

As mentioned previously, the healthcare industry in Australia is hit by cybersecurity breaches more than in other sectors. A notable incidence, similar to the aforementioned situation in Queensland, also occurred at a major health network with hospitals based in Melbourne. As a result of the attack, hospital staff were unable to access internal emails and IT systems. More importantly, surgeons were forced to cancel elective surgeries, leaving many patients upset.

Malware can shut down computer access to patients’ scans or medical history, which are needed to provide patient care. The pandemic already saw a lot of surgeries put on hold, which created a backlog of patients who required treatment. A delay in treatment due to ransomware also makes it difficult for doctors to schedule new patients. According to 64% of the IT professionals who experienced a ransomware attack, a ‘loss of time and productivity’ was the most selected answer when asked about the biggest impact that it has had on their company. 

Infographic showing the most problematic impacts of ransomware attacks on SMEs

The other problematic impacts of a ransomware attack chosen by survey takers, included:

  • Loss of reputation (38%)
  • Loss of clients (35%)
  • Loss of employees (12%)

Clearly, the costs of a cyberattack go beyond the price of the ransom, but the good news is that SMEs can protect themselves from threats by implementing an array of security measures.

The next article in this two-part series explains why preparation is key in combatting ransomware attacks. Implementing the right tools in combination with employee training can help companies avoid being blackmailed in the first place. We also look at the risks associated with paying off an attack and why reporting it to an official body, which can provide support, should be a priority. 

Looking for cybersecurity software? Check out our catalogue!


To collect this data, Software Advice interviewed 436 professionals in March 2022 in Australia (202 respondents) and the UK (234 respondents). Candidates had to fulfil the following criteria: 

  • Australian or UK resident
  • Between the ages of 18 and 65 
  • Employed full- or part-time at a company with 2 to 250 employees 
  • Work in the IT department of their company 
  • Able to identify the definition of ransomware as “Malware that locks files or computers and asks for money to unlock them”.

This article may refer to products, programs or services that are not available in your country, or that may be restricted under the laws or regulations of your country. We suggest that you consult the software provider directly for information regarding product availability and compliance with local laws.

About the author

Laura is a Content Analyst, researching and giving insight on tech trends to help SMEs. Graduate of Bath Spa University, UK. Based in Barcelona after years of living in Australia.

Laura is a Content Analyst, researching and giving insight on tech trends to help SMEs. Graduate of Bath Spa University, UK. Based in Barcelona after years of living in Australia.