Most small business owners I talk to still picture a hacker as a person. One human, hunched over a laptop, picking targets one at a time. That mental model is now wrong, and the gap between it and reality is where a lot of Australian businesses are getting hurt.
The short version: attackers automated. The tools that write your marketing emails are now writing phishing emails, scanning for unpatched software, and impersonating your suppliers. None of that requires a skilled operator behind every attack anymore. It scales.
Here's what that actually looks like on the ground in 2026, and what's worth doing about it if you run a small or mid-sized business.
The numbers are worse than the headlines suggest
The Australian Signals Directorate's most recent Annual Cyber Threat Report logged a cybercrime report roughly every six minutes across the country, with ransomware notifications up 23% and denial-of-service attacks up more than 280% year on year (cyber.gov.au). The average loss for a small business sits around $56,600 per incident, and that figure climbed 14% in a single year.
The part that should worry you more: defences that used to be "good enough" are failing. In 2024–25, 75% of business email compromise attacks got through despite multi-factor authentication being switched on. MFA is still essential. It's just no longer a finish line.
And Australia is getting hit harder than comparable economies. More than one in two Australian businesses reported a cyberattack in 2024, against 41% in the US and 45% in the UK (Tech Guide).
Why AI tipped the balance
Three things changed at once.
Phishing stopped looking like phishing. The old tells (broken grammar, generic greetings, a "Nigerian prince") are gone. AI writes clean, on-brand emails that reference your actual suppliers and recent invoices. Some attacks now use voice cloning to impersonate a director approving a payment. If your fraud-detection instinct is "I'll know a scam when I see one," that instinct is now a liability.
Target selection became automatic. Attackers run AI scanners that crawl the internet looking for unpatched software and misconfigured systems, then queue up whatever they find. There's no human deciding you're too small to bother with. The system doesn't care how many staff you have. It cares whether port 443 is running something six versions out of date.
The capability ceiling jumped. In April 2026, a research team documented an AI agent that found a previously unknown vulnerability in FreeBSD's kernel, wrote a working exploit, and opened a root shell with no human instruction beyond the first prompt (ValiDATA). That was a research demonstration, not something hitting your inbox tomorrow. But it tells you where the curve is pointing.
CPA Australia put the tension plainly: 71% of Australian businesses planned to integrate more AI into their operations, and the warning was that the same technology arming you with productivity is arming criminals with better tools (CPA Australia Business Technology Report). Adoption is racing ahead of defence. That's the actual risk, more than any single exploit.
The uncomfortable bit: you're now in scope for rules you've never read
Two regulatory realities matter for SMEs, and most owners I meet aren't across them.
The Notifiable Data Breaches scheme requires you to report breaches likely to cause serious harm to the Office of the Australian Information Commissioner and to the affected people. It applies to organisations with annual turnover above $3 million, and to smaller businesses in specific sectors like health and credit reporting. As AI-driven breaches get more frequent, the odds of you tripping one of these obligations go up.
There's also a practical squeeze from insurers. Cyber insurance providers increasingly refuse cover, or charge a lot more, for businesses that can't show baseline security controls. So even if a regulator never knocks, your renewal might.
What actually helps (in priority order)
You don't need an enterprise security budget. You need to do the basics properly, because most successful attacks still walk through an unlocked door rather than picking a sophisticated lock.
- Multi-factor authentication everywhere, with phishing-resistant methods where you can. SMS codes are better than nothing, but app-based or hardware-key MFA holds up far better against the BEC attacks that are bypassing weaker setups.
- Patch fast, and know what you're running. The automated scanners are hunting for out-of-date software. A simple inventory of your systems plus a habit of applying updates within days closes most of the doors they're trying. The Australian Cyber Security Centre's Essential Eight is the framework to anchor this to, and it's free.
- Backups you've actually tested. Ransomware is only fatal if you can't restore. Keep at least one backup offline or otherwise isolated, and restore from it once so you know it works before you need it at 2am.
- Train your team on the new phishing, not the old phishing. Run a short, current session. Show them an AI-written invoice scam, not a 2015 example with typos. Teach a verification habit for payment changes: a phone call to a known number, never a reply to the email.
- Have a written response plan. One page. Who you call, in what order, what you shut down first. Most of the cost of an incident is the chaos and the downtime, not the ransom. A plan shrinks both.
Where AI helps your defence too
It's not all bad news. The same technology runs on the defensive side. AI-driven monitoring can watch your network and endpoints at a scale no part-time IT person could match, flagging odd behaviour before it becomes a breach. Gartner forecasts Australian organisations will spend more than AUD $7.5 billion on information security in 2026, with security software the fastest-growing slice, much of it AI-driven detection and automated response (SecurityBrief).
For a small business, you won't buy those platforms directly. You'll get them through a provider. Which is the real shift: cyber security has moved from a thing you set up once to a thing you maintain, and most SMEs don't have the in-house capacity for that. Australia is short more than 30,000 cyber security professionals, and 72% of them sit in Sydney, Melbourne and Canberra, so if you're outside those cities the local talent simply isn't there to hire.
The honest takeaway
I don't think AI has created a brand-new category of threat. It's taken the threats that already worked and made them cheaper, faster, and far more convincing. The businesses that get hurt over the next year won't mostly be the ones facing some exotic AI exploit. They'll be the ones who never turned on proper MFA, never patched, and assumed they were too small to be a target.
The fixes are unglamorous and mostly within reach. The hard part is doing them consistently while you're also, you know, running a business.
OrionX helps Australian small and mid-sized businesses tighten up the practical side of this: getting the Essential Eight basics in place, securing the systems and integrations you actually run, and setting up monitoring that catches problems early. If you want a straight assessment of where your business stands, get in touch.
Frequently asked questions
How are AI cyberattacks different from normal cyberattacks?
The methods are mostly the same: phishing, ransomware, exploiting unpatched software. AI changes the scale and quality. Phishing emails are now clean and personalised, target selection is automated so no human decides you're too small, and attacks run faster than a human could manage. The defence basics still work, but weak versions of them (SMS-only MFA, slow patching) fail more often now.
Is my small business really a target if I'm not well known?
Yes. Attackers use automated scanners that find vulnerable systems regardless of company size or profile. They aren't choosing you personally. They're queuing up every unpatched system they can find, and a small business with weak defences is often an easier payday than a large one.
What's the single most important thing to do first?
Turn on multi-factor authentication on email and any system holding money or customer data, using an authenticator app or hardware key rather than SMS where possible. After that, get into a habit of patching software quickly and keep one tested, isolated backup.
What is the Essential Eight and does it apply to small businesses?
The Essential Eight is a set of baseline security controls published by the Australian Cyber Security Centre. It's free, it's designed to be scalable, and small businesses can adopt it at a basic maturity level. It covers things like application control, patching, MFA, and backups, and it's the most practical starting framework for an Australian SME.
Do small businesses in Australia have to report data breaches?
If your annual turnover is above $3 million, the Notifiable Data Breaches scheme requires you to report eligible breaches to the OAIC and notify affected individuals. Some smaller businesses in sectors like health and credit reporting are covered regardless of turnover. Worth checking where you sit before an incident forces the question.
