Australian businesses are paying $80,850 per cybercrime incident in 2025. That figure is up 50% in a single year. Here is the full breakdown: what it costs, why businesses fail, what causes it, and what you can do about it.

The cost of data loss for Australian businesses has reached crisis levels. According to the ACSC Annual Cyber Threat Report, the average cybercrime incident now costs Australian businesses $80,850, up 50% in a single year. Small businesses face $56,600 per incident, while large businesses pay $202,700. With a cybercrime report filed every six minutes, the question is not if your business will be affected, but when.
It is 7:43am on a Monday morning. You sit down at your desk with your coffee, ready to tackle the week ahead. You press the power button and wait for the familiar startup sounds. Instead, you are greeted by silence, or worse, a screen displaying a ransom demand for $50,000 in Bitcoin with a 72-hour countdown.
This is not a hypothetical scenario. It is happening to Australian businesses every single day. According to the latest data from the Australian Signals Directorate, a cybercrime incident is reported in Australia every six minutes. That is 240 businesses per day facing potential data loss, operational disruption, and in many cases, the end of their business entirely.
The ASD Annual Cyber Threat Report 2024-25 reveals a disturbing trend: the cost of data loss is accelerating faster than at any point in the past decade. The average cost of a cybercrime incident for Australian businesses has reached $80,850, representing a staggering 50% increase from the previous year.
| Business Size | Avg Cost Per Incident | YoY Change |
|---|---|---|
| Small Business (under 20 employees) | $56,600 | +14% |
| Medium Business (20-199 employees) | $97,200 | +55% |
| Large Business (200+ employees) | $202,700 | +219% |
| Overall Business Average | $80,850 | +50% |
For large businesses, costs have more than tripled with a 219% increase from the previous reporting period. These are not gradual, manageable increases. They represent a fundamental shift in the risk landscape that Australian businesses face.
These headline figures only tell part of the story. They represent the direct cybercrime costs Australian organisations can immediately quantify. The true cost often runs three to four times higher when you factor in hidden expenses that accumulate in the weeks and months following an incident.
When most business owners think about the cost of data loss, they imagine a straightforward expense: pay for data recovery, replace damaged hardware, and move on. The reality is far more complex. Data loss triggers a cascade of expenses that can continue for months or even years, often running three to four times higher than the initial incident.
Revenue lost during downtime, data recovery costs, hardware replacement, emergency IT consulting. According to Gartner, the average cost of IT downtime is approximately $5,600 per minute across industries.
Employee productivity loss, project delays, missed deadlines, supply chain disruptions. Staff cannot process orders, access client records, or communicate effectively while systems are down.
A PwC Australia study found 87% of consumers would consider leaving a business after a data breach, and 71% said they would never return.
Australia's data breach notification statistics underscore the scale of the problem. Under the Privacy Act 1988, penalties for serious breaches reach $50 million. The NDB scheme received 595 breach notifications in H2 2024 alone (up 15%).
"87% of Australian consumers would consider leaving a business after a data breach, and most of them will never come back."
PwC Digital Trust Insights Australia
Beyond these direct costs, management distraction represents a significant hidden expense. Instead of focusing on growth, your leadership team is dealing with crisis response, coordinating recovery efforts, managing insurance claims, and communicating with customers. It costs five to twenty-five times more to acquire a new customer than to retain an existing one, so when a breach drives away 30-50% of your customer base, you are not just losing current revenue. You are multiplying your future customer acquisition costs while giving competitors a gift of warm leads.
The financial impact varies significantly across industries. Healthcare and financial services face the highest costs due to regulatory penalties and the sensitivity of the data involved, while retail and hospitality face lower per-incident costs but higher frequency of attacks.
Healthcare organisations face the highest cost multiplier due to strict regulatory requirements under the Privacy Act and the sensitivity of patient records. The Medibank breach (2022) exposed 9.7 million records and resulted in significant regulatory and legal consequences that continue to unfold.
Financial services carry the highest multiplier. APRA's CPS 234 requires financial institutions to maintain specific cybersecurity capabilities and report breaches within 72 hours. The RI Advice Group case demonstrated ASIC's willingness to prosecute inadequate cyber security practices with a $750,000 fine.
Law firms, accounting practices, and consultancies hold privileged client information. A breach does not just expose data; it can breach legal professional privilege, trigger mandatory reporting to law societies, and expose the firm to malpractice claims. Every hour of downtime directly translates to lost billable revenue.
Retail faces a lower per-incident cost multiplier but higher attack frequency due to the volume of payment card data processed. POS system outages stop sales immediately. E-commerce businesses can lose $10,000-$50,000 per hour during peak trading, and PCI DSS non-compliance can result in merchant account termination.
Construction has a lower digital dependency than other sectors but faces growing risk as BIM models, project management platforms, and digital tendering become standard. Loss of project files, tender documents, or compliance records can delay projects by weeks and trigger liquidated damages clauses in contracts.
Manufacturing faces baseline cost levels but unique operational technology (OT) risks. SCADA and industrial control systems are increasingly internet-connected but often run legacy software with known vulnerabilities. A ransomware attack on production systems can halt an entire factory floor, with losses of $20,000-$100,000 per day in production stoppage.
93% of businesses that experience prolonged data loss (10+ days) file for bankruptcy within 12 months. The cost of data loss for these businesses is not just financial. Most simply do not have the operational resilience to survive an extended period without access to their critical data and systems.
For small businesses specifically, approximately 60% that experience a significant cyber attack or data loss incident close their doors within six months. The cost of a data breach for a small business extends far beyond the initial incident. The combination of direct costs, business disruption, customer loss, and damage to owner confidence proves insurmountable.
The combination of insufficient cash reserves, customer attrition during downtime, incomplete or failed recovery, and the psychological impact on business owners means that for most affected businesses, the question is not whether they can afford to recover, but whether they can survive long enough to recover at all.
Understanding what causes data loss is the first step toward reducing its cost to Australian businesses. While high-profile ransomware attacks dominate media coverage, they represent only a portion of incidents. A comprehensive cybersecurity strategy needs to address all the major causes, not just the ones that make headlines.

The latest data breach statistics from Australia confirm the severity: the ACSC responded to 138 ransomware incidents during FY2024-25, and 39% of these were detected by the ACSC itself rather than by the affected organisations, meaning the businesses did not even know they had been compromised until a government agency told them. Modern ransomware attacks now commonly exfiltrate data before encrypting it, creating a double-extortion scenario.
How much does data loss cost a small business in practice? It depends on your size, industry, and how prepared you are. Use our interactive calculator to estimate the potential financial impact on your business based on ASD and industry data.
Based on ASD Cyber Threat Report 2024-25 and industry research
For small businesses, the cost of a data breach is particularly devastating relative to revenue. If the average incident costs $56,600, and implementing a comprehensive data loss prevention strategy costs $3,000-$5,000 annually, the investment pays for itself if it prevents just one incident over a 10-15 year period. Given that the average business experiences multiple data incidents over its lifetime, the ROI is substantial.
| Protection Measure | Annual Cost | Loss Prevented |
|---|---|---|
| Cloud backup (business-grade) | $600 - $2,400 | $50,000+ |
| Local backup (NAS + drives) | $500 - $1,500 (setup) + $200/yr | $30,000+ |
| Multi-factor authentication | Free - $200 | $50,000+ |
| Staff security awareness training | $500 - $2,000 | $100,000+ |
| Cyber insurance | $1,000 - $5,000 | $500,000+ |
A proper data loss prevention strategy for a small business does not need to be expensive or complex. The 3-2-1 rule combined with basic security hygiene (multi-factor authentication, staff training, and regular patching) covers the vast majority of threat scenarios.
Tap each item you have in place
If you are reading this because you have already experienced data loss, time is critical. The actions you take in the first few hours can significantly impact both your chances of successful recovery and the total cost of the data loss to your business.
Every second of continued operation risks overwriting recoverable data. If the drive is clicking or grinding, power off immediately.
47% of DIY recovery attempts result in permanent data loss that professional recovery could have prevented. Do not risk it.
Note when you discovered the problem, symptoms observed, and actions taken. This helps recovery specialists and insurance claims.
The cost of data protection is measured in hundreds or thousands of dollars. The cost of data loss is measured in tens or hundreds of thousands, or the entire business itself. The businesses that survive are not necessarily the largest or the most technologically sophisticated. They are the ones that took basic precautions before disaster struck. The question is not whether you can afford to protect your data. It is whether you can afford not to.
Wildfire Data Recovery is Brisbane's leading data recovery service with a 96% success rate across 15,221 recoveries. Free diagnosis, No Data No Fee guarantee, and Australia-wide express shipping. Whether you need hard drive recovery, phone data recovery, or enterprise RAID recovery, our Brisbane lab is ready to help.
Monthly insights on data recovery, cybersecurity, and backup strategies for Australian businesses. No spam, unsubscribe anytime.
All statistics and cost figures in this article are drawn from the following authoritative sources. We do not use fabricated or estimated statistics.