The Australian Signals Directorate's Annual Cyber Threat Report puts the average cost of a cybercrime for a business at $80,850. If you run a small business, your figure is even lower at $56,600. These numbers might sound manageable. They are not the full story.
At Cubit Cyber, we warn every client that a material cyber incident can easily cost a business up to $250,000 once everything is counted. The gap between the government figure and reality is not a rounding error. It reflects a difference in what gets measured and when.
Why the official figure doesn't capture the real damage
The ASD's cost estimates come from self-reported losses lodged through ReportCyber at the time the crime is reported. When a business first contacts authorities, they are usually calculating the immediate, visible hit: the amount wired to a fraudulent account in a Business Email Compromise, or the ransom demand displayed on an encrypted screen.
That is the entry cost. It is not the total cost.
What businesses rarely account for at the time of reporting is the months-long financial fallout of actually recovering. The technical rebuild. The lawyers. The fines. The customers who quietly leave and never come back. By the time all of that accumulates, the real bill looks nothing like the initial figure.
The ACSC number captures what happened. Our $250,000 figure captures what it costs to survive it.
The cost of getting your network back
Recovering from a serious cyber incident is not a matter of running a restore from backup and being operational the next morning. For most medium-sized businesses hit by ransomware or a destructive intrusion, the network needs to be scrubbed, rebuilt from a clean state, and hardened against re-entry.
For medium-sized Australian businesses, technical recovery and remediation alone have recently averaged $97,000 per incident. That covers your managed service provider rebuilding the environment, re-imaging endpoints, restoring data, and verifying that the attacker no longer has a foothold.
If the incident requires a formal forensic investigation, costs go higher. Digital forensics and incident response (DFIR) specialists in Australia typically bill between $140 and $170 per hour. Figuring out how attackers got in, what they accessed, and whether they left anything behind can take days.
What goes into a technical recovery
- Complete rebuild of compromised servers and workstations
- Forensic investigation to identify the root cause and attack path
- Verification that no persistent backdoors remain
- Restoration and integrity checks of backups
- Security hardening to prevent the same entry point being used again
Most businesses underestimate how complex this is until they are in the middle of it.
Operational downtime: the cost that compounds daily
While your IT team and MSP are fighting to rebuild the network, your business is largely paralysed. Sales stop. Staff cannot access critical systems. Supply chain partners are left waiting, and payroll keeps running regardless.
A recent Splunk survey of Australian and New Zealand businesses found that leaders face an average financial loss of $251,000 strictly from unplanned downtime and system outages caused by cyber events. That figure does not include recovery costs. It is purely the commercial value of days or weeks where the business cannot function.
For a business operating with thin margins, even a week of disruption can create a cash flow crisis that outlasts the incident itself. How your team responds in the first hour determines how quickly that clock stops.
Legal and regulatory exposure
Cyber insurance data shows legal and regulatory costs jumped by 18% in 2025, driven by the growing complexity of breach response: notifying affected customers, engaging privacy lawyers, responding to regulator enquiries, and sometimes defending enforcement action.
Under recent updates to the Privacy Act, the consequences for mishandling a breach have escalated sharply:
- Administrative fines of up to $330,000 for individual compliance failures
- Penalties of up to $3.3 million for repeated or serious privacy interferences
These apply to businesses that fail to notify affected individuals promptly, fail to report to the Office of the Australian Information Commissioner within required timeframes, or are found to have had inadequate security controls before the breach.
Even if you avoid a formal fine, engaging privacy counsel typically costs tens of thousands of dollars. Cyber insurance can absorb some of this, but only if you qualify for a claim.
The revenue you never get back
Lost business is the heaviest long-term cost of a cyber incident, and it is the one that shows up last.
When customer data is exposed, trust goes quickly. Some clients leave without a word. Prospective customers who hear about the incident walk away. Partners may pull back while confidence is low.
Reputational damage can suppress revenue for months or years after the technical recovery is complete. An estimated 65% of Australian businesses fail within 12 months of a major cyber event. The incident rarely kills the business immediately. The months of costs, lost clients, and disrupted revenue that follow often do.
What the $250,000 figure actually looks like
When Cubit Cyber tells clients to plan for up to $250,000, we are not padding numbers. We are adding up costs that are real and frequently underestimated.
| Cost component | Estimated range |
|---|---|
| Technical recovery and MSP rebuild | $70,000 to $120,000 |
| DFIR specialist investigation | $20,000 to $50,000 |
| Operational downtime and lost productivity | $50,000 to $250,000+ |
| Legal fees and regulatory response | $20,000 to $80,000 |
| Customer churn and lost pipeline | Variable, often the largest item |
The ACSC's $80,850 captures one line of that table. Usually the smallest one.
Prevention costs a fraction of recovery
Every post-incident review turns up the same finding: the controls that would have prevented the breach cost far less than the breach itself. A managed security programme, a tested incident response plan, and regular backup validation are all measurably cheaper than what follows.
Cubit Cyber sees this every time we engage with a business after an incident. The deferred investment is always smaller than the bill.
Summary
The $80,850 figure from the ASD reflects what businesses report when they first contact authorities. It does not reflect what they ultimately pay. By the time technical recovery, legal response, downtime, and lost revenue are counted, a serious incident regularly reaches $250,000 for Australian small and medium businesses.
If you want to know where your business stands before that happens, get in touch with Cubit Cyber for a free initial consultation.
