The Gold Coast runs on small business. Cafés, restaurants, tour operators, hotels, clinics, salons, trades, and thousands of owner-operated firms: an economy built on serving people, taking payments, and moving fast.
That creates a cyber weakness most owners have never thought about, and it isn’t the one you’d expect. It’s not sophisticated hacking. It’s the simple question of who has access to your systems, and what happens when they leave.
In short: In Australia today, a cybercrime is reported roughly every six minutes and the average cost to a business has risen 50% to around $80,850. Small businesses are targeted precisely because they’re seen as less defended. Gold Coast hospitality and tourism carry a particular risk: a large casual workforce, shared logins, and card payments flowing through booking and point-of-sale systems. The fixes are cheap and mostly about discipline, not technology.
What Gold Coast businesses are actually facing
The clearest picture comes from the Australian Signals Directorate (ASD), the federal agency responsible for cyber security. Its most recent Annual Cyber Threat Report (2024-25) found:
- A cybercrime is reported in Australia on average every six minutes.
- The average self-reported cost of cybercrime to a business rose 50% to around $80,850.
- Business Email Compromise, where criminals impersonate a supplier or executive to redirect a payment, remains the costliest cybercrime for businesses.
- Ransomware made up about 11% of incidents, and 35% of ransomware victims had their stolen data published online.
- 39% of ransomware incidents were discovered by ASD, not by the victim.
These are national figures rather than Gold Coast ones. But that’s the point: most attacks are opportunistic and automated, scanning the whole internet for weaknesses. Criminals don’t check your postcode, and they don’t skip a business because it’s small. Often the opposite: smaller organisations are targeted on the assumption they’re an easier mark and more likely to pay quickly to get trading again.
The Gold Coast’s blind spot: access, turnover, and shared logins
Here’s what makes the local risk distinctive. Hospitality and tourism run on a casual, seasonal, high-turnover workforce. Staff come and go constantly, often at short notice, and in the rush of a busy season the admin follows later, if at all.
The result is a pattern that shows up again and again in businesses like these:
- Shared logins. One password for the booking system or the POS, known by everyone on shift, and by everyone who’s ever worked a shift.
- Accounts that outlive the staff member. People leave, and their access doesn’t. Old logins sit there for months, unused and unwatched, which makes them perfect for an attacker: nobody notices activity on an account nobody’s thinking about.
- Passwords passed around informally. Written on a note by the terminal, sent over a group chat, or simply told to the next person.
- Manager-level access for everyone, because it was easier than setting up proper roles.
None of that is negligence. It’s what happens when you’re busy and short-staffed. But it means a single leaked or shared password can hand over your booking system, your customer data, or your payments. And because the login is legitimate, nothing looks obviously wrong.
Add card payments running through POS and booking platforms, and a busy trading period where nobody’s watching the back office, and you have the Gold Coast’s real cyber profile.
Which Gold Coast businesses are most exposed?
- Hospitality and tourism. Booking systems, card payments, and high staff turnover: the combination above. Also frequent targets for fake booking and refund scams.
- Retail. Any business taking card payments holds data worth stealing, and POS systems are a known target.
- Health and allied health. Clinics, dental, physio, and allied practices hold highly sensitive patient records. Nationally, ransomware attacks on healthcare doubled over the last year.
- Construction and trades. Progress payments and subcontractor invoices are prime targets for payment redirection, where one diverted transfer can cost hundreds of thousands.
- Professional services. Law, conveyancing, and accounting firms are hit hard by Business Email Compromise, especially around settlements and trust accounts.
- Not-for-profits and community organisations. Often holding sensitive client data on tight budgets, and targeted on the assumption they’re lightly protected.
The three attacks behind most local incidents
- Phishing and stolen passwords. Fake emails and reused or shared passwords remain the most common way attackers get their first foothold, and the most relevant risk for a business with lots of casual staff.
- Business Email Compromise (BEC) and payment redirection. A criminal gets into (or imitates) an email account, waits for a real invoice, then sends “our bank details have changed.” It’s the costliest attack in Australia.
- Ransomware. Attackers lock your systems and steal your data, then demand payment, often threatening to publish it even if you can restore from backups.
Notice that all three target your people and their credentials, not clever technical exploits. That’s genuinely good news, because it means the defences are within reach of any business.
8 practical steps to protect your Gold Coast business
None of these require a big budget. They’re ordered roughly by impact.
- Turn on multi-factor authentication (MFA) everywhere. This single step blocks the large majority of password-based attacks. Start with email, banking, and your booking or POS system.
- Give every staff member their own login. No shared accounts. It costs nothing, and it means you can see who did what, and switch off one person without changing everyone’s password.
- Remove access the day someone leaves. Make it part of your offboarding, alongside handing back the keys. An old account is an open door.
- Verify every change to payment details by phone. Before paying a new or changed account, confirm it using a number you already have, not one from the email. This one habit stops most BEC losses.
- Back up your data, offline and tested. Keep secure, offline backups and actually test that you can restore them. This is your best defence against ransomware.
- Keep everything updated. Apply software and system updates promptly, including your POS and booking platforms. Unpatched systems are one of the easiest ways in.
- Train your team, including casuals, to spot scams. Your people are your front line. Teach them to pause and verify anything unexpected, especially involving money or passwords.
- Get expert help where it counts. Penetration testing finds your gaps before criminals do, and round-the-clock monitoring means a breach is caught in hours rather than months.
For a structured baseline to work towards, the Essential Eight is Australia’s recommended framework, and it turns “improve our security” into eight concrete strategies.
When should a Gold Coast business get professional help?
Consider bringing in a cyber security partner if any of these sound familiar:
- You have shared logins, or you’re not sure who still has access to your systems.
- You take card payments and aren’t confident that data is properly protected.
- You handle sensitive customer or patient information.
- You’ve had a near-miss, a scam attempt, or an actual incident, and realised you weren’t ready.
- A larger client, insurer, or partner has started asking how you secure your systems.
- You’re growing quickly and security has been an afterthought.
There’s real value in working with a Queensland-based team that understands local business, one that can meet you in person when it matters and speaks plainly rather than in jargon.
How Cyber Ethos supports Gold Coast businesses
Cyber Ethos is a Queensland-based cyber security firm led by Dr. Kiran Kewalramani, a PhD-qualified specialist with CISSP, CISA, and GAICD credentials and over 20 years of experience. We help businesses across the Gold Coast and South East Queensland protect what they’ve built, in language everyone in the room can understand.
We support local organisations with penetration testing, 24/7 managed security monitoring, incident response and ransomware recovery, Essential Eight uplift and ISO 27001 support, and vCISO and cyber advisory, which gives you senior security leadership without a full-time hire.
Whether you’re a hospitality group, a health practice, a trades business, or a professional firm, we can help you get the fundamentals right and stay protected as you grow.
Ready to protect your Gold Coast business? Book a free consultation with Cyber Ethos, or call 1800 CETHOS (1800-238-467).
Reporting a cyber incident
If your business is dealing with a cyber incident, you can report it to the national authorities through ReportCyber at cyber.gov.au/report, and get urgent help from the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371), available 24/7. Depending on your industry and the nature of the incident, you may also have obligations to notify the OAIC or other regulators.
Frequently asked questions
Is my small Gold Coast business really a target for cybercriminals?
Yes, and often because it’s small. Most attacks are opportunistic and automated, scanning the entire internet for weaknesses regardless of location or business size. Criminals know smaller businesses tend to have weaker protections and are more likely to pay quickly to get trading again. With a cybercrime reported in Australia roughly every six minutes and the average business cost around $80,850, size is no shield.
What’s the biggest cyber risk for a hospitality or tourism business?
Access. A casual, high-turnover workforce often leads to shared logins, passwords passed around informally, and old accounts that stay active long after staff leave. Because those logins are legitimate, an attacker using one doesn’t look suspicious. Giving every person their own account, turning on multi-factor authentication, and removing access on someone’s last day fixes most of it, at almost no cost.
How much does cyber security cost for a small Gold Coast business?
Far less than most people expect, and far less than an incident. The most effective protections (multi-factor authentication, individual logins, removing old accounts, verifying payment changes by phone, backups, and staff awareness) cost little more than the time to set them up properly. Beyond the basics, services are scaled to your size and budget.
What’s the single most important thing my business should do first?
Turn on multi-factor authentication (MFA) everywhere you can, starting with email, banking, and your booking or POS system. It’s free or low-cost, quick to set up, and blocks the large majority of password-based attacks. That makes it the highest-impact first step almost any business can take.
Does Cyber Ethos provide cyber security services on the Gold Coast?
Yes. Cyber Ethos is a Queensland-based cyber security firm supporting businesses across the Gold Coast and South East Queensland with penetration testing, managed security, incident response, compliance, and virtual CISO services. Call 1800 CETHOS (1800-238-467) to arrange a free consultation.
