Most Brisbane business owners know cybercrime is a problem. Far fewer know what it actually looks like when it lands on them — or that the single most expensive attack in Australia right now is aimed squarely at the kind of work Brisbane does every day: moving payments between builders, subcontractors, law firms, and clients.
This guide explains the cyber threats Brisbane businesses are facing today, which industries are most at risk, and the practical steps you can take to reduce your chances of becoming the next target. Whether you run a small business or a growing organisation, understanding these risks is the first step towards stronger cyber security.
In short: In Australia today, a cybercrime is reported roughly every six minutes, and the average cost to a business has risen 50% to around $80,850. The costliest attack isn’t sophisticated hacking — it’s Business Email Compromise, where criminals impersonate a supplier or executive to redirect a payment. That hits Brisbane’s core industries hardest: construction, property, and professional services. The good news is that the defences that stop it are neither expensive nor complicated.
What Brisbane businesses are actually facing
The most reliable picture of the threat comes from the Australian Signals Directorate (ASD), the federal agency responsible for cyber security. Its most recent Annual Cyber Threat Report (2024–25) found:
- A cybercrime is reported in Australia on average every six minutes.
- The average self-reported cost of cybercrime to a business rose 50% to around $80,850.
- Business Email Compromise remains the costliest cybercrime for Australian businesses.
- Ransomware made up about 11% of incidents, and 35% of ransomware victims had their stolen data published online.
- 39% of ransomware incidents were discovered by ASD — not by the victim, meaning many organisations don’t realise they’ve been breached until someone tells them.
These are national figures, not Brisbane-specific ones. But that’s rather the point: attacks are overwhelmingly opportunistic and automated, scanning the whole internet for weaknesses. Criminals don’t check your postcode before they target you.
Why Brisbane’s biggest industries are in the firing line
Here’s the part that makes this local rather than generic. Brisbane’s economy is built on construction, property, professional services, and resources — industries defined by large payments moving between lots of different parties. That is precisely the environment Business Email Compromise exploits.
The attack is simple and devastating. A criminal gets access to (or convincingly imitates) an email account somewhere in the chain. They watch, wait for a real invoice or settlement to come up, then send a message that looks entirely legitimate: “Our bank details have changed — please use this account.” The money goes to the criminal, and it’s usually gone for good.
A construction progress payment. A conveyancing settlement. A subcontractor’s invoice. An architect’s fee. Each is a perfect target — a big, expected payment between parties who email each other constantly and don’t think twice about it.
That’s why the sectors below carry particular exposure:
- Construction, infrastructure, and trades. Progress payments and subcontractor invoices are prime targets for payment redirection, where a single diverted transfer can cost hundreds of thousands of dollars.
- Professional services — law, conveyancing, accounting, engineering, and architecture. Trust-account transfers and property settlements are a favourite target, and these firms are also increasingly asked to prove their security before winning work.
- Government suppliers and contractors. With the Queensland Government headquartered here, many Brisbane businesses supply the public sector — which means meeting security expectations, and being attractive to attackers as a route into larger systems.
- Health and life sciences. Hospitals, clinics, and research organisations hold highly sensitive data. Nationally, ransomware attacks on healthcare doubled over the last year.
- Resources and energy. Companies headquartered in Brisbane hold valuable commercial data and, in some cases, run critical infrastructure — making them high-value ransomware targets.
- Technology and startups. Fast-growing firms hold valuable intellectual property and customer data, and often postpone security until later.
The three attacks behind most local incidents
You don’t need to be technical to recognise them:
- Business Email Compromise (BEC) and payment redirection. The costliest attack in Australia, described above. It doesn’t require breaking any technology — just fooling a person at the right moment.
- Ransomware. Attackers lock your systems and steal your data, then demand payment — often threatening to publish the data even if you can restore from your own backups.
- Phishing and stolen passwords. Fake emails and reused or weak passwords remain the most common way attackers get their first foothold.
Notice the pattern: two of the three target your people, not your technology. That’s why training and simple verification habits matter as much as any software you buy.
Security is already a condition of winning work
This isn’t a future trend — it’s happening now. Government departments and large corporates increasingly ask suppliers to demonstrate their security posture before awarding a contract: Do you use multi-factor authentication? Are you aligned to the Essential Eight? Are you ISO 27001 certified? How will you protect the data you handle?
For Brisbane businesses that supply the Queensland Government or larger organisations, a weak or missing answer can lose the work — no matter how strong the rest of the bid is. The most practical starting point is the Essential Eight, Australia’s baseline security framework, and the one buyers ask about most often.
8 practical steps to protect your Brisbane business
Good cyber security isn’t about spending a fortune — it’s about getting the fundamentals right. Here are eight steps, in roughly the order of impact.
- Turn on multi-factor authentication (MFA) everywhere. This single step blocks the large majority of password-based attacks. Start with email and banking.
- Verify every change to payment details — by phone. Before paying a new or changed account, confirm it using a phone number you already have, not one from the email. This one habit stops most BEC losses.
- Back up your data — offline and tested. Keep secure, offline backups and actually test that you can restore them. This is your best defence against ransomware.
- Keep everything updated. Apply software and system updates promptly — unpatched systems are one of the easiest ways in.
- Train your team to spot phishing and payment scams. Your people are your front line. Teach them to pause and verify anything unexpected, especially involving money.
- Limit who can approve payments and access systems. Fewer people with the keys, and a second pair of eyes on large transfers, means fewer chances for a costly mistake.
- Have an incident response plan. Know who does what before something goes wrong. Isolating a problem quickly — and knowing your reporting obligations — makes an enormous difference to the outcome.
- Test your defences and get expert help where it counts. Penetration testing finds your gaps before criminals do, and round-the-clock monitoring means a breach is caught in hours rather than months.
When should a Brisbane business get professional help?
Consider bringing in a cyber security partner if any of these sound familiar:
- You handle sensitive customer, patient, or financial data and aren’t confident it’s properly protected.
- You’re being asked to prove your security posture to win government or large-corporate work.
- You regularly transfer large sums and have no formal process for verifying payment changes.
- You need to meet a compliance obligation — such as the Essential Eight or ISO 27001 — and don’t know where to start.
- You’ve had a near-miss, a scam attempt, or an actual incident, and realised you weren’t ready.
- You’re growing quickly and security has been an afterthought.
There’s real value in working with a Queensland-based team that understands local business — one that can meet you in person when it matters and speaks plainly rather than in jargon.
How Cyber Ethos supports Brisbane businesses
Cyber Ethos is a Queensland-based cyber security firm led by Dr. Kiran Kewalramani — a PhD-qualified specialist with CISSP, CISA, and GAICD credentials and over 20 years of experience. We help businesses across Brisbane and South East Queensland protect what they’ve built, in language everyone in the room can understand.
We support local organisations with penetration testing, 24/7 managed security monitoring, incident response and ransomware recovery, Essential Eight uplift and ISO 27001 support, and vCISO and cyber advisory — senior security leadership without a full-time hire.
Whether you’re a construction firm, a law or accounting practice, a health provider, or a growing tech company, we can help you get the fundamentals right and stay protected as you grow.
Ready to protect your Brisbane business? Book a consultation with Cyber Ethos, or call 1800 CETHOS (1800-238-467).
Reporting a cyber incident
If your business is dealing with a cyber incident, you can report it to the national authorities through Report Cyber, and get urgent help from the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371), available 24/7. Depending on your industry and the nature of the incident, you may also have obligations to notify the OAIC or other regulators.
Frequently asked questions
Do Brisbane businesses really get targeted by cybercriminals?
Yes. Most cyber attacks are opportunistic and automated, scanning the entire internet for weaknesses regardless of location — criminals don’t check your postcode first. With a cybercrime reported in Australia roughly every six minutes and the average business cost now around $80,850, being in Brisbane offers no protection. Preparation does.
What’s the most common cyber attack on Brisbane businesses?
Business Email Compromise, where a criminal impersonates a supplier or executive and tricks someone into paying money to the wrong account or changing bank details. It’s the costliest cybercrime in Australia, and it hits Brisbane’s core industries — construction, property, and professional services — hardest, because they move large payments between many parties.
How much does cyber security cost for a small Brisbane business?
Far less than most people expect, and far less than an incident. Many of the most effective protections — multi-factor authentication, verifying payment changes by phone, backups, staff awareness, and prompt updates — cost little more than the time to set them up properly. Beyond the basics, services like monitoring or an Essential Eight uplift are scaled to your size and budget.
What’s the single most important thing my business should do first?
Turn on multi-factor authentication (MFA) everywhere you can, starting with email and banking. It’s free or low-cost, quick to set up, and blocks the large majority of password-based attacks — making it the highest-impact first step almost any business can take.
Do I need cyber security to win government or corporate contracts?
Increasingly, yes. Tenders now commonly ask suppliers to prove their security posture, through security questionnaires or expectations to meet frameworks like the Essential Eight or ISO 27001. Businesses that can demonstrate strong security are better placed to win work; those that can’t are often filtered out early.
Does Cyber Ethos provide cyber security services in Brisbane?
Yes. Cyber Ethos is a Queensland-based cyber security firm supporting businesses across Brisbane and South East Queensland with penetration testing, managed security, incident response, compliance, and virtual CISO services. Call 1800 CETHOS (1800-238-467) to arrange a free consultation.
