Why This Matters for Melbourne SMBs

There’s a persistent myth that cybercriminals only target large corporations. The reality — well documented by the Australian Cyber Security Centre — is the opposite. Small and medium businesses are targeted heavily, precisely because they hold valuable data (client files, financial records, personal information) but typically invest far less in security than their enterprise counterparts.

For a law firm, accounting practice, medical clinic, or real estate agency in Melbourne, a successful cyberattack can mean encrypted client files, a regulatory breach notification, professional indemnity exposure, and clients who never come back. Understanding the specific threats you face is the first step to protecting against them.

The scale of the problem in Australia

The ACSC received over 94,000 cybercrime reports in 2023–24 — one every six minutes. Professional services (legal, accounting, consulting) were among the most targeted sectors. The average cost of a cybercrime incident for an Australian SMB exceeded $46,000 for small businesses and $97,000 for medium businesses — not including regulatory penalties or reputational damage.

1. Phishing

Phishing is the most common entry point for cyberattacks on Australian businesses. It involves sending fraudulent emails — or sometimes SMS messages (smishing) or voice calls (vishing) — that trick recipients into revealing credentials, clicking malicious links, or opening infected attachments.

Modern phishing is highly targeted. Attackers research their victims using LinkedIn, company websites, and social media. A phishing email arriving in a receptionist’s inbox might appear to be from their managing partner, reference a real client matter, and include a link to a convincing fake Microsoft 365 login page. The staff member enters their credentials, and the attacker now has access to their email account.

Spear phishing

Targeted phishing that uses personal details to appear legitimate — often impersonating a colleague, supplier, or the ATO. Common in accounting firms during tax season.

Credential harvesting pages

Fake Microsoft 365 or Google login pages that capture usernames and passwords, giving attackers access to email, SharePoint, and connected applications.

Malware-bearing attachments

Office documents, PDFs, or ZIP files that execute malicious code when opened — often delivering a ransomware dropper or remote access tool.

Protection: Multi-factor authentication (MFA) is the single most effective control — even if credentials are stolen via phishing, MFA prevents the attacker from logging in. Email filtering, Safe Links and Safe Attachments in Microsoft 365, and staff awareness training complete the picture. See our Microsoft 365 Security Checklist for configuration guidance.

2. Ransomware

Ransomware is malicious software that encrypts your files — documents, databases, client records — and demands payment (typically in cryptocurrency) for the decryption key. Modern ransomware groups are sophisticated criminal enterprises with customer service portals, negotiation teams, and data leak sites. They don’t just encrypt; they often exfiltrate data first and threaten to publish it unless a second ransom is paid.

For professional services firms, a ransomware attack is catastrophic. Law firms hold privileged client communications. Accounting firms hold TFNs and trust account data. Medical practices hold patient health information. The combination of operational shutdown, potential data disclosure, and regulatory reporting obligations creates a severe, multi-front crisis.

Double extortion is now standard
Most ransomware groups now exfiltrate data before encrypting systems. Even if you can restore from backups and avoid paying the ransom, you may still face a data breach notification obligation under the Privacy Act if client data has been exfiltrated. Backups are necessary but not sufficient.

Protection: The ACSC Essential Eight provides the clearest framework for reducing ransomware risk — covering application patching, MFA, application control, macro blocking, and tested offline backups. For a detailed breakdown, read our Ransomware Protection guide for Melbourne businesses.

3. Business Email Compromise (BEC)

Business email compromise is a form of fraud that causes more financial damage globally than ransomware. It doesn’t require malware — it requires only a convincing email and a momentary lapse in verification. An attacker either compromises a legitimate email account or creates a spoofed address that closely mimics a trusted party, then uses it to request fraudulent payments or sensitive data.

Common BEC scenarios in professional services include: a supplier’s email account is compromised and attackers send new bank account details to that supplier’s clients; a staff member receives an email appearing to be from the managing partner requesting an urgent payment; or a fake invoice arrives that matches a legitimate supplier’s format exactly.

The Australian Competition and Consumer Commission’s Scamwatch data consistently shows BEC and invoice fraud among the highest-value scam types targeting businesses. Conveyancers and real estate agencies are particularly exposed, given the large sums transferred in settlement transactions.

Protection: DMARC, DKIM, and SPF email authentication records make it significantly harder to spoof your domain. Verification procedures for payment instruction changes — always via a separately confirmed phone number, never by replying to the suspicious email — are essential. Conditional access policies that flag unusual login locations also help catch account compromises early.
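The SPF and DMARC records mentioned above are plain DNS TXT strings, and the weak settings that leave a domain spoofable (a `+all` or `~all` SPF ending, a DMARC policy of `p=none`, no reporting address) are easy to spot once the records are parsed. The script below is an added example for this article, not Melbits code: it checks constructed sample records for three hypothetical domains entirely offline, so the domain names and record contents are assumptions. To check your own domain, replace the dictionary with a real TXT lookup of `example.com` and `_dmarc.example.com`.

```python
"""Check SPF and DMARC records for settings that make domain spoofing easy.

Added example for this article, not Melbits code. SAMPLE_RECORDS holds
constructed TXT records for hypothetical domains so the script runs offline;
swap in a real DNS lookup (e.g. with dnspython) to assess your own domain.
"""
import re

SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
    "nodmarc.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,
    },
}

# SPF mechanisms and modifiers that each cost one of the 10 permitted DNS lookups.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)")


def parse_dmarc(record):
    """Return DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(spf):
    """Weaknesses in an SPF record; an empty list means nothing was flagged."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell who may send as this domain"]
    terms = spf.split()
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF ends in +all: any sender on the internet passes")
    elif last == "~all":
        findings.append("SPF softfail (~all): spoofed mail is still accepted, only marked")
    elif last != "-all":
        findings.append("SPF has no terminating 'all' mechanism")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit is 10): evaluates to permerror")
    return findings


def dmarc_findings(dmarc):
    """Weaknesses in a DMARC record; an empty list means nothing was flagged."""
    tags = parse_dmarc(dmarc)
    if not tags:
        return ["no DMARC record: receivers apply no policy to mail that fails SPF/DKIM"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy missing or invalid: {policy!r}")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy applied to only a sample of mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports on abuse")
    return findings


def assess(domain, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC findings for one domain in the record set."""
    rec = records[domain]
    return {"spf": spf_findings(rec["spf"]), "dmarc": dmarc_findings(rec["dmarc"])}


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(name, assess(name))
```

DKIM is not checked here because the selector names a domain publishes are not discoverable from DNS alone; confirm DKIM signing is enabled in your mail platform separately. The `strong.example` record is the target state: `-all` on SPF, `p=reject` on DMARC, and a `rua` address so that the aggregate reports tell you who is attempting to send as your domain.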

4. Credential Theft & Account Takeover

Attackers don’t need to break down the front door if they have a key. Stolen credentials — usernames and passwords — are traded in bulk on dark web marketplaces, often from historical data breaches at other services. If your staff reuse passwords, a breach at an unrelated site can give attackers access to your Microsoft 365 environment, practice management software, or cloud storage.

Credential stuffing attacks automate this process: attackers take lists of known email/password pairs and try them against cloud services at scale. Without MFA, a single successful match gives the attacker full account access — including the ability to create mailbox forwarding rules that hide their activity, access shared files, and move laterally to other accounts.

Password reuse

Credentials from unrelated breaches (e.g. a shopping site) tested against your business systems. Extremely common and highly automated.

Keyloggers

Malware installed on a device that records every keystroke, capturing passwords as they are typed. Often delivered via phishing.

MFA fatigue / prompt bombing

Attackers who have stolen credentials repeatedly trigger MFA push notifications until a fatigued user approves the request to make them stop.

Protection: MFA on all accounts is non-negotiable. Phishing-resistant MFA (number matching, hardware keys) is more secure than simple push approval. A password manager eliminates password reuse. Conditional access policies in Microsoft Entra ID (formerly Azure AD) can block logins from unusual locations or devices.
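Both credential stuffing and MFA fatigue leave a distinctive trace in sign-in logs: one source address failing passwords against many different accounts in minutes, or one user receiving a burst of MFA push prompts, sometimes ending in an approval. The script below is an added example for this article, not Melbits code. It runs two such detections over constructed sample events in a simplified `time,user,ip,result` format; the users, addresses and result labels are assumptions, and a real sign-in export (for example from Entra ID) would need its columns mapped onto those four.

```python
"""Flag credential-stuffing and MFA-fatigue patterns in sign-in events.

Added example for this article, not Melbits code. SAMPLE_LOG is constructed
sample data (hypothetical users, documentation IP ranges) in a simplified
"time,user,ip,result" format; map the fields of your real sign-in log onto it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T09:00:01,alice@firm.example,203.0.113.7,failed_password
2024-05-01T09:00:03,bob@firm.example,203.0.113.7,failed_password
2024-05-01T09:00:05,carol@firm.example,203.0.113.7,failed_password
2024-05-01T09:00:07,dave@firm.example,203.0.113.7,failed_password
2024-05-01T09:00:09,erin@firm.example,203.0.113.7,failed_password
2024-05-01T09:00:11,frank@firm.example,203.0.113.7,success
2024-05-01T09:30:00,alice@firm.example,198.51.100.20,success
2024-05-01T22:10:00,carol@firm.example,192.0.2.9,mfa_prompt_sent
2024-05-01T22:10:40,carol@firm.example,192.0.2.9,mfa_denied
2024-05-01T22:11:20,carol@firm.example,192.0.2.9,mfa_prompt_sent
2024-05-01T22:12:05,carol@firm.example,192.0.2.9,mfa_prompt_sent
2024-05-01T22:12:50,carol@firm.example,192.0.2.9,mfa_prompt_sent
2024-05-01T22:13:30,carol@firm.example,192.0.2.9,mfa_approved
"""


def parse_events(text):
    """Parse the CSV-style lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return sorted(events, key=lambda e: e["time"])


def max_in_window(items, window, key=None):
    """Largest count of items (or of distinct key(item) values) inside any span of `window`."""
    best, start = 0, 0
    for end in range(len(items)):
        while items[end]["time"] - items[start]["time"] > window:
            start += 1
        chunk = items[start:end + 1]
        best = max(best, len({key(i) for i in chunk}) if key else len(chunk))
    return best


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """One source IP failing passwords against many distinct accounts in a short window."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failed_password":
            fails_by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in fails_by_ip.items():
        tried = max_in_window(fails, window, key=lambda e: e["user"])
        if tried >= min_accounts:
            # A success from the same IP after the spray began is the urgent case:
            # a reused password has matched and that account needs attention now.
            first = fails[0]["time"]
            hits = sorted({e["user"] for e in events if e["ip"] == ip
                           and e["result"] == "success" and e["time"] >= first})
            alerts.append({"type": "credential_stuffing", "ip": ip,
                           "accounts_tried": tried, "successes": hits})
    return alerts


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """A burst of MFA pushes to one user; an approval in the same series means compromise."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"].startswith("mfa_"):
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        prompts = [e for e in evs if e["result"] == "mfa_prompt_sent"]
        burst = max_in_window(prompts, window)
        if burst >= min_prompts:
            approved = any(e["result"] == "mfa_approved" for e in evs)
            alerts.append({"type": "mfa_fatigue", "user": user,
                           "prompts": burst, "approved": approved})
    return alerts


def run_detections(text):
    """Run both detections over a log and return the combined alert list."""
    events = parse_events(text)
    return detect_credential_stuffing(events) + detect_mfa_fatigue(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the sample data the first detection reports five accounts tried from one address with a later success for `frank@firm.example`, and the second reports four prompts to `carol@firm.example` that ended in an approval. The thresholds are deliberately low so the constructed log triggers them; tune `window`, `min_accounts` and `min_prompts` against a few weeks of your own sign-in history before alerting on them.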

5. Unpatched Software & Known Vulnerabilities

Every piece of software has vulnerabilities. The difference between a patched vulnerability and an unpatched one is that attackers actively scan the internet for the latter. When a security patch is released, attackers reverse-engineer it to understand the underlying vulnerability and begin exploiting unpatched systems within hours. A Melbourne law firm running an unpatched version of a remote access tool or practice management application is visible to automated scanners worldwide.

This isn’t theoretical. The ACSC’s regular reports on Australian cyber incidents consistently identify unpatched known vulnerabilities as one of the top three causes of significant breaches. Many of the most damaging incidents could have been prevented by routine patching.

Protection: Automated patch management is the only practical solution for businesses with more than a handful of devices. Patching applications within 48 hours of a critical patch release and within two weeks for lower-priority patches is the Essential Eight benchmark. This applies to operating systems, browsers, Microsoft 365 applications, and all line-of-business software.

6. Insider Threats

Not all security threats come from outside the organisation. Insider threats include both malicious insiders — current or former staff who intentionally misuse access — and accidental insiders who cause breaches through negligence or error. In professional services, the most common accidental insider incidents involve sending sensitive documents to the wrong recipient, misconfiguring cloud storage to allow public access, or falling for a social engineering attack.

The access management problem is particularly acute when staff leave. Without a formal offboarding process that immediately revokes system access, departed employees may retain access to client files, email, and cloud storage for months or years.

The least privilege principle
Staff should only have access to the systems and data they need for their current role. A reception staff member does not need access to the practice management database or financial records. Regular access reviews — quarterly is reasonable for most SMBs — identify over-provisioned accounts before they become a liability.

Protection: Role-based access controls, a documented onboarding/offboarding checklist that includes system access provisioning and deprovisioning, and regular access reviews. Privileged identity management for admin accounts, with just-in-time access rather than standing admin rights.
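A quarterly access review is, in practice, a comparison of three lists: who HR says works here and in what role, which accounts exist and what they can reach, and which dedicated admin accounts belong to whom. The script below is an added example for this article, not Melbits code. It runs that comparison over a constructed sample (the firm, people, roles, group names and dates are all hypothetical) and reports the cases the section above describes: departed staff still enabled, sign-ins after a leaving date, groups beyond a role's baseline, standing admin rights on daily-use accounts, and orphaned or dormant accounts.

```python
"""Quarterly access review: compare directory accounts with the HR roster and a
role-based entitlement baseline.

Added example for this article, not Melbits code. The roster, accounts, roles,
group names and dates are constructed sample data for a hypothetical firm; load
the two lists from your HR system and directory (e.g. an Entra ID user export).
"""
from datetime import date

# Groups each role may hold: the least-privilege baseline (hypothetical names).
ROLE_ENTITLEMENTS = {
    "partner":      {"Staff", "PracticeMgmt", "Finance"},
    "solicitor":    {"Staff", "PracticeMgmt"},
    "receptionist": {"Staff"},
    "it-admin":     {"Staff"},  # admin rights belong in a dedicated account, not this one
}

# Dedicated admin accounts and the person who owns each one.
ADMIN_ACCOUNTS = {"adm-dave@firm.example": "dave@firm.example"}

HR_ROSTER = [
    {"upn": "alice@firm.example", "role": "partner",      "status": "active",   "end_date": None},
    {"upn": "bob@firm.example",   "role": "receptionist", "status": "active",   "end_date": None},
    {"upn": "carol@firm.example", "role": "solicitor",    "status": "departed", "end_date": date(2024, 1, 31)},
    {"upn": "dave@firm.example",  "role": "it-admin",     "status": "active",   "end_date": None},
]

ACCOUNTS = [
    {"upn": "alice@firm.example",    "enabled": True, "groups": {"Staff", "PracticeMgmt", "Finance"}, "admin": False, "last_sign_in": date(2024, 4, 29)},
    {"upn": "bob@firm.example",      "enabled": True, "groups": {"Staff", "PracticeMgmt"},            "admin": False, "last_sign_in": date(2024, 4, 30)},
    {"upn": "carol@firm.example",    "enabled": True, "groups": {"Staff", "PracticeMgmt"},            "admin": False, "last_sign_in": date(2024, 3, 2)},
    {"upn": "dave@firm.example",     "enabled": True, "groups": {"Staff"},                            "admin": True,  "last_sign_in": date(2024, 4, 30)},
    {"upn": "adm-dave@firm.example", "enabled": True, "groups": set(),                                "admin": True,  "last_sign_in": date(2024, 4, 28)},
    {"upn": "temp2019@firm.example", "enabled": True, "groups": {"Staff"},                            "admin": False, "last_sign_in": date(2023, 6, 1)},
]


def review_access(accounts, roster, admin_accounts, today, dormant_days=90):
    """Return (upn, code, detail) findings for an access review as of `today`."""
    people = {p["upn"]: p for p in roster}
    findings = []
    for acct in accounts:
        upn = acct["upn"]
        if upn in admin_accounts:
            # A dedicated admin account is fine as long as its owner is still active staff.
            owner = people.get(admin_accounts[upn])
            if owner is None or owner["status"] != "active":
                findings.append((upn, "ADMIN_OWNER_NOT_ACTIVE", f"owner {admin_accounts[upn]}"))
            continue
        person = people.get(upn)
        if person is None:
            findings.append((upn, "ORPHAN", "no matching HR record"))
        elif person["status"] == "departed":
            if acct["enabled"]:
                findings.append((upn, "DEPARTED_ENABLED", f"left {person['end_date']}"))
            if acct["last_sign_in"] and acct["last_sign_in"] > person["end_date"]:
                findings.append((upn, "SIGNIN_AFTER_DEPARTURE", f"last sign-in {acct['last_sign_in']}"))
        else:
            extra = acct["groups"] - ROLE_ENTITLEMENTS[person["role"]]
            if extra:
                findings.append((upn, "EXCESS_GROUPS", f"{sorted(extra)} beyond role {person['role']}"))
            if acct["admin"]:
                findings.append((upn, "STANDING_ADMIN", "admin rights on a daily-use account"))
        if acct["enabled"] and acct["last_sign_in"]:
            idle = (today - acct["last_sign_in"]).days
            if idle > dormant_days:
                findings.append((upn, "DORMANT", f"no sign-in for {idle} days"))
    return findings


def review_sample():
    """Run the review over the constructed sample as of 1 May 2024."""
    return review_access(ACCOUNTS, HR_ROSTER, ADMIN_ACCOUNTS, date(2024, 5, 1))


if __name__ == "__main__":
    for upn, code, detail in review_sample():
        print(f"{upn:28} {code:24} {detail}")
```

The `SIGNIN_AFTER_DEPARTURE` finding is the one to act on first: it is not a hygiene gap but evidence that a departed person's credentials were used after their end date, which belongs in the incident process rather than the next quarterly review.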

7. Supply Chain & SaaS Risk

Modern businesses rely on dozens of cloud applications — practice management, document storage, accounting, payroll, communication tools. Each of these is a potential attack surface. Supply chain attacks target software vendors and service providers with the goal of reaching their customers: a compromised update to a widely-used application can deliver malware to thousands of businesses simultaneously. The 2020 SolarWinds attack is the most prominent example, but the technique is increasingly used against SMB-targeting software vendors.

SaaS risk also includes the accumulation of connected applications. Every application granted access to your Microsoft 365 or Google Workspace environment via OAuth can read, write, or share your data. Poorly reviewed OAuth consent grants are a growing source of data exposure in professional services.

Protection: Regular review of connected applications and OAuth consent grants. Vendor security assessments for critical software vendors. Application allow-listing prevents unauthorised software from executing, even if delivered via a legitimate update channel. Keep the number of connected SaaS applications to the minimum necessary.
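Reviewing connected applications becomes manageable when each OAuth grant is scored on what it can do (mail, file or directory write access), how persistent it is (`offline_access` issues refresh tokens, so access outlives the user's session), who approved it, whether the publisher is verified, and whether it is still used at all. The script below is an added example for this article, not Melbits code. The four app records are constructed and hypothetical; the scope strings are Microsoft Graph permission names, and the scoring weights and thresholds are assumptions to tune for your own tenant.

```python
"""Score OAuth consent grants so an app-access review can focus on the risky ones.

Added example for this article, not Melbits code. GRANTS is constructed sample
data (hypothetical apps); the scope names are Microsoft Graph permission names.
Map your tenant's consent-grant export onto the same fields to use it for real.
"""
from datetime import date

# Permissions that let an app read or alter mail, files or the directory at scale.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "Directory.ReadWrite.All",
}

GRANTS = [
    {"app": "Practice Manager Connector", "publisher_verified": True,  "consent": "admin",
     "scopes": {"User.Read", "Files.ReadWrite.All", "offline_access"}, "last_used": date(2024, 4, 29)},
    {"app": "Free PDF Merge Tool",        "publisher_verified": False, "consent": "user",
     "scopes": {"User.Read", "Mail.ReadWrite", "Mail.Send", "offline_access"}, "last_used": date(2024, 1, 2)},
    {"app": "Calendar Sync",              "publisher_verified": True,  "consent": "user",
     "scopes": {"User.Read", "Calendars.Read"}, "last_used": date(2024, 4, 30)},
    {"app": "2022 Client Survey",         "publisher_verified": True,  "consent": "user",
     "scopes": {"User.Read"}, "last_used": date(2022, 11, 5)},
]


def score_grant(grant, today, unused_days=90):
    """Score one grant and list the reasons; weights are assumptions, adjust to taste."""
    score, reasons = 0, []
    risky = sorted(grant["scopes"] & HIGH_RISK_SCOPES)
    for scope in risky:
        score += 3
        reasons.append(f"high-risk scope {scope}")
    if risky and "offline_access" in grant["scopes"]:
        score += 2  # refresh tokens: access persists after the user closes the app
        reasons.append("offline_access with high-risk scopes (persistent access)")
    if not grant["publisher_verified"]:
        score += 2
        reasons.append("publisher not verified")
    if grant["consent"] == "user":
        score += 1
        reasons.append("user consent, never reviewed by an admin")
    idle = (today - grant["last_used"]).days
    if idle > unused_days:
        score += 1
        reasons.append(f"unused for {idle} days: revoke unless still needed")
    rating = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"app": grant["app"], "score": score, "rating": rating, "reasons": reasons}


def review_grants(grants, today):
    """Score every grant and return them riskiest first."""
    return sorted((score_grant(g, today) for g in grants), key=lambda r: -r["score"])


def review_sample():
    """Score the constructed grants as of 1 May 2024."""
    return review_grants(GRANTS, date(2024, 5, 1))


if __name__ == "__main__":
    for result in review_sample():
        print(f"[{result['rating']:6}] {result['score']:2}  {result['app']}")
        for reason in result["reasons"]:
            print("         -", reason)
```

The ordering is the point of the exercise: an unverified, user-consented app holding `Mail.ReadWrite` and `Mail.Send` with a refresh token and no recent use is exactly the grant that lets an attacker read and send mail from a staff mailbox without ever touching the password, and it should be revoked before the review looks at anything else. A verified, admin-consented practice management connector with wide file access scores medium: it is high-privilege by design and needs a documented justification rather than removal.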

Bringing It Together: A Risk-Based Approach

The threats above can feel overwhelming when listed together. The practical approach is to address them in order of impact and likelihood, which is exactly what the ACSC Essential Eight framework does. Rather than trying to achieve perfect security across all threat categories simultaneously, the Essential Eight identifies eight mitigation strategies that address the most common attack vectors and prioritises them by maturity level.

1. Enable MFA on everything

Multi-factor authentication is the highest-impact single control. It blocks the majority of credential theft and phishing-driven account takeovers. Start with Microsoft 365 and any remote access tools, then expand to all cloud services.

2. Patch applications and operating systems regularly

Automate patching for operating systems and common applications. Critical patches should be applied within 48 hours; routine patches within two weeks. This removes the majority of the unpatched vulnerability attack surface.

3. Implement email security controls

Configure DMARC, DKIM, and SPF for your email domain. Enable Microsoft Defender for Office 365 Safe Links and Safe Attachments. These controls address phishing, BEC, and malware-bearing attachment attacks simultaneously.

4. Maintain and test backups

Tested, offline or immutable backups are your recovery option if ransomware succeeds. Backups that are connected to the same network as your systems can be encrypted alongside your primary data — offline or immutable copies (like Azure Backup with soft-delete) are essential.

5. Review and restrict access regularly

Apply least-privilege access controls and run a quarterly review of who has access to what. Ensure departed staff accounts are disabled immediately. Restrict admin rights to dedicated accounts used only for administrative tasks.

Frequently Asked Questions

What is the most common computer security threat for small businesses?

Phishing is the most common entry point. Most data breaches and ransomware attacks begin with a phishing email that tricks a staff member into clicking a link or entering credentials on a fake website. Multi-factor authentication and email security controls significantly reduce this risk.

What is business email compromise (BEC)?

Business email compromise is a form of fraud where an attacker impersonates a trusted party — a supplier, senior staff member, or client — and uses email to request fraudulent payments or sensitive information. It causes more financial damage globally than ransomware and is particularly common in professional services and real estate.

How can I protect my Melbourne business from cybersecurity threats?

The ACSC Essential Eight is the best starting framework for Australian businesses. It covers patching, MFA, application controls, backups, and more. Even reaching Maturity Level 1 dramatically reduces your risk across most common attack types. A managed IT provider with cybersecurity expertise can assess your current posture and prioritise the highest-impact improvements.

What is the difference between a virus and ransomware?

A virus is malicious software that self-replicates and can damage files or systems. Ransomware is a specific type of malware that encrypts your files and demands payment for the decryption key. Modern ransomware often also exfiltrates data before encrypting, creating a double-extortion scenario where the attacker both demands payment to decrypt your files and threatens to publish your data.

Are small businesses really targeted by hackers?

Yes — consistently. The ACSC received over 94,000 cybercrime reports in 2023–24, and SMBs account for a disproportionate share. Attackers target small businesses because they hold valuable data but typically have weaker security controls than larger organisations. Professional services firms — law, accounting, medical — are especially targeted due to the sensitivity of the data they hold.

Next Steps for Melbourne Businesses

If you’re unsure where your business currently sits against the threats described in this guide, a cybersecurity assessment is the fastest way to find out. At Melbits, we work with law firms, accounting practices, medical clinics, and professional services businesses across Melbourne. We understand the specific software, regulatory obligations, and risk profile of your sector.

We offer a free initial consultation that includes a high-level review of your security posture and a prioritised list of the changes that would have the biggest impact. If you want a formal assessment against the ACSC Essential Eight, we can provide a written gap report suitable for insurers, board reporting, and regulatory purposes.