Make 2025 the year to review, revamp, and reinforce data management practices
As cyber risks rise, SMEs should reassess and strengthen their data management and security practices in 2025.
The past year has highlighted the increasing importance of cybersecurity for Australian businesses, with key milestones and changes announced, such as Privacy Act Tranche 1, the SOCI Act, and the Cyber Security Act. For many small and medium-sized enterprises (SMEs), the growing risk in the digital landscape demands a proactive approach from everyone. The Office of the Australian Information Commissioner (OAIC) reported a 9% increase in data breaches during the first half of 2024 compared to the previous six months. Similarly, the Australian Cyber Security Centre (ACSC) noted an 8% rise in the average cost of cybercrime for small Australian businesses during the same period.
The information and data collected and managed – whether personal, health, or financial information – can hold significant value for malicious operators. Yet, many SMEs have not begun addressing these risks and often lack clear visibility into their data risk landscape. For some, understanding what data they have, where it’s stored, and how it is protected is still a work in progress.
2025: An opportunity for a fresh start
2025 offers an opportunity to reassess and improve your data management and security practices. As the cyber threat landscape becomes increasingly sophisticated, attackers are using advanced tools and tactics to exploit vulnerabilities. To navigate these challenges effectively, SMEs must treat data protection as an ongoing priority. Building robust and resilient data protection isn’t a one-off task, nor is it the responsibility of just one person or team. Data flows through every corner of a business – from finance and operations to marketing and customer service – making it a shared responsibility. Safeguarding it requires a coordinated effort from every individual in the business.
What’s next?
SMEs can turn the tide by adopting a three-stage approach: review, revamp, and reinforce. Here are some steps SMEs and individuals can take to improve their data management and security practices for the information they collect.
1. Review: understand the data landscape
Larger businesses:
- Review and identify what data is collected, stored, and managed across your organisation and gather as much context as possible about it. The more information you have, the better equipped you'll be to make decisions to protect it.
- Map where your data is stored, whether on-premises, in the cloud, or with third-party vendors. This clarity reduces the risk of overlooked vulnerabilities.
- Review your current data security policies and procedures to identify any gaps in protecting your data. Assess existing tools and measures, such as access controls and encryption, and determine their effectiveness.
- Identify any changes to the regulatory requirements that may apply to your data, such as the Privacy Act 1988, and ensure compliance with these regulations.
Sole practitioners:
- Review your organisation's data security policies and familiarise yourself with their requirements. Be aware of your role and understand your responsibilities in safeguarding your organisation's data.
- Review the types of data you work with and ensure critical and sensitive data are handled securely.
2. Revamp: strengthen your data management strategies
Larger businesses:
- Where possible, consolidate your data in a centralised system. Dispersing data across multiple systems and applications increases the attack surface, making it easier for attackers to exploit vulnerabilities and more resource-intensive to protect.
- Regularly back up your data and ensure that backups are stored securely and are accessible for recovery in case of a breach or system failure.
- Implement secure configuration and access controls across all systems where data is stored. This includes setting up role-based access, ensuring least-privilege access, and enforcing multi-factor authentication where possible.
- Update systems and applications holding your data with the latest security patches.
Sole practitioners:
- Protect data by practising good cyber security hygiene. This includes using strong passwords or passphrases, enabling multi-factor authentication, and ensuring all devices used for work are updated with the latest security patches.
- Be vigilant when sharing or transferring data. Double-check what information you’re sharing and ensure it’s only accessible to those who need it. Avoid sharing more data than is necessary, and use secure channels, such as encrypted email or secure file-sharing platforms, to transfer sensitive information.
3. Reinforce: foster a culture of strong data security
Larger businesses:
- Foster a security-first culture by conducting regular training and awareness programs to educate employees on the importance of cyber security and their role in protecting organisational data. Monitor the effectiveness of such programs and make necessary adjustments.
- Maintain a clear, actionable, and tested incident response procedure and ensure that all employees are aware of the steps to be taken in the event of a data breach.
Sole practitioners:
- Be vigilant and exercise caution with unsolicited communications. Be aware of phishing emails, suspicious links, or other social engineering tactics that attackers may use to compromise data. Always verify the authenticity of requests before sharing organisational data.
- Take ownership of your role in protecting data by adhering to the organisation's policies, reporting any suspicious activity, and staying informed on the latest cybersecurity threats and best practices.
As you start 2025, assess your data landscape, refine your data management strategies, and strengthen a security-first culture. These steps will help you navigate cyber threats and build resilient data security for the future.
Brenton Steenkamp is the lead partner heading up Clayton Utz's cyber security practice.
Andreas Ostenfeldt is a highly experienced cybersecurity expert, specialising in cyber crisis management and incident response.