New research from the Council of Small Business Organisations of Australia (COSBOA) has identified ongoing gaps in cyber security practices among small businesses, with hospitality operators among the more exposed groups. The findings add sector-specific evidence that can inform cyber underwriting standards, sector wordings, and broker discussions with small and medium-sized enterprise (SME) clients about the role of cyber cover, basic controls, and incident preparedness in managing risk transfer.
Released on Feb. 23, COSBOA’s 2026 Small Business Cyber Security Pulse Check Report, produced through its Cyber Wardens program, drew on responses from more than 1,570 small-business owners and employees across multiple industries. “Small businesses are becoming more cyber savvy, but there’s still a dangerous gap in basic safety measures that are leaving small businesses exposed,” Skye Cappuccio, incoming CEO of COSBOA, said, as reported by cyberdaily.
The report found uneven levels of cyber maturity between sectors, with the hospitality industry behind on several baseline measures that many cyber insurers now expect of insureds. Among hospitality respondents, 47% reported using unique passwords or phrases, while 37% said they have cloud-based backups in place. About one-third have multifactor authentication enabled to protect email systems, despite the frequency of email-based attacks against small enterprises. “These findings are a wake-up call to act – and underscore that our work in building the cyber resilience of small businesses is far from over. Cyber criminals are becoming more cunning and sophisticated by the day, fuelled by technologies like AI, but too many small businesses remain reactive,” Cappuccio said.
The study identified data breaches, phishing emails, ransomware, and business email compromise (BEC) as the main cyber threats to hospitality businesses. Recent incidents involving NSW-based Seagrass Boutique Hospitality Group and the Oscars Group, which was listed as a victim on the Medusa ransomware group’s darknet leak site, showed how a single compromise can affect multiple venues and their customers. “Our message is simple: don’t be a sitting duck for cybercrime. It takes 10 minutes to start your cyber security journey, but only seconds for a cybercriminal to devastate your business,” Cappuccio said. For insurers and brokers placing hospitality risks, these control gaps are relevant to questions around minimum standards for cover, sub-limits for data and business interruption, and the extent to which training, authentication, and backup practices should influence pricing and terms.
Australian Restaurant and Cafe Association CEO Wes Lambert said the COSBOA results have reinforced concerns about cyber preparedness in the sector. “The latest Cyber Wardens research highlights that hospitality businesses would benefit from additional support to boost their cyber resilience, especially as owners juggle the daily demands of keeping their businesses afloat. They may not realise just how vulnerable they are to cybercrime, but cafes and restaurants hold valuable customer information – from names and email addresses to booking histories. Casual staffing, shared logins, and fast-paced environments all increase the risk of cyberattacks, which is why free programs like Cyber Wardens can make all the difference,” Lambert said.
For brokers, these operational characteristics are often used to initiate conversations about cyber insurance with clients who may still see cover as optional. The reliance on shared logins, third-party booking platforms, and point-of-sale systems can be cited to show how an incident might disrupt trading, trigger notification obligations, and create additional costs that may be addressed in coverage discussions. Insurers may use sector-specific data from COSBOA and other sources to refine underwriting questionnaires, set expectations on controls such as multifactor authentication and backups, and shape risk management guidance for small business policyholders.
National statistics indicate that the issues identified in hospitality form part of a broader pattern of cyber exposure across the Australian economy. In the January-June 2025 reporting period, the Office of the Australian Information Commissioner (OAIC) received 532 data breach notifications, a 10% decline on the previous six months but still close to the highest levels recorded under the Notifiable Data Breaches (NDB) scheme.
Malicious or criminal attacks remained the largest source of breaches, accounting for 59% of notifications, with cyber security incidents the predominant driver. On average, each such incident affected just over 10,000 individuals, indicating the potential scale of a single event in terms of notification, remediation and liability costs. Human error was responsible for 37% of all data breaches (193 notifications), up from 29% in the prior period, suggesting that process, training, and user behaviour remain core components of cyber risk. For cyber, professional indemnity, and management liability insurers, these figures inform assumptions about frequency and severity and contribute to pricing models, retention levels, and aggregate exposure management.
Data from the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) for FY2024-25 shows increased engagement with national support services and evolving threat techniques. The Australian Cyber Security Hotline handled more than 42,500 calls during the year, a 16% increase, and ASD’s ACSC responded to more than 1,200 cyber security incidents, up 11%. The centre also notified entities over 1,700 times of potentially malicious activity, an 83% year-on-year rise. State-sponsored actors continued to target government, critical infrastructure, and business networks, while cybercriminals focused on credential theft, purchasing stolen usernames and passwords on the dark web, and using those credentials to access email, social media, and financial accounts.
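The two findings above fit together: the COSBOA figure that only about a third of hospitality respondents protect email with multifactor authentication, and ASD's observation that criminals buy stolen usernames and passwords and replay them against email accounts. The script below is an added illustration, not code from COSBOA, ASD or any vendor, of what that replay looks like in a sign-in log and why the MFA gap matters. The log format, the IP addresses, the accounts and the thresholds (four distinct accounts failing from one source within five minutes, a 30-minute grace window) are all constructed for the example; a real mail platform's audit log would need its own parser.

```python
"""Flag credential-stuffing bursts and the account takeovers that follow them.

Constructed log format (hypothetical, not any product's real format):
    <ISO-8601 UTC timestamp> <OK|FAIL> user=<address> ip=<source> mfa=<yes|no>
"mfa=yes" on an OK line means a second factor was completed; "mfa=no" on an
OK line means the password alone was enough to get in.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one source IP tries five accounts in a few seconds and
# gets into bob's mailbox, which has no MFA. The later alice entries are a
# legitimate user on another IP who mistypes once and then passes MFA.
SAMPLE_LOG = """\
2026-02-20T08:01:02Z FAIL user=alice@cafe.example ip=203.0.113.5 mfa=no
2026-02-20T08:01:03Z FAIL user=bob@cafe.example ip=203.0.113.5 mfa=no
2026-02-20T08:01:04Z FAIL user=carol@cafe.example ip=203.0.113.5 mfa=no
2026-02-20T08:01:05Z FAIL user=dave@cafe.example ip=203.0.113.5 mfa=no
2026-02-20T08:01:06Z FAIL user=erin@cafe.example ip=203.0.113.5 mfa=no
2026-02-20T08:01:09Z OK user=bob@cafe.example ip=203.0.113.5 mfa=no
2026-02-20T08:05:00Z OK user=alice@cafe.example ip=198.51.100.7 mfa=yes
2026-02-20T09:10:00Z FAIL user=alice@cafe.example ip=198.51.100.7 mfa=no
2026-02-20T09:10:20Z OK user=alice@cafe.example ip=198.51.100.7 mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+) mfa=(?P<mfa>yes|no)$"
)


def parse_log(text):
    """Parse the constructed format into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected shape
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ok": d["result"] == "OK",
            "user": d["user"],
            "ip": d["ip"],
            "mfa": d["mfa"] == "yes",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=4):
    """Return {ip: burst_start} for IPs that failed against >= min_users
    distinct accounts inside one sliding window. One account failing many
    times is a forgotten password; many accounts failing from one source is
    a credential list being replayed."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)
    sources = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if len({f["user"] for f in fails[start:end + 1]}) >= min_users:
                sources[ip] = fails[start]["ts"]
                break
    return sources


def find_takeovers(events, grace=timedelta(minutes=30), **thresholds):
    """Successful logins from a stuffing source shortly after its burst are
    suspected takeovers. A password-only success (mfa=no) is the case the
    COSBOA MFA figure describes, so it is rated higher than one where a
    second factor was still satisfied."""
    sources = find_stuffing_sources(events, **thresholds)
    findings = []
    for e in events:
        if not (e["ok"] and e["ip"] in sources):
            continue
        since_burst = e["ts"] - sources[e["ip"]]
        if timedelta(0) <= since_burst <= grace:
            findings.append({
                "user": e["user"],
                "ip": e["ip"],
                "ts": e["ts"].isoformat(),
                "severity": "medium" if e["mfa"] else "high",
            })
    return findings


if __name__ == "__main__":
    for finding in find_takeovers(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample, the script reports a single high-severity finding for bob@cafe.example: the same source that failed against five accounts in four seconds succeeded against one of them with a password alone. Alice's failed-then-successful sign-in is not reported, because a single account failing from an IP is not a spray and her success required MFA. The same two-stage logic (burst detection per source, then any success from that source) carries over to any platform whose audit log records result, account, source and whether a second factor was used.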
Average self-reported cybercrime losses for businesses rose to $80,850 per report, with small businesses reporting average losses of $56,600, medium businesses $97,200, and large businesses $202,700. Denial of service and distributed denial of service activity also increased, with ASD responding to more than 200 such incidents, up more than 280% on the previous year. ASD reported that attackers are exploiting vulnerabilities in internet-facing edge devices and adopting “living off the land” techniques, using legitimate tools and processes to avoid detection. Wider availability of artificial intelligence tools is assessed to enable malicious actors to scale and accelerate operations. Critical infrastructure remained a focus, with ASD’s ACSC notifying critical infrastructure entities of potential malicious activity more than 190 times in the latest reporting period, up 111% year on year.