IT Problems Are Usually Business Problems
Technology is now part of almost every small and medium business in Australia. It is used for email, accounting, payroll, banking, customer records, online sales, bookings, quoting, rostering, stock control, websites, phones, remote work, and day-to-day communication.
For many businesses, IT is no longer just “computer support”. It is part of how the business makes money, serves customers, pays staff, collects cash, and keeps operating.
The problem is that many businesses still treat IT as something to fix only when it breaks. This creates a gap between how much the business depends on technology and how well that technology is managed.
When IT is not managed properly, the damage is not just technical. It can affect profit, cash flow, staff productivity, customer trust, legal risk, insurance, and the value of the business.
In Australia, these risks are becoming more serious. Cybercrime is increasing, privacy expectations are higher, and customers are becoming less forgiving when businesses lose data or cannot operate.
The Australian Signals Directorate’s Annual Cyber Threat Report 2024–25 found that the average self-reported financial cost per cybercrime report was approximately $56,600 for small businesses and approximately $97,200 for medium businesses during the 2024–25 financial year.
For many small and medium businesses, one cyber incident at that scale is not a small inconvenience. It can wipe out monthly profit, delay payroll, stop supplier payments, damage customer trust, or put the business under serious pressure.
Reference: ASD Annual Cyber Threat Report 2024–25
IT Problems Are Usually Business Problems
Many business owners think of IT problems as technical issues. A laptop breaks. Email stops working. The internet goes down. A software system is slow. Someone clicks a suspicious link.
But most serious IT problems start earlier than that.
They often come from business decisions such as:
Delaying upgrades for too long
Not knowing who is responsible for IT decisions
Using too many disconnected systems
Relying on one person who “knows how everything works”
Assuming backups are working without testing them
Allowing staff to use weak passwords or shared logins
Trusting suppliers without checking their security
Keeping customer data without knowing where it is stored
The technology may fail on the day, but the business risk usually builds up over months or years.
A small business might add systems one at a time: accounting software, a booking tool, a website, email, a CRM, cloud storage, payroll, job management software, and a few shared spreadsheets. Each tool may seem reasonable on its own. Over time, the business ends up with a messy technology environment that nobody fully understands.
That is when problems become expensive.
Pitfall 1: No Clear Technology Plan
Many small and medium businesses do not have an IT plan. They have devices, subscriptions, software, support providers, and problems.
Technology decisions are often made only when something goes wrong. A system breaks, so it gets replaced. A staff member complains, so a new tool is bought. A supplier recommends software, so the business signs up. A customer asks a security question, so the business rushes to respond.
This reactive approach creates waste.
The business may pay for software it barely uses. Different teams may use different systems for the same task. Staff may re-enter the same information into several places. Reports may be slow or unreliable. Owners may not know which systems are critical until one of them fails.
The result is higher cost without better control.
A simple IT plan does not need to be complicated. It should answer basic questions:
Which systems are most important to the business?
What data do we need to protect?
What systems are old, risky, or unsupported?
What should we standardise?
What should we stop using?
Who is responsible for IT decisions?
What would stop us trading if it failed?
Without this plan, IT spending can become a series of disconnected purchases rather than a useful business investment.
Pitfall 2: Downtime That Stops the Business
When technology stops, the business can stop with it.
Common examples include:
The point-of-sale system goes down during trading hours
Email stops working and quotes cannot be sent
Internet fails and cloud software cannot be accessed
Accounting software is unavailable during payroll or BAS preparation
Staff cannot access files needed for jobs or projects
A booking system fails and customers cannot make appointments
A website or online store stops taking orders
A failed software update breaks a key process
The cost of downtime is often bigger than the repair bill.
Staff are still being paid while they cannot work properly. Sales may be lost. Jobs may be delayed. Customers may go elsewhere. Managers lose time trying to fix the problem. Emergency support usually costs more than planned maintenance.
The smaller the business, the less room there often is to absorb these losses.
Reference: Small Business Cyber Security Guide — Cyber.gov.au
Pitfall 3: Hidden Costs From Manual Workarounds
Not every IT problem is dramatic. Some of the most expensive problems are quiet and slow.
A common example is manual work. Staff export information from one system, copy it into Excel, email it to someone else, and then enter it into another system. Customer details are stored in several places. Reports take hours to prepare. Nobody is sure which spreadsheet is the latest version.
These workarounds can feel cheap because the business avoids buying or improving software. But they still cost money.
They can lead to:
Wasted staff time
Data entry mistakes
Late invoices
Missed follow-ups
Incorrect stock or job information
Customer disputes
Slow reporting
Poor decisions based on old or incomplete information
A spreadsheet is not the problem by itself. The problem is when a spreadsheet becomes a critical business system with no owner, no backup, no access control, and no clear process.
This affects profit because labour is wasted, invoices are delayed, mistakes increase, and managers cannot clearly see what is happening in the business.
Pitfall 4: Thinking “We Are Too Small to Be Targeted”
Many small businesses believe cybercriminals only target large companies. This is not true.
Cybercriminals often use automated tools. They look for weak passwords, exposed systems, old software, and staff who can be tricked by fake emails or text messages. They do not need to know your business personally to attack it.
The Australian Signals Directorate has reported that common cybercrime threats for businesses include email compromise, business email compromise fraud, and identity fraud. These are especially relevant to small and medium businesses because they often target payment processes and staff trust.
A common example is invoice fraud. A criminal sends an email pretending to be a supplier and asks the business to update bank details. The next payment goes to the criminal instead of the real supplier. The business may still have to pay the real supplier later, meaning it pays twice.
Another example is a compromised email account. If a criminal gains access to a staff email account, they may read invoices, reset passwords, access files, impersonate staff, and send convincing messages to customers or suppliers.
For a small business, this can quickly become a cash-flow problem.
Reference: ASD Annual Cyber Threat Report 2024–25
Pitfall 5: Not Knowing What Customer Data You Hold
Many businesses collect more personal information than they realise.
This may include:
Customer names, addresses, phone numbers, and emails
Dates of birth
Identity documents
Payment details
Health information
Employee records
Payroll and tax information
Supplier bank details
Login details
CCTV footage
Job notes, quotes, invoices, and contracts
The risk is not only that data could be stolen. The risk is that the business may not know where the data is, who can access it, how long it has been kept, or what to do if it is exposed.
Under the Privacy Act 1988, many businesses with annual turnover above $3 million must comply with the Australian Privacy Principles. Some smaller businesses must also comply, depending on what they do. This can include health service providers, some credit-related businesses, tax file number handlers, businesses that trade in personal information, and some contractors to the Australian Government.
Reference: Small Business — Office of the Australian Information Commissioner
Where the Notifiable Data Breaches scheme applies, a business may need to notify affected people and the OAIC if a data breach is likely to cause serious harm.
Reference: Notifiable Data Breaches Scheme — OAIC
For a small or medium business, the biggest cost may not be a fine. It may be the cost of investigating the breach, getting legal advice, notifying customers, dealing with complaints, losing trust, and trying to win back work.
The OAIC also notes that serious or repeated privacy breaches can attract large civil penalties.
Reference: OAIC Guide to Privacy Regulatory Action — Civil Penalties
Pitfall 6: Assuming Privacy Does Not Matter Because the Business Is Small
Some small businesses are not covered by the Privacy Act because of their size or type of work. But that does not mean privacy can be ignored.
Privacy and data security may still matter because of:
Customer expectations
Supplier contracts
Government tender requirements
Cyber insurance questions
Industry rules
Payment card requirements
Employment records
Confidentiality obligations
Reputational damage if data is lost
A business may also grow, move into a regulated industry, start handling more sensitive data, or become a supplier to larger organisations that expect stronger security.
In practice, good data handling is becoming a normal business requirement, even for smaller organisations.
Pitfall 7: Outsourcing IT and Then Forgetting About It
Many small and medium businesses outsource IT support. This can be a good decision. Most smaller businesses do not need a full internal IT team.
But outsourcing IT work is not the same as outsourcing accountability.
An IT provider may be responsible for agreed services such as support, monitoring, backups, security tools, or system maintenance. But the business normally remains accountable for the consequences if things go wrong. Customers will call the business, not the IT provider. Suppliers will chase the business for unpaid invoices. Staff will expect the business to fix payroll. Regulators will look at the organisation that collected and controlled the data. Insurers will ask whether the business had reasonable controls in place.
In other words, outsourcing may transfer tasks, but it usually does not transfer business risk.
The business still owns the customer relationship, the data it collects, the decisions about acceptable risk, and the financial impact of downtime, fraud, privacy breaches, or lost information.
Common outsourcing mistakes include:
No clear agreement about what the IT provider is responsible for
No regular reporting
No proof that backups are tested
No list of business systems and devices
No process for removing access when staff leave
No review of administrator accounts
No clear plan for a cyber incident
No understanding of where business data is stored
No plan to move away from the provider if needed
The lesson is simple: outsource technical work if that makes sense, but do not outsource business responsibility.
The RI Advice case is a useful warning for regulated businesses. ASIC’s message was that cyber risk needs to be actively managed, improved over time, and included in incident response and business continuity planning.
Reference: ASIC — What a Federal Court ruling on cybersecurity means for AFS licensees
Pitfall 8: Keeping Old Technology for Too Long
Old technology often stays in a business because replacing it feels expensive and disruptive.
A business may keep using old servers, old accounting systems, unsupported software, old routers, or custom databases built years ago. The usual reason is simple: “It still works.”
But old technology often creates hidden risk.
It can mean:
Security updates are no longer available
Support is harder to find
Recovery after failure takes longer
New software will not connect properly
Insurance may become harder to obtain
Staff lose time using slow systems
Data is difficult to extract when the business upgrades or is sold
Old systems can become a debt the business eventually has to pay, often during a crisis.
Reference: ASD Annual Cyber Threat Report 2024–25
Pitfall 9: Backups That Do Not Restore
Many businesses believe they have backups. Fewer know whether those backups will actually restore the business quickly.
Common backup problems include:
Backups are stored where ransomware can also damage them
Cloud software is assumed to be backed up by the provider
Some systems are backed up, but others are not
Backups are never tested
Backup failure alerts are ignored
Nobody knows which systems must be restored first
Nobody knows how long the business can operate without key systems
A backup is only useful if it can be restored in time to protect the business.
The real question is not “Do we have backups?”
The real question is: “How quickly could we keep trading if our main system failed tomorrow?”
Pitfall 10: Weak Passwords and Poor Access Control
Many IT incidents start with access.
If a criminal gets into one account, they may be able to read emails, access files, reset passwords, send fake invoices, view customer information, or impersonate staff.
Common access control problems include:
Shared logins
Weak passwords
No multi-factor authentication
Too many administrator accounts
Former staff still having access
Contractors with long-term access they no longer need
Staff using personal email for business files
Business passwords saved on personal devices
Multi-factor authentication, password managers, proper staff offboarding, and limiting administrator access are practical controls that protect cash flow, customer data, and business reputation.
Pitfall 11: Owners Cannot See the Risk
Business owners usually see sales reports, profit and loss reports, bank balances, and debtor reports. They often do not see simple IT risk reports.
That means owners may not know:
Which systems are unsupported
Whether backups have been tested
Whether multi-factor authentication is turned on
Who has administrator access
Whether former staff still have logins
Whether software is patched
Whether cyber insurance requirements are being met
Which suppliers can access business data
Whether incidents are becoming more common
ASIC’s Cyber Pulse Survey 2023 found that many surveyed organisations were reactive rather than proactive in how they managed cyber risk. This is a familiar pattern in smaller businesses: IT gets attention only after something goes wrong.
Reference: ASIC REP 776 — Spotlight on cyber: Findings and insights from the cyber pulse survey 2023
Good reporting does not need to be complex. Owners need a simple view of the risks that could stop the business, cost money, or expose customer data.
Real Examples of Serious Business Impact
Some of the most public Australian examples involve larger organisations, but the lessons apply to smaller businesses as well. In fact, a small business often has less cash, fewer staff, and less time to recover.
Solar Central: Cyberattack Followed by Liquidation
Solar Central Pty Ltd was a family-owned solar installation and retail business in Victoria. Public ASIC insolvency notices show the company entered restructuring in May 2025 and was later placed into liquidation in August 2025. Media reporting linked the collapse to a cyberattack involving identity takeover, stolen funds, fraudulent accounts, and major financial damage to the owners.
The lesson for small businesses is direct: cybercrime can become a cash-flow crisis. If funds are stolen, accounts are taken over, suppliers are not paid, or creditors lose confidence, the business may not have enough time or money to recover.
Useful references:
Solar Central Pty Ltd — ASIC insolvency notice, restructuring practitioner appointed
Solar Central Pty Ltd — ASIC insolvency notice, liquidator appointed
MediSecure: Major Data Breach and Administration
MediSecure, an Australian electronic prescription provider, suffered a major cyber incident in 2024. The Australian Government reported that approximately 12.9 million individuals may have had personal and health information relating to prescriptions exposed. The National Office of Cyber Security reported that approximately 6.5 terabytes of data was reportedly taken.
The OAIC later noted that MediSecure entered administration on 3 June 2024.
This shows how serious a data incident can become when sensitive information is involved. The costs can include investigation, legal advice, customer notification, regulator attention, public communication, loss of trust, and business disruption.
Useful references:
MediSecure Cyber Security Incident — Department of Home Affairs
MediSecure Cyber Security Incident External Evaluation Report — National Office of Cyber Security
FIIG Securities: $2.5 Million Penalty
In February 2026, ASIC announced that the Federal Court ordered FIIG Securities to pay $2.5 million in penalties over cyber security failures. ASIC said the case involved failures to protect thousands of clients from cyber security threats for more than four years.
FIIG is not a typical small business, but the lesson matters for professional services, financial services, and other businesses that hold valuable client data. Cyber security can become a legal, regulatory, and reputation issue, not just an IT issue.
RI Advice: Cyber Risk as a Governance Issue
ASIC reported that the Federal Court found RI Advice failed to adequately manage cyber security risks after a number of cyber incidents occurred at its authorised representatives between June 2014 and May 2020.
The important lesson is that cyber security is not just the IT provider’s problem. In regulated businesses, owners, directors, and managers may be expected to understand and manage cyber risk as part of business governance.
Medibank and Optus: Privacy Risk at Large Scale
Medibank and Optus are large organisations, but they show how data breaches can become major legal and reputation events.
The OAIC filed civil penalty proceedings against Medibank in relation to its October 2022 data breach. The OAIC also filed proceedings against Optus in relation to the 2022 cyberattack that exposed personal information of millions of Australians.
For small and medium businesses, the lesson is simple: personal information has real value and real risk. If a business holds customer, employee, health, identity, or financial information, it needs sensible controls over who can access it, where it is stored, how long it is kept, and what happens if it is exposed.
HWL Ebsworth: Supplier and Professional Services Risk
HWL Ebsworth, a large Australian law firm, experienced a cyber incident in 2023. The National Office of Cyber Security reported that approximately four terabytes of data, or about 2.2 million files, were reportedly taken.
This example matters because many small businesses hold information that belongs to someone else: customers, suppliers, government clients, employees, subcontractors, or larger companies.
A breach may damage not only the business itself, but also its customers and partners. Larger clients may then ask tougher questions before awarding work or renewing contracts.
How Small and Medium Businesses Usually Respond
Small and medium businesses often deal with IT risk in one of four ways.
1. They Ignore It Until Something Breaks
This is common, but expensive. The business avoids upfront cost, then pays later through downtime, emergency repairs, lost productivity, rushed replacements, and higher cyber risk.
2. They Outsource Everything and Stop Paying Attention
Outsourcing can work well, but it does not remove accountability from the business. Owners and managers still need to understand what is being protected, what is not, what has been tested, who has access, and what would happen in an incident. An IT provider can help manage risk, but the business still carries the commercial, legal, customer, and operational consequences if the controls are weak.
3. They Buy Tools Without Fixing the Process
New software can help, but it does not fix unclear roles, poor data, bad habits, or weak training. A new tool added to a messy process can make the mess bigger.
4. They Build Simple Discipline
The better approach is usually simple. The business identifies critical systems, protects key data, assigns responsibility, tests backups, trains staff, checks supplier access, and reviews IT risk regularly.
This does not require enterprise complexity. It requires consistency.
What Good Looks Like
A practical IT setup for a small or medium business should include:
A list of important systems, devices, data, and suppliers
Someone in management responsible for IT decisions
Multi-factor authentication on email, finance, remote access, and cloud systems
Tested backups and a clear recovery plan
A process for adding and removing staff access
Regular software updates
Basic cyber security training for staff
A process to verify changes to supplier bank details
A simple incident response plan
Clear rules for keeping and deleting customer data
Regular checks of suppliers and cloud systems
Simple reporting to owners or senior management
A technology plan linked to business goals
For cyber security, the ASD Essential Eight is a useful Australian reference. Not every small business will implement it in the same way as a large organisation, but the basic ideas are practical: patch systems, use multi-factor authentication, limit administrator access, control risky applications, and keep reliable backups.
Reference: Essential Eight — Cyber.gov.au
Why Better IT Management Helps Profit
Good IT management is not just about avoiding disasters. It helps the business perform better.
It can reduce costs by cutting duplicate software, unused licences, emergency support, manual work, and avoidable downtime.
It can protect revenue by keeping websites, phones, email, booking systems, payment systems, and customer service tools working.
It can improve cash flow by reducing invoice mistakes, stopping payment fraud, and helping invoices go out on time.
It can improve staff productivity by reducing double handling, slow systems, and repeated errors.
It can support growth by making systems easier to scale and making data more reliable.
It can protect business value by making sure systems, data, access, licences, and supplier arrangements are documented and transferable if the business is sold or handed over.
In simple terms, good IT management helps the business save money, protect cash, reduce risk, and operate with less disruption.
Conclusion
The biggest IT pitfall for Australian small and medium businesses is not lack of technology. Most businesses already have plenty of technology.
The real problem is lack of discipline.
Many businesses have cloud software, email, websites, accounting systems, payment tools, customer databases, shared files, and cyber security products. What they often lack is a clear way to manage, protect, maintain, and review those systems.
That creates business risk. Costs rise without visibility. Staff lose time on manual work. Data is stored without control. Cyber risk increases. Suppliers become hidden dependencies. Backups are assumed rather than tested. Privacy obligations are misunderstood. Owners only see IT when something breaks.
Small and medium businesses do not need complex enterprise IT departments. But they do need to treat technology as a business-critical function.
The businesses that manage IT well will not necessarily be the ones with the most software. They will be the ones that know what they depend on, protect the information that matters, recover quickly when something goes wrong, manage their suppliers, and make technology decisions that support the business.
