What we found, in one screen
- Zero of 144 businesses scored an A. Only 4% scored a B. Most landed at C or D.
- 70% rated CRITICAL risk by the scanner's weighted scoring model.
- 71% had no HTTP security headers at all. Six fundamental protections, completely absent.
- 44% had no DMARC record at all, and only 20% enforce one. Anyone can spoof the domain of the other 80% in an email right now.
- Six businesses had Windows file sharing (SMB) exposed directly to the internet — the same configuration that enabled WannaCry.
- Seven businesses had active credential exposure — employee logins for sale on dark web marketplaces. One of those was a childcare centre.
Why I did this
Australian small and medium businesses are a primary target for cybercriminals, and have been for years. The Australian Federal Police logged $152.6 million in business email compromise losses in 2024 alone — a 66% jump on the prior year. The ACSC's threat reports describe attacker access times measured in hours, not days. Ransomware groups specifically pursue mid-market organisations because they are large enough to pay but small enough to lack mature defences.
Most public reporting on this lands on enterprise breaches — Medibank, Optus, Latitude, Toll. Those make the news because they affect millions of people at once. The day-to-day reality is different: it is law firms in Wagga, dental practices in Bundaberg, builders in Toowoomba, accounting firms in Bendigo. Quiet, repetitive losses that rarely make the news but devastate the businesses involved.
This study is an attempt to put numbers on that. I scanned 144 real Australian SMBs across seven sectors using only externally-visible signals — the same view an attacker has before they make any decision about whether to target a particular business.
Methodology
The scan set comprised 151 Australian business domains selected from public directories and Yellow Pages-style listings, weighted toward regional centres (Bundaberg, Ballarat, Toowoomba, Albury–Wodonga, Wagga Wagga, Bendigo, Geraldton, Mackay, Townsville, Newcastle, Geelong, and others). Seven domains failed to resolve in DNS — likely defunct, renamed, or transferred — leaving an effective sample of 144 live businesses.
The seven sectors were:
- Legal: 20 firms (solicitors, conveyancing, family law)
- Medical: 20 practices (GPs, dentists, physiotherapy)
- Construction & Trades: 20 (builders, electricians, plumbers, roofers)
- Accounting & Financial Services: 20
- Real Estate: 20 (independent agencies only — no national franchises)
- Manufacturing & Industrial: 20 (fabrication, engineering, food production)
- Professional Services: 30 (recruitment, marketing, architecture, surveying, veterinary, childcare)
All scans were conducted using Mockingjay Scanner v2, which runs 12 non-intrusive external checks: SPF, DMARC, DKIM, MTA-STS, TLS-RPT, SSL/TLS certificate, CAA, HTTP security headers, technology fingerprinting with NVD CVE matching, breach exposure via Hudson Rock infostealer intelligence and the XposedOrNot breach database, an 11-port TCP connect scan, and a mapping to ISM and Essential Eight controls.
No credentials were used. No systems were modified. No vulnerabilities were exploited. The scan is equivalent to what any threat actor can perform without insider access. Affected businesses are not named in this report. Critical findings will be communicated privately and individually through responsible disclosure.
The big picture
Of the 144 businesses scanned, none scored an A, six (4%) scored a B, the majority landed at C or D, and 23 (16%) scored F (the per-sector breakdown is in the table further down).
By risk level, 70% of the sample rated CRITICAL, 27% HIGH, and 3% MEDIUM. Not a single business in the sample rated LOW risk on external posture alone.
The picture this paints is not one of a handful of outliers dragging down the average. The middle of the distribution is the problem. Roughly half of all the businesses scanned are quietly running with the same handful of fundamental gaps.
Email security: a tale of two halves
Email authentication is the strongest predictor of whether a domain can be impersonated in invoice fraud and phishing campaigns. There are three controls that matter — SPF, DKIM, and DMARC — and they need to work together.
SPF is the bright spot — 85% of businesses have it. DKIM coverage is reasonable at 61%. DMARC is where it falls apart.
Only 20% of businesses have DMARC set to act (p=quarantine or p=reject) when a receiver sees a spoofed message. Another 36% publish DMARC in monitor-only mode (p=none): the domain still gets spoofed, the mail still gets delivered, and the record only collects reports about it. The remaining 44% have no DMARC record at all. One caveat on scope: enforcing DMARC stops exact-domain spoofing. It does nothing against a lookalike domain or against mail sent from a mailbox the attacker has actually taken over, which is why MFA on mailboxes matters alongside it.
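The three-way split above (enforcing, monitor-only, absent) is a judgement about DMARC tag values, and the edge cases matter: a p=quarantine record with pct=10 or sp=none still lets spoofed mail through most of the time. The following is an added example, not Mockingjay Scanner's code, showing how to classify SPF and DMARC records into those postures. The records and domain names are constructed for illustration; in a real check they come from TXT lookups of the domain (SPF) and _dmarc.<domain> (DMARC).

```python
"""Classify email-authentication posture from SPF and DMARC TXT records.

Added example for this report, not Mockingjay Scanner's code. The records are
constructed for illustration; in a real check they come from TXT lookups of
<domain> (SPF) and _dmarc.<domain> (DMARC).
"""
import re

# Constructed sample records for hypothetical domains (not from the study).
SAMPLE_RECORDS = {
    "enforced.example": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    },
    "monitor.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    },
    "partial.example": {
        "spf": "v=spf1 ip4:203.0.113.10 -all",
        "dmarc": "v=DMARC1; p=quarantine; pct=10; sp=none",
    },
    "nodmarc.example": {"spf": "v=spf1 a mx +all", "dmarc": None},
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC record into its tags; None if it is missing or not DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def dmarc_posture(record):
    """Return 'absent', 'monitor', 'partial' or 'enforced'.

    'partial' covers records that enforce only for a sample of mail (pct<100)
    or leave subdomains unprotected (sp=none); both still let a spoofed
    message through some of the time.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "absent"
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()
    if policy not in VALID_POLICIES or sub_policy not in VALID_POLICIES:
        # RFC 7489 s6.6.3: an invalid p/sp is treated as p=none if a report
        # address is present, otherwise the record is ignored entirely.
        return "monitor" if "rua" in tags else "absent"
    if policy == "none":
        return "monitor"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100 or sub_policy == "none":
        return "partial"
    return "enforced"


def _is_lookup_term(term):
    """True for SPF terms that cost a DNS lookup (RFC 7208 s4.6.4)."""
    name = re.split(r"[:/=]", term.lower().lstrip("+-~?"), 1)[0]
    return name in ("a", "mx", "ptr", "include", "exists", "redirect")


def spf_issues(record):
    """List of weaknesses in an SPF record; an empty list means none were found.

    Only the top-level record is examined: include: targets are counted but
    not fetched, so the lookup total is a lower bound.
    """
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    issues = []
    terms = record.split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        issues.append("+all: any sender passes SPF")
    elif last == "?all":
        issues.append("?all: neutral result, provides no protection")
    elif last == "~all":
        issues.append("~all: softfail only; relies on DMARC to act")
    elif last != "-all":
        issues.append("no terminal 'all' mechanism")
    lookups = sum(1 for t in terms if _is_lookup_term(t))
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return issues


def assess(domain, records):
    """Combine both checks into one posture summary for a domain."""
    return {
        "domain": domain,
        "spf_issues": spf_issues(records.get("spf")),
        "dmarc": dmarc_posture(records.get("dmarc")),
    }


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        print(assess(name, recs))
```

The "partial" bucket is the one a percentage summary hides: a domain counted as enforcing because it publishes p=quarantine may still be applying that policy to a tenth of its mail, and a ~all SPF record on its own produces a softfail that most receivers deliver anyway unless DMARC tells them otherwise.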
The reason this matters is concrete and current.
Mobius Group v Inoteq (Western Australia, December 2024)
A scammer compromised an email exchange between WA electrical contractor Mobius Group and its client Inoteq, sending a spoofed message advising of "new bank account details." Inoteq paid a $235,400 invoice to the criminal account. In December 2024, the WA District Court ordered Inoteq to pay Mobius the outstanding $191,859.16 anyway. The victim effectively paid the invoice twice.
The court flagged that the absence of reasonable email security controls — the kind that enforcing DMARC provides — is increasingly relevant to liability when scams of this type succeed.
This is not a hypothetical attack. AFP reports that BEC losses to Australian businesses hit $152.6 million in 2024, with construction being the worst-affected sector, payment redirection being the most-reported scam by Australian small businesses, and a 66% year-on-year increase. Every business in the sample with no enforcing DMARC is contributing to that statistic — its domain can be spoofed today, by anyone, with no technical barrier.
The newer controls, MTA-STS and TLS-RPT for mail transport and CAA for certificate issuance, were essentially absent from the sample: 99% had no MTA-STS, 98% had no TLS-RPT, and 96% had no CAA record. None of these is the highest-impact gap on its own, but their absence at near-universal rates is a useful proxy for security maturity: it suggests nobody has reviewed these businesses' externally-facing configuration in years.
Web security: the headers nobody set
HTTP security headers protect a website's visitors from a category of attacks that play out in the user's browser rather than on the website's own server. Cross-site scripting, clickjacking, content injection and MIME-type confusion are all mitigated by a handful of HTTP response headers that take minutes to configure. They are defence in depth: the application still has to encode its output and validate its input, but the headers limit what an attacker can do when those controls slip.
The six headers we checked are HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. Almost three-quarters of the sample had none of them. Only four businesses out of 144 had all six.
Why this matters becomes clearer with one of the most studied attacks of the last decade.
British Airways breach (2018) — Magecart
Attackers modified a JavaScript library that BA hosted itself (Modernizr), adding 22 lines of skimming code to the payment flow. For 15 days the script silently copied card details as customers paid and posted them to an attacker-controlled domain, covering around 380,000 transactions. Because the malicious code lived inside a script BA's own server served, a Content-Security-Policy header would not have stopped it executing. What a strict CSP (connect-src and form-action limited to BA's own origins) would have done is block the exfiltration to the attacker's domain, and Subresource Integrity on the library would have caught the tampering. CSP is one of the six headers checked for in this study.
The UK Information Commissioner's Office initially proposed a £183.39 million fine. The final penalty was £20 million. Ticketmaster UK and Newegg were skimmed in the same period. In each case a strict CSP would have cut off the exfiltration channel, although CSP is a mitigation rather than a cure: once an attacker can modify the scripts a site serves, the site is already compromised.
An Australian SMB is not BA. But the attack class (third-party JavaScript injection, formjacking, clickjacking) applies to any website that takes a form submission, processes a payment, or simply embeds external scripts. With no Content-Security-Policy, the site has no allowlist of where its scripts may load from or where page content may send data. With no X-Frame-Options (or CSP frame-ancestors), the site can be embedded invisibly in a hostile page and its users tricked into clicking buttons they cannot see. These attacks happen daily and the fix is six lines of web server configuration.
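Presence of the six headers is only half the check; a header that is present but toothless (an HSTS max-age of a few minutes, a CSP that allows 'unsafe-inline' from anywhere, an X-Frame-Options value browsers ignore) scores the same as a missing one in practice. The following is an added example, not the scanner's code, that audits a response for both missing and weak headers. The three sample responses are constructed, the thresholds and unsafe-token list are my own choices, and fetch_headers() is the only part that touches the network.

```python
"""Audit the six HTTP response headers the study checks.

Added example, not the scanner's code. The sample responses are constructed;
fetch_headers() is included for running against a real site and is the only
part that touches the network.
"""
import re
import urllib.error
import urllib.request

REQUIRED = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
)

# Threshold choices are my own: 180 days is a common minimum for HSTS, and
# any of these tokens in the script source list neutralises CSP as an XSS control.
HSTS_MIN_AGE = 180 * 24 * 3600
CSP_UNSAFE_SCRIPT_TOKENS = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:")


def _parse_csp(value):
    """'default-src a b; script-src c' -> {'default-src': ['a', 'b'], 'script-src': ['c']}."""
    out = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return out


def audit_headers(headers):
    """Return {'missing': [...], 'weak': [...]} for a response header mapping.

    'missing' lists required headers that are absent; 'weak' lists headers
    that are present but configured so they give little protection.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    missing = [name for name in REQUIRED if name not in h]
    weak = []

    if "strict-transport-security" in h:
        m = re.search(r"max-age=(\d+)", h["strict-transport-security"], re.I)
        age = int(m.group(1)) if m else 0
        if age < HSTS_MIN_AGE:
            weak.append(f"HSTS max-age={age} is below {HSTS_MIN_AGE} seconds")

    if "content-security-policy" in h:
        csp = _parse_csp(h["content-security-policy"])
        script_sources = csp.get("script-src", csp.get("default-src"))
        if script_sources is None:
            weak.append("CSP sets neither script-src nor default-src, so scripts are unrestricted")
        else:
            for token in CSP_UNSAFE_SCRIPT_TOKENS:
                if token in script_sources:
                    weak.append(f"CSP allows scripts from {token}")

    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        weak.append("X-Content-Type-Options must be 'nosniff'")

    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        weak.append("X-Frame-Options must be DENY or SAMEORIGIN (other values are ignored by modern browsers)")

    if h.get("referrer-policy", "").lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        weak.append("Referrer-Policy leaks full URLs cross-origin")

    return {"missing": missing, "weak": weak}


def fetch_headers(url, timeout=10):
    """GET a URL and return its response headers as a dict (network required)."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return dict(err.headers.items())


# Constructed responses. BARE matches the 71% of the sample with no headers at all.
BARE = {"Server": "nginx", "Content-Type": "text/html"}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("bare", BARE), ("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs))
```

The HARDENED set is the six lines of configuration the text refers to, expressed as the headers a server should emit; a CSP that tight will break a site that relies on inline scripts or third-party tags, which is why the usual path is to deploy it first as Content-Security-Policy-Report-Only and read the violation reports before enforcing.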
SSL/TLS certificates were a bright spot — 92% of the sample had valid, current certificates, almost all on TLS 1.3. This is the one area where the modern web's defaults have actually pulled SMB security forward.
Network exposure: the ransomware front door
The port scan checked 11 common TCP services. The headline number is that 74% of the sample had unexpected open ports, but most of those are false positives for businesses fronted by Cloudflare (where ports 8080 and 8443 are part of the CDN's edge infrastructure, not the customer's origin).
Filter those out and you are left with the genuinely dangerous exposures: six businesses had Windows file sharing (SMB, port 445) exposed directly to the internet.
These exposures were distributed across five sectors: legal, medical, construction, accounting, and manufacturing. Each one is, in security terms, an open invitation.
SMB exposure is the WannaCry/NotPetya vector
In 2017, WannaCry hit around 300,000 computers across 150 countries in two days, encrypting data in hospitals, factories and government agencies, with total damage estimated in the billions of dollars. It spread by exploiting the SMBv1 flaw patched in MS17-010 (the EternalBlue exploit) on systems exposed to the internet, then used the same exploit to move laterally inside every network it reached. NotPetya used the same exploit a month later, alongside stolen credentials, and is widely cited as the most costly cyberattack in history: Maersk, FedEx subsidiary TNT, Merck and others were forced offline for weeks.
In 2024, Sophos's incident response team reported that exposed remote services were the initial entry point in 90% of ransomware attacks they investigated. The pattern has not changed. SMB on the public internet means the business is one motivated attacker away from a ransomware event.
Australia's own experience with this is well documented. Toll Group, a 40,000-employee logistics company, was hit by ransomware twice in three months in 2020 via exposed remote services, had 220 GB of corporate data published on the dark web, and required a multi-year rebuild. Colonial Pipeline (US, 2021) was breached through a single VPN account that had no MFA and whose password had leaked; the shutdown prompted a US federal emergency declaration to keep fuel moving by road, and the company paid a $4.4 million ransom.
The point is not that any of the six exposed businesses in this sample are about to be hit. The point is that there is no technical barrier preventing it. Their SMB port is reachable from any computer on the internet right now.
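The Cloudflare caveat above is the step most port-scan write-ups skip: a connect to 8080 or 8443 on a proxied hostname is answered by the CDN edge, not the customer's server, and counting it inflates the "unexpected open ports" figure. The following is an added example, not the scanner's code, that applies that filter and ranks what remains. The port list and severities are my own choices (the report does not list its 11 ports), the scan results are constructed, and CLOUDFLARE_V4 is a hand-copied snapshot that must be checked against https://www.cloudflare.com/ips/ before real use.

```python
"""Separate genuine origin exposure from CDN-edge noise in TCP connect-scan results.

Added example, not the scanner's code. The port list and severities are my own
choices, the scan results below are constructed, and CLOUDFLARE_V4 is a
hand-copied snapshot to be verified against https://www.cloudflare.com/ips/.
"""
import ipaddress
import socket

CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# Ports Cloudflare's proxy answers on for every proxied hostname; an open
# result here says nothing about the customer's origin server.
CDN_EDGE_PORTS = {80, 443, 2052, 2053, 2082, 2083, 2086, 2087, 2095, 2096, 8080, 8443, 8880}

# port -> (service, severity when reachable from the internet); my own list.
SERVICES = {
    21: ("FTP", "high"), 22: ("SSH", "medium"), 23: ("Telnet", "critical"),
    25: ("SMTP", "info"), 80: ("HTTP", "info"), 443: ("HTTPS", "info"),
    445: ("SMB", "critical"), 1433: ("MSSQL", "high"), 3306: ("MySQL", "high"),
    3389: ("RDP", "critical"), 5900: ("VNC", "critical"),
}
SEVERITY_RANK = {"info": 0, "review": 1, "medium": 2, "high": 3, "critical": 4}


def is_cloudflare(ip):
    """True if the address falls inside the (snapshot) Cloudflare IPv4 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify(ip, open_ports):
    """Return [(port, service, severity)] with CDN-edge ports dropped for CDN addresses."""
    edge = is_cloudflare(ip)
    findings = []
    for port in sorted(open_ports):
        if edge and port in CDN_EDGE_PORTS:
            continue  # answered by the CDN, not the customer origin
        service, severity = SERVICES.get(port, ("unknown", "review"))
        findings.append((port, service, severity))
    return findings


def worst(findings):
    """Highest severity among the findings, or 'none' when nothing remains."""
    if not findings:
        return "none"
    return max((f[2] for f in findings), key=SEVERITY_RANK.__getitem__)


def connect_scan(host, ports=tuple(SERVICES), timeout=1.0):
    """Plain TCP connect scan: no payloads, no banner grabs. Needs network."""
    found = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.add(port)
        except OSError:
            pass
    return found


# Constructed results, not real hosts.
SAMPLE_RESULTS = {
    "104.16.1.1": {80, 443, 8080, 8443},     # Cloudflare-fronted site
    "203.0.113.20": {80, 443, 445, 3389},    # self-hosted, SMB and RDP open
}

if __name__ == "__main__":
    for ip, ports in SAMPLE_RESULTS.items():
        found = classify(ip, ports)
        print(ip, worst(found), found)
```

Two limits to keep in mind when reading the output. A connect to 445 shows the port is reachable, not which SMB dialect is enabled or whether MS17-010 is patched; that needs an SMB negotiate, which is a step beyond a non-intrusive scan. And the filter only suppresses edge-port noise: a Cloudflare-fronted site whose origin address is discoverable some other way can still have that origin fully exposed.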
Credential exposure: the Medibank scenario
The breach exposure check looks for two things: active infostealer logs (employee credentials currently being sold on dark web marketplaces by malware that captured them from compromised home or work devices) and historical data breach exposure (role-based email addresses appearing in past breaches of third-party services).
Seven businesses in the sample had credentials currently for sale on infostealer marketplaces. One of those was a recruitment agency with three separate stolen credentials. Another was a childcare centre.
The mechanism by which this becomes a breach is well understood in Australia, because the country has already seen the most damaging example of it on a national scale.
Medibank (Australia, 2022)
Medibank, Australia's largest health insurer, was breached when an IT contractor saved Medibank admin credentials to a Chrome browser profile that synced to a personal device, where infostealer malware harvested them. The attackers used those credentials to log in to Medibank's GlobalProtect VPN, which did not require MFA, and exfiltrated 520 GB of data on 9.7 million customers over six weeks.
The OAIC's Federal Court filing notes that, on a per-contravention basis, Medibank could theoretically face penalties in the trillions of dollars; a realistic outcome is still expected to run to hundreds of millions. The attack started with an infostealer log, the same kind of artefact found for seven of the businesses scanned in this study, and the VPN's missing MFA meant that log alone was sufficient.
The Snowflake compromise of 2024 hit the same pattern at scale. UNC5537 used credentials harvested by infostealers, some dating back to 2020, to compromise around 165 organisations including Ticketmaster (data on ~560 million customers), Santander, and AT&T. Mandiant confirmed that over 80% of the compromised accounts had prior infostealer credential exposure that had never been rotated.
The conditions for that attack exist at 5% of the businesses in this study right now. Whether they have MFA on every administrative interface is a question that cannot be answered from outside. Whether they are aware of the exposure at all is a question that, until this study, they had no easy way to ask.
By sector
Some sectors carry the failure rate disproportionately. Below: percentage of businesses in each sector grading at F (critical), and percentage grading at A or B (acceptable).
| Sector | n | Grade F | Grade A or B |
|---|---|---|---|
| Manufacturing | 20 | 30% | 0% |
| Medical | 20 | 25% | 0% |
| Construction | 20 | 25% | 5% |
| Accounting | 20 | 15% | 5% |
| Professional Services | 30 | 7% | 10% |
| Legal | 20 | 5% | 5% |
| Real Estate | 20 | 5% | 0% |
Manufacturing was the worst sector by F-grade rate, with 30% of engineering and fabrication firms scoring critical. This sector is a known target for ransomware groups pursuing operational disruption and intellectual property theft.
Medical performed second-worst. Twenty-five percent scored F, and not a single medical practice in the sample scored above C. This is the sector with the heaviest regulatory exposure under the Privacy Act, the most sensitive data, and — based on this study — the least mature externally-visible security posture.
Real estate shared the ceiling seen in medical and manufacturing: no agency scored above C. Real estate agencies are a frequent target of settlement-fund redirection scams, where attackers compromise an agent's email and reroute deposit transfers to criminal accounts.
Legal was the best of the regulated sectors but still had 95% sub-B. Law firms hold privileged client information and are under increasing pressure from the legal profession's own regulators to demonstrate cybersecurity competence.
What this means if you run an MSP
If you are a managed service provider with Australian SMB clients, you already know they ask you about security and you already know most of them have not paid for any actual security work. This study is, in effect, a sample of what their public infrastructure looks like.
The findings suggest three things:
- The gaps are predictable. Across 144 businesses in seven sectors, the same handful of issues kept appearing. DMARC unenforced. Security headers missing. CAA absent. Where the issues exist, they are highly likely to exist in your own client base in similar proportions.
- The gaps are cheap to fix. Most of what this study flagged costs minutes per client, not days. DNS records. Web server header configuration. Removing exposed services from the public internet. The capability to fix them is well within the reach of any competent MSP.
- The cost of not fixing them is in the millions, per the cases cited. Mobius v Inoteq is $235,000 plus a court judgment. Medibank is on the path to a nine-figure settlement. Toll Group rebuilt large parts of its infrastructure from scratch. None of those losses were inevitable.
Running an external scan against a client's domain takes 40 seconds. The output is a one-page summary that turns "you should care about security" into "here are the seven specific things failing on your domain right now." It changes the conversation, and it does so in the only way that actually works with SMBs: by showing them their own exposure, not someone else's slide deck.
Limitations and caveats
This study has the limits of any externally-visible assessment. It does not measure MFA, patching, backups, internal segmentation, application security, employee training, or any of the controls that require internal access to evaluate. A business with a perfect external posture can still be breached through a phished password and an unpatched workstation. Of the eight Essential Eight controls, only one (Patch Applications) is externally assessable, and only partially.
What an external scan does measure is the attack surface that determines whether a business gets targeted in the first place. Attackers do reconnaissance. They look for the easy entries. The businesses with no DMARC, no headers, exposed SMB, and credentials on dark web markets are the ones that get selected.
What happens next
The 16 businesses in this study with critical findings — SMB exposure, active credential exposure, or historical breach exposure — are being notified individually through responsible disclosure. They will receive a description of what was found and how to fix it. No pitch, no follow-up.
The aggregate data is being published here so MSPs, sector bodies, and Australian businesses generally can use it as a baseline. If you have questions about the methodology, want the per-check raw statistics, or want to discuss what an external scan would find on your own clients' domains, the contact details are below.
Want to know what's on your own attack surface?
If your business runs a public web application — whether a SaaS product, a customer portal, or a payment-handling site — I can tell you what an attacker sees from the outside. Penetration testing engagements start at $2,500, fixed price, within two weeks.
Get in touch →