For many small and medium businesses, cybersecurity can still feel like something that mainly impacts large enterprises or government agencies. But the reality is very different now. Cybercriminals are targeting businesses of every size, and AI is making those attacks faster, more convincing, and harder to spot.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) reported more than 84,700 cybercrime reports in FY2024–25, which is one report every six minutes, and the average self-reported cost of cybercrime for businesses rose to $80,850. For small businesses, the average reported cost was $56,600, while medium businesses reported an average of $97,200.
Countries like Australia and New Zealand are also firmly on the radar of global threat actors. Microsoft’s threat intelligence ranked Australia among the top 10 countries most frequently impacted by cyber threats in early 2025, and its nation-state activity data also showed Australia among the most active countries in the Asia-Pacific region.
What has changed is not just the volume of attacks, but the way they are being carried out.
AI is now helping attackers scale phishing, identity fraud, social engineering, and impersonation at a level that would have taken far more time and effort in the past. Microsoft notes that threat actors are using generative AI to create more convincing fraudulent messages, automate parts of attacks, generate deepfakes, and improve the speed and reach of phishing campaigns.
That matters because email, identity, and trust are exactly where many SMB attacks begin. The ACSC said the top cybercrimes reported by Australian businesses included email compromise, business email compromise fraud, and identity fraud. Microsoft’s Digital Defense Report reinforces the same pattern globally, showing that phishing-resistant MFA still blocks more than 99% of unauthorised access attempts, while identity compromise remains one of the most important attack paths.
AI is also making social engineering more effective. Microsoft found that AI-automated phishing emails achieved a 54% click-through rate compared with 12% for standard attempts, and the company also warned about the rise of deepfakes, synthetic identities, and AI-generated fake websites, voices, and chats being used to impersonate trusted people and brands.
At the same time, attackers are becoming quieter. Picus found that 80% of the top 10 most prevalent MITRE ATT&CK techniques in 2026 were focused on evasion and persistence rather than immediate disruption, which shows a clear shift from “smash-and-grab” attacks to long-term hidden access. Its report describes this as the rise of the “Digital Parasite,” where attackers aim to live inside the environment, steal identities, and stay undetected for longer.
That trend lines up closely with Microsoft’s findings. The Digital Defense Report noted that attackers are increasingly “logging in” rather than breaking in, often using stolen credentials, tokens, password stores, infostealers, and cloud identity abuse to access business data quietly. Microsoft also observed data collection in 80% of reactive incident response engagements and confirmed that data exfiltration is now a normal part of many attacks.
For Australian & New Zealand SMBs, this creates a very practical challenge.
Most smaller businesses do not have a large security team, a 24/7 Security Operations Centre (SOC), or time to manage a patchwork of disconnected tools. They need security that is built in, integrated, and easy to operate day to day. That is exactly why Microsoft 365 Business Premium is such a strong starting point. Microsoft positions Business Premium as a solution for businesses with up to 300 users, combining productivity, identity protection, device management, phishing protection, ransomware protection, and data protection in one platform.
Out of the box, Microsoft 365 Business Premium includes Microsoft Entra ID Plan 1 for identity and access management, Microsoft Intune Plan 1 for device and app management, Microsoft Defender for Business for endpoint protection, Microsoft Defender for Office 365 Plan 1 for email and collaboration security, and Microsoft Purview capabilities for information protection and data loss prevention.
That matters because it gives SMBs a strong baseline against the exact threats being seen in the Australian and New Zealand markets. Entra ID and Conditional Access help protect identities, Intune helps enforce device compliance and secure access, Defender for Business helps stop ransomware and endpoint threats, Defender for Office 365 helps reduce phishing risk across email and collaboration, and Purview helps classify and protect sensitive information before it is accidentally or deliberately shared.
But for many SMBs, especially those handling customer data, financial information, legal documents, health records, or growing cloud estates, the baseline may not be enough anymore.
That is where the Microsoft Defender Suite for Business Premium and Microsoft Purview Suite for Business Premium add-ons start to deliver real value.
The Microsoft Defender Suite for Business Premium extends Business Premium with Microsoft Entra ID P2, Microsoft Defender for Identity, Microsoft Defender for Endpoint Plan 2, Microsoft Defender for Office 365 Plan 2, and Microsoft Defender for Cloud Apps. Microsoft describes this as giving SMBs stronger identity protection and governance, advanced endpoint detection and response, automated investigation and response for email and collaboration, advanced hunting, SaaS security, and better control over shadow-IT.
That upgrade is important because modern attacks do not stay in one place. They move across identities, endpoints, email, and cloud apps. When Microsoft warns about device code phishing, OAuth abuse, infostealers, BEC, cloud identity compromise, and attackers using legitimate tools and platforms to blend in, the Defender Suite directly addresses those gaps by extending visibility and response across the whole attack chain.
In practical terms, this means an SMB can move beyond just blocking obvious threats and start identifying risky sign-ins, suspicious user behaviour, compromised credentials, malicious SaaS activity, and post-breach movement inside the environment. It also means security teams and partners can investigate incidents faster and respond more effectively before a phishing email becomes a ransomware event or a stolen password becomes a major data breach.
The Microsoft Purview Suite for Business Premium is just as important, especially in a world where the attacker’s end goal is often data theft.
Microsoft says the Purview Suite for Business Premium helps SMBs secure data, devices, apps, and AI with built-in automation, and includes capabilities such as Information Protection, Data Loss Prevention, Insider Risk Management, Audit, eDiscovery, and Data Lifecycle Management. Microsoft also highlights that it helps protect businesses from oversharing, risky prompts, and unintended data exposure across Microsoft 365, Copilot, and AI experiences.
This is a big deal for businesses because once data leaves the business, the impact is no longer just technical. It becomes a business risk, a legal risk, and often a reputation risk as well. Microsoft’s report makes it clear that data access, staging, and exfiltration are now central parts of modern attacks, while the ACSC continues to warn that Australian businesses are attractive targets because they hold sensitive and valuable data.
Purview helps tackle that problem from the inside out. It allows businesses to classify sensitive information, apply protection that travels with the file, reduce accidental or unauthorised sharing, detect insider risk, improve investigation readiness, and maintain stronger visibility through audit trails. For SMBs with limited compliance resources, that is often the difference between hoping sensitive data is protected and actually knowing where it is, how it is being used, and when something looks wrong.
The bigger point here is that AI has changed the economics of cybercrime.
Attackers can now produce more believable lures, run faster campaigns, automate more of the attack chain, and target smaller businesses that may not have enterprise-grade defences in place. At the same time, the attack path has shifted from loud disruption to silent access, identity abuse, and long-term data theft.
For small and mid-sized businesses, this means cybersecurity should no longer be treated as a bolt-on or a nice-to-have. A solid Microsoft 365 Business Premium foundation gives businesses the essentials they need to protect identities, devices, email, and data. Adding the Defender Suite and Purview Suite takes that foundation further by bringing more advanced detection, response, governance, and data protection capabilities into a platform that is still designed for the realities of the SMB market.
In other words, this is not about buying more security for the sake of it. It is about giving SMBs a practical, integrated way to defend against the kind of modern attacks that are already happening now — especially the AI-assisted, identity-led, and data-focused attacks that are only going to become more common from here.
References:
Annual Cyber Threat Report 2024-25 factsheet for businesses and organisations
Microsoft-Digital-Defense-Report-2025-v5-21Nov25
Picus-RedReport2026
