← Field Notes
·7 July 2026·4 min read

SMEs Rushed Into AI. Nearly Half Left Cyber Defences Behind.

OECD data: 46% of SMEs have no meaningful digital security while 61% use AI tools. Australian breach costs hit $56,600 and are climbing 14% a year.

The OECD just put a number on something most business owners sense but have not quantified. In its 2026 D4SME survey of more than 2,000 SMEs across 12 OECD countries, 61 per cent now use at least one AI-enabled application. In the same survey, 46 per cent report having no or only minimal digital security measures in place. Those two numbers describe the same businesses.

This is not about sophisticated nation-state attackers. It is about ordinary businesses adding AI tools — phone agents, scheduling platforms, accounting features — without upgrading the security around them. Every AI tool connected to your business data is a door. Nearly half of SMEs have not fitted a lock.

The OECD classified 76 per cent of AI-using SMEs as 'AI novices' — businesses running off-the-shelf tools for isolated tasks without integration or governance. That sounds low-risk until you map what those tools access. An AI phone agent reads your customer database and calendar. An AI bookkeeping feature processes every financial transaction. An AI quoting tool handles pricing data and client specifications. Each one is a data pathway. Without multi-factor authentication and proper access controls, each one is also an entry point.

Twenty-two per cent of surveyed SMEs had already experienced a digital security breach. One in five. And the OECD found limited clarity among SMEs on data governance, privacy, and IP rights — gaps that widen with every AI tool connected.

46%

Have no or minimal digital security

OECD D4SME survey, 2,000+ SMEs across 12 countries

22%

Have already experienced a breach

One in five surveyed firms

$56,600

Average small business cyber cost in Australia

ASD Annual Cyber Threat Report, up 14%

The ASD's Annual Cyber Threat Report for 2024-25 puts the average cyber crime cost for Australian small businesses at $56,600 — up 14 per cent year on year. Medium businesses: $97,200, up 55 per cent. The ASD received 84,700 cybercrime reports across the period — one every six minutes.

These costs predate the sharpest phase of SME AI adoption. Business email compromise — intercepting or fabricating invoices to redirect payments — remains the most common attack with financial loss, at 15 per cent of reported incidents. AI makes those attacks more convincing, and AI tools processing financial data without adequate security make them easier to execute.

For a trades business running on 5 to 10 per cent margins, a $56,600 breach is a year's profit wiped out. For a professional services firm holding client financial data, the reputational cost compounds the direct loss. We wrote earlier this year about insurers narrowing AI coverage and adding exclusions to cyber policies. A business with minimal security may find it has neither the defences nor the insurance to absorb the hit.

Average cyber crime cost by business size

Source: ASD Annual Cyber Threat Report 2024-25

Small business
$56,600 (+14%)
Medium business
$97,200 (+55%)
Large organisation
$202,700 (+219%)

First, enable multi-factor authentication on every platform that touches business data — accounting software, CRM, email, AI tools. The ASD lists MFA as the single most effective control against credential-based attacks. It is free on virtually every business platform and blocks the majority of account compromises.

Second, audit what your AI tools can actually access. Most SMEs grant broad permissions during setup and never revisit them. Open each tool's settings and revoke anything it does not need. An AI scheduling agent needs calendar access, not your financial records. An AI quoting tool needs pricing data, not your employee files.

Third, run the ASD's free Cyber Security Assessment Tool at cyber.gov.au. It takes 15 minutes and maps your posture against the Essential Eight framework. The same site provides step-by-step guidance written for small businesses. The OECD found that 65 per cent of SMEs who had not accessed government support were unaware it existed. The ASD's resources are among the best in the world. Most Australian businesses have never looked at them.

Key takeaways

61 per cent of SMEs now use AI, but 46 per cent have no or minimal digital security — and 76 per cent of AI-using firms are classified as 'AI novices' operating without governance or strategy, per the OECD's 2026 D4SME survey of 2,000+ businesses.
The average cost of cyber crime for Australian small businesses hit $56,600 in 2024-25, up 14 per cent year on year. Medium businesses: $97,200, up 55 per cent (ASD Annual Cyber Threat Report).
Every AI tool connected to business data is a potential entry point. Without multi-factor authentication and proper access controls, AI adoption widens the attack surface faster than most businesses realise.
Three free steps reduce exposure immediately: enable MFA everywhere, audit AI tool permissions, and run the ASD's Cyber Security Assessment Tool at cyber.gov.au.

Sources

OECD — Empowering SMEs in the Age of AI (D4SME Survey, April 2026)

ASD — Annual Cyber Threat Report 2024-2025 (October 2025)

Assumptions & methodology
  1. The OECD D4SME survey was conducted between Q4 2025 and Q1 2026 across more than 2,000 SMEs in 12 OECD countries. The 46 per cent security figure and the 61 per cent AI adoption figure describe the same surveyed population, but the OECD does not report the intersection — the proportion of AI-using firms specifically that lack security. Given the overlap, a substantial share of AI-adopting SMEs are operating without meaningful digital defences.
  2. The ASD cost figures ($56,600 small, $97,200 medium, $202,700 large) are from the Annual Cyber Threat Report 2024-25, published October 2025. These reflect self-reported costs per incident and likely understate total impact due to under-reporting.
  3. The 65 per cent unawareness figure — SMEs who had not accessed government support and did not know it existed — is from the same OECD D4SME survey. In Australia, the ASD's free Small Business Cyber Security Guide and Cyber Security Assessment Tool are available at cyber.gov.au.
  4. The reference to insurers narrowing AI coverage relates to an earlier CoterieLabs field note covering Lloyd's of London and Australian insurer policy exclusions for AI-related claims.

Next

Payday Super Is Live. Two-Thirds of Employers Didn't Prepare.

Read →

Field Notes are general commentary on AI trends for Australian businesses. They don’t constitute professional advice. Talk to your accountant, lawyer, or IT adviser before acting on anything specific to your situation — or talk to us if you want help working out where AI fits.

Want to know where your AI tools are creating security exposure?

A short conversation can map the gap between what your tools access and how they are secured. Book a call to talk it through.

Book a call →