SMEs Rushed Into AI. Nearly Half Left Cyber Defences Behind.
OECD data: 46% of SMEs have no meaningful digital security while 61% use AI tools. Australian breach costs hit $56,600 and are climbing 14% a year.
The gap nobody measured until now
The OECD just put a number on something most business owners sense but have not quantified. In its 2026 D4SME survey of more than 2,000 SMEs across 12 OECD countries, 61 per cent now use at least one AI-enabled application. In the same survey, 46 per cent report having no or only minimal digital security measures in place. Those two numbers describe the same businesses.
This is not about sophisticated nation-state attackers. It is about ordinary businesses adding AI tools — phone agents, scheduling platforms, accounting features — without upgrading the security around them. Every AI tool connected to your business data is a door. Nearly half of SMEs have not fitted a lock.
What AI adoption looks like without security
The OECD classified 76 per cent of AI-using SMEs as 'AI novices' — businesses running off-the-shelf tools for isolated tasks without integration or governance. That sounds low-risk until you map what those tools access. An AI phone agent reads your customer database and calendar. An AI bookkeeping feature processes every financial transaction. An AI quoting tool handles pricing data and client specifications. Each one is a data pathway. Without multi-factor authentication and proper access controls, each one is also an entry point.
Twenty-two per cent of surveyed SMEs had already experienced a digital security breach. One in five. And the OECD found limited clarity among SMEs on data governance, privacy, and IP rights — gaps that widen with every AI tool connected.
46%
Have no or minimal digital security
OECD D4SME survey, 2,000+ SMEs across 12 countries
22%
Have already experienced a breach
One in five surveyed firms
$56,600
Average small business cyber cost in Australia
ASD Annual Cyber Threat Report, up 14%
The Australian cost is concrete and climbing
The ASD's Annual Cyber Threat Report for 2024-25 puts the average cyber crime cost for Australian small businesses at $56,600 — up 14 per cent year on year. Medium businesses: $97,200, up 55 per cent. The ASD received 84,700 cybercrime reports across the period — one every six minutes.
These costs predate the sharpest phase of SME AI adoption. Business email compromise — intercepting or fabricating invoices to redirect payments — remains the most common attack with financial loss, at 15 per cent of reported incidents. AI makes those attacks more convincing, and AI tools processing financial data without adequate security make them easier to execute.
For a trades business running on 5 to 10 per cent margins, a $56,600 breach is a year's profit wiped out. For a professional services firm holding client financial data, the reputational cost compounds the direct loss. We wrote earlier this year about insurers narrowing AI coverage and adding exclusions to cyber policies. A business with minimal security may find it has neither the defences nor the insurance to absorb the hit.
Average cyber crime cost by business size
Source: ASD Annual Cyber Threat Report 2024-25
Three fixes that cost nothing
First, enable multi-factor authentication on every platform that touches business data — accounting software, CRM, email, AI tools. The ASD lists MFA as the single most effective control against credential-based attacks. It is free on virtually every business platform and blocks the majority of account compromises.
Second, audit what your AI tools can actually access. Most SMEs grant broad permissions during setup and never revisit them. Open each tool's settings and revoke anything it does not need. An AI scheduling agent needs calendar access, not your financial records. An AI quoting tool needs pricing data, not your employee files.
Third, run the ASD's free Cyber Security Assessment Tool at cyber.gov.au. It takes 15 minutes and maps your posture against the Essential Eight framework. The same site provides step-by-step guidance written for small businesses. The OECD found that 65 per cent of SMEs who had not accessed government support were unaware it existed. The ASD's resources are among the best in the world. Most Australian businesses have never looked at them.
Key takeaways
▶Assumptions & methodology
- The OECD D4SME survey was conducted between Q4 2025 and Q1 2026 across more than 2,000 SMEs in 12 OECD countries. The 46 per cent security figure and the 61 per cent AI adoption figure describe the same surveyed population, but the OECD does not report the intersection — the proportion of AI-using firms specifically that lack security. Given the overlap, a substantial share of AI-adopting SMEs are operating without meaningful digital defences.
- The ASD cost figures ($56,600 small, $97,200 medium, $202,700 large) are from the Annual Cyber Threat Report 2024-25, published October 2025. These reflect self-reported costs per incident and likely understate total impact due to under-reporting.
- The 65 per cent unawareness figure — SMEs who had not accessed government support and did not know it existed — is from the same OECD D4SME survey. In Australia, the ASD's free Small Business Cyber Security Guide and Cyber Security Assessment Tool are available at cyber.gov.au.
- The reference to insurers narrowing AI coverage relates to an earlier CoterieLabs field note covering Lloyd's of London and Australian insurer policy exclusions for AI-related claims.
Next
Payday Super Is Live. Two-Thirds of Employers Didn't Prepare.
Field Notes are general commentary on AI trends for Australian businesses. They don’t constitute professional advice. Talk to your accountant, lawyer, or IT adviser before acting on anything specific to your situation — or talk to us if you want help working out where AI fits.
Want to know where your AI tools are creating security exposure?
A short conversation can map the gap between what your tools access and how they are secured. Book a call to talk it through.
Book a call →