Perspective · 2026-06-17 · 5 min read

A reply to the PwC cyber report — what they got right and what they missed about small business

PwC’s 2025 Digital Trust survey is solid for the ASX 200 and wrong for the corner clinic. Four findings that don’t translate to Australian small business, and the honest version that does.

PwC’s 2025 Digital Trust Insights survey is a sound read on large organisations, but several headline findings do not translate to Australian small business:

  • The survey samples the enterprise-and-up segment — organisations with security teams, budgets and regulatory obligations a small business does not have
  • Its priorities are correct for the ASX 200 but can mislead an owner-operator about where their own risk actually sits
  • The findings that do hold up for small business are the unglamorous basics — email authentication, patching, backups — not the board-level themes the report leads with

A report can be rigorous and still be the wrong size for your business. The honest version for a corner clinic or trades business looks nothing like the keynote slide.

The PwC Digital Trust Insights survey lands every year, and a few of its findings end up cited in every keynote, news article and board presentation for the next twelve months. The 2025 edition has done the same. I have read it twice. I have used parts of it in client conversations. I have also disagreed with parts of it in client conversations, and I want to write down which parts I think hold up for the Australian small business market and which parts I think do not.

What PwC got right

What PwC got right, and right comprehensively, is the picture for the enterprise-and-up segment. The survey samples disproportionately from large Australian businesses: the ASX 200, large mid-market, government, regulated industries. The findings on board engagement, on the cost of major incidents, on the growing role of AI in both attack and defence, on supply-chain compromise as a top concern, are accurate. The methodology is solid. The analysis is the right shape for the audience.

In 2025, PwC's global Digital Trust Insights found that only 2% of executives report their company has implemented comprehensive cyber resilience actions across all areas (PwC, "2025 PwC Digital Trust Survey: Key findings", retrieved 6 May 2026). That number is genuinely useful. It tells boards the expected state is "incomplete," and that the executive who claims they are fully resilient is the one to question.

PwC's Australian cut also found that only 15% of Australian companies have seen generative AI affect their cybersecurity in the last year, compared to 31% globally. That tells me Australian businesses are about a year behind the global curve on the AI-attack and AI-defence transition. Worth knowing.

What it does not represent

What it does not represent, and what cannot be inferred from it because the sample is what it is, is the experience of the Australian small business. The 95% of Australian businesses with fewer than 20 staff. The cafés, the allied health clinics, the solo legal practices, the engineering consultancies with twelve desks. None of them appear in the PwC survey in meaningful numbers, and none of the findings translate cleanly to their context.

There are four findings in particular where the small-business inference goes wrong, and they go wrong loudly, because they are the findings most often repeated in business-press summaries.

Where the small-business inference goes wrong

The first is "cybersecurity is now a board-level issue." For an ASX 200 business, true. For a 12-person allied health clinic, the board is the owner at her dining table on a Wednesday night with 17 browser tabs and 6 half-finished emails open. The framing does not apply because the role does not exist. The action it implies, schedule a quarterly cyber update for the board, has nowhere to land. The honest framing for small business is "cybersecurity is now an owner-operator issue," which is less ceremonious and substantially more accurate.

The second is "the cost of a major incident now averages $X million." For enterprise, the figures are accurate. For small business, the cost of a major incident is bimodal: either under $20,000, and the business recovers, or terminal, and the business closes within twelve months. The mean is misleading, because it averages a distribution where most values cluster at the low end and the tail kills the business. The owner-operator who reads "$4 million" decides the number is so far beyond their universe that the threat must be too. The threat is not. It is sized differently.

The third is "47% of Australian leaders identified cloud-related threats as their primary concern, followed by 37% pointing to third-party breaches." For an enterprise with a large cloud estate and a procurement team managing hundreds of supplier relationships, true. For a small business with three kinds of supplier, the accountant, the IT person and the SaaS vendors, the supply-chain risk is real but the survey's framing does not fit. The small-business supply-chain attack is "your bookkeeper got compromised, and the invoice came from her real address with your real banking details swapped out." That is a different incident shape entirely, and the control that stops it is not a vendor-risk programme but a habit: any change to a supplier's bank details gets confirmed by phone, on a number you already held, before the payment goes out.

The fourth is the workforce-investment finding: 51% of Australian organisations are under-investing in upskilling their security workforce, compared to 35% globally. For an enterprise that has a security workforce to upskill, that is a meaningful gap. For a 12-person clinic with no security workforce, it has nowhere to land. The clinic's equivalent is "the owner has not had time to read the ACSC guidance," which is not a workforce-investment problem. It is an attention-budget problem.

Where PwC was right and the audience needs to hear it

Where PwC was right and the small-business audience needs to hear it is the emphasis on basic hygiene. Email authentication, multi-factor authentication, backups, incident response. The same short list shows up in their survey, in the ACSC's guidance, and in every credible practitioner's recommendation. PwC says it for the enterprise and the recommendation becomes "ensure your maturity is at ML2" (Maturity Level Two of the ACSC's Essential Eight). For the small business the same recommendation collapses to "do these four things, full stop, and do not worry about maturity levels." Both are the same advice in different shapes.
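The first item on that list, email authentication, is the one a small business can verify from the outside with nothing but its domain name, and it is the control that blunts the swapped-invoice scenario above. The script below is an added example, not code from the article or from PwC: it classifies a domain's published SPF and DMARC posture from its DNS TXT records. The domain names and record values are constructed for illustration, and the `lookup` callable is a stand-in for a real DNS TXT query, which the block deliberately does not perform so that it runs offline.

```python
"""Outside-in check of a domain's email authentication (SPF + DMARC).

Added example, not code from the article or from PwC. The record values
in SAMPLE_TXT are constructed; in real use `lookup` would be a DNS TXT
query for the name (for example via a resolver library).
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# The qualifier on the 'all' mechanism decides what receivers do with mail
# from an IP the record does not list.
_SPF_ALL = {"+": "permissive", "": "permissive", "?": "permissive",
            "~": "soft", "-": "enforcing"}


@dataclass
class Posture:
    spf: str    # missing | invalid | permissive | soft | enforcing | redirect
    dmarc: str  # missing | invalid | none | quarantine | reject | partial-*
    ok: bool    # SPF at least soft-fail AND DMARC at least quarantine


def classify_spf(txt_records: Iterable[str]) -> str:
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:           # RFC 7208: more than one SPF record is a permerror
        return "invalid"
    terms = spf[0].split()[1:]  # drop the 'v=spf1' version term
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:                   # 'all' always matches, so the first one ends evaluation
            return _SPF_ALL[m.group(1)]
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirect"       # policy is delegated to another domain's record
    return "permissive"         # no 'all' term: unlisted senders get 'neutral'


def classify_dmarc(txt_records: Iterable[str]) -> str:
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:
        return "invalid"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"        # 'p' is mandatory and must be one of three values
    # pct below 100 applies the policy to only a sample of failing mail
    if policy != "none" and tags.get("pct", "100") != "100":
        return "partial-" + policy
    return policy


def assess(domain: str, lookup: Callable[[str], Optional[Iterable[str]]]) -> Posture:
    """Evaluate <domain> using a TXT lookup function (real DNS in production)."""
    spf = classify_spf(lookup(domain) or [])
    dmarc = classify_dmarc(lookup("_dmarc." + domain) or [])
    ok = spf in ("soft", "enforcing") and dmarc in ("quarantine", "reject")
    return Posture(spf, dmarc, ok)


# Constructed sample records for three hypothetical businesses.
SAMPLE_TXT = {
    "clinic.example": ["google-site-verification=abc123",
                       "v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.clinic.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@clinic.example"],
    "trades.example": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.trades.example": ["v=DMARC1; p=none; rua=mailto:dmarc@trades.example"],
    "cafe.example": ["v=spf1 +all"],   # authorises the entire internet to send as the cafe
}

if __name__ == "__main__":
    for name in ("clinic.example", "trades.example", "cafe.example"):
        print(name, assess(name, SAMPLE_TXT.get))
```

The three constructed cases cover the spread a practitioner actually sees: the clinic (strict SPF, DMARC reject) passes; the trades business has records but a monitoring-only DMARC policy, so forged mail from its domain is still delivered; the cafe publishes an SPF record that authorises every sender and has no DMARC at all. Swapping `SAMPLE_TXT.get` for a real resolver turns this into the outside view the closing paragraph refers to.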

Where PwC was wrong, and what the audience needs instead

Where PwC was wrong, and the audience needs to hear that too, is the framing throughout the report that small business "should be moving towards" enterprise-grade security posture. The destination is wrong. A 12-person clinic is not climbing a maturity curve towards becoming a 12,000-person enterprise. It is a different kind of organisation. The right destination for small business is "the basics, done well, with a continuous outside view of whether they are still right." That is not a smaller version of the enterprise destination. It is a different destination.

PwC's survey is a useful document for the audience it was written for. Reading it as a small business owner is a bit like reading the maintenance schedule for a long-haul airliner when you own a Cessna. The principles overlap. The specifics do not. The owner who applies commercial maintenance schedules to their Cessna will either ground themselves on cost or, worse, draw the wrong conclusions about what actually needs doing.

Read the PwC survey. Take what is useful. Recognise where the sample stops representing you. The honest version of cybersecurity advice for Australian small business is shorter, smaller and cheaper than anything in the report, and you can check most of it from the outside. That is not a failure of the report. That is the gap the report was never trying to fill.

#perspective #australian-business #small-business