Australian companies could risk becoming "low-hanging fruit" for cyber criminals due to a lack of education and an unwillingness to properly deal with threats.

Industry giants including the big four banks actively work to combat threats but many small and medium businesses do not properly protect data, and then cave in to demands from crooks who hijack their systems, according to financial services firm Deloitte.

Australian firms are not taking security seriously enough, says Deloitte.

James Nunn-Price, who leads Deloitte's Asia Pacific Cyber unit, said companies were failing to report ransomware — which locks users out of their computers until they pay a fee — and instead perpetuate the practice by coughing up the cash.

"I'm amazed at how many Australian businesses pay the money ... certainly some super funds, insurers and corporates pay the money because it's just easier to pay a few hundred dollars and then they wonder why six weeks later they get hit again," Mr Nunn-Price told reporters on Monday.