Strategy highlights strength of the middle market

As we examine how organisations approach their cyber security strategy, key differences begin to emerge.

In particular, these results highlight how maturity signals change with size and complexity. 

As organisations grow, they shift from fast, informal decision-making to more structured governance and formal frameworks. 

Small organisations tend to blend formal processes with reactive strategies, putting out fires as they occur. Larger businesses, particularly multinationals, engage in more structured, systematic risk management that offers greater control and consistency.

Organisations with 201–1000 employees occupy a meaningful middle ground. They have enough scale to face real governance expectations but retain enough operational agility to react when market conditions change.
Cyber insurance has become standard practice across mid-to-large Australian organisations

Cyber insurance coverage is high across organisations of all sizes, with organisations in the 201–1000 employee segment pulling slightly ahead of both smaller and larger peers.

The gap is small, but it may reflect the same inflection point seen throughout these results, where mid-sized organisations hold an advantage over larger ones. The middle band has sufficient scale both to justify insurance costs and to meet insurer expectations, while very large environments may face complexity hurdles or see premiums rise faster than the perceived benefit.

While there are differences in sample size and demographics between the 2024 and 2026 surveys, there has been a clear shift in cyber insurance adoption.
The relationship between organisational size and cyber insurance uptake has flattened

In 2024, uptake was strongly linked to organisational size, with smaller organisations far less likely to report having cyber insurance. We also saw greater levels of uncertainty among larger firms, where respondents were less sure whether cover was in place.

Cyber insurance adoption among small‑to‑mid‑sized organisations has increased substantially since 2024

In 2026, cyber insurance has become a mainstream control across organisations with more than 20 employees, with around two-thirds reporting coverage regardless of size and consistently low levels of uncertainty.

This suggests both increased adoption among smaller organisations and improved visibility of cyber insurance arrangements overall. These results may indicate that insurance functions as a first step into cyber protection. It is worth remembering, however, that insurance transfers the financial impact of an incident rather than reducing its likelihood, and insurers increasingly expect baseline controls such as multi-factor authentication and tested backups to be in place before offering cover.

Incident response testing more frequent in multinational organisations

Incident response testing generally scales with organisational size: larger organisations tend to test quarterly, particularly when they are multinational. Interestingly, large national organisations often land on bi-annual cycles, while smaller organisations are more likely to test annually. This may indicate a gap in domestic preparedness and cyber maturity.

More frequent testing is a positive sign, but organisations should not fall into the trap of assuming that more frequent testing means more security. A test only improves readiness if the gaps it exposes are recorded, assigned an owner and closed before the next cycle. Boards should be asking not just "how often do we test?" but "what does our testing tell us about our actual readiness, and are we acting on that intelligence?"

Top approaches to managing cyber risk broadly similar, with some nuance

Some interesting outliers appear when it comes to how organisations of different sizes approach cyber risk management. Cloud security; strategy and risk management; and detection and response are the most commonly selected top-three approaches.

However, when it comes to more complex strategies such as zero trust architecture and design, or vulnerability management, both larger and smaller organisations were significantly more likely to prioritise these than organisations in the middle band.

The data indicates that large organisations are better at governing systems than people

Large organisations fall behind in training and communication

One of the more significant findings from this survey is what it reveals about relative weaknesses in large organisations.

When we look at addressing disruptions and ensuring continuity, threat detection and response was the most common answer from organisations of every size.

However, when we look at resilience training and crisis communication planning, we see a significant drop among larger organisations.

This suggests that as organisations grow, investment in human and process controls declines relative to technical controls. While crisis communication and staff training are more expensive and likely more challenging to implement in larger organisations, the impact of not having those controls in place could be quite significant: detection tooling tells you an incident is happening, but it is people and rehearsed communication plans that determine how well the organisation responds.

Unfortunately, it seems that the organisations with the most stakeholders to manage are the least likely to have planned for it.

Chapter 4. Threat exposure and response


Frequently asked questions about cyber security governance

Cyber security governance is the framework of policies, responsibilities and decision-making processes that guide how an organisation manages cyber risk. Effective governance ensures cyber security aligns with business objectives, regulatory obligations and overall risk management.

Security controls help organisations prevent, detect and respond to cyber threats. While technical controls such as firewalls and multi-factor authentication are essential, effective cyber resilience also relies on governance, policies, training and ongoing monitoring.

Cyber security strategies should be reviewed regularly and whenever significant changes occur, such as business growth, technology upgrades, acquisitions or emerging threats. Regular reviews help ensure governance, security controls and investment remain aligned with organisational risk.

Cyber security governance is a shared responsibility. Boards set strategic direction and oversee risk, executives provide leadership and accountability, while IT, security and business teams implement and maintain effective controls. Independent assurance can also provide confidence that governance arrangements remain fit for purpose.

A cyber maturity assessment provides an independent view of your organisation's current cyber capability, identifying strengths, gaps and opportunities for improvement across governance, security controls, people and processes. It helps organisations prioritise investment and benchmark progress over time.

AI security assessment for Australian organisations

RSM is pleased to offer its AI secure by design review and systems assessment service that can help organisations identify, mitigate and manage their AI risks.