We have seen that cyber security is being funded, and have explored the different strategies and controls being employed by Australian organisations.
But what happens when strategic investment meets operational reality?
We asked what is really happening on the ground and found that incidents are common, but success is mixed.
Reported breach and ransomware rates are highest in large organisations
Ransomware attacks are common: over a third of organisations say they have experienced an attack in the past year. That incidence rate rises sharply with company size, with almost half of all larger organisations experiencing an attack.
This jump is to be expected given the increased exposure of larger organisations. A higher headcount means broader attack surfaces and greater complexity, plus bigger organisations are more likely to be high-value and highly-visible targets.
Data breach incidents also rise with scale and exposure. This is consistent with larger organisations facing more attacks.
However, it’s worth keeping in mind that larger organisations are also significantly more likely to have the monitoring capability, dedicated security teams and detection tooling to identify incidents when they occur.
Smaller organisations usually operate with leaner teams and limited monitoring infrastructure, so it is likely that they experience attacks or breaches without realising it.
This would be consistent with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) assessment that “the vast majority of cybercrime continues to go unreported.”
Smaller organisations should not take comfort from low breach numbers if those numbers reflect limited visibility rather than adequate protection.
Controls are working, mostly
Among organisations that experienced a cyber attack, the majority report that existing controls were completely successful in preventing infection.
That is a genuinely positive finding, and a sign that baseline controls are in place and doing meaningful work across Australian organisations.
However, success rates soften in larger and multinational firms. This does make sense; as the volume of attacks increases, it becomes more statistically likely that one will succeed. What matters is how this is reported to leaders.
Seeing that the vast majority of threats were contained may lead to complacency and false confidence. Partial success, in this context, means damage was sustained. Larger organisations should consider whether their controls are “partially successful” or simply “not catastrophic.” Boards should be asking what the residual exposure looks like when controls don’t work completely.
AI governance is strongest in the middle market
AI governance fundamentals are now widely implemented across the market, but once again it is mid-sized organisations that lead across most practices.
Smaller organisations manage to keep up in terms of AI guidelines, but have adopted fewer AI governance measures overall, which can be attributed to lacking the resources to do more.
Surprisingly, larger firms also lag behind, particularly when it comes to staff training on responsible AI development and use, where less than half of large organisation respondents report having such programs in place.
This pattern is consistent with the broader theme emerging across this report. Organisations with 201–1,000 employees are large enough to fund strategic initiatives and respond proactively to an evolving threat landscape. They are also small enough to manage internal stakeholders effectively, to bring their people through change rather than simply mandate it.
Larger and multinational organisations seem to rely more heavily on structure, formal frameworks and technology for their protection. Where they struggle is in connecting those frameworks to their people and embedding new practices consistently across the organisation. AI governance is simply the latest domain in which that gap is showing up.
Spending more does not automatically mean better protected
While we saw earlier that security budgets increase with size, the returns on that investment are not linear.
Larger organisations spend more in absolute terms and allocate a higher proportion of their IT budget to security, yet they experience more incidents and report lower rates of complete control success than their mid-sized peers.
A number of factors are likely at play. Greater organisational complexity creates more potential points of failure. The rollout of security tooling and policy across large, geographically dispersed workforces is slower and less consistent than in smaller organisations. And the bureaucratic friction that accompanies scale can delay the implementation of improvements.