Executive summary 

Australian organisations are spending more and feeling more confident, but the data reveals that scale is not a reliable proxy for maturity. 

The organisations getting cyber security most right are mid-sized, and the reasons why should concern every large enterprise in Australia.

Australia's cyber security landscape continues to evolve as organisations respond to ransomware, AI-enabled cyber attacks, data breaches and increasing regulatory expectations. The RSM Australia 2026 Cyber Security Report benchmarks cyber maturity across 155 Australian organisations, examining cyber investment, governance, AI security, incident response and organisational resilience.

 

 Key findings 

RSM Australia surveyed Australian business and IT leaders from 155 medium to large organisations in 2026. What we discovered should raise serious questions for boards, executives and IT leaders. 

Organisations with 201-1000 employees outperform both smaller and larger operations across multiple areas of cyber security.

91% of organisations expect their cyber security budget to increase in the coming year.

1 in 5 organisations experienced a data breach in the previous 12 months, with incidents more common in larger organisations. 

35% reported a ransomware attack or demand, increasing to 49% among organisations with more than 1,000 employees.

97% express confidence in their ability to protect sensitive customer data, despite contrary evidence.

35% of larger organisations consider AI security a key tool in managing cyber risk. 

 Questions every board should ask about cyber security in 2026 

 

Despite a significant number of reported incidents, respondents displayed a high level of confidence in their organisation’s ability to protect sensitive customer data. Executives should demand proof of resilience through testing, metrics and independent assurance.

If you would like to conduct an independent review of your organisation's cyber posture, RSM Australia provides specialised cyber security and resilience services designed to assess, test and improve your cyber maturity and resilience. 

Technical controls and formal risk frameworks are stronger than training, crisis readiness and whole-of-organisation response capability. Leaders should keep in mind that resilience is as much organisational as it is technical. Training and crisis comms readiness can lag, particularly in complex organisations where rollout is harder. 

Boards should ensure ownership is clear across IT, risk, legal, and communications. Prioritise regular incident response testing, executive participation, and cross-functional coordination to build real cyber muscle.

Effective cyber resilience extends beyond technology. Our crisis management and business continuity specialists help organisations test response plans, strengthen governance and improve organisational readiness.

Cyber maturity improves with scale up to a point, then plateaus or declines, with organisations between 201–1000 employees often showing stronger controls and readiness than larger enterprises. This suggests that organisational complexity, increased levels of bureaucracy and rollout friction can erode the effectiveness of security controls.

 Boards overseeing larger organisations should test whether their governance structure, accountability and decision frameworks are still fit for their current scale.

Explore our enterprise risk management and business transformation services to strengthen governance as your organisation grows.

While AI security is a priority area for large organisations, their mid-sized peers are outperforming them in AI maturity. This reinforces APRA’s concern that AI adoption and AI-enabled threats are moving faster than governance and resilience practices. While AI can also be used to strengthen cyber defences, it is critical to identify and address gaps in risk management.

AI presents both significant opportunities and emerging cyber risks. Discover how RSM's AI and Data Analytics and Cyber Security & Resilience Services help organisations implement secure, well-governed AI solutions.

 Introduction 

Cyber security has emerged as a core priority for Australian organisations. 

This may reflect the current state of the world in 2026, where heightened geopolitical tensions, particularly in the Middle East, dominate headlines and raise serious concerns about cyber warfare. The rapid development and uptake of AI also contributes significantly to the current elevated threat environment, with a corresponding and alarming rise in AI-supported cyber attacks that grows as models improve. Add to that a recent history of high-profile data breaches in Australia, and it becomes less surprising that Australian organisations are taking cyber security seriously.

This report is a follow-up to our previous research on cyber security in Australia. Our goal at the time was to understand the extent of cyber security readiness in the Australian commercial landscape and to compare that with results from the US and UK. For this survey, we wanted to understand how things have changed in Australian cyber security over the past 18 months.
 


What we have discovered is a surprising trend where improvements in operational security and cyber resilience scale with organisation size to a point, before experiencing diminishing returns.

This suggests a sweet spot, at least from a cyber security perspective, for a headcount between 201 and 1000 employees. This trend persisted across multiple areas of security preparedness. 

At the same time, we are deeply concerned by a burgeoning overconfidence across all participants, with 97% reporting confidence in their organisation’s ability to protect sensitive customer data. This may reflect a drop in data breaches experienced in the past 12 months – from 42% in 2024 to 21% in 2026*.

Both improved performance and improved confidence may be due to the increased budgets allocated to cyber security. However, while these are positive signs, the level of confidence reported outpaces operational reality and may signal a softening cyber maturity posture in the near future. 

*Note: Comparisons are limited by differences in sample sizes.


 Concerned about your organisation's cyber maturity? 

Speak with our cyber security and resilience specialists to benchmark your organisation against this year's findings.

How can we help?

AI Security Assessment for Australian Organisations

RSM is pleased to offer its AI Secure by Design Review and Systems Assessment service that can help organisations identify, mitigate and manage their AI risks.