We have seen that cyber security is being funded, and we have explored the different strategies and controls being employed by Australian organisations.

But what happens when strategic investment meets operational reality?

We asked what is really happening on the ground and found that incidents are common, but that success in dealing with them is mixed.

Reported breach and ransomware rates are highest in large organisations 

Ransomware attacks are common: over a third of organisations say they have experienced an attack in the past year. 

That incidence rate rises sharply with company size: almost half of larger organisations report experiencing an attack.

This jump is to be expected given the greater exposure of larger organisations. A higher headcount means a broader attack surface and greater complexity, and bigger organisations are also more likely to be high-value, highly visible targets.

Data breach incidents also rise with scale and exposure. 

This is consistent with larger organisations facing more attacks.

However, it’s worth keeping in mind that larger organisations are also significantly more likely to have the monitoring capability, dedicated security teams and detection tooling to identify incidents when they occur.

Smaller organisations usually operate with leaner teams and limited monitoring infrastructure, so some of the attacks and breaches they suffer are likely to go undetected, and therefore unreported.

This would be consistent with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) assessment that “the vast majority of cybercrime continues to go unreported.”

Smaller organisations should not take comfort from low breach numbers if those numbers reflect limited visibility rather than adequate protection: an organisation that does not monitor cannot distinguish "no incidents" from "no detections".

Controls are working, mostly 

Among organisations that experienced a cyber attack, the majority report that existing controls were completely successful in preventing infection. 

That is a genuinely positive finding, and a sign that baseline controls are in place and doing meaningful work across Australian organisations.

However, success rates soften in larger and multinational firms. This is to be expected: as the volume of attacks increases, the probability that at least one gets through rises, even if each individual control is no less effective. What matters is how this is reported to leaders.

Seeing that the vast majority of threats were contained may lead to complacency and false confidence. Partial success, in this context, means an attack got past at least one control and damage was sustained. Larger organisations should consider whether their controls are "partially successful" or simply "not catastrophic." Boards should be asking what the residual exposure looks like when controls do not work completely.

AI governance is strongest in the middle market 

AI governance fundamentals are now widely implemented across the market, but once again it is mid-sized organisations that lead across most practices. 

Smaller organisations keep pace on AI guidelines, but have adopted fewer AI governance measures overall, which is most plausibly attributable to a lack of resources to do more.

Surprisingly, larger firms also lag behind, particularly on staff training in responsible AI development and use, where fewer than half of large-organisation respondents report having such programs in place.

This pattern is consistent with the broader theme emerging across this report. Organisations with 201–1,000 employees are large enough to fund strategic initiatives and respond proactively to an evolving threat landscape. They are also small enough to manage internal stakeholders effectively, to bring their people through change rather than simply mandate it.  

Larger and multinational organisations seem to rely more heavily on structure, formal frameworks and technology for their protection. Where they struggle is in connecting those frameworks to their people and embedding new practices consistently across the organisation. AI governance is simply the latest domain in which that gap is showing up. 

Spending more does not automatically mean better protected 

While we saw earlier that security budgets increase with size, the returns on that investment are not linear. 

Larger organisations spend more in absolute terms and allocate a higher proportion of their IT budget to security, yet they experience more incidents and report lower rates of complete control success than their mid-sized peers.

A number of factors are likely at play. Greater organisational complexity creates more potential points of failure. The rollout of security tooling and policy across large, geographically dispersed workforces is slower and less consistent than in smaller organisations, leaving gaps in coverage while it is underway. And the bureaucratic friction that accompanies scale can delay the implementation of improvements.


Frequently asked questions about cyber threats and incident response

A cyber incident response plan outlines how an organisation detects, manages and recovers from cyber security incidents such as ransomware attacks, data breaches and other cyber threats. A well-tested plan helps minimise disruption, protect sensitive information and support business continuity. 

RSM's cyber security & resilience services help organisations develop, test and refine incident response plans so teams can respond quickly and confidently when an incident occurs.

Incident response plans should be tested regularly through tabletop exercises and simulated cyber incidents to ensure people, processes and technology work effectively during a real event. Regular testing also helps organisations identify gaps before an incident occurs. 

RSM's crisis management and business continuity consulting team works with organisations to test response plans, identify weaknesses and improve organisational readiness before a cyber incident happens.

After a data breach, organisations should contain the incident, assess its scope and impact, preserve evidence (logs, system images and a timeline of events) before remediation overwrites it, meet regulatory and notification obligations, and implement measures to reduce the risk of future incidents. Independent cyber security specialists can also assist with post-incident reviews and remediation.

RSM's information and cyber security risk specialists help organisations investigate incidents, strengthen security controls and reduce the likelihood of future breaches.

Cyber resilience is strengthened through a combination of effective governance, security controls, employee awareness, incident response planning and continuous improvement. Organisations that regularly assess their cyber maturity are better positioned to respond to evolving threats. 

Discover how RSM's cyber security & resilience services help organisations improve long-term resilience.

Australian organisations continue to face threats including ransomware, phishing, business email compromise, credential theft and AI-enabled cyber attacks. Understanding the evolving threat landscape is essential to building effective cyber defences and improving organisational preparedness. 

RSM's cyber security & resilience services help organisations identify emerging threats, assess cyber risk and strengthen their security posture before incidents occur.

AI Security Assessment for Australian Organisations

RSM is pleased to offer its AI Secure by Design Review and Systems Assessment service that can help organisations identify, mitigate and manage their AI risks.