Three priorities for 2026

Test your confidence. 

With such a wide gap between confidence and capability, leaders should reconsider if that confidence is warranted. Boards should expect regular, evidence‑backed reporting that shows not just whether controls exist, but whether they work under pressure. Look for:  

  • Results from recent incident response simulations
  • Learnings from near‑misses and partially successful control failures
  • Independent assurance over critical controls and identity pathways. 

Assess your posture.  

Organisations in the 201–1000 employee range often outperform larger peers, not because they invest more, but because they execute more consistently. For large or fast‑growing organisations, it’s important to review whether cyber maturity is plateauing or declining with scale. Check whether:  

  • Governance structures are slowing decision‑making
  • Accountability is diffused across IT, risk, legal and operations
  • Security initiatives lose momentum during enterprise‑wide rollout. 

Prioritise your people.

One of the clearest gaps discovered in this research is that larger organisations aren’t paying enough attention to their human and organisational controls. Questions to consider:  

  • Are executives actively participating in incident response testing?
  • Is ownership of crisis communications clearly defined and rehearsed?
  • Do staff understand not just policy, but their role during disruption? 

Where do you sit on the cyber maturity ladder?

Foundation: Core controls, insurance cover, baseline governance established 

Operational discipline: Regular testing, defined accountability, reliable detection 

Resilience at scale: Whole‑of‑organisation readiness, tested communications, adaptive response 

How RSM can help

RSM offers tailored solutions to support organisations in strengthening their cyber security posture and building resilience. With deep expertise across governance, risk management, and incident response, RSM partners with clients to identify vulnerabilities, enhance operational discipline, and ensure readiness at scale.  

Whether you need guidance on strategic controls, training for your staff, or expert advice during disruption, RSM can help you navigate the complexities of cyber risk with confidence.

Get in touch below to find out more.

How can we help?

Methodology

This report is a follow-up to our previous research on cyber security in Australia. Given the extensive discussion and airtime this topic has received over the past year, RSM Australia wished to re-survey the Australian market to determine the extent of cyber security readiness in the Australian commercial landscape today, compared to 18 months ago.

The results of that research showed an unprepared commercial landscape in 2024:  

  • 64% of Australian businesses felt prepared to respond to a cyber attack.
  • 42% of medium-sized firms* invested in cyber insurance.
  • 51% of organisations listed protecting against AI-enabled cyber attacks as a key priority.

18 months on, and the picture has changed.  

  • Cyber security spend has increased across the board with most budgets increasing between 4-5%
  • 66% of medium-sized firms** now have cyber insurance.
  • Firms are experiencing fewer data breaches, but more ransomware attacks.

It is important to note that the demographics of those who participated in this year’s survey have significantly changed from the 2024 survey, which makes it difficult to directly compare results.  

Our 2024 survey included many smaller businesses and sole traders, with 56% of participants having fewer than 50 employees.  

For this 2026 survey, we focused on producing more granular insights for larger organisations. Consequently, 75% of participants in the 2026 survey have more than 200 employees.  

We also saw an increase in respondents who work in IT departments, from 32% in 2024 to 67% in 2026.  

We believe these new demographics represent an increase in the relevance of our survey results for boards, CISOs and senior IT leaders.

n=155

C-Suite Executives (CEO, CIO, CTO, COO, CSO, etc)

Network/systems analysts, security leads, IT Managers

Length of interview: 8 minutes

Online survey panel recruited

Fieldwork: Conducted in March 2026

Australia, National inclusion

Focus on larger organisations (96% organisations have 50+ Employees, no sole traders)

Multinational, national and state based commercial, Government, NFP

Significant differences are at the 95% confidence interval, denoted by arrows  

Frequently asked questions

Business leaders should focus on addressing critical risks first, strengthening governance, validating incident response plans, improving third-party risk management and ensuring cyber investments support broader business objectives. Regular reviews and continuous improvement are essential as threats evolve.

Improving cyber resilience requires more than technology. Organisations should establish clear governance, invest in employee awareness, test incident response plans, monitor supply chain risks and regularly assess security controls against changing threats.

Improving cyber resilience requires more than technology. Organisations should establish clear governance, invest in employee awareness, test incident response plans, monitor supply chain risks and regularly assess security controls against changing threats.

Cyber security strategies should be reviewed at least annually, or whenever there are significant business changes, emerging threats, regulatory updates or major technology implementations. Regular testing helps ensure controls remain effective.

Jump back to..

AI Security Assessment for Australian Organisations

RSM is pleased to offer its AI Secure by Design Review and Systems Assessment service that can help organisations identify, mitigate and manage their AI risks.