Cyber security in Australia has reached a watershed moment. According to new research from Moxie Insights that surveyed 620 Australian executives across 16 market sectors between August and September 2025, 82% of Australian organisations are prioritising the strengthening of risk management and cyber resilience over the next 6-12 months.
The study also shows that while 72% of Australian businesses feel confident in their cyber security preparedness, significant gaps remain between perception and operational reality.
The regulatory landscape has accelerated this shift. CPS 230, which came into effect on 1 July 2025, calls for increased cyber resilience across all regulated industries. Meanwhile, the Office of the Australian Information Commissioner (OAIC) recorded 1,113 notifiable data breaches in 2024 – a 25% increase year-on-year.
This is a strategic response to an indisputable reality: the question is no longer "if" your organisation will face a cyber incident, but "when" and how quickly you'll recover.
In this blog, we explore the five critical imperatives that are reshaping Australian cyber security strategy, offering business leaders a roadmap from reactive defence to proactive cyber resilience.
The shift towards cyber security resilience represents more than just tactical adjustment; it's a complete reimagining of cyber security's role in business continuity. 74% of Australian organisations are now preparing their business for a ransomware incident in the first 24 hours, acknowledging that rapid threat response and recovery capabilities matter more than impenetrable defences.
Vannessa Van Beek, Global CISO at Fortescue, a global metal mining company based in Australia, captures this transformation perfectly: "Security is shifting from trying to eliminate every risk to building systems that can withstand and recover."
This mindset shift from "prevention at all costs" to "contain, recover, continue" reflects the harsh realities facing Australian businesses.
Of course, the regulatory environment is driving much of this change: CPS 230's operational cyber security resilience requirements demand that organisations demonstrate their ability to maintain critical operations during disruptions.
However, implementation remains inconsistent. The research reveals that only 19% of organisations continuously update their cyber security roadmaps, whilst 27% only reassess after incidents or regulatory mandates. This reactive approach undermines resilience objectives that require proactive, continuous improvement.
Moreover, leading Australian organisations are adopting the "Minimum Viable Company" approach – ensuring they can restore critical operational capability within hours, not days or weeks. This involves regular clean-room recovery testing, integrated crisis management procedures, and clear stakeholder communication plans that extend from technical teams to board-level reporting.
The business case for resilience extends beyond Australian cybersecurity compliance. Organisations with mature resilience capabilities can turn potential disruptions into competitive advantages, maintaining customer confidence and market position when competitors struggle to recover.
Identity has emerged as the primary battleground in modern Australian cyber security, with 57% of Australian organisations considering phishing as the most concerning attack vector. This threat has evolved far beyond simple business email compromise (BEC) campaigns, encompassing sophisticated voice phishing (i.e., vishing) attacks that bypass traditional security controls through social engineering.
Threat research from the eSentire Threat Response Unit (TRU) echoed similar findings; identity-driven threats have increased by 156% between 2023 and 2025, now representing 59% of all confirmed threat cases. What's more, mid-market organisations have become particularly susceptible to identity-based threats, likely due to constrained resources, valuable digital assets, and less mature security operations programs.
The July 2025 Qantas breach, conducted by a cybercriminal group known as Scattered Lapsus$ Hunters, illustrates this evolution well. Investigators traced the incident affecting six million customers to a vishing attack targeting a company call centre in Manila, where attackers used AI-powered voice cloning to impersonate legitimate personnel and extract sensitive information.
Given the rise of phishing attacks, it's no surprise that 41% of Australian organisations cite Identity and Access Management (IAM) complexity as a pressing concern, yet many are struggling with fundamental implementation issues.
The challenge is compounded by detection blind spots – 23% of businesses are severely impacted by alert fatigue, considering current alert volumes "unmanageable" with teams frequently missing or delaying critical incidents. When identity signals are excluded from monitoring solutions, often due to cost considerations, organisations lose visibility into account takeovers and privilege escalations.
Australian organisations are responding by implementing adaptive access controls that move beyond static MFA to risk-based authentication. This includes deploying Identity Threat Detection and Response (ITDR) capabilities, following myGov's lead in passwordless authentication by adopting passkeys, and enforcing least privilege principles with automated provisioning and regular access reviews.
The business impact of getting identity right extends beyond security. As Sam Fariborz, CISO at David Jones, an Australian department store company, notes: "Security uplift is a multi-year journey requiring organisation-wide support. Setting the right expectations with the board is important and success cannot rest solely with the cyber security team; it demands shared responsibility."
Australia's interconnected business ecosystem creates both opportunities and vulnerabilities, with more than 2.6 million small and mid-sized businesses serving as potential entry points into larger enterprises.
The research reveals concerning gaps in how organisations manage these relationships, with many enterprises requiring suppliers to accept uncapped financial responsibility without ensuring corresponding cyber security capabilities.
The interconnectedness of third-party supply chain partnerships means that even sophisticated enterprises remain vulnerable through their weakest supply chain links.
As a result, the partnership landscape is evolving; in fact, 36% of Australian organisations are pursuing strategic, deep, and long-term partnerships, moving beyond transactional vendor relationships to genuine strategic alliances. This shift reflects growing recognition that supply chain security requires collaborative approaches rather than contractual obligations.
The healthcare industry provides a compelling case study of these challenges. Sanja Marais, CISO at Aspen Medical, explains: "Our security is only as strong as the weakest link in that chain. Even if we secure our own systems, vulnerabilities in our partners' systems or processes can expose us."
Healthcare organisations operate in deeply interconnected environments where patient care depends on secure data flows between multiple providers and platforms.
Leading organisations are implementing comprehensive third-party risk management frameworks that span the entire relationship lifecycle – from procurement through retirement. This includes vendor tiering systems that categorise suppliers by risk level, continuous monitoring of supplier security postures, and incident response procedures that account for supply chain considerations.
Meanwhile, the regulatory environment is also evolving to address these risks. Essential Eight supplier requirements and Defence Industry Security Program (DISP) considerations are pushing organisations to demand higher Australian cyber security standards from their supply chains, whilst sovereignty considerations add geopolitical dimensions to vendor selection.
Artificial intelligence (AI) represents both the greatest opportunity and most significant risk facing Australian cyber security teams. According to Moxie Insights, 55% of organisations plan to increase adoption of AI security solutions over the next 12-24 months, yet only 31% express strong confidence in their existing AI and automation capabilities.
Phil Skelton, Senior Director, International at eSentire, perfectly captures this duality: "As organisations race to adopt AI across their operations, security leaders are increasingly being asked to serve as the trusted experts guiding secure AI transformation. This mandate comes with both opportunity and risk; while AI unlocks efficiency and innovation, it also introduces new attack surfaces and uncertainty."
However, the same AI technologies that enhance Australian cyber security defence also magnify the potential of cyberattacks. Sophisticated threat actors are using AI to craft more convincing phishing campaigns, automate reconnaissance, and develop adaptive malware that evades traditional detection methods. The Qantas vishing attack demonstrated how AI-powered voice cloning can bypass human verification processes.
More significantly, a Chinese nation-state threat actor group used Anthropic's Claude to orchestrate a cyber espionage campaign. This is the first reported AI-orchestrated cyberattack, in which 80-90% of the group's attack operations occurred autonomously – from recon to data exfiltration.
As Anthropic notes, "The barriers to performing sophisticated cyberattacks have dropped substantially—and we predict that they'll continue to do so. With the correct setup, threat actors can now use agentic AI systems for extended periods to do the work of entire teams of experienced hackers: analyzing target systems, producing exploit code, and scanning vast datasets of stolen information more efficiently than any human operator."
On the defensive side, AI is transforming threat detection and incident response capabilities – 56% of organisations will increase their adoption of data security solutions, enabling faster analysis of vast datasets and more accurate anomaly detection than human teams can achieve alone.
The technology shows particular promise in addressing Australia's skills shortage challenges. Prashant Singh, Cyber Security Manager at the Department of Education Western Australia, observes: "Organisations will leverage AI and automation to accelerate detection, address workforce constraints and streamline processes."
Moxie Insights' research also reveals that successful AI security implementation depends more on governance frameworks than technical capabilities. Danielle De Laine, Head of Cloud Security and Identity at Versent, warns: "Tools are only as good as the people driving them. There aren't enough skilled professionals to make effective decisions and full reliance on AI is not yet viable."
Skelton reinforces this point: "At the end of the day, AI will empower people, but it cannot replace the human expertise, judgment and partnership required to protect critical operations. When it matters most, organisations need both technology and trusted human defenders to stand guard."
The evolution of Australian cyber security partnerships reflects broader changes in how Australian organisations approach risk management and operational capability: 27% of organisations are now extensively outsourcing core security functions, whilst 58% prioritise deep expertise over broad coverage when selecting partners.
This shift coincides with growing recognition of capability gaps in traditional approaches. The research shows that 65% of Australian organisations struggle to demonstrate clear measurable impact from cyber security investments, whilst only 33% have fully integrated security stacks. These challenges are driving demand for partners who can deliver both technical capability and business outcomes.
Modern partnership evaluation has moved far beyond cost and basic compliance. Australian organisations now prioritise strategic guidance (53%), deep expertise (58%), and proven track records (49%) when selecting security partners.
May Lam, CIO at Australian Payments Plus, describes the new expectations: "Partners are expected to align with our higher mission – sovereignty, national good – and resilience expectations. Governance cadence, KPIs, KRIs and SLAs are explicit and reciprocal."
Meanwhile, Jonas Masakadza, Group IT Manager at Legend Corporation, has implemented a five-point value assessment framework that evaluates potential partners across threat coverage, integration capability, operational readiness, compliance impact, and total cost to outcome. This systematic approach ensures that partnerships deliver measurable risk reduction rather than additional complexity.
The trend towards strategic partnership depth reflects broader market consolidation, with organisations moving from managing 30-80 security tools across multiple vendors to integrated ecosystems delivered by fewer, more capable partners.
The transformation from a prevention-focused to a resilience-enabled cyber security program represents more than tactical evolution. Whilst 72% of Australian businesses express confidence in their cyber security preparedness, the evidence suggests that sustainable cyber security resilience requires addressing these five imperatives systematically.
The regulatory environment will continue driving change throughout 2025-2026. CPS 230 implementation, Essential Eight maturity expectations, and evolving privacy requirements create both compliance obligations and competitive opportunities for organisations that embrace resilience thinking.
Moreover, success demands moving beyond traditional metrics towards outcomes-based measurement. As Hani Arab, CIO at Seymour Whyte, concludes: "Security is no longer just about keeping the lights on, it's about enabling the organisation to innovate and grow with confidence."
Australian businesses that master these five imperatives – building resilience capabilities, securing identity as the control plane, managing supply chain risks, governing AI deployment, and developing strategic partnerships – will find themselves better positioned not just to survive cyber incidents, but to maintain competitive advantage in an increasingly digital economy.
As the Content Marketing Director, Mitangi Parekh leads content and social media strategy at eSentire, overseeing the development of security-focused content across multiple marketing channels. She has nearly a decade of experience in marketing, with 8 years specializing in cybersecurity marketing. Throughout her time at eSentire, Mitangi has created multiple thought leadership content programs that drive customer acquisition, expand share of voice to drive market presence, and demonstrate eSentire's security expertise. Mitangi holds dual degrees in Biology (BScH) and English (BAH) from Queen's University in Kingston, Ontario.