The State of Cyber Security in Australia 2026: What the Data Actually Says

by | Blog

First Published:

July 17, 2026

Content Written For:

Small & Medium Businesses

Large Organisations & Infrastructure

Government

Read Similar Articles

Australia’s cyber threat environment did not ease in 2026, and the data tells a consistent story. Across the Australian Signals Directorate, the OAIC, and the world’s leading global reports, three things decide who gets hurt: unpatched internet-facing systems, stolen identity, and third parties you do not control. Almost everything else is detail.

This is a practitioner’s read of the numbers that matter for an Australian mid-market business, what they mean, and the controls that actually reduce risk. Every figure below is sourced and dated. The full designed report, synthesising seven of the world’s leading threat sources, is available to download further down.

Australia is under sustained pressure

The Australian Signals Directorate recorded more than 84,700 cybercrime reports last financial year, roughly one every six minutes (ASD ACSC Annual Cyber Threat Report 2024-25). Data-breach notifications climbed to 1,205 in 2025, an eight per cent rise and an all-time high, and 59 per cent of those breaches came from malicious or criminal attack (OAIC, 6 July 2026).

The cost scales steeply with organisation size. Average self-reported losses run to about $33,000 for individuals, $56,600 for small business, $97,200 for medium business, and $202,700 for large organisations, the last of which jumped 219 per cent year on year (ASD 2024-25). In other words, the bigger you get, the more a single incident costs, and the less room you have to absorb it.

The year’s landmark Australian incidents make the pattern concrete. Qantas had a third-party contact-centre platform breached, exposing around 5.7 million customers (detected June 2025). iiNet, part of TPG Telecom, lost roughly 280,000 records through a single stolen employee credential, including about 1,700 modem setup passwords (August 2025). The Genea IVF breach saw the Termite group exfiltrate around 940GB of highly sensitive patient data, published despite a court injunction (February 2025). None of these were exotic. They were third parties, stolen credentials, and unpatched exposure, the same recurring themes behind Medibank, Optus and Latitude.

What the world’s leading reports agree on

The most useful signal in 2026 is how strongly the major global reports converge.

The Verizon Data Breach Investigations Report 2026 found that vulnerability exploitation is now the number-one way attackers gain initial access, at 31 per cent of breaches, up from 20 per cent and, for the first time in the report’s 19-year history, ahead of stolen credentials (Verizon DBIR, 19 May 2026). Third-party involvement reached 48 per cent of breaches, a 60 per cent year-on-year jump, and ransomware was present in 48 per cent of breaches.

Mandiant’s M-Trends 2026 agrees on the top vector, placing exploits first at 32 per cent for the sixth consecutive year, with voice phishing (vishing) now the number-two vector at 11 per cent (Mandiant M-Trends, 24 March 2026). Social engineering has moved to the phone.

The IBM Cost of a Data Breach 2025 put the global average breach cost at USD $4.44 million, and found that organisations using AI and automation in security saved USD $1.9 million per breach on average (IBM, 30 July 2025). It also flagged an emerging risk: 13 per cent of organisations suffered a breach of an AI model or application, and 97 per cent of those lacked proper AI access controls.

The CrowdStrike Global Threat Report 2026 reported an average adversary breakout time of 29 minutes, with the fastest observed at 27 seconds, and noted that 82 per cent of detections were malware-free, relying on legitimate logins and trusted tools (CrowdStrike, 24 February 2026). Fake-CAPTCHA social-engineering lures surged 563 per cent.

Put together, the evidence points to three closable pathways: unpatched exposure (especially edge devices), stolen identity, and third parties. Prioritise accordingly.

Who is in the crosshairs

Sector targeting in Australia follows the data. The most-notified sectors in 2025 were Health at 19 per cent, Finance at 13 per cent, and Australian Government at 10 per cent of breach notifications (OAIC, CY2025).

SectorExposurePrimary vector
HealthCriticalRansomware and data theft
FinanceCriticalCredential theft and fraud
GovernmentHighNation-state persistence
Technology and TelcoCriticalSupply chain and credentials
EducationHighPhishing and APT activity
Legal and ProfessionalHighData exfiltration
Free report
The State of Cyber Australia 2026
✓  Seven global threat sources, synthesised for AU mid-market
✓  The numbers that actually matter this year
✓  What to do about it, in plain English
Get your copy
No spam. Unsubscribe anytime.

What to actually do

The report sets out eight priorities. In order of leverage for most Australian mid-market organisations:

  1. Deploy phishing-resistant MFA everywhere. Push-notification MFA is being bypassed by prompt-bombing and adversary-in-the-middle attacks. Move privileged accounts, then all accounts, to FIDO2 keys or passkeys.
  2. Treat edge devices as a priority threat surface. With vulnerability exploitation now the top vector, internet-facing devices and VPNs need continuous monitoring, emergency patching and segmentation. A regular penetration test finds the exposure before an attacker does.
  3. Govern AI before it governs you. With 97 per cent of AI-related breaches tracing to missing access controls, establish approval workflows, data classification and audit trails, and deal with shadow AI.
  4. Meet your ransomware-reporting obligation. Since 30 May 2025, businesses with $3 million or more in annual turnover must report ransomware payments to the Australian Government, with broader duties for critical infrastructure under the SOCI Act.
  5. Audit and remediate supply-chain risk. Third-party involvement reached 48 per cent of breaches. Run a structured vendor risk management programme with questionnaires, contractual controls and continuous monitoring.
  6. Start post-quantum cryptography planning. The ASD has set a 2030 deadline for quantum-safe cryptography. Inventory cryptographic assets and begin the migration conversation with vendors now.
  7. Invest in continuous detection. With a 29-minute average breakout time and 82 per cent of detections malware-free, assume breach. Managed detection and response, logging and threat intelligence are what shorten containment.
  8. Close your Essential Eight gaps. The common shortfalls remain patching cadence, privileged access management, user-application hardening and MFA completeness. We recommend Maturity Level 2 as the practical target for mid-market.

Where to start

If you do nothing else this quarter, get phishing-resistant MFA onto your internet-facing services, patch your edge devices, and confirm your backups actually restore. Those three block the majority of what this report describes. APRA-regulated entities should also read these findings against their CPS 234 obligations.

The full State of Cyber Australia 2026 report has the complete data, the sector detail and the eight recommendations in one designed document. Download it above, or if you would rather talk through where your organisation stands, get in touch.

Sources: ASD ACSC Annual Cyber Threat Report 2024-25; OAIC Notifiable Data Breaches (CY2025 and January to June 2025); Verizon DBIR 2026; Mandiant M-Trends 2026; IBM Cost of a Data Breach 2025; CrowdStrike Global Threat Report 2026; Cyble Australian breach reporting 2025.