Are Australian brands becoming sitting ducks in cyber security?

Ami Hofman · January 7, 2026

Reflections of a concerned practitioner

Picture this: a row of ducks at a carnival shooting range. Most look identical, bobbing along on the conveyor belt. Then there’s one that looks slightly darker, slower, easier to hit. Now swap those ducks for some of Australia’s biggest brands and you start to see the problem.

Despite spending billions, too many Australian organisations are still moving like ducks on rails: predictable, exposed and slow to react. The numbers are sobering: in 2024 alone, the OAIC logged 1,113 notifiable data breaches, the highest ever, with 595 in the second half of the year alone. That’s not a random blip. That’s a pattern.

What about the attackers? They’re not shooting carnival pellets. They’re firing AI-supercharged ransomware, deepfakes and supply-chain compromises, and they’re hitting with deadly accuracy.

The Australian Anomaly

Globally, cyber investment is booming. The US federal government alone is throwing $13B at cybersecurity in 2025. The UK leans into managed security services with strong NCSC guidance.

Meanwhile in Australia, we’re conservative to a fault. Our cybersecurity market hit around A$9.2B in 2024, growing at ~8% annually. But here’s the kicker: 86% of Australian organisations remain in the “Exposed Zone” when it comes to readiness.

Why?

Because we love “safe bets.” Compliance checklists. Proven vendors. Generic controls that tick the audit box but often don’t stop the breach. It’s cultural as much as technical. We see it in the so-called tall poppy syndrome: avoid risk, don’t stand out, don’t innovate too quickly.

Problem is, the attackers didn’t get the memo.

The Threat Landscape: Faster, Smarter, Meaner

If 2023 was bad, 2024–2025 has been brutal.

  • Ransomware detections in Australia jumped 126% YoY in 2025.
  • Globally, 90% of organisations faced ransomware in 2024.
  • Supply chain attacks? Up 68% in 2024.
  • Average breach cost in Australia? A$4.26M, with detection and containment taking 266 days, much longer than the global average.

Let’s not forget AI. Generative AI is now the attackers’ best mate:

  • Convincing deepfakes for spear-phishing.
  • Self-adapting malware.
  • Automated reconnaissance at scale.

No wonder 47% of global organisations flagged adversarial AI as their top concern in 2024.

So while adversaries are evolving like Formula 1 race cars, many Australian brands are still pedalling along on tricycles.

Generic vs Bespoke: The False Choice

Let’s get practical.

Generic controls (your off-the-shelf EDR, MFA and firewalls) are essential. They’re scalable, affordable and cover 80% of commodity threats. But they’re also predictable. Attackers love them because every environment looks the same.

Bespoke solutions (custom telemetry, tailored detections, sector-specific controls) raise the attacker’s cost. But they’re expensive, slow to build and require scarce skills.

In Australia, our over-reliance on generics has hurt us. Take:

  • Optus (2022): an exposed API, left unmonitored for years.
  • Medibank (2022): no MFA on critical systems, stolen contractor creds.
  • Latitude (2023): compromised employee credentials, millions impacted.

These weren’t failures of fancy tech. They were failures of hygiene, governance and sustainable strategy.

The reality? It’s not bespoke or generic. It’s both. A hybrid security model is the only way forward.

From Ducks to Hard Targets: The Hybrid Way Forward

So how do we stop waddling into the firing line?

1. Bespoke where it matters most. Focus on your crown jewels:

  • Identity & access (behavioural signals, geo-temporal context).
  • Data (custom tagging and exfil detection).
  • OT/ICS baselines in critical infrastructure.
  • SaaS/third-party risk scoring.

2. Generic where it scales. Use commoditised tools for baseline hygiene:

  • Endpoint/EDR for all users.
  • Cloud posture management.
  • Email security hardened by bespoke rules for high-risk workflows.

3. Leverage MSSPs and co-sourcing. With over 50% of Australian agencies facing critical cyber skills shortages, no one can do it alone. Managed providers and hybrid models democratise access to expertise.

4. Shift the metrics. Stop measuring only “controls in place.” Start measuring dwell time, containment and recovery SLAs. That’s what boards and customers care about.

5. Use AI against AI. Pair vendor AI with local data and bespoke features. Generic AI alone won’t cut it; adversaries are already ahead.
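As an added illustration of the geo-temporal identity signal in step 1 (this is not code from the original post; the login events, thresholds and field names are constructed assumptions), a bespoke detection that flags impossible travel between consecutive logins even when the generic MFA control has passed:

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt


@dataclass
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    mfa_passed: bool  # outcome of the generic control (assumed field)


def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance between two points, in kilometres.
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=50.0):
    """Flag the later login of any consecutive per-user pair whose implied
    speed exceeds max_speed_kmh. Short hops are ignored so office-to-home
    moves and GeoIP jitter do not fire. Returns a list of (user, ts)."""
    flagged = []
    last_seen = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        prev = last_seen.get(ev.user)
        if prev is not None:
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # A real distance with zero elapsed time is impossible; guard the division.
            if km > min_distance_km and (hours <= 0 or km / hours > max_speed_kmh):
                flagged.append((ev.user, ev.ts))
        last_seen[ev.user] = ev
    return flagged


# Constructed sample: every login passed MFA, so the generic control is silent.
SAMPLE = [
    Login("alice", datetime(2025, 3, 1, 9, 0), -33.87, 151.21, True),   # Sydney
    Login("alice", datetime(2025, 3, 1, 10, 30), 52.52, 13.40, True),   # Berlin, 90 min later
    Login("bob", datetime(2025, 3, 1, 9, 0), -37.81, 144.96, True),     # Melbourne
    Login("bob", datetime(2025, 3, 1, 18, 0), -33.87, 151.21, True),    # Sydney, 9 h later (~700 km)
]

if __name__ == "__main__":
    for user, ts in impossible_travel(SAMPLE):
        print(f"geo-temporal anomaly: {user} at {ts.isoformat()}")
```

Only alice’s Berlin login is reported; bob’s Melbourne-to-Sydney move is well under the speed threshold.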

Regulation, Culture, and the Push to Change

Thankfully, the regulators aren’t asleep.

  • CPS 234 and CPS 230 have tightened expectations on operational resilience.
  • The Cyber Security Act 2024 introduced mandatory standards and a Cyber Incident Review Board.
  • OAIC penalties now run up to A$50M for repeat offenders.

The stick is getting heavier, but culture still lags and maybe we need a bigger stick. Less than a quarter of Australian SMEs even have a cyber policy or staff training.

We need leadership. We need boards that ask “what would it cost if we were offline for two weeks?” rather than just “did we pass the audit?”

2025 and Beyond: Out-Design, Not Out-Spend

Here’s the good news: Australia doesn’t need to out-spend the US or UK. We won’t win that race, and we should start promoting our own cyber tech innovation to offset cost.

We can out-design. By combining generic hygiene with a sharp bespoke layer, by shifting culture from “compliance” to “resilience” and by embracing collaboration, we can move from sitting ducks to hard targets.

Because at the end of the day, the cyber arms race isn’t about who has more ducks in a row. It’s about who can make their ducks harder to shoot.

Key Takeaways

  • Australia is lagging: record breaches in 2024 prove it and 2025 does not look like we’ve learned the hard lesson.
  • Threats are evolving faster than our controls. AI, ransomware, supply chain, all accelerating and quantum is just around the corner.
  • Generic vs bespoke is a false choice. The hybrid model is the only way forward.
  • Culture and regulation must align: compliance alone won’t keep us safe; we need to find the right balance between keeping regulators happy and managing evolving risk.
  • 2025+ is about design, not just spend. Smarter, faster, more resilient architectures will win. We have hit our glass ceiling and need to pivot hard to keep up to speed with where the threat landscape is going.