
58% Unprepared: Are We Sleepwalking Into the Big One?
In the last few years we’ve seen breaches that once belonged in Hollywood scripts: Optus, Medibank and Latitude Financial here in Australia, MGM Resorts in the US and Marks & Spencer in the UK, to name a few recent examples.
These weren’t just embarrassing headlines. They caused billions in losses, eroded trust, and proved attackers can outpace us with AI, automation and patience.
Surely that would’ve been the wake-up call? Apparently not.
A recent survey shows almost 60% of organisations still admit they aren’t prepared for a major cyber event. That’s like admitting you don’t have smoke alarms but trusting the neighbours will call the fire brigade for you.
Why the disconnect?
If you talk to executives in Australia, you’ll hear the same lines:
- “We’re not a prime target.”
- “We’ll deal with it if it happens.”
- “We’re compliant with the Essential Eight.”
Let’s be honest. Those are excuses. Compliance is the bare minimum, not a bulletproof vest. Attackers don’t stop at Maturity Level One just because that’s where you chose to plant your flag.
Unlike financial misconduct, where penalties and jail time are real, cyber negligence rarely carries consequences. Ask yourself: when was the last time an Australian executive went to jail for grossly inadequate cyber oversight? Exactly.
The stakes are higher now
- State-backed groups are embedding themselves in our energy, health and transport networks.
- Breakout time, the window between initial compromise and lateral movement, is now measured in minutes, not days.
- Supply chain fragility (think MOVEit, SolarWinds) means attackers don’t even need to come through your front door.
- Human error still fuels most breaches, even as AI-powered attacks multiply.
Australia’s economy runs on a handful of critical providers. If just two or three go down at once, we’re looking at genuine national disruption.
What needs to change?
Here’s where we stop talking and start doing. Four shifts, already in play overseas, that Australia must adopt fast:
1. Build a National Cyber Dome
Think of it as air traffic control for cyber. A government-led, always-on capability fusing threat intelligence, detection and response across government, defence and industry.
- Europe is already building a “European Cyber Shield.”
- Israel is working on a national “Cyber Dome” model.
- The US runs the JCDC, an alliance between CISA, industry and international partners.
Australia can’t sit this one out. Opt-out should not be an option for critical operators.
2. Mandate adversary simulations
Tabletop exercises are useful. They’re not enough.
- UK CBEST and EU TIBER-EU run intelligence-led red teaming against banks.
- DORA now makes this mandatory for critical EU financial institutions.
- Even here, Australia’s CORIE framework is proving the model works.
Quarterly or half-yearly red team tests, aligned to real-world threats, with results reported to regulators. Fail? Fix. Retest.
3. Push the bar higher for the Top 500 critical operators
Essential Eight is a start. It’s not the finish line.
- NIST CSF 2.0 now emphasises governance and supply chain.
- EU NIS2 forces critical sectors to meet higher baselines.
- US pipelines and ports face mandatory cyber standards.
Australia should identify the ~500 entities that matter most for our economy and raise their minimum bar. Continuous monitoring. International-grade frameworks. Public accountability.
4. Make negligence personal
Big fines are one thing. But as long as cyber remains a “cost centre,” little changes.
- GDPR fines hit €1.2bn in 2024 alone.
- Australia’s Privacy Act penalties now reach A$50m or 30% of adjusted turnover, whichever is greater, yet enforcement is patchy.
Executives need to feel personal accountability. More audits. Surprise exercises. Escalating penalties. Where negligence is systematic and wilful, yes, disqualification or personal penalties should be on the table.
Time for a mindset shift
Every breach shows the same thing: people act only after disaster. Executives often ask, “Why invest when nothing’s happened yet?”
That’s like refusing to buy a seatbelt because you haven’t had a crash.
Australia cannot afford to wait for a Category 5 cyber storm to force change. We need to act now:
- Fund a national cyber dome.
- Mandate real-world simulations.
- Raise the bar for our most critical operators.
- Enforce accountability at the board level.
The carrot has failed. It’s time for the stick.
Cyber resilience isn’t about avoiding fines or surviving audits. It’s about protecting the systems that keep our nation running.
This is Australia’s come-to-Jesus moment. The question is: will we act now, or keep waiting until the headlines write the story for us?