AI threats and human error drive calls for stronger defences in Australia

Experts and insurers urge new strategies amid rising cyber risks

By Roxanne Libatique

Australian insurers and businesses are navigating a rapidly evolving cyber threat environment, with artificial intelligence emerging as both a tool for attackers and a source of internal risk.

This year’s Cyber Security Awareness Month has brought renewed attention to the ways AI is reshaping cyber risk, particularly as threat actors and employees alike leverage advanced technologies.

AI tools reshape threat landscape for insurers and businesses

Recent findings from Verizon Business’ 2025 Data Breach Investigations Report indicate that malicious use of AI has doubled in the past two years.

State-backed groups are increasingly deploying AI to automate influence operations, generate sophisticated phishing campaigns, and assist in developing new forms of malware.

The report also highlights a growing internal challenge: a significant proportion of employees are using generative AI platforms at work, often through unsecured personal accounts or corporate accounts lacking proper security controls.

This behaviour, frequently occurring outside established security guidelines, has resulted in sensitive data being uploaded to third-party AI services, increasing the risk of data exposure.

The report notes, “AI is now a factor in both external attacks and internal vulnerabilities, requiring organisations to address risks on multiple fronts.”

Third-party and supply chain incidents on the rise

The complexity of the cyber threat landscape is further heightened by the increasing prevalence of third-party breaches and supply chain vulnerabilities.

According to the Verizon report, nearly a third of cyber espionage cases now involve financial motives, and there is a noticeable shift from phishing to the exploitation of software flaws as the primary method of initial compromise.

Within the Asia-Pacific region, including Australia, “System Intrusion” incidents account for the vast majority of data thefts.

The frequency of breaches linked to third-party vendors has doubled since last year, underscoring the importance of robust supply chain risk management.

The report recommends that organisations prioritise timely patching, thorough vetting of third-party partners, and the implementation of advanced detection and response measures.

Human error remains a critical concern for insurers

Despite advances in technology, human error continues to be a leading cause of data breaches in Australia.

Lincoln Goldsmith, director of enterprise channels & alliances, APAC at Semperis, points to data from the Office of the Australian Information Commissioner showing that roughly 30% of reported breaches stem from mistakes made by staff.

Common issues include falling victim to phishing, using weak or compromised passwords, misconfiguring systems, and granting excessive user permissions.

“The simplest cyber practices are often the most effective at preventing breaches and data loss before they happen. Measures like password protection, multi-factor authentication, and regular patching don’t require technical skills, just consistency, like brushing and flossing,” Goldsmith said, as reported by Security Brief.

Critical infrastructure and operational technology require greater attention

The conversation around cyber resilience in Australia is expanding to include operational technology (OT) and critical infrastructure.

Leon Poggioli, regional vice president, ANZ at Claroty, notes that while public campaigns often focus on individual digital hygiene, there is a need to address the vulnerabilities of industrial systems that underpin sectors such as energy, water, and transport.

Legacy OT systems, which often lack modern cyber protections, are increasingly connected to IT networks, making them potential targets for both cybercriminals and nation-state actors.

Poggioli recommends that organisations increase awareness, conduct regular risk assessments, and implement network segmentation to prevent attackers from moving laterally within critical systems.

Sector partnerships and workforce development seen as key

Cross-sector collaboration is emerging as a vital strategy in building cyber resilience.

E-Yang Tang, vice president, security, resiliency and network, Kyndryl A/NZ, highlights the value of partnerships that bring together expertise, training, and resources.

Initiatives such as the Cyber Resilience Programme, which provides foundational cybersecurity education to not-for-profit organisations, demonstrate the impact of shared responsibility and investment in people.

ICA recommends broader obligations and targeted support

The Insurance Council of Australia (ICA) is advocating for enhanced cybersecurity requirements for businesses, in response to the increasing sophistication of cyber attacks and the growing use of AI by malicious actors.

In a submission to the Department of Home Affairs, the ICA identified emerging risks such as AI, quantum computing, and the challenges of managing consumer data.

The council emphasises that small and medium-sized businesses (SMBs) are particularly vulnerable to automated and AI-driven attacks, which differ from the more targeted threats faced by larger enterprises.

Among its recommendations, the ICA calls for greater accountability for technology vendors, suggesting that developers of widely used software should be subject to clearer obligations, supported by a government-backed framework.

The council also supports workforce development initiatives that would enable cybersecurity professionals to work with SMBs, sharing expertise and embedding best practices.

The ICA further recommends expanding mandatory ransomware reporting requirements to cover a broader range of organisations.
