Australian organisations are reporting some of the highest levels of concern globally over identity-driven cyberattacks, as new research points to increasing ransomware exposure, extended recovery times, and continued ransom payments, developments closely watched by cyber and financial lines insurers.
Rubrik’s latest Rubrik Zero Labs report, “Identity Crisis: Understanding & Building Resilience Against Identity-Driven Threats,” finds that Australian organisations are expanding the use of AI within identity systems while managing associated security risks. According to the study, 99% of Australian organisations have either implemented, or plan to implement, AI models or AI agents within their identity infrastructure. At the same time, 98% of local security leaders identified identity-driven attacks as their primary cyber concern, the highest level reported among the countries surveyed.
Rubrik reported that AI agents are increasingly given access to sensitive data and core systems. If those agents are compromised, attackers can use them as a pathway into internal environments and increase the impact of an intrusion. “AI agents are a force multiplier – the only question is whether that force is positive or negative. When compromised and used maliciously, AI agents can cause 10 times the damage in one-tenth of the time. We’ve already seen the impact compromised human identities can have, and it’s clear agentic identities are the next frontier,” said Kavitha Mariappan, chief transformation officer at Rubrik.
The Rubrik report found that 35% of Australian organisations experienced a ransomware attack in the past 12 months, the highest share of respondents globally. Among those affected, 95% reported paying a ransom to recover data or stop the incident, a proportion second only to Singapore. Despite the frequency of ransom payments, recovery times remained lengthy. None of the Australian organisations surveyed said they could restore normal operations within one hour of a ransomware incident, and almost 23% reported that recovery took longer than 24 hours.
Expectations for future incidents also indicated limited confidence in rapid restoration. No Australian respondent believed their organisation could fully restore service operations within 12 hours of a major compromise, while 34% expected it would take at least a week. For identity infrastructure specifically, more than 78% said it would take more than 24 hours to recover after a breach. “The figures in this report underline a sobering reality – ransomware remains one of Australia’s most persistent and costly cyber threats. Traditional defences clearly aren’t enough. It is critical for Australian organisations to adopt a proactive security posture, one that prioritises rapid recovery, because paying ransoms only fuels the criminal ecosystem,” said David Rajkovic, vice president, Rubrik A/NZ.
In response to these risks, Australian organisations reported plans to expand internal capabilities around identity. According to Rubrik, 92% of local respondents intend to recruit professionals dedicated to managing or improving digital identity management. The survey also noted a shift toward cloud environments. Australian respondents reported the highest level of movement toward cloud and software-as-a-service platforms among the countries studied, with 88% indicating greater reliance on those services.
Rajkovic said the data shows Australian organisations continuing to adopt new technologies while working to address security gaps. “The report highlights a nation that understands the threats and is keen to forge ahead with innovation, but unfortunately, our nation lacks investment into appropriate security controls. To prevent innovation from outpacing risk management as organisations adopt AI, mechanisms to monitor and audit agentic actions, enforce real-time guardrails for agentic changes, fine-tune agents for accuracy, and, finally, undo agent mistakes will be critical,” he said.
Rubrik’s Zero Labs survey was conducted in late September 2025 among 1,625 IT security decision-makers at companies with more than 500 employees across the US, EMEA, and APAC, including Australia.
Other cybersecurity studies show that ransomware and broader cyber incidents remain common across Australia and the wider region. OpenText Cybersecurity reported that 40% of Australian organisations experienced at least one ransomware incident in the past year, with nearly half of those targeted multiple times. One-third of affected firms chose to pay, and 41% of those payments exceeded US$250,000. Some organisations did not achieve full data restoration, indicating ongoing operational and reputational effects even where ransoms were paid.
In a separate global survey for Arctic Wolf, 85% of organisations in Australia and New Zealand reported at least one cyber incident in the last year, compared with a global average of 76%. The research found that organisations in the region were more likely to pay extortion demands: almost 75% of respondents acknowledged paying ransoms to avoid data leaks. Among those, 91% engaged third-party negotiators, but fewer than half obtained a reduction in the ransom amount.
Some security leaders are publicly advising organisations not to pay extortion demands, even as survey data shows payments remain widespread. Fortinet Australia chief security officer Glenn Maiden has urged companies to “never ever pay the ransom” when confronted with cyber extortion. His comments follow reports that 66 companies have made ransom payments to online extortion groups since May 2025, during a period that has seen increased use of AI tools in cyberattacks. “More often than not, the bad guys will leave you alone for x amount of time, then come back and hit you again,” Maiden told Sky News.