Australian businesses continue to grapple with their cyber resilience and contend with new cyber threats, all in a financially constrained environment. We have observed two significant challenges: how to maximise cyber investments, and how to support organisations to avoid ‘cyber fatigue’. These challenges are exacerbated when cyber attacks fall out of the headlines and return on investment is hard to quantify.
Now in its third year, the HSF Kramer Cyber Risk Survey serves as a unique touchstone, seeking the views and experiences of legal leaders across corporate Australia.
This year, we received more input from general counsels (or equivalent) than ever before, from a diverse range of sectors including consumer services, financial services, resources, health and energy.
Consistent with our experience, legal leaders continue to play a central role in organisational cyber security, with a significant uptick in their own cyber education, simulation participation and incident response involvement. This reflects the role legal experts play, especially when an incident occurs, often being called upon to navigate complex regulatory compliance, urgently finalise critical communications, engage with key stakeholders and assess impacts, and lead remediation and recovery workstreams. It also reflects the magnitude of legal risks – and the long legal tail – inherent in any material incident.
Cameron Whittfield
Partner – Head of Asia-Pacific Cyber Security
This year, 68% of respondents believe cyber threat has increased in the past 12 months compared with 80% in 2024. One may perceive this as running contrary to the evidence, including the Australian Signals Directorate (ASD) reporting that the number of ransomware attacks and common vulnerabilities and exposures increased from 2023-24.1 It is possible some respondents are experiencing cyber fatigue, or simply acclimatising to the risk. What is clear is that more than two thirds of respondents believe cyber risk is growing year-on-year.
Last year, we focussed on the technology challenges and the need for basic cyber hygiene, often solved with fundamental technology investment and practices. This year, we see a significant shift back to individuals: the human element. This is seen both (a) in terms of cyber resilience, with responsibility to defend against cyber risks required across all individuals in an organisation, and (b) on the attack side, where we are now seeing highly sophisticated social engineering techniques, exacerbated by the use of AI and attacks perpetrated by criminals whose first language is English.
When it comes to maintaining cyber risk management and enhancing resilience, organisations can’t afford to get comfortable. Cyber risk management must be fully embedded in daily operations across all business functions, with a continuous commitment to scrutiny and improvement. Regrettably, we must adopt a position of zero-trust. In an environment characterised by rapid digital transformation, increasing data volumes and reliance on complex supply chains, there also needs to be a shift in how cyber security is approached, in particular in relation to third-party and data-related risks, which rose to the top two cyber risks for organisations this year.
I recall discussions 15 years ago, where experts warned cyber risks involved people, process and technology. Nothing has changed. This is why the management of this risk needs to be democratised across the business. It is as much a risk for the Chief Information Security Officer (CISO), as it is for leaders dealing with data governance, human resources, procurement, legal and finances, to name a few.
This democratisation has now made it to the board room.
We are now seeing boards reviewing their reporting processes around cyber, stepping back from traffic-light metrics focussed on technology projects, to reports that appreciate cyber risk is being managed across all aspects of the business.
Technology risk assessments are also shifting. The rise of generative and agentic artificial intelligence is similarly an ‘all company’ opportunity and risk, and we are seeing the assessment combine with cyber security. That’s because we can’t assess our approach to AI without considering the security elements.
Of course, our adversaries are also experimenting with AI. This year’s survey found that, of respondents who believe cyber risk has increased, 75% attribute the increase to the emergence of new and more sophisticated tech-driven cyber threats. However, while there is no doubt emerging technology does present new risks, many organisations are still failing to get basic cyber hygiene right.
Of concern, only 45% of respondents believe their boards are ‘cyber mature’ and fewer than 40% of boards participated in a simulation in the last 12 months. The number of boards receiving cyber education dropped from 70% in 2024 to 59% in 2025.
Through this survey, we aim to make a meaningful and thought-provoking contribution to Australia’s cyber security discourse. We also hope to support legal leaders by giving them the confidence to play a central role in protecting our nation’s companies and their customers from cyber threats.
In an uncertain world, one thing we can be sure of is that cyber security will remain central to managing and mitigating organisational risk.
We hope this report goes some way to help avoid complacency and shine a light on new cyber challenges, through the lens of our legal leaders – those who are invariably on the front line.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills Kramer 2026