Stay in the know
Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead
Australians appear to have developed an increasingly cavalier attitude to cyber safety after a string of high-profile data breaches, with a new survey finding only half (52%) have immediately taken, or would take, the recommended actions to keep themselves safe after a breach.
A national survey of 1,000 Australians conducted for law firm Herbert Smith Freehills Kramer (HSF Kramer) found a sense of acceptance or resignation is also setting in, with almost half (43%) of all people saying that while they’re worried about breaches, they accept the chance of their personal data falling into the wrong hands as a ‘risk of modern life’.
One in ten (8%) went even further and said they felt fatigued or resigned because breaches seem ‘unavoidable’.
With the majority of Australians (55%) experiencing at least one data breach over the last year, Cameron Whittfield, partner and APAC Cyber Security Head at HSF Kramer, said the findings should raise concerns for both business and government alike, particularly in the way breach response is managed.
“It seems many Australians now feel that a data breach is a foregone conclusion and that there’s nothing they can do about it,” he said.
"This approach is fundamentally misguided: it's like knowing someone has taken your keys and making no effort to change locks. Digital crime is not going anywhere, and it requires a collective effort to combat."
Generational divide means one-size-fits-all approach no longer enough
The survey also found a significant generational divide in approaches to data safety, with just 36% of people aged 18-24 immediately taking the remedial steps recommended after a breach, compared to almost two-thirds (63%) of respondents aged 65 and above.
Younger (digitally native) Australians were more likely to feel that their data was ‘already out there’ or are otherwise complacent about the risks, believing that any remedial action they take following a breach wouldn’t make a difference (17%), compared to just 3% of those aged 65 and above who felt similar.
Whittfield, whose team advises companies impacted by cyber incidents, said the results are an important reminder that organisations and their advisers cannot get complacent.
"The generational divide makes it clear a ‘one-size-fits-all' approach just won’t cut it anymore. If a large proportion of Australians are unlikely to exercise recommended precautions, we may need to change our support model and offer more tailored support," he said.
Noting it's also common for technology providers to exclude responsibility for the security of their services, pushing it down the supply chain, Whittfield said the industry must also change its attitudes about who is responsible for keeping people secure after a breach.
"We need to ensure responsibility is best allocated to those most equipped or motivated to manage the risk - and this will often not be the consumer," he said.
Australians split on ransom payments to keep data safe
The survey also found Australians are split on whether organisations should pay ransom demands following a data extortion attack: a small majority (52%) believe ransoms should never be paid, while one in 10 (9%) believe a ransom should always be paid in order to keep data safe. A further 39% are on the fence, believing the decision to pay should depend on the data accessed.
Whittfield said the split opinion shows that payment of an extortion demand may not have the reputational harm we once thought. Based on experience, Whittfield believes many consumers will likely ask why an extortion demand has not been paid.
“In some respect, the general understanding of ransom demands comes from Hollywood fantasy or high-profile kidnapping. But in the cyber context, a payment for a data breach is typically for a promise not to release stolen data. This commitment is inherently unreliable. When an attacker has your data, there’s no guarantee they won’t keep a copy after receiving payment; in fact, they usually do,” Whittfield explained.
“There have also been cases of cyber criminals reneging on their promise, and leaking stolen data after receiving payment or putting the information up for sale on the dark web. Companies paying ransoms are placing their trust in criminals."
Whittfield said it's important to distinguish between incidents that are simply about data theft, and those that impact on the operation of a business, as this is an important factor in making a payment decision.
"The potential for an attack to impact or cripple our critical infrastructure is our worst nightmare,” he said.
The Australian Government advises organisations against paying ransoms, and in 2025 introduced mandatory reporting on cyber ransom payments. However, Whittfield believes the survey results may create a growing pressure point for organisations, particularly when not paying a ransom demand may cause material harm to an individual or create an operational incident with impacts on both individuals and the wider economy.
"With almost half of consumers believing a payment should at least be considered as something that could protect them, organisations may face questions no matter what they decide," he said.
“On the one hand, paying a ransom may help a company avoid a catastrophic operational impact, but on the other, paying a ransom sustains an attacker's business model, rewards criminal behaviour, and creates the incentive to do it again.”
Urgent rethink needed on support for victims
With thinking on ransom payments mixed, Whittfield said a key issue is organisations have only a handful of tools at their disposal to keep affected individuals safe once data has been compromised.
An organisation can pursue an injunction through the courts, which aims to stop third parties from accessing and disseminating the stolen records. The other tools available, including referring people to support services such as IDCARE, providing credit monitoring services, or providing document repeat services. These rely on affected individuals taking action to make use of the suggested services.
However, with the survey finding young Australians aren't taking these recommended actions and putting themselves further at risk, Whittfield said the cyber community may be coming to a crossroads.
"Effective support that meets consumer needs will require a combination of organisational support mechanisms and third-party assistance services, as well as a level of personal accountability," he said.
"Australians should be able to trust that the organisations they give their data to will keep it safe. As well as focusing on preventing data breaches, as a community we need to think about better tools to support the ultimate victims of breaches, which don't rely on the individual to call upon the support.”
Key national insights at a glance
The survey, undertaken for HSF Kramer by SenateSHJ, can be accessed below.
For further information on this news article, please contact:
External Communications Manager
Sydney
Herbert Smith Freehills Kramer is proud to have been the lead sponsor of the Living Wage Foundation’s new report marking 25 years of the Living Wage …
HSF Kramer has provided tax advice to superannuation fund Aware Super in relation to its participation in the A$1.5 billion acquisition of Melbourne’s …
Leading global law firm Herbert Smith Freehills Kramer celebrates the first anniversary of its Luxembourg office, marking a significant milestone in the …
Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead