Contact Us
Contact Us
Contact Us
Contact Us
Whitepaper

Australian Cyber Security: A Fresh Outlook for 2026

Grey solid medium
White outline thick 3pt
Tony Campbell

By Tony Campbell

Service Line Manager, Enterprise Security

Download PDF

Topics

ENTERPRISE SECURITY
CYBER SECURITY
WEAPONISED AI
SOVEREIGN TECH

What's in this report:

At a glance

Australia’s cyber threat landscape is accelerating, and pressure on leaders is rising as trust expectations and regulation tighten.

This whitepaper captures five key lessons from 2025, drawn from major incidents that tested preparedness, resilience, third-party risk and attacker sophistication.

It also outlines six predictions for 2026, including the AI cyber arms race, growing exposure across critical infrastructure and smart environments, and secure-by-design becoming essential.

What’s next?

  • Focus on the fundamentals. Strengthen identity controls, patching, segmentation, incident readiness and supplier assurance.
  • Align security investment to business risk and compliance realities. Build an adaptive security program that can evolve with AI-driven threats.
  • Use governance, transparency and measurable resilience to turn security into a clear trust advantage.

Executive Summary.

Murray Thompson

Murray Thompson

Group Executive, Advisory & Transformation

Despite the 2023-2030 National Cyber Security Strategy and evolving legislation to better protect our nation, citizens and critical infrastructure, Australians are still facing significant fallout from ever-increasing and changing data breaches.

The shifts we’ve seen over the past 12 months in the threat landscape are frightening. AI model-driven attacks are now a reality; organisational risk exposure is becoming increasingly difficult to quantify; and sustained media coverage of national security incidents is eroding trust and confidence in both Australia’s public and private sectors.

With increased activity comes a heightened rush to adopt agents and lean into automation to combat it. We also saw a litany of new technologies emerge in 2025, both on the offensive and defensive sides of cyber security. While each offers clear benefits to users, they also add complexity and risk.

Each new capability demands updated data handling practices and stronger governance, particularly for technology programs integrating AI into operations and client-facing delivery.

Across every industry, one message remains consistent: we are in a period of turbulent change, and cyber threats are not going away. In fact, if anything, they are getting worse, while CIOs, CISOs and technology leaders are being tasked with doing more with less.

They must keep their organisations safe while managing the ongoing skills deficit, budget pressure, and growing regulatory scrutiny. The sheer volume of data breaches in 2025 should be a wake-up call, but we are numbed to the near-constant announcements coming from some of our country’s biggest brands. These high-profile incidents led to millions of Australian citizens’ records being exposed on the dark web. The consequences were real: lost revenue, leadership accountability, and long-term damage to community trust.

We saw a marked increase in ransomware activity across every market sector, as well as ransomware attacks against critical infrastructure providers and their operational networks. Attackers are growing bolder as the economy tightens its belt, leveraging these attacks on essential services to threaten nationwide disruption.

Defenders, in turn, have been forced to balance day-to-day cyber monitoring and incident management with the need to demonstrate compliance and to align their security posture with AI and automation programs, while elevating governance to meet tighter regulatory expectations.

It’s no surprise that artificial intelligence sits at the heart of our threat picture. AI is on every board and CEO agenda, reshaping how we both attack and defend systems while transforming the business. AI threatens to introduce autonomous, continuous, self-evolving cyberattacks to test our agentic defences. The key question is whether we have the skills, operating models, and controls to manage this next phase confidently and safely.

AI is on every board and CEO agenda, reshaping how we both attack and defend systems while transforming the business.

Looking ahead to 2026, we face a dual challenge.

  1. We must learn from 2025 and close the cyber hygiene gaps. Core security capabilities, such as incident response, vulnerability management, and supply chain security, still require focused, sustained investment.
  2. We need to prepare for the next wave of threats and innovation: AI-driven systems, smart infrastructure, and an expanding digital perimeter that now includes everything from wearables to smart city grids. Cyber risk must be treated as a business risk.

In this report, Kinetic IT identifies five key learnings from 2025 and six predictions for 2026.

We provide neutral, fact-based insights grounded in an Australian context, informed by global trends and what we see here, at home, to help business leaders make practical, defensible decisions about cyber risk. 

2025: A Tough Year for Blue Teams.

Tony Campbell

Tony Campbell

Service Line Manager, Enterprise Security

Key Learnings.

For many organisations, 2025 wasn’t the best year. Threat actors hit Australia hard, and the cracks in defences were exposed for all to see.

The mega-breaches that tested some of our largest brands revealed basic security failures and forced regulators to further tighten the screws on compliance oversight. Ransomware and digital extortion were rife, and no industry sector remained unscathed.

Supply chain attacks and third-party risk rose sharply, becoming everyone’s problem—from large enterprises to small businesses. Meanwhile, attackers began weaponising AI at scale, while defenders scrambled to strengthen governance, resilience, and Essential Eight-style controls. 

The following sections unpack five key insights from this turbulent year—systemic weaknesses, ransomware escalation, supply chain fragility, AI-driven threats, and the defensive shifts shaping cyber strategy for 2026 and beyond.

Navigate to:
Icon 1
Mega-breaches exposed systemic weaknesses
Icon 2
Ransomware and double extortion hit new heights
Icon 3
Supply chain risk became everyone’s problem
Icon 4
Attackers weaponised AI, defenders raced to catch up
Icon 5
Resilience and governance took centre stage

1. Mega-breaches exposed systemic weaknesses.

2025 was dominated by the fallout from massive data breaches that shook public trust and forced regulatory reform. Incidents like Optus and Medibank revealed how basic lapses—such as unsecured APIs and missing MFA—can compromise millions of records. The impact was severe: weeks of disruption, tens of millions in costs, and reputational damage. These breaches triggered a national reckoning, with tougher penalties (up to AUD$50 million) and proposals to ban ransomware payments.

The clear lesson? Cyber security is now a board-level issue, and simple oversights are no longer acceptable.  

2. Ransomware and double extortion hit new heights.

Ransomware evolved into a brutal double-edged weapon in 2025. Attackers didn’t just encrypt data—they stole it, using leaks as leverage. Medibank’s refusal to pay led to sensitive health records being dumped online, highlighting the moral and legal dilemmas organisations face. No sector was safe: retail chains, law firms, and even government agencies were caught in the blast radius. These attacks underscored two issues:

  1. Third-party breaches can quickly escalate into everyone’s problem;
  2. Overall organisational resilience through non-cyber controls, like backups, training and rehearsed failovers, as well as resilience in your partnerships, is critical to long-term success.

3. Supply chain risk became everyone’s problem.

In 2025, high-profile third-party breaches like MOVEit made it clear that organisations were only as secure as their weakest supplier, with regulators increasingly holding companies accountable for their vendors’ cyber hygiene.  

The takeaway? Point-in-time assessments are giving way to shared assurance, continuous monitoring and board-level ownership of supply chain risk.

4. Attackers weaponised AI, defenders raced to catch up.

AI became a game-changer for attackers. Generative AI supercharged phishing campaigns, making them slick and convincing, while deepfake scams and adaptive malware raised the stakes. Over 60% of phishing emails in Australia were AI-generated, and some malware could morph to evade detection. Defenders responded with AI-driven threat detection, but the gap remains – 70% of businesses admit attackers are moving faster.

The takeaway? AI is a double-edged sword, and success depends on agility, innovation, and hardening systems against emerging threats. 

5. Resilience and governance took centre stage.

On the defensive side, 2025 was about strengthening fundamentals. Boards stepped up oversight, budgets grew, and frameworks like the Essential Eight became baseline expectations. Regulators demanded proof of controls such as MFA and patching, while new rules like APRA CPS 230 pushed operational resilience to the fore.  

Organisations ran crisis simulations, improved backups, and tightened reporting timelines.

The message is clear: breaches aren’t always preventable, but robust governance and resilience can make the difference between disruption and disaster.

What is APRA CPS 230?

CPS 230 is the standard set by the Australian Prudential Regulation Authority (APRA) which requires entities to manage operational risk, maintain critical operations during disruptions, and strengthen oversight of service providers.

Web Assets 01

1. Weaponised AI and the cyber arms race.

In 2026, AI will redefine cyber conflict. It’s already embedded in criminal toolkits, and alongside machine learning, it will become standard for both attackers and defenders. Expect more sophisticated phishing and social engineering, powered by AI-generated content and deepfakes so convincing that spotting pretext without advanced tools will be near impossible.

Adversaries will use AI to accelerate attacks, boosting speed, scale, and stealth. Autonomous “agentic” malware will emerge, capable of scanning networks, finding vulnerabilities, and adapting tactics on the fly. Crime-as-a-service will deploy AI bots to run hyper-realistic phishing campaigns, complete with synthetic voices and deepfake videos impersonating trusted contacts. 

We’ve already seen the first major breach attributed to AI in 2025 and AI deepfakes cause misinformation chaos following the fallout in Venezuela. This trend will surge in 2026, with zero-day exploits hitting cloud and critical systems faster than defenders can react. 

All this said, there are opportunities as well. AI isn’t just an attacker’s weapon—it’s a game-changer for defenders. In 2026, intelligent automation will enable faster detection, smarter correlation, and near-instant response, dramatically reducing dwell time.

AI-powered Security Operation Centre (SOC) agents will handle routine triage, freeing human analysts to focus on complex strategies. Predictive analytics will help anticipate attacks before they strike, while AI-driven threat hunting will uncover patterns that traditional tools miss.

Combined with adaptive security frameworks and ISO 42001 standards, these capabilities can transform resilience, turning cyber security from reactive firefighting into proactive risk management.

AI isn’t just an attacker’s weapon—it’s a game-changer for defenders.

Defenders will respond in kind. Security teams will increasingly rely on intelligent SOC agents to automate detection, correlation, and responseAI “Tier Zero” analysts will handle triage, sift logs, prioritise alerts, and even execute containment actions in seconds—turning what was cutting-edge into standard practice.

By year’s end, AI-driven triage and incident analysis will be commonplace. But widespread AI adoption brings new risks. Organisations must enforce strict identity and access controls for AI agents to prevent hijacking. Expect new frameworks to emerge, including ISO 42001 for AI Management Systems, and standards focused entirely on AI threat models.

The challenge for 2026? Harness AI’s defensive power without letting it become the ultimate attack vector. 

2. Room temperature quantum computing.

Every now and again, an important scientific breakthrough drops so quietly into our lap that the wider tech world barely blinks. With everyone so busy arguing about AI ethics or whether the latest LLM has achieved consciousness (it hasn’t, by the way), you may have missed the big news in quantum computing that appeared late 2025 from Stanford: room-temperature quantum communication. 

Now, before the hype merchants start screaming about the rise of the robots, let’s look at what this really means, and translate the significance without any of the creator-style mystique.

Quantum communication normally needs ultra-cold, laboratory conditions, and it’s so fragile that even breathing near the equipment can ruin the experiment. But now researchers have managed to send quantum signals at room temperature, using a novel method that stabilises those notoriously fragile quantum states.

Why does this matter? 

If you work in cyber security, this should make you sit up a bit straighter. This is not a marginal improvement. This is the first sniff of that post-encryption world drifting through the window like a freshly baked loaf of bread. 

Quite honestly, this is huge, yet the headlines didn’t explode because it’s not packaged as an AI story. But quantum communication, especially the sort that doesn’t require a cryogenic freezer the size of a small caravan, is the beginning of a strategic shift, because once quantum communication becomes affordable, portable, and industrial rather than academic, we enter the age of guaranteed interception detection. 

Quantum key distribution can show you exactly when someone has listened in, since every interaction with the system causes a state change. 

Imagine your Security Information & Event Management (SIEM) tool being able to tell you that someone tried to read your encryption key, and here’s their address and the time of day.

Watch this space. 

For all big organisations, this means more than the usual “update your TLS configs” guidance thrown out. It means we need to start thinking about quantum-resilient architectures (not just quantum-safe algorithms), and building future-proofed threat models, where we have determined the dependencies on vendors who may not yet be ready. 

So, the big question is, where does this leave us? The reality is that this is a massive engineering simplification for anyone building a quantum computer.

While this breakthrough on its own won’t redefine cybersecurity tomorrow, it does represent an exciting part of the quantum computing timeline where the tech stops being a thought experiment and becomes a race to commoditise.

We need to start thinking about quantum-resilient architectures... and building future proofed threat models.

3. Cyber security converges with wearable tech.

In 2026, securing medical devices and wearables will become a top priority as the Internet of Medical Things (IoMT) expands and these technologies become increasingly embedded in daily life. Last year, it was anticipated that 85% of healthcare providers were using IoMT for patient monitoring or smart facilities. Global wearable shipments have reached around 534 million units showing huge demand.

This rapid adoption delivers huge benefits, but it also creates a vast and vulnerable attack surface. Expect the first major cyberattacks on medical devices in active use, from ransomware disrupting hospital equipment to malicious tampering with insulin pumps or heart monitors.  

These risks are real, with researchers already demonstrating such exploits, and regulators responding in kind. Australia’s Therapeutic Goods Administration (TGA) is likely to follow the US equivalent, which now mandates a Software Bill of Materials (a list of ingredients in IoMTs, so to speak), threat models, and updated plans for new devices. Now, any device lacking encryption, access controls, and patchability will struggle to gain approval. Healthcare providers will also face pressure to segment clinical networks and enforce MFA, in line with the new Health Sector Cyber Security Performance Goals plan. 

Wearables bring their own challenges. With over one-third of adults using health trackers, the data they collect—heart rate, location, sleep patterns—are prime targets. Breaches of fitness platforms or insurer wellness programs could expose deeply personal information. Expect moves toward security certification for consumer IoT health devices, building on Australia’s voluntary IoT “Trust Mark” and emerging smart device standards.

Opportunities in this space arise from the convergence of healthcare and cyber security, driving secure innovation. AI-powered anomaly detection will monitor medical equipment for hacking attempts, while secure-by-design principles will become standard for device makers.

These advances promise not only stronger safeguards but also greater trust in technologies that keep us healthy. In 2026, resilience and security will be as integral to medical tech as accuracy and reliability. 

Web Assets 03 scaled

4. Smart cities and critical infrastructure under siege.

As cities race toward hyper-connectivity, the attack surface is expanding at breakneck speed. By 2024, over 83,000 IoT sensors had been deployed globally in smart city projects, and that number will soar in 2026 as councils roll out intelligent lighting, smart grids, and app-connected services.  

Every connected system is a potential entry point if security is weak. We’ve already seen warning signs: hackers tampered with chemical levels at a water treatment plant, and a European city’s transit system was crippled by a 2023 hack. In 2026, expect at least one major city to suffer a coordinated cyberattack – ransomware taking down IT networks and connected services is a real possibility. Nevada’s 2025 ransomware incident, which shut down state services and law enforcement databases, shows how quickly things can spiral.  

Now consider NEOM: the futuristic mega-city rising in Saudi Arabia, designed to run on a fully integrated digital infrastructure. A successful attack on such environments could disrupt energy grids, autonomous transport, healthcare systems, and even governance in ways we can barely imagine today. The pace of development means we must model these attack scenarios faster than ever, because the consequences of failure will be systemic and potentially catastrophic. 

The good news is that governments are responding. Australia’s Cyber Security Strategy (2023–2030) prioritises critical infrastructure protection, and sector-specific standards are emerging – think NIST SP 800-82 for power utilities and encryption mandates for IoT devices. Cities will run cyber emergency drills, map every connected asset, and enforce network segmentation to contain breaches. Collaboration will grow too, with national task forces and information-sharing hubs to tackle common vulnerabilities. The convergence of IT and OT means security teams must bridge gaps between traditional network defence and industrial control systems. In short, 2026 will test whether smart cities can also be safe cities. 

In terms of opportunities, the same technologies that create risk can also strengthen resilience. AI-driven monitoring will help detect anomalies across thousands of sensors, while automated response systems can isolate compromised networks in seconds. Shared threat intelligence between cities will accelerate learning and reduce duplication. By embedding cyber security into urban planning, treating it like road maintenance or policing, municipalities can turn smart cities into secure, adaptive ecosystems. Done right, digital innovation will enhance citizen safety, not undermine it. 

Every connected system is a potential entry point if security is weak.

5. Digital Government faces heightened threats.

As government services digitise, the stakes for cyber security are rising fast. Citizen portals, payment systems, and confidential databases are prime targets for both cybercriminals and nation-states.  

Between 2018 and 2024, over 500 ransomware attacks hit U.S. state and local governments, costing an estimated AUD$52.9 billion in recovery and downtime. Australia has seen its share too, with local councils in Queensland and NSW disrupted by ransomware and data theft. In 2026, expect attackers to escalate tactics, moving beyond data theft to manipulation, such as altering permit records or health data to sow chaos. With elections looming in some jurisdictions, risks extend to electoral systems and disinformation campaigns, as hacktivists and state actors seek to undermine trust. 

Governments are responding. Australia’s National Office for Cyber Security and dedicated Cyber Security Coordinator, established in 2023, will mature into whole-of-government defence hubs. Expect large-scale cyber drills, tighter breach notification laws, and critical services designated as “Systems of National Significance” under the SOCI Act. International collaboration will deepen through alliances like Five Eyes and Interpol, with joint defence operations and rapid-response pacts becoming the norm. Cyber deterrence will also evolve; sanctions on foreign hackers, similar to those Australia imposed after the Medibank breach, will become more common. In short, 2026 will see governments as both high-value targets and key players shaping global cyber resilience. 

The opportunities here are significant for both government organisations and their partners. Digitisation at scale offers a chance to lead by example. Advanced threat intelligence sharing, AI-driven monitoring, and automated incident response can make public services more secure and resilient. International partnerships will strengthen collective defence, while new standards and frameworks will raise the security baseline across sectors. Done well, digital government can set the benchmark for trust and transparency – turning cyber security from a vulnerability into a cornerstone of public confidence.

Web Assets 04 1 scaled

6. Secure by design is not optional.

This year will mark the tipping point where the adage of ‘secure by design’ moves from slogan to standard. Regulatory pressure is driving this shift in both Australia and overseas.

We have the Security of Critical Infrastructure (SOCI) Act, for example, pushing risk management into the heart of every critical infrastructure organisation.

While the European Union’s Cyber Resilience Act, due to be enforced by late 2026, will require connected device makers to address vulnerabilities and maintain updates. Australia is following suit, with imminent smart device standards set to arrive in March 2026 and pushing regulators to treat cyber negligence like financial negligence. The UK and the U.S. are exploring liability for insecure software, meaning vendors that fail to embed security risk fines, lawsuits, and market exclusion. 

Market insurance providers increasingly require evidence of controls before issuing policies. In practice, expect widespread adoption of DevSecOps, “shift-left” testing, and secure coding training. Products will ship with MFA enabled, encryption by default, and sensible privacy settings. Governments may introduce consumer-facing security labels for IoT devices, similar to energy rating labels, to raise the baseline and eliminate low-hanging fruit like default passwords. Continuous compliance monitoring will replace annual audits, with dashboards providing real-time visibility into security posture.  

By the end of 2026, breaches caused by blatant negligence – such as ignoring critical patches – will face zero tolerance from regulators and partners. Security will no longer be bolted on; it will be woven into innovation. 

This shift creates a competitive edge for forward-thinking organisations. Secure-by-design products will become a differentiator, winning trust and contracts in sectors where resilience is non-negotiable. Continuous monitoring and DevSecOps will streamline compliance and reduce breach risk, while consumer security labels will build confidence in connected devices. Embedding security early not only mitigates threats but accelerates innovation, turning cyber security from a cost centre into a value driver.

Web Assets 05 1

Turning insights into action for 2026 and beyond.

As we look ahead to 2026, one thing is clear: Cyber security in Australia has moved beyond a purely technical concern. It is now inseparable from national resilience, organisational trust and the confidence Australians place in the systems they rely on every day. The events of 2025 exposed uncomfortable truths about the fragility of our digital environment, but they also created clarity. We now know where the gaps are, what attackers are capable of, and what is required to respond with intent rather than urgency. 

The coming year will test organisations on two fronts. The first is discipline. Many of the most damaging incidents of recent years were not caused by novel or exotic attacks, but by failures to execute the basics consistently: identity controls, patching, segmentation, incident response readiness and third-party assurance. These fundamentals are no longer optional hygiene measures. They are the minimum standard expected by regulators, insurers, boards and the community. 

The second test is adaptability. Technologies such as AI, connected medical devices, smart infrastructure and digital government platforms are expanding the attack surface faster than traditional operating models can keep pace. At the same time, breakthroughs such as quantum communication signal that long-standing assumptions about encryption, trust and interception will not hold indefinitely. In this environment, cyber security must evolve from static controls to adaptive systems – capable of learning, responding and improving in real time. 

Encouragingly, this challenge also presents an opportunity. Organisations that embed cyber risk into business decision-making, invest in resilience alongside prevention, and adopt secure-by-design principles will not only reduce their exposure – they will gain a competitive advantage. Trust, reliability and transparency are fast becoming differentiators, particularly in government, healthcare, critical infrastructure and regulated industries. 

For leaders, the mandate is clear. Cyber security must be treated as a shared responsibility, supported by strong governance, skilled people and partners who understand both technology and context. Automation and AI can amplify defensive capability, but only when paired with clear accountability, sound data practices and robust oversight. 

At Kinetic IT, our perspective is grounded in what we see across Australian organisations every day: Cyber security works best when it is practical, proportionate and aligned to real-world outcomes. By learning from 2025 and acting decisively in 2026, organisations can move from reactive defence to proactive resilience – protecting not just systems and data, but the trust that underpins our digital future.

Thank you to Tony Campbell for authoring this report.

Tony Campbell

Tony Campbell

Service Line Manager, Enterprise Security

ContentsToggle Table of Content

Fill out the form to access this webinar content.

Provide your details to watch this on demand webinar and read the companion guide.

ISG Provider Lens™ ServiceNow Ecosystem Partners 2024 Report.

Name

We respect your privacy and will never share your information. Privacy Policy