Cyber lessons from 2025: why human risk will define 2026

KnowBe4

By Erich Kron, CISO Advisor at KnowBe4
Thursday, 22 January, 2026



In 2025, Australia’s cybersecurity landscape told a story of escalating complexity and persistent human risk. Last year’s breaches were signals of systemic vulnerabilities and behavioural blind spots that attackers continue to exploit. Here’s what stood out.

Public sector and superannuation

Highly regulated sectors such as government agencies and superannuation funds faced some of the most damaging breaches of the year. The Department of Communities and Justice saw hackers infiltrate systems and access 9000 sensitive court files, while the Australian Human Rights Commission leaked 670 confidential documents submitted via webforms. REST Super reported exposure of 8000 accounts, and AustralianSuper suffered direct financial theft totalling $500,000.

These incidents underscore a critical truth: even highly regulated sectors are not immune when security controls fail to account for human behaviour. Attackers know these institutions command public trust, and they weaponise that trust through phishing and credential theft.

Education institutions

Education emerged as another prime target. Western Sydney University had more than 10,000 student records stolen and used for fraudulent emails. Scotch College and other schools, including Loyola College and Belmont Christian College, also reported breaches that disrupted operations and eroded confidence.

Part of the reason attackers focus on this sector is the sheer volume and sensitivity of the data these institutions hold, including ID numbers, contact details, financial details, health records and even family members’ information. Combined with sprawling IT environments and tight budgets, this makes education a high-value target. When identity management and awareness training lag behind, attackers seize the opportunity. These breaches highlight the urgent need for stronger authentication and behavioural safeguards in academic settings.

Consumer and lifestyle

Brands Australians interact with daily were not spared. Qantas grappled with voice phishing attacks that compromised data of six million customers. Fullerton Hotel lost 148 GB of corporate and personal data to ransomware gangs, while iiNet saw cybercriminals extract hundreds of thousands of email addresses, phone numbers and even modem setup credentials.

Consumer-facing organisations are prime targets because they hold vast troves of personally identifiable information (PII) and payment data, which can be sold or weaponised for fraud.

2025’s attacks revealed that social engineering tactics are evolving beyond email. Voice phishing and ransomware campaigns exploit routine customer interactions, bypassing technical controls and preying on human trust. This highlights the need for layered defences: strong authentication for staff, segmentation of critical systems, and proactive monitoring for anomalies.

What these breaches reveal about human risk

The breaches of 2025 highlight three critical realities about the evolving threat landscape.

1. Attackers exploit trust, routine and familiarity

Cybercriminals have learnt that the easiest way in is through what feels normal. When a message looks like an HR update, an IT notice or a routine customer service email, people rarely pause to question it. This year’s Qantas breach is a prime example: attackers used voice phishing to impersonate internal staff, exploiting the trust employees place in familiar processes. Similarly, Western Sydney University’s compromise began with fraudulent emails that mimicked legitimate academic communications.

KnowBe4’s Q3 2025 Phishing Simulation Roundup reinforces this behavioural blind spot: 89.8% of the most-clicked phishing subject lines referenced internal topics, and nearly half mentioned HR. Two of the top-performing phishing templates even included the recipient’s company name, proving that personalisation amplifies trust and drives engagement with malicious content. This points to the fact that individuals and businesses are most vulnerable when attackers craft messages that blend seamlessly into the rhythm of daily work.
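As an added illustration (not KnowBe4's code or a product feature), the following Python triage pass scores inbound messages on the lure signals this paragraph describes: an external sender using an internal-topic subject line, the company name dropped into the subject, and a Reply-To that points somewhere other than the From domain. The domains, keyword lists, weights, threshold and the three sample messages are constructed assumptions for illustration.

```python
# Added example (not KnowBe4's code or tooling): a small triage pass that flags
# inbound mail mimicking internal HR/IT/finance notices, the lure pattern the
# roundup statistics describe. Domains, keywords, weights and the sample
# messages below are constructed assumptions for illustration.
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.com"}   # assumption: the organisation's own mail domains
ORG_NAME = "example corp"                 # assumption: name attackers would drop into a subject

# Assumed keyword list for the "internal topic" lures the page describes.
INTERNAL_TOPIC_KEYWORDS = {
    "hr": ["hr", "payroll", "benefits", "leave policy", "performance review"],
    "it": ["password", "mfa", "it notice", "mailbox", "vpn"],
    "finance": ["invoice", "payment", "expense"],
}

SUSPICIOUS_THRESHOLD = 3   # assumption: score at which a message is routed for review


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def _domain(header_value: str) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _topics(subject: str) -> list:
    """Topics whose keywords appear as whole words in the (lower-cased) subject."""
    return [
        topic for topic, words in INTERNAL_TOPIC_KEYWORDS.items()
        if any(re.search(r"\b" + re.escape(w) + r"\b", subject) for w in words)
    ]


def triage(raw_message: str) -> Verdict:
    """Score one raw RFC 5322 message on impersonation-of-internal-process signals."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").lower()
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To")) or from_domain
    auth = (msg.get("Authentication-Results") or "").lower()
    external = from_domain not in INTERNAL_DOMAINS
    verdict = Verdict()

    topics = _topics(subject)
    if external and topics:
        verdict.score += 2
        verdict.reasons.append(f"external sender, internal-topic subject ({', '.join(topics)})")
    if external and ORG_NAME in subject:
        verdict.score += 1
        verdict.reasons.append("company name in subject from external sender")
    if reply_domain != from_domain:
        verdict.score += 2
        verdict.reasons.append(f"Reply-To domain {reply_domain!r} differs from From {from_domain!r}")
    if "dmarc=fail" in auth:
        verdict.score += 2
        verdict.reasons.append("upstream Authentication-Results reports dmarc=fail")
    return verdict


# Constructed sample messages (not real traffic).
SAMPLES = {
    "lure": (
        "From: HR Team <hr@example-corp-portal.com>\n"
        "To: staff@example-corp.com\n"
        "Subject: Example Corp HR: updated leave policy - action required\n"
        "\nPlease review the attached policy.\n"
    ),
    "legit": (
        "From: People Team <hr@example-corp.com>\n"
        "To: staff@example-corp.com\n"
        "Subject: HR: benefits enrolment reminder\n"
        "\nEnrolment closes Friday.\n"
    ),
    "reply_to_swap": (
        "From: Accounts <billing@vendor-example.net>\n"
        "Reply-To: accounts@mail-vendor-example.org\n"
        "To: ap@example-corp.com\n"
        "Subject: Invoice 4471 overdue\n"
        "\nRemit to the updated account.\n"
    ),
}


def triage_samples() -> dict:
    """Run triage over every constructed sample and return the verdicts by name."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        flag = "REVIEW" if verdict.suspicious else "ok"
        print(f"{name:14} score={verdict.score} {flag}: {'; '.join(verdict.reasons)}")
```

The scoring is deliberately simple: a look-alike domain plus an HR-themed subject that names the company crosses the review threshold on its own, while the same subject from the organisation's own domain scores nothing, which is the distinction the click statistics above suggest users make poorly under time pressure.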

2. Human error and security awareness gaps remain a major factor

Technology can only go so far when human behaviour doesn’t keep pace. Many of last year’s breaches were enabled by simple mistakes: clicking on a malicious link, reusing passwords or failing to verify an unexpected request. At iiNet, attackers exploited weak credential hygiene and gained access to sensitive customer data, including modem setup passwords — a lapse that turned a single point of compromise into a systemic failure.

KnowBe4’s Phishing by Industry Benchmarking Report 2025 shows why this matters: organisations in Australia and New Zealand start with a baseline phish-prone percentage of 36.8%, among the highest globally. While sustained training can reduce this significantly, the gap persists when education is generic or infrequent. Awareness programs must be contextual and adaptive to stop attackers from exploiting the same behavioural weaknesses.

3. Systems and processes lack resilience against modern threats

Last year’s breaches exposed how fragile organisational ecosystems can be when security is treated as a bolt-on rather than a foundation. The Qantas voice phishing attack succeeded because internal processes for identity verification were weak: staff could grant access without multi-factor checks. At Fullerton Hotel, ransomware crippled operations because backups were not segmented and recovery protocols were slow, allowing attackers to escalate impact. iiNet’s breach revealed another systemic flaw: storing modem setup passwords alongside customer data created a single point of failure, amplifying the consequences of credential theft.

Together, these insights shift the conversation from technology alone to behaviour and process. Cybersecurity isn’t just about patching systems; it’s about anticipating how trust and routine can be weaponised, and building organisational structures that can absorb shocks when prevention fails.

Looking ahead: building resilience for 2026

If 2025 was a year of hard lessons, 2026 must be the year of decisive action. The breaches we’ve seen underscore that resilience is built through people, processes and leadership, in addition to technology itself. Below are things that organisations and individuals need to prioritise this year.

For organisations
  • Treat human risk as a strategic priority: Behavioural vulnerabilities are at the heart of most breaches and managing them requires more than annual training. Continuous, contextual education that reflects real-world attack scenarios is essential to shift habits and reduce risk.
  • Adopt adaptive, AI-driven defences: Attackers are using automation and machine learning to scale their campaigns, which means static controls won’t keep up. AI-powered threat detection and response can help organisations anticipate patterns and neutralise attacks before they escalate.
  • Integrate security across the ecosystem: Too often, security responsibilities are fragmented across departments, creating blind spots attackers exploit. Embedding security into every workflow and system improves resilience.
  • Build a leadership-led security culture: Cybersecurity starts at the top; when executives champion security as a business imperative, it cascades through the organisation. Leaders must model best practices and make security part of strategic decision-making.

For individuals
  • Stay alert to social engineering tactics: Whether it’s a convincing email, a phone call, or a message that feels routine, the human element remains the most exploited attack surface, which means personal vigilance is non-negotiable. Question before you click or share.
  • Commit to contextual, adaptive training: Generic modules won’t prepare you for the sophistication of modern attacks. Seek out programs that simulate real-world scenarios and evolve with emerging threats.
  • Strengthen authentication and password hygiene: Multi-factor authentication should be standard practice, and passwords must be unique and complex. These simple steps can dramatically reduce the likelihood of compromise.

The next 12 months will challenge organisations to rethink what resilience really means. It’s no longer enough to react to threats or rely on yesterday’s playbook. Success in 2026 will come from building security into the rhythm of business, where technology, people and leadership move in lockstep. That means anticipating how attackers will evolve, embedding security into every decision, and creating a culture where vigilance is second nature.

The breaches of 2025 were a warning; the response in 2026 will determine who thrives and who falls behind.


  • All content Copyright © 2026 Westwick-Farrow Pty Ltd