Delayed detection is turning cyber incidents into million-dollar losses
During a breach, every hour of delay increases the likelihood that a contained incident becomes a business-wide disruption. That escalation usually starts with lateral movement — when an attacker shifts from initial access to moving across the environment towards high-value systems and sensitive data.
Recent research highlights the impact on Australian organisations: incidents involving lateral movement result in an average of eight hours of downtime per event. Lateral movement is the point at which a contained breach escalates into a business-wide disruption or large-scale data theft.
Recent Australian breaches across sectors such as telecommunications, health care and financial services have shown how quickly this can unfold. Once inside, attackers are often able to move across interconnected systems, increasing the scale of disruption and the volume of data exposed. The impact extends well beyond IT, affecting customer trust, regulatory scrutiny and business continuity.
While no organisation can prevent every breach, the ability to quickly detect and contain an intrusion, particularly by limiting lateral movement, is critical to reducing impact. Yet across industries in Australia, detection and response times remain too slow.
Cybersecurity priorities have shifted. The benchmark is no longer how many attacks are blocked at the perimeter, but how effectively an organisation can withstand the attacks that inevitably get through. True cyber resilience is defined by how quickly threats are detected, contained and eradicated.
The limits of prevention-first thinking
Cybersecurity has become a standing boardroom priority. Gartner estimates global cybersecurity spending climbed to US$213 billion in 2025, up more than 10% on 2024 levels. In Australia, organisations are set to spend more than AU$7.5 billion on information security in 2026, reflecting continued investment in new tools and platforms.
That investment has created a sense of confidence, and the belief that more spending equals stronger protection. But when breaches occur, that confidence often collapses. In fact, nine in 10 organisations reported experiencing disruptive cyber incidents in the past year. The message is clear: most security strategies are proactive in theory, not in practice.
The disconnect lies in prevention-first thinking. Organisations have focused on keeping attackers out, rather than preparing for the inevitable: what happens when they get in. As a result, breaches still occur, and teams are often ill-prepared to stop them from spreading.
All security is reactive to some degree. True proactivity means accepting that compromise is inevitable, and being ready to respond decisively. This requires a shift in focus: from building higher walls to limiting the blast radius when those walls are breached.
Why detection still falls short
Despite record spending, the number of successful breaches continues to rise. A key reason is that stopping an intrusion before it spreads depends on fast, accurate detection, and that is becoming harder to achieve.
Analysis shows that security teams in Australia now face an average of more than 2000 alerts per day. A staggering 83% of security leaders say their teams simply cannot keep up. Every missed alert is a potential foothold for an attacker.
False positives make matters worse. Australian teams lose more than 15 hours a week investigating alerts that go nowhere, while 40% of network traffic lacks the context needed for confident investigation. The result is predictable: overwhelmed analysts, delayed responses, and attackers who exploit the confusion.
On average, teams take more than 13 hours to identify a missed alert that has already triggered an incident. That window gives attackers ample time to move laterally, access sensitive systems and deepen the damage. This significantly increases recovery time and cost.
Visibility and context are critical to stopping lateral movement
The growing size and complexity of modern IT environments compounds these challenges. In response, many organisations collect more data, hoping visibility alone will improve outcomes. Instead, it increases visibility without improving clarity — making it harder to spot and stop lateral movement early.
What is missing is context: understanding which alerts matter, how they relate to one another, and what they reveal about attacker behaviour.
AI and machine learning play an important role here. Research shows that 80% of security leaders believe these technologies are critical to detecting lateral movement faster and reducing alert fatigue.
Security graphs are a powerful example. By mapping how workloads, users and systems interact, graphs expose potential attack paths and high-risk connections. When combined with AI, they can correlate thousands of signals across hybrid and multi-cloud environments, revealing relationships and behaviours that humans cannot easily identify.
This transforms detection from guesswork into informed decision-making.
Proactivity today is about containment
Better detection is essential, but it is only half the solution. Once a breach is identified, the priority must shift immediately to stopping its spread.
This is where visibility and context become just as critical for response as they are for detection. Once attackers breach the perimeter, the ability to contain lateral movement determines whether an incident becomes a minor disruption or a multimillion-dollar crisis.
By proactively segmenting networks, isolating critical workloads and removing unnecessary access, organisations can slow attackers. Every segment boundary an attacker has to cross is also a chance to notice them: blocked or unexpected connection attempts expose malicious activity earlier, reduce dwell time and limit impact. This is the practical foundation of cyber resilience.
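The two ideas above, a security graph that exposes attack paths and a default-deny segmentation policy that shrinks the blast radius, can be shown together in a small model. The following is an added example written for this page, not code from the article or from any vendor product; the workload names, the allowed flows, the "policy" and the "observed" traffic are all constructed sample data, and the analysis is a plain reachability and path search over them.

```python
"""Added example: a toy security graph for attack-path analysis and segmentation.

Not code from the original article or any vendor. All workload names, flows and
observed traffic below are constructed sample data, not real telemetry.
"""
from collections import defaultdict

# Constructed inventory of a flat network: each allowed flow is (source, destination, port).
FLAT_FLOWS = [
    ("web-01", "app-01", 8080),
    ("web-01", "db-01", 5432),              # web tier has no business need to reach the database
    ("web-01", "jump-01", 22),
    ("app-01", "db-01", 5432),
    ("app-01", "hr-fileshare", 445),        # app tier has no business need to reach HR data
    ("app-01", "domain-controller", 389),
    ("jump-01", "db-01", 22),
    ("jump-01", "hr-fileshare", 445),
    ("jump-01", "domain-controller", 389),
]

# Constructed list of high-value assets an attacker would move towards.
HIGH_VALUE = {"db-01", "hr-fileshare", "domain-controller"}

# Constructed default-deny segmentation policy: only business-required flows are allowed.
SEGMENTED_POLICY = {
    ("web-01", "app-01", 8080),
    ("app-01", "db-01", 5432),
    ("jump-01", "db-01", 22),
    ("jump-01", "domain-controller", 389),
}

# Constructed sample of traffic actually seen on the wire after the policy is deployed.
OBSERVED = [
    ("web-01", "app-01", 8080),
    ("web-01", "db-01", 5432),              # attacker on web-01 probing the database
    ("web-01", "jump-01", 22),              # attacker on web-01 probing the jump host
    ("app-01", "db-01", 5432),
]


def build_graph(flows):
    """Directed adjacency: who may open a connection to whom, ignoring port."""
    graph = defaultdict(set)
    for src, dst, _port in flows:
        graph[src].add(dst)
    return graph


def blast_radius(flows, compromised):
    """Every node an attacker holding `compromised` can reach over allowed flows."""
    graph = build_graph(flows)
    seen, stack = {compromised}, [compromised]
    while stack:
        node = stack.pop()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen - {compromised}


def attack_paths(flows, compromised, targets, max_depth=6):
    """Enumerate simple paths from the compromised node to any high-value target."""
    graph = build_graph(flows)
    paths = []

    def walk(node, path):
        if len(path) > max_depth:
            return
        for nxt in sorted(graph[node]):
            if nxt in path:                 # simple paths only, no cycles
                continue
            new_path = path + [nxt]
            if nxt in targets:
                paths.append(new_path)
            walk(nxt, new_path)

    walk(compromised, [compromised])
    return paths


def denied_attempts(observed, policy):
    """Observed flows the default-deny policy does not allow: early signals of lateral movement."""
    return [flow for flow in observed if flow not in policy]


def report(compromised="web-01"):
    """Before/after comparison for a compromise of one workload."""
    return {
        "flat_radius": blast_radius(FLAT_FLOWS, compromised),
        "flat_paths": len(attack_paths(FLAT_FLOWS, compromised, HIGH_VALUE)),
        "segmented_radius": blast_radius(SEGMENTED_POLICY, compromised),
        "segmented_paths": len(attack_paths(SEGMENTED_POLICY, compromised, HIGH_VALUE)),
        "denied": denied_attempts(OBSERVED, SEGMENTED_POLICY),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

In the flat network a compromise of `web-01` reaches every workload and yields seven distinct paths to high-value assets; under the segmented policy it reaches only `app-01` and `db-01` by a single path, and the two probes the attacker makes outside the policy show up as denied flows that can be alerted on. The same pattern scales to real inventories by feeding the graph from firewall or host-agent flow logs instead of the constructed lists here.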
Containment does not replace prevention; it completes it. It is what turns a breach into a manageable incident instead of a business-wide crisis.
What this means for Australian business leaders
Perfection in cybersecurity is not realistic. Breaches are inevitable. This reality demands a change in mindset.
True proactivity is measured by how quickly an organisation can detect, contain and recover — not by prevention rates at the perimeter. For business leaders, this means treating containment as a strategic resilience investment rather than a purely technical control.
This includes reviewing segmentation strategies to ensure critical assets are properly isolated, assessing whether security tools provide the context needed for rapid decisions, and shifting metrics away from perimeter prevention towards detection and containment speed.
Organisations that adapt to this reality will suffer fewer disruptions, recover faster, and protect trust with customers, regulators and partners — even when breaches occur.