AI-driven cyber threats rise as human error & outdated systems persist
This year's Cyber Security Awareness Month has placed particular emphasis on human behaviour, critical infrastructure, advanced cyber threats, and the role of cross-sector collaboration in bolstering Australian cyber resilience.
AI-driven threats on the rise
Verizon Business' 2025 Data Breach Investigations Report has found that the use of artificial intelligence (AI) in malicious cyber activities has doubled within two years. The report highlights that state-sponsored actors are now increasingly relying on AI to enhance their influence campaigns, craft highly convincing phishing messages, and even assist in malware and exploit development.
In addition to the external threats posed by these actors, organisations face new internal risks arising from employees' use of generative AI tools. Verizon's findings indicate that 15% of employees regularly access generative AI platforms via their work devices. Of these, 72% use personal accounts, while 17% use corporate accounts that lack integrated security authentication. This usage often occurs without alignment with company security protocols, as staff upload confidential documents or proprietary code to external AI services.
These findings underscore that AI is creating a dual challenge: it not only empowers external threat actors but also heightens the potential for internal data exposure due to widespread employee adoption.
Third-party risk and regional threats
The Verizon DBIR also points to an evolution in cyber espionage tactics. State-affiliated groups remain the primary actors, but nearly one-third of cases now involve a financial motive in addition to traditional espionage. There is a marked shift from phishing to the exploitation of software vulnerabilities as the dominant method of initial compromise.
The Asia-Pacific region in particular faces significant pressure, with "System Intrusion" incidents accounting for 83% of all regional data thefts. Compounding this, breaches linked to third parties have doubled compared to 2023, increasing the complexity of digital supply chain security. Rapid vulnerability patching, enhanced third-party vetting, and improved detection and response protocols are highlighted as essential defences.
Human error is still a main vulnerability
According to Lincoln Goldsmith, Director of Enterprise Channels & Alliances, APAC at Semperis, human error continues to be the principal weakness in organisational cybersecurity. Data from the Office of the Australian Information Commissioner indicates that approximately 30% of data breaches in Australia are caused by human errors.
Phishing attacks, weak or stolen credentials, insecure configurations, and excessive user privileges – often a result of poor security awareness and cyber hygiene – are among the most common ways attackers gain initial access and move within a network.
"The simplest cyber practices are often the most effective at preventing breaches and data loss before they happen. Measures like password protection, multi-factor authentication and regular patching don't require technical skills, just consistency, like brushing and flossing."
Goldsmith draws parallels between establishing security routines and daily personal habits, noting that good cyber hygiene can greatly reduce individual and organisational risk, especially in complex environments with extensive identity infrastructure.
Critical infrastructure remains out of focus
Leon Poggioli, Regional Vice President, ANZ at Claroty, argues that while public campaigns often stress the importance of digital hygiene for individuals, Australia's cyber resilience efforts must extend to operational technology (OT) and critical infrastructure.
Poggioli notes that cyber-physical systems underpin sectors such as mining, energy, transportation, and water, yet remain largely invisible in much of the public discourse on cybersecurity. He highlights the growing risk as legacy industrial systems, often without cyber protections, become interconnected with modern IT networks, making them viable targets for cybercriminals and nation-state actors.
Poggioli suggests raising public awareness through community engagement and education, as well as encouraging OT stakeholders to prioritise regular risk assessments, patching and network segmentation to block lateral movement by attackers.
"Stakeholders should collaborate with cybersecurity experts to bridge the IT-OT gap, ensuring these systems aren't just functional but fortified."
Workplaces and community partnerships
Cross-sector partnerships are an important line of defence, according to E-Yang Tang, Vice President, Security, Resiliency and Network, Kyndryl A/NZ. Tang notes that effective cybersecurity is rooted in people, education, and accessible tools, not merely technology. Vulnerable sectors, such as not-for-profits, often lack the resources to defend themselves and greatly benefit from initiatives like the Cyber Resilience Programme, led jointly by the University of Technology Sydney and the Kyndryl Foundation. This programme delivers foundational cybersecurity training to not-for-profit staff and volunteers.
"These kinds of collaborations show how systemic change can happen: by uniting expertise, sharing responsibility and investing in people. By working across sectors, we can build communities with the confidence and capability to stay safe online, both today and in the long term."
Cyber Security Awareness Month, say industry voices, is an opportunity not just for individuals, but for organisations and communities to review, reinforce, and extend their protective measures against the evolving spectrum of threats facing Australia's digital and physical infrastructure.