Why ‘one size fits all’ is the wrong approach for cyber security
Published by Liam O’Shannessy, Executive Director, Security Testing & Assurance VIC, on June 16 2026
No two organisations, industries or cyber security environments are the same, yet CyberCX’s Security Testing and Assurance (STA) team often see organisations approach security at the last minute, or reactively, with a ‘one size fits all’ approach.
CyberCX’s newly released 2026 Hack Report lifts the lid on the state of cyber vulnerabilities in our economy and underscores the need for organisations to take a more tailored approach to cyber security.
The report highlights that the cyber risk landscape is continuing to deteriorate while defenders are being rapidly outpaced by threat actors who are well resourced, determined and more creative in their attempts to achieve their malicious objectives.
If organisations want to have a chance at keeping up with the pace at which adversaries are evolving, they must rethink how they manage the risks.
Bring security in from the start
Any approach where security is treated as a tick-box, or a final step, is an approach that is bound to fail. Security must not be added on at the end. It should be built from the outset and shaped around the specific risks organisations face.
The most effective starting point is a security strategy informed by an organisation’s greatest areas of vulnerability, rather than a ‘one size fits all’ approach to security.
This is particularly important as organisations race to adopt AI, often overlooking governance and security processes and introducing new risks into the mix. More than ever, it is critical that the systems being built today are designed to withstand the threats of today, and tomorrow.
Over the past three years, CyberCX’s STA team of 200 penetration testers have uncovered more than 70,000 findings while moonlighting as the bad guys. Our team is not concerned with what an organisation is doing well – we care about where vulnerabilities exist – just like the cyber criminals do.
What the findings reveal by industry
From these findings, the STA team identified a severe vulnerability almost a third of the time (29%). These vulnerabilities, if identified by a threat actor first, could result in a serious breach. From there, the team also analysed the severe findings by industry, examining where severe findings were most prevalent and the root causes behind them.
Importantly, the insights by industry illustrated in the Hack Report are not a scorecard of who is doing well or poorly. Rather, they reflect the technology mix and operating environments that different industries primarily deal with.
Figure 1: Industry segment comparison – severe findings in 2025
At the lower end of the graph sit industries such as communications, media and technology, which, due to the nature of the industry, typically have security integrated earlier. Yet one in five engagements still identified a severe finding.
At the other end are industries such as manufacturing and construction, healthcare, and logistics and transport. These sectors often rely on operational technology and systems with long shelf lives of 10 to 15 years that traditionally have not had a security strategy introduced early. As a result, they face different challenges in their efforts to secure their systems and build a better security posture.
When this is compared with the industry segments affected by breaches in CyberCX’s 2026 Threat Report, released earlier this year, there is rough alignment between the two, with one notable exception – the financial services industry.

Figure 2: As reported in CyberCX’s 2026 Threat Report (page 17), in 2025 Financial and Insurance Services was the most common industry that CyberCX assisted in responding to cyber incidents.
Financial services and insurance do quite well from a vulnerability landscape perspective, but they remain the number one industry targeted by adversaries in terms of breaches. This is a good reminder that adversaries are driven not just by where the vulnerabilities are, but by their objectives – money.
The top four root causes driving severe security findings across industries
Exploring the findings further, the data reveals there is no uniform distribution of vulnerabilities across industries. Our STA team identified that different sectors face different root causes and security challenges:
Figure 3: Distribution of severe findings by industry segment, 2023-2025, CyberCX 2026 Hack Report
For example, communications, media and technology organisations were 55% more likely to experience application security and development issues, compared to manufacturing and construction, where those vulnerabilities were 47.5% less likely.
This reinforces a key point – industries face different cyber challenges because of the fundamental way they operate. Yet, we continue to see security frameworks take a universal approach. In practice, these generalised approaches rarely reflect the unique risks organisations face.
Too often, organisations approach security as an afterthought – introduced too late in the mix once systems are built, or with blanket strategies that don’t consider the unique risks shaping their sector.
The organisations best positioned to keep pace with the evolving cyber environment will be those that move beyond a reactive approach and design their approach to security for the unique environment they operate in. Remediation efforts should focus on cyber uplift activities in the areas that will provide the greatest return on their investment.
The 2026 Hack Report provides a unique and deep insight into the key trends and issues shaping the cyber landscape for organisations. Download the report to explore the full breadth of insights and ways you can strengthen your cyber defences.


