CyberCX Threat Report Charts Worsening Cyber Threats Confronting Organisations in 2026
Melbourne, Australia – Tuesday 3 March 2026
- AI is increasingly utilised by cyber criminals, but the more immediate risk is staff uploading sensitive material to public AI tools
- Financially motivated cyber attacks took more than twice as long to detect in 2025 as in the previous year
- At one in five incidents, Financial and Insurance Services is the most impacted sector
- Cyber Extortion is the most common incident type
CyberCX, part of Accenture and the leading provider of cyber security services across Australia and New Zealand, has released its annual Threat Report based on a sample of over a hundred serious incidents the firm’s Digital Forensics and Incident Response (DFIR) team responded to in 2025.
The Report highlights that cyber extortion – where threat actors lock up an organisation’s systems or steal their data and hold it to ransom – is now the most common type of incident CyberCX responds to, eclipsing Business Email Compromise (BEC) for the first time in a CyberCX Threat Report. Meanwhile, Financial and Insurance Services surpassed Healthcare to become the most impacted sector, accounting for almost one in five incidents CyberCX responded to in 2025.
Other key findings in the CyberCX Threat Report include:
- The age of artificial intelligence (AI) in cybercrime has arrived – AI has reduced the barrier to entry for cyber criminals. For the first time, CyberCX saw threat actors using generative AI to create custom, bespoke commands and malware to reduce the time between initial access to an organisation and achieving their malicious objectives. But the more immediate risk to organisations could be internal, as CyberCX began responding to data spill incidents resulting from employees uploading sensitive material to public-facing AI tools.
- Most attacks are financially motivated, and they are taking longer to detect – Almost six in ten incidents were perpetrated by financially motivated cyber criminals, consistent with previous years. The time it takes for an organisation to detect a financially motivated cyber attack more than doubled from 24 days in 2024 to 68 days in 2025, as threat actors invested more time into accomplishing their objectives once they had initial access.
- Fewer threat actors are advertising stolen data on the dark web – In a potential sign of data breach fatigue, in over a third of double extortion attacks by known ransomware groups the threat actor did not advertise the stolen data on their dedicated leak site (DLS) – up from less than 10% the year before. Approximately half of victims who did not pay a ransom after being advertised on a DLS did not subsequently have their data published – an increase from 24% last year.
- Attackers are bypassing most multi-factor authentication (MFA) solutions – Adversary-in-the-middle (AITM) session hijacking – which provides a method of bypassing MFA by stealing the user’s session – is on the rise as threat actors increasingly have access to low-cost Phishing-as-a-Service (PHaaS) kits. MFA alone is no longer sufficient to keep cyber criminals away.
- Stolen credentials remain the key driver for cyber extortion – The most common initial access techniques for cyber extortion incidents were valid accounts and external remote services as attackers continued to leverage compromised credentials sourced from information stealers and social engineering.
Hamish Krebs, Executive Director of Digital Forensics and Incident Response at CyberCX said, “If there is a cyber security professional or policymaker who feels more optimistic about the global cyber threat landscape now than they did 12 months ago, I haven’t met them.
“We have seen malicious use of automation and AI lowering barriers to entry and unlocking new capabilities of speed and scale. AI is now part of the real cyber threat that organisations in our region and around the world are confronting every day. But there are two sides to this coin, as organisations increasingly face data spills resulting from staff members uploading sensitive and commercial material to public AI tools, reinforcing the importance of AI governance and policies in the workplace.
“Whether it’s financially motivated criminal groups or stealthy state-based actors, disgruntled soon-to-be ex-employees or attention-seeking hacktivists, the threat landscape is always evolving. Last year we even supported one organisation who had inadvertently hired three North Korean IT workers who, by all accounts, were model employees and only detected when a third company laptop was issued to the same address.
“The theme of this year’s Threat Report is essentially this: the threats are bigger and better resourced, and the risks are worse than they have ever been. At a time where the global threat landscape is deteriorating and the nature of the threat worsening, we hope that you will read this report and come away better equipped and prepared to weather this storm.”
About CyberCX
CyberCX, part of Accenture, is the leading provider of end-to-end cyber security and cloud services across New Zealand and Australia. With a workforce of 1,400 cyber security professionals, including close to 200 in New Zealand, CyberCX is a trusted partner to private and public sector organisations, helping customers confidently manage cyber risk, respond to incidents, and build resilience in an increasingly complex and challenging threat environment.


