Tech Translated

IT Security & Technology Blog

Practical IT insights for Australian businesses. Our team covers cybersecurity advisories, compliance updates, and plain-English explainers on the technology your business relies on, published regularly as the landscape shifts.

Whitepaper hero graphic: Ransomware hit 1 in 3 Australian organisations and a quarter of staff won't report mistakes

Author: Dan Briggs  |  Published: 6 July 2026  |  Reading time: 17 minutes

Executive summary: Two research reports released in the first week of July 2026 tell an uncomfortable story about Australian workplaces. The RSM Australia 2026 Cyber Security Report, published on 2 July 2026, found that 35 per cent of the 155 medium and large Australian organisations surveyed were targeted by ransomware in the past 12 months, and one in five suffered a data breach — yet 97 per cent of the same organisations said they were confident in their ability to protect sensitive customer information. In the same week, KnowBe4 research covering 200 employees and 75 leaders across Australia and New Zealand found that one in four employees are too embarrassed to report a security mistake, and 56 per cent admit that time pressure leads them to knowingly make risky decisions. Put those together and you get the real risk picture for 2026: the attack will probably get in through a person, and that same person may sit on the news for hours or days. This whitepaper explains what both reports found, what your legal reporting obligations now look like under Australia’s ransomware payment reporting rules (enforced since 1 January 2026), and gives you a practical no-blame reporting playbook you can put in place this month.

What the RSM report found: confidence versus reality

The RSM Australia 2026 Cyber Security Report surveyed business and IT leaders from 155 medium and large Australian organisations. The headline finding, reported by Cyber Daily on 3 July 2026, is blunt: 35 per cent of surveyed organisations were targeted by ransomware or a cyber extortion attempt in the past 12 months. Among organisations with more than 1,000 employees, that figure rose to 49 per cent — essentially a coin flip.

The finding that should worry business owners more is the gap between confidence and outcomes. According to the RSM Australia 2026 Cyber Security Report, one in five surveyed organisations suffered a data breach in the past 12 months, while 97 per cent said they were confident in their ability to protect sensitive customer information. Both numbers cannot be right. When a fifth of organisations are breached in a single year but nearly all of them believe their data is safe, the confidence is doing the work that controls should be doing.

RSM partner Ashwin Pal put it plainly: the findings should be raising serious questions for boards, executives and IT leaders, and senior management needs to be demanding proof of resilience through testing, metrics and independent assurance. That word — proof — is the one to hold onto. Confidence is a feeling. Evidence is a test result, a restore log, a tabletop exercise report with dates on it.

There is genuine good news in the report. Cyber security investment keeps growing, with 91 per cent of organisations expecting to increase their security budgets over the coming year, and 59 per cent now test their incident response plans at least quarterly. Both figures are meaningfully better than what we saw across the market even three years ago. But budgets and plans are inputs. The RSM data shows the outputs — breach and ransomware rates — are still moving in the wrong direction, which suggests money is not always landing where the actual risk sits.

And where does the actual risk sit? Overwhelmingly, with people under pressure clicking, approving, replying and — critically — staying quiet afterwards. That is where the second report comes in.

The quiet problem: staff who will not speak up

In the same week as the RSM report, security awareness firm KnowBe4 released research titled From Agentic Risk to Human Wins, with an Australia and New Zealand sample of 200 employees and 75 business leaders. As Cyber Daily reported on 3 July 2026, one in four ANZ employees said they are too embarrassed to report a security mistake.

Sit with that for a moment. If you have 20 staff, roughly five of them would hesitate to tell you they clicked a bad link, approved a dodgy MFA prompt, or emailed a spreadsheet to the wrong address. Not because they are careless — because they are embarrassed, or worried about blame.

The same KnowBe4 research found that 56 per cent of employees admit time pressure and distractions cause them to knowingly make risky decisions — they know the correct process and skip it anyway because they are busy. And the deepfake numbers expose how far apart leaders and staff have drifted: 88 per cent of leaders were confident their employees could identify deepfake content, while 85 per cent of employees said such content is now too realistic to reliably spot.

Dr Kawin Boonyapredee, CISO adviser at KnowBe4, described the leadership-employee gap as a cultural challenge: if employees are concerned about blame or judgement, they hesitate to speak up, and that silence creates risk that even the most advanced security controls cannot mitigate. It only takes one unreported mistake or one delayed escalation for an incident to become something much larger.

We would go further. In our experience, the reporting gap is the single most underpriced risk in Australian small and mid-sized businesses — bigger than any individual missing patch, because it multiplies every other weakness you have.

What silence actually costs

Here is a pattern we see repeatedly in the client environments we support across Sydney, Brisbane, Melbourne and Central West NSW, and it lines up exactly with what KnowBe4 measured: serious incidents almost never announce themselves through a security dashboard first. They surface as an ordinary help desk ticket — my mailbox is doing something odd, a client says they got a strange invoice from us, I cannot open my files — and by the time that ticket lands, the initial mistake is often 24 to 72 hours old. The click happened on Tuesday; we hear about it on Thursday or Friday. The gap between the mistake and the report is where the damage compounds: mail rules get planted, credentials get resold, invoices get altered, and a nuisance becomes a crisis. When staff report within the hour — and some of our clients have built exactly that culture — the same incident is usually a password reset, a session revocation and a short investigation rather than a claim on the cyber insurance policy.

The dollars back this up. According to the Australian Signals Directorate’s Annual Cyber Threat Report 2024–25, published in October 2025, ASD received over 84,700 cybercrime reports in the 2024–25 financial year — one every six minutes. The average self-reported cost of cybercrime for a small business rose 14 per cent to $56,600 per incident, and the average across businesses overall rose 50 per cent to $80,850. For a professional services firm or a hospitality group running on tight margins, that is not an IT line item. That is a quarter’s profit.

Those averages hide the time dimension, and time is the thing your reporting culture controls. Almost every cost driver in an email compromise or ransomware event — how many mailboxes were touched, whether the attacker reached your accounting system, whether backups were tampered with, whether client data left the building — scales with how long the attacker had before someone raised a hand. Your firewall cannot buy back those hours. Your staff can.

Attackers understand workplace psychology better than most managers do. The criminal groups behind today’s attacks — increasingly organised as ransomware-as-a-service franchises — deliberately engineer their lures around embarrassment and urgency: fake HR complaints, fake unpaid-invoice threats, fake IT support calls that make the victim feel complicit. A staff member who has just been talked into installing a remote access tool is precisely the person least likely to volunteer that information. Your incident response plan needs to assume that shame is part of the attack chain.

Reporting obligations that now carry penalties

The internal reporting gap matters more in 2026 because the external reporting clock is now enforced by law. Australia’s mandatory ransomware payment reporting scheme, created under the Cyber Security Act 2024, commenced on 30 May 2025. If your business has an annual turnover above $3 million (or you are responsible for a critical infrastructure asset) and you make a ransomware or cyber extortion payment — or someone makes one on your behalf — you must report it to the Australian government within 72 hours, according to the Department of Home Affairs factsheet.

The first six months ran as an education-first grace period. That is over. Since 1 January 2026, the Department of Home Affairs has moved to an enforcement posture, and non-compliance risks civil penalties of up to 60 penalty units — currently $19,800 — as law firm Gadens and others have detailed. The penalty is not the real cost, though. The real cost is discovering, mid-crisis, that nobody in your business knows the obligation exists, which report goes where, or who is authorised to decide any of it.

Here is the external reporting landscape as it stands in July 2026:

Obligation Who it applies to Deadline Where it goes
Ransomware payment report (Cyber Security Act 2024) Businesses with annual turnover above $3 million, and responsible entities for critical infrastructure assets, that make a ransom or cyber extortion payment Within 72 hours of the payment being made Department of Home Affairs / ASD via ReportCyber
Notifiable Data Breaches scheme (Privacy Act 1988) Most organisations with annual turnover above $3 million, plus health providers and some others regardless of size Assess a suspected breach within 30 days; notify the OAIC and affected individuals as soon as practicable once an eligible breach is confirmed Office of the Australian Information Commissioner (OAIC)
Cybercrime report (voluntary but strongly recommended) Any business or individual As soon as possible ReportCyber at cyber.gov.au
Cyber insurance notification Any policyholder Per policy — often within 48–72 hours, and before incurring response costs Your insurer or broker

Notice the shape of the problem: every external clock starts ticking from the moment of the incident, not from the moment management finds out. If a staff member sits on a mistake for three days out of embarrassment, they have not just delayed your response — they may have quietly consumed your entire legal notification window before you knew you had one.

Why mid-sized organisations are quietly winning

One of the most interesting findings in the RSM report got the least attention: organisations with 201 to 1,000 employees consistently outperformed both smaller and larger businesses across a range of security measures, particularly digital identity management. Pal noted they are leading adoption by a meaningful margin across every identity measure, including biometric and password-less authentication, and suggested that among the largest organisations, complexity, bureaucracy and rollout friction erode the effectiveness of controls. The 1,000-plus cohort also lagged on awareness training and crisis communication planning — despite being attacked the most.

The mid-market sweet spot makes sense when you break it down. These organisations are big enough to have dedicated security ownership, budget and standardised systems, but small enough that a decision made on Monday is rolled out by Friday, and staff still know who to call when something feels wrong. No six-month change advisory pipeline. No diffusion of responsibility across four departments.

Our observation from a decade of managing IT for Australian SMBs is that a small business does not need 200 staff to get mid-market results — it needs the two ingredients that make the mid-market work: standardisation and short reporting lines. A 15-person accounting practice with enforced MFA, one standard way of sharing files, a tested backup and a boss who reacts to bad news with thanks rather than blame will outperform a 2,000-seat enterprise on the metrics that decide whether an incident becomes a disaster. This is also, frankly, the argument for working with a managed IT provider: you are borrowing the standardisation, tooling and disciplined identity management of a much larger security operation while keeping the short reporting lines of a small one. The baseline controls to standardise on have not changed even as the framework around them is refreshed — see our recent whitepaper on ASD retiring the Essential Eight and what the new Essentials framework means.

The view from our clients: Sydney, Brisbane and the Central West

The RSM survey covered medium and large organisations, but we would argue its confidence-gap finding applies with more force to the smaller end of town, and with particular force outside the capital cities.

Across our Central West NSW client base — accounting and legal practices, agribusiness suppliers and not-for-profits in Orange, Bathurst and Dubbo — the typical firm has 5 to 40 staff, no internal IT role, and one person (usually a practice manager or partner) who absorbed responsibility for technology by default. In that environment, the KnowBe4 numbers are not abstract. When one in four employees nationally will not report a mistake, and your entire escalation path is one busy person who also runs payroll, the odds of a Tuesday click surfacing before Friday are poor. Regional professional services firms also now hold more sensitive data than ever: since 1 July 2026, accountants, lawyers and real estate agents captured by Australia’s tranche 2 anti-money-laundering reforms are collecting and storing more client identity documents, which makes them richer targets at exactly the moment their reporting obligations tightened.

Sydney and Brisbane hospitality clients show the other version of the same problem. Venues run on casual staff, shared devices behind the bar, and constant time pressure — the exact conditions the KnowBe4 report links to knowingly risky decisions, and the same venues where basic controls are still patchy, as we covered when recent research found most hospitality venues still skip MFA. A duty manager mid-service who realises they entered the venue’s email password into a fake supplier portal is not going to interrupt a full dining room to confess, unless you have made it explicitly, repeatedly clear that the call is welcome at any hour and that nobody has ever been punished for making it.

The common thread from our incident work in both settings: the businesses that came through incidents cheaply were not the ones with the most expensive tools. They were the ones where the first phone call happened fast.

A no-blame reporting playbook for your business

You cannot buy a reporting culture, but you can build one in about a month. Here is the playbook we implement with clients, in order.

  1. Write a one-page no-blame reporting policy — this week. One sentence matters most: staff who promptly report a security mistake will never face disciplinary action for the mistake itself. Have the owner or managing partner sign it, not IT. Shame is a leadership problem, so the fix has to visibly come from leadership.
  2. Give staff one reporting channel, and make it easy. A monitored email address, a phone number, or the Report button in Outlook — pick one primary path and put it on posters, in onboarding, and in email signatures for internal mail. If reporting takes more than 60 seconds, busy people will not do it. Remember the KnowBe4 finding: 56 per cent already skip correct process under time pressure. Design for that reality.
  3. Say thank you in public, every time. When someone reports a phish — even a false alarm, even something they clicked — acknowledge it in the team channel or the Monday meeting. What gets praised gets repeated. Some of our clients keep a lighthearted tally; the winner is whoever reported fastest, not whoever avoided clicking.
  4. Rehearse the first hour. Run a 45-minute tabletop twice a year: a staff member admits they approved an MFA prompt they should not have. Who do they call? Who isolates the account? Who decides on external notifications? The RSM report found 59 per cent of medium and large organisations now test incident response at least quarterly — smaller firms should manage twice a year at minimum.
  5. Map your external reporting obligations before you need them. Print the table above, fill in your insurer’s hotline and your IT provider’s emergency number, and confirm who in the business is authorised to make the calls. If your turnover is above $3 million, make sure at least two people know the 72-hour ransomware payment reporting rule exists.
  6. Close the technical gaps that punish slow reporting hardest. Enforce MFA everywhere, restrict mail forwarding rules, keep one tested offline or immutable backup, and turn on the alerting that surfaces compromise even when humans stay silent. Culture is the fix for the first hour; controls are the fix for the days you do not get a first hour.
  7. Retrain for 2026 threats, not 2019 threats. If 85 per cent of employees say deepfakes are too realistic to reliably spot, training that ends with spot the dodgy email is out of date. Shift the lesson from detection to verification: any unusual request involving money, credentials or software installs gets verified on a known number, no matter how convincing the voice or video looks.

Here is the same playbook as a quick-reference action table:

Action Owner Timeframe Cost
Signed no-blame reporting policy Owner / managing partner This week Nil
Single 60-second reporting channel IT provider / practice manager This week Nil to minimal
Public recognition of reporters Team leaders Ongoing Nil
First-hour tabletop exercise Leadership + IT provider Within 30 days, repeat six-monthly One hour of staff time
External obligations map (72-hour rule, NDB, insurer) Leadership Within 30 days Nil
MFA, forwarding restrictions, immutable backup, alerting IT provider Within 60 days Modest — mostly included in existing licences
Verification-based awareness training IT provider / HR Next training cycle Modest

None of the culture items costs money. That is worth emphasising in a year when 91 per cent of organisations are increasing security budgets: the highest-return security control available to Australian businesses in 2026 is a sentence from the boss, repeated until it is believed — if you see something or you did something, tell us straight away, and you will be thanked for it.

Frequently asked questions

Do we have to report a ransomware attack in Australia?

It depends on what happened. If your business has an annual turnover above $3 million and you make a ransom or cyber extortion payment, you must report it to the Australian government within 72 hours under the Cyber Security Act 2024, with civil penalties of up to $19,800 for non-compliance now being enforced. Separately, if personal information was accessed or disclosed in a way likely to cause serious harm, the Notifiable Data Breaches scheme requires you to notify the OAIC and affected individuals. Reporting the attack itself to ReportCyber is voluntary but strongly recommended.

Should we pay a ransom?

The Australian government strongly discourages paying. Payment does not guarantee data recovery, may expose you to sanctions risk depending on who receives the money, and marks you as a payer for future attacks. If payment is ever contemplated, it should only happen with legal advice, insurer involvement and awareness of the 72-hour reporting obligation. The better investment is a tested, isolated backup that removes the attacker’s bargaining power before the question ever comes up.

How do we get staff to actually report mistakes sooner?

Remove the two things stopping them: fear and friction. Put in writing, signed by the owner, that prompt reporting of a mistake will never lead to discipline for the mistake itself. Then give staff one reporting channel that takes under a minute to use, and publicly thank every reporter — including the false alarms and the people who clicked. Businesses that do this consistently see near-miss reports rise within weeks, which is exactly what you want: every report is a rehearsal for the one that matters.

We are a small firm with no IT team. Where should we start?

Start with the free items: the no-blame policy, the single reporting channel and the external obligations map — all achievable inside a fortnight. Then have a professional confirm your technical baseline: MFA on every account, mail forwarding locked down, one backup an attacker cannot reach, and monitoring that raises the alarm when humans do not. A managed IT provider gives a 10-person firm the same standardised controls and short escalation path that the RSM data shows mid-sized organisations use to outperform everyone else.

If the numbers in this whitepaper feel uncomfortably plausible for your business, that is worth a conversation. All IT Services supports professional services firms, hospitality venues and not-for-profits across Sydney, Brisbane, Melbourne and Central West NSW — and we have run the first hour of an incident more times than we can count. Call us on 1300 425 548 or get in touch online for a plain-English review of your reporting readiness, your obligations, and the controls that decide how much a bad Tuesday ends up costing.