Perspectives on cyber risk: new threats and challenges in 2022

04.05.2022 Paul Kallenbach, Susan Kantor, Alexandra Consiglio

Our 2022 cyber risk report reveals an increasingly challenging cyber security landscape. Organisations face geopolitical threats, increasing ransomware attacks and new legislation. How can organisations mitigate risk?

For Australian organisations, cyber resilience is more important than ever.

In the seventh edition of our Perspectives on Cyber Risk report, our findings point to a dangerously evolving cyber landscape. Organisations are facing a greater volume of cyber attacks. They are suffering increasingly severe financial and reputational consequences, and are more exposed than ever across complex supply chains.

Lawmakers and regulators are responding accordingly.

Organisations must comply with new laws, including the new Security of Critical Infrastructure (SOCI) legislation and ransomware-specific regulation, and Privacy Act amendments have been proposed.

Privacy and corporate regulators, such as the Office of the Australian Information Commissioner (OAIC), the Australian Securities and Investments Commission (ASIC), the Australian Competition and Consumer Commission (ACCC) and the Australian Prudential Regulation Authority (APRA), have put organisations on notice that they will take enforcement action against those who fail to comply with regulatory obligations and standards.

But with proper planning, there are steps organisations can take to protect themselves and mitigate cyber risk.

In this Report, we discuss insights and trends revealed by both our annual survey and our qualitative interviews with information security leaders. We look at the evolving regulatory landscape, how cyber risk measures are impacting specific industries, and what organisations should consider doing now.


“Cyber risks are higher than ever and their impacts increasingly severe – every organisation needs to take steps to respond accordingly.”
Paul Kallenbach


Find out about the increasingly threatening cyber risk landscape and what your organisation can do about it.

Cyber risk survey findings

of respondents have personally received an obvious phishing email or ransomware security threat in the last 12 months


of respondents said that cyber security risk ranks as high risk (top five) on their organisation’s corporate risk register

of respondents said they have taken steps to assess their cyber security maturity against an established framework

of respondent organisations were subject to at least one cyber security incident in the past 12 months that compromised their systems or data

Key takeaways in Perspectives on Cyber Risk 2022

With ransomware attacks more prevalent, the cyber risk landscape is becoming increasingly threatening.

2020-21 saw a 15% increase in ransomware-related cybercrime compared to the previous financial year, as reported in the Australian Cyber Security Centre’s Annual Report. In 2020-21, the ACSC responded to nearly 160 cyber security incidents related to ransomware.

Many organisations we interviewed told us they had received additional budget to mitigate a ransomware attack – though few had developed a ransomware playbook to implement should one occur.

Governments around the world are responding. The Australian Government released its Ransomware Action Plan in October 2021, which sets out its intention to introduce ransomware-specific laws.

Board awareness and education is a primary concern as the risks escalate and the stakes become higher.

Increased regulation (including the new SOCI laws) imposes onerous new obligations on organisations across many sectors of the economy.

Within that context, Board members are increasingly exposed – both legally and reputationally – if they are not making informed and proactive decisions to manage cyber risk.

Australian organisations are finding it difficult to fill specialist cyber security roles.

Many organisations said that finding qualified and experienced IT security personnel continues to be a significant challenge. This is exacerbated by the ‘great resignation’ and global resourcing issues, but the cyber resourcing problem predates them.

Cyber insurance is becoming increasingly difficult to obtain – and is not a panacea.

In our one-on-one interviews, technology and information security leaders told us that cyber insurance is becoming increasingly expensive and its coverage more limited – both in terms of the extent of policy exclusions, and the lower available limits.

Leaders recognise that cyber insurance is not (and has never been) a panacea for cyber risk. They must continue to take proactive steps to uplift their cyber resilience.

Practical steps to mitigate cyber risk

Align cyber security measures with an external framework

Organisations should assess their cyber security maturity, and align it with external frameworks such as the ASD Essential Eight Maturity Model or the NIST Cybersecurity Framework.

Conduct cyber incident response plan drills

Cyber incident response plans must be regularly tested and updated to reflect an ever-changing environment. They need to be aligned to broader risk management.

Train and educate employees

Human error still plays a key part in many serious cyber incidents. Organisations should not underestimate the insider threat. They should also continue to invest in and improve their security architecture.

Understand compliance obligations

Organisations need to urgently address new regulatory obligations under the SOCI laws. They should also consider pre-emptively preparing for the likely imposition of new privacy and cyber-related regulation.

Available now

Perspectives on Cyber Risk 2022

Talk to us about how we can help you take proactive steps to uplift your organisation's cyber resilience.