Risk and Security Report 2025
15 September 2025
82% of Australian business leaders have a holistic security risk management plan, but critical vulnerabilities are still being overlooked – with 70% of organisations failing to conduct due diligence on their key suppliers.
In partnership with YouGov, McGrathNicol’s third annual Risk and Security Report shows that cyber threats continue to dominate executive concerns. Over two-thirds of respondents (67%) rank cyber risks among their top five business challenges, and almost half (49%) expect cyber risks to increase in severity over the next 12 months. Geopolitics has also emerged as a key challenge, with 80% of organisations anticipating that global changes will impact local operations. Genuine resilience requires comprehensive programs that address the interconnected nature of security risks, including threats to the supply chain, insider risks, financial pressures, and changes to the broader geopolitical landscape.
Key Takeaways
Increased regulatory efforts are having the desired effect
A comprehensive risk management program includes identification of potential risks, actions taken to mitigate such risks, and crisis planning for scenarios likely to undermine an organisation’s ability to respond and recover. Encouragingly, 82% of respondents say they have a holistic security risk management plan, due in part to regulatory changes.
Most Australian organisations (90%) have established a single accountable authority to oversee security risk management.
Greater executive visibility and support is being achieved, with 57% of security leaders reporting to the CEO.
Warning signs persist, pointing to a lack of connected thinking
Business leaders remain focused on enhancing their cyber detection and response capabilities. However, in doing so, they are neglecting other areas exposed to cyber risk, such as supply chain and counterparty security.
Critical vulnerabilities are being overlooked, with 70% of organisations failing to conduct due diligence on key suppliers.
When it comes to performance and supplier evaluations, 71% of organisations are not considering their suppliers’ own security as a key metric.
Elevating resilience must be a board and executive priority
There is a continuing need to enhance and improve preparedness through integrated security and risk management. Business leaders can look to industries such as Financial Services and consider implementing similar ‘best practice’ frameworks as those under APRA CPS 230 and the risk management recommendations under the Security of Critical Infrastructure (SOCI) Act.
Business Continuity Plans must be continually updated and tested, yet 30% of respondents say their key executives are too busy or do not see the need to address this.
AI – a dual challenge and opportunity
Respondents recognise that AI adoption will drive business benefits but many commented on the potential for new security, governance, regulatory, ethical, and data privacy challenges.
Forward-looking organisations are exploring AI-enabled defences, automated incident response and continuous security monitoring to strengthen their cyber capabilities.
Organisations must balance innovation with strengthening enterprise-wide risk frameworks including establishing ethical AI use guidelines, training staff in responsible AI use and taking a holistic view when reviewing security investments.