Australia's Cyber Security Shift - The Defining 2025 Moments Steering 2026
e2 Cyber • December 11, 2025

An honest reflection on the turning points shaping capability, investment and risk


As 2025 draws to a close, Australia’s cyber security landscape has faced mounting challenges. Shifting threats, increasing pressure on infrastructure, evolving talent shortages, and the growing role of artificial intelligence have made this one of the most testing years for cyber security in recent memory. Jacob Bywater, Director at e2 Cyber, reflects on how the year unfolded for government, business, and everyday Australians, and outlines the practical steps organisations and individuals must take to prepare for 2026.


A Year of Wake-Up Calls

Jacob sums up 2025 simply: “We’ve been going really hard and really fast at a lot of implementation, adding tools and deliberately trying to improve and get better across the country in all industries and all sectors.” He explains that the rapid investment in cyber security was never going to be sustainable indefinitely. “We’re starting to realise that budgets do have caps, and a lot of businesses really are asking questions around the value they are getting out of the products and what they’ve implemented in the last two to three years.”


That tension defined the year. From large enterprises to small businesses, organisations shifted from a rapid deployment mindset to one focused on resilience, sustainability, and operational maturity. “2025 saw a big drive into operational security, looking at what is actually required every single year within cyber security, opposed to things that may have been done as projects,” Jacob says. For many, cyber security stopped being a “project” and became part of the everyday business function.

Jacob notes that the shift has required organisations to look beyond the shiny new tool and focus on the ways people interact with technology. “We started to see the organisations that were succeeding were those that made security part of culture, rather than something imposed from above,” he explains. This mirrors observations in our blog on transitioning from compliance to culture, where embedding security as part of everyday business practice improves both adoption and effectiveness.

The shift could not have come at a more pressing time. The 2024–25 Annual Cyber Threat Report from the Australian Cyber Security Centre (ASD’s ACSC) shows why. Over the year, the Centre responded to over 1,200 cyber security incidents, an increase of 11% from the previous year, and issued more than 1,700 notifications of potentially malicious cyber activity, up 83%.


The Real Threat Landscape

Jacob stresses that while high-profile breaches make headlines, most risks come from the basics. “We see a lot of incidents trace back to misconfigurations, improper deployments, incorrect user settings, and poor identity hygiene. Human error is often the starting point,” he says.


He adds that threats are broad and evolving. State actors and cyber criminals alike are increasingly targeting organisations of all sizes. “It’s not just about technology; it’s about people, processes, and the way organisations prioritise risk.” For example, during 2025, several organisations experienced breaches due to improper implementation of cloud configurations, highlighting how human oversight often has larger consequences than sophisticated attacks.


Jacob also points out that smaller organisations often underestimate the risks they face. “A breach in a small business can be just as devastating as in a large enterprise,” he explains. This aligns with what we have seen and reported on cyber security salaries, where market pressures and limited resources mean smaller businesses may struggle to retain skilled staff capable of managing complex threats.


What Worked in 2025

One of the key lessons from 2025 was the value of maximising existing tools. “Organisations are looking at what they can get out of what they already have,” Jacob explains. Many have seen success simply by using platform features and device protections more effectively, coupled with improved configurations and awareness.

Automation and AI-enabled tools also proved valuable. “We’ve seen good outcomes when technology is combined with well-trained humans who know what to look for and when to escalate. You can’t automate judgement,” Jacob says.


Jacob adds that success often comes from integrating security with business operations rather than keeping it isolated. “Security teams that collaborate with finance, HR, and IT operations have much better visibility over risk and can respond faster,” he observes. By aligning cyber security with broader organisational goals, teams can prioritise resources more effectively and reduce unnecessary duplication of effort.


Fundamentals Still Matter

Jacob emphasises that even basic controls, applied consistently, can significantly reduce risk. Multi-factor authentication, strong passwords, software updates, and regular backups remain crucial. “A control doesn’t have to be complex to be effective,” he notes.

Organisations that prioritised workforce awareness and education also saw measurable benefits. Jacob highlights the importance of creating a culture where cyber security is everyone’s responsibility. He gives a practical example: in one client organisation, improved staff training on phishing scenarios led to a measurable reduction in click rates on suspicious emails, proving that human behaviour remains central to defence.


Talent Pressures and Market Dynamics

The cyber workforce remained under pressure in 2025. Jacob points out that Australia faces a supply shortage rather than a skills shortage. “There are plenty of people with training and willingness, but the number of genuine entry-level roles is limited. Many trained individuals never get meaningful entry opportunities.”


The year also saw organisations favouring specialist contractors over permanent hires, particularly for roles in cloud, identity, compliance, and AI oversight. “Roles that were considered essential two years ago are now seen as nice-to-haves,” Jacob notes.

Despite this, demand remains strong for mid-level professionals with 3–10 years of experience who can adapt across multiple domains. “Flexibility, adaptability, and the ability to translate technical expertise into business outcomes are now more important than any single certification or tool knowledge”, which shows how experience and skill versatility often dictate opportunities and remuneration.


Nurturing emerging talent has taken on renewed importance. “We cannot rely on senior professionals alone; we need structured entry-level pathways, apprenticeships, and mentorships to sustain the workforce into the next decade.” Investment in developing staff is not only a pipeline solution but also a risk mitigation strategy, as skilled and aware employees reduce vulnerability across the organisation.


With that said, there is no magic wand to fix the broken pipeline; it will take an industry-wide solution to truly manage this industry-wide problem.


The Role and Limits of AI in Defence

AI and automation accelerated in 2025, but Jacob cautions against overreliance. “AI has increased the ability to access information if you want to go looking for it, but it is not a silver bullet. Without human expertise, it is very hard to validate what is credible and what is not.”


The future of cyber defence will be a partnership of human judgement and machine scale. “Technology amplifies us, but it cannot replace the context, nuance, and ethical decisions humans bring.” Jacob believes the most effective teams are those that combine AI-driven analytics with human-led interpretation and prioritisation. For example, AI can flag anomalies, but humans must decide whether those flags constitute immediate risk or require escalation.


Looking Ahead to 2026

There are several lessons from 2025 that will guide preparation for 2026:

  • Focus on effective use of existing tools rather than chasing novelty.
  • Prioritise human-centred security through training, awareness, and culture.
  • Maintain visibility and controls over third-party risk.
  • Adopt AI strategically to support human judgement.
  • Strengthen pathways for entry- and mid-level talent to sustain the workforce.


“Cyber security in 2026 will demand foresight, adaptability, and integration across business, technology, and human factors. Those who combine strong fundamentals, smart technology, and empowered people will be the ones who not only survive but thrive.”

Jacob highlights that regulatory pressure and AI-driven threat evolution will continue to challenge organisations. “Businesses that take a proactive, strategic approach will be in a far stronger position than those that react to incidents as they happen,” he notes. This reflects our ongoing research into shifting skill demands and the importance of integrating security into business strategy.


e2 Cyber: Turning Lessons into Action

For e2 Cyber, 2025 reinforced that resilience comes from combining strong fundamentals, operational insight, and human expertise. Jacob Bywater explains, “Our role is to ensure businesses are not only responding to immediate threats but building long-term resilience. Technology is essential, but without the right people, processes, and understanding, even the best systems can fail.”


Throughout the year, e2 Cyber has supported organisations by optimising investments, strengthening workforce capability, and embedding strategic practices that reduce risk. From improving identity and access management to embedding cyber-aware cultures, these actions translate lessons learned into sustainable practices. Such approaches allow teams to focus on higher-value work, while still mitigating everyday risks that often generate the most impact.


Looking forward, e2 Cyber will continue partnering with businesses to navigate the evolving threat landscape. By combining human judgement with technology, providing insight into market trends, and supporting talent development, e2 Cyber helps organisations turn lessons from 2025 into practical advantage.

Jacob concludes, “Resilience is built incrementally, through deliberate practice, continuous learning, and collaboration across teams and sectors. We help ensure organisations are prepared for both the known and the unexpected, creating a foundation for long-term security success in a world where cyber risk is unavoidable but manageable.”


Final Thoughts for 2025

For e2 Cyber, 2025 has been a year of reflection, learning, and recalibration. “What we have seen is that resilience is not built overnight. It comes from combining strong fundamentals, operational insight, and human expertise, and embedding security into culture rather than treating it as a separate function.”

The year reinforced that technology alone cannot secure an organisation. Success depends on people, processes, and an awareness-driven culture. By focusing on human-centred security, practical use of existing tools, and proactive workforce development, organisations can reduce risk and build long-term strength.


Looking ahead to 2026, Jacob emphasises the importance of anticipation and adaptability. “The threats are evolving, AI is becoming more sophisticated, and regulatory expectations are increasing. Organisations that combine strategic foresight, empowered people, and smart technology will be the ones that not only survive but thrive.”

For e2 Cyber, this means continuing to partner with businesses to turn lessons from 2025 into actionable advantage. From developing talent pipelines to strengthening operational practices, the focus is on enabling organisations to manage risk confidently while preparing for the challenges ahead. Jacob concludes, “2025 has taught us that cyber security is never static. Continuous improvement, collaboration, and a people-first approach are what allow organisations to meet today’s threats and anticipate tomorrow’s opportunities.”


From all of us at Team e2 Cyber, thank you for being part of our 2025 journey and here’s to a successful and secure 2026!

