Most “cyber threats in 2026” articles are vendor marketing dressed as analysis. This isn’t that. Below is what’s changed in the public data over the past 12 months, mapped against what we see in client environments — drawn from IBM’s 2025 Cost of a Data Breach Report and the ACSC’s Annual Cyber Threat Report.
The headline number that matters
IBM’s 2025 report puts the average cost of a data breach in Australia at USD $2.55 million (about AUD $3.9m). That number is widely cited and on its own says very little — it’s an average across very different organisations. The number that should worry SMB leaders is the global mean time to identify and contain a breach: 241 days. Nine months in which an attacker has dwell time inside the environment. Down from 258 days in 2024, but still nowhere near operational.
For Australian organisations specifically, the 2024 IBM data put the local MTTI+MTTC at 266 days — eight days slower than the then-global average. The 2025 report doesn’t break out Australia’s lifecycle separately, but there’s no public data suggesting we’re suddenly faster than the global mean.
Three shifts changing the playbook
Below are the three patterns that have changed how we think about controls in 2026. They’re not speculative — they’re what the public data shows and what we see in client environments week to week.
1. AI-assisted phishing has overtaken obvious-tell phishing
IBM’s 2025 data shows phishing has replaced stolen credentials as the #1 initial attack vector (16% of all breaches, average cost USD $4.80m). The shift matters because the emails themselves have moved past obvious tells — LLM-generated copy, correct logo treatments, plausible vendor pretexts. Generative AI also halved the time required to craft a convincing phishing email, according to IBM. Detection now relies more on protocol signals (sender domain authentication, link analysis, behavioural cues) than on user judgment.
2. Supply-chain compromise is now the second-most-common (and longest-dwell) attack vector
Vendor and supply-chain compromise jumped to second place (15%) in 2025, with the highest mean time to identify and contain of any vector at 267 days. Translation: when one of your software vendors is breached, the attacker spends close to nine months inside the supply chain before anyone notices. SMBs increasingly inherit risk from the SaaS stack they buy. Vendor risk management has stopped being an enterprise concern.
3. Token theft has not gone away — and vanilla MFA isn’t enough
Adversary-in-the-middle phishing kits (EvilProxy and similar) are cheap, effective, and reduce the value of SMS- or push-based MFA. The fix isn’t more MFA — it’s phishing-resistant MFA (FIDO2 / passkeys) plus conditional access policies that detect unusual session contexts. The IBM 2025 data confirms compromised credentials remain the highest-cost vector at USD $4.67m on average, just behind phishing.
What actually moves the needle
From the IBM 2025 data: organisations with extensive use of security AI and automation save an average of USD $1.9 million per breach and reduce identification and containment time by 80 days. That’s not us editorialising. It’s what the data shows.
The controls that public benchmarks correlate with the fastest containment times are, in order:
- 24/7 managed detection and response (MDR) with tier-2 analyst response — not just SIEM with alerts going to a dashboard
- EDR with auto-isolation on behavioural detections
- Phishing-resistant MFA (FIDO2 / passkeys), not SMS or push notifications
- Documented and rehearsed IR playbook with named owners
- Immutable backups with tested restores
Notice what’s not on that list: any specific product. The pattern that matters is having operationalised controls — not which vendor logo is on the dashboard.
The harder question for leaders
Most boards we speak to ask “are we secure?”. The better question is “how would we know if we weren’t?”. If the answer is “we’d notice”, the gap is the 241-day dwell time. If the answer is “our MSP or MDR provider would tell us within a defined window”, you’re asking the right question. The follow-up is whether the contract actually says that, and whether the provider has the detection capability to back it up.
Cybersecurity buying in 2026 is less about which tools you have and more about whether someone is paid, contractually, to read the alerts at 3am — and act on them.
What to do this quarter
Three things any business leader can act on inside a single quarter, in order of cost-effectiveness:
- Roll out phishing-resistant MFA (passkeys) on the 10–15 accounts with privileged access. Most Microsoft 365 tenants ship with the capability — it just needs to be enabled and enforced. Roughly a day of work.
- Run a tabletop exercise. One hour, with leadership, walking through a ransomware scenario from detection to communications. The gaps surface themselves.
- Test your backups. Not “verify they ran”. Actually restore a server to a test environment and time it. If you can’t, that’s the answer.
If any of those feel daunting to scope, that’s the discovery-call conversation. Book 15 minutes — we’ll talk you through what good looks like for a business your size.
Related reading
- Symsafe cybersecurity services — the Secure MSA plan
- Essential Eight, explained for Australian SMBs
- EDR vs MDR — what AU SMBs actually need
Sources: IBM, “Cost of a Data Breach Report 2025: The AI Oversight Gap”, August 2025. ACSC Annual Cyber Threat Report (latest edition).