Somewhere along the way, cyber became ‘IT’s problem.’ That’s worth reconsidering

Blogs

Every board has a fraud policy. A safety policy. A whistleblower policy. Somewhere along the way, cyber earned a much shorter conversation, often filed under “IT problem” rather than “board problem.” That’s an odd place for it to sit, given how common the problem has become.


According to the RSM Australia 2026 Cyber Security Report, a survey of business and IT leaders across 155 medium and large organisations, roughly one in three had been targeted by ransomware or an extortion attempt in the past year alone. Among organisations with more than 1,000 employees, that figure rose to almost one in two. Despite this, a genuine ransomware board discussion remains surprisingly rare. It’s the kind of discussion where someone asks “if this happened to us next month, what would actually happen?” and the room has a real answer, not a general reassurance.


Ransomware isn’t an occasional, unlucky event anymore. It has become a routine cost of doing business in Australia, yet it rarely gets the same standing on the board agenda as other everyday risks.


What ransomware actually is, in plain terms

Before going further, it helps to be clear on what the term actually covers. In simple terms, ransomware is malicious software that locks an organisation out of its own systems and files, or steals sensitive data, and then demands payment to restore access or to prevent that data being published. Attackers typically get in through a phishing email, a stolen password, or an unpatched piece of software, so the entry point is often mundane rather than technically sophisticated.


Two well-known Australian cases illustrate the pattern. In 2022, health insurer Medibank (Published by Queensland Government) had customer data stolen after a contractor’s login credentials were compromised. The attackers demanded a ransom to prevent the data being published, Medibank declined to pay, and personal and medical information was later released online. Similarly, in 2023, financial services provider Latitude Financial (Published by Office of the Privacy Commissioner- New Zealand-Australia) suffered a large-scale data breach after employee credentials were stolen, and the attackers again sought a ransom that the company declined to pay. Both cases show why this is a governance issue rather than a purely technical one. The decisions involved, whether to pay, what to disclose, and when, sat squarely with each organisation’s leadership, not its IT team.


Why this matters at the governance level

Directors aren’t expected to understand the technical mechanics of ransomware. However, they are expected to show they’ve asked sensible questions and acted on the answers, particularly for a risk this common. That’s the standard regulators, insurers and increasingly customers are applying, often reflected in basic cyber governance principles.


The numbers back this up. ASD’s own Annual Cyber Threat Report for the 2024 to 2025 financial year confirms ransomware remained the most disruptive cybercrime threat facing Australian organisations that year, with the frequency of attacks continuing to rise. The seriousness of this shift is reflected in policy too. The Australian Government has now introduced mandatory ransomware reporting for businesses with turnover above $3 million, alongside critical infrastructure entities. The government doesn’t legislate reporting requirements for a rare event. It does so for one that’s become common enough to need consistent, comparable data.


Because ransomware now touches so many organisations, it also touches accountability, reputation, insurance cover, regulatory notification obligations and staff wellbeing all at once. Treating it as “something the IT team handles” leaves a governance gap that’s hard to explain after the fact, especially once a regulator or insurer asks what the board actually knew and did.


What we’re seeing in the real world

Interestingly, the RSM data points to a pattern worth sitting with. Larger, more complex organisations aren’t necessarily better prepared, even though they’re more frequently targeted. The same report found that organisations with more than 1,000 staff lagged behind mid-sized organisations on cyber awareness training and crisis communication planning. Meanwhile, cyber security investment is rising broadly, with most organisations expecting to increase their security budgets over the coming year.


We see something similar in the organisations we work with. Ransomware comes up in conversation often enough that most leaders assume it’s “just part of doing business now,” which, statistically, it is. Yet that familiarity can work against good governance. Because it’s so common, it’s easy to talk about it in general terms without ever testing whether the organisation could actually respond well. As organisations grow and structures become more layered, that follow-up question tends to get asked less often, not more, even as the risk itself becomes more frequent.


What “good” looks like

Given how common ransomware attacks have become, a sensible organisation, regardless of size, can generally show the following:

  • One place where the board can see its main cyber risks explained on a simple dashboard, in plain English, not technical jargon
  • A tested incident response plan, reviewed at least once a year, not just written and filed away
  • Clarity on who within the organisation is authorised to make key decisions during an incident, including any decision about ransom payment
  • Evidence of recent staff awareness activity, along with a record of who has actually completed it
  • The ability to produce a simple cyber summary for the board or an insurer within a day, not a fortnight

None of this requires directors to become cyber experts. It simply requires the organisation to treat a common risk as a common risk, rather than a rare one it hopes to avoid.


How to start the conversation

If your board hasn’t had a genuine ransomware readiness discussion recently, the starting point doesn’t need to be complicated. Begin by mapping what already exists: current policies, any past incidents or near misses, recent staff training records, and the last time the incident response plan was actually tested rather than just reviewed on paper. In practice, that mapping exercise is a lightweight version of a proper cyber security risk assessment.


Even if that picture turns out to be messy or incomplete, putting it in one place makes the gaps immediately visible. From there, given how frequently these incidents now occur across Australian organisations, the board can ask management targeted, ongoing questions instead of a single round of reassurance seeking.


Get started with 4walls

None of this requires a dramatic overhaul. It starts with an honest look at what your board can currently see, and what it can’t.

If you want a quick read on where things stand, our 3 minute cyber starting point check is a reasonable place to begin. For a more considered look, our Board cyber check in walks through the same questions raised here, in the context of your own organisation. Either way, the goal isn’t a bigger security budget. It’s a board that can speak to its own risk with confidence, at 4walls.au.


Get started with 4walls »

Related resources

Blogs
Somewhere along the way, cyber became ‘IT’s problem.’ That’s worth reconsidering
Blogs
What WWDC 2026 reveals about the digital safety gaps most Australian organisations still have not closed
Blogs
Malware, spyware and adware: what your staff are accidentally letting in and how to stop it