

      Cyber security is a strategic business risk for the mid-market

      Cyber security has moved decisively beyond being a technical issue and is now a board‑level priority. For private and mid‑market organisations, it is a strategic business risk that directly affects value, trust, growth and resilience. The combination of hybrid work, accelerated cloud adoption, expanding digital supply chains and rising regulatory scrutiny has enlarged the attack surface, just as threat actors adopt artificial intelligence (AI) to operate at unprecedented scale and speed.

      AI has fundamentally changed the threat equation. Attacks that once required skill, time and careful reconnaissance can now be automated, personalised and deployed continuously. The result is a threat environment that is more persistent, more convincing and far harder to detect. Organisations that fail to keep pace face not only operational disruption, but lasting reputational damage and erosion of stakeholder confidence.



      Why cyber security matters

      High‑profile cyber incidents in Australia and overseas demonstrate how quickly a single compromise can escalate into a full business crisis. Australia has recorded its highest number of Notifiable Data Breach reports in recent years, with malicious attacks remaining the dominant cause. For mid‑market organisations, the impacts are often disproportionately severe.

      A cyber incident can freeze operations, delay payroll and payments, interrupt supply chains, and expose sensitive customer or employee data. Financial losses extend beyond ransom demands to include legal costs, regulatory penalties, lost revenue, higher insurance premiums and long‑term customer attrition. In parallel, directors and executives face increasing scrutiny over governance, due diligence and risk oversight.

      Most importantly, many of these incidents did not originate from exotic attacks, but from basic failures in identity security, patching and third‑party access. These gaps are increasingly exploited as entry points by sophisticated adversaries.



      The modern cyber threat landscape

      Many of the most damaging cyber attacks still rely on well‑known techniques. AI has not replaced these old threats; it has accelerated them, dramatically increasing the scale, sophistication and success rate of attacks.

      Persistent threats

      Many cyber attacks use well‑known techniques that remain highly effective, including:

      • Phishing and credential theft leading to Business Email Compromise (BEC), invoice fraud and payroll redirection.
      • Ransomware with data exfiltration, targeting organisations directly or via smaller suppliers with weaker controls.
      • Service disruption, including DDoS attacks and 'living‑off‑the‑land' techniques that abuse legitimate system tools to evade detection.

      The risk lies not only in these threats themselves, but in the false sense of security that can arise when they are perceived as 'old'.

      Threats supercharged by AI

      AI has dramatically increased the scale, sophistication and success rate of attacks:

      • AI‑generated phishing now mimics writing style, local language, internal terminology and organisational context.
      • Deepfake audio and video impersonation of executives enables highly convincing payment and supplier‑change fraud.
      • GenAI application risks, including prompt injection, insecure output handling, data leakage, model theft and over‑reliance on automated decisions.


      Attackers no longer need perfect English or custom malware. AI enables convincing impersonation, rapid probing and automated exploitation, at machine speed.
      Gergana Winzer

      Partner, Cyber Security – Mid-Market Lead

      KPMG Australia



      Core cyber risks: Failing to get the basics right

      One of the most significant risks facing mid‑market organisations is not advanced AI attacks; it is inconsistent execution of foundational controls. Poor identity hygiene, unpatched systems, excessive privileges and untested backups continue to account for the majority of breaches.

      Failure to implement the essentials creates compounding risk. A single stolen credential can bypass perimeter controls, enable lateral movement, and undermine investments in monitoring or incident response. In the AI era, these weaknesses are identified and exploited faster than ever.



      Take a practical, risk-based approach to cyber security

      Effective cyber security should enable business strategy, not slow it down. For mid‑market organisations, the goal is right‑sized protection aligned to risk, value and growth ambitions.

      Consistent implementation of the ACSC Essential Eight remains the strongest foundation for cyber resilience; key controls include:

      • Phishing‑resistant multi‑factor authentication (MFA) for all users
      • Timely patching of internet‑facing applications and operating systems
      • Application control and macro hardening
      • Regular, tested and immutable backups.

      These controls substantially reduce the likelihood and impact of ransomware, data theft and identity compromise.

      Prevention must be paired with rapid detection and response. Endpoint, network and identity telemetry, supported by 24×7 monitoring, reduces dwell time and limits blast radius.

      Identity is the new perimeter. Removing dormant accounts, enforcing least privilege, and continuously reviewing OAuth permissions are critical, especially as cloud and SaaS platforms become primary targets.

      Third‑party compromise has become a systemic risk. Organisations must validate supplier controls and design operational resilience for critical dependencies.

      • Governance
        Use the National Institute of Standards and Technology (NIST) AI Risk Management Framework to set roles, guardrails and testing across its Govern, Map, Measure and Manage functions.

      • Secure AI Engineering
        GenAI solutions should be treated as high‑risk software. Controls such as input validation, output sandboxing, retrieval isolation and strict secrets management are essential.

      • Fraud‑resilient processes
        In a deepfake era, visual or voice confirmation is no longer sufficient. Payments and supplier changes must use out‑of‑band verification and dual control.

      Cyber resilience is a whole‑of‑business capability. Organisations should maintain and regularly test incident response plans covering ransomware, data breaches, Business Email Compromise (BEC) and AI‑enabled fraud.

      Rapid containment, clean recovery and clear communication are critical to reducing long‑term impacts.



      Looking ahead: Post quantum cryptography risks

      Quantum computing introduces long‑term risks to today’s cryptography, particularly for sensitive data with extended confidentiality requirements. 'Harvest now, decrypt later' attacks, in which encrypted traffic is captured today so it can be decrypted once a sufficiently capable quantum computer exists, are already a strategic concern worldwide.

      Post‑quantum cryptography is no longer theoretical, and early planning protects long‑lived data and avoids rushed transitions later.

      To be prepared, organisations should inventory cryptographic usage, design for crypto‑agility and begin piloting post‑quantum cryptography in high‑value scenarios.



      How KPMG can help

      Organisations that invest in cyber security fundamentals and future‑ready capabilities gain measurable benefits, including reduced incident frequency and severity, stronger customer and partner trust, improved regulatory confidence and greater operational resilience. Most importantly, security becomes an enabler of innovation rather than a constraint.

      KPMG supports private and mid‑market organisations with pragmatic, risk‑aligned cyber security uplift, from Essential Eight maturity and 24×7 detection to AI risk governance and post‑quantum readiness.




      Sources

      • ACSC Essential Eight Maturity Model (updated Nov 2023): cyber.gov.au
      • Microsoft Threat Intelligence, Midnight Blizzard tradecraft and guidance (Oct 2024): microsoft.com/security/blog
      • OAIC Notifiable Data Breaches Report (2024): oaic.gov.au
      • DP World Australia cyber incident statements (Nov 2023): dpworld.com
      • Change Healthcare ransomware timeline and industry impact (2024–2025): TechCrunch, AHA
      • OWASP Top 10 for LLM/GenAI Applications: owasp.org/genai
      • NIST AI Risk Management Framework 1.0 (Jan 2023): nist.gov
      • NIST Post‑Quantum Cryptography standards (FIPS 203/204/205, Aug 2024): csrc.nist.gov
      • ASD/ACSC, Planning for post‑quantum cryptography (updated Sept 2025): cyber.gov.au