Sponsored by KPMG Australia

Cyberattacks in the age of AI – why your workforce isn’t ready

This Industry Insight is produced in commercial partnership with KPMG

The people within an organisation play a critical role in shielding it from potential cyber threats. Many organisations have long taken steps to build a cyber-resilient workforce by implementing training, conducting phishing campaigns and establishing various internal policies.

Yet, when a serious cyber incident occurs, it’s evident that these efforts have not led to effective action.

Dominika Zerbe-Anders, KPMG Australia cyber risk partner. 

Most cyber incidents still occur as a result of human error. Generic training, misplaced trust in compliance over risk management, rushed decisions, and ignoring warning signs under pressure are all precursors.

At the senior levels of an organisation, an over-reliance on a plan, rather than building the right skills and a synchronised response, further compromises an organisation’s ability to react effectively.

According to KPMG’s Keeping Us Up At Night survey, protecting and dealing with cyber risks is the second-biggest challenge facing Australian business leaders and their organisations this year.

The problem isn’t a lack of effort. It’s a misunderstanding of what it takes to shift behaviour at scale.

Most organisations rely on generic approaches to address targeted human risk, and don’t effectively train and influence their workforce to take ownership and be part of the solution in managing cybersecurity threats. Once an attack has occurred, many senior leaders haven’t exercised or validated their response, nor considered how they will continue delivering core business services in the face of major disruption.

The focus needs to be on building that muscle memory before the threat occurs, rather than relying on antiquated plans and unfamiliar procedures in the aftermath.

So what are high-performing organisations doing to overcome the obstacles to progress?

Sustainable behavioural change

Relying on once-a-year training to reduce human cyber risk is the approach taken by many businesses. But behavioural science shows that awareness alone doesn’t lead to action. People don’t change their behaviour just because they’ve completed a module. Behaviour shifts when it’s: specific to the risk they face; practised in a realistic setting; and reinforced by their environment – not just once a year but regularly and consistently.

Businesses should be using targeted, role-specific interventions, such as simulations, team-based scenarios, and micro-reinforcement tied to individual roles. Moving away from annual training towards a corporate ecosystem where cybersecurity is part of everyone’s daily responsibility will drive a shift in behaviour and develop a culture of shared responsibility.

Cyberattacks increasingly target people with access – senior leaders, finance teams, and staff who can approve transactions or access sensitive systems. When organisations identify their top human risks and focus their efforts on the roles most likely to be targeted, they are on the path to building stronger cyber resiliency.

As AI drives increasingly sophisticated and high-volume attacks, it is a corporate imperative that your people form an active part of your defence strategy.

In practical terms, that means understanding who is exposed to potential fraud, impersonation, or unauthorised access - and preparing them with the right behavioural expectations, decision support, and real-world practice.

When people understand and are prepared for the threats they’re exposed to, they respond faster, flag issues earlier, and stop attacks before they escalate.

Around the boardroom, those who prepare for a major disruption by rehearsing their crisis response and continuity strategies are better placed to weather the disruption of a cyberattack. The reality is, most plans only consider short-term disruption and fail to prepare an organisation for wide-reaching and long-term operational, reputational and financial disruption.

Start with better measurement

Cyber awareness and culture do not need to be abstract. They can and should be measured. But that means looking beyond who completed training or clicked on a phishing email.

If that’s all you’re tracking, you can’t tell whether your program changes behaviour, reduces risk, or delivers real value.

Using behavioural insights and data can help you track how often suspicious activities are escalated, pinpoint systemic and risky behaviours, and measure how human-centric patterns shift over time. These indicators reveal whether secure behaviours are becoming more consistent or where breakdowns are still happening - before they lead to a security incident.

You’re not alone if you’re unsure whether your people are part of your defence or your exposure. Most organisations assume their training or culture efforts are working, but they aren’t measuring, reinforcing, or designing for the behaviours that matter.

Dominika Zerbe-Anders is a KPMG cyber and business resilience partner focusing on human-centric cyber risk and operational resilience. She holds a master’s by research degree in critical infrastructure resilience and leads the KPMG cyber learning unlock solution.

To find out more, please visit KPMG.

Original URL: https://www.afr.com/technology/cyberattacks-in-the-age-of-ai-why-your-workforce-isn-t-ready-20250611-p5m6k8