Australian organisations face cyber compliance overload as attacks accelerate
Australian organisations navigating cyber compliance requirements face one of the most complex regulatory environments in the world, while cybercriminals operate without constraint, speed limits, or compliance obligations. This imbalance creates systemic risk.
Expanding Cyber Compliance Requirements in Australia
Organisations must comply with an expanding web of cybersecurity and privacy requirements, from the Security of Critical Infrastructure (SOCI) Act and the Notifiable Data Breaches Scheme to APRA CPS 234, the Privacy Act 1988, the Cyber Security Act 2024, and the Australian Signals Directorate (ASD) Essential Eight.
Glenn Maiden, Chief Security Officer and Director Threat Intelligence, Australia and New Zealand, Fortinet, said, “These frameworks are critical for strengthening national resilience. However, the cumulative compliance burden consumes time, budget, and skilled resources that could otherwise be directed toward proactive threat defence.”
Cybercriminals Scale Faster Than Defenders
The challenge lies not in regulation itself but in the growing asymmetry between defenders and adversaries. Fortinet’s 2025 Global Threat Landscape Report highlights the scale of the issue. In 2024 alone:
- active scanning activity surged 16.7 per cent globally, reaching 36,000 scans per second
- more than 97 billion exploitation attempts were recorded across industries
- compromised credentials for sale on the darknet increased by 42 per cent year-on-year
- infostealer malware logs shared in underground forums grew by 500 per cent
Glenn Maiden said, “Cybercriminals automate reconnaissance, compress the time between vulnerability disclosure and exploitation, and industrialise their operations. They do not need to complete risk assessments, draft compliance reports, or navigate governance committees. They simply move at machine speed.”
Overlapping Regulations Create Operational Drag
For Australian boards and executive teams, compliance remains non-negotiable. The SOCI Act mandates enhanced obligations for critical infrastructure operators. APRA CPS 234 places accountability on financial services entities. Meanwhile, the Privacy Act and Notifiable Data Breaches Scheme impose strict timelines.
However, these requirements often overlap without full harmonisation. Security teams must manage multiple reporting cycles, varied maturity assessments, and conflicting interpretations. As a result, operational drag increases.
Glenn Maiden said, “Too often, we see security teams spending time on evidence collection exercises for frameworks that measure the same controls in slightly different ways.”
Why Attackers Still Win on Basic Weaknesses
Attackers continue to exploit long-standing vulnerabilities because organisations struggle to maintain cyber hygiene across large environments.
Gaps in identity management, patch delays, misconfigurations, and fragmented visibility remain common entry points.
Glenn Maiden said, “In some cases, the effort required to demonstrate compliance eclipses the effort required to strengthen resilience.”
Critical Infrastructure Faces the Heaviest Burden
The compliance burden falls heavily on operators of critical infrastructure. As OT environments converge with IT and cloud platforms, scrutiny increases.
The SOCI Act’s requirements, combined with standards such as IEC 62443, force organisations to maintain detailed inventories, segmentation, and response capabilities. At the same time, attackers actively scan OT protocols like Modbus TCP and SIP.
How Organisations Can Reduce Compliance Friction
The solution is not deregulation; it is simplification and integration. Compliance should result from strong security architecture, not operate as a separate function.
This requires:
- robust identity and access management based on zero trust
- unified visibility across environments
- continuous threat exposure management
- automation in detection and response
- board-level focus on measurable risk reduction
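The article notes that attackers scan OT protocols such as Modbus TCP and SIP, and lists automated detection and segmentation among the controls organisations need. The following is an added example (not code from the article, from Fortinet, or from any of the frameworks named) showing what that automation can look like in practice: it parses a constructed firewall log, flags sources that sweep Modbus/SIP service ports across several hosts within a short window, and separately reports allowed connections into an OT segment from outside it, which is exactly the kind of evidence a segmentation control should never produce. The log line format, the IP addresses, and the OT subnet are assumptions made for the example.

```python
"""Flag OT/VoIP port sweeps and segmentation failures in firewall logs.

Added example. The log format, addresses and OT subnet below are constructed
assumptions for illustration, not taken from any vendor's product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Service ports named in the article: Modbus TCP (502) and SIP (5060/5061).
WATCHED_PORTS = {502: "modbus-tcp", 5060: "sip", 5061: "sip-tls"}

# Hypothetical OT segment; in practice this comes from the asset inventory.
OT_SEGMENT = ip_network("10.10.0.0/16")

# Assumed key=value log line format, e.g.
# 2024-05-01T10:00:00Z src=203.0.113.5 dst=10.10.1.20 dport=502 proto=tcp action=deny
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample: one external host sweeps five Modbus endpoints in ten
# seconds and then gets an allowed SIP connection into the OT segment; a second
# external host touches only two endpoints; one internal host talks Modbus normally.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z src=203.0.113.5 dst=10.10.1.20 dport=502 proto=tcp action=deny",
    "2024-05-01T10:00:02Z src=203.0.113.5 dst=10.10.1.21 dport=502 proto=tcp action=deny",
    "2024-05-01T10:00:04Z src=203.0.113.5 dst=10.10.1.22 dport=502 proto=tcp action=deny",
    "2024-05-01T10:00:06Z src=203.0.113.5 dst=10.10.1.23 dport=502 proto=tcp action=deny",
    "2024-05-01T10:00:08Z src=203.0.113.5 dst=10.10.1.24 dport=502 proto=tcp action=deny",
    "2024-05-01T10:00:10Z src=203.0.113.5 dst=10.10.1.30 dport=5060 proto=udp action=allow",
    "2024-05-01T10:00:11Z src=198.51.100.7 dst=10.10.1.20 dport=502 proto=tcp action=deny",
    "2024-05-01T10:00:12Z src=198.51.100.7 dst=10.10.1.21 dport=502 proto=tcp action=deny",
    "2024-05-01T10:00:13Z src=10.10.2.5 dst=10.10.1.20 dport=502 proto=tcp action=allow",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
        "action": m["action"],
    }


def find_ot_scanners(lines, window=timedelta(seconds=60), min_targets=5):
    """Return {src: set of (dst, dport)} for sources that touched at least
    `min_targets` distinct watched endpoints inside one sliding window."""
    events = [e for e in (parse_line(l) for l in lines)
              if e and e["dport"] in WATCHED_PORTS]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {(e["dst"], e["dport"]) for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                findings[src] = targets
                break
    return findings


def segmentation_breaches(lines):
    """Watched-port connections the firewall *allowed* into the OT segment from
    outside it: evidence that a segmentation control failed or was bypassed."""
    out = []
    for e in (parse_line(l) for l in lines):
        if not e or e["dport"] not in WATCHED_PORTS or e["action"] != "allow":
            continue
        if ip_address(e["dst"]) in OT_SEGMENT and ip_address(e["src"]) not in OT_SEGMENT:
            out.append((e["src"], e["dst"], WATCHED_PORTS[e["dport"]]))
    return out


if __name__ == "__main__":
    for src, targets in find_ot_scanners(SAMPLE_LOG).items():
        print(f"port sweep from {src}: {len(targets)} watched endpoints")
    for src, dst, svc in segmentation_breaches(SAMPLE_LOG):
        print(f"segmentation breach: {src} -> {dst} ({svc}) was allowed")
```

Two design choices matter here. The sweep detector keys on distinct (host, port) pairs per source inside a time window rather than raw hit counts, so a single noisy legitimate client polling one PLC does not trip it; the threshold and window are tuning knobs that belong in the detection content, not hard-coded in a product. The segmentation check deliberately ignores denied traffic: denies are the control working, while an allow across the boundary is the finding to escalate, and it only needs the asset inventory (here, one subnet) that the SOCI and IEC 62443 obligations already require organisations to maintain.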
The Case for Regulatory Harmonisation
As Australia strengthens cybersecurity legislation, coordination becomes critical.
Glenn Maiden said, “Harmonisation across frameworks would reduce duplicated effort and allow organisations to focus on proactive defence.”
Cybercriminals are not constrained by policy, borders, or reporting deadlines. Organisations must meet compliance obligations. However, they cannot afford to let regulatory complexity slow response and recovery.
Resilience depends on reducing both cyber risk and operational friction at the same time.
About Cyber News Live
Stay ahead with Cyber News Live. We deliver real-time reporting, sharp threat intelligence, and educational content for professionals, practitioners, and curious minds. Whether it’s breaking breach alerts or deep dives into attack vectors, we cover it all. Our mission is clear: make complex cyber topics understandable and keep critical knowledge accessible to everyone.
