Cyber Security: Emerging threat environment 2026

Third-party access

Bucchianeri says while AI today acts as a force multiplier, regardless of individual targets or motives, attackers are increasingly hitting enterprise networks by exploiting weaknesses at different points across supply chains. In cyber security circles, this is known as a third party incident, especially when looking at IT service suppliers, software vendors and cloud platforms where breaches can quickly cascade through the ecosystem. Bucchianeri says such vulnerabilities, mainly centred on identity compromise, can be especially difficult to detect as services gets outsourced further down the chain and credentials become even less transparent. “When you outsource to a third party, whatever service it is, they may not have the same level of rigour around their screening and security processes as you do and so provide a more vulnerable access point,” he says.

“This is something to really guard against as these intrusions in the supply chain become more mainstream. These attacks are increasingly going many layers down to exploit vulnerabilities, as criminals and other actors seek to gain access to your organisation in this way.” 

The question of identity can also encompass business impersonation risk for large corporates and institutions. These are seen in fake business emails and invoicing scams – now turbocharged by AI - which can spill into the supply chain, often made up of other large businesses too. “In these cases, cyber criminals are increasingly exploiting peak operational periods — when payment volumes surge, people may be stressed or tired and internal controls may be less stringent,” Bucchianeri says. “These attacks leverage trust and timing, creating a heightened risk of financial and reputational damage.”

Insider threat 

Closely intertwined to third-party and supply chain risk, is the threat of a breach arising from someone inside the organisation, whether through malice, negligence or compromise. “This is where ‘logging in’ is the new ‘breaking in’,” Bucchianeri says. “It may come from human error, or intent, or increasingly using usernames and passwords harvested and sold on the dark web.” While the “insider” here may sometimes have first gained access through exploiting a third-party supplier, it’s useful to think of defending against insider risk as managing the individualised people risk within an organisation. Underscoring the human and social engineering risk factor here, the ACSC threat report has shown phishing as providing initial access in 38% of attacks for the period. “Organisations need to maintain rigorous cyber security hygiene alongside strong fraud and scam awareness programs, supported by ongoing training and intelligence monitoring,” Bucchianeri says. “This also translates into stringent probity checks when hiring, and security education and diligence extended to partners as much as possible.” He says good practice is to ensure an organisation and suppliers maintain regulatory compliance in the jurisdiction, plus having a named, accountable person in charge of IT security. In Australia, the ACSC’s Essential Eight framework is the recommended baseline to implement. These key principles include measures like regular patching, employing phishing-resistant multi factor authentication, and backing up data to mitigate against serious attacks like ransomware and identity-based data breaches. The ACSC is part of the Australian Signals Directorate (ASD) foreign intelligence network, with access to a deep array of security information shared among our Five Eyes alliance partners in the US, UK, New Zealand and Canada.

Constant vigilance 

At  NAB, Bucchianeri oversees one of Australia’s largest security teams, with expert safeguards and threat testing that extends across the bank’s international operations over multiple time zones. He says NAB has made significant investment to do so, but the threats being faced and principles of best practice defence apply to organisations of every level, prioritised and scaled appropriately to budget and sector. The overall strategy of visibility, coverage and effectiveness means mapping the organisational environment, including all data storage, to be able to detect and investigate potential malicious activity and then ensure there are the right controls to cover these points safely and effectively. In today’s threat landscape this means having in place a zero-trust architecture, which assumes a compromise regardless of the user or location, and ramping up AI-enabled defences. Having playbooks and threat testing, while sharing intelligence with government and industry peers, also form strong defensive pillars. Given the realities of the threat environment and consequences of a successful attack, Bucchianeri says a cyber strategy for large organisations should also include having robust resilience programs to ensure continuity of operations should a breach occur. This is increasingly looked at as part of national defence given the implications for breaches in critical infrastructure across the economy, including the financial system, amid heightened geopolitical risks faced today. Another priority on the near-term horizon is preparing for a world of post-quantum cryptography to help secure against attacks from highly-powerful quantum computers of the future. “The complexity and constantly evolving nature of the cyber security environment in 2026 and beyond can feel a bit like carrying water in a net,” Bucchianeri says.

“But at the end of the day I do sleep pretty well knowing we have a strong team here, all keeping the essential building blocks of defence in place.

"We support the sharing of information and are here to help our customers navigate today’s emerging threat environment and stay ahead of the latest developments together.”