AI is a great tool for innovation, and cybercriminals across the globe are all too happy to use it to innovate. AI-powered cyber threats are not only increasing but also accelerating in speed and scale, placing immense pressure on the region’s security systems, budgets, and cybersecurity personnel, according to Fortinet’s latest report.

What was once viewed as a theoretical risk is now tangible and growing in reality with more than 75% of companies in New Zealand reported encountering AI-driven cyber threats in the past year. “These threats are scaling fast, with a 2X increase reported by 60% and a 3X increase by 30% of organisations,” the report said. 

Australia is facing a similar wave, with at least 51% of organisations confirming they’ve been targeted by AI-enabled attacks, 76% of whom reported a doubling in threat volume, and 16% experiencing a three-fold increase. Despite the rise in AI-driven attacks, “only 32% of organisations say they are very confident in their ability to defend against them. Meanwhile, 15% admit that AI threats are outpacing their detection capabilities — exposing a significant preparedness gap,” it said.

This new wave of cybercrime is stealthier, often bypassing traditional defences. Threat actors are leveraging AI to evolve malware dynamically, execute smarter brute force and credential stuffing attacks, impersonate executives via deepfake technology, and weaponise zero-day vulnerabilities. 

In New Zealand, the threat landscape is even broader, with adversarial AI, data poisoning, and deep fake social engineering emerging as prominent risks. Despite the rise in cyber attacks, “only 14% of organisations say they are very confident in their ability to defend against them. Meanwhile, 43% admit that AI threats are outpacing their detection capabilities, and 14% organisations in New Zealand have no ability to track AI-powered threats at all,” the report mentioned.

Cyber risk is now constant, not crisis-driven

Fortinet’s findings highlight a fundamental shift in how organisations experience cyber risk — it’s no longer episodic, but continuous. In Australia, the most frequently reported threats include denial-of-service (60%), software supply chain attacks (59%), cloud vulnerabilities (59%), ransomware (56%), and insider threats (51%). 

In New Zealand, the pattern is similar but even more pronounced, with supply chain attacks topping the list at 73%, followed by cloud vulnerabilities at 70%, denial-of-service attacks at 60%, phishing at 54%, and ransomware at 50%, it said.

More strikingly, the threats causing the greatest disruption are often not the most visible. In both countries, quiet but highly dangerous vulnerabilities, such as unpatched systems, insider breaches, cloud misconfigurations, and human error — are now seen as more damaging than headline-grabbing attacks like phishing or ransomware. These threats tend to evade detection and exploit internal gaps in visibility, governance, and architecture. Traditional attacks like phishing and malware are still increasing, but only at a modest 5%, likely due to better awareness and endpoint defences.

The cost of being attacked is going up

The most alarming part of the report is the rise in complex threats that scale fast and cause deeper damage. In Australia, ransomware has surged by 20%, while supply chain attacks have increased by 15%. Denial-of-service attacks have grown by 12%, and both zero-day exploits and cloud vulnerabilities have risen by 10%. These types of attacks are not only hard to detect but also difficult to contain, given their ability to exploit gaps across IT ecosystems. New Zealand reflects a similar trend, with rapid growth in supply chain breaches, IoT/OT threats, and zero-day attacks.

The business consequences are increasingly severe. In Australia, 54% of organisations reported monetary losses from breaches, and 34% faced costs exceeding US$500,000. In New Zealand, the financial toll is even more striking, 66% of respondents said their organisations suffered direct financial loss due to cyber incidents, with 30% losing more than US$500,000, the report said. Other common impacts include data breaches, privacy violations, operational downtime, loss of customer trust, and regulatory penalties.

And yet cyber teams are understaffed

One of the biggest structural weaknesses revealed by the survey is a persistent shortfall in cybersecurity staffing and expertise. In both Australia and New Zealand, only 7% of the average organisation’s workforce is allocated to internal IT, and just 13% of those are focused on cybersecurity. That equates to fewer than one full-time cybersecurity professional per 100 employees, a dangerously low ratio given today’s escalating threat landscape.

Leadership and specialisation are also lacking. Only 15% of organisations in either country have a dedicated Chief Information Security Officer (CISO), while 63% continue to combine cybersecurity with broader IT responsibilities. Just 6% have dedicated threat-hunting or security operations teams. This limited resourcing is compounded by rising challenges: 54% of organisations report feeling overwhelmed by the sheer volume of threats, 52% struggle to retain skilled cyber talent, and 44% cite tool complexity as a key contributor to fragmentation and burnout in security teams.

We're not investing enough in cybersecurity

Even as cyber risk rises, spending is struggling to keep up. Across both Australia and New Zealand, companies dedicate just 15% of their IT budgets to cybersecurity, which represents only about 1.4% of total company revenue. In Australia, 80% of organisations said their cybersecurity budgets have increased — but most of those increases are still below 10%. In New Zealand, just 50% of companies reported an increase in spending, and again, the majority of those increases were relatively modest.

There is a notable pivot from infrastructure-heavy investment to more strategic, risk-based spending. Both countries are prioritising identity and access security, Zero Trust/SASE frameworks, network protection, cloud-native application protection, and overall cyber resilience. However, critical areas such as OT/IoT security, DevSecOps, and employee security training continue to receive inadequate funding — leaving some of the most vulnerable attack surfaces under-protected.

Organisations are a;sp embracing convergence as a way to gain control. Over 90% of respondents in both countries are either actively converging their security and networking systems or evaluating how to do so. The goal is to simplify architecture, streamline operations, and improve detection and response capabilities.

In Australia, 74% of organisations are already well into their consolidation journeys, while in New Zealand, that number sits at 63%, the report mentioned. However, challenges persist, especially around managing disparate tools. Nearly half of all respondents cite tool management as a key issue, not because they have too many, but because their tools often lack integration. Organisations are now viewing vendor consolidation as a way not just to cut costs, but to improve support, speed up detection, resolve issues faster, and enhance overall security posture. Among the top drivers for consolidation: faster support (59%), cost savings (53%), better tool integration (53%), and improved threat visibility and response (51%).