As Cyber Security Awareness Month continues, blueAPACHE is proud to support the Australian Cyber Security Centre’s (ACSC) national initiative. Each week highlights a critical theme aligned to the official CSAM campaign – and this week, the focus is on the most unpredictable element in cybersecurity: people.
Human Risk: Why It Matters
People remain the pivotal factor in cyber risk. Despite advances in automation and AI-driven defences, phishing, social engineering, and identity compromise remain the top attack vectors.
KnowBe4’s 2025 Phishing Benchmarking Report reveals that organisations in Australia and New Zealand record a baseline phish-prone percentage (PPP) of 36.8% – one of the highest globally. This means over a third of employees are likely to click on deceptive content before training even begins.
For large enterprises (1,000+ employees), the risk is even greater, with human error now implicated in the majority of reported breaches. Effective risk management, therefore, must integrate human risk metrics into every layer of cyber defence – alongside continuous monitoring across both local and cloud environments.
The Power of Training: Turning Weakness into Strength
The positive side of the story is that training works.
After 90 days of Security Awareness Training (SAT), the average organisation’s PPP drops by nearly 20%, and after a year, this can fall to single digits, according to KnowBe4.
In sectors such as banking, long-term programs have delivered over 90% improvement in phishing resilience, proving that informed employees can shift from being the largest risk to an indispensable line of defence.
Today’s Threats: AI, Deepfakes, and Critical Infrastructure
Cybercriminals no longer rely solely on traditional phishing.
In 2025, AI-enhanced phishing, QR-code scams, and voice/video deepfakes have rapidly escalated. Critical infrastructure sectors – energy, water, and transport – are increasingly being targeted, prompting legislative measures such as the Cyber Security Act 2024, which mandates ransomware reporting and sets cybersecurity standards for smart devices.
In this new environment, rapid, adaptive training and secure reporting channels are no longer optional; they’re essential for compliance and resilience.
Making the Human Firewall Measurable
To truly embed human risk management, organisations should:
- Encourage instinctive reporting: Provide one-click phishing-report buttons, require 15-minute escalation for payment or payroll change approvals, and track report volume and SLA adherence.
- Verify transactions in layers: Use out-of-band callbacks, dual-approval workflows, and “hold-to-verify” checks for financial or identity-related requests.
- Enforce strong access controls: Deploy multi-factor authentication (MFA) across all administrative functions, finance, and SaaS logins, prioritising phishing-resistant methods (FIDO2, passkeys), and monitor for MFA fatigue or bypass attempts.
- Train with realism: Use short, frequent micro-simulations, region-specific case studies, and tailored onboarding training to maintain engagement year-round.
Compliance and Culture
Frameworks like ISO 27001 and the ACSC Essential Eight maturity model provide a strong foundation, but security culture goes beyond compliance. Align with the Essential Eight controls that emphasise faster patching, phishing-resistant MFA, and restricted administrative privileges; their maturity levels underscore the importance of continuous improvement.
Cybersecurity is not a seasonal campaign – it’s a daily practice of awareness, measurement, and accountability.
blueAPACHE x KnowBe4: Your Partner in Human Risk Management
blueAPACHE partners with KnowBe4, a global leader trusted by more than 70,000 organisations, to deliver a unified Human Risk Management solution.
KnowBe4’s AI-driven platform integrates behaviour-based awareness training, real-time coaching, and measurable benchmarking, empowering Australian and New Zealand businesses to turn their people from the largest attack surface into their strongest security asset.
Call to Action
Kick off your Human Risk Uplift Program with blueAPACHE.
Leverage real metrics to baseline your workforce, implement phishing-resistant MFA, and apply staged verification playbooks to reinforce cyber awareness across all teams.
Together, let’s strengthen the human firewall – and build a cyber safe culture that endures well beyond October.
Sources:
- KnowBe4 – Phishing Benchmarking Report 2025
- ACSC – Cyber Security Awareness Month 2025
- ACSC – Essential Eight Maturity Model (Cyber.gov.au)
- Cyber Security Act 2024 (Federal Register of Legislation)