SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Three-quarters of consumers more worried about cybersecurity, survey finds

Fri, 31st Oct 2025

Mastercard's 2025 consumer cybersecurity survey landed on a number that matters: 76% of respondents reported heightened anxiety about digital security compared to two years ago. That's three-quarters of consumers admitting they're more worried now than they were in 2023.

For CISOs, this might seem like a consumer problem. But is it really?

Your employees are these anxious consumers. They're experiencing more sophisticated attacks at home, learning to distrust every digital interaction and carrying that mindset straight into the work environment. Some organisations now mandate VPN use for remote access to corporate resources. Network protections help, certainly. But they don't address the human uncertainty that AI-powered attacks exploit so effectively.

The survey points to AI as the primary reason for consumer anxiety. Not vague concerns about technology. Real encounters with threats that feel different from anything people have seen before.

What changed between 2023 and now

Older phishing attempts had patterns. Template-based emails. Grammar mistakes you could spot from across the room. Generic greetings that screamed "mass attack." Security teams built training programmes around these tells. It worked back then.

Now? Security teams report a 1,265% increase in phishing attacks linked to generative AI since 2023. This number is not a mistake or a typo. AI-generated phishing content is grammatically flawless, contextually appropriate, and personalised using data scraped from social media profiles and breached databases. The old detection methods often fail because there are no patterns to detect.

When traditional warning signs disappear, even tech-savvy users struggle to recognise the risks. Gen Z respondents in the consumer cybersecurity survey showed higher engagement with scam content despite their digital fluency. This demographic will soon make up most of your workforce. They recognise threats exist but often lack the technical knowledge to evaluate them properly. Awareness without capability creates its own problems.

So you've got anxious employees who can't reliably distinguish legitimate communications from attacks. That's not a training gap. That's a structural problem.

How anxiety shows up in enterprise environments

Employee anxiety doesn't clock out at 5 PM. It shows up in ways that directly affect your security operations:

  • Alert overload. Worried employees flag everything half-suspicious. Your security operations centre drowns in reports. Half turn out to be legitimate business communications. The other half need more investigation. Sorting through this volume creates the exact alert fatigue that lets real threats slip past unnoticed.
  • Friction in authentication flows. When employees distrust digital interactions, they abandon legitimate password reset procedures. They ignore security prompts because "it might be fake." Help desk queues grow. And ironically, people start working around security controls, which creates new vulnerabilities.
  • Shadow IT expansion. Anxious employees adopt unauthorised tools to protect themselves. Browser extensions promising improved security. Password managers nobody vetted. VPN services discovered through online forums. Each one creates visibility gaps in your network.

The 76% anxiety figure shows how quickly threat capabilities have changed. When a single threat actor can generate thousands of targeted phishing variants in an afternoon, pattern-based defences start breaking down.

Security awareness training hasn't kept pace

Most organisations still teach threat recognition using outdated playbooks. Check sender addresses. Hover over links. Watch for urgent language demanding immediate action.

These tactics addressed threats that followed predictable patterns. AI-driven attacks don't.

They learn from successful campaigns. They change faster than quarterly training updates. An attack method you identify and incorporate into training materials this quarter might be irrelevant by the next. The adaptation cycle has completely outpaced the training cycle.

Perhaps the approach needs rethinking. Instead of teaching employees what threats look like, teach them how threats behave. Pattern recognition gives way to behavioural analysis.

Does this request fit normal business processes? Is this how the person typically communicates? Would this action be unusual, considering current projects and priorities?

These questions get people thinking and engaging rather than just relying on the usual "don't click suspicious links" posters in the break room. Employees must understand scammers' motivations, typical attack sequences, and the reasoning behind your company's security measures. Awareness training that barely scratches the surface won't hold up against scammers with large language models and datasets.

What this means for security decision-makers

You're managing a dual challenge. Threats are becoming more sophisticated with each passing quarter. Your team is more aware of the risks out there, but they're more uncertain about how to handle them.

Technology alone won't solve this. Neither will training alone. You need both, integrated thoughtfully and updated regularly.

Start by acknowledging that employee anxiety is a direct response to real changes in the environment. Don't dismiss concerns or treat them as overblown. Use that heightened awareness to improve.

Then, examine your security stack. Does it address threats that change in real time? Can it detect anomalous behaviour even when individual actions appear legitimate? Are your verification protocols strong enough to stop attacks that slip past traditional filters? Are annual reviews really enough?

The answers will probably lead to some uncomfortable infrastructure changes and difficult budget conversations. But the cost of inaction is demonstrably higher.

Moving forwards without perfect solutions

The challenge isn't finding a perfect solution. There isn't one. AI capabilities will keep progressing. Threat actors will keep adapting. Your security approach needs to match that pace.

Maybe that means quarterly architecture reviews instead of annual ones. Perhaps it requires dedicating security team members to focus exclusively on new AI-driven threats. It might involve completely rethinking how you measure security effectiveness.

What it definitely means is taking consumer anxiety seriously. When three-quarters of people report increased cybersecurity anxiety, they're signalling a problem that affects enterprise security directly.

CISOs who treat this as purely a consumer issue miss the connection. Your employees are consumers. Your partners are consumers. The human element of your company's security is changing in response to changing threats.
