A new report from QBE Insurance reveals that cyber risk in the workplace is shaped by employee behaviour, not just technology.

A new report from QBE Insurance reveals that cyber risk in the workplace is shaped by employee behaviour, not just technology. The findings point to vulnerabilities driven by everyday habits, misplaced confidence, and a lack of shared responsibility.

An analysis of survey data from more than 1,700 Australians and New Zealanders has revealed striking comparisons and key insights into consumer and employee attitudes and behaviours toward cyber risk awareness.

The research uncovered a striking blind spot, nearly 60% of employees believe they've never made a cyber mistake at work. This overconfidence is reinforced by 86% of respondents saying they feel confident in spotting cyber threats, despite the reality that many breaches go unnoticed.

"While confidence can be valuable, overconfidence can create risk and delay recovery action. Many breaches aren't immediately visible and attackers often wait, or pass stolen data to others who exploit it later." Serene Davis, Global Head of Cyber, QBE Insurance

Among the most surprising insights, Gen Z employees - often seen as the most digitally fluent - are more likely than older generations to dismiss security warnings (55%), delay critical software updates (46%), and reuse passwords across personal and work accounts (72%), contributing to a heightened risk profile.

How often do you dismiss a security warning on your device?

How often do you use the same password (or slight variation), across work and personal accounts?

Have you ever knowingly delayed or avoided a password change or major software update because it felt like a hassle?

"These cyber hygiene behaviours from our younger generations can open the door to cyber threat actors, who are increasingly relying on human error to exploit an organisation's cyber security. Younger generations are often juggling multiple devices, apps, and logins, and can be less tolerant of security measures that interrupt their workflow. This can increase the likelihood of human error, which is the leading cause of most cyber incidents." Serene Davis, Global Head of Cyber, QBE Insurance

Who would you blame for a cyber breach?

The research revealed a gap between how employees view cyber responsibility and how organisations actually manage it. When asked who they would blame if a breach occurred, 31% of workers pointed to their IT department, far outpacing executives (13%), third-party providers (5%) and even hackers or cyber criminals (26%).

"In an effective cybersecurity culture, responsibility needs to be shared and understood across the organisation, from the front desk to the boardroom. Unfortunately, for too many businesses, cyber remains siloed as 'an IT problem,' leaving leaders underprepared to manage during a crisis and employees unsure where they stand," Ms Davis said.

Rebuilding trust after a breach

Reputation is as critical to resilience as technology, and how leaders communicate and demonstrate accountability can determine whether trust is restored or permanently eroded.

34% of Australians and New Zealanders say that openness is the most important factor following a breach. This is followed closely by the expectation that the organisation takes steps to prevent recurrences (31%). By contrast, only 11% view speed of recovery as a priority, suggesting that while technical recovery is critical, communication and customer engagement strategies must be tailored to the market and demographic groups.

The willingness of consumers to forgive is also conditional. 40% of Australians say they would give a breached company another chance, compared with 47% in New Zealand. Baby Boomers are the most forgiving (50%), while Gen Z (37%) and Millennials (39%) are less inclined to offer a second chance. This reflects generational expectations where younger consumers raised in a digital-first environment see cyber resilience as a baseline obligation rather than an added safeguard.

"Cyber trust is both vital and fragile. Organisations that communicate transparently, take accountability, and demonstrate meaningful change are best placed to preserve customer confidence and protect brand equity. In today's environment, reputation is not restored through speed of recovery alone, it is earned through openness, leadership, and a demonstrable commitment to doing better." Serene Davis, Global Head of Cyber, QBE Insurance

The value of cyber insurance

Cyber resilience requires a connected approach, linking risk management, governance, staff behaviour, and financial protection.

• Preparedness and protection: While financial cover is critical, it often doesn't fully account for the real impact, especially the cashflow strain from business interruption, or the significant costs of legal counsel, IT forensics, and remediation. That's why QBE offers, threat briefings, expert response access, governance templates, and table-top simulations.
• Global insights, local expertise: QBE combines global threat intelligence with local knowledge to offer relevant, region-specific support, from regulatory guidance in Australia to emerging threats in New Zealand.
• Tailored for organisations of all sizes: Large companies may have strong IT setups but face more resistance to security protocols. SMEs tend to be more agile but lack resources. QBE adapts solutions to each organisation's size and sector.
• Building long-term resilience: Ultimately, cyber insurance must be more than a financial backstop. QBE aims to embed resilience across the organisation, before, during, and after a crisis. Attackers exploit human and technical gaps. Resilience demands a cross-functional response.