In the current cyber-risk landscape, it’s no longer sufficient to focus purely on firewalls, antivirus software or encryption. According to the newly released QBE report, “Cyber Blind Spots and Generational Habits Shaping Workplace Risk”, the human element remains the most unpredictable factor in a company’s cyber resilience.
Here are some of the most significant findings that matter for businesses across sectors and what you as a business leader should do about them.
- Overconfidence is leading to blind spots
The report finds that almost 60% of employees believe they’ve never made a cyber mistake at work. Even more striking, 86% say they feel confident they can spot cyber-threats. But here’s the catch: many incidents go undetected and human errors are among the primary causes of breaches. QBE flags the gap between confidence and reality as a key vulnerability.
Action for you: Conduct a frank assessment of cyber-awareness across your organisation – ask not just “can they detect threats?” but “do they assume they will never commit an error?”
- Generation gaps in behaviour – surprise risk areas
One might assume younger employees, digital natives, have better cyber hygiene – but the data tells a different story. According to the report:
– 55% of Gen Z respondents said they “always/often/sometimes” dismiss security warnings, compared with 27% of Baby Boomers.
– 72% of Gen Z reported using the same password (or slight variation) across personal and work accounts; for Baby Boomers that figure was 53%.
– 46% of Gen Z delayed or avoided major software updates because it felt like a hassle – again, higher than older generations.
Action for you: Tailor cyber-training and awareness programs to account for generational behaviour differences – younger staff may need more emphasis on consistent habits, password management and updates.
- A culture of “IT’s problem, not mine” undermines resilience
When asked who they would blame if a breach occurred, 31% of employees pointed to their IT department – far ahead of executives (13%) or third-party providers (5%). The distinct message here: many employees still view cyber risk as an IT problem, not a business-wide responsibility.
Action for you: Embed cyber-risk ownership at all levels – from leadership down. Make sure everyone knows their role in prevention, detection and response – not just relying on IT or outsourced providers.
- Trust and reputation matter as much as a technical recovery
Interestingly, the report found that after a breach, what matters most to consumers in Australia and New Zealand is openness and the organisation’s willingness to take steps to prevent recurrence – more so than just speed of recovery. For example, 34% of respondents said openness was the most important factor following a breach. Younger consumers (Gen Z and Millennials) were less likely to offer a second chance after a breach than Baby Boomers.
Action for you: Make sure incident-response planning covers not just technical remediation but also communication strategy, transparency and customer trust rebuilding. Cyber insurance may cover financial loss, but reputational damage often costs more in the long run.
- Cyber Insurance – More than a policy, a resilience partner
QBE emphasises that cyber insurance is no longer just a “pay-out after a breach” measure; it should form part of a connected approach that includes behaviour, governance, training and technical controls. QBE’s model combines threat briefings, expert response access, governance templates and tabletop simulations.
Action for you: As business owners, ensure that any cyber insurance cover is matched by active risk-management support, not simply a “tick-the-box” policy.
Ask questions such as: What incident-response capabilities are included? What training and awareness support is offered?
Why this matters for our clients
At Phoenix, we serve a broad spectrum of organisations, from small-to-medium enterprises through to larger corporates, all operating in an environment where cyber-threats are evolving fast and where human behaviour remains the wildcard.
This QBE report reinforces that while technology investment remains essential, people, culture and shared responsibility are equally critical to building real cyber resilience.
If you haven’t reviewed your cyber-risk posture lately (or sat down with your staff to assess behaviours around passwords, updates, device usage and security warnings), now is a timely moment. We’re here to help you map your exposures, strengthen your culture and ensure your insurance cover isn’t just a policy, but part of a broader cyber-resilience strategy.


