Expert tips to strengthen your cyber defenses

Cybercrime is increasingly one of the most significant threats to Australian businesses, costing millions each year. But it’s not just about the financial consequences. A hack could lead to exposed trade secrets, regulatory fines, lawsuits, and loss of consumer trust and overall brand reputation.

The 2022 Optus data breach underscores the far-reaching consequences of cyber vulnerabilities. Beyond financial losses, the company lost about 10% of their users within six months. The breach also triggered significant legal implications with fines and class-action lawsuits lodged against them.

Cyber-attacks are also becoming more sophisticated due to advancements in AI. This is a big concern. While extensive research is underway to develop better detection tools, Dr. Sharif Abuadbba, a deepfake expert in our Data61 team, warns against over-reliance on these technologies.

“It becomes an AI versus AI competition. This makes it unreliable, so the details and context of incidents end up needing to be reviewed anyway,” Sharif said.

Organizations need to stay ahead by continuously reviewing, preparing and innovating their cybersecurity measures. Check out these expert-backed tips to strengthen your cyber defenses and protect your business.

1. User education can make all the difference

Employees are your organization’s first line of defense against cyber threats—whether they’re managing visitor logs or handling classified documents. As Dr. Lauren Ferro, Human-centric Security Research Scientist also with our Data61 team, reminds us, human error is a business’ primary vulnerability.

“People let down their guard, thinking they have nothing useful for a cybercriminal to take. However, these individuals can be used as the gateway into their organization. Employees need to be informed of the risks and potential consequences,” Lauren said.

“Cyber risks extend beyond work. Personal information shared on social media can be used to create highly personalized attacks that compromise security,” she said.

She also advises that education be continuous, with regular updates on the latest developments and threats to watch out for.

2. Encourage employees to feel confident saying no

For businesses in Australia, email compromise is the most prominent cybersecurity threat. Examples of this include fake invoices or requests to transfer money, often appearing to come from trusted sources.

“An email from a familiar contact isn’t always legitimate,” Lauren said.

Email compromise typically occurs through phishing, where attackers trick employees into revealing sensitive information or clicking on malicious links. Once they gain access, cybercriminals can manipulate email threads, impersonate executives, and divert funds.

Sharif highlighted the importance of empowering employees to confidently refuse actions that deviate from established business processes.

“If they’re following agreed business processes, even if it’s the CEO requesting an urgent funds transfer, they shouldn’t fear getting in trouble. Use well-defined, well-documented processes within your organization as a measure to detect and defeat deep fakes, even if you don’t have the tools,” Sharif said.

3. Move beyond theoretical training

While most organizations offer cybersecurity training through online modules, one of the most effective ways to prepare employees for the reality of a cyber-attack is an immersive simulation. Interactive training helps employees test their knowledge and identify weaknesses in a safe and controlled environment.

Lauren highlights the effectiveness of Corporates Compromised, an immersive cybersecurity tabletop exercise that we developed with the Cyber Security Cooperative Research Center (CSCRC). The exercise places participants in various organizational roles and guides them through simulated cyber-attack scenarios. Participants gain hands-on experience without the risk.

“It is important that these practical exercises exist. By engaging directly with a cyber-attack and seeing the consequences of their decisions play out, participants gain tangible insights and experience,” she said.

4. Proactively protect your customers

Cybersecurity breaches are not just about losing financial assets. Organizations also have their brand reputation and consumer trust at risk.

“When we talk about cybersecurity, trust is a huge thing,” Lauren said.

“A cyber-attack affects more than just data—it impacts public trust, investors and other stakeholders. It’s hard enough getting people to trust the quality of your product or service, let alone regain it when breaches happen.”

One way to build consumer trust is to show that their cybersecurity is actively being considered. For example, organizations can ensure that multi-factor authentication is available for customer logins and that users can easily control the data that is being collected.

5. Be prepared—assume the worst

With threats and attacks becoming increasingly common, organizations should assume that they will be attacked, or that a threat will slip through the cracks.

Sharif suggests using proactive protocols and zero-trust policies. These mean that requests should be assumed fake until verified.

Jamie Rossato, our Chief Information Security Officer, also provides his tips for a good incident response plan.

“Anyone who plays sports will know that it’s the preparation you put in before the event that ultimately determines your effectiveness,” Jamie said.

“How are we prepared for the incidents that we believe are likely to happen? Or that we can see impacting other organizations?”

“Do all stakeholders understand their roles and responsibilities? Are they trained to act?”

“The response should be able to be performed even with a key player missing,” he said.

Protecting your organization

For organizations, cybersecurity in this modern age is not just about protecting assets, but also about protecting reputation and consumer trust. By prioritizing education, training and preparation, your organization can stay cybersafe.