Cyber Security: The Ultimate Guide for Australian Businesses (2026)

Last reviewed: 24 June 2026

Cyber security is the combination of leadership, people, processes and technology used to protect business systems, accounts, data and operations from unauthorised access, disruption, misuse and loss. For an Australian business, a practical security program should reduce the likelihood of an incident, detect problems early, limit the damage when something goes wrong and support a confident recovery.

That is the straightforward definition. The reality is more demanding. Most organisations now depend on email, cloud applications, online banking, customer records, mobile devices, suppliers and remote access simply to operate. A stolen account can therefore become a payment fraud, a privacy breach, a customer issue and an operational outage within hours. Cyber risk is no longer a specialist topic that can sit entirely with the IT team. It is part of business continuity, financial control, privacy, supplier management and executive governance.

This guide explains cyber security in plain English for Australian business owners, executives, office managers, operations teams and internal IT teams. It covers the threats that matter in 2026, the controls that make the greatest practical difference, the Essential Eight, NIST Cybersecurity Framework 2.0, ISO 27001, secure use of artificial intelligence, incident response, Australian reporting obligations, measurement and a realistic 30–60–90 day improvement plan.

It is designed as an evergreen pillar page rather than a one-off checklist. The aim is to help readers understand how the parts fit together, choose sensible priorities and move from scattered security activity to a repeatable operating rhythm.

Cyber security in one minute

A sound business security program does six things well. It establishes ownership and acceptable risk, knows which systems and information matter, applies safeguards that are proportionate to the risk, monitors for suspicious activity, responds through a rehearsed plan and restores operations from trustworthy backups. These outcomes align closely with the six functions in the NIST Cybersecurity Framework 2.0: Govern, Identify, Protect, Detect, Respond and Recover.

The most valuable first actions are rarely exotic. They include multi-factor authentication, prompt patching, restricted administrator access, secure configuration, reliable backups, tested restoration, centralised logging, security awareness and a clear response plan. Australian organisations can use the Essential Eight as a strong technical baseline, then add governance, data protection, supplier risk, cloud security, monitoring and incident response around it.

A useful way to think about the goal is this: prevent what you reasonably can, make compromise harder, detect what gets through, contain it quickly and recover without improvising.

Key takeaways for business leaders

• Cyber security is an operational and financial risk, not only an IT issue.
• Identity, exposed software, social engineering, suppliers, cloud services and unmanaged AI use are common pathways into a business.
• The best program is risk-based. It protects the systems and information that would cause the greatest harm if unavailable, altered or disclosed.
• The Essential Eight is a practical Australian baseline, but it is not a complete security program on its own.
• Backups only reduce risk when they are isolated appropriately, monitored and successfully restored in testing.
• Leadership should measure coverage, speed and outcomes rather than collecting a long list of tool alerts.

Why cyber security matters to Australian businesses in 2026

The current threat environment makes complacency expensive. The ASD Annual Cyber Threat Report 2024–25 states that ASD’s Australian Cyber Security Centre received more than 84,700 cybercrime reports during the financial year, an average of one report every six minutes. The average self-reported cost per cybercrime report for businesses rose to about $80,850. The average was approximately $56,600 for small businesses, $97,200 for medium businesses and $202,700 for large businesses.

Those figures describe reported financial loss, not the complete business impact. An incident can also cause staff downtime, missed sales, emergency consulting costs, customer notifications, legal work, insurer involvement, compromised negotiations and weeks of management distraction. A business may recover the technology and still need to rebuild confidence with customers, staff and suppliers.

Privacy exposure is equally important. The Office of the Australian Information Commissioner reported 532 notifications under the Notifiable Data Breaches scheme for January to June 2025. Malicious or criminal attacks accounted for 59 per cent of notifications, and cyber incidents affected just over 10,000 people on average during that reporting period. The numbers vary between periods, but the lesson is stable: organisations need both preventive controls and a prepared process for assessing, containing and communicating a data breach.

Global evidence points to a broader attack surface. Verizon’s 2026 Data Breach Investigations Report found that exploitation of software vulnerabilities had become the leading initial access vector in its dataset, while third-party involvement had increased sharply. It also reported rapid growth in unapproved or “shadow” AI use. Australian businesses should not treat those global findings as a precise local forecast, but they are useful indicators of where risk management needs to mature.

The practical change is that business systems no longer sit behind one office firewall. They are spread across Microsoft 365 or Google Workspace, cloud platforms, software-as-a-service applications, staff homes, mobile phones, contractors, software suppliers and automated integrations. Security therefore depends less on one perimeter and more on verified identity, secure configuration, disciplined access, visibility and resilience.

What has changed in the cyber threat landscape

Several shifts are making familiar risks harder to manage. The first is speed. Criminal groups and opportunistic attackers can scan large numbers of internet-facing systems, reuse stolen credentials and automate parts of reconnaissance. Artificial intelligence can help attackers draft convincing messages, localise language and adapt pretexts more quickly. AI does not remove the need for security fundamentals; it increases the value of applying them consistently.

The second shift is the importance of identity. Business data often sits in cloud services that can be reached from anywhere. If an attacker steals a password, session token or approval prompt, they may not need to “hack the network” in the traditional sense. They can sign in, create inbox rules, register an application, change payment details, download files or wait quietly for the right conversation.

The third shift is supply-chain exposure. Organisations depend on payroll platforms, accounting systems, managed service providers, marketing tools, legal portals, building systems and industry-specific software. A supplier may have trusted access or hold a copy of important data. The business remains accountable for understanding the risk even where it cannot control every technical detail.

The fourth shift is operational concentration. A small number of platforms may support almost every employee. An outage or compromised administrator account in Microsoft 365, a core line-of-business application or an identity provider can affect the entire organisation at once. This makes recovery objectives and alternative ways of working essential.

Finally, AI-enabled workflows are introducing new combinations of access and automation. An AI assistant that can read files, send email, update a customer record or trigger a financial process has more potential impact than a simple chatbot. The risk comes from the whole system: the model, its instructions, the data it can access, the tools it can call, the identity it uses, the supplier operating it and the people approving its actions.

What cyber security actually protects

Business security is often described through three outcomes: confidentiality, integrity and availability.

Confidentiality means information is available only to authorised people and systems. It applies to customer records, employee information, commercial documents, passwords, intellectual property and sensitive communications.

Integrity means information and systems remain accurate, complete and trustworthy. A changed supplier bank account, manipulated invoice, altered contract or tampered backup can be as damaging as stolen data.

Availability means people can access the systems and information needed to operate. Ransomware, denial-of-service attacks, failed updates and provider outages can all become availability incidents.

A mature program adds two more business outcomes. The first is accountability: being able to show who performed an action, who approved a change and who owns a risk. The second is resilience: maintaining critical services during disruption and restoring them within an acceptable time.

This broader view prevents security from becoming a narrow exercise in buying protective tools. A business may have modern endpoint software and still be exposed because former employees retain access, backups have never been restored, payment changes are not independently verified or nobody knows who can declare a major incident.

The most common cyber threats to business

Threat names can become confusing, especially when a single incident uses several techniques. The useful question is not merely “what type of attack is this?” It is “how could it reach us, what would it affect and which controls would interrupt it?” The following threats deserve attention in most Australian small and medium businesses.

Phishing and business email compromise

Phishing uses a deceptive email, text message, phone call, QR code or website to persuade someone to reveal information, approve access, open a file or perform an action. Business email compromise, often shortened to BEC, focuses on trusted business conversations and payments. The attacker may impersonate an executive, supplier, staff member or customer, or may operate from a genuinely compromised mailbox.

The most damaging messages are often not obviously malicious. A criminal who has access to an inbox can study normal invoice timing, language and relationships. They may wait for a real payment discussion and insert new bank details. They may create forwarding rules or delete warnings to keep the victim unaware.

Defence requires more than telling staff not to click links. Strong controls include phishing-resistant MFA where practical, secure email configuration, protection against domain impersonation, restrictions on automatic forwarding, monitoring for suspicious mailbox rules, independent verification of payment changes and a culture where staff can pause a transaction without being criticised for causing delay.

Payment controls should be designed as business controls, not informal habits. A new bank account should be verified through a trusted phone number already on file, not a number supplied in the email requesting the change. High-value payments should require appropriate separation of duties. The process should cover suppliers, payroll, refunds and executive requests.

Security awareness training is most useful when it reflects real workflows. Short, regular learning and realistic simulations tend to be more effective than a yearly presentation. The aim is not to “catch” employees. It is to help people recognise pressure, verify unusual requests and report a concern early. Stanfield IT’s Security Awareness Training service can support a structured program.

Credential theft and account takeover

Passwords are stolen through phishing, malware, credential stuffing, insecure storage, fake sign-in pages, compromised devices and breaches at unrelated services. Attackers also target session tokens and MFA processes because these can provide access even where the password itself is protected.

Multi-factor authentication significantly reduces risk, but not every MFA method is equally resistant to phishing. SMS and push approvals are generally stronger than password-only access, while hardware-backed passkeys and FIDO2 security keys can provide stronger resistance to fake sign-in pages. The right choice depends on the system, user group, risk and operational requirements.

Businesses should focus first on complete coverage. Email, remote access, cloud administration, finance platforms and any application holding sensitive data should not be left on password-only access. Administrator accounts should be separate from everyday accounts, used only for administration and protected with stronger controls. Legacy authentication protocols that bypass modern controls should be disabled where possible.

Account lifecycle is equally important. Joiner, mover and leaver processes should create only the access needed for a role, adjust it when responsibilities change and remove it promptly when a person leaves. Shared accounts make accountability difficult and should be eliminated or tightly controlled. Access reviews should include third parties, dormant accounts, service accounts, emergency accounts and application permissions—not only staff usernames.

Identity and Access Management is therefore one of the most important foundations of modern cyber security. It connects HR processes, cloud configuration, business ownership and technical controls.

Ransomware and cyber extortion

Ransomware is malware or attacker activity that denies access to systems or data, usually through encryption or destructive changes. Modern incidents often include data theft and extortion. The attacker may threaten to publish information, contact customers or disrupt services even if the organisation can restore from backup.

Ransomware commonly follows an earlier compromise. The initial access may be an exposed vulnerability, stolen account, remote access tool, supplier connection or phishing message. Attackers may then move through systems, obtain higher privileges, disable security tooling and locate backups before causing widespread disruption.

Prevention therefore depends on layers: timely patching, secure remote access, MFA, restricted administrator privileges, endpoint detection, application control, network segmentation, protected backups and monitoring for suspicious behaviour. Recovery depends on knowing which systems are critical, how they depend on each other and how long the business can operate without them.

Backups are necessary but not sufficient. At least one recovery path should be isolated or otherwise protected from the same administrative compromise that could affect production. Backup deletion and configuration changes should be monitored. Restoration tests should prove that data is usable and that applications can be brought back in the correct order.

The Australian Government advises organisations not to pay a ransom because payment does not guarantee recovery and can encourage further targeting. From 30 May 2025, mandatory ransomware and cyber extortion payment reporting applies to certain entities, including businesses carrying on business in Australia with annual turnover above the prescribed $3 million threshold and relevant critical infrastructure entities. Organisations facing an incident should obtain current legal, insurance and specialist advice rather than relying on a general guide.

Exploitation of vulnerabilities

A vulnerability is a weakness in software, hardware or configuration that can be exploited. Internet-facing systems are especially important because attackers can reach them without first entering the network. Firewalls, VPN appliances, web applications, remote management tools, cloud services and forgotten test systems all require visibility and maintenance.

Traditional vulnerability management can produce thousands of findings. Treating every finding as equally urgent creates noise and delays. Prioritisation should consider whether the vulnerability is known to be exploited, whether the system is reachable from the internet, the value of the affected asset, available compensating controls and the business consequence of compromise.

The process needs clear ownership and service levels. High-risk vulnerabilities on exposed systems may need emergency action, while lower-risk internal findings can follow a planned cycle. Where a patch cannot be applied immediately, the business should consider temporary controls such as disabling a feature, restricting access, segmenting the system or increasing monitoring.

A vulnerability scan is not the same as a penetration test. Scanning identifies known weaknesses at scale. Penetration testing uses controlled techniques to validate whether an attacker could combine weaknesses to achieve a meaningful objective. Both have value, but neither replaces disciplined patching and secure configuration. Stanfield IT offers Vulnerability Management and Penetration Testing for organisations that need deeper assurance.

Cloud and software-as-a-service misconfiguration

Cloud services can be highly secure, but the customer remains responsible for how identities, permissions, sharing, retention and integrations are configured. Common problems include excessive administrator access, public links, unmanaged guest users, weak conditional access, old application permissions, unmonitored forwarding and inconsistent retention settings.

Microsoft 365 deserves particular attention because it often contains email, files, chat, meetings, identities and business workflows. A compromise can therefore affect several functions at once. Security should cover tenant configuration, privileged roles, MFA, conditional access, device compliance, external sharing, audit logging, email protection and data lifecycle settings.

Configuration should be documented and reviewed as the platform changes. Default settings are designed for broad usability, not for the exact risk profile of every organisation. Secure configuration also needs change control so that a rushed exception does not become a permanent gap.

Cloud Security should be treated as an ongoing management discipline rather than a one-time hardening project. New applications, integrations and users can change exposure quickly.

Third-party and supply-chain compromise

A supplier may process sensitive data, host an application, maintain a system, provide remote support or connect through an integration. The business may have limited visibility into the supplier’s internal controls, yet an incident can still affect operations and customers.

Supplier security should begin before the contract is signed. Due diligence should be proportionate to the service. A payroll provider, managed service provider or core platform deserves deeper review than a low-risk marketing tool. Questions should cover data location, access controls, incident notification, subcontractors, recovery capabilities, independent assurance and the process for returning or deleting data at the end of the relationship.

Contracts cannot remove the risk, but they can make expectations clear. The organisation should know how quickly the supplier must report an incident, what evidence it will provide, who is responsible for investigation costs, how service continuity will be handled and whether cyber insurance is required.

Technical controls also matter. Supplier accounts should use MFA and least privilege. Remote access should be time-limited or monitored where practical. Integrations should use scoped permissions rather than broad administrator rights. Trusted access should be reviewed after projects and staff changes.

A good supplier register links the service, business owner, data involved, criticality, access method, contract renewal and latest risk review. Without that basic visibility, third-party risk becomes a collection of questionnaires rather than a manageable program.

Insider risk, mistakes and misuse

Not every incident is caused by an external attacker. Employees and contractors can expose information accidentally, bypass controls to finish work more quickly or misuse access deliberately. Common examples include emailing data to a personal account, sharing a file publicly, retaining access after changing roles, using an unapproved application or sending information to the wrong recipient.

Insider risk should not be framed as distrust of staff. It is a design problem involving access, workflow, supervision, culture and monitoring. People are more likely to use unsafe workarounds when approved processes are slow or unclear. Security teams should therefore understand why people are bypassing controls and improve the process where possible.

Least privilege, data classification, separation of duties, logging, secure offboarding and manager-led access reviews reduce risk. Sensitive actions may require an additional approval or a warning that explains the consequence. Monitoring should be lawful, proportionate and clearly governed.

A supportive reporting culture is one of the strongest controls. An employee who immediately reports a mistaken email or suspicious MFA prompt gives the organisation time to act. Fear of blame causes delay, and delay increases impact.

Website attacks and denial of service

Websites and internet-facing applications can be targeted through vulnerable plugins, insecure code, stolen administrator accounts, automated credential attacks and denial of service. Even a marketing website can affect reputation, lead generation and trust if it is defaced or used to distribute malicious content.

Security basics include supported software, prompt updates, MFA for administrators, secure hosting, limited plugins, web application protection, protected backups, logging and tested restoration. Custom applications need secure development practices, code review and testing appropriate to their risk.

Denial-of-service attacks overwhelm a service or a dependency. Mitigation may involve a content delivery network, rate limiting, provider protections, resilient architecture and an escalation plan. The business should know who to contact and what alternative communication channels it will use if the website or customer portal is unavailable.

Shadow IT and shadow AI

Shadow IT refers to applications, devices or services used without approval or visibility. Shadow AI is the same problem applied to generative AI and agentic tools. Employees may paste customer information into a public assistant, connect an AI tool to cloud storage or create an automated workflow using a personal account.

Prohibition alone rarely solves the problem. People adopt tools because they are useful. A practical program provides approved options, explains which information can be used, defines acceptable use, reviews high-risk integrations and makes it easy to ask for guidance.

The business should maintain an inventory of approved AI use cases and suppliers. Each use case should have an owner, purpose, data classification, access model, human oversight, retention position and fallback. Higher-risk systems need testing for incorrect output, prompt injection, data leakage, unintended actions and loss of control over connected tools.

The ASD guidance on careful adoption of agentic AI services recommends managing AI within established security frameworks, including secure-by-design principles, defence in depth, identity and access management, continuous monitoring and incident response. That is a helpful approach: AI introduces new behaviours, but it still depends on familiar security disciplines.

How to assess cyber risk before buying more tools

Security spending is most effective when it follows a clear view of risk. Without that view, organisations tend to react to the latest headline, renew tools because they have always had them or work through a technical checklist without knowing which business problem it solves.

A cyber security risk assessment connects threats and weaknesses to business consequences. It should answer five questions:

1. What systems, data, services and relationships are most important?
2. What credible events could affect them?
3. Which controls already reduce the likelihood or impact?
4. What level of residual risk remains?
5. Which treatment will reduce the most meaningful risk for a reasonable cost and effort?

The assessment does not need to begin with a complicated model. It needs reliable information, business participation and consistent decisions.

Identify the organisation’s critical services

Start with services the business must deliver, not with a list of devices. Examples include processing customer orders, paying staff, accessing clinical information, completing settlements, operating a production line or responding to clients. For each service, identify the people, applications, data, devices, facilities, suppliers and connectivity it depends on.

This service view often reveals hidden concentration. A business may discover that several critical processes depend on one identity platform, one internet connection, one administrator, one spreadsheet or one vendor. That dependency deserves attention even if it has never caused an incident.

Business impact analysis can help define tolerances. Recovery Time Objective (RTO) describes how quickly a service needs to be restored. Recovery Point Objective (RPO) describes how much data loss the business can accept, measured in time. These are business decisions. Technology teams can explain options and cost, but leaders need to decide what interruption is tolerable.

Build an accurate asset and data picture

You cannot protect what you do not know exists. A practical asset register should cover endpoints, servers, network devices, cloud subscriptions, key applications, domains, websites, service accounts, integrations and important suppliers. It should record the owner, purpose, support status, location, sensitivity and business criticality.

The register should be maintained through normal processes. Procurement, onboarding, project delivery and offboarding should update it. A spreadsheet can be a reasonable starting point for a smaller organisation, provided it has an owner and review cycle. Automation can improve accuracy, but a tool cannot decide business criticality on its own.

Data discovery should focus on where sensitive information is created, stored, shared and retained. Avoid trying to classify every file on the first attempt. Begin with a few useful categories such as public, internal, confidential and highly restricted, then apply handling rules that staff can understand.

Retention matters because old data creates risk without always creating value. The business should keep information for as long as it is required by operational, contractual and legal needs, then dispose of it securely. Data that no longer exists cannot be stolen in a future breach.

Use realistic threat scenarios

A threat scenario turns an abstract risk into a sequence the business can assess. For example: “A finance employee’s Microsoft 365 account is compromised through phishing. The attacker monitors invoices, changes supplier banking details and downloads customer correspondence.”

Another scenario might be: “An unpatched internet-facing appliance is exploited. The attacker obtains administrator access, disables endpoint protection and encrypts core file services and accessible backups.”

Scenarios should be credible for the organisation’s industry, systems and operating model. They should include the affected service, threat actor, likely path, existing controls and consequences. This makes discussions more useful than arguing about whether a generic risk is “medium” or “high”.

Score risk consistently, not theatrically

Many businesses use a likelihood-and-impact matrix. It can be helpful if definitions are clear. Likelihood should consider exposure, attacker capability, known activity and control effectiveness. Impact should consider financial loss, downtime, safety, privacy, legal obligations, customer harm and reputational damage.

The score is a decision aid, not a scientific measurement. False precision can be misleading. It is usually more valuable to explain why a risk is significant, what assumptions were made and what would change the decision.

Each material risk should have an owner with authority to accept, reduce, transfer or avoid it. The technology team can manage controls, but it should not silently accept a business risk on behalf of leadership. Accepted risks should have an expiry or review date because circumstances change.

Convert findings into a prioritised roadmap

A useful roadmap separates urgent exposure from longer-term maturity. Immediate work may include closing a known exploited vulnerability, protecting privileged accounts, fixing an unusable backup or removing access for former staff. Foundational work may include asset management, policies, supplier governance, centralised logging and incident exercises.

Priorities should consider risk reduction, implementation effort, dependencies and operational disruption. A control that appears simple may require communication, training and testing. A control that cannot be sustained after rollout is not complete.

Stanfield IT’s Cyber Security Risk Assessment is designed to translate technical findings into business impact, a practical roadmap and leadership-friendly reporting.

Choosing a cyber security framework

Frameworks help organisations structure decisions, communicate expectations and avoid missing important areas. They are not competing products, and using one does not automatically make a business secure. The best choice depends on the purpose.

An Australian SME may use the Essential Eight as a technical baseline, NIST CSF 2.0 as the overall risk-management structure and ISO 27001 principles to formalise governance and evidence. A regulated or enterprise-facing organisation may need certification, sector requirements or contractual controls as well.

The framework should simplify security, not bury the business in documents. Start with the outcomes that matter, map current controls, identify gaps and keep evidence that proves the controls operate.

The Essential Eight explained

The Essential Eight is a set of prioritised mitigation strategies developed by the Australian Signals Directorate. It is intended to help organisations make it harder for attackers to compromise systems. The eight strategies are designed to complement each other:

• Application control
• Patch applications
• Configure Microsoft Office macro settings
• User application hardening
• Restrict administrative privileges
• Patch operating systems
• Multi-factor authentication
• Regular backups

The Essential Eight Maturity Model describes graduated levels of implementation. ASD advises organisations to choose a target maturity suitable for their environment and aim for the same maturity level across all eight strategies before progressing individual controls further. That balanced approach matters because attackers look for the weakest path.

Application control

Application control restricts the execution of software, scripts, installers and other code to approved items. It is stronger than relying only on antivirus because it reduces the opportunity for unknown or unauthorised code to run.

Successful implementation requires understanding legitimate applications and maintaining rules as the environment changes. A rushed deployment can interrupt work, while an overly permissive policy provides little protection. Start with well-managed device groups, monitor what would be blocked and build a process for approving new software.

Patch applications and operating systems

Patching removes known weaknesses and supports stable, supported technology. The two Essential Eight patching strategies distinguish applications from operating systems, but the operating discipline is similar: know what exists, monitor vulnerabilities, prioritise exposed and high-risk systems, test changes and verify completion.

Unsupported systems create persistent risk because security fixes may no longer be available. Where replacement cannot occur immediately, isolate the system, restrict access and increase monitoring while leadership tracks a dated transition plan.

Microsoft Office macro settings

Macros can automate useful tasks, but they have also been used to deliver malicious code. Controls should restrict macros from the internet, permit only trusted use and protect the configuration from casual change. The business should identify genuine macro-dependent workflows and modernise them where feasible rather than allowing broad exceptions.

User application hardening

Browsers, PDF readers, email clients and other user applications process untrusted content every day. Hardening reduces the features and behaviours attackers can exploit. It may include blocking unnecessary browser features, limiting script execution, restricting embedded content and using protected views.

Hardening should be tested with business workflows. Security and usability are not opposites, but a control that unexpectedly breaks a critical process will be bypassed or removed. Pilot groups and clear exception management help.

Restrict administrative privileges

Administrator access can change security settings, install software, create users and reach sensitive systems. It should be rare, separate from everyday work and reviewed. Staff who administer systems should have a normal account for email and browsing and a distinct privileged account for authorised tasks.

Just-in-time or time-limited privilege can reduce standing access. Privileged actions should be logged, and emergency access should be protected, tested and monitored. Service accounts also need attention because they may hold broad rights and passwords that rarely change.

Multi-factor authentication

MFA requires more than one factor to verify identity. It should cover remote access, cloud services, privileged access and important third-party applications. Organisations should prefer phishing-resistant methods for higher-risk users and systems where supported.

MFA enrolment, reset and recovery processes are part of the control. An attacker who can persuade support staff to reset MFA may bypass the technical protection. Help desk verification, device registration and unusual-enrolment alerts therefore matter.

Regular backups

Backups support recovery from ransomware, deletion, corruption, system failure and human error. They should cover the data and configuration needed to restore critical services, not only files. Copies should be protected from production compromise, encrypted where appropriate and monitored for failed jobs.

Testing should include a complete restoration scenario, not only confirmation that a backup file exists. The business needs evidence that the right data can be recovered within agreed RTO and RPO targets.

What the Essential Eight does not cover by itself

The Essential Eight is deliberately focused. It does not replace risk governance, privacy management, supplier assurance, secure software development, security monitoring, incident communication, physical security or a complete cloud strategy. Organisations should implement additional measures where their environment and risks require them.

Essential Eight Services can help with assessment, target maturity, remediation planning, evidence and practical implementation.

NIST Cybersecurity Framework 2.0

The NIST Cybersecurity Framework 2.0 provides a broad way to understand, prioritise and communicate cyber security outcomes. It is organised around six functions: Govern, Identify, Protect, Detect, Respond and Recover. The functions are not a one-way project plan. They operate together as a continuous system.

Govern

Govern sets the direction. It includes strategy, policies, roles, legal and contractual requirements, supply-chain risk, oversight and risk appetite. The addition of Govern as a core function in version 2.0 reinforces that cyber security needs accountable leadership.

For a smaller business, governance does not need to be bureaucratic. It may include an executive owner, a quarterly risk review, approved policies, a security roadmap, documented exceptions and clear reporting. The important point is that decisions are visible and owned.

Identify

Identify covers assets, business context, risks, improvements and dependencies. An organisation should understand what it relies on, what information it holds, what could go wrong and where current controls are weak.

This function is the bridge between business impact and technical work. It prevents teams from protecting every asset identically or overlooking a critical supplier because it is not physically on the network.

Protect

Protect includes identity management, awareness, data security, platform security and resilience safeguards. It is where many familiar controls sit: MFA, patching, hardening, encryption, access control, backups and training.

Protection should be proportionate and measurable. “We have MFA” is less useful than knowing what percentage of users, administrators and applications are covered, which methods are used and which exceptions remain.

Detect

Detect focuses on finding anomalies, events and control failures. Logs must be collected from the systems that matter, retained for a useful period and monitored against meaningful scenarios. More data is not always better. The aim is timely, actionable visibility.

Detection also includes knowing when preventive controls fail. Alerts for disabled security software, new administrator accounts, unusual forwarding rules, backup deletion and suspicious sign-ins may be more valuable than thousands of low-confidence events.

Respond

Respond covers incident management, analysis, communication, reporting and mitigation. A plan should identify decision-makers, technical responders, legal and privacy contacts, insurers, communications support, suppliers and government reporting channels.

Response quality depends on preparation. Contact details, emergency access, logging, authority and external retainers should be arranged before the incident. A tabletop exercise can reveal gaps without waiting for a real crisis.

Recover

Recover restores assets and operations, communicates progress and incorporates lessons. Recovery should follow business priorities and validated dependencies. Restoring every server is not the same as restoring the customer service or finance process.

Lessons learned should result in owners and deadlines. The review is not about blame. It is about understanding which assumptions were wrong, which controls worked and how to reduce the likelihood or impact of recurrence.

ISO 27001 and an information security management system

ISO/IEC 27001:2022 is the international standard for information security management systems, usually called an ISMS. It defines requirements for establishing, implementing, maintaining and continually improving a structured approach to information security risk.

An ISMS connects scope, leadership, risk assessment, policies, controls, objectives, evidence, internal review and continual improvement. The certificate is issued by an independent certification body after audit; consultants and IT providers can support readiness and implementation but do not issue the certificate.

ISO 27001 can be valuable where customers, tenders, regulators or the board need stronger assurance. It can also improve internal discipline even where formal certification is not the immediate goal. The main risk is treating it as a document project. Policies that do not reflect real practice create fragile compliance and little protection.

A practical implementation begins with a sensible scope, clear responsibilities and an honest risk assessment. Controls are selected because they treat risk, not because every control is automatically mandatory. The Statement of Applicability records which Annex A controls are relevant, why they are included or excluded and how they are implemented.

Evidence should arise from normal operations: access reviews, patch reports, backup tests, training records, supplier reviews, incident exercises and management meetings. This makes the ISMS a management system rather than a folder prepared for an auditor.

Stanfield IT provides ISO 27001 Services and publishes a separate guide to ISO 27001 certification in Australia.

How the frameworks fit together

The frameworks can be used at different layers:

The right starting point is the business objective. A company answering enterprise procurement questionnaires may prioritise an ISO 27001 roadmap. A growing SME with inconsistent technical controls may start with an Essential Eight assessment. An executive team seeking a coherent program may use NIST CSF 2.0 to organise priorities and reporting.

Avoid chasing a maturity score without understanding the outcome. A documented control that is not operating is not mature. A tool that is deployed to only half the environment is not complete. Good assurance combines configuration evidence, operational records, interviews and testing.

How to build a practical cyber security program

A security program is more than a collection of products. It is the way the organisation makes decisions, applies controls, checks whether they work and improves over time. The design should reflect business size, sector, data, threat exposure and tolerance for disruption.

The strongest programs use defence in depth. This means an attacker must overcome several independent layers, and a failure in one layer does not automatically become a major incident. A phishing message may reach an inbox, but secure identity controls can stop account access. A device may be compromised, but least privilege and segmentation can limit movement. An incident may disrupt a server, but tested backups can support recovery.

Leadership, ownership and governance

Every material security program needs a named executive owner. This person does not need to be the most technical leader. They need enough authority to resolve priorities, accept residual risk, sponsor change and ensure the issue remains visible.

Responsibilities should be clear across leadership, IT, finance, HR, legal, privacy, operations and external providers. For example, IT may configure access, but managers approve role requirements and HR triggers onboarding and offboarding. Finance owns payment controls. Legal and privacy advisers support breach assessment and notification. Communications manages consistent messages to staff, customers and media.

Policies should describe real expectations in language people can use. A smaller organisation may begin with an information security policy supported by access control, acceptable use, remote work, backup, incident response, supplier security and AI use policies. Avoid copying a generic template without aligning it to actual systems and roles.

A simple governance rhythm can include monthly operational review, quarterly executive reporting, an annual risk assessment and periodic exercises. Significant changes—acquisitions, office moves, cloud migrations, new critical suppliers or AI deployments—should trigger an additional review.

The board or owners should understand the most important scenarios, the current level of exposure, the roadmap, overdue high risks and recovery readiness. They do not need a stream of technical alerts. They need evidence that the program is controlled and that difficult decisions are being made.

Asset management and secure configuration

Asset management underpins patching, monitoring, insurance responses, incident investigation and software licensing. The organisation should be able to answer: which devices and systems are active, who owns them, what software runs, whether they are supported and whether they are monitored.

Standard builds reduce variation. Workstations, mobile devices, servers and cloud tenants should follow approved configuration baselines. Security settings should be centrally managed where practical, with changes tested and exceptions documented.

Configuration drift occurs when systems gradually move away from the standard. Temporary settings become permanent, local administrator rights accumulate and new cloud features appear with broad defaults. Regular comparison against the baseline helps identify drift before it becomes an incident path.

Disposal is part of the lifecycle. Devices and storage media should be securely wiped or destroyed, access tokens revoked and records updated. Cloud resources should be removed when projects finish so forgotten systems do not remain exposed.

Identity and access controls

Identity has become the main security perimeter for many organisations. A strong identity program begins with a reliable source of truth for people and roles. Access should be created through approved processes, limited to the role and removed promptly when no longer needed.

MFA should be enforced broadly, with stronger methods for administrators, executives, finance staff and high-risk systems. Conditional access can consider device compliance, location, risk signals and application sensitivity. However, rules need testing, monitoring and emergency access arrangements so a configuration mistake does not lock out the whole business.

Least privilege means people and systems receive only the access needed for their tasks. It is not a one-time cleanup. Access grows through projects, temporary coverage and role changes, so reviews should occur regularly. Managers and system owners should confirm access because they understand business need better than IT alone.

Privileged access deserves separate controls. Administrator identities should not be used for everyday email and web browsing. High-risk changes should be logged, and particularly sensitive actions may require approval or time-limited access. Break-glass accounts should be protected, excluded from normal dependencies where appropriate and tested.

Service accounts, application identities and API keys are often overlooked. They should have an owner, purpose, scoped permissions, secure credential storage and rotation or equivalent controls. Secrets should not be embedded in scripts, documents or public code repositories.

Endpoint and mobile device security

Endpoints include laptops, desktops, servers, phones and tablets. They are where users open content and where attackers often gain their first operational foothold. A device program should combine supported operating systems, secure configuration, patching, encryption, endpoint protection and management visibility.

Modern endpoint detection and response can identify suspicious behaviour and support containment, but it is not a substitute for hardening. Devices should restrict local administrator rights, block risky scripts or applications where practical, enforce screen locking and protect storage with encryption.

Mobile devices require their own decisions. The organisation should define whether personal devices can access business information, what management is required, how data is separated and what happens when a device is lost. Mobile application management may protect business data without taking control of personal content, depending on the platform and use case.

Lost or stolen devices should be reported immediately. Remote lock or wipe can help, but encrypted storage and strong authentication reduce the risk before the business acts.

Patching and vulnerability management

Patching is an operating process, not a monthly button. It requires complete asset visibility, trusted update sources, testing, deployment, verification and exception management. Different systems may need different schedules based on exposure and criticality.

Internet-facing and known exploited vulnerabilities should receive priority. Emergency patching should have a defined approval and communication path. The cost of a short planned interruption may be far lower than the cost of waiting for the normal window.

Vulnerability scanning should cover internal, external and cloud environments in proportion to risk. Findings should be assigned to owners and tracked to closure. Reports should distinguish accepted, mitigated and genuinely remediated items.

Penetration testing is valuable after major changes, before launching sensitive applications, when required by customers or standards and as periodic validation. The scope and objective should be clear. A good report explains attack paths, business impact and practical remediation rather than delivering only technical severity ratings.

Email, collaboration and payment security

Email remains a critical business platform and a common route for fraud. Protection should include anti-phishing and malware controls, domain authentication, impersonation protection, safe link and attachment analysis where appropriate, and monitoring for suspicious sign-in or mailbox behaviour.

Domain-based Message Authentication, Reporting and Conformance—DMARC—works with SPF and DKIM to reduce unauthorised use of a domain in email. It should be implemented carefully because legitimate third-party senders need to be identified and aligned before enforcement.

External email indicators can help but should not be the only defence. Attackers can compromise genuine supplier accounts, and employees can become desensitised to banners. Verification procedures for payments, payroll changes, gift cards and sensitive data requests remain essential.

Collaboration tools create additional sharing paths. Guest access, public links, external chat, meeting recordings and connected applications should be governed. The business should know who can invite guests, how long access lasts and how sensitive workspaces are reviewed.

Network security and zero trust principles

Network security controls traffic between users, devices, services and the internet. Firewalls, secure DNS, web filtering, wireless security, segmentation and remote access controls remain valuable, even as more services move to the cloud.

Segmentation limits the spread of an incident. Guest wireless should not provide access to internal systems. Sensitive servers, backup infrastructure, building systems and operational technology may require separate zones. The design should reflect communication needs rather than simply adding more subnets.

Zero trust is a principle, not a single product. It assumes that network location alone is not sufficient proof of trust. Access decisions should consider identity, device, context and the sensitivity of the resource. Sessions and privileges should be limited, and unusual behaviour should be monitored.

For many SMEs, practical zero trust begins with MFA, managed devices, conditional access, least privilege, modern application access and reduced reliance on broad VPN connectivity. The aim is gradual risk reduction, not a disruptive rearchitecture for its own sake.

Cloud and Microsoft 365 security

Cloud security follows the shared responsibility model. The provider secures its underlying platform, while the customer remains responsible for identity, data, configuration, devices, integrations and use. The exact division differs by service.

A Microsoft 365 security baseline should consider privileged roles, MFA, conditional access, legacy authentication, external sharing, mailbox forwarding, audit logs, application consent, device compliance, email protection and data retention. Licensing affects available controls, so the design should match both risk and budget.

Cloud applications should be approved through a repeatable process. The review should consider data, access, integration permissions, supplier security, recovery, contract terms and exit. Single sign-on can improve user experience and centralise control, while automated user provisioning reduces orphaned access.

Cloud logs need to be retained and monitored. Default retention may be shorter than the period needed to investigate a slow compromise. Important events should feed a central monitoring process or managed detection service.

Data protection, encryption and loss prevention

Data protection begins with knowing what information exists and why it is retained. Classification and ownership make technical controls more targeted. Highly restricted data may need tighter sharing, stronger authentication, encryption, additional logging or approval before export.

Encryption protects data in transit and at rest, but key management and access still matter. A legitimate logged-in user may be able to download encrypted cloud data. Encryption should therefore be part of a broader access and monitoring strategy.

Data loss prevention tools can detect or restrict sensitive information leaving through email, cloud sharing, endpoints or applications. They can be useful, but poorly tuned rules create noise and frustration. Start with a small number of high-confidence data types and business scenarios, then expand.

Information should be retained only as long as needed. Disposal should include backups and third-party copies where contractual and legal obligations permit. Privacy, legal and records-management advice may be required for formal schedules.

Backups, disaster recovery and business continuity

Backups protect data; disaster recovery restores technology; business continuity keeps critical operations functioning. The three are related but not interchangeable.

A backup strategy should cover critical data, system configuration, cloud services and dependencies. The widely used “3-2-1” principle—multiple copies, different media or platforms and one copy protected offsite—remains a helpful starting idea, but modern environments also need immutability, separate administrative control and monitoring for deletion attempts.

Restoration tests should be scheduled and recorded. Test a sample of files regularly, then run complete application or service recovery exercises according to risk. The test should confirm data integrity, identity dependencies, network access, licences, credentials and the order of restoration.

Business continuity plans should identify manual workarounds, alternative communications, priority customers, supplier dependencies and decision thresholds. A plan that exists only on the unavailable network is not useful. Key contacts and procedures should be accessible securely during an outage.

Stanfield IT provides Backup and Disaster Recovery and Business Continuity Planning support for organisations that need a more reliable recovery capability.

Logging, monitoring and managed detection and response

Prevention will not stop every event. Monitoring helps the organisation find suspicious activity before it becomes a larger incident. The most useful logs usually come from identity platforms, email, endpoints, firewalls, servers, cloud applications, privileged access and backup systems.

A logging strategy should answer what is collected, how long it is retained, who can access it, which alerts are monitored and what happens when a signal appears. Time synchronisation is important because investigators need to reconstruct events across systems.

Alerting should focus on behaviours that matter: impossible or unusual sign-ins, new administrator accounts, disabled protection, suspicious application consent, mass file changes, mailbox forwarding, unexpected data downloads, backup deletion, malicious process execution and communication with known threats.

Managed Detection and Response combines technology with analysts who investigate and escalate alerts. It is most valuable when responsibilities are explicit. The provider and customer should agree who can isolate a device, disable an account, contact leadership and act outside business hours. Managed Detection and Response can extend a business’s internal capability without requiring a full in-house security operations centre.

Security awareness and a healthy reporting culture

People are part of the control environment, not the weakest link by default. Training should help staff make safer decisions in their actual work. Topics may include phishing, payment verification, password managers, MFA prompts, data sharing, remote work, AI use and incident reporting.

New starters need guidance before they receive broad access. Role-based training should cover finance, executives, administrators, customer service and developers because their risks differ. Short refreshers and timely messages around emerging campaigns can keep security relevant.

Phishing simulations should be used carefully. The goal is to measure and improve reporting, not to shame individuals. Metrics should include how quickly suspicious messages are reported and whether the organisation responds effectively, not only click rate.

Leaders influence culture through their behaviour. An executive who follows payment verification and accepts secure access controls signals that the rules matter. A manager who asks staff to bypass them for convenience does the opposite.

Supplier and managed service provider risk

A third-party program should categorise suppliers by criticality and data access. High-risk suppliers should receive deeper due diligence and regular review. Lower-risk suppliers can follow a lighter process so the program remains proportionate.

Evidence may include independent certifications, audit reports, penetration-test summaries, cyber insurance, policies, incident history, recovery test results and responses to targeted questions. A certificate is useful assurance, but it does not replace understanding the service-specific risk.

Managed service providers often have broad administrative access across customers, which makes identity, privileged access, monitoring and contractual responsibility especially important. The business should know where credentials are stored, how support staff are vetted, how access is approved and how an incident at the provider will be communicated.

Exit planning should be considered at the beginning. The organisation needs a process to retrieve data, transfer knowledge, revoke access and maintain continuity if the supplier relationship ends unexpectedly.

Secure software, websites and change management

Businesses that develop software or customise applications should integrate security into planning, design, coding, testing and deployment. Requirements should cover authentication, authorisation, input handling, logging, secrets, dependencies and privacy.

Third-party libraries and packages need maintenance. A software composition analysis tool can help identify vulnerable dependencies, but someone must own remediation. Build pipelines and code repositories should use MFA, least privilege, branch protection and secure secret management.

Change management reduces both security and reliability risk. Significant changes should be assessed, approved, tested, communicated and reversible. Emergency changes need an expedited process and retrospective review rather than no process at all.

A development, test or staging environment can create risk if it contains production data, uses weak credentials or is exposed to the internet. The same asset and access principles apply.

Physical security and environmental resilience

Cyber security depends on physical access and reliable infrastructure. Network cabinets, server rooms, backup media and administrator workstations should be protected appropriately. Visitor access, keys and building passes need ownership and revocation.

Power, cooling, fire, water and connectivity can cause the same business interruption as a malicious attack. Uninterruptible power, redundant connectivity and environmental monitoring should match the criticality of the site.

Remote work adds physical considerations. Staff should protect screens and conversations, use managed devices, report loss promptly and avoid leaving sensitive material in shared spaces. The organisation should provide a secure, practical way to work rather than assuming employees will invent one.

Cyber security for artificial intelligence and automation

AI adoption should begin with business purpose and risk, not with a tool demonstration. The organisation should know what problem the system solves, which decisions it influences, what information it receives and what actions it can take.

Low-risk use cases may involve drafting public marketing content with human review. Higher-risk use cases may access customer records, legal documents, financial systems, source code or health information. Agentic systems that can call tools and act autonomously need stronger controls because an incorrect or manipulated output can become a real transaction.

A secure AI lifecycle should include supplier assessment, data classification, access design, testing, monitoring, human oversight, incident response and retirement. The model may be provided by one vendor while data connectors, plugins and automation platforms come from others. Review the entire chain.

Prompt injection is a class of attack in which untrusted content influences an AI system’s instructions or actions. A document, webpage or message may attempt to make the agent ignore rules, reveal information or call a tool. Treat external content as untrusted input, limit tool permissions, validate high-impact actions and require human approval where consequences are material.

AI output can be wrong while sounding confident. Security controls should not assume generated analysis, code or decisions are accurate. Testing should consider error, bias, unsafe recommendations, data leakage and adversarial inputs. Important decisions need a responsible person who can challenge the output.

Logging should capture enough information to investigate actions without creating an unnecessary repository of sensitive prompts and data. Retention, access and privacy need deliberate design. The organisation should also know how to disable an integration or revoke an agent’s credentials quickly.

AI policy should be short enough to use. It can define approved tools, prohibited data, review expectations, high-risk use cases, procurement requirements and how to request approval. Training should use realistic examples from the business.

Cyber incident response: what to do before and during an incident

An incident response plan is a decision guide for a stressful situation. It should help the organisation recognise a serious event, bring the right people together, protect evidence, reduce harm, communicate accurately and restore operations. It should not be a 70-page document that nobody can use under pressure.

The plan needs to reflect likely scenarios. A compromised executive mailbox, ransomware on a file server, lost device, exposed customer database, fraudulent payment and supplier breach each require different actions. Short playbooks can sit under the main plan and describe the first decisions for each scenario.

Prepare the response team

Identify the incident lead, technical lead, executive decision-maker and contacts for legal, privacy, communications, HR, insurance and critical suppliers. Smaller organisations may rely on external specialists for several roles, but the internal authority still needs to be clear.

Keep contact details and engagement instructions available outside normal systems. Confirm how the team will communicate if email or chat is compromised. Secure alternatives might include pre-arranged phone bridges, a separate collaboration tenant or an emergency contact list held offline.

Review cyber insurance requirements before an incident. Some policies require the insured to contact an approved breach coach, forensic firm or hotline before engaging other providers or incurring costs. The response plan should record the current policy, contacts and notification process.

External incident response support should be arranged in advance where the organisation lacks specialist depth. Procurement and legal approval during a live incident causes delay. A retainer or pre-agreed terms can shorten the path to help.

Recognise and classify an incident

Not every alert is an incident, and not every incident is a crisis. Classification helps the business apply proportionate resources. Criteria may include the sensitivity of data, number of users, privileged access, active attacker presence, operational disruption, financial exposure and legal obligations.

Staff need a simple reporting route. A suspicious email, unexplained MFA prompt, lost device, unusual payment request or accidental disclosure should reach a monitored channel quickly. The first report may be incomplete; the process should encourage early escalation rather than demanding certainty.

When an event is validated, start an incident record. Note the time, reporter, systems, actions, decisions, evidence and people involved. A reliable chronology supports investigation, insurance, notification and lessons learned.

The first hour

The first hour is about control, not perfect diagnosis. Protect people and safety first. Confirm who is leading. Preserve relevant logs and evidence. Isolate affected accounts or devices carefully. Avoid broad actions that may destroy evidence or alert an attacker unnecessarily unless immediate harm requires them.

For an account compromise, actions may include revoking sessions, resetting credentials through a trusted process, reviewing MFA methods, disabling malicious inbox rules, checking application consent and investigating activity across related accounts. For malware, isolation may be more important than shutting a device down because memory can contain useful evidence.

Do not use potentially compromised channels to discuss the response. Do not contact an extortionist, publish a statement or wipe systems without coordination. These actions can affect safety, recovery, legal privilege, insurance and investigation.

The business should decide early whether it needs specialist forensics, legal advice, privacy assessment, insurer engagement or government support. ASD’s ACSC can be contacted through ReportCyber and the 24/7 Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371).

Containment, eradication and recovery

Containment limits spread and ongoing harm. It may involve disabling accounts, blocking malicious infrastructure, isolating devices, restricting remote access or segmenting systems. The response team should consider business impact and attacker behaviour before taking broad action.

Eradication removes the attacker’s access and the cause of compromise. Resetting one password may not be enough if the attacker created another account, registered a new MFA method, installed persistence, obtained an API key or compromised an administrator. The investigation should define the affected scope and trusted point of recovery.

Recovery should be staged. Systems need to be restored from known-good sources, patched, reconfigured and monitored. Users may need new credentials. Suppliers and customers may need updated instructions. The team should define heightened monitoring and criteria for returning to normal operations.

Backups should not be connected blindly to a compromised environment. Validate that the recovery infrastructure, administrator accounts and backup copies are trustworthy. Restore critical business services in the agreed order and confirm that users can complete the actual process, not only that servers are online.

Communications and notification

Incident communications should be accurate, timely and appropriate to the audience. Staff need practical instructions. Customers and suppliers may need to know what happened, what information was involved, what the organisation is doing and what they should do. Regulators and government agencies may require specific information and timeframes.

Avoid speculation. Facts will change during an investigation. Use an approved source of truth and record material statements. Legal and privacy advice can help the organisation balance transparency, accuracy, privilege and reporting obligations.

Media or public statements should acknowledge impact without overstating certainty. Silence can create a vacuum, but premature detail can be wrong or help the attacker. The communications lead should coordinate with technical and legal teams.

Post-incident review

A post-incident review should occur while evidence and decisions are still fresh. It should examine the initial path, time to detection, escalation, containment, communication, recovery, supplier performance and control gaps. The review should also record what worked well.

Actions need owners, dates and executive oversight. A familiar failure pattern is producing a strong report and then allowing remediation to compete indefinitely with normal work. High-risk actions should enter the security roadmap and be tracked like any other material business commitment.

Stanfield IT’s Incident Response service can support triage, containment, recovery planning and post-incident improvement.

Australian privacy, breach and ransomware reporting considerations

Cyber security and legal obligations overlap, but they are not identical. A security incident may not involve personal information, and a privacy breach may occur without a sophisticated attack. Organisations should obtain legal advice for their circumstances and verify requirements at the time of an event. This section is general information, not legal advice.

Privacy Act and Notifiable Data Breaches scheme

The Privacy Act 1988 generally applies to Australian Government agencies and many private-sector organisations, including organisations above the relevant turnover threshold and certain organisations covered regardless of turnover. Applicability can be complex, so businesses should not assume they are exempt without checking.

Under the Notifiable Data Breaches scheme, an eligible data breach generally arises where there is unauthorised access to or disclosure of personal information, or loss of information, that is likely to result in serious harm and where remedial action has not prevented that likely serious harm. Covered entities must notify affected individuals and the OAIC when the criteria are met.

Assessment should begin promptly. The organisation needs to determine what information was involved, who was affected, whether the data was protected, who may have obtained it and what harm could result. Remedial action—such as recovering the information, revoking access or resetting credentials—may influence whether serious harm remains likely.

A breach response plan should connect technical investigation with privacy and legal assessment. Technical teams can explain logs, access and data. Privacy and legal advisers can assess notification and communications. Business owners can explain context and possible harm.

Stanfield IT offers Notifiable Data Breaches Readiness support to help organisations prepare evidence, roles and response processes.

Ransomware payment reporting

The Cyber Security Act 2024 introduced mandatory reporting for certain ransomware and cyber extortion payments. The rules commenced on 30 May 2025. The regime captures prescribed reporting business entities, including businesses carrying on business in Australia above the $3 million annual turnover threshold specified in the rules and responsible entities for relevant critical infrastructure assets.

The obligation concerns a payment, not every ransomware incident. Reporting entities should understand the current requirements, including applicable timeframes and information, before an incident. The Department of Home Affairs Cyber Security Act page and current rules are the authoritative sources.

An organisation should not make a payment decision casually. Payment may not restore data or prevent disclosure, may create legal and sanctions issues and may increase future targeting. Engage legal, insurer, law-enforcement and incident-response advisers.

Sector and contractual obligations

Additional requirements may apply to critical infrastructure, APRA-regulated entities, health providers, payment-card environments, government suppliers and organisations operating under specific licences or contracts. Customer agreements may require faster notification than legislation.

APRA-regulated entities need to consider CPS 234 Information Security and CPS 230 Operational Risk Management, including service-provider and continuity requirements. Businesses that store, process or transmit payment-card data need to understand PCI DSS obligations. Government contracts may refer to the Essential Eight, the Information Security Manual or protective security requirements.

Create a legal and contractual obligations register. Record the source, trigger, owner, timeframe, contact and evidence needed. Review it after regulatory changes, new customers, acquisitions and major supplier agreements.

A 30–60–90 day cyber security roadmap

A roadmap should address urgent exposure without losing sight of sustainable operating practices. The following sequence is designed for a typical Australian SME. It needs adjustment for risk, industry and current maturity.

Days 0–30: stabilise the highest risks

Name the executive owner and confirm incident contacts. Identify the critical services, systems, data and suppliers the business cannot operate without. Review administrator and former-user access. Enforce MFA on email, cloud, remote and privileged access, with documented exceptions.

Check internet-facing systems and urgent vulnerabilities. Confirm endpoint protection is active and managed. Review email forwarding, privileged roles and suspicious sign-ins. Validate that backups cover critical systems, are protected from routine administrator compromise and can be restored.

Agree a small set of immediate decisions: how payment-detail changes are verified, how staff report concerns, who can isolate a device or disable an account and which external advisers are contacted during an incident.

The output should be a short risk snapshot, an urgent action list, owners and dates. Do not spend the entire first month perfecting the assessment while obvious gaps remain open.

Days 31–60: standardise core controls

Develop or update secure configuration baselines for endpoints, Microsoft 365, network devices and remote access. Establish patching and vulnerability service levels based on exposure and criticality. Document joiner, mover and leaver processes and begin access reviews.

Centralise priority logging and define alert escalation. Cover identity, email, endpoints, firewalls, cloud platforms and backups according to the environment. Confirm retention supports investigation.

Write a practical incident response plan and scenario playbooks. Confirm the insurer process, legal and privacy contacts, alternate communications and emergency access. Review high-risk supplier access and contracts.

Provide targeted awareness training. Finance and payroll should practise payment verification. Executives should understand impersonation and account-takeover risk. All staff should know how to report a concern quickly.

Days 61–90: prove controls and plan the year

Run a backup restoration test and record the result against RTO and RPO. Conduct an incident tabletop exercise with leadership and operational teams. Test a realistic scenario, decisions, communications and dependencies.

Measure MFA coverage, managed-device coverage, patch compliance, endpoint visibility, backup success, high-risk vulnerability age and access-review completion. Investigate exceptions rather than presenting only averages.

Review approved and unapproved cloud and AI applications. Identify high-risk integrations, personal accounts and sensitive data use. Establish a proportionate approval and governance process.

Complete a 12-month roadmap with costs, owners, milestones and residual risks. Map work to the Essential Eight or chosen framework. Decide which outcomes need internal ownership and where specialist or managed support is appropriate.

The 12-month operating rhythm

After the first 90 days, security should become part of normal management. A useful rhythm may include:

• Daily or continuous monitoring of high-priority alerts and backup failures.
• Weekly review of urgent vulnerabilities, privileged changes and significant incidents.
• Monthly patching, access exceptions, security performance and supplier issues.
• Quarterly executive risk reporting, access reviews and roadmap governance.
• Six-monthly incident exercises, restoration testing and policy review for higher-risk areas.
• Annual risk assessment, penetration testing where appropriate, insurance review and strategy refresh.

Frequency should be risk-based. Internet-facing systems and high-risk vulnerabilities may need much faster action. Critical backups may need more frequent restoration testing. The value is in a repeatable cadence that creates evidence and catches drift.

How to measure cyber security without drowning in metrics

Metrics should support decisions. A board dashboard with 40 technical numbers can hide the few issues that matter. Combine leading indicators, which show whether controls are in place, with outcome indicators, which show whether incidents are being detected, contained and recovered.

Useful coverage measures include the percentage of active users protected by MFA, managed devices reporting to endpoint protection, critical assets included in vulnerability scanning, important logs reaching monitoring and critical services covered by tested recovery plans.

Useful timeliness measures include the age of known exploited vulnerabilities, time to remove leaver access, time to triage high-severity alerts, time to contain incidents and time to restore critical services in testing.

Useful quality measures include successful restoration rate, phishing report rate, repeat findings, overdue high risks, privileged accounts without an owner, high-risk suppliers without a current review and exceptions beyond their expiry date.

Business leaders also need context. A 98 per cent MFA result may look strong, but the unprotected two per cent could include administrators or a finance platform. An average patch time may hide one exposed system that is months overdue. Report the exceptions that could materially change risk.

A concise executive report can show:

Metrics should be stable enough to show trend. Change them when they stop supporting decisions, not every time a new tool produces a different dashboard.

Budgeting for cyber security

There is no universal percentage of revenue that produces the right security budget. Cost depends on industry, data, scale, regulation, technology, internal capability and risk tolerance. A small professional-services firm and a manufacturer with operational technology need different programs.

Build the budget from risk and required outcomes. Separate foundational operations—identity, device management, patching, backups, monitoring and awareness—from specific projects such as an ISO 27001 program, network redesign or application penetration test.

Include people and process, not only licences. A tool needs configuration, ownership, monitoring, maintenance and response. Low-cost software that nobody operates can provide less value than a simpler service with clear accountability.

Consider the cost of inaction realistically. Compare an investment with plausible downtime, payment fraud, privacy response, emergency recovery and lost opportunities. Avoid using fear as the only justification; connect investment to measurable reduction, customer assurance and resilience.

Prioritise controls that reduce several risks. Strong identity, patching, administrator restriction, backups and monitoring support many scenarios. Remove overlapping tools where they add complexity without improving coverage.

In-house, co-managed or managed cyber security

An in-house model provides direct control and business knowledge but requires enough people, specialist depth and coverage. A fully managed model can provide scale and continuous capability, but responsibilities and integration must be clear. Co-managed security combines an internal team with external specialists.

The right model depends on existing staff, hours of operation, complexity and risk. A growing business may keep governance and business ownership internally while using a provider for monitoring, vulnerability management, cloud hardening and incident support.

When evaluating a provider, ask who performs the work, where the team is located, how staff are screened, what happens after hours, which actions they are authorised to take, how evidence is retained, how incidents are escalated and how the provider secures its own privileged access.

Request sample reporting. It should explain business risk, trends, exceptions and actions, not merely list alerts. Confirm what is included, what is excluded and which customer responsibilities remain.

A provider should be willing to work with your internal team, insurer, legal advisers, auditors and other suppliers. Security often fails at organisational boundaries, so collaboration is a capability.

Stanfield IT provides practical Cyber Security Services across assessment, consulting, hardening, monitoring, compliance, testing and incident response for Australian organisations.

Common cyber security mistakes

Treating security as a one-off project

Threats, systems, staff and suppliers change. A successful uplift becomes stale without ownership, monitoring and review. Build an operating rhythm and recurring budget rather than declaring the work finished.

Buying tools before understanding risk

More products can create more consoles, alerts and gaps between responsibilities. Define the outcome and owner first. Use existing capabilities well before adding another platform.

Assuming MFA solves identity risk

MFA is essential, but enrolment, reset, session theft, legacy authentication, application consent and excessive privilege can still create exposure. Measure coverage and strengthen the whole identity lifecycle.

Ignoring cloud and SaaS settings

A secure provider cannot compensate for public sharing, unmanaged guests, broad administrator access or risky integrations. Review customer-side configuration and logs.

Backing up without testing recovery

A green backup status does not prove that the business can restore. Test data, applications, identities and dependencies against agreed recovery objectives.

Relying on annual awareness training

People need timely, role-specific guidance and a safe reporting culture. Finance, executives and administrators face different scenarios from general staff.

Letting exceptions become permanent

Temporary administrator rights, unsupported systems and disabled controls often remain long after the original reason disappears. Every exception needs an owner, risk statement, compensating controls and expiry.

Failing to include suppliers

A critical service can be disrupted through a provider even when internal controls are strong. Maintain visibility, contractual expectations and alternative arrangements.

Reporting activity instead of risk

Counts of blocked emails or detected malware may look impressive but do not show whether critical gaps are closing. Report coverage, response time, recovery proof and overdue residual risk.

Waiting for an incident to create a plan

During a crisis, contact details, insurance instructions, authority and communication channels should already exist. Exercises are cheaper than improvisation.

Frequently asked questions about cyber security

What is cyber security in simple terms?

Cyber security is the practice of protecting systems, accounts, devices, networks and information from unauthorised access, disruption, alteration and loss. For a business, it also includes governance, staff behaviour, supplier risk, incident response and recovery.

Why is cyber security important for small businesses?

Small businesses process payments, hold personal information and depend on cloud services, but may have limited internal security resources. A single compromised account or unavailable system can therefore cause disproportionate financial and operational impact.

What are the first cyber security controls a business should implement?

Start with complete MFA coverage, prompt patching, restricted administrator access, managed endpoint protection, secure email and cloud configuration, protected backups with restoration testing, staff reporting processes and an incident response plan.

Is the Essential Eight mandatory for every Australian business?

Not for every business. It is official ASD guidance and may be required by particular government, customer or sector arrangements. Even where it is not mandatory, it provides a strong technical baseline. Confirm specific contractual and regulatory obligations.

Which Essential Eight maturity level should we target?

The target should reflect threat exposure, sensitivity, business impact and stakeholder expectations. ASD recommends a risk-based approach and balanced maturity across all eight strategies. An assessment can establish the current state and practical target.

Is ISO 27001 the same as the Essential Eight?

No. ISO 27001 defines requirements for an information security management system and can support independent certification. The Essential Eight is a set of technical mitigation strategies. They can complement each other within one program.

What is the difference between cyber security and information security?

Information security protects information in all forms, including digital, paper and verbal information. Cyber security focuses on digital systems, networks, devices and online threats. In business practice, the disciplines overlap significantly.

Do we still need antivirus?

Yes, but traditional signature-based antivirus alone is not enough. Modern endpoint protection and detection can identify suspicious behaviour, support investigation and isolate devices. It should operate alongside hardening, patching, least privilege and monitoring.

Is multi-factor authentication enough to stop account compromise?

MFA greatly reduces risk but does not eliminate it. Attackers may use phishing proxies, session theft, approval fatigue, help-desk manipulation or malicious application consent. Use stronger methods for high-risk access and monitor identity events.

How often should we patch systems?

Patching frequency should reflect exposure and risk. Known exploited or internet-facing vulnerabilities may require urgent action, while routine updates can follow tested cycles. Maintain service levels, verify completion and manage exceptions.

How often should backups be tested?

Test sample restoration regularly and complete service recovery according to criticality and recovery objectives. High-impact systems may need more frequent testing. Record results, actual recovery time and gaps.

What is managed detection and response?

Managed Detection and Response combines monitoring technology with security analysts who investigate suspicious activity, escalate confirmed threats and may help contain incidents under agreed authority. It extends capability beyond standard business hours.

What should staff do after clicking a suspicious link?

They should report it immediately through the approved channel, even if nothing appears to happen. The response team can check the message, account, device and sessions. Early reporting is more valuable than hiding a mistake.

Should a business pay a ransomware demand?

The Australian Government advises against paying. Payment does not guarantee recovery or deletion of data and can create further risk. Obtain urgent legal, insurer, law-enforcement and incident-response advice. Mandatory payment reporting may apply to covered entities.

How do we know whether a data breach must be reported?

Covered entities need to assess whether personal information was accessed, disclosed or lost, whether serious harm is likely and whether remedial action prevents that harm. The facts and law can be complex, so engage privacy and legal advisers promptly.

How can a business use AI securely?

Use approved tools, define permitted data, restrict access and actions, assess suppliers, require human oversight for material decisions, monitor activity and include AI in incident response. Higher-risk integrations need deeper testing and stronger approval.

How much should cyber security cost?

There is no reliable universal percentage. Budget from business risk, required outcomes, regulatory needs and internal capability. Include ongoing operation, training, testing and response—not only software licences.

How often should we run a cyber security risk assessment?

At least annually for many organisations, and after major changes such as acquisitions, cloud migrations, new critical applications, regulatory shifts or significant incidents. High-risk environments may need more frequent review.

What should be included in a cyber security policy?

A policy should define purpose, scope, ownership, acceptable behaviour, access expectations, incident reporting and how supporting standards are governed. Related documents can cover access, remote work, backups, suppliers, AI and incident response.

Can Stanfield IT work with an internal IT team?

Yes. Stanfield IT can provide specialist assessments, monitoring, penetration testing, compliance support, incident response and strategic guidance alongside an internal IT team or existing provider.

Cyber security glossary

Application control: A control that permits approved software and code to run while restricting unauthorised items.

Attack surface: The systems, accounts, interfaces, people and suppliers through which an attacker could attempt access or cause harm.

Business email compromise: Fraud that uses impersonated or compromised business communications to redirect payments or obtain sensitive information.

Conditional access: Access rules that consider factors such as user, device, location, application and risk before allowing a sign-in.

Cyber resilience: The ability to prepare for, withstand, respond to and recover from cyber incidents while maintaining critical outcomes.

Defence in depth: Multiple layers of preventive, detective, responsive and recovery controls so one failure does not determine the whole outcome.

Endpoint detection and response: Technology that monitors devices for suspicious behaviour and supports investigation and containment.

Information Security Management System: A structured, risk-based management system for governing and continually improving information security.

Least privilege: Giving a person or system only the access needed for its authorised purpose and no more.

Multi-factor authentication: Authentication using two or more factors, such as something known, possessed or inherent to the user.

Penetration testing: Authorised testing that validates whether weaknesses can be combined to achieve a defined objective.

Phishing-resistant MFA: Authentication designed to resist fake sign-in pages and credential relay, such as FIDO2 security keys or suitable passkeys.

Recovery Point Objective: The maximum acceptable amount of data loss measured in time.

Recovery Time Objective: The target time for restoring a service after disruption.

Security Information and Event Management: A platform that collects and analyses logs to support detection, investigation and reporting.

Vulnerability: A weakness in software, hardware, configuration or process that can be exploited or lead to harm.

Zero trust: An approach that does not rely on network location alone and continually evaluates identity, device, context and access need.

A practical conclusion

Effective cyber security is not about predicting every attack or eliminating all risk. It is about understanding what the business depends on, making compromise harder, detecting problems early, limiting their spread and recovering in a controlled way.

For most Australian businesses, the strongest starting point is a clear risk assessment followed by disciplined fundamentals: identity protection, patching, secure configuration, restricted privilege, backups, monitoring, staff readiness and a rehearsed response plan. Frameworks such as the Essential Eight, NIST CSF 2.0 and ISO 27001 can organise the work and provide evidence, but ownership and consistent operation are what create resilience.

The program should remain practical. Controls need to support how people work, suppliers need to be included, AI needs guardrails and leaders need a concise view of residual risk. Progress should be measured through coverage, speed, testing and outcomes—not simply through the number of products installed.

Stanfield IT helps Australian organisations assess cyber risk, build prioritised roadmaps, strengthen controls, monitor threats, prepare for incidents and improve compliance without turning security into unnecessary complexity. To understand your current exposure and the most valuable next steps, arrange a Cyber Security Risk Assessment or contact Stanfield IT for a practical conversation.

Authoritative sources and further reading

• ASD Annual Cyber Threat Report 2024–25
• ASD Essential Eight
• ASD Essential Eight Maturity Model
• ASD Careful Adoption of Agentic AI Services
• OAIC Notifiable Data Breaches statistics, January to June 2025
• OAIC About the Notifiable Data Breaches scheme
• Department of Home Affairs Cyber Security Act
• NIST Cybersecurity Framework 2.0
• NIST Cybersecurity Framework 2.0 Small Business Quick Start Guide
• NIST Computer Security Incident Handling Guide, Revision 3
• ISO/IEC 27001 information
• Verizon 2026 Data Breach Investigations Report