Keeping your business cyber safe

Tuesday, 01 July 2025

Jane Nicholls
Journalist

    The number of cyber attacks is surging and they are becoming more sophisticated and dangerous every day. Australian Cyber Security Centre chief Stephanie Crowe pinpoints critical threats needing director focus.


    The Australian government’s 2002 terrorism awareness slogan — “Be alert not alarmed” — could easily drop into its 2025 cybersecurity messaging. As businesses of all sizes deal with digital attacks, the Australian Cyber Security Centre (ACSC) has a mission to protect, educate and make sure we’re paying attention.

    “We had 86,000 cybercrime incidents reported to us in 2024, an average of a report every six minutes, which is increasing with the rapid expansion of technology,” says Stephanie Crowe, head of the ACSC, which is part of government intelligence agency the Australian Signals Directorate (ASD).

    “We work with people to help their own organisations and also to protect their customers,” says Crowe, who joined the ASD in 2009.

    “I wanted to contribute to a government agency that made a difference. I’m proud to be a part of the ASD, which was born during World War II, when the mission was pretty straightforward — to collect foreign signals intelligence on the Japanese Imperial Army to support the Allied war effort.”

    In the 21st century, the battle is on multiple fronts. “We provide cybersecurity advice to help Australian businesses and the public defend themselves against persistent attacks from malicious nation state actors and the rapidly evolving cybercriminal threat,” says Crowe. “We offer a range of services to businesses of all sizes, including sharing intelligence about the threat environment.”

    As the digitisation of our economy spreads, strong cybersecurity is essential to protect networks and systems, and to maintain customer trust. “In a complex geopolitical landscape where cybercriminals are financially motivated and extending their operations through highly organised crime groups, there are mounting risks for companies,” says Crowe.

    Intelligence sharing

    She urges boards to ensure their company is part of the ASD’s Cyber Security Partnership Program, where companies engage with each other and the ACSC to share knowledge and lift resilience across the Australian economy.

    The Cyber Threat Intelligence Sharing (CTIS) platform is central to bringing business and government together for near real-time information about malicious activity. The ACSC partnered with Microsoft for a plugin for the CTIS platform to run through Sentinel, the software company’s security package. Companies need to be an ASD Cyber Security Network Partner to take part. “We share intelligence on the platform to help organisations respond to threats,” says Crowe. “We also provide advisers and products through our Partnership Program portal, which are tailored for organisations to help them respond to the latest threats they are facing, based on their sector and the customers they service.”

    Reports of narrow escapes are extremely valuable, especially to SMEs that don’t have the resources of large organisations. “We get tips where a company tells us about a threat they’ve seen and responded to, which helps us to prevent ransomware incidents happening to other companies,” says Crowe, noting that for unsuspecting SMEs, such an attack could finish the business. “I want to put a call out to report cyber incidents, even if they seem minimal and didn’t impact you. It helps us to respond in a way that helps others.”

    Cybersecurity culture comes from the top, and boards have a critical role to play in influencing their organisation’s safety. Directors should consider the following three key areas.

    1. Confidential reporting is now law

    The fear of reputational damage has contributed to some organisations delaying the reporting of hacks. This has potentially made incidents worse and left customers unaware that their personally identifiable information (PII) has been exposed. One of the biggest boosts to national cybersecurity is when companies report incidents swiftly so that the agencies can help not only them, but others.

    The ASD is not a regulator and has always treated information provided by organisations in confidence, but additional “limited use” protections became law in November 2024, under the Intelligence Services and Other Legislation Amendment (Cybersecurity) Act 2024. This legislation means any information about a cybersecurity incident voluntarily provided to the ASD — or acquired by the ASD in collaboration with an organisation — can’t be used for regulatory purposes. The aim of the limited-use obligation is to give companies greater confidence that their information is protected, leading to the ASD/ACSC receiving more detailed information faster and, in turn, bolstering the agency’s ability to improve its advice.

    “The limited-use obligation is really important for us,” says Crowe. “It’s legislative assurance that when industry reports cybersecurity incidents to us, we can only use that information to protect that entity, to remediate that incident or to be able to provide technical information that’s anonymised to help others experiencing the same threat or vulnerability. The limited-use obligation means the ASD can’t provide information reported to us to a regulator. If a regulatory action comes about because of your cyber incident, none of the information you shared with ASD will be involved in that process.”

    The drama of an unfolding attack can make correct details elusive and the legislation further protects companies in this situation.

    “Cyber incidents can be complicated,” says Crowe. “At the beginning, you don’t necessarily know the full extent. The limited-use obligation gives industry and companies confidence they can tell us something without fear of it being used against them if it turns out to be wrong as the investigation unfolds.”

    Limited use does not override mandatory reporting obligations. The ASD considers it is always in the best interests of organisations to report incidents promptly. The ACSC can then provide confidential advice and assistance.

    2. The LOTL threat

    Crowe and the ASD have encouraged boards to be aware of another emerging online risk. “Living off the land”, aka LOTL, is when hackers gain access to a network — perhaps by using a stolen username and password — then lurk inside the system.

    “It is a change in the way hackers operate — they hide,” says Crowe. “Cybercriminals want to be found. They leave ransom notes and they’re there for a clear intent — financial gain. LOTL tradecraft is to hide on a network and not be found, so the hacker can cause an effect at a time of their choosing.”

    Unlike ransomware cybercriminals, LOTL hackers are playing the long game. “It might be to disrupt or take down systems, or to make changes to a system,” says Crowe. “It is a real threat if you’re managing operational technology for energy and water systems, or supporting medical devices in the health sector, where disruptions can impact lives and livelihoods.”

    The malicious use of LOTL techniques is seen as a significant threat — including from China and Russia, plus state-sponsored actors. Intelligence and critical infrastructure agencies from the US, Canada, UK and New Zealand, and the ACSC, have co-authored a guide to help network defenders against this tactic. Crowe says boards need to understand the threat LOTL poses in terms of potential impact and that it requires them to support investment in the right tools for their cybersecurity workforce.

    “It’s a change in the way network defenders have operated, because rather than looking for malware or malicious software — which is relatively easy to find if you know where to look — you have to understand the behaviour of a network to the point where you can identify where something doesn’t look right. For example, do I have a user logging in at 2am when we know they shouldn’t be working? You need tools to log that activity and understand when it changes. You have to assume you’re compromised and identify the most precious things you need to monitor and protect.”
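The behavioural check described above (a login at 2am from someone who should not be working), sketched as an added example that is not from the article or the ACSC: it builds a per-user baseline of login hours from constructed sample events and flags logins that fall outside it. The event format, function names and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (ISO timestamp, user); not real log data.
HISTORY = (
    [(f"2025-06-{d:02d}T{h:02d}:15:00", "alice") for d in range(2, 14) for h in (8, 9)]
    + [(f"2025-06-{d:02d}T{h:02d}:40:00", "bob") for d in range(2, 14) for h in (22, 23, 1)]
)
NEW_EVENTS = [
    ("2025-06-16T08:55:00", "alice"),  # inside alice's usual hours
    ("2025-06-17T02:03:00", "alice"),  # the 2am login from the quote
    ("2025-06-17T02:10:00", "bob"),    # night shift, close to bob's usual 01:00
    ("2025-06-17T09:00:00", "carol"),  # account with no login history at all
]

def build_baseline(events, min_events=10):
    """Map user -> set of login hours seen, only for users with enough history."""
    hours = defaultdict(list)
    for ts, user in events:
        hours[user].append(datetime.fromisoformat(ts).hour)
    return {u: set(h) for u, h in hours.items() if len(h) >= min_events}

def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock, so 23:00 to 01:00 is 2."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def review_logins(events, baseline, tolerance=1):
    """Return (timestamp, user, reason) for logins that deviate from the baseline."""
    findings = []
    for ts, user in events:
        hour = datetime.fromisoformat(ts).hour
        usual = baseline.get(user)
        if usual is None:
            # A never-before-seen or rarely used account is itself worth a look.
            findings.append((ts, user, "no-baseline"))
        elif min(hour_distance(hour, h) for h in usual) > tolerance:
            findings.append((ts, user, "unusual-hour"))
    return findings

if __name__ == "__main__":
    for finding in review_logins(NEW_EVENTS, build_baseline(HISTORY)):
        print(finding)
```

The baseline is per user, so the same 2am timestamp is flagged for a day-shift account and accepted for a night-shift one; a fixed "out of hours" rule would get one of the two wrong.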

    A cyberspook’s five golden security rules

    “When leaders practice cyber safety on personal devices, it significantly reduces their own risk and can manifest into a strong cyber culture across the company,” says Stephanie Crowe.

    1. Accept all updates on phones, laptops and desktops immediately. “We’re no longer in a world where you can do it later, because hackers are exploiting vulnerable devices really quickly these days. The reason a personal device needs to do an update is because it’s vulnerable. You need to do it.”

    2. Reset passwords regularly. “Use passphrases or strong passwords. Password managers have high-level encryption, which can protect your password from being stolen.”

    3. Set up multi-factor authentication (MFA) and digital credentials on all your devices. “MFA, or modern technologies such as passkeys, are basic cyber hygiene.”

    4. Trash apps you’re not using. “Cybercriminals use apps that aren’t supported or patched regularly to get into devices. If you’re not using an application, delete it.”

    5. Turn off your devices. “Embed turning your device on and off into your routine. If you’ve accidentally clicked on a link, it can reduce the risk, because when you turn your device off and on again it reboots, which can get rid of low-level malicious software. Make it part of your routine at least every couple of days.”

    3. Think about quantum safety now

    Quantum computing is likely years away from being mainstream, but boards need to be talking about it now. “Quantum computers will be harder, faster and better at maths than computers that exist today,” says Crowe.

    That quantum leap means they’ll have the potential to break existing cryptographic algorithms that currently keep us secure online. The looming threat is known as “harvest now, decrypt later”, where cybercriminals actively collect sensitive data in the hope that in the future they’ll be able to unlock and profit from it.

    If it weren’t such a concern, you might admire such long-term strategising. Instead, it’s a giant headache, because ensuring quantum safety in the future means commencing the laborious process of securing critical data with post-quantum cryptography (PQC) immediately. As with LOTL, there is international cooperation through the US National Institute of Standards and Technology around PQC, including the development and approval of PQC algorithms.

    “The ACSC’s position is that everyone should transition to PQC by 2030 to be quantum-safe,” says Crowe. “We have advice on the ACSC website about preparing for PQC. Essentially, it’s also about protecting the crown jewels and having an implementation plan for where you need to use more sophisticated algorithms.”

    This article first appeared under the headline 'Top Secrets' in the July 2025 issue of Company Director magazine.
