The Industry Speaks: Cyber Security Awareness Month 2025

The Australian government’s theme for Cyber Security Awareness Month 2025 is ‘Building our cyber safe culture’ – here’s some advice on how to do exactly that!


Dan McLean
Country Manager, ANZ at Barracuda Networks

For Cyber Security Awareness Month 2025, the Australian Government has highlighted the continued reliance on legacy technology as a pressing issue to resolve. Legacy doesn’t have to mean something that’s been around for years; it covers anything that hasn’t been updated in line with evolving threats. With the current pace of change, the window to update and maintain systems is shrinking fast.

Older or unpatched technologies may contain known and unaddressed security flaws, lack compatibility with modern security tools, and the vendor may have stopped supporting them.

This can leave organisations exposed without updates or assistance, and prime targets for cyber criminals. Reports show that up to 70 per cent of IT teams are spending more than 6 hours a week on security patching alone. Older systems also tend to be harder to manage securely, increasing the likelihood of human error and misconfigurations that can compromise sensitive data.

When systems aren’t kept up to date, it isn’t just inefficient – it’s dangerous. Building a cyber safe culture means recognising that security is not just about reacting to threats, but about proactively strengthening the foundations of our digital environments.


Robert Marolda
Director of Enterprise & Public Sector Sales ANZ at CyberArk

As we enter Cyber Security Awareness Month, enterprise risk is at an all-time high. The rapid rise of machine identities – driven by AI, cloud and automation – is creating an ungoverned identity attack surface that most organisations are not prepared for. Fragmented strategies and siloed tools are compounding the problem, making it harder for security teams to see and control who – or what – has access. Too often, business priorities tilt toward efficiency at the expense of resilience, even as identity-related breaches continue to rise, leaving critical assets exposed.

With a third of machine identities holding privileged or sensitive access, even something as simple as an expired TLS certificate can cause major business disruption. To stay ahead of escalating threats, organisations must treat machine identities with the same urgency as human ones by embedding privileged access management into an integrated identity security strategy that spans the entire business – ensuring visibility, reducing risk and maintaining operational efficiency.


Stuart Low
CEO and Founder of Biza.io

This Cyber Security Awareness Month, I urge businesses to assess what infrastructure already exists that could benefit their approaches to data privacy and security.

One of the biggest barriers to taking a proactive and effective approach to cyber security today is the assumption that systems, processes, and investments need to start from scratch. Furthermore, too many businesses are slow to adopt a sufficient cyber security strategy because it’s not yet required by regulation. This is leaving many businesses open to avoidable threats and risk.

The Consumer Data Right (CDR) is just one example of a functioning, widely used, and too often overlooked piece of infrastructure that could help businesses manage, analyse and use data more securely. A critical aspect of this ecosystem is minimising the amount of data that needs to be collected in the first place. It’s an environment that was built to the highest security standards, and purposely only collects data when it hasn’t been obtained elsewhere in the ecosystem and is genuinely critical to service delivery. It ensures businesses aren’t collecting data for the sake of it, significantly reducing their business risk.

If cyber security has become an overwhelming challenge for your business and you’re not sure where to start, remember it’s not always necessary to reinvent the wheel. A lot of work has already been done in this space that could be adding immediate value to your risk posture.


James Greenwood
VP Customer Success and Solutions Engineering APAC at Tanium

With the rise of AI and Agentic AI, it has never been more important for businesses to adopt a ‘cyber safe culture’, as this year’s Cyber Security Awareness Month points out. This means having an always-on approach to cyber security and risk management that recognises and acts on the strengths and limitations of both technology and a human-powered workforce.

Our people are an incredible asset, bringing critical thinking and strategic mindsets. This is priceless. But cyber and technology professionals cannot operate on a 24/7 basis, and mental health and burnout are serious issues impacting our industry. Constant pressure and high workloads are leading to costly human errors, creating more work for our teams.

Automated technology and real-time data, combined with a human workforce, can ensure businesses take a preventative approach to cyber security that can counter the growing sophistication and aggression of bad actors working around the clock. Businesses need to stop being reactive, and start being proactive. That means being able to work at the speed and scale that bad actors are adopting thanks to AI. It means being on the ‘offence’, actively threat hunting and persistently looking for gaps in your cyber security strategy.


Sam Salehi
Managing Director ANZ at Qualys

Every Cyber Security Awareness Month, we are reminded of the basics – don’t click suspicious links, update your software, and use strong passwords. Valuable advice, but in 2025 it’s no longer enough. The real challenge for organisations isn’t defending every corner of the attack surface, but understanding which risks actually matter to the business.

Recent research shows that while almost half of organisations now have a formal cyber risk program, only a fraction align those programs with business objectives. That gap explains why, despite rising investment, most still see their overall risk levels increasing.

In fact, too often security teams spread resources thin across thousands of vulnerabilities, treating them in isolation without considering business impact. We need to shift our conversation from attack surfaces to risk surfaces. Not every vulnerability is equal: a seemingly low-level issue on a mission-critical system can be far more dangerous than a high-severity issue on a peripheral asset.

The way forward is moving from detection to direction. Cybersecurity must evolve from an IT function to a business function – one that quantifies potential loss, models realistic scenarios, and prioritises decisions based on asset criticality, financial exposure and business outcomes. To close the maturity gap, security leaders need to move beyond legacy metrics like CVSS scores and adopt unified risk frameworks such as a Risk Operations Centre (ROC). By continuously correlating vulnerability data, asset context, and threat exposure, a ROC enables smarter prioritisation and faster, more meaningful remediation.


Hayley Fisher
ANZ Country Manager at Adyen

Cyber Security Awareness Month is a timely reminder that businesses can’t afford to treat cyber security as an afterthought. While many small businesses view cyber risk as an IT issue, the real vulnerabilities often sit in payments – from fragmented systems to manual reconciliation. These inefficiencies not only drain time from already stretched teams but also open the door to fraud.

Fresh data from Adyen shows that more than half (57 per cent) of SMEs use more than one SaaS platform just to reconcile payments, creating unnecessary complexity and blind spots. At the same time, only 24 per cent of SMEs rank risk management as their most important platform feature – despite rising fraud and cyber threats.

Building a cyber safe culture means embedding resilience into your everyday operations – not just IT networks, but also cash flow, reconciliation, and customer payments. SMEs that embrace integrated SaaS platforms with strong risk controls and automated fraud detection can significantly reduce vulnerabilities while freeing up time to focus on growth.


Erich Kron
CISO Advisor at KnowBe4

If we want to strengthen security, we need to start with the people who keep the organisation running. Security tools continue to improve, but so do the threats that rely on manipulating human behaviour. Attackers count on stress, distraction and misplaced trust, and those tactics are working.

Recent data shows that between 70 and 90 per cent of breaches feature human involvement. Human risk shows up when people are expected to spot threats but have not been set up to succeed. That is where Human Risk Management (HRM) makes a difference.

HRM is not about ticking a box. It is about understanding how people think and work, what gets in their way, and how to build habits that lead to better decisions. Breaches linked to human behaviour are a sign that security culture is not keeping pace with the threat landscape.

The work is not just about raising awareness. It is about making sure people feel supported, know what to watch for and have the confidence to act when it matters. The goal is not perfection. It is resilience, and that comes from people who are prepared to recognise risks and respond with good judgement.


Adhil Badat
Managing Director APJ at Rackspace Technology

The truth is that cyber-attacks are inevitable. Ransomware and data breaches are designed to cause maximum disruption, and many businesses still treat recovery as a secondary concern.

Traditional backup and disaster recovery solutions were built for a time when organisations could absorb days or even weeks of downtime. In today’s business climate, even short periods of downtime can carry serious consequences. Research in Australia shows the average customer-facing incident takes about two-and-a-half hours to resolve and costs over a million dollars, confirming that even an hour of disruption is enough to erode revenue, customer trust, and brand reputation.

That shift demands a new mindset. Cyber readiness goes beyond storing a copy of your data. It means identifying mission-critical workloads, conducting readiness assessments, mapping dependencies and testing realistic scenarios. It also involves creating clean and isolated environments where recovery can be executed securely, allowing operations to resume in hours rather than weeks.

Resilience should be treated as an ongoing discipline. It requires consistent investment in people, processes and testing so that organisations are able to adapt as threats evolve. By building recovery into the very centre of a cyber strategy, businesses can transform resilience into a competitive strength. This ensures they protect not only their data but also their ability to operate and the trust they hold with customers and partners.


Nigel Tan
APAC SE Director at Delinea

The attack surface is changing, and the rise of machine identities is at the centre of it. From chatbots to APIs and autonomous agents, they already outnumber humans 46-to-1 – yet they’re too often overlooked. Securing these identities is now just as critical as protecting human ones.

The recent Salesloft breach proved the risk. Attackers didn’t go after staff logins – they exploited an AI-powered chatbot’s privileged access, moving into systems like AWS and Slack. With only 28 per cent of Australian organisations ready to secure AI, compared to 44 per cent globally, the gap is clear.

Cyber Security Awareness Month is the moment to act. As machine identities increasingly become entry points for attackers, start with visibility into where they are and what they can access. Then shorten credential lifespans so stolen details quickly expire and restrict each identity’s access to only what it truly needs. Treating machine identities with the same priority as human ones is essential to business resilience.


David Rajkovic
Regional Vice President A/NZ, Rubrik

Cyber Security Awareness Month is an ideal time for leaders to review their current strategies in light of evolving attacks. The traditional approach to security has been to build the highest digital ‘walls’, but new strategies are seeing attackers routinely undermine these defences.

Chief among these new methods are identity-based attacks. Recent research from Rubrik Zero Labs found almost 80 per cent of all cyberattacks in the past 12 months were identity-driven. These attacks involve exploiting a critical vulnerability in those digital walls – weaponising compromised user credentials to gain unauthorised access to critical systems.

As targeted attacks involving compromised credentials increase, zero trust principles can help to minimise the risk of these attacks. Least privilege, where users have access only to resources they need to work effectively, and just-in-time access, where privileges are granted only for pre-determined durations, are two such principles.

Additionally, AI-powered anomaly detection systems can monitor user behaviour, detect unusual access patterns, and identify potential identity-based threats in real time to provide critical early warning signals. It’s no longer enough to know an identity is compromised; we must understand what that identity has access to. Modern data security platforms now continuously map the relationship between every identity – human and machine – and the sensitive data they can access. Platforms allow organisations to proactively identify high-risk permissions and understand the potential ‘blast radius’ of a compromised account before an attack even happens. Digital walls might have worked when cyber attackers were breaking in, but a new approach is needed because increasingly they’re simply logging in.


Shain Singh
Principal Security Architect at F5

For too many years, application security was considered to be an issue for the IT team. That is no longer the case. The theme for this year’s Cyber Security Awareness Month is ‘Building our cyber safe culture’, and it’s never been clearer that application security, like all elements of cyber security, is a whole-of-business concern.

Every line of code, every integration, and every business process carries potential risk. Cyber Security Awareness Month is a timely reminder that developers, executives, and employees all have a role to play in safeguarding digital trust. That means building trust at every layer, from applications and infrastructure to data. By embedding security into every part of the organisation, businesses can improve their resilience and stay ahead of emerging threats.

As digital transformation accelerates, so do the risks that come with it. Security breaches are becoming a regular feature in the news, and many of them share a common thread and that thread is gaps in application security. Cyber Security Awareness Month serves as a useful prompt to re-examine how we approach security so it is viewed not just as a technical issue, but as a shared responsibility across teams. Strong defences rely on more than just tools. They depend on collaboration, a resilient mindset, and making security an integral part of how we build and run systems.


Alan Win
Founder and CEO at Middlebank Consulting Group

Cyber security is an urgent priority across industries as digitalisation and interconnected systems increase the risk of attacks. Sectors from finance and healthcare to manufacturing and e-commerce are constantly exposed, with the supply chain, including suppliers, manufacturers, logistics providers, and online platforms, particularly vulnerable.

Ransomware, phishing, and supply chain attacks can disrupt operations, compromise sensitive data, and damage customer trust. Organisations must take proactive steps by implementing strong digital security measures, regularly assessing risks, training employees, and working closely with partners. Building cyber resilience is no longer just a technical requirement; it is a strategic necessity for protecting operations and maintaining stakeholder confidence.

David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
