10 Things to Know About Cybersecurity in 2025
Four of Australia’s leading cybersecurity experts share the latest advice on emerging threats, strategies to thwart them, vulnerabilities to avoid and how to think outside the box.
Stay alert to threats from within
The risk of an “inside job” is growing, with cyber criminals able to infiltrate IT systems and “hide in plain sight”, according to Rachael Falk, CEO of the Cyber Security Cooperative Research Centre (CSCRC). “They may look like a legitimate user but they’re mapping your network from the inside for months, until the day they take everything out.”
“We call this tradecraft ‘living off the land’, or LOTL, and it’s probably the biggest shift,” says James Baker, first assistant director-general of cyber threat intelligence at the Australian Cyber Security Centre (ACSC), the government’s lead cyber agency. The old modus operandi for hackers was to get into a network, lay their malware and exfiltrate as much data as possible. That’s “noisy” and the signature of malware on a network is detectable. “This pivot by malicious actors to use LOTL tradecraft sees them employ existing tools in the networks to do their reconnaissance and hide in the noise of the network. They will then steal legitimate user credentials and masquerade as them.” Locating these criminals “is like finding a needle in a haystack”, adds Baker.
Falk says “sysadmins” – system administrators – are prime targets for LOTL criminals and need to be given extra security and surveillance. “It’s like having a janitor with the keys to everything right through the building – from the boardroom to the safe. You’ll never notice when they go into a room because they can be there legitimately. What you’re looking for is if they are doing something differently, taking unusual things.” Falk isn’t suggesting that sysadmins (or cleaners, for that matter) are the bad actors, but in the wrong hands their system credentials – the virtual keys – can unleash havoc.
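As an added illustration of the “doing something differently” signal that Baker and Falk describe (this is example code, not from the article or any of the agencies quoted), the snippet below builds a per-account baseline of the hosts, tools and hours an administrator normally uses, then flags later events that depart from it. The log format, account name, hosts and tools are all constructed for the example.

```python
"""Baseline-deviation check for admin activity (constructed example).
Living-off-the-land activity uses legitimate accounts and built-in tools,
so the signal is not the tool itself but an admin doing something new."""
from collections import defaultdict
from datetime import datetime

# Constructed log lines: timestamp, account, host, tool. A real deployment
# would feed these from an EDR or SIEM export covering a quiet period.
BASELINE_LOG = """\
2025-02-03T09:12:00 user=admin.jane host=FILE-01 tool=powershell.exe
2025-02-03T10:40:00 user=admin.jane host=FILE-02 tool=powershell.exe
2025-02-04T14:05:00 user=admin.jane host=FILE-01 tool=sc.exe
2025-02-05T11:30:00 user=admin.jane host=FILE-02 tool=robocopy.exe
"""
# Constructed later activity: two ordinary events, one at 02:47, one on a
# host and with a tool this account has never used before.
NEW_LOG = """\
2025-02-10T10:15:00 user=admin.jane host=FILE-01 tool=powershell.exe
2025-02-10T02:47:00 user=admin.jane host=FILE-01 tool=powershell.exe
2025-02-10T10:20:00 user=admin.jane host=DC-01 tool=wmic.exe
2025-02-10T10:25:00 user=admin.jane host=FILE-02 tool=robocopy.exe
"""

def parse(log):
    """Turn 'ts key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events

def build_baseline(events):
    """Per account: hosts touched, tools run and hours of day seen."""
    base = defaultdict(lambda: {"host": set(), "tool": set(), "hour": set()})
    for e in events:
        b = base[e["user"]]
        b["host"].add(e["host"])
        b["tool"].add(e["tool"])
        b["hour"].add(e["ts"].hour)
    return base

def deviations(baseline, events):
    """Return (timestamp, account, reasons) for each event outside the
    account's own baseline; familiar host, tool and hour stay silent."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("account never seen before")
        else:
            if e["host"] not in b["host"]:
                reasons.append(f"new host {e['host']}")
            if e["tool"] not in b["tool"]:
                reasons.append(f"new tool {e['tool']}")
            if e["ts"].hour not in b["hour"]:
                reasons.append(f"unusual hour {e['ts'].hour:02d}")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts
```

On the constructed input only the 02:47 event and the DC-01/wmic.exe event are reported; a production version would learn the baseline over weeks and treat first-seen combinations as triage leads, not verdicts.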
Be mindful of AI’s dark side
AI is helping network defenders “in the cat-and-mouse game of cybersecurity”, says Baker. “Living-off-the-land hackers masquerading as legitimate users inside your system are difficult for humans to find but when AI is incorporated, machines are really wonderful at finding those anomalies.
“The flipside is that malicious actors are also using AI to develop malware and find vulnerabilities quicker. A hacker can now write a very well-constructed, socially engineered spear-phishing email – courtesy of ChatGPT.” And they are coming at an alarming rate.
“AI can generate these scams much faster and send them to lots more people across all platforms,” says Jacqui Loustau, founder and executive director of the Australian Women in Security Network (AWSN). That means via text, email, LinkedIn, WhatsApp, Signal – “any place you are communicating”.
Beware the overshare
Using website contact forms may feel impersonal for customers but Loustau says it’s good security practice because detailed direct contact information provides a leg-up for hackers. “They scrape email addresses off websites and use tools to email them all,” she says. Think about who might be looking at those email addresses, perhaps with people’s names and titles attached, and what a malicious actor might use them for, such as a phishing attack. “If you have to give an email address, make sure that whoever is monitoring that inbox considers any incoming emails have a risk attached. That’s why I suggest a contact form instead, especially for SMEs.”
Build strength with diversity
Loustau started the Australian Women in Security Network to help rebalance the male-heavy industry and says diversity beyond gender is equally important for cybersecurity. “When you have people from diverse backgrounds thinking about the different ways we need to protect a technology, process or application it brings out a lot of creativity and innovation,” she says. “It helps to build a system that’s not only better to use but also secure.” Different cultural, educational and workforce backgrounds all build strength.
“You also need people who are great communicators and who can help others understand what they need to do to protect themselves,” adds Loustau. “They need to be empathetic because cybersecurity is often seen as scary and specialised. Diversity also means getting everyone to understand the basics of cybersecurity so that they consider it, no matter what they do in their job or their life.”
Patch in time to save crime
The WFH revolution has seen a lot of computers connecting to corporate networks from people’s homes. Every time a tech vendor announces a new security patch, that’s the dinner bell for hackers. “Within hours, cyber criminals are out there scanning the entire internet opportunistically looking for devices that haven’t been updated and using that as their first foothold into your network,” says Baker. “We used to say, ‘Patch once a week’, then we said, ‘Patch once a day.’ For critical systems, we now say, ‘Patch as soon as it’s available.’”
Baker says that the same goes for individuals deploying updates for their phones, apps and computers. We all get complacent and that’s what the hackers are banking on (literally). “Many of those updates are not feature additions – they are patching security holes that the vendors have identified. The best way to keep a hacker out of your tools and your devices is to keep them up-to-date.”
Take a stand on ransoms
It’s the million-dollar question but experts come down on the side of “don’t pay”, while agreeing it’s never a simple yes or no. “I’m a lawyer at heart and when ransoms are paid it means it’s been an effective threat and obviously you need to break the food chain of payments,” says Falk. “However, it could be a life-or-death situation – perhaps a hospital where operations need to proceed – or another critical business.”
The Australian Cyber Security Centre’s position is not to pay ransoms. “There are business decisions that play into it but from our experience, paying a ransom is not a guarantee you’ll get your data back,” says Baker. “You might make yourself a bigger target because you’ve paid once – we have evidence of companies being double-extorted.”
The unanimous advice is to plan what you would do before you’re hit by a ransomware attack – not during the panicked aftermath. Early in 2024, the Australian Institute of Company Directors (AICD) in partnership with the CSCRC and Ashurst lawyers published the free Governing Through a Cyber Crisis resource for Australian company directors. “In terms of ransoms, we made it clear that leaders get that advice well in advance of an incident – and that the board and the chair have that advice – so you have at least agreed on an answer,” says Falk.
Ransomware is just as much of a problem for SMEs. While Loustau sympathises with small businesses that are tempted to pay a ransom to get their systems back online, “every cent of ransoms paid to cyber criminals helps them to get better technology to scam more businesses”, she says. “They research organisations. They know how much ransom they’d be willing to pay and customise the amount accordingly. It will be a smaller ransom for a charity, for example. The more money they get, the more people they will attack.”
Make a plan now for when you get hacked
“All organisations must prepare for a cyber incident,” says Falk. As part of raising awareness about the need to prepare, the CSCRC worked with CSIRO’s Dr Marthie Grobler, mission lead for the Critical Infrastructure Protection and Resilience (CIPR) initiative, to develop a training program called Corporates Compromised. Grobler says the gamified training drives home to all C-suite executives that it’s absolutely their job to care about cybersecurity. “They know cybersecurity is important but if a choice has to be made between implementing cybersecurity measures or bringing in money, money will often win.”
In these fictional cybersecurity scenarios, the roles are shuffled and executives have to play out the situation in another colleague’s shoes. “It’s a tool to get them talking and to realise, ‘It could happen to me, what would I have done?’ It’s surprising how few people know who they’re supposed to call in the event of a cyber attack and even if they do know it’s normally on a database in the system, which has been encrypted by the hackers and they can’t access it. It gets them thinking about needing a Plan B and a Plan C.”
This highlights the need to keep an offline physical record of information needed in the event of a cyber attack. “When everything goes down and you don’t have access to anything, you need to have printed copies locked away – and know who has the keys and the backup keys,” says Grobler. Speaking of which – and back to the digital realm – Loustau calls out another critical safekeeping mechanism: “Backups!”
Consider the snowballing threat of multi-sector hazards
Grobler urges companies to think about their interdependencies – if service X goes down, what does it mean for Y (that is, for you)? The chaotic CrowdStrike outage in July 2024 came from a botched configuration update – a human error inside a giant cybersecurity tech company. The resulting Windows “Blue Screen of Death” crashes took out 8.5 million Microsoft Windows systems around the world, a sobering reminder of how catastrophic a malicious attack on critical infrastructure could be.
The Critical Infrastructure Protection and Resilience (CIPR) work that Grobler leads at CSIRO examines 11 sectors, starting with energy, telecommunications and data. “We’re looking at the interdependencies,” she says. “We want to understand if the energy network goes down, how does that affect the other sectors, how quickly and what are the repercussions?”
As well as cyber, CIPR is also assessing the potential impacts of other human-induced hazards, such as climate change, in order to plan how to improve protections and bolster resilience. “We’re only scratching the surface but we are already uncovering different hazards that weren’t previously considered, yet seem to be happening more often. The wide repercussions from the CrowdStrike outage showed us that.”
Remember: old-school scams have not gone away
“AI is bringing in new threats, such as deep-fake videos and phone calls, but the same old malicious cyber threats continue to thrive because they’re very lucrative,” says Falk.
They include business email compromise (BEC) fraud – when an email appears to be from a trusted person and asks for a large transaction to be made that is directed to the hacker’s account – ransomware-as-a-service attacks “and garden-variety scams that milk hard-working Australians for hundreds of thousands of dollars”, says Falk. In 2022-23, the total of self-reported BEC losses to the ACSC’s ReportCyber, the federal government’s online cybercrime reporting tool, was almost $80 million, with SMEs the hardest hit. The average cost of each BEC incident was more than $39,000.
Rethink ignoring that unexpected call
Phishing calls, texts and emails have made us rightly hyper-suspicious of unexpected contact. But if a call comes from someone saying they’re from the Australian Cyber Security Centre, listen up because it could well be them trying to warn you. For example, the ACSC’s cyber-intelligence monitoring includes looking out for where ransomware syndicates are deploying their malware. “We track it and call companies to tell them they have something happening on their network that could turn into a bad day for them,” says Baker. If an organisation is cyber-ready and has a segmented network, it can act on that information to disconnect the affected area and protect the rest of its system.
For less well-prepared SMEs, the ACSC can recommend remediation advice as well as vetted commercial “incident response” firms. The issue, says Baker, is they’ve tried to contact more than 600 entities in the past six months and about 40 per cent don’t phone back (to validate it is a genuine call, you can ring back on 1300 CYBER1 – 1300 292 371). “Then we hear from them when it’s too late.”
One last takeaway...
“Cyber criminals are innovating at a dizzying pace. They don’t have three-year technology plans – they shapeshift. It’s like 100 Silicon Valleys – they have large budgets, they’re quick to market, they have plentiful labour and no legal constraints. Companies need to allocate the budget to invest in the right tech, good people and multiple layers of defence.” – Rachael Falk, CEO, Cyber Security Cooperative Research Centre (CSCRC)
“Many cyber criminals target SMEs that work with big corporates and government organisations. This third-party risk or supply-chain risk is why helping small businesses with cybersecurity is super-important because it also protects large enterprises and government agencies.” – Jacqui Loustau, Founder and executive director, Australian Women in Security Network (AWSN)
“A lot of organisations are working to defend against ‘pure’ cyber attacks – straight attack vectors such as malware and ransomware. But now criminals are working with an angle – it’s not something that’s necessarily within your control. They’re trying to find one entity where they can do something simple and it will amplify the effects nationally or globally.” – Dr Marthie Grobler, Mission lead, Critical Infrastructure Protection and Resilience (CIPR), at CSIRO
“One thing that helps me sleep better at night is the partnership approach to cybersecurity, particularly in the Australian CISO [chief information security officer] community. Companies that wouldn’t share commercial information are banding together to share on cybersecurity, such as if they spot a new vulnerability targeting a particular entity. We all need to understand that it’s no longer a matter of ‘if’, it’s a matter of ‘when’.” – James Baker, First assistant director-general, cyber threat intelligence, Australian Cyber Security Centre (ACSC)