Cybersecurity Failures Start at the Top

Most cyber breaches don’t stem from cutting-edge hacking techniques. They happen because of simple, preventable failures—like a weak password, an ignored security alert, or excessive admin privileges.

The Medibank breach in 2022 serves as a stark reminder:

  • An IT service desk operator saved admin credentials in their browser, which synced to a personal device.
  • Malware on that device stole the credentials.
  • A Russian cybercriminal used them to exfiltrate 520GB of customer data—undetected for nearly two months.
  • Security tools generated multiple alerts, but no one acted in time.

Medibank had a dedicated cybersecurity team and a $1M security budget. Yet fundamental gaps remained—no MFA on critical systems, excessive admin privileges, and untriaged security alerts. This isn’t the exception; it’s the norm. Policies exist, but when a real threat emerges, something breaks. And that ‘something’ is almost always a leadership gap.

1. Technology Alone Won’t Save You

Most organisations don’t lack cybersecurity investment—they lack security execution. Medibank’s EDR (Endpoint Detection and Response) system flagged suspicious activity multiple times. But alerts sitting in an inbox don’t prevent breaches—action does.

Businesses are adopting AI-driven security tools, but attackers are evolving just as fast. Deepfake scams now impersonate executives. AI-generated phishing emails are more convincing than ever.

The real defence? Making sure people and processes keep pace with technology.

2. People Are the First and Last Line of Defence

Most cyber incidents are triggered by human behaviour—a clicked phishing link, a reused password, or an employee too afraid to report a mistake. Yet many businesses still treat cybersecurity awareness as a one-off training session rather than a core part of company culture.

The best organisations go further. They don’t just educate employees—they test them. Regular phishing simulations, clear reporting processes, and leadership involvement in security discussions create real resilience.

It’s not just internal teams at risk. Customers are increasingly targeted by scams impersonating brands they trust. If they don’t know what to look for, they become part of your attack surface. Are you educating them too?

3. Leadership Defines Security Culture

Cybersecurity isn’t just an IT function—it’s an organisational responsibility. If executives treat it as an IT problem, so will everyone else.

Security isn’t just about policies and compliance. It’s about setting clear expectations, ensuring accountability, and embedding security into everyday decision-making.

“It’s like personal health. You can’t rely only on your immune system to stay safe. You need good habits, continuous education, and the right systems in place—because prevention is always better than the cure.”

Amit Singh 

Organisations that get this right don’t just avoid breaches. They build trust, protect their reputation, and operate with confidence in an increasingly hostile digital environment.

Cybersecurity: A Business Imperative

If security isn’t embedded into the way your organisation thinks and operates, now is the time to act. Strengthening your strategy, governance, and leadership approach to security isn’t just a technical necessity—it’s a business imperative.

Need help embedding cybersecurity leadership into your organisation? evince Consulting’s Advisory Services, Expert Services, and tailored Mentoring & Facilitation Services can help IT leaders take control of their security strategy.

To see if we can help you, book an alignment call today.
