It’s 9:47am on a Tuesday when your finance manager calls. She can’t access the accounting system. Moments later, your receptionist says customers can’t place orders online. Within minutes, you realise your entire network is locked.
Your business has just joined an unwelcome club.
In 2024, more than 1,000 Australian organisations reported data breaches to the privacy regulator, a 25 per cent increase on the previous year and the highest number since reporting began in 2018. The average cost? $4.26 million per breach in Australia, up 27 per cent since 2020.
Perth-based cyber security consultant Ruman Sarawer suggests most of those organisations had frameworks in place. They’d passed audits. They were compliant.
They just weren’t resilient.
“Compliance doesn’t mean you’re secure,” says Ruman, founder of CipherShield and Australian Information Security Association committee member. “You can tick every box and still be completely unprepared when an incident occurs.”
With more than a decade of experience across mining, energy, infrastructure and enterprise, and credentials including ISO 27001 Lead Auditor, CISSP and CISA, Ruman has seen how controls that look good on paper often fail under pressure.
The question no one asks until it’s too late
Imagine a fire spreading through your office. Can you still serve customers? Support staff? Deliver critical services?
Most businesses can’t. Their operations depend on that physical space.
A cyber incident raises the same question. If ransomware locks your systems or attackers infiltrate your network, can your business keep running?
“Cyber security isn’t about stopping every attack,” Ruman explains. “It’s about preparing for when it’s your turn, because one day it will be your turn, and being able to respond quickly, minimise damage and keep operating.”
The cause might be ransomware, a denial-of-service attack or human error. The issue is the same: can you survive disruption?
When you can’t, the consequences escalate quickly. Lost revenue while systems are down. Regulatory scrutiny. Potential class actions like those faced by Optus and Medibank. Long-term reputational damage that drives customers straight to competitors.
Where compliance fails
Ruman has seen the same scenario play out dozens of times. A company engages consultants, completes an audit, receives a report and files it away.
“The report gets delivered and nothing changes,” he says. “A year later, the same vulnerabilities are still there.”
This is the compliance trap. Frameworks like ISO 27001 and the Australian Signals Directorate’s Essential Eight are valuable. They establish baselines, create benchmarks and demonstrate due diligence to regulators and insurers.
But they don’t make you resilient.
They don’t test whether your incident response plan actually works. They don’t verify whether backups can be restored quickly. They don’t prepare leaders for the moment phones start ringing and decisions need to be made fast.
Resilience requires testing, where leadership walks through realistic breach scenarios. Incident response rehearsals that expose whether procedures are practical or wishful thinking. Backup testing that actually restores data, not just confirms it exists. Business continuity planning that identifies single points of failure.
This is where CyberProof focuses its work, helping organisations move from compliance to operational resilience through proactive threat monitoring, disaster recovery planning and recovery readiness.
The real vulnerabilities sit at desks
Despite billions spent on security technology, most breaches still start with people.
Phishing emails, weak passwords and poor data handling remain common entry points for attackers. That makes people the most important security control in any organisation.
“You can buy the best technology available,” Ruman says, “but if your people aren’t trained, it won’t protect you.”
This matters most for small and medium businesses that can’t afford enterprise-grade security operations centres or round-the-clock monitoring.
Basic awareness training dramatically reduces risk. Teaching staff to recognise phishing attempts. Establishing clear data handling rules. Creating acceptable-use policies for AI tools like ChatGPT and Microsoft Copilot, which employees increasingly use without oversight.
The AI blind spot
The rapid adoption of artificial intelligence has exposed a major governance gap.
Employees across Australia now use AI tools daily, uploading documents to ChatGPT, feeding data into Copilot and processing sensitive information through third-party platforms, often with no guidance on what’s acceptable.
“Not long ago, a company uploaded their full salary information to Copilot,” Ruman says. “Suddenly, everyone could see who earned what. That’s confidential information that should never have been there.”
The problem isn’t AI itself. The technology offers huge productivity gains. The problem is adoption without governance.
Without policies and training, AI amplifies existing weaknesses at scale.
Governance: the missing link
The most common mistake Ruman encounters is treating cyber security as an IT problem.
It isn’t. It’s a leadership problem.
“Governance is about steering the ship,” he explains. “If security isn’t aligned with where the business is going, it will never be effective.”
Information security governance defines who owns risk, who makes decisions during incidents and how security supports business objectives. Without it, ownership is unclear, controls are disconnected and decision-making collapses under pressure.
Effective governance starts at the executive and board level. Cyber risk can’t be delegated entirely to IT, because it affects every function of an organisation.
You need to ask the hard questions. Who holds our data? What access do suppliers and contractors have? What do our contracts say about security obligations? If we’re breached tomorrow, who decides whether to pay a ransom? Who communicates with customers, regulators and media?
These are governance questions, not technical ones. And they’re increasingly urgent. Under Australia’s updated Privacy Act, companies can face fines of up to $50 million for serious or repeated breaches. The Office of the Australian Information Commissioner (OAIC) is actively pursuing civil penalty actions against major organisations, including Medibank.
Directors have a fiduciary duty to exercise reasonable care. Ignorance of cyber risk is no longer a defence.
The real test
In the end, resilience comes down to one question: when — not if — prevention fails, can your business keep operating?
Can you continue serving customers while responding to the incident? Can you recover quickly enough to avoid permanent damage? Can you maintain trust with customers, partners and regulators throughout the process?
“There’s no such thing as a bulletproof organisation,” Ruman says. “Resilience is about accepting that attacks will happen and being prepared to respond effectively. It’s about making sure you’re still standing when the dust settles.”
---
Cecily Rawlinson is the Director of CyberWest Hub, Western Australia’s central force for advancing cyber security. The Hub is committed to strengthening the state’s cyber industry, developing a future-ready workforce, and raising cyber awareness across all sectors of the economy. For more information, you can get in touch with Cecily at director@cyberwesthub.au.
Ruman Sarawer is one of many Perth-based experts available to support companies with their cyber security and data privacy challenges. CyberWest Hub is connected to a range of local experts - find out more at https://www.cyberwesthub.au
