Cybersecurity Failures Start at the Top

Amit Singh

Most cyber breaches don’t result from sophisticated hacking. They stem from simple, preventable mistakes - a weak password, a mismanaged security alert, an overprivileged account.

We’ve seen it time and again. The Medibank breach in 2022 is a prime example, but it’s far from the only one. Here’s what happened:

  • An IT service desk operator saved admin-level credentials in his browser. These credentials synced to his personal device.
  • Malware on that personal device stole the credentials.
  • A Russian cybercriminal used them to access Medibank’s systems and exfiltrated 520GB of sensitive customer data over nearly two months.
  • Medibank’s security tools generated multiple alerts, but no one escalated or acted on them in time.

These aren’t highly technical failures; they’re failures in process, leadership, and culture. Despite having a dedicated cybersecurity team and a $1M security budget, critical security gaps remained:

  • No multi-factor authentication (MFA) on key systems
  • Overuse of admin privileges
  • Security alerts ignored or untriaged
  • Multiple audit recommendations left unimplemented

And here’s the real issue: Medibank isn’t the exception; it’s the rule. Many organisations have security policies in place, yet when a real threat emerges, something breaks. People don’t take action.

That’s because cybersecurity isn’t just about having the right tech. Like personal health, it requires education, good habits, and leadership to build resilience.

You wouldn’t rely only on your immune system to stay healthy, so why do businesses rely only on IT to stay secure?

I recently discussed this in a TV interview with Ticker News, where we explored how AI-driven threats are evolving and why businesses need to rethink cybersecurity as an organisational responsibility, not just an IT problem. You can watch the full interview here.

Technology Alone Won’t Save You

Most organisations don’t lack cybersecurity investment; they lack security execution. Medibank had an EDR (Endpoint Detection and Response) system that flagged suspicious activity multiple times. But alerts sitting in an inbox don’t prevent breaches; action does.

More businesses are adopting AI-driven security tools, but attackers are doing the same. Phishing emails are becoming more convincing. Deepfake scams are tricking employees into transferring funds or revealing credentials. The only real defence is ensuring people and processes keep pace with technology.

People Are the First and Last Line of Defence

Most cyber incidents stem from human behaviour - a clicked phishing link, a reused password, an employee too afraid to report a mistake. Cybersecurity awareness can’t be a one-off training session. It has to be embedded into everyday behaviour.

The best companies don’t just educate employees on risks - they test them. Regular phishing simulations, clear reporting processes, and leadership involvement in security discussions make a difference.

It’s also not just internal teams at risk. Customers are increasingly targeted by scams impersonating brands they trust. If your customers don’t know what to look for, they become part of the attack surface. Are you educating them too?

Leadership Defines Security Culture

At its core, cybersecurity is a leadership issue. If executives treat it as an IT problem, so will everyone else. Security isn’t just about policies and compliance; it’s about setting expectations and accountability across the business.

It’s like personal health. You can’t just rely on your immune system to keep you safe. You need good habits, continuous education, and the right systems in place - because prevention is always better than the cure.

The organisations that get this right don’t just avoid breaches, they build trust, protect their reputation, and operate with confidence in an increasingly hostile digital environment.

If cybersecurity isn’t embedded into the way your organisation thinks and operates, now is the time to take action. Strengthening your strategy, governance, and leadership approach to security isn’t just a technical necessity, it’s a business imperative. If this is an area where you need guidance, it’s worth seeking the right expertise to ensure your organisation is truly prepared.
