
ACSC Cyber Security Awareness Month is more than a calendar event. It’s a strategic opportunity for Australian businesses to reflect on how deeply cyber security is embedded into their organisational culture. The 2025 theme, “Building Our Cyber Safe Culture,” emphasises that security isn’t just the responsibility of IT teams - it’s a shared mindset across every department, from finance to marketing to operations. In today’s threat landscape, where ransomware, data breaches, and supply chain attacks are increasingly common, businesses must move beyond reactive measures and foster a proactive, security-first culture. This means integrating cyber awareness into daily workflows, decision-making, and long-term planning.
In this post, we explore the four key focus areas of this year’s campaign - event logging, legacy technology, supply chain risks, and quantum readiness - and outline what they mean for Australian businesses striving to build resilience and trust.
Event logging: The foundation of threat detection
Why it matters:
Event logging is the backbone of visibility in cyber defence. Without it, you can’t detect breaches, investigate incidents, or comply with regulatory requirements like the Australian Privacy Act or ACSC Essential Eight.
Key risks of poor logging:
- Undetected lateral movement by attackers
- Inability to trace data exfiltration
- Compliance failures during audits
What businesses should do:
- Centralise logs using a SIEM (Security Information and Event Management) platform.
- Log critical events: authentication attempts, privilege escalations, file access, configuration changes.
- Set retention policies aligned with compliance needs (e.g., 12 months for financial services).
- Automate alerts for anomalies like failed logins, unusual access times, or disabled security controls.
Tip: Even small businesses can use cloud-based logging tools like Microsoft Sentinel to get started.
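The three anomaly types named in the alerting step above (failed logins, unusual access times, disabled security controls) can be expressed as simple rules over centralised events. The following is an added example, not code from ACSC or any SIEM product; the event names, field names, thresholds and business hours are assumptions, and the log lines are constructed sample data.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (one JSON object per line); field and event names are assumptions.
SAMPLE_LOG = """\
{"ts": "2025-10-06T09:14:02", "user": "jlee", "event": "login_failed"}
{"ts": "2025-10-06T09:14:09", "user": "jlee", "event": "login_failed"}
{"ts": "2025-10-06T09:14:15", "user": "jlee", "event": "login_failed"}
{"ts": "2025-10-06T09:14:21", "user": "jlee", "event": "login_failed"}
{"ts": "2025-10-06T09:14:30", "user": "jlee", "event": "login_failed"}
{"ts": "2025-10-06T09:20:11", "user": "mchan", "event": "login_failed"}
{"ts": "2025-10-06T09:21:40", "user": "mchan", "event": "login_success"}
{"ts": "2025-10-07T02:41:55", "user": "svc_backup", "event": "login_success"}
{"ts": "2025-10-07T02:43:10", "user": "svc_backup", "event": "av_disabled"}
"""

FAILED_LIMIT = 5                   # failed logins per user that trigger an alert
WINDOW = timedelta(minutes=10)     # sliding window for counting failures
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 local time counts as normal
CONTROL_EVENTS = {"av_disabled", "firewall_disabled", "audit_policy_changed"}


def detect(log_text):
    """Return (rule, user, timestamp) alerts for the three anomaly types."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, user, kind = datetime.fromisoformat(ev["ts"]), ev["user"], ev["event"]
        if kind == "login_failed":
            recent = failures[user]
            recent.append(ts)
            while ts - recent[0] > WINDOW:     # drop failures older than the window
                recent.popleft()
            if len(recent) == FAILED_LIMIT:    # alert once, when the threshold is reached
                alerts.append(("failed_login_burst", user, ev["ts"]))
        elif kind == "login_success" and ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_login", user, ev["ts"]))
        elif kind in CONTROL_EVENTS:
            alerts.append(("security_control_disabled", user, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In a SIEM the same logic would be written as scheduled queries or analytics rules; the thresholds should be tuned against your own baseline before alerts are routed to staff.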
Legacy technology: A hidden cyber risk
Why it matters:
Legacy systems are one of the most overlooked vulnerabilities in business environments. They often lack modern security features, are incompatible with current threat detection tools, and may no longer receive vendor support. This makes them prime targets for attackers looking to exploit outdated software or hardware.
One of the most pressing examples is Windows 10, which will reach end of life (EOL) on 14 October 2025. After this date, Microsoft will no longer provide security updates or patches for most versions of Windows 10, leaving systems exposed to known vulnerabilities. Many Australian businesses still rely on Windows 10 across their fleets, and failure to upgrade could result in significant security and compliance risks.
Key risks of legacy systems:
- Unsupported operating systems (e.g. Windows 10 post-EOL, Windows Server 2012, Windows Server 2016 post-EOL in early 2027)
- Outdated firmware in networking equipment
- Legacy applications with hardcoded credentials or weak encryption
- Incompatibility with modern endpoint protection and monitoring tools
What Australian businesses should do:
- Conduct a legacy tech audit: Identify all systems running Windows 10 and other unsupported platforms. Include desktops, laptops, virtual machines, and embedded systems.
- Plan for migration: Transition to Windows 11 or other supported platforms well before the EOL date. Consider hardware compatibility, licensing, and user training.
- Apply compensating controls: If immediate replacement isn’t feasible, isolate legacy systems from the internet, restrict access, and monitor closely.
- Update policies and budgets: Include legacy tech replacement in your IT roadmap and capital expenditure planning. Factor in the cost of downtime, breach recovery, and compliance risks.
Tip: Use Microsoft’s compatibility tools to assess upgrade readiness and ACSC’s Essential Eight to evaluate how legacy systems impact your overall cyber maturity.
Regulatory angle:
Operating unsupported systems may breach obligations under the Privacy Act 1988 and APRA CPS 234 (for financial institutions), especially if those systems handle personal or sensitive data.
Supply chain & third-party risks: beyond your perimeter
Why it matters:
Third-party vendors, cloud providers, and software suppliers can introduce vulnerabilities into your environment. The Optus and Medibank breaches highlighted how indirect access can be exploited.
Key risks:
- Poor vendor security practices
- Lack of visibility into subcontractors
- Insecure APIs or integrations
What businesses should do:
- Perform due diligence: Assess vendors’ cyber maturity before onboarding. Ask for SOC 2 reports or ISO 27001 certification.
- Include security clauses in contracts: Require breach notification, data handling standards, and right-to-audit provisions.
- Limit access: Use least privilege principles for third-party integrations.
- Monitor continuously: Track vendor risk over time by creating a living inventory of third parties and classifying vendors by risk based on the sensitivity of the data they handle.
Tip: Create a vendor risk register and update it quarterly. Include cloud services, software providers, and outsourced IT support.
Quantum readiness: Preparing for the next cryptographic shift
Why it matters:
Quantum computing could break current encryption standards, making today’s secure data vulnerable tomorrow. While quantum threats aren’t imminent, preparation is essential - especially for sectors with long data lifecycles (e.g. healthcare, legal, government).
Key risks:
- Long-term data exposure (e.g., medical records, legal archives)
- Incompatibility with future cryptographic standards
- Vendor lock-in with non-quantum-safe solutions
What businesses should do:
- Inventory cryptographic assets: Identify where encryption is used - VPNs, TLS, email, backups.
- Engage vendors: Ask about their roadmap for quantum-safe algorithms (e.g., NIST-approved post-quantum cryptography).
- Avoid hardcoded cryptography: Use modular libraries that can be updated.
- Stay informed: Follow updates from NIST, ACSC, and industry groups on quantum readiness.
Tip: If you're in a regulated industry, start including quantum risk in your strategic risk register.
Final thoughts
Cyber security isn’t just a technical challenge - it’s a business imperative. By focusing on these four areas, Australian businesses can build a resilient, forward-looking cyber culture that protects data, reputation, and customer trust.