Why CEOs Still Ignore Cybersecurity After Breaches

In an era where data is one of a company’s most valuable assets, it’s astonishing that some of Australia’s largest organisations continue to leave gaping holes in their cybersecurity defences. The recent cyberattack on Qantas is yet another wake-up call, but will CEOs finally listen?

In early June, Qantas confirmed that sensitive frequent flyer data was accessed by attackers through a breach at one of its offshore call centre contractors in Manila.

Investigations suggest that poor security controls and insufficient oversight allowed cybercriminals to exploit known vulnerabilities in the vendor’s systems. A cyber security audit could have identified these weaknesses before they were exploited.

This breach follows a disturbing pattern. Just over the past two years, major companies like Optus, Medibank, and Latitude Financial have suffered devastating hacks, exposing millions of customers’ personal details (names, addresses, IDs, and even health records) to the dark web.

So why, even after these high-profile disasters, do boards and CEOs still seem unwilling to prioritise robust cybersecurity?

Short-Term Thinking and “Tick-Box” Compliance

Our Cybernetic Global Intelligence CEO, Mr. Ravin Prasad, says, “One reason is that many boards still treat cybersecurity as an IT problem rather than a core business risk.” Instead of embedding security into every layer of their operations and supply chains, they take a compliance-driven approach: ticking the boxes for audits and certifications but failing to invest in continuous threat monitoring, staff training, and incident response planning.

He reiterates, “Cyber risk should be on the same level as financial and reputational risk because, in reality, it is. But when a CEO sees cybersecurity only as a cost centre with no immediate ROI, it stays on the backburner until it’s too late.”

Cybernetic Global Intelligence, a certified cyber security consultant in Australia, emphasises the need to move beyond checklist compliance and build long-term resilience into the organisation’s digital framework.

A Culture of Complacency

Another factor is culture. Many leaders maintain the ‘it won’t happen to us’ mentality, even after experiencing breaches—often through third parties they failed to adequately vet. They rely on outdated legacy systems, underfunded security teams, and resist changing business processes that are convenient but insecure. Meanwhile, cybercriminals grow bolder and more sophisticated.

The result? Massive breaches that cause reputational damage, share price dips, regulatory fines, and loss of customer trust, often costing far more than proactive security ever would.

  • Customers Pay the Price

What’s worse, it’s customers who pay the ultimate price. Stolen data is sold on the dark web, used for identity theft, fraud, and blackmail. Victims often spend years cleaning up the mess with little recourse against the companies that have failed to protect them in the first place.

  • Third Parties Are the Weakest Link

The Qantas breach is a stark reminder that your cybersecurity is only as strong as your weakest link, and supply chains are often the softest targets. Outsourcing to offshore contractors may cut costs, but without robust oversight and clear security standards, it can open the door wide for attackers.

A thorough cyber security audit that includes vendor and third-party assessments can significantly reduce these risks.

  • Global Experts Still See Boardroom Gaps

This is not just an Australian problem. “We still see a worrying lack of focus on cybersecurity among CEOs and board members even during tabletop exercises and board meetings specifically designed to test an organisation’s readiness for a cyber incident,” said Mr. Ravin Prasad, CEO of a leading global and certified cybersecurity consultant in Australia.

He further states, “Too often, we see boardrooms treat these simulations as a one-off exercise instead of using them to drive real governance change. The gaps are obvious: lack of clear decision making, poor incident response protocols, and no accountability for third-party risks. It’s the same pattern, again and again.”

  • Regulators May Step In

After the Optus and Medibank breaches, the Australian government signalled tougher penalties for companies that fail to adequately safeguard customer data. However, enforcement has been slow to catch up. Without stronger consequences for negligence, some executives will continue to gamble with people’s personal information.

  • Boards Must Work with Trusted Experts

It’s clear that CEOs and boards need to focus on cybersecurity within their businesses, and they must do so in partnership with trusted cybersecurity consulting firms that bring qualified, independent expertise.

Relying on under-resourced internal teams alone is no longer enough. Modern threats require a multi-layered, constantly evolving approach guided by professionals who live and breathe cyber risk.

And here’s the uncomfortable truth: CEOs and boards must understand that apologising to customers after a breach is not a sign of leadership; it’s an admission that your company cannot be trusted to handle and secure customer data.

That trust, once broken, is incredibly hard to rebuild.

Time for Boards to Wake Up

Cybersecurity can no longer be seen as optional or delegated to the IT department alone. It requires ongoing investment, independent oversight, and a board-level mindset shift that recognises cyber resilience as a critical part of business sustainability.

For Qantas passengers, the recent hack is a stark reminder that trust in a brand means little if it doesn’t translate into action.

For every CEO, it’s a signal. When it comes to protecting your customers, ignorance is not a defence and complacency is not an option.

Get in touch with us for a cyber security audit, and keep your company information safe.
