WORKPLACE RELATIONS

30 September 2025

October: Cyber Security Awareness Month

The theme for 2025 is ‘Building our cyber safe culture’.

In today’s digital economy, cyber threats are among the most significant risks businesses face. A single click on a malicious link or an overlooked update can open the door to costly data breaches, reputational damage and operational disruption.

That’s why cyber awareness is not just an IT issue—it’s a business survival issue.

Why cyber awareness matters for private practice

  • Financial impact: Average self-reported cost of cybercrime per report for businesses, down 8% overall:
    • small business: $49,600 (up 8%)
    • medium business: $62,800 (down 35%)
    • large business: $63,600 (down 11%)
  • Human error: Incidents commonly stem from clicking on phishing emails, misconfiguring systems, or weak password practices.
  • Regulatory pressure: Privacy laws and compliance requirements (Australia’s Privacy Act) make businesses legally accountable for protecting sensitive data.
  • Reputation: A breach erodes customer trust, sometimes permanently.

According to the Australian Cyber Security Sector, ‘Compared to FY2022–23, healthcare and social assistance rose to be the most frequently reported non-government sector’.

Annual Cyber Threat Report 2023-2024 | Cyber.gov.au

Common threats facing practices

  1. Phishing and business email compromise – Fake invoices, payroll redirection, and CEO fraud are on the rise.
  2. Ransomware attacks – Criminals encrypt files and demand payment to unlock them.
  3. Insider threats – Careless or disgruntled employees can unintentionally or deliberately expose systems.
  4. Weak access controls – Shared logins, reused passwords, or lack of MFA create easy entry points.
  5. Supply chain risks – A third-party vendor breach can quickly become your problem.

Worth noting: The Workplace Relations team has commonly heard of fake invoices being paid annually.

Practical cyber awareness habits for staff

  1. Stop and check before clicking – Hover over links, check sender details, and look for red flags in emails.
  2. Use strong, unique passwords – Avoid reusing work passwords on personal accounts. A suggestion would be to use a password manager.
  3. Enable multi-factor authentication (MFA) – Adds a powerful layer of security, especially for remote work and cloud tools.
  4. Lock devices – Never leave laptops or phones unattended in public spaces or unlocked at your desk.
  5. Update regularly – Install software and system patches promptly; don’t ignore update prompts.
  6. Be cautious with data – Only share confidential information through approved channels.
  7. Report incidents immediately – If you suspect something is wrong, follow your Incident Response Plan as early reporting can prevent escalation.

The rise of AI makes cyber threats more difficult for staff to detect because AI can automate and scale attacks, generate convincing phishing messages, and even mimic human behaviour to bypass detection. Unlike traditional cyber threats, AI-powered attacks adapt quickly, making them harder to predict or recognise. At the same time, users often lack awareness of how sophisticated these AI-driven tactics can be, leaving businesses and individuals more vulnerable.

Building a cyber-smart safe culture

  • Leadership commitment: Managers, doctors and owners should lead by example, making cyber security part of business strategy – not just IT.
  • Regular training: Annual workshops, simulated phishing exercises, and micro-learning modules help keep awareness fresh. Tools to start the conversation can be found at Cyber Security Awareness Month 2024 and Free privacy training.
  • Clear policies: Employees should know exactly what is expected – acceptable use, reporting processes, and consequences.
  • Incident response plan: A well-rehearsed, no-blame plan minimises damage when breaches occur, as everyone knows their role and responsibilities.

Final word for practices

Cybersecurity is not just about firewalls and antivirus software — it is about people. Employees are both the first line of defence and the most common entry point for attackers. By fostering cyber awareness across your practice, you strengthen resilience, protect your reputation and safeguard the trust of patients.

Awareness is the first step. 

Cyber Security Awareness Month 2025