Welcome to 2025!
2024 was a busy year in the cyber realm, with 2025 already shaping up to be more of the same. With that in mind, Ionize is pleased to provide this overview of key cyber developments as 2025 begins.
Some of the key changes in the legislative and regulatory landscape that were paved in 2024 and will dominate 2025 include:
- Cyber Security Act 2024 – This legislation introduced several key measures requiring action, including:
  - the now mandatory ransomware payment reporting requirement for businesses paying a ransom during a cyber incident; such payments must be reported to the Department of Home Affairs;
  - a limited use exception which prevents information voluntarily provided to certain Government departments from being used for enforcement purposes. This is designed to encourage enhanced cooperation between industry and Government during cyber incidents;
  - mandatory Smart Device Security Standards for internet-connected devices to reduce vulnerabilities; and
  - coordination of significant cyber incidents by the National Cyber Security Coordinator (NCSC).
- Privacy Act amendments introduced stricter data protection measures, including:
  - a statutory tort for serious invasions of privacy where the conduct was intentional or reckless;
  - the introduction of a criminal offence for doxing; and
  - eligible data breach declarations and information sharing.
- For organisations operating critical infrastructure, Security of Critical Infrastructure Act amendments broadened the definition of critical infrastructure to include data storage systems tied to critical assets. The amendments also expanded the Government’s ability to intervene during severe incidents, to:
  - increase Government powers to manage the consequences of incidents;
  - enable Government to direct entities to address serious deficiencies in their risk management programs; and
  - simplify information sharing across industry and Government.
- For organisations servicing the Australian Government, the Australian Government Information Security Manual (ISM) changes of December 2024 focused on:
  - maintaining an organisational system register;
  - handling malicious software safely;
  - expanding security controls to non-classified systems;
  - expanding logging and monitoring requirements; and
  - updates to cryptographic algorithms and key sizes.
- Further to the ISM changes, changes to the Protective Security Policy Framework (PSPF) were released on 1 November 2024:
  - the most significant change to the PSPF is the move away from Maturity Levels back to a compliance-based framework, changing recommended guidance into mandatory compliance activities; and
  - the number of policies has been expanded from 16 to 25 and the number of controls from 60 to 211. However, rather than a significant expansion of responsibilities, controls and requirements, certain domains and policies have been split to enhance clarity and to refine compliance activities.
- For organisations servicing Defence, the Defence Industry Security Program (DISP) flagged changes to uplift the Essential 8 requirement from Maturity Level 1 to Maturity Level 2. These changes require a significant technology and process uplift.
In the operational cyber context, Australia continues to be targeted by very active issue-motivated cyber threat groups such as RipperSec, DXPLOIT and many others. Further to this, Australia (through the ACSC) and our Five Eyes partners attributed supply chain and living-off-the-land cyber-attacks to Russia and the PRC respectively, indicating a growing concern about coordinated cyber-attacks against Australian interests and Western democracies more broadly. During 2024 the Ionize Hunting Analysis and Warning Centre (HAWC), through our 24x7 eyes-on-glass monitoring, provided frequent unsolicited notifications to clients and partners of threat actor activity and the criminal intent behind it.
We have seen the most common cyber-attack method continue to be compromised account credentials for both government and critical infrastructure organisations, while email compromise was the most common attack vector for business. HAWC has observed the constant evolution of phishing vectors and techniques as the initial point of compromise, whether through direct code execution or theft of credentials.
The self-reported cost of cybercrime for 2024 was:
- small business: $49,600
- medium business: $62,800
- large business: $63,600.
Ionize’s incident response experience indicates that these numbers are understated and probably represent only the direct response to the incidents, not the ongoing remedial actions required, the cost of which is often significantly higher.
In short, the legislative and regulatory environment is responding to the increasing cyber threat level, requiring organisations to uplift their cyber resilience and paving the way for the Federal Government to intervene when required. Addressing the legislative, regulatory and operational cyber controls has now become the base cost of doing business.
Please contact us if you’d like to discuss any aspect of these changes in the cyber domain. Our team would be pleased to delve deeper into those facets and issues that are of most concern to your organisation and what clear actions can be taken to reduce the risk of a cyber incident.
We look forward to supporting you through 2025 and beyond.