#NSBCS.066 - Your North Star for Cyber Security: Why Understanding Risk Should Come First

Source: NSB Cyber


When it comes to cyber security or business strategy more broadly, it’s easy to get lost in highly technical controls, complex implementations, and day-to-day decisions. Endpoint detection, logging and monitoring, threat intelligence feeds - there’s always another layer of security to consider.

But before throwing tools and policies at the problem, take a step back. The North Star of any cyber security strategy should be a fundamental question: What are our risks, and how do we manage them effectively?

Know Your Risk

Before an organisation can build an effective cyber security strategy, it should first understand its risk profile and risk appetite, which can only be done through conducting a proper risk assessment.

This means looking at:

  • The type of data you hold

  • Your regulatory requirements

  • The systems you use and how they interact

  • Your risk appetite

A local bakery that emails suppliers and takes online orders from customers has a completely different risk landscape from an APRA-regulated financial services firm, or from a multinational insurer that is heavily reliant on technology and manages compliance across multiple regions. Think of it like this: if you were designing a physical security system for a bank, you wouldn’t install the same level of protection as you would for that local bakery. Both have assets to protect, but the risks and requirements are completely different.

Fit-for-Purpose Security

Understanding your risk profile and appetite allows for a fit-for-purpose cyber security approach. The local bakery might only need basic controls - strong passwords and MFA on the accounts used to order supplies, and regular operating system updates on its computers. It might consider a penetration test if it ran a custom-built platform for taking online orders. These controls could be enough to make it highly secure within its risk environment.

But if that same approach were applied to a financial services firm, it would likely fall short. A company handling sensitive customer financial data that is regulated by APRA likely needs some element of cyber security governance, access control mechanisms, ongoing system monitoring, and incident response plans. Similarly, a medium-sized financial firm might not require the enterprise-grade security stack that a multinational insurer may need, but depending on its customer base and the sensitivity of the data it holds, it could still need more rigorous controls than other firms of a similar size.

Without understanding risk exposure, organisations may underinvest in security, leaving gaps that could lead to breaches, or over-invest in controls that add little value, wasting time and resources. A tailored, risk-based approach will always be stronger than a one-size-fits-all solution. By using risk as the North Star of your cyber security strategy, businesses can build an effective and proportionate programme, ensuring operations remain secure without unnecessary complexity.


What we read this week

  • Sydney-Based Brydens Lawyers Cyber Breached: 600GB Leaked - Brydens Lawyers, a major Sydney-based law firm, disclosed a cyber incident from late February 2025 that resulted in unauthorised access to data on its servers. Principal Lee Hagipantelis confirmed the breach and said the firm has informed the Australian Cyber Security Centre and the OAIC and has enlisted specialist advisers. According to reports, over 600GB of case, client, and staff information was stolen, and a threat actor is demanding a ransom. Though no ransomware group has publicly claimed responsibility, Brydens stated that it has restored the security of its systems and will notify affected individuals once the investigation is complete.

  • Australia Among Top 10 Targets in Ransomware Attack Surge - Ransomware attacks spiked 126% year-over-year last month, with 962 victims globally, according to Bitdefender’s latest report. Clop (Cl0p) alone claimed 335 attacks, exploiting critical vulnerabilities like CVE-2024-50623 and CVE-2024-55956 in Cleo file transfer software. Australia was the sixth most targeted country and saw a 12-fold rise in compromised accounts last year. Attackers increasingly focus on newly disclosed vulnerabilities with remote code execution potential and proof-of-concept exploits, scanning for weaknesses within hours of publication. Surfshark found 47 million Australian accounts were breached in 2024, highlighting the severity of ransomware’s shifting tactics.

  • RansomHub Targets US Agencies Using SocGholish - RansomHub is harnessing SocGholish (aka FakeUpdates) to deliver ransomware in multi-stage attacks, Trend Micro warns. Active since 2024 and tied to over 200 victims, including Change Healthcare and Rite Aid, RansomHub now targets US government entities. SocGholish uses a network of 2,500 compromised WordPress sites, redirecting victims via the Keitaro traffic distribution system to fake software updates. A malicious JavaScript loader then drops Python-based backdoors for data exfiltration. Domain shadowing further conceals malicious subdomains under trusted domains, bypassing security filters. By compromising known sites, attackers lower user vigilance, making these threats especially dangerous.

  • GitHub Supply Chain Attack Exposes Secrets in 23K Repositories - A malicious commit to the widely used tj-actions/changed-files GitHub Action compromised secrets in over 23,000 repositories, StepSecurity reports. Tracked as CVE-2025-30066, the attack allowed remote actors to read CI/CD logs, exposing AWS keys, GitHub personal access tokens, and private RSA keys. Wiz Threat Research identified dozens of affected repositories, including those belonging to large organisations. Though the malicious update was quickly removed, experts warn of persistent risks, given the widespread adoption of open-source components. Organisations are urged to audit their pipelines, revoke compromised secrets, and implement real-time CI/CD security monitoring to prevent further damage.

  • Attackers Exploit CVE-2024-4577 in PHP: Crypto Miners, Quasar RAT Observed - Threat actors are abusing CVE-2024-4577, an argument injection flaw in PHP on Windows CGI environments, to deliver remote access trojans like Quasar RAT and deploy cryptocurrency miners such as XMRig and Nicehash. Bitdefender reports an uptick in global exploitation attempts, with Taiwan (54.65%), Hong Kong (27.06%), and Brazil (16.39%) hardest hit. Notably, some attacks even modify firewall settings to block competing cryptojacking groups. Cisco Talos researchers have also observed campaigns targeting Japanese organisations. Experts recommend updating PHP installations and restricting built-in Windows tools like PowerShell. By patching promptly, organisations can mitigate these stealthy, lucrative attacks.
