October marks Cyber Security Awareness Month 2025, and this year’s theme—Building Our Cyber Safe Culture—signals a shift in tone and urgency. Consistent reporting around the rise of state-sponsored cyber activities and new tactics being used to circumvent MFA seen across 2025 might already have executive leaders especially those that hold accountability for IT already questioning the extent to which their current managed IT services provider is across the changing threat landscape; this October is most certainly the moment to pause, reflect, and act.
A Strategic Shift in Cyber Defence: The ASD’s 2025 Pivot
This year, the Australian Signals Directorate (ASD) has made a decisive pivot in its cyber security guidance for businesses and organisations. In its Annual Cyber Threat Report 2024–2025, ASD’s Australian Cyber Security Centre (ACSC) moved beyond the foundational Essential Eight controls to spotlight four new priority actions:
- Best-practice event logging,
- Legacy technology replacement,
- Third-party risk management, and
- Quantum readiness.
This shift reflects the tectonic shifts reshaping the cyber threat landscape right now, as state-sponsored actors and financially motivated cybercriminals increasingly targeting Australian networks, supply chains, and critical infrastructure. With over 1,200 cyber incidents reported and the average cost of cybercrime for large businesses surging to $202,700—a staggering 219% increase from the previous year. the ASD’s new message is clear: organisations must now operate with an “assume compromise” mindset and elevate their cyber maturity well beyond the basics.
Are the Essential Eight really not enough?
The Essential Eight…are exactly that…ESSENTIAL, and at Maxsum, we have always supported the ASD’s position that the Essential Eight are a great start, but effective cyber security and resilience require choosing and implementing additional layers of protection and defence in alignment with a strategic framework, like the NIST CSF2.0, to proactively secure and defend your most valuable data and assets.
While traditional Essential Eight security measures like multi-factor authentication (MFA), regular backups, patching, and password hygiene remain essential, they are now considered baseline expectations— it is now expected that Australian organisations have the Essential Eight covered and understand that the represent a cost of doing business today.
What’s new in 2025 is a sharper focus on four new emerging priorities that demand executive attention and strategic investment in the year ahead. Let’s unpack each of this year’s four key themes in more detail.
1. Event Logging: Visibility is the First Line of Defence
“You can’t defend what you can’t see.” This year’s first recommendation is a call to action for organisations to implement best-practice event logging across their networks and systems.
Why it matters now:
- The ASD responded to over 1,200 cyber security incidents in FY2024–25—an 11% increase from the previous year.
- Without robust logging, threats move invisibly through systems, making detection and response nearly impossible.
- Automated platforms like SIEM and SOAR are powerful—but only if they’re properly configured, monitored, and maintained.
This is a wake-up call: Not least of all because this work is not typically the domain of your Managed IT Support provider, unless they also specialise in Managed Security.
As CEO, you need to seek clarity on the extent to which your MSP has event logging in place and move to activate effective, actionable event logging aligned with threat detection best practices.
2. Legacy Technology: The Hidden Risk in Your Infrastructure
Outdated hardware and software—often overlooked—pose a serious threat to organisational resilience.
Why it matters now:
- Legacy systems are often unsupported, unpatched, and extremely vulnerable to exploitation.
- The ASD urges organisations to replace legacy technology or implement appropriate mitigations.
- Legacy technology and OT equipment in particular likely falls outside the scope of services your MSP provides you with, meaning these devices may be unmapped, invisible to network scanning and monitoring tools.
This is not just a technical issue—it’s a strategic issue and a financial one. CIOs must lead the charge in this arena to start auditing legacy assets and working with their CFO to prioritise budget for replacements and interim mitigations like network segmentation.
3. Supply Chain and Third-Party Risk: Your Risk is Their Risk
Your cyber risk does not stop at your organisation’s digital perimeter. The third week of Cyber Security Awareness Month focuses on risks brought into your organisation without robust supply chain and third-party risk management.
Why it matters now:
- State-sponsored actors are increasingly targeting supply chains to gain access to sensitive data and critical infrastructure.
- A compromised supplier can lead to data theft, outages, and reputational damage.
- The ASD recommends choosing products and services that are secure by design and implementing Software Bills of Materials (SBOMs) to map dependencies and respond to vulnerabilities faster.
COOs should ensure that teams working on procurement and vendor management understand their role in managing your organisation’s cyber risk. Your question to them must be: Are we choosing products and services that are secure by design? And to your MSP, you need to be asking about vulnerability management across your supported software and third-party services.
4. Quantum Readiness: Preparing for the Next Cryptographic Frontier
The final focus area is quantum readiness—a forward-looking imperative that may feel abstract but is increasingly urgent.
Why it matters now:
- Cryptographically relevant quantum computers (CRQCs) WILL eventually break traditional encryption.
- The ASD urges organisations to adopt post-quantum cryptography to safeguard sensitive data and infrastructure.
- Transition planning must begin NOW to ensure operational continuity in the 2030s and beyond.
For CIOs, this is a strategic horizon issue. It’s time to engage with your IT provider on their roadmap for quantum-safe encryption and ensure your organisation isn’t left vulnerable when the quantum shift arrives.
The Bottom Line: Cyber resilience starts at the top and needs good answers to hard questions
Cyber Security Awareness Month 2025 is not just about team training and phishing simulations. It’s a call to action for executive leaders to reassess their cyber posture and planning with direct reference to emerging threats and evolving best practices.
If your current IT provider is just talking about MFA and antivirus, it’s time for you to ask tougher questions, and if necessary, find someone who can provide you with better answers…
- How do you manage event logging, legacy tech, and supply chain risk, and do you manage these for our environment too?
- What consideration have you given to quantum readiness?
- How can you help us build a cyber-safe culture—not just tick compliance boxes?
At Maxsum, we believe that cyber security is a strategic enabler, not just a technical necessity. We’re here to help you navigate the new frontiers of risk with confidence, clarity, and expert guidance.
