#NSBCS.131 - Compliance gets you in the room. Culture keeps you safe.


Our Cyber Associate, Mark Gallagher, shares his perspective on why compliance is only the starting point, and why building a genuine security culture is what truly strengthens cyber resilience.

Why I Care About This

I've worked hands-on in cybersecurity for nearly six years. Currently I work as a DFIR consultant here at NSB Cyber, leading clients through live incidents from the first scoping call, right through to recovery and lessons learned. The job demands composure under pressure, genuine curiosity, and, most importantly, the ability to support people through one of the worst moments of their working lives. That last part requires empathy. Empathy for people who have been forced to learn the hard way.

The most meaningful part of my job isn't containment or remediation. It's the conversation afterwards, helping a client understand what actually happened and why. That takes patience, clear communication, and the ability to turn complex technical detail into something a non-technical audience can genuinely understand. Business email compromise cases are a particularly rewarding part of that. I love helping clients find the confidence to share their story openly. A story told with humility is one of the most powerful awareness tools we have, often leaving a far greater impact than any slide deck ever could.

The stats around the human element are staggering. Most industry research places human involvement as a contributing factor in somewhere between 70% and 90% of breaches. I don't share figures like that to scare people. I share them to make a point about importance. Security teams are the last line of defence. Staff are the first.

What Actually Moves the Needle

I've built phishing simulation programmes based on real attacks targeting staff at organisations I've worked with. Reading the metrics that come back is genuinely fascinating. One of my favourite findings was a sharp spike in click rates between 1 PM and 2 PM. Staff returning from lunch, maybe a bit sluggish, maybe buried under a workload they haven't had a chance to breathe through yet. That single data point opened up a much bigger conversation about staff wellbeing, one that had nothing to do with firewalls or filters.

That's the part most companies miss. I've sat through mandatory training modules myself, and being honest, a lot of it is lifeless. Generic, drab, built for compliance rather than behaviour change. Staff click through to the next slide just to finish it. On the other end, a compliance box gets ticked. Nothing actually changes in how anyone thinks or behaves.

According to Verizon's 2024 Data Breach Investigations Report, the median time for someone to fall for a phishing email is less than 60 seconds. Sixty seconds. No generic e-learning module closes that gap. What closes it is training that's tailored to the actual threat profile of the person sitting in front of the screen. An accounts payable analyst faces a different threat landscape to a software developer, who faces a different one again to a C-suite exec. Attackers already know this. Yet generic mandatory cyber awareness training rarely reflects it.

The Culture Threat Actors Actually Fear

I've had the privilege of speaking to large groups of staff, including senior leadership, about all of this. The goal was never to frighten anyone. It was to stimulate genuine thinking. To get people to realise the security team isn't a wall between the business and attackers but instead the last line of defence. Everyone else is the first. When that idea actually lands, the culture shifts. People start talking to each other about a strange email before they even think to forward it to IT. That organic spread is worth more than any training completion percentage on a dashboard.

This matters even more for organisations sitting on large volumes of customer data. That data is gold to threat actors, and a ransomware event isn't just a financial hit, it's a reputational one. Companies pay ransoms to avoid a PR crisis, even knowing the data might leak anyway. That pressure exists because attackers understand the full business context they're exploiting, not just the technical one.

Multi-factor authentication, email filtering, endpoint detection, conditional access policies. All of it matters, and none of it is the full answer. A well-built social engineering attempt is specifically designed to slip past those controls and land on the one moment a person isn't paying attention. The technical stack and the human layer have to move together.

What threat actors fear most isn't another tool. It's a workforce that's genuinely switched on. Not from fear, but from confidence. People who feel empowered to pause, question, and verify before they act. That kind of culture doesn't come from a module completed once a year to satisfy an audit. It comes from investment, real investment, in training that's relevant, leadership that takes it seriously, and a workplace where people feel like participants in security rather than a checkbox standing between the business and a compliance certificate.

That is what NSB Cyber exists to do. Through tabletop exercises, tailored awareness training, and cyber threat intelligence that tells you who is targeting you and why, we help organisations build a security culture that holds up under real pressure. And when something does go wrong, our incident response and recovery services make sure you are not just getting back on your feet but understanding exactly what happened and how to make sure it never happens the same way twice. Pre-incident or post-incident, we are in your corner.

Compliance is the floor. Not the finish line.

#NoStepBackward


What we read this week

  • Majority of Australian Banks Still Lack Strongest Email Protection, Proofpoint Warns - Proofpoint's analysis of 78 APRA-authorised banks found 59 per cent are not using DMARC's strongest 'reject' setting, which blocks spoofed emails outright. Only 41 per cent have reached reject-level protection, up from 22 per cent in 2023, while 18 per cent have no DMARC record at all. Proofpoint notes that even AI-generated phishing still relies on tricking a person, making authentication controls and phishing-resistant MFA foundational rather than optional.

  • Auditor-General's Report Reveals Dangerous Gaps in Third-Party Security in NSW Public Schools - A NSW Audit Office review found 98 per cent of public schools rely on three third-party platforms for student data, yet the Department of Education did not treat these as critical assets until early 2026. The audit found inconsistent access controls and cases where staff retained data access after leaving a school. This follows closely on the Instructure/Canvas breach, which hit student data across Australian education providers via ShinyHunters.

  • Chinese Open-Source Toolkit Powers Scam Surge Spilling Into Australian Business Networks - Infoblox Threat Intel has linked the Chinese DCloud Uni-App framework to over 236,000 scam domains, including fake crypto exchanges and investment schemes. One active operation, Yuechi Sharing Technology, is currently targeting Australia, New Zealand, and the US via a bike-sharing investment lure. Infoblox recorded over five million attempted connections from 985 organisations, arriving via employees' personal devices rather than direct network attacks.

  • KDDI Breach Exposes Up to 14.22 Million Email Credentials Across Six Japanese ISPs - KDDI has disclosed that an attacker exploited a third-party software flaw in its shared email infrastructure, potentially exposing credentials for up to 14.22 million accounts across six ISPs, including J:COM and Nifty. The intrusion was detected on 17 June and reported to Japan's privacy regulator. Some passwords were hashed, though KDDI hasn't disclosed what proportion, leaving credential risk uncertain.

  • Progress Kemp LoadMaster Critical Flaw Allows Unauthenticated Root Command Execution - A critical flaw in Progress Kemp LoadMaster, CVE-2026-8037 (CVSS 9.8), allows unauthenticated attackers to execute commands as root via a crafted API request. Progress patched it on 4 June with no known exploitation at the time, but watchTowr Labs published a full exploit write-up on 29 June, raising active risk. Organisations running LoadMaster with the API enabled should patch immediately.
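The Proofpoint item above turns on the difference between a DMARC record that is missing, one that only monitors (p=none), one that quarantines, and one that rejects spoofed mail outright. The following is an added example, not code from the article or from Proofpoint, that classifies DMARC TXT records into those levels; the domain names and records are constructed for illustration, and real lookups would need to fetch the TXT record at _dmarc.<domain> via DNS.

```python
# Constructed sample TXT records (not from the article): one per policy level
# the survey distinguishes, plus a domain with no record at all (None).
SAMPLE_RECORDS = {
    "bank-reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-reject.example",
    "bank-quarantine.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@bank-quarantine.example",
    "bank-none.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-none.example",
    "bank-missing.example": None,
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into lowercase tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt):
    """Return 'missing', 'invalid', 'none', 'quarantine', 'reject' or
    'partial-reject'. Only p=reject applied to 100% of mail (pct defaults
    to 100) is the 'strongest' setting the Proofpoint survey refers to."""
    if txt is None:
        return "missing"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    pct = tags.get("pct", "100")
    if not pct.isdigit():
        return "invalid"
    if policy == "reject" and int(pct) < 100:
        return "partial-reject"  # reject, but only sampled onto some mail
    return policy


def summarise(records):
    """Count domains per policy level, the shape of the survey headline."""
    counts = {}
    for txt in records.values():
        level = classify_dmarc(txt)
        counts[level] = counts.get(level, 0) + 1
    return counts
```

Anything other than a full-strength reject result is a domain whose name can still be spoofed in a phishing lure, which is why the item treats authentication controls as foundational.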
