“The biggest cyber threat to our country is actually indifference. People read about it, they worry about it, but they don’t act as a consequence.” – Rachel Noble, Former Director General, Australian Signals Directorate
When it comes to cyber security, Australia’s business culture still faces a fundamental challenge: indifference. Rachel Noble’s observation highlights an uncomfortable truth — many Australian organisations understand the risks, but too few act on them.
What Defines Australian Business Cyber Culture?
Cyber culture is more than awareness training or posters in the lunchroom. It reflects how leaders and staff think about risk, decision-making, and responsibility.
In Australia, cyber security is still too often treated as an awareness issue, not an action issue. Leaders acknowledge the risks: they nod, agree, even express concern, but then defer action to next quarter’s agenda or delay until there is “budget or time.”
This mindset is at the heart of our cyber culture problem.
A Simple Analogy: The Locks on Your Office
Consider this. At the end of each day, most businesses lock the office and go home, confident they will return tomorrow and use the same keys. Few would imagine that overnight every lock had been changed.
Yet this is how many trusted organisations operate digitally — unaware that access, control, and integrity may have shifted without their knowledge.
Are Australian Businesses Desensitised?
Part of the cultural challenge is signal versus noise. Large-scale data breaches dominate headlines, which can make smaller companies feel invisible: “We’re not a big target. We’re hidden in plain sight.”
This belief is misleading. Small and mid-sized organisations are frequent targets because they often lack the defences of larger enterprises, but still hold valuable data and critical systems.
Indifference is Not Neutral
Indifference is not passive. It is a cultural posture — one that costs businesses money, reputations, and, in some cases, their licence to operate.
Improving Australian business cyber culture requires a shift from awareness to action, from surface-level concern to genuine leadership.
Building a Stronger Cyber Culture
For organisations ready to take action, the cultural shift starts here:
- Treat cyber security as a business issue, not just a technical one
- Integrate cyber risk into governance, compliance, and strategy
- Move from awareness training to action-based accountability
- Test, rehearse, and review security controls regularly
- Seek external perspective when in-house resources are stretched