Human error accounts for 37% of all data breaches in Australia, and phishing is the leading cause of malicious or criminal attacks [1]. With more digitised operations, the 'gate' to sensitive data is no longer protected by just a firewall, but by the collective awareness of the people using the system.

From misplaced clicks to weak password habits or blurred boundaries between work and personal devices, everyday actions by staff remain an important part of avoiding cyber incidents.

Why employee-led cyber risk prevention matters

Businesses across Australia continue to face an increase in criminal cyber activity. Common entry points for attackers are phishing, credential theft and unauthorised access. These threats often begin with a human action, such as clicking a link, reusing a password or overlooking a protocol.

When employee awareness is low or controls are unclear, small mistakes can escalate quickly into operational disruption, data exposure, financial loss and reputational damage.

According to the Australian Signals Directorate (ASD), robust personnel security guidelines are the foundation of a secure environment. This ensures that every individual who accesses your systems understands their responsibilities.

Key risks to address internally:

  • Phishing and social engineering: Phishers exploit human psychology, creating a sense of urgency to trick staff into revealing credentials.
  • The 'shadow IT' trap: Blurring of lines between professional and personal device usage introduces vulnerabilities. When employees use unapproved software or personal devices for business tasks, they bypass the company's security perimeter.
  • Software lifecycle risks: For example, Windows 10 is reaching the end of its lifecycle and in such situations, businesses stop receiving critical security patches, which creates gaps for cyber criminals to exploit.

Common risk exposures driven by everyday activity

  • Phishing emails that appear legitimate and prompt users to click links or share credentials.
  • Poor access management, including shared logins or excessive permissions.
  • Unsecured personal devices used for work purposes without adequate protection.
  • Outdated operating systems or software, increasing vulnerability to known exploits.
  • Credential reuse, where the same passwords are used across business and personal platforms.

Employees are protectors, not weak links

When employees understand how cyber threats work and why controls exist, they are better placed to recognise warning signs and act early. Spotting suspicious emails, questioning unexpected requests for information, managing access responsibly and escalating concerns before damage occurs are key elements of a solid human cyber firewall.

Guidance from the ASD highlights the importance of personnel security controls, including user awareness, separation of duties and controlled access to systems based on role and necessity [2]. These principles are increasingly relevant for organisations operating hybrid or flexible work environments.

Managing and protecting access

Businesses benefit from clearly defining who can access what and why. Key measures include:

  • Applying least-privilege access so staff only see systems relevant to their role
  • Regularly reviewing user permissions, particularly following role changes or departures
  • Enforcing strong authentication practices, including multi-factor authentication
  • Separating professional and personal system use to reduce cross-contamination risk.

Well-managed access controls reduce the impact of compromised accounts.

The role of training and education

One-off cyber awareness sessions rarely change behaviour. Effective programs are ongoing, relevant and practical.

Training works best when it:

  • Reflects real-world scenarios employees are likely to encounter
  • Explains the business impact of cyber incidents, not just the technical details
  • Reinforces clear reporting pathways for suspicious activity
  • Evolves as threats change.

Regular refreshers help keep cyber risk visible, particularly as attackers adapt their tactics. Importantly, training also supports a culture where staff feel confident reporting concerns early, rather than worrying about blame.

The 'human firewall' in action

Sarah, an employee, receives an 'urgent' email from the CEO requesting immediate action for a project. She notices that, while the name says 'CEO,' the actual email address has a single-letter misspelling. Sarah relies on her security training. Instead of replying, she follows the 'Pause and Verify' protocol.
Sarah recognises the artificial urgency and unusual process and uses a separate, verified channel — a direct internal chat message — to the CEO's executive assistant. The assistant quickly confirms that the CEO has not requested any action from her. Sarah immediately flags the email using the company's 'Report Phishing' tool.
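The scenario above turns on two observable signals: a sender address that is a near-miss of the real company domain, and artificial urgency in the message. The following Python script is an added illustration (not Gallagher's 'Report Phishing' tool, nor any product described on this page) of how a mail gateway or a reporting workflow could surface those same signals automatically. The company domain, executive titles, urgency phrases and sample headers are all constructed for the example.

```python
"""Lookalike-sender and urgency triage for inbound mail headers.

Added example only. It demonstrates the 'Pause and Verify' checks described
in the scenario: is the sender domain a one- or two-character misspelling of
our own domain, does the display name claim an executive while the address
is external, and does the text lean on urgency?
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # constructed: the organisation's real domain
EXECUTIVE_TITLES = ("ceo", "chief", "director", "cfo")  # constructed watch-list
URGENCY_MARKERS = ("urgent", "immediately", "asap", "right away", "wire", "gift card")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain part of a From: header, or '' if absent."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header.

    A domain within edit distance 2 of the company domain is treated as a
    lookalike; that threshold catches single-letter swaps such as rn for m
    or 0 for o, which are the misspellings the scenario describes.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "external"  # unparsable address: never treat as trusted
    if domain == company_domain:
        return "internal"
    if levenshtein(domain, company_domain) <= 2:
        return "lookalike"
    return "external"


def urgency_flags(text: str) -> list:
    """Return the urgency phrases present in the text, in watch-list order."""
    lowered = text.lower()
    return [marker for marker in URGENCY_MARKERS if marker in lowered]


def triage(from_header: str, subject: str, body: str) -> list:
    """Combine the signals into a list of flags a reviewer can act on."""
    flags = []
    kind = classify_sender(from_header)
    if kind == "lookalike":
        flags.append("lookalike-domain")
    name, _ = parseaddr(from_header)
    if kind != "internal" and any(t in name.lower() for t in EXECUTIVE_TITLES):
        flags.append("executive-name-external-address")
    flags.extend("urgency:" + m for m in urgency_flags(subject + " " + body))
    return flags


# Constructed sample messages, modelled on the scenario in the text.
SAMPLES = [
    ("CEO Jane Smith <jane.smith@exarnple-corp.com>",  # rn instead of m
     "URGENT: project action needed",
     "Please action this immediately and confirm."),
    ("Jane Smith <jane.smith@example-corp.com>",
     "Project update",
     "Slides attached for Thursday."),
    ("CEO <ceo@mailbox-free.example>",
     "Quick favour",
     "Can you buy gift cards for the team? Reply ASAP."),
]

if __name__ == "__main__":
    for header, subject, body in SAMPLES:
        print(f"{header!r}: {classify_sender(header)} {triage(header, subject, body)}")
```

The edit-distance threshold is deliberately small: a wide threshold would flag unrelated partner domains as lookalikes and train staff to ignore the warning. In a real deployment the watch-list of executive names would come from the directory rather than a hard-coded tuple, and a 'lookalike-domain' hit would route the message to the reporting queue rather than silently dropping it, so the reviewer keeps the evidence.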

Planning for incidents before they happen

Even with strong controls, cyber incidents can still occur. Preparation determines how well an organisation responds.

Incident response planning clarifies roles, responsibilities and decision-making during an incident. It also reduces confusion during high-pressure situations, enabling faster containment and recovery.

From an employee perspective, this includes knowing:

  • How to report suspected incidents
  • Who is responsible for escalation and external communication
  • What immediate actions to take to limit damage.

Testing these plans through tabletop exercises or simulations can highlight gaps and strengthen readiness.

How insurance supports cyber security

Cyber insurance plays a broader role than post-incident financial support. For many Australian businesses, standalone cyber insurance provides access to specialist expertise that supports prevention, preparedness and response.

This can include proactive services such as:

  • Device and vulnerability scanning
  • Dark web monitoring for compromised credentials
  • Threat intelligence and monitoring
  • Incident response planning support.

These services complement internal controls and employee training, helping organisations identify risks earlier and strengthen defences over time.

How Gallagher can help businesses build cyber resilience

Gallagher works with businesses to understand their cyber risk profile in context — across people, processes and technology. Through risk management, crisis planning and cyber insurance solutions, Gallagher supports businesses in building resilience rather than reacting under pressure. Access to cyber specialists and response resources can be particularly valuable for organisations without dedicated internal cyber teams.

For more details on Gallagher's full range of cyber risk management services, get in touch with our adviser.


Sources

[1] Kind, Carly. "Latest Notifiable Data Breach statistics for January to June 2025," Australian Government, 4 Nov 2025.

[2] "Guidelines for personnel security," Australian Government, 4 Dec 2025.


Disclaimer

Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312