Cyber Security
August 5, 2025

VITD ISO Quarterly Review – July 2025

As an ISO 27001–accredited company, The Virtual IT Department (VITD) is committed to maintaining the highest standards in information security. This includes conducting regular, thorough reviews of the evolving regulatory landscape.

We believe the insights we gather for our own operations can also be incredibly valuable for your business. That’s why we’ve turned our latest quarterly regulatory review into a concise summary of the most critical changes and trends in cybersecurity and data management, and how they might affect your organisation’s risk profile.

We hope this report offers practical value as you navigate today’s complex digital environment.

Understanding the Evolving Cyber Landscape: What You Need to Know

The past few months have brought significant changes to Australia’s legal and regulatory environment concerning cybersecurity and data privacy. These updates are designed to strengthen protections for businesses and individuals, but they also place greater responsibility on organisations to manage their digital risks effectively.

1. Stricter Privacy Laws and Accountability

Australia’s Privacy Act has been updated to explicitly state that protecting personal information requires not just policies, but concrete technical and organisational measures. This means your IT systems and internal processes must actively safeguard data.

The Office of the Australian Information Commissioner (OAIC) now has:

  • New powers to issue fines and compliance notices
  • Provisions allowing individuals to take legal action for serious privacy invasions

Example: In May 2025, the OAIC ruled against Regional Australia Bank, awarding compensation for failing to take "reasonable steps" to protect personal information. This demonstrates that even isolated privacy breaches can lead to tangible financial penalties.

Key Learning: It’s no longer enough to claim you protect data. You must demonstrably do so with robust systems and processes.

2. Mandatory Ransomware Reporting is Here

From 30 May 2025, if your business has an annual turnover of over $3 million or is part of Australia’s critical infrastructure, you are legally required to report any ransomware payments to the Australian Signals Directorate (ASD) within 72 hours.

Example: Recent ransomware attacks have affected businesses from Skeggs Goldstien (financial services) to Brydens Lawyers (legal sector), often involving the theft and threatened release of sensitive data.

Key Learning: Proactive preparation for ransomware incidents, including a clear response plan and reporting procedures, is now a legal necessity, not just an IT best practice.

3. Increased Scrutiny on Cybersecurity Practices

Recent legal cases, such as ASIC’s proceedings against FIIG Securities (March 2025), are setting new benchmarks for how often and how thoroughly businesses must implement cybersecurity controls. This includes:

  • Daily monitoring of security software
  • Regular patching
  • Frequent reviews of security logs

Example: In the FIIG case, ASIC highlighted alleged failures to detect a cyber intrusion and delays in investigation, indicating that adequate measures could have enabled earlier detection.

Key Learning: Regulators and courts now expect concrete, regular, and demonstrable cybersecurity activities, not just written policies.

4. The Supply Chain is a Major Risk

A significant number of data breaches in Australia and worldwide have originated from third-party vendor vulnerabilities. Even if your internal security is strong, your partners’ weaknesses can expose you.

Example:

  • Hertz reported customer data theft via one of its vendors (April 2025)
  • Hexicor, an Australian IT services firm, was hit by ransomware, exposing customer data and digital certificates

Key Learning: Your cybersecurity posture is only as strong as your weakest link in the supply chain.

Strategic Questions for Your Organisation

These are the questions we recommend discussing with your leadership, HR, and technical teams:

Strategic/Governance

  • How do our board and executive committee ensure they are adequately informed about, and accountable for, our cybersecurity posture and evolving legal obligations?
  • Are our current investments aligned with rising regulatory expectations and the sophisticated nature of today’s cyber threats?
  • What is our strategy for managing supply chain and third-party vendor cyber risks?

HR Practices

  • Are employees receiving regular, up-to-date cybersecurity awareness training that covers the latest threats like phishing and social engineering, and are we tracking its effectiveness?
  • Do staff understand their role in reporting incidents, including the new mandatory ransomware reporting requirements?

Technical: For your IT Manager

  • Is our Endpoint Detection and Response (EDR) software being monitored daily?
  • Are critical patches and updates applied within one month of release, in line with regulatory expectations?

Next Steps: Let’s Keep the Conversation Going

If this summary raises questions for your business, or if you’d like to assess your current risk exposure and compliance status, we’re here to help.

We can walk you through your current security posture and outline practical steps to strengthen your compliance in light of these changes.

Thanks again for trusting The Virtual IT Department as your IT partner, helping you stay secure, informed, and ahead of the curve.
