
Exclusive: Cyber expert Louise Hanna warns education, proactive strategies lacking
Cybersecurity expert Louise Hanna is warning that a combination of education and proactive strategies is "seriously lacking" at several Australian organisations.
With over 25 years in IT and cybersecurity, Hanna has witnessed the industry evolve at breakneck speed.
Following her keynote at the AUSCERT 2025 Cyber Security Conference on Australia's Gold Coast, she sat down with TechDay to discuss how organisations can protect themselves in an era of rapid digital change.
As Chief Executive of Excite Cyber, Hanna emphasised the need for both caution and planning in the face of hype-driven adoption of emerging technologies.
"Everybody's jumping into AI, not really understanding that there are risks around it," she explained.
"I've been telling everybody, sit back, because now there are frameworks that can help make AI secure when implemented into your organisation."
Hanna's career includes a pivotal tenure at New South Wales Parliament, where she learned to communicate cybersecurity needs in a language non-technical decision-makers could understand.
"The biggest lesson I learned was getting people that are non-technical to understand why you need to spend money on security," she explained. "I'm great with executives because I can bring the technical speak down to business speak."
In today's threat landscape, a strong incident response plan needs both traditional reactive methods and modern proactive strategies. "They rely on each other," she said. "The proactive stuff lessens your risk, but you still need to be ready if something happens."
According to Hanna, that readiness must also extend beyond IT teams.
"Executives need to know their role when an incident happens," Hanna said.
"It's about communication. Look at the Optus breach for example - nobody knew what to do, and Optus didn't tell them. People were panicking."
Hanna recalled the day she was flooded with phone calls following the breach.
"I got 100 phone calls - 'They've got my driver's licence, my passport details, what do I do?'" she said. Her advice was clear and immediate: contact IDCare, and change your email login credentials.
"Once someone has your email login, your identity can be used for anything," she explained.
She shared one example of identity theft that led to dozens of fraudulent mobile accounts being set up, which were later linked to organised crime.
"Drug dealers in Australia need mobile phones to be in someone else's name. That's why they steal identities."
Detecting threats early remains one of the industry's biggest challenges. "If you have something like threat hunting or a SIEM that can detect anomalies in your network, then ransomware can't sit there for months," she said.
"It used to be that small businesses couldn't afford that tech, but now it's available as a managed service and it's very affordable."
Despite growing risks, Hanna believes many Australian organisations still do not understand the danger posed by supply chain attacks. "No, they don't grasp the risk," she said. "Executives often don't want to spend money on something they can't see. It all comes down to education."
She pointed to the Optus breach once again, revealing she was among those affected—despite having left the company 20 years earlier. "They didn't need to keep that data," she said. "That's the kind of awareness companies need to adopt."
For smaller organisations developing incident response plans, Hanna suggests starting with established frameworks such as NIST. "Have a go yourself, then get a professional to refine it. Testing it is how you see if it works," she said.
She recalled working with a Sydney boarding school. "Once we did the incident response test, we realised the plan needed to be changed. That's how you build confidence," she said.
Even seemingly harmless uses of AI tools can expose organisations to risk. Hanna highlighted the importance of staff education, particularly around generative tools like ChatGPT. "If you're using it, make sure there is no confidential information going into your request," she said.
"A friend of mine typed in loads of info about herself, then I asked ChatGPT what it knew about her—and it spat it all out. You have to be careful. Once it's in there, it's out there."
When it comes to operational technology (OT), Hanna said the stakes are higher and often misunderstood. "IT is your data, your emails, your systems. OT is CCTV, lifts, power grids - hardware that's connected to your network. And it's often neglected."
She shared an alarming story from her time as head of IT at Parliament House, about 15 years ago. "The building services team had installed a modem and ADSL line into one of our computers without IT's knowledge," she said. "They were managing the power and lift systems, but they had full access to the entire parliamentary network."
She quickly shut the access down, installed a firewall, and secured the connection. "It took a few days to buy the right hardware, but the fix itself wasn't hard. They just hadn't thought about the risk."
CCTV systems posed another risk. "The security team had put IP addresses on Dymo labels stuck to the top of cameras," she said. "Anyone with basic knowledge could have accessed the building's live feed from a browser."
The reaction at the time was largely indifferent. "They didn't care because nothing had happened," she said. "But if I told them that story today, they'd be mortified."
This attitude - of not caring until something goes wrong - is what Hanna hopes to change.
"If they don't understand the impact, they don't understand the risk," she said. "That's why education is so important."
Hanna also noted that egos and cultural differences can hinder global cooperation in cybersecurity. "Some countries think they're better than others," she said. "Egos get in the way."
Still, Hanna believes the path forward is clear.
"It's all about governance. If organisations align with ISO 27001 or NIST, it forces them to face their risks," she said.
So how do organisations really start to secure their systems properly?
"Education. Education is the thing that brings it all together," she stressed. "That is how you stay safe."