Lieutenant General Michelle McGuinness has a message about cyber security. And it’s for everyone, not just the IT guy in the cupboard.
Cyber security isn’t just an IT issue, Australia’s cyber security coordinator Lieutenant General Michelle McGuinness told the MSIA conference last week. It’s everyone’s business.
And because of the critical nature of the health care profession, cyber security can be life and death.
“It’s not just a problem for the IT guy in the cupboard. It is a leadership issue. It is a resource issue. It is a risk issue. It is a culture issue,” she said.
Patient data is incredibly valuable, and healthcare operations are critical to public safety. This combination makes the sector uniquely attractive to attackers.
Her team has coordinated more than 100 nationally significant cyber incidents in less than two years. Across government, business and critical infrastructure, “millions of Australians” have been affected, she said, and there is no sign the volume is slowing.
The Australian Signals Directorate’s latest threat report found a cyber incident is reported in Australia every six minutes. Healthcare ranked fourth among the top 10 sectors reporting incidents, “although I’ve seen stats that it’s also the most targeted sector,” she warned.
“Unfortunately, the necessity of our work is not reducing,” she said.
“So even though we feel we’re having some wins on the board… we know that the threat is also evolving, and there has been no reduction in attacks.”
Cyber criminals are responsive, adaptive and agile. They use technology quickly and have no concern for risk. They capitalise on opportunities. They continue to evolve, especially as technology evolves, often faster than us.
“Which is why the absolute need to work together, both within sectors, across sectors, and of course across the nation,” she said.
The work that’s been done
Lieutenant General McGuinness told the MSIA audience that Horizon 1 of the 2023–2030 Australian Cyber Security Strategy is almost complete.
“There were 60 initiatives under Horizon 1. 59 are complete and one is awaiting ministerial sign-off,” she said.
For health, key deliverables include:
- Establishing and maturing sector intelligence-sharing arrangements, including the health ISAC
- Developing a health sector cyber incident playbook, based on exercises with health leaders
- New limited-use protections in the Cyber Security Act 2024, designed to give industry confidence to call for help early without fear that information will be used against them in regulatory or class-action proceedings.
These protections have already changed behaviour. In the 12 months before the legislation, ASD reached out to 620 organisations about suspected incidents; about 55% responded, often weeks later. In the 12 months since, ASD has contacted 1700 organisations, with around 75% responding – most within 24–48 hours.
“That’s a really time-critical, trusting environment,” she said. “We’re saying, ‘We think you’ve got a problem,’ and we want to prevent others from having the same one.”
The call to action for health businesses
CyberCX co-founder Alex Heidenreich has worked in incident response across healthcare and other critical infrastructure sectors. He said the cyber threat level for healthcare in Australia was “elevated and moving towards high”.
“The most important thing that any one organisation can do is to make cyber security a part of every part of your business,” Lieutenant General McGuinness said.
Both speakers agreed: the biggest vulnerability is people.
The initial access to systems is most often gained through human error, compromised credentials, or exploiting vulnerabilities—technical flaws are only one part.
Mr Heidenreich also highlighted how high-value individuals (such as executives or IT admins) are often directly targeted due to their organisational access. Their personal digital footprints are a prime source for attackers.
So here’s what you should do.
- Use unique, strong passphrases or passkeys
This is a basic one but one that people still get wrong time and time again.
“There was an article about two months ago, the top 10 passwords listed for Australians started with password. I think number eight was boobies,” Lieutenant General McGuinness said.
Mr Heidenreich said most passwords were vulnerable due to predictable patterns, dictionary words, or context from a user’s life.
Password tips:
- Use long passphrases: The difference in security between an 8-character passphrase and a 15-character passphrase is enormous (77 million years to crack for the 15-character passphrase versus one day for the 8-character one).
- Make passwords unique: Don’t reuse passwords across different accounts.
- Avoid common passwords: Don’t use predictable passwords like “password” or other words commonly found in password lists.
- Update passwords regularly and whenever a breach is suspected.
- Use passkeys wherever possible for even greater security.
- Use a password manager.
- Update your software regularly
Regular software updates and system backups are critical to limiting the damage from attacks like ransomware.
“Update your operating system because we’ve got very short periods of time to patch these days. You want to have that automated,” Mr Heidenreich said.
“Have backups of your data. I’ve seen people get hit with ransomware at home. I saw a gentleman get hit, the kids downloaded a free game. Had ransomware in it. They launched it. They had a laptop at home that they’ve never taken a backup of. Ten years’ worth of kids’ photos,” he said, highlighting the human element to attacks.
- Apply multifactor authentication
Wherever you can, apply multifactor authentication to all your accounts. It’s much harder to be hacked when you’ve got this layer of protection.
Cyber security in the future
Lieutenant General McGuinness said there was, unfortunately, a huge shortage of cyber security professionals.
“We have a shortage of 30,000 so we’re really working across universities and across the vocational sectors to build that workforce,” she said.
“So please look after your IT guy in the cupboard and help him or her build that network.”
Even more importantly, everyone needed to be well versed in the importance of cyber security.
“We need everyone to play their role in shaping the future of our nation’s cyber security. Cyber security has to be built in, no matter your size. Please have a plan, and please exercise it and share your lessons,” she concluded.
“We need all of you to uplift your staff, your employees, your customers, your patients, your supply chains. Because this really matters, and we really are only as strong as our weakest link.”



