Cyber security for directors is no longer the sole domain of IT teams; it is now a core business risk that demands board-level attention. In 2024, the Australian Signals Directorate (ASD) received over 1,100 reports of cyber incidents affecting critical infrastructure and small to medium-sized businesses. The ASD report also notes that the average cost of a cybercrime has surged by 14% in the past year alone. These figures confirm what directors can no longer afford to ignore: cyber risk is business risk.
This shift isn’t just about the increasing frequency of attacks but the consequences when things go wrong. Boards are being held accountable for the effectiveness of their organisation’s cyber posture. Whether through legal action, regulatory scrutiny, or reputational fallout, cyber breaches now routinely reach the boardroom. Directors are expected to have the knowledge, oversight, and governance practices to proactively identify and manage these risks.
This blog outlines why cyber governance must become a boardroom priority in 2025. We examine evolving threats, explain why directors can no longer delegate cyber responsibility, and explore the lessons learned from Australia’s most damaging breaches. You’ll also find practical guidance on what boards can do today to lead on cyber resilience. If you’re a director or senior leader, cyber security now starts with you.

The New Cyber Risk Landscape in 2025
Cyber threats have grown in volume and sophistication. Attackers now employ AI-powered phishing, deepfakes, and supply chain attacks to exploit business trust and reputations. Notably, the CrowdStrike 2025 Global Threat Report reveals that vishing operations have surged by 442% between the first and second half of 2024. These threats intersect with governance, finance, insurance, and regulatory exposure, making cyber security a multifaceted board-level concern.
Why Directors and Boards Can’t Delegate Cyber Responsibility
Directors face legal and financial implications for cyber security failures. The Australian Securities and Investments Commission (ASIC) has emphasised that directors must ensure robust cyber security measures and business continuity plans are in place. Governance frameworks like APRA CPS 230, ISO 27001, and the Essential Eight maturity model demand board-level cyber awareness. Public and stakeholder expectations have risen, and failure to act is viewed as a failure of leadership.

Lessons from Australia’s Most Damaging Cyber Breaches
Australia’s most high-profile cyber incidents, Optus, Medibank, and Latitude, demonstrated that cyber security lapses carry serious governance consequences. The real fallout extended far beyond technical remediation and reached the boardroom. Legal proceedings were launched, brands suffered severe reputational damage, and leadership accountability came under direct scrutiny. These cases illustrate that cyber governance is not optional. Boards must ensure they are asking the right questions and setting expectations around cyber preparedness before, not after, a breach occurs.
Board-level consequences of recent breaches include:
- Class actions for failing to protect sensitive data.
- Brand damage that undermined customer trust and investor confidence.
- Executive resignations and leadership turnover following public and regulatory pressure.
- Regulatory investigations and penalties with long-term reputational and financial implications.

Where Today’s Cyber Threats Are Targeting Leaders
Modern cyber attackers increasingly target senior executives, recognising the influence and access held at the top. Ransomware gangs now use double extortion techniques, threatening to leak sensitive board-level communications to pressure executives directly. AI-powered scams, including deepfake videos and cloned voices, make social engineering attacks against leadership more convincing than ever. Meanwhile, third-party supply chain risks remain vastly underestimated by boards, even though directors may be held responsible for the failures of vendors and partners. Insider risk is also rising, with executive-level accounts seen as high-value entry points for long-term attacks and surveillance.
Key threat vectors aimed at directors and boards include:
- Ransomware and double extortion campaigns that exploit leadership visibility.
- AI-enhanced deepfake scams targeting payment approvals and authorisation chains.
- Third-party/supply chain vulnerabilities that expose gaps beyond direct board oversight.
- Insider threats and credential theft, especially from executives and senior staff.
What Boards Can Do: Proactive Cyber Governance Essentials
Boards must lead on cybersecurity, not follow. Directors are responsible for embedding cyber risk into governance frameworks and ensuring visibility over their organisation’s posture. This includes commissioning regular cyber resilience assessments, overseeing tested response plans, and reviewing supply chain exposures. SMBs in particular benefit from structured approaches like the SMB1001 Certification, which provides a clear benchmark for managing security risks in smaller environments. For directors, supporting SMB1001-aligned practices signals a commitment to best-practice governance, even when internal resources are limited.
Directors should act on the following:
- Integrate cyber security into board agendas and risk frameworks
- Commission regular cyber resilience assessments
- Demand clarity on:
  - Quarterly-tested incident response plans
  - Ransomware readiness posture
  - Third-party and supply chain risk exposure
  - Data protection practices, such as 3-2-1 backups
- Provide cyber training for board members
- Engage external specialists where internal capacity is limited
- Promote a culture of security from the top down
- Encourage adoption of frameworks like SMB1001 to strengthen cyber governance in resource-constrained environments

Conclusion: Cyber Security is a Board Issue Now
Cyber security is no longer a back-office function; managing board-level cyber risk is now an imperative for directors in 2025. The rising volume and sophistication of threats, from AI-driven scams to third-party vulnerabilities, means directors must lead from the front. Regulatory bodies like ASIC now expect active board engagement, and recent breaches have shown that failure to act can lead to class actions, reputational damage, and leadership fallout.
Directors who embed cyber security into existing governance frameworks, oversee risk assessments, and demand clarity on incident response are better positioned to protect their organisations. The responsibility is clear: directors must treat cyber risk as core to business continuity, compliance, and trust. In 2025, leadership will be judged not by what was said after a breach, but by what was done before it.
BITS Assists Organisations to Build Cyber Resilience from the Top Down
Need clarity on your board’s cyber obligations? BITS assists organisations of all sizes, including not-for-profits, to build cyber resilience from the top down. We collaborate with executive teams and boards to assess cyber readiness, conduct board-level simulations, and address critical gaps. Book a Cyber Governance Consultation with BITS today.