If Qantas Can Be Breached… What About the Rest of Us?

Peter Gregory
8 August 2025

What the recent attack on Australia’s flagship airline teaches us about cybersecurity risks and how to protect your digital platforms.

By now, you’ve likely heard the news: Qantas, Australia’s national carrier, was hit by a major data breach that exposed the personal information of 5.7 million customers.

The breach wasn’t a result of an internal system failure. Instead, it stemmed from a third-party platform used by one of the airline’s call centres - a reminder that even the strongest infrastructure is only as secure as its weakest link.

The data stolen included names, email addresses, birth dates, phone numbers, and frequent flyer details. While no payment information was accessed, the reputational damage was immediate, and likely long-lasting.

At Koben Digital, we work with organisations that value their digital presence, user trust, and long-term brand credibility. And right now, we want to be clear:

If a company like Qantas can be compromised, every organisation should be evaluating its cybersecurity posture.

Cybersecurity is no longer optional

Too many organisations still treat cybersecurity like an afterthought - something to look at only once something goes wrong. But in 2025, that mindset is not only outdated, it’s a liability.

Cybersecurity is not just a technical issue. It’s a people issue. A process issue. A leadership issue, and increasingly, it’s a reputation issue.

Whether you're a not-for-profit, a government agency, or a mid-to-large business, your digital platform is an essential business asset - and a potential entry point for attackers.

The Data Doesn't Lie: Cybersecurity Risks in 2025

According to the CrowdStrike 2025 Global Threat Report, the majority of attacks in 2024 didn’t begin with high-end hacking tools. They began with access.

Identity-Based Attacks

80% of breaches investigated in 2024 involved the use of valid credentials. In other words, attackers didn’t break in, they logged in.

Third-Party Risks and Supply Chain Attacks

More than 50% of attacks originated from a third-party or supply chain entry point. This is exactly what happened in the Qantas case.

Unpatched Software Platforms

Unpatched CMS platforms and plugins continue to offer easy wins to attackers. Failure to patch vulnerabilities within 30 days can increase exploit risk by over 80%.

Human Error and Phishing

Despite years of training, phishing remains one of the most successful breach vectors. Your people are often the first point of failure, or the first line of defence.

7 Common Website and Platform Security Gaps We See Every Day

At Koben, we’ve worked across hundreds of digital platforms, and we consistently see the same critical gaps - even in organisations that believe they’re “secure.”

1. Weak or Inconsistent Use of Multi-Factor Authentication (MFA)

MFA is one of the simplest, most effective ways to protect user credentials, yet it’s often inconsistently applied, or omitted from ‘non-core’ systems like CRMs, CMS platforms, and email services.

2. Overly Broad User Access

Many teams grant blanket admin access to staff or external vendors, often “temporarily”, but those permissions are rarely revoked. This increases risk exponentially if even one account is compromised.

3. Outdated Content Management System (CMS) Plugins

Open-source CMS platforms like WordPress offer flexibility, but they’re also frequent targets for attackers. Unpatched plugins and inactive extensions are easy wins for cybercriminals.

4. Lack of Regular Access Audits

Do you know who currently has admin access to your systems? When was their access last reviewed? Many organisations don’t review access regularly, and that’s exactly what makes them vulnerable.

5. Inadequate Disaster Recovery Plans

Backups are one thing - but a tested, documented disaster recovery plan is something else entirely. If your website went down today due to an attack, would your team know what to do? It’s always better to plan proactively than respond reactively. Intentional and proactive planning can reduce downtime in the event of a data breach.

6. Shadow SaaS and Unvetted Third-Party Tools

When staff sign up for tools outside IT’s purview - think online form builders, booking widgets, analytics plugins - they introduce new risks. Each one represents a potential breach point, and needs to be vetted, logged and monitored.

7. Little to No Cybersecurity Training for Staff

Many breaches start with a single click. If your team isn’t trained to spot phishing attempts or social engineering tactics, your entire platform is at risk. 

What a Secure, Resilient Digital Platform Looks Like

Great digital platforms don’t just look beautiful or function well - they’re built to be resilient, secure, and scalable. Here's what a mature digital security strategy includes:

• End-to-End Multi-Factor Authentication

This should be enforced across all systems, including internal tools, customer portals, email, and admin logins.

• Role-Based Access Control

Not every user needs admin access. Use the principle of least privilege to ensure people only have the permissions they truly need, and revoke them when roles change.

• Patch and Plugin Management

Make plugin and CMS updates part of your monthly security routine. Automate where possible, and remove inactive modules or outdated tools.

• Quarterly Access and Infrastructure Audits

Regularly review who has access to your systems, what integrations exist, and whether your disaster recovery plans are still fit for purpose.

• Secure Third-Party Vendor Vetting

When choosing digital vendors or tools, always review their security practices, terms of service, and incident history.

• Staff Cybersecurity Education

Empower your team to be your first line of defence with training on phishing, data handling, and platform hygiene.

• Embedded Security in Every New Project

At Koben, we consider cybersecurity at the core of every website, app, or platform we develop - not as an add-on, but as a foundational layer and first line of defence.
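
A minimal access audit covering the MFA, least-privilege and quarterly-review points above, as an added example that is not Koben's own tooling. The account export format, its field names and the 90-day review interval are assumptions, and the sample records are constructed.

```python
from datetime import date

REVIEW_INTERVAL_DAYS = 90  # assumed value for a "quarterly" review window

# Constructed sample export; field names are hypothetical, not from a real product.
ACCOUNTS = [
    {"user": "alice", "system": "cms", "role": "admin", "mfa": True,
     "last_reviewed": date(2025, 7, 1), "expires": None, "external": False},
    {"user": "bob", "system": "crm", "role": "admin", "mfa": False,
     "last_reviewed": date(2025, 6, 20), "expires": None, "external": False},
    {"user": "vendor-dev", "system": "cms", "role": "admin", "mfa": True,
     "last_reviewed": date(2025, 1, 15), "expires": date(2025, 3, 31), "external": True},
    {"user": "carol", "system": "email", "role": "editor", "mfa": True,
     "last_reviewed": date(2024, 11, 2), "expires": None, "external": False},
]

def audit_account(acct, today):
    """Return the list of findings for one account record."""
    findings = []
    # MFA should be enforced on every system, including "non-core" ones.
    if not acct["mfa"]:
        findings.append("no-mfa")
    # A "temporary" grant that is past its end date was never revoked.
    if acct["expires"] is not None and acct["expires"] < today:
        findings.append("temporary-access-not-revoked")
    # External admin access with no end date at all.
    if acct["external"] and acct["role"] == "admin" and acct["expires"] is None:
        findings.append("external-admin-without-expiry")
    # Access not reviewed within the quarterly window.
    if (today - acct["last_reviewed"]).days > REVIEW_INTERVAL_DAYS:
        findings.append("review-overdue")
    return findings

def audit(accounts, today):
    """Map (user, system) -> findings, omitting accounts with none."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[(acct["user"], acct["system"])] = findings
    return report

if __name__ == "__main__":
    for (user, system), findings in audit(ACCOUNTS, date(2025, 8, 8)).items():
        print(f"{user}@{system}: {', '.join(findings)}")
```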

The cost of inaction is more than financial

While the immediate impact of a breach might be downtime, support costs, or operational stress, the long-term effects can be much more damaging:

  • Loss of customer trust

  • Brand reputation erosion

  • Regulatory fines and compliance failures

  • Loss of donor or stakeholder confidence (especially in NFP and government sectors)

As seen in the Qantas case, customers are already hesitating. Brand damage like that doesn’t heal quickly.

Book a Digital Strategy Session with Koben

Let’s take a proactive look at your digital security. You don’t need to be a cybersecurity expert to take the right steps - and you don’t need one to get started either.
In this session, we’ll help you:
- Spot potential vulnerabilities in your website or platform
- Review access controls, CMS hygiene, and third-party tools
- Identify realistic, proactive steps to reduce risk and increase resilience
This isn’t a technical deep dive, it’s a strategic conversation to help you make informed decisions and move forward with clarity.

No jargon. No scare tactics. Just a clear-eyed look at where you’re at and where to go next.
