Introduction: Loyalty, Not Firewalls
Last year, while interviewing specialists in Berlin about the STASI, I heard a simple truth: their greatest weapon wasn’t technology; it was devotion. Loyalty serves as a silent multiplier in both espionage and business.
In my career—from military security and diplomatic intelligence to corporate investigations—I’ve learned that systems fail when people lose purpose, and loyalty turns transactional.
Australia’s cyber crisis serves as a prime example: while our companies continue to harden their code, our adversaries continue to target individuals.
This article argues that Australia’s wave of major breaches is less a story of missing patches and more a story of social engineering, brittle outsourcing, and eroded workplace loyalty—conditions we ourselves have cultivated.
I will show how we arrived here, the real outcomes of our failures, and how to rebuild resilience using the same human principles that once made analogue intelligence so formidable.
Four Breaches, One Pattern
Australia’s recent headline breaches—Optus (2022), Medibank (2022), DP World (2023), and Latitude Financial (2023–24)—display different techniques but the same operational logic: penetrate the human perimeter, pivot into systems, exfiltrate data, and exploit public confusion.
Optus (Sept 2022): Approximately 9.8 million customer records exposed—nearly 37% of Australia’s population—ranging from names and DOBs to passport and license numbers. APRA
Medibank (Oct–Nov 2022): Data of ~9.7 million customers stolen; criminals posted sensitive medical information to the dark web after ransom demands. The regulator has since launched legal action. MEDIBANK
DP World (Nov 2023): a cyber incident halted port operations for roughly three days, constricting logistics for an operator that handles about 40% of Australia’s maritime freight. ABC
Latitude Financial (2023–24): Ultimately 14 million customer records implicated, including 7.9 million license numbers and 53,000 passport numbers across AU/NZ. The Guardian
The common denominator is human. The timeline the Australian Information Commissioner alleges for Medibank points to third-party weaknesses, including credentials saved in a personal browser profile—exactly the sort of outsourced, remote, or loosely governed access that social engineers love to exploit. OAIC
How We Got Here: From Pickpockets to Keyboards (and Feeds)
In my earlier analysis of criminal evolution, I traced the arc from street pickpockets to keyboard con artists. The modern offender does not need brute force. They need imagination, time, and open-source intelligence.
They mine LinkedIn and vendor pages for org charts and tech stacks. They lurk in Telegram groups, Discord servers, and forums where “how-to” content is normalized and gamified. This is not theory:
LinkedIn is now a primary reconnaissance surface used to profile targets and craft spear phishing with business tone and context. Trend Micro
Criminal “classrooms” have exploded: Europol and industry reporting show a sharp rise in recruitment and instruction via mainstream platforms since 2021. Europol
Deepfake-enabled fraud moved from curiosity to boardroom risk, exemplified by the US$25m Arup heist orchestrated through a video-conference clone. Financial Times
Consumer fraud losses keep climbing; the U.S. FTC reported US$12.5bn in losses in 2024 alone—an index of how scalable social engineering has become. Federal Trade Commission
McAfee’s 2024 analyses describe an order-of-magnitude surge in deepfake abuse and heightened public anxiety around scams. McAfee
Translation for Australian boards: your adversary learns in public, recruits in public, and rehearses in public. Meanwhile, you still treat cyber as a closed technical theatre.
Outsourcing, Remote Work, and the Loyalty Gap
On my field trips in Bali and Southeast Asia, I observed a global services economy where sensitive work—ID verification, CRM updates, refunds, invoice processing—moves through contractors on consumer laptops over café Wi-Fi. It’s cost-efficient, but it outsources trust:
Diffuse accountability: when a third-party employee falls victim to phishing, who is responsible for the resulting impact?
Low reciprocity: low pay and high churn corrode loyalty; a workforce that feels disposable reciprocates with minimal discretionary care.
Expanded attack surface: every additional endpoint and identity provider is another seam for credential replay, MFA fatigue, or social pretexting.
Medibank’s alleged timeline, pointing to actions by a third-party IT provider employee, is a textbook illustration of why this is not a hypothetical risk.
The Psychology: The Feed Trains the Offender—and the Victim
Our digital culture now rewards audacity over honesty. The algorithmic economy pays those who build parasocial trust, stage proof, and pitch hope—the same three moves used by con artists.
I have previously argued that fitness fraudsters, “get-rich” gurus, and crypto hucksters teach young offenders the fundamentals of manipulation.
The result is an attacker with polished narratives, credible aesthetics, and funnel discipline—a social engineer who scripts with the skill of a marketer, then executes with the rigor of an intelligence officer.
On the other side, victims train their attackers by oversharing travel plans, new roles, stack changes, and procurement wins—especially on LinkedIn.
Trend Micro’s work on LinkedIn abuse shows how readily such data is monetized by threat actors.
Outcomes That Matter: What the Breaches Really Cost
Beyond headline numbers, Australia is paying in four compounding currencies:
Trust Erosion (Public & Investor): Each incident degrades confidence in our institutions, depressing brand value and hiking cost of capital. The Medibank and Optus cases have already triggered regulatory actions and sanctions discussions. Reuters
Operational Fragility: DP World’s three-day halt proved that a single compromise can choke critical infrastructure. ASIS International
Copycat Incentives: Visible success begets imitators; threat actors watch remediation lag and target similar seams (identity stores, third-party access, cloud misconfigurations).
National-Level Exposure: The government has had to rewrite strategy, raise penalties, and centralize response, including the 2023–2030 Cyber Security Strategy’s “six shields.” Australian Government Architecture
A downstream metric of pain: after Optus, authorities reported hundreds of thousands of blocked identity-fraud attempts using stolen credentials—evidence that breach fallout persists long after news cycles move on. News
Argument vs. Counterargument (Academic Balance)
Argument 1—The human layer is the root cause.
Most Australian breaches begin with social engineering, credential misuse, or third-party lapses—human pathways dressed in technical clothing. The Medibank timeline is illustrative.
Counter: Technical controls (MFA everywhere, phishing-resistant auth, least privilege, hardware security keys) do mitigate human error—if deployed comprehensively and audited without exception.
Argument 2—Outsourcing hollows loyalty and control.
Transaction-based relationships weaken reciprocity and security discipline; oversight collapses across borders and device policies.
Counter: Outsourcing and remote work can be safe with zero-trust architectures, strong device attestation, contractual telemetry rights, independent audits, and rigorous insider-risk programs.
Argument 3—Culture beats compliance.
Without a security culture anchored in loyalty, training becomes a routine task to tick off. In intelligence, MICE taught us that ideology (shared mission) outperforms money (paycheck).
Counter: Culture takes time; boards need near-term controls. The right answer is a two-speed model: ship controls now, cultivate culture continuously.
What Australia Has Started (and Must Finish)
Canberra has moved. The 2023–2030 Cyber Security Strategy sets six shields (strong citizens, safe tech, world-class threat sharing/blocking, protected critical infrastructure, sovereign capability, and resilient region). Penalties under privacy reforms are rising; enforcement is sharpening (OAIC actions against Medibank; litigation against Optus).
These are necessary—but insufficient—without a human-centric rewrite inside corporations.
What Australia Has Started (and Must Finish)
Re-insource the crown jewels. Keep identity, key management, and high-sensitivity customer data onshore, with direct employee stewardship and hardware-backed authentication.
Maintain a Zero-Trust or Zero-Chance approach. Enforce phishing-resistant MFA, device attestation, and continuous authentication—especially for third-party and contractor access.
Compartmentalize like an intelligence service. Apply need-to-know to data stores and SaaS roles; stop treating the CRM as a communal pantry.
Harden LinkedIn exposure. Treat LinkedIn as open-source reconnaissance: scrub org charts, delay role announcements, and train executives on spear phishing patterns drawn from current intel. Trend Micro
Tabletop deepfakes. Run quarterly exercises in which finance or operations staff must validate instructions under video-conference pressure. Use the Arup case as your “why.” Financial Times
Swap “training” for loyalty-building. Recognition, transparent comms, and value alignment create reciprocity. The STASI leveraged ideology; ethical businesses can leverage purpose. Loyal teams report anomalies sooner and resist social pressure longer.
Contract for third-party telemetry. Require vendors to provide device posture data, breach notification within hours, and a right to surprise audits. A vendor that refuses is not a partner; it is an incident waiting to happen.
Measure what matters. Track the time taken to revoke credentials after role changes, contractor device compliance rates, the share of high-risk workflows gated by hardware keys, and employee sentiment toward leadership, which is a proxy for their willingness to go above and beyond to protect the company.
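One way to compute the metrics above from HR, IAM and device-posture exports, as an added Python example that is not part of the original article; the records, field names and the 24-hour revocation SLA are constructed assumptions, not data from any of the companies named:

```python
from datetime import datetime

# Constructed sample records (not real data): HR role-change and IAM revocation timestamps
ROLE_CHANGES = {
    "alice": "2024-03-01T09:00:00",
    "bob": "2024-03-02T14:00:00",
    "carol": "2024-03-03T08:30:00",
}
REVOCATIONS = {
    "alice": "2024-03-01T10:30:00",  # revoked 1.5 h after the role change
    "bob": "2024-03-05T14:00:00",    # revoked 72 h later: outside a 24 h SLA
    # carol: no revocation recorded yet, i.e. stale access still open
}
# Constructed contractor device posture records (field names assumed)
DEVICES = [
    {"id": "c-01", "mdm": True, "disk_encrypted": True, "patched": True},
    {"id": "c-02", "mdm": True, "disk_encrypted": False, "patched": True},
    {"id": "c-03", "mdm": False, "disk_encrypted": True, "patched": False},
    {"id": "c-04", "mdm": True, "disk_encrypted": True, "patched": True},
]
# Constructed high-risk workflows mapped to the strongest auth factor guarding them
WORKFLOWS = {
    "refund_approval": "hardware_key",
    "customer_id_export": "totp",
    "key_rotation": "hardware_key",
    "payroll_change": "sms",
}

def revocation_latency_hours(role_changes, revocations):
    """Hours from role change to credential revocation per user; None if still open."""
    latencies = {}
    for user, changed in role_changes.items():
        revoked = revocations.get(user)
        if revoked is None:
            latencies[user] = None
        else:
            delta = datetime.fromisoformat(revoked) - datetime.fromisoformat(changed)
            latencies[user] = delta.total_seconds() / 3600
    return latencies

def sla_breaches(latencies, max_hours):
    """Users whose credentials were revoked late or not at all (sorted)."""
    return sorted(u for u, h in latencies.items() if h is None or h > max_hours)

def device_compliance_rate(devices):
    """Share of contractor devices passing every posture check (MDM, encryption, patching)."""
    ok = sum(1 for d in devices if d["mdm"] and d["disk_encrypted"] and d["patched"])
    return ok / len(devices)

def hardware_key_coverage(workflows):
    """Share of high-risk workflows gated by a phishing-resistant hardware key."""
    return sum(1 for m in workflows.values() if m == "hardware_key") / len(workflows)
```

Open revocations (None) are reported as breaches rather than silently skipped, since an unrevoked credential is the worst case for this metric.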
Why Loyalty Belongs in the CISO’s Toolkit
In Berlin I was reminded that loyalty outperforms fear. In corporate life, loyalty is not blind obedience; it is shared purpose: employees who feel seen, rewarded, and trusted will protect the enterprise when policy and procedure fall short.
Our cyber posture improves when our people believe they are part of something worth defending.
That is the lesson intelligence has known for decades, and business has forgotten.
Conclusion: Cybersecurity Is Conscience at Scale
Australia is hacked not because our engineers are incompetent, but because our human systems are incoherent. We celebrated efficiency over integrity, cost savings over control, and vanity metrics over vigilance.
The attackers noticed. They always do.
Rebuild loyalty. Tighten the human perimeter. Treat the feed as a training ground—for us, not just for them. Do this, and we move from being a soft target to a hard lesson for those who try next.
Until then, our adversaries won’t need to pick locks. They will pick people and walk through the front door we left ajar.