What to Consider in Developing a Successful Cyber Security Strategy

To build an effective cyber security strategy, organisations must address human manipulation and physical access risks, not just technical controls and training.

Conclusion

Too often, the solution to defending against cyber attacks is seen as a combination of technical defences and training. Both are necessary, but the aspects of physical access and using human engineering to access ‘secure systems’ are often not given sufficient consideration in the development of an organisation’s cyber security strategy.

IBRS recommends that your organisation’s cyber security strategy should be a living document, reviewed and updated at least annually. This paper discusses the first step in developing your strategy, namely the consideration of the risk factors to be resolved or mitigated.

Observations

If you search the web or use AI to develop a cyber strategy, chances are you will see references to the 5 Cs: Change, Compliance, Cost, Continuity, and Coverage [1]. Or you might find the Gartner cyber security publication, which addresses business, technology, and environmental drivers in developing your strategy [2]. This paper examines a pragmatic approach: considering how an attacker will structure their attack, and the response your strategy needs to include to defend effectively against each of the six vectors discussed in this paper.

Attack Vector 1 – Human Manipulation

The human engineering attack vector is becoming a more common approach and can be used to breach your organisation either internally or through a third-party organisation that supplies services to you. To state the obvious, this is where an individual in the team is exposed to social engineering, which may result in the provision of privileged information or the theft of such information from a team member, allowing an attacker to access your systems. So, how would your cyber security strategy meet this challenge? The following checklist is provided for your reference:

  • Implement a robust employee onboarding and offboarding process that includes immediate revocation of privileged access upon termination.
  • Regularly audit user accounts and permissions to ensure the principle of least privilege is maintained and to identify any dormant or unauthorised accounts.
  • Establish clear security policies for employees regarding data handling, password management, and acceptable use of IT systems.
  • Keep the number of people holding privileged access to the minimum necessary, and review it regularly.
  • Ensure all users are required to employ multi-factor authentication.
  • Where complex passwords are used, mandate a passphrase policy that is easier to remember and avoids the risk of passwords being written down.
  • Require all people with privileged access (both in-house and third-party suppliers) to hold an appropriate police check and, if necessary, a national security clearance.
  • Conduct regular role-based training against human engineering for people holding privileged access (both internal and third-party suppliers).
  • Provide a whistleblower policy [3] for individuals who believe they may be exposed to human engineering techniques, or believe another member of the team is at risk.
  • Provide guidance and training on when and how to log a cyber security call.
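Several of the items above (auditing for dormant and unauthorised accounts, revoking access on termination, universal multi-factor authentication, a capped number of privileged holders) lend themselves to a repeatable check run against an export of your identity system. The following is an added illustration, not IBRS’s or any product’s code; the account records, the 90-day dormancy threshold and the cap of two privileged accounts are constructed assumptions that you would replace with your own policy values and directory export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy thresholds for this example (not from the paper); align them with your standard.
DORMANT_AFTER_DAYS = 90
MAX_PRIVILEGED_ACCOUNTS = 2


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool
    mfa_enrolled: bool
    last_login: Optional[date]   # None means the account has never been used
    employment_status: str       # "active" or "terminated"


def audit_accounts(accounts, today):
    """Return (username, issue) pairs for every account that breaches the checklist."""
    findings = []
    for acct in accounts:
        if acct.employment_status == "terminated":
            # Offboarding failure: the account should already be disabled.
            findings.append((acct.username, "access not revoked after termination"))
            continue
        if not acct.mfa_enrolled:
            findings.append((acct.username, "multi-factor authentication not enrolled"))
        idle_days = None if acct.last_login is None else (today - acct.last_login).days
        if idle_days is None or idle_days > DORMANT_AFTER_DAYS:
            findings.append((acct.username, "dormant account (no recent login)"))
    # Least privilege: compare the live privileged population against the agreed cap.
    privileged = [a.username for a in accounts if a.privileged and a.employment_status == "active"]
    if len(privileged) > MAX_PRIVILEGED_ACCOUNTS:
        findings.append(("<all>", f"{len(privileged)} privileged accounts exceed the agreed maximum of {MAX_PRIVILEGED_ACCOUNTS}"))
    return findings


# Constructed sample export (not real data) covering each failure mode the checklist names.
TODAY = date(2025, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("a.lee", True, True, date(2025, 6, 28), "active"),
    Account("b.singh", True, False, date(2025, 6, 29), "active"),     # privileged, no MFA
    Account("c.wong", False, True, date(2025, 1, 15), "active"),      # 166 days idle
    Account("d.ortiz", True, True, date(2025, 5, 30), "terminated"),  # left, still enabled
    Account("svc-backup", True, True, None, "active"),                # never logged in
]


def run_audit():
    return audit_accounts(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for username, issue in run_audit():
        print(f"{username:12} {issue}")
```

Run against the sample, the audit reports one finding each for b.singh, c.wong, d.ortiz and svc-backup, plus one finding that three active privileged accounts exceed the cap of two; feeding it a real directory export turns the “regularly audit” bullet into something that can be scheduled and tracked.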

Attack Vector 2 – Physical Access

Physical access to your sites can allow an attacker to use a number of techniques, ranging from keyboard loggers and listening devices to accessing unprotected ports and resetting system passwords using command-line code during boot-up. This risk is increased where people with privileged access are able to use that access from a remote location (working from home). So, how would your cyber security strategy meet this challenge? The following checklist is provided for your reference:

  • Ensure the physical security (access controls, key management, CCTV, and alarms) of the work area (including when working remotely) is appropriate for the potential risk.
  • Regularly review and test physical security controls to ensure their effectiveness.
  • Implement clear desk and clear screen policies to minimise the risk of sensitive information being exposed.
  • Securely manage and dispose of sensitive documents and hardware.
  • Provide remote workers with privileged access with training on the potential risks and on how to check regularly for devices such as keyboard loggers.
  • Provide defence in depth for more sensitive areas, where access to comms distribution racks and computer rooms is treated as privileged access.
  • Ensure all access ports in the work areas are appropriately managed and locked down if not in use.
  • Require all visitors to be escorted.
  • Require all visitors (business, maintenance workers, and cleaners) to record their details before being allowed access.
  • Require multi-factor authentication for access by all remote workers.

Technical Attack Vectors

These vectors may involve a combination of attack vectors 1 and 2 to gain intelligence on how best to structure the technical attack. That said, poor IT ecosystem hygiene practices can also allow attackers access [4].

Attack Vector 3 – Denial of Service

A denial-of-service (DoS) attack vector is where the attacker uses various techniques to overload access and cause your organisation to drop its guard. These types of attacks can be used to cause embarrassment, but they can also be used to probe your defences, for example to find back doors in your company’s systems that can then be monitored and exploited at a later date. So, how would your cyber security strategy meet this challenge? The following checklist is provided for your reference:

  • Implement Intrusion Detection/Prevention Systems (IDS/IPS) to detect and block malicious traffic patterns associated with DoS attacks.
  • Utilise Cloud-based Distributed DoS (DDoS) mitigation services that can absorb large-scale attacks before they reach your infrastructure.
  • Conduct regular vulnerability assessments and penetration testing to identify weaknesses that could be exploited in DoS attacks.
  • Implement application whitelisting to ensure only approved applications can run, preventing unauthorised software that might be used in a DoS attack.
  • Mandate effective change control of your IT ecosystem to ensure unintended errors do not cause a denial of service.
  • Ensure effective monitoring of your IT ecosystem to detect unauthorised access or events.
  • Mandate that load balancing techniques [5] are used, either by your internal network architecture or by your Telco/ISP.
  • Assess the value of network segmentation [6] to prevent overloading all access points simultaneously.
  • Assess rate-limiting techniques [7] to control the number of requests or actions a user, device, or server can make within a specific period of time.
  • Assess the value of content delivery techniques [8] to provide a geographically distributed network of servers that work together to deliver digital content.
  • Mandate IP address blocking to block traffic from known or suspected malicious sources.
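The rate-limiting and IP-blocking items above describe a control that is easy to state and worth seeing in concrete form. The block below is an added example written for this page, not code from IBRS or from any of the cited vendors: a sliding-window limiter that caps each client at a fixed number of requests per period, refuses sources on a block list outright, and is driven by a constructed traffic sample (documentation addresses such as 203.0.113.7, not real logs). The quota of 10 requests per 60 seconds is an assumed value.

```python
from collections import Counter, defaultdict, deque


class RequestGate:
    """Sliding-window rate limiter with a static block list.

    Each client may make at most `max_requests` requests in any `window_seconds`
    period; addresses on the block list are refused before any quota is consulted.
    """

    def __init__(self, max_requests, window_seconds, blocked_ips=()):
        self.max_requests = max_requests
        self.window = window_seconds
        self.blocked = frozenset(blocked_ips)
        self._history = defaultdict(deque)  # client -> timestamps of accepted requests

    def check(self, client_ip, now):
        if client_ip in self.blocked:
            return "blocked"
        recent = self._history[client_ip]
        # Drop timestamps that have aged out of the window so old bursts stop counting.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return "rate_limited"  # over quota: refuse, and do not count the refused request
        recent.append(now)
        return "allowed"


# Constructed traffic sample (not real logs): (client address, epoch seconds).
SAMPLE_TRAFFIC = (
    [("10.0.0.5", 100.0 + i) for i in range(5)]            # well-behaved client, 1 request/second
    + [("10.0.0.9", 100.0 + i * 0.04) for i in range(50)]  # burst of 50 requests in two seconds
    + [("203.0.113.7", 101.0)]                             # address on the block list
    + [("10.0.0.9", 200.0)]                                # burst client again, after the window expired
)


def simulate(traffic=SAMPLE_TRAFFIC, max_requests=10, window_seconds=60):
    """Replay traffic in time order and tally each client's outcomes."""
    gate = RequestGate(max_requests, window_seconds, blocked_ips={"203.0.113.7"})
    outcomes = defaultdict(Counter)
    for client_ip, ts in sorted(traffic, key=lambda event: event[1]):
        outcomes[client_ip][gate.check(client_ip, ts)] += 1
    return {ip: dict(counts) for ip, counts in outcomes.items()}


if __name__ == "__main__":
    for ip, counts in simulate().items():
        print(ip, counts)
```

With the sample, the steady client is never throttled, the bursting client gets its first ten requests through and the remaining forty refused, and is admitted again once the window has passed; the listed address is blocked without touching the quota. In production the same logic lives at the load balancer, reverse proxy or API gateway rather than in application code, but the decision rule is the one shown.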

Attack Vector 4 – Phishing

Phishing is a type of cyber attack in which scammers use fake emails, websites, or other digital communications to trick individuals into divulging sensitive information, such as login credentials or financial details. So, how would your cyber security strategy meet this challenge? The following checklist is provided for your reference:

  • Deploy email security measures such as advanced spam filters, email authentication protocols (SPF, DKIM, DMARC), and anti-impersonation tools.
  • Implement DNS filtering to block access to known malicious websites that might be linked from phishing emails.
  • Regularly update security awareness training content to reflect new phishing techniques and trends.
  • Provide a clear and easy-to-use reporting mechanism that enables employees to flag suspicious emails, including a phishing button in email clients that allows users to report suspected phishing emails.
  • Mandate regular training for all employees (not just IT staff) on phishing and how to avoid being compromised by these types of attacks.
  • Mandate regular phishing simulations to test all employees’ preparedness to defend against these types of attacks.
  • Mandate that all contracts with suppliers of the IT ecosystem also require them to train and test for phishing attacks.
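The first item in the list names SPF, DKIM and DMARC, and the gap between “we publish a record” and “the record actually blocks spoofed mail” is where many deployments fall short. The following is an added example, not code from IBRS or any vendor: it parses the published SPF and DMARC TXT records for a domain and flags the weak settings a reviewer looks for (a monitoring-only `p=none`, a partial `pct`, no reporting address, a permissive `+all`/`~all`, or too many DNS lookups). The sample records use the reserved example.com domain and are constructed for illustration; in practice you would feed it the TXT records fetched from DNS.

```python
import re

# Mechanisms whose evaluation costs a DNS lookup; SPF caps these at ten per record.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_SPF_LOOKUPS = 10


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lower-case tag name."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record; an empty list means no findings."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= policy missing or invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address, so authentication failures are never reported to you")
    return findings


def assess_spf(record):
    """Return a list of weaknesses in an SPF record; an empty list means no findings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        mechanism = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if mechanism in LOOKUP_MECHANISMS:
            lookups += 1
        if mechanism == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' mechanism; unlisted senders receive a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as your domain")
    elif all_qualifier == "~":
        findings.append("'~all' (softfail) lets receivers still deliver unauthorised mail")
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_SPF_LOOKUPS}; receivers return permerror")
    return findings


# Constructed records for example.com: a weak pair beside a hardened pair.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, record, check in [("DMARC", WEAK_DMARC, assess_dmarc), ("SPF", WEAK_SPF, assess_spf)]:
        print(label, record, "->", check(record) or "no findings")
```

The weak DMARC record draws three findings and the weak SPF record one, while the hardened pair passes clean. DKIM is deliberately left out: its check is a cryptographic signature verification on a received message rather than a record inspection, and it is a separate exercise.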

Attack Vector 5 – Malware

Malware attacks [9] are where the attacker embeds code to run spyware, a virus, a worm, a trojan, unwanted adware, or a hybrid of one or more of these types of malware. So, how would your cyber security strategy meet this challenge? The following checklist is provided for your reference:

  • Implement Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) tools for advanced threat detection and response on endpoints.
  • Utilise application whitelisting to prevent unauthorised software, including malware, from executing on systems.
  • Conduct regular security audits of your IT environment to identify and remediate vulnerabilities that malware could exploit.
  • Mandate that all security patches be applied as soon as possible upon release.
  • Mandate that all IT platform operating systems and applications are maintained at n-1 release status.
  • Ensure effective monitoring of your IT ecosystem to detect unauthorised access or events.
  • Mandate the use of anti-virus protection software on all end-user and enterprise computer platforms.
  • Mandate that all data in transit and at rest is encrypted.
  • Mandate that back-ups allow for immutable copies and air-gapping to support recovery of lost or corrupted data.
  • Protect the IT ecosystem against unauthorised use of USB devices (portable hard drives and USB stick drives).

Attack Vector 6 – Ransomware

A ransomware attack is often referred to as malware, but from a business impact perspective it can be much more destructive in terms of lost productivity, revenue, and reputational damage. So, how would your cyber security strategy meet this challenge? The following checklist is provided for your reference:

  • Consider whether micro-segmentation [10] of data may be an effective defence for your organisation. With micro-segmentation, administrators can manage security policies that limit traffic based on the principles of least privilege and zero trust.
  • Develop and regularly test a comprehensive incident response plan specifically for ransomware attacks.
  • Conduct regular penetration testing to simulate ransomware attacks and identify vulnerabilities.
  • Implement a zero trust architecture that assumes no user or device is trustworthy by default.
  • Mandate that all data in transit and at rest is encrypted.
  • Mandate that back-ups allow for immutable copies and air-gapping to support recovery of lost or corrupted data.
  • Protect the IT ecosystem against unauthorised use of USB devices (portable hard drives and USB stick drives).
  • Template the processes to be followed to properly investigate the attack vector before conducting any recovery of impacted systems [11].
  • Keep the number of privileged accesses to the minimum necessary.
  • Ensure all users are required to employ multi-factor authentication.

Next Steps

  • Review your current exposure against each of the six discussed attack vectors and develop a gap analysis of your risk.
  • Develop your cyber security strategy to defend against attack vectors.
  • In your strategy, develop a maturity framework that enables your organisation to measure the improved effectiveness of the cyber security strategy over time.
  • Conduct regular (at least annual) reviews of your cyber security strategy to ensure it remains current against known risks.

Footnotes

  1. ‘What Are the 5 Cs of Cybersecurity? Ensuring a Secure Digital Environment’, Endsight, 2023.
  2. ‘Cybersecurity Strategy: Embrace Fault Tolerance and Resilience’, Gartner, 2025.
  3. ‘Whistleblower Protections’, Fair Work Commission, 2025.
  4. ‘Essential Eight’, Australian Signals Directorate, 2025.
  5. ‘Can Load Balancers Prevent DoS Attacks?’, Cyberly, 2025.
  6. ‘Denial of Service and Prevention’, Geeks For Geeks, 2025.
  7. ‘What Is Rate Limiting, and How Does It Help in Defending Against DoS Attacks?’, Cyberly, 2025.
  8. ‘What Is the Role of Content Delivery Networks (CDNs) in Mitigating DoS Attacks?’, Cyberly, 2025.
  9. ‘What is a Malware Attack?’, CyberArk, 2025.
  10. ‘What Is Microsegmentation?’, Palo Alto Networks, 2025.
  11. ‘Cybersecurity incident response planning: Practitioner guidance’, Australian Signals Directorate, 2024.
