Security: People Are the Biggest Weakness in Tech

Andrew Sirianni
When we think about cybersecurity, it’s easy to picture hackers with sophisticated tools breaking down digital walls. But the reality is far simpler: the biggest weakness in tech isn’t machines, it’s people.

Australia has seen this firsthand. In 2022, two of the country’s largest companies, Optus and Medibank, suffered devastating breaches. Optus was compromised through an unsecured API, while Medibank’s systems were breached via a compromised contractor login. Different technical failures - but the same underlying issue: weak processes, poor oversight, and human error.

At Dcode Group, we believe the best defense starts with acknowledging that people are the vulnerability. From there, businesses can put systems and habits in place to reduce risk. Here are five practical strategies to help protect your data and systems.


1. Systems and Processes

The Optus breach showed what happens when basic checks fall through the cracks. An unsecured API - something that could have been caught with routine audits and process discipline - became the gateway for attackers.

That’s why every organisation needs clear, documented systems and processes. This includes:

  • Regular audits of APIs and integrations.
  • Defined responsibilities for updates and patching.
  • Formal onboarding and offboarding procedures for staff and contractors.

Security lapses often happen when no one is accountable. Strong processes ensure nothing gets overlooked.


2. Have a Response Plan


Even the most secure systems can be compromised. The question isn’t if something will happen, but when. Having a plan is the difference between chaos and control.

Ask yourself:

  • Who responds if data is hacked?
  • How do we notify customers and stakeholders?
  • What legal or compliance requirements apply?

A response plan turns a potential crisis into a managed incident, minimising damage to both reputation and operations.


3. Two-Factor Authentication (2FA)

Passwords alone aren’t enough. Two-factor authentication (2FA) adds a second layer of protection, making it harder for attackers to get in - even if they steal a password.

At Dcode Group, our preference is SMS-based 2FA. We also recommend disabling e-SIMs, as they can introduce vulnerabilities through SIM-swapping. It’s a small step, but one that dramatically reduces the risk of unauthorised access.


4. Use a Password Manager

Weak or reused passwords are still one of the easiest ways into a system. A password manager solves this by generating and storing unique, random passwords for every account.


This way:

  • Staff only need to remember one strong master password.
  • The system handles the rest - no sticky notes, no reusing “Password123”.

A password manager isn’t just a convenience; it’s a foundational security measure.


5. Maintain an Access List

The Medibank hack exposed just how risky third-party logins can be. A contractor’s compromised credentials opened the door to sensitive data. This is why maintaining a tight access list is critical.

Every business should:

  • Regularly review who has access to what.
  • Remove accounts for former staff and contractors immediately.
  • Limit permissions to the minimum required for each role.

Access is like keys to your office. You wouldn’t give every staff member a master key and let ex-employees keep theirs - the same logic applies to digital systems.
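
The three review steps above can be run as a repeatable check. The following is an added example, not part of the original article or any Dcode Group code: it compares an export of active accounts against a staff and contractor roster and a per-role minimum permission set. The roster, role names, permission strings and account data are all constructed and hypothetical.

```python
from datetime import date

# Constructed sample data (not from any real system).
ROSTER = {  # HR/contract roster: person -> (role, end date or None if current)
    "alice": ("developer", None),
    "bob": ("support", None),
    "carol": ("contractor", date(2024, 3, 31)),  # contract ended
    "dave": ("developer", date(2024, 1, 15)),    # left the company
}
ROLE_PERMISSIONS = {  # minimum permissions each role needs (hypothetical policy)
    "developer": {"repo:write", "staging:deploy"},
    "support": {"tickets:write", "customers:read"},
    "contractor": {"repo:read"},
}
ACCOUNTS = [  # active accounts exported from the system under review
    {"user": "alice", "permissions": {"repo:write", "staging:deploy"}},
    {"user": "bob", "permissions": {"tickets:write", "customers:read", "prod:admin"}},
    {"user": "carol", "permissions": {"repo:read"}},
    {"user": "dave", "permissions": {"repo:write"}},
    {"user": "svc-legacy", "permissions": {"customers:read"}},
]

def review_access(accounts, roster, role_permissions, today):
    """Return a sorted list of (user, finding, detail) tuples for one review run."""
    findings = []
    for account in accounts:
        user, granted = account["user"], account["permissions"]
        if user not in roster:
            # No owner on the roster: nobody is accountable for this login.
            findings.append((user, "unowned", "not on roster"))
            continue
        role, end_date = roster[user]
        if end_date is not None and end_date <= today:
            # Former staff or contractor whose account was never removed.
            findings.append((user, "offboarded", f"ended {end_date.isoformat()}"))
            continue
        excess = granted - role_permissions.get(role, set())
        if excess:
            # More access than the role's minimum requires.
            findings.append((user, "excess", ",".join(sorted(excess))))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding, detail in review_access(ACCOUNTS, ROSTER, ROLE_PERMISSIONS, date(2024, 6, 1)):
        print(f"{user:12} {finding:11} {detail}")
```

Accounts flagged as offboarded or unowned are candidates for immediate removal; accounts flagged as excess need their permissions trimmed back to the role's minimum.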


Final Thoughts

Technology evolves quickly, but attackers often exploit the same simple weaknesses. The Optus and Medibank breaches proved that poor processes, weak oversight, and unmanaged access are just as dangerous as sophisticated malware.

By putting the right systems in place - from process discipline and access reviews to 2FA and password managers - organisations can turn their biggest weakness (people) into their strongest line of defense.

At the end of the day, security isn’t just about firewalls and encryption. It’s about building a culture where every person understands their role in protecting the business.
