Every day, organisations across Australia and Aotearoa New Zealand rely on technology to keep essential operations running.
Whether it’s managing hospitals, airports, schools, government facilities or commercial buildings, digital systems now sit behind many of the services people depend on. From work orders and maintenance schedules to payroll, customer reporting and supplier communications, technology supports activities that keep businesses operating and communities functioning.
When those systems are interrupted, the impact can be felt quickly. Services can be delayed, operations interrupted, and customer confidence affected.
That’s why cyber security is no longer just an IT issue; it’s become a resilience issue.
For OCS, resilience is about building a business that can anticipate risk, adapt to changing conditions and continue delivering for customers when disruption occurs. In that context, cyber security plays an increasingly important role in protecting services, data, reputation and operational continuity.
Neil Weller, OCS Group Chief Information Security Officer, believes organisations need to stop viewing cyber risk as a specialist technology topic and start recognising it as a business-wide resilience challenge.
Cyber Incidents Are No Longer Just Technology Incidents
Recent events have demonstrated how quickly cyber incidents can affect day-to-day operations.
Last year’s cyber incident involving Qantas attracted significant attention across Australia and New Zealand, highlighting that even large and well-resourced organisations can be vulnerable to cyber threats. While every incident is different, the broader lesson is the same: cyber security is no longer only about protecting systems. It’s about protecting the ability of a business to operate.
For many organisations, the biggest impact of a cyber incident isn’t the technology failure itself, it’s the operational disruption that follows.
A system outage can affect customer reporting, maintenance schedules, supplier communications, workforce planning and access to critical information. In some environments, it can affect the ability to deliver services safely and/or consistently.
The question is no longer whether systems can recover. It’s whether operations can continue while recovery is taking place.
The most resilient organisations no longer separate cyber resilience from operational resilience. They recognise that technology, people and service delivery are increasingly connected.
AI Is Changing the Risk Environment
Artificial intelligence is accelerating this shift.
Research from McKinsey shows that AI adoption continues to grow rapidly across organisations worldwide. Businesses are using AI to improve productivity, automate routine tasks and support decision-making. The opportunities are significant, but so are the risks.
AI is also making cyber attacks more convincing and harder to detect.
Fraudulent emails can be written more professionally. Voice cloning technology can imitate trusted individuals. Fake videos and messages can appear increasingly authentic.
As a result, many of the signals people have traditionally relied on to determine whether something is genuine are becoming less reliable.
Neil Weller believes this makes strong governance and clear decision-making more important than ever.
“AI is not delivering value through technology alone. The organisations seeing the greatest benefit are redesigning work around it, rather than simply layering it on top of existing processes.”
The same principle applies to resilience. New tools only create value when they’re supported by the right controls, habits and behaviours.
Resilience Depends on the Fundamentals
While cyber threats continue to evolve, many successful attacks still rely on familiar weaknesses.
Stolen credentials, excessive system access and poor access controls remain among the most common pathways used by attackers. Organisations often focus on sophisticated threats, yet many incidents can be traced back to basic controls that were overlooked or inconsistently applied.
While cyber threats continue to evolve, the most effective protections are often the ones organisations apply routinely. These include:
- Limiting access to systems and information to those who genuinely need it
- Using multi-factor authentication to strengthen sign-in security
- Regularly reviewing who has access to what
- Monitoring for unusual account activity or unexpected behaviour
- Having clear processes for escalating concerns and responding quickly.
None of these measures are particularly complex. Much like resilience itself, strong cyber security is usually the result of good, regular habits.
Building a Culture of Awareness
Technology alone cannot create resilience. People remain one of the most important lines of defence.
Whether it’s identifying a suspicious email, questioning an unusual request or following established processes, individual decisions play a substantial role in reducing cyber risk.
The proliferation of publicly available AI tools has added another layer of complexity. Many employees are using AI to improve productivity, often with positive intentions. However, without clear guidance, sensitive information can be exposed or shared inappropriately.
The most resilient organisations are responding by creating clear expectations, providing approved tools and helping people understand the risks.
Most people are trying to do the right thing. The role of leadership is to ensure they have the knowledge, tools and support to do so safely.
Resilience Requires More Than Technology
One of the biggest shifts organisations are making is recognising that cyber resilience isn’t owned by IT teams alone.
Technology teams play a critical role, but resilience also depends on leadership, governance, operational planning and the decisions people make every day.
In facilities services, resilience often comes down to maintaining service continuity when conditions change. The same principle applies to cyber security. Organisations that respond most effectively are usually those that have already invested in clear processes, defined responsibilities and practical contingency planning before an incident occurs.
As Neil Weller says:
“Cyber security now sits firmly within the broader resilience agenda. It shapes how organisations protect trust, maintain operations and respond under pressure.”
Small Actions Have a Big Impact
While cyber resilience is often discussed in terms of headline-making incidents, in everyday practice, it’s strengthened through small, regular actions. Examples include:
- Reviewing access permissions regularly
- Using multi-factor authentication
- Verifying unexpected requests
- Protecting sensitive information
- Testing recovery plans
- Providing clear guidance on AI use
- Encouraging people to report concerns early.
Individually, these actions may seem routine, but together, they help organisations reduce risk, respond more effectively to disruption and maintain trust when challenges arise.
Building Resilience for the Future
As digital tools become more embedded in everyday business operations, organisations are facing a growing need to balance innovation with risk management.
The organisations best placed to succeed won’t be those that simply adopt new technology fastest. They will be the organisations that understand how technology, people and operations work together.
Resilience is built before disruption occurs. It is strengthened through clear governance, informed decision-making, practical controls and a culture where people understand their role in managing risk.
In cyber security, as in resilience more broadly, small actions taken today can make a significant difference tomorrow.
