Cybersecurity Fundamentals — What It Means and Why It Matters
A plain-English guide to cybersecurity written so a high school student can understand it. What hackers actually do, how organisations defend themselves, and what Australia's government says every business should do.
What Is Cybersecurity? (The Simple Version)
Imagine your house. You have a front door with a lock. You have windows that close. Maybe a security camera. You do not leave your wallet on the front porch. Cybersecurity is the same thing — but for computers, phones, websites, and the data stored on them.
Every time you log into your email, buy something online, or use a government service, your personal information is stored on a computer somewhere. Cybersecurity is about making sure only the right people can access that information, and that nobody can steal, change, or destroy it.
The Three Things Cybersecurity Protects
Known as the "CIA Triad" — and no, it has nothing to do with spies
Confidentiality
Only the right people can see the data. Your medical records should only be visible to your doctor and you — not to a hacker in another country.
Think: Privacy
Integrity
The data has not been tampered with. When your bank says you have $500 in your account, you need to trust that nobody changed that number.
Think: Accuracy
Availability
The system works when you need it. If the tax website crashes during lodgement season, that is an availability failure.
Think: Uptime
How Attacks Actually Work
The most common ways systems get compromised — explained simply
Phishing
A fake email that looks real. "Your bank account is locked — click here to unlock it." The link goes to a fake website that steals your password. This is the number one way hackers get in — not through clever code, but by tricking humans.
In 2022, Optus (one of Australia's largest telcos) had about 9.8 million customer records exposed, and Medibank about 9.7 million. Neither was a phishing attack: the Optus data was pulled through an internet-facing API that did not require a login, and the Medibank data through stolen account credentials. They belong in this discussion because they show how much damage a single weak entry point can do. These incidents led to much larger penalties under Australia's Privacy Act and a wider push to reform privacy law.
Ransomware
Malicious software that encrypts all your files and demands payment (usually in cryptocurrency) to unlock them. Hospitals, schools, and businesses have been paralysed by ransomware.
The ASD's annual Cyber Threat Report describes ransomware as the most destructive cybercrime threat to Australian businesses. The cost of a single incident, once downtime, recovery and notification are counted, can run into millions.
Credential Stuffing
Using username/password combinations stolen from one website to try logging into other websites. If you use the same password for your email and your bank, and the email provider gets hacked — your bank is next.
This is why multi-factor authentication (MFA) is so important. Even if your password is stolen, the attacker still needs the second factor on your phone or security key. It is also why many sites now check a new password against lists of passwords already leaked in other breaches: a reused password is the raw material of this attack.
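Credential stuffing has a recognisable shape in authentication logs: one source address trying many different usernames in a short time, unlike a legitimate user who gets their own password wrong a few times. The detector below is an added example written for this guide, not code from the original page or from any product it mentions. The log format and thresholds (5 distinct usernames within 5 minutes) are assumptions chosen for illustration, and the log lines are constructed, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample authentication log (not real data). Each line is:
# <ISO timestamp> <source IP> <username> <result>
# 203.0.113.7 walks through many usernames in seconds (stuffing).
# 198.51.100.4 is one person mistyping their own password, then succeeding.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave FAIL
2024-05-01T10:00:04Z 203.0.113.7 erin OK
2024-05-01T10:00:05Z 203.0.113.7 frank FAIL
2024-05-01T10:00:06Z 203.0.113.7 grace FAIL
2024-05-01T10:03:10Z 198.51.100.4 alice FAIL
2024-05-01T10:03:25Z 198.51.100.4 alice FAIL
2024-05-01T10:03:40Z 198.51.100.4 alice FAIL
2024-05-01T10:04:02Z 198.51.100.4 alice OK
2024-05-01T10:30:00Z 192.0.2.55 bob OK
"""


def parse_line(line: str):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_credential_stuffing(lines: List[str],
                               window: timedelta = timedelta(minutes=5),
                               min_users: int = 5) -> Dict[str, List[str]]:
    """Return {ip: all usernames it tried} for every IP that attempted at
    least `min_users` distinct usernames inside any `window`-long span.
    Successful logins count too: a stuffing run that hits a reused
    password is exactly the event we most need to see."""
    by_ip = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, _ = parse_line(line)
        by_ip[ip].append((ts, user))

    flagged: Dict[str, List[str]] = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct usernames seen in the window opening at this event.
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


def compromised_accounts(lines: List[str], flagged: Dict[str, List[str]]) -> List[str]:
    """Usernames that a flagged IP logged into successfully. These need a
    forced password reset and a review of what happened after login."""
    hits = set()
    for line in lines:
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if ip in flagged and result == "OK":
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    found = detect_credential_stuffing(lines)
    print("stuffing sources:", found)
    print("accounts to reset:", compromised_accounts(lines, found))
```

The username spread is the signal, not the failure count alone: the second source fails three times and is left alone, while the first is flagged even though it only failed six times, because those six failures were against six different accounts. In production the same logic runs over a streaming window rather than a list, and the flagged account (erin here) gets its session revoked and a reset forced.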
SQL Injection
Typing specially crafted text (quotes, comment markers, SQL keywords) into a login form or search box so that the database treats your input as part of the query itself rather than as plain data. It is like writing a command inside your name and having the computer execute it. The fix is well understood: send user input to the database as separate parameters instead of gluing it into the query text.
One of the oldest and most common web attacks. Injection is still listed in the OWASP Top 10 of the most critical web application security risks.
DDoS (Distributed Denial of Service)
Flooding a website with so much fake traffic that it cannot handle real users anymore. Imagine 10 million people trying to enter a shop that fits 100.
Australian government websites and financial services have been targeted by DDoS attacks from international threat actors.
Supply Chain Attack
Instead of attacking the target directly, attackers compromise a software library or tool that the target depends on. When the target updates that library, they unknowingly install the attacker's code.
The 2020 SolarWinds attack reached thousands of organisations worldwide, including US government agencies, through a compromised update to SolarWinds' Orion monitoring software that customers installed in the normal way.
Australia's Essential Eight — The Government's Cybersecurity Playbook
What the Australian Signals Directorate says every organisation should do
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), maintains a set of mitigation strategies called the Essential Eight. Implemented properly, these eight controls block or blunt most of the common techniques attackers rely on. Non-corporate Commonwealth entities are required by the PSPF to implement them, and they are strongly recommended for everyone else.
Application Control
Only allow approved software to run on your computers. If an attacker drops malware onto a machine, it cannot execute because it is not on the approved list.
Patch Applications
Keep your software updated. When the company that made your software finds a security hole, they release a "patch" to fix it. Apply it quickly: for internet-facing software the ACSC expects patches within 48 hours when an exploit exists or the vendor rates the hole critical, and within two weeks otherwise.
Configure Microsoft Office Macro Settings
Macros are small programs embedded in Word and Excel files. Attackers hide malicious code inside them. Block macros in files downloaded from the internet, and allow them only for users with a demonstrated business need.
User Application Hardening
Turn off features you do not need. Flash is end-of-life and should be gone already; disable Java in browsers; block web advertisements, which can carry malware. This reduces the "attack surface": fewer features means fewer things an attacker can exploit.
Restrict Administrative Privileges
Not everyone needs admin access. Give people only the access they need to do their job (this is called "least privilege"), keep admin accounts separate from everyday accounts and off the internet and email, and review who holds them regularly.
Patch Operating Systems
Same as patching applications, but for Windows, macOS, and Linux themselves. Operating systems that no longer receive security updates should be replaced.
Multi-Factor Authentication
Your password alone is not enough. MFA requires a second proof of identity: a code from an authenticator app, a fingerprint, or a security key. Even if someone steals your password, they cannot get in without the second factor. Codes sent by SMS are the weakest option, and the higher maturity levels require phishing-resistant MFA such as security keys or passkeys.
Regular Backups
Make copies of your important data every day and store them somewhere an attacker on your network cannot reach or delete, such as offline media or storage that cannot be overwritten. Test that you can actually restore from them; ransomware operators routinely delete reachable backups before encrypting anything. If ransomware encrypts everything, you restore from the backup instead of paying the ransom.
Essential Eight Maturity Levels
The ACSC defines four maturity levels (0 through 3) for implementing these strategies. Think of them as difficulty levels in a game, where each level is judged against the kind of attacker it is meant to stop:
Maturity Level Zero: the strategies are not implemented, or have significant weaknesses.
Maturity Level One: partly implemented; aimed at opportunistic attackers using widely available tools and techniques.
Maturity Level Two: mostly implemented; aimed at attackers willing to invest more time and effort in a specific target. This is the level required of federal government entities.
Maturity Level Three: fully implemented; aimed at adaptive attackers who are less reliant on public tools and more likely to target weaknesses in your specific environment.
The Bigger Picture — PSPF and Australian Government Security
How cybersecurity fits into Australia's national security framework
The Essential Eight sits inside a larger framework, the Protective Security Policy Framework (PSPF), which is what actually requires government entities to implement it. The PSPF is the Australian Government's overarching security policy and covers not just cybersecurity, but also physical security (building access, CCTV), personnel security (background checks, clearances), and information security (document classification).
Six Areas the PSPF Covers
Security Governance
Who is responsible for security? Every entity must have an Accountable Authority and a Chief Security Officer.
Information Security
How is information classified and protected? Includes the Essential Eight and the Information Security Manual (ISM).
Personnel Security
Background checks, security clearances, and ongoing suitability assessments for people who access sensitive information.
Physical Security
Protecting buildings, rooms, and equipment. Secure zones, access control, CCTV, and visitor management.
Contracting & Procurement
Security requirements for third-party suppliers and service providers working with government.
Business Continuity
Planning for disruptions — natural disasters, cyberattacks, pandemics — and ensuring critical services can continue.
Global Frameworks That Align with the Essential Eight
NIST Cybersecurity Framework (CSF)
Six functions in CSF 2.0: Govern, Identify, Protect, Detect, Respond, Recover (version 1.1 had the last five). Used worldwide as a reference framework. The Essential Eight maps mostly to the "Protect" function, with regular backups supporting "Recover".
ISO/IEC 27001
The global standard for Information Security Management Systems (ISMS). Certifiable: organisations can be audited and certified against it.
SOC 2
System and Organization Controls reports, assessed against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Common for SaaS and cloud providers.
Encryption — The Lock on Your Data
How data is protected even if someone intercepts it
Encryption is the process of scrambling data so that only someone with the correct key can unscramble it. Even if a hacker intercepts encrypted data, they see meaningless gibberish.
Encryption in Transit
Protects data while it is moving between two places. When you visit a website with "https://" in the address bar, the data between your browser and the server is encrypted using TLS (Transport Layer Security).
Analogy: Putting a letter in a locked box before mailing it. Even if the postman reads the outside, they cannot see the contents.
Encryption at Rest
Protects data while it is stored on a hard drive, database, or cloud storage. AWS services like RDS and S3 can encrypt all stored data using AES-256. Note what this does and does not cover: it protects against someone walking off with the disk or reading the raw storage, but anyone (or any compromised application) with permission to query the database or read the bucket still receives plaintext. Access control and key management matter as much as the cipher.
Analogy: Keeping your valuables in a locked safe inside your house, not just behind the front door.
What You Can Do Right Now
Personal cybersecurity habits that take 5 minutes
Use a password manager
One strong, unique password for every account. You only remember one master password.
Enable MFA on everything
Email, bank, social media, university — if it offers MFA, turn it on.
Update your devices
Those annoying software update notifications fix security holes. Install them.
Think before you click
If an email asks you to "verify your account urgently" — stop. Go directly to the website instead of clicking the link.
Use HTTPS everywhere
Check for the padlock icon in your browser. Never enter passwords on a plain HTTP (non-encrypted) site. The padlock only means your connection to that site is encrypted, not that the site is genuine: phishing sites use HTTPS too, so check that the address is really the one you expect.
Back up your important files
Cloud backup (Google Drive, iCloud, OneDrive) or an external hard drive. If your laptop dies tomorrow, what would you lose?
References & Further Reading
• Australian Cyber Security Centre (ACSC) — cyber.gov.au
• ACSC Essential Eight — Essential Eight Framework
• Essential Eight Maturity Model — Maturity Model
• Protective Security Policy Framework (PSPF) — protectivesecurity.gov.au
• NIST Cybersecurity Framework — NIST CSF 2.0 (PDF)
• Blueprint for Secure Cloud — ACSC Cloud Blueprint
Platform Engineering Series
This article is Part 7 of a 9-part series.
Note: The architecture examples in this series reference LexAML, a real-world AML/CTF compliance platform. The diagrams shown are high-level representations shared for educational purposes.
This content is compiled from various industry sources, official documentation, and practical experience gained across production environments. Your experience may differ based on your organisation, tech stack, and industry context.
We are continuously developing and fine-tuning this content. If something differs from your understanding, or if you have suggestions for improvement, we would genuinely appreciate hearing from you.
Reach out: sumit@getpostlabs.io