At our recent STN Cyber Forum, GNGB’s very own Ross Daws sat down with David Stocks of Germane Advisory to explore cyber incidents and how organisations can strengthen their response capability.
Guest speaker David Stocks of Germane Advisory brought valuable insights from his extensive experience supporting organisations through high-pressure, real-world cyber events.
Why Incident Response Still Matters
Cyber adversaries are evolving fast. But as David highlighted, many large-scale incidents still trace back to basic failure points: misconfiguration, weak credential hygiene, unmonitored lateral movement and absent forensic readiness. The fundamental message: resilience isn’t built on novelty; it’s built on discipline.
The Risk from the Inside
Once an actor gains initial access, the race is on. David’s investigations consistently found:
- Broad internal networks with limited segmentation allowed rapid lateral spread.
- Secret keys, credentials and tokens hidden in code or repositories provided escalation paths.
- Poor visibility into internal traffic hindered early detection.
For the STN ecosystem this means: don’t treat internal networks as low-risk. Apply the same rigor you use for external assets.
Evidence Preservation
A recurring theme in the discussion: forensic readiness is often an afterthought. Cloud automation, ephemeral workloads and poorly defined logging regimes all meant that reconstructing a forensic timeline went from “urgent” to “impossible” once an incident erupted, because the evidence had already been overwritten, scaled away or never collected.
You cannot respond properly if you cannot prove what, when, and how the compromise occurred.
Leadership and Decision-Making Under Pressure
One of the key messages was this: when an incident occurs, speed matters. But clarity of authority and a pre-agreed decision-making framework matter even more than speed.
David emphasised that organisations which had clear, pre-approved triggers for isolation, engaging external counsel, forensic engagement or public disclosure consistently fared better. In contrast, those that debated these decisions in real time suffered from threat escalation and longer recoveries.
Five Practical Steps for the STN Ecosystem
To translate these insights into action, Ross and David set out five practical steps aligned with our ecosystem’s specific environment:
- Map, test, segment – Know your asset inventory including internal systems, test for hidden credentials, and institute internal network segmentation.
- Secrets management – Move from ad-hoc storage of tokens/keys to vault systems, rotate credentials and monitor usage.
- Forensic readiness – Design and test logging, retention, chain-of-custody and incident isolation plans as a core part of cybersecurity operations.
- Decision-frameworks – Pre-define who has authority for containment, communication, recovery and regulatory engagement so you’re ready before the event.
- Board-level reporting – Provide the board and senior leadership with periodic incident-response capability updates: “What if we were breached tomorrow? And what is our 0-48 hour plan?”
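The first two steps above (testing for hidden credentials, then moving secrets into a vault and rotating them) start with finding the secrets that are already sitting in code and configuration, which is exactly the escalation path David’s investigations kept turning up. The script below is an added example, not GNGB’s or Germane Advisory’s code, showing how such a scan works: a few format-specific regexes for well-known key shapes, an allowlist for obvious placeholders, and a Shannon-entropy check that flags long random-looking strings without reporting every identifier. The patterns, the entropy threshold and the sample file are constructed for illustration (the AWS key is AWS’s documented example value, not a live credential) and should be tuned to the credential formats your own environment issues.

```python
"""Scan source or config text for hard-coded credentials.

Added example, not GNGB's or Germane Advisory's code. The detector patterns,
thresholds and the sample file below are constructed for illustration;
tune them to the credential formats your own ecosystem issues.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# Format-specific detectors for well-known credential shapes.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # name = "value" or name: "value" where the name hints that it is a secret
    "secret_assignment": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"\s]{8,})['"]"""
    ),
}
# Long base64/hex-looking runs are only reported when their entropy is high,
# which separates random keys from ordinary identifiers and hostnames.
HIGH_ENTROPY = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; constructed threshold, tune per corpus
# Placeholder values that should never be reported.
ALLOWLIST = {"changeme", "example", "placeholder", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep enough of the value to locate it in the file, never the whole secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per detected credential, with its line number and type."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()  # raw values already reported on this line
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value.lower() in ALLOWLIST:
                    continue
                seen.add(value)
                findings.append({"line": lineno, "type": name, "value": redact(value)})
        for m in HIGH_ENTROPY.finditer(line):
            value = m.group(0)
            # Skip runs already covered by a format-specific detector.
            if any(value in s or s in value for s in seen):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(
                    {"line": lineno, "type": "high_entropy_string", "value": redact(value)}
                )
    return findings


# Constructed sample file. The AWS key is the documented example value and
# none of these strings are real credentials.
SAMPLE = """\
# config.py
DB_HOST = "db.internal"
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "s3cr3t-t0k3n-d0-n0t-c0mm1t"
SIGNING_KEY = "k7Qx2mP9vL4sW8nR1tY6bH3cJ5dF0gZaEuIoApSy"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']:>3}  {f['type']:<20} {f['value']}")
```

Run against the sample, the scan reports the AWS key, the API token, the high-entropy signing key and the private-key header, and stays silent on the `changeme` placeholder. In practice this runs as a pre-commit hook or a CI check over the diff, and a hit should trigger rotation rather than a quiet history rewrite: once a secret has been committed it has to be treated as exposed. The entropy threshold is the knob to watch; set it too high and short human-chosen passwords slip through, too low and every long hostname becomes a finding.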
Looking Ahead
As we move into a transformative phase for the superannuation data and payments ecosystem, including the rollout of Payday Super and the continuing growth of real-time transactions, it’s clear that cyber-resilience cannot be reactive.
The ecosystem must shift to preparation, rehearsal and continuous improvement. At GNGB, we will keep facilitating this shift through further forums, targeted peer-sharing workshops, and multiple opportunities each year for organisations to test their response plans.