Monday, November 17, 2025

Seven inevitable cyber threats every Australian organisation must be able to contain


Australian organisations are investing heavily in cyber security, yet most breaches still exploit simple, preventable weaknesses. The 2025 Nexon Cyber Security Report, based on penetration testing of 126 organisations across 30+ industries, identifies seven recurring vulnerabilities that attackers exploit, and explains how to fix them.

From poor password hygiene to misconfigured cloud systems, every organisation we tested had at least one vulnerability that could have been prevented with stronger foundations.

Simple mistakes leave the door ajar

Most cyber breaches do not come from advanced hacking techniques or nation-state actors. Nexon's penetration testing this year showed that attackers succeed by exploiting basic, preventable gaps that appear across every layer of the environment.

The pattern was consistent: weak credential hygiene, missing multi-factor authentication (MFA), insecure web applications, human error, perimeter gaps, flat internal networks and cloud misconfigurations.

Below are the seven common threats we found. For the full findings, including detailed statistics, staged implementation roadmaps and specific remediation guidance for each vulnerability, download the complimentary 2025 Cyber Security Report.

1. Weak passwords remain the easiest way in

Predictable and reused credentials enabled unauthorised access more often than any advanced hacking technique in our 126 penetration tests. We found 'Password123' and other predictable patterns, seasonal combinations such as 'Winter2025!', passwords based on company names, and default or hard-coded service account credentials still in widespread use.

  • 59% of passwords were only 8–10 characters long
  • 1 in 4 organisations reused passwords across accounts
  • 10% still enforced weak or outdated password policies
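The patterns named above are easy to test for once you hold a cracked password dump or a credential export from a pentest. The script below is an added example, not Nexon's tooling or code from the report: it flags the specific weak patterns the report lists (common base words with a trivial suffix, season-plus-year, company-name derivatives, short length) and computes the two metrics quoted above (share of 8–10 character passwords, and passwords reused across accounts). The account names, passwords and the company name "ExampleCorp" are constructed sample data; the 12-character threshold is an assumed policy minimum, not a figure from the report.

```python
import re

# Base words that routinely appear with a digit or symbol tacked on ("Password123").
COMMON_BASES = ("password", "welcome", "admin", "letmein", "qwerty", "changeme")
# Season + 2- or 4-digit year, optionally ending in a symbol ("Winter2025!", "Summer25").
SEASON_YEAR = re.compile(r"(spring|summer|autumn|fall|winter)(19|20)?\d{2}[!@#$%^&*.]*")


def audit_password(pw, company_names=(), min_length=12):
    """Return a list of findings for one password; an empty list means no pattern was flagged.

    min_length=12 is an assumed policy minimum used for illustration only.
    """
    findings = []
    low = pw.lower()
    if len(pw) < min_length:
        findings.append(f"shorter than {min_length} characters")
    for base in COMMON_BASES:
        # Whole string must be the base word plus only digits/symbols.
        if re.fullmatch(rf"{base}[\d!@#$%^&*]*", low):
            findings.append(f"common base word '{base}' with trivial suffix")
            break
    if SEASON_YEAR.fullmatch(low):
        findings.append("season + year pattern")
    for name in company_names:
        if name and name.lower() in low:
            findings.append(f"contains company name '{name}'")
    return findings


def summarise(credentials):
    """credentials: mapping of account name -> cleartext password (e.g. from a cracked hash dump).

    Returns the share of 8-10 character passwords and every password used by more than one account.
    """
    total = len(credentials)
    short = sum(1 for p in credentials.values() if 8 <= len(p) <= 10)
    by_password = {}
    for account, pw in credentials.items():
        by_password.setdefault(pw, []).append(account)
    reused = {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}
    return {
        "pct_8_to_10_chars": round(100 * short / total) if total else 0,
        "reused": reused,
    }


# Constructed sample credential export; not real data.
SAMPLE_CREDENTIALS = {
    "svc_backup": "Password1",
    "j.smith": "Winter2025!",
    "a.jones": "Winter2025!",
    "m.lee": "Examplecorp1",
    "svc_monitor": "correct-horse-battery-staple",
}
SAMPLE_COMPANY_NAMES = ("ExampleCorp",)  # constructed; substitute the client's real names


if __name__ == "__main__":
    for account, pw in SAMPLE_CREDENTIALS.items():
        print(f"{account:12} {audit_password(pw, SAMPLE_COMPANY_NAMES) or ['ok']}")
    print(summarise(SAMPLE_CREDENTIALS))
```

Run it against the cleartext portion of a cracked dump; the `reused` map points directly at accounts sharing a password, which is where a single phished credential becomes lateral movement.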

2. Multi-factor authentication gaps expose accounts

Even with strong passwords in place, attackers often found authentication endpoints without enforced MFA or with challenge flows that could be bypassed. We found that nearly 1 in 10 web applications did not enforce MFA, that some cloud admin accounts were exempt from MFA, and that privileged accounts, including executives and automated service accounts, were commonly exempt from MFA.

  • MFA was missing or misconfigured in 9% of web applications, 5% of perimeter services and 3% of cloud admin accounts

3. Web application housekeeping flaws create real risks

Everyday mistakes, not complex attacks, are the biggest cause of web and API weaknesses. Attackers often chain minor issues, such as misconfigured parameters or outdated dependencies, to find a way in.

  • 63% of web applications had at least one security misconfiguration
  • 64% of APIs lacked critical controls

4. People remain the most exploitable entry point

Phishing and social engineering were the most reliable methods for attackers to gain initial access in our simulations. Once attackers got in through people, inadequate internal access controls and network segmentation made escalation easy. Many of these attacks went undetected until our team reported them.

  • 83% of phishing attempts in simulated attacks gained credentials
  • 72% of engagements escalated to domain admin within days
  • 60% of simulated attacks went undetected by monitoring teams

5. External perimeters still have openings

Fewer direct perimeter break-ins occurred this year than in previous years, but simple methods, such as weak passwords and missing two-factor logins, still let attackers in. In many cases, a single overlooked system was enough to give attackers access.

  • 5% of external-facing services had no two-factor login
  • 8% of organisations had weak or outdated encryption

6. Flat internal networks give attackers the keys

Once attackers were inside, they often found wide-open networks. Weak protocols, exposed file shares and poor system separation made it easy to move laterally and gain full control.

  • 72% of engagements reached domain admin control, giving attackers the keys to everything

7. Cloud misconfigurations create big risks from small gaps

Most cloud breaches stemmed from insecure default configurations, not advanced attacks. Excessive permissions, poor login controls and dangerous defaults left sensitive data and accounts exposed in many environments.

  • 6% of cloud setups left unsafe default settings in place
  • 4% used outdated or weak login methods

A structured approach to addressing these gaps

Addressing these foundational gaps removes the majority of exploitable weaknesses. There is no point investing in advanced security tools if attackers can still walk in through weak passwords or missing MFA.

Nexon's three-stage cyber security framework provides a structured approach: Get Secure by putting the right foundations in place, Stay Secure through continuous monitoring and incident response, and Don't Get Caught Out by proactively testing and strengthening defences against evolving threats.

Leveraging Microsoft technologies, Nexon delivers a strategic, end-to-end approach to cyber security, combining certified expertise, proven processes and advanced solutions to strengthen digital resilience.

The complimentary 2025 Nexon Cyber Security Report provides detailed remediation roadmaps, implementation guides and specific actions to address each threat. Download your copy to see where your organisation may be exposed and how to close those gaps.

For more information about penetration testing, security assessments and addressing these common vulnerabilities, contact us at nexon.com.au/nexon-cyber.


Reference: 1. Nexon, 2025 Nexon Cyber Security Report
