Cybersecurity Strategy
This is a Controlled Document
In line with Vaxa's governance framework, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.

| Version | Effective | Reviewed | Next review due |
|---|---|---|---|
| 1.0.0 | 2023-08-15 | 2024-09-02 | 2025-09-02 |
Introduction
Cybersecurity isn’t just about protecting systems—it’s about maintaining trust, ensuring business continuity, and safeguarding the data we’re entrusted to keep safe.
Vaxa’s cybersecurity strategy focuses on practical, high-impact measures that align security with our business operations.
We structure our approach around five key pillars: risk management, cyber detection and prevention, access and identity control, data security, and resilience and response. Each pillar provides a guiding framework for securing our business without unnecessary complexity or overhead.
Pillar #1: Risk management
Security starts with understanding risk. We take a proactive approach by identifying the most critical threats to our business—whether that’s data breaches, insider threats, phishing attacks, or system failures.
Risk assessments are an ongoing process, not a one-time exercise. We evaluate risks based on their likelihood and impact, ensuring that security measures are proportionate to the business’s size and resources. Where possible, we mitigate risks through secure architecture, strong internal practices, and cyber insurance for financial protection.
Pillar #2: Cyber detection and prevention
Our strategy prioritises early detection and proactive prevention to reduce the likelihood and impact of cyber incidents.
We implement continuous monitoring for suspicious activity, using tools that provide real-time alerts on unauthorised access attempts, malware, or data exfiltration. Prevention starts with strong authentication, secure configurations, and automated updates—ensuring our systems remain protected without manual intervention. We also use external threat intelligence to stay ahead of emerging risks.
A key part of prevention is educating our team. Cybersecurity awareness is built into our culture, ensuring that everyone understands the risks of phishing, weak passwords, and social engineering attacks.
Pillar #3: Access and identity control
Limiting access is one of the simplest and most effective ways to reduce cyber risk. We follow a zero trust approach, where access is only granted on a need-to-know basis. No system, account, or user is trusted implicitly at any link in the chain. Instead, we verify each request based on the user’s identity, device, and context before making an informed decision on whether to grant access.
Multi-factor authentication (MFA) is enforced across all critical systems, reducing the risk of compromised credentials. Administrative privileges are tightly controlled, and regular audits ensure that old or unused accounts are removed. We use role-based access control (RBAC) to define who can access what, ensuring that sensitive data is never exposed unnecessarily.
Pillar #4: Data security
As a digital business, our most valuable asset is data. Protecting it is non-negotiable.
We encrypt sensitive data both in transit and at rest, ensuring that even if data is intercepted, it remains unreadable. Backups are maintained regularly and stored securely, with an emphasis on offsite and immutable backups that can’t be altered by ransomware.
Client and business data is handled with clear security and privacy considerations, ensuring compliance with relevant regulations (e.g., Australian Privacy Act). Secure file sharing and communication methods are used to prevent accidental data leaks.
Pillar #5: Resilience and response
No security strategy is complete without a plan for when things go wrong. Cyber resilience is about ensuring the business can recover quickly from incidents while minimising disruption.
We maintain a simple but effective incident response plan, detailing how to contain, investigate, and recover from security breaches. Regular testing, including simulated phishing attacks and breach response drills, ensures that we’re prepared for real threats.
Business continuity is a priority. We ensure that critical systems and data can be restored quickly in the event of an attack, outage, or data loss. By combining strong technical defences with a well-rehearsed response plan, we build a business that can withstand and adapt to cyber threats.
Concluding statements
Cybersecurity is not just an IT function—it’s a core part of how we operate. By embedding security into every aspect of our business through risk management, cyber detection and prevention, access control, data security, and resilience, we ensure that security supports growth rather than hinders it.
This strategy evolves as the business grows, adapting to new threats and technologies while keeping security simple, effective, and aligned with business needs.