Australia’s New Cyber Plan Puts Staff Training Front and Centre
The federal government has released the Horizon 2 action plan for the national cyber security strategy, and it’s a meaty one. As reported by iTnews, the plan would give telcos and cloud providers the ability to block cyber threats upstream — before they ever reach Australian networks — alongside a review of subsea cable protections. Tucked in among the big-ticket items is the one most workplaces will actually feel: a minimum standard of cyber security training, to be written into Australian Signals Directorate standards.
The plan’s language is blunt: workers are to be “our first line of cyber defence, our ‘human firewall’”. And cyber security minister Tony Burke’s framing matters for anyone who supplies government or critical infrastructure. Horizon one put locks on the front door, he said — horizon two is about the supply chain. “We are now locking the windows.”
For not-for-profits, that’s the bit to pay attention to. NFPs delivering government-funded services sit squarely inside that supply chain, and requirements like this rarely stay in Canberra. They flow down into procurement rules and grant agreements. Funders already ask about data handling; a published minimum training standard gives them something concrete to demand — and a box you’ll need to tick.
Our advice: don’t wait to be told. Run regular security awareness training for staff and volunteers now, and keep evidence of who’s completed it. When a funder asks, “yes — here’s the report” beats a scramble.
All IT runs managed security awareness training with phishing simulations and automated reporting, and we work with not-for-profits across Australia on exactly this kind of funder-ready evidence.
