TL;DR

Most Australian SMB breaches start with a person clicking something they shouldn't have. This 12-month curriculum delivers one 15-minute training module per month — no dedicated trainer, no expensive platform, no disruption to operations. Each module includes 3 measurable learning outcomes and a delivery format that fits a busy small business: video + quiz, lunch-and-learn, or a microlearning card pinned to the kitchen noticeboard.


Why Your 10–50 Person Business Needs a Training Rhythm, Not a One-Off

The ACSC's Annual Cyber Threat Report consistently flags phishing, business email compromise, and credential theft as the top threats facing Australian organisations. Guardz telemetry shows credential-theft events surged 160% in 2025, and over 80% of SMB breaches now stem from compromised passwords or stolen session tokens. A single annual "cyber induction" doesn't stick — your team needs a monthly cadence that builds muscle memory.

The curriculum below is designed for businesses without a dedicated security trainer. Each session takes 15 minutes. Rotate delivery between the office manager and a team lead, or simply press play on a video.



The 12-Month Rolling Curriculum

January — Phishing: Spot the Hook Before You're Caught

Why it matters: 91% of cyberattacks still begin with a phishing email. AI-generated phishing (deepfake voicemail, flawless grammar) has made traditional "look for typos" advice obsolete.

  • Learning outcomes:
    • Identify the 3 telltale signs of a modern phishing email (urgency triggers, domain mismatches, unexpected attachment requests).
    • Demonstrate the "stop-and-verify" protocol: forward to IT or call the sender on a known number before clicking.
    • Distinguish between a legitimate MFA push and a push-bombing attack designed to fatigue the recipient.
  • 15-minute format: Video + 5-question quiz. Use the ACSC's free "Stay Smart Online" phishing awareness video followed by a team discussion about the last suspicious email anyone received.
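
The three telltale signs above (domain mismatches, urgency triggers, unexpected attachment requests) can be turned into a small checker that the office manager can run over a suspicious message before the team discussion. The following is an added example and not part of the original article or any ACSC material; the two messages, the trusted-domain list and the phrase lists are constructed for the example, and `.example` domains are reserved placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this business genuinely receives mail from (constructed list for the example).
TRUSTED_DOMAINS = {"acmebank.example", "ourcompany.example"}

# Phrases that try to short-circuit the "stop and verify" reflex.
URGENCY_PHRASES = ("urgent", "immediately", "24 hours", "suspended", "final notice", "verify now")

# Requests to open something the recipient was not expecting.
ATTACHMENT_PHRASES = ("open the attached", "see attached", "download the attachment")

DOMAIN_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", re.IGNORECASE)


def registrable(domain: str) -> str:
    """Crude registrable domain: the last two labels (enough for these examples)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def looks_alike(domain: str, trusted: str) -> bool:
    """Same name once hyphens and common digit-for-letter swaps are removed, but not identical."""
    def norm(d):
        return d.lower().replace("-", "").translate(str.maketrans("01", "ol"))
    return domain.lower() != trusted.lower() and norm(domain) == norm(trusted)


def _text_of(msg) -> str:
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when it is not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks)


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(from_addr.rpartition("@")[2]) if "@" in from_addr else ""

    # 1. Domain mismatches: display name, Reply-To, and lookalikes of domains we trust.
    for mentioned in DOMAIN_RE.findall(display):
        if registrable(mentioned) != from_domain:
            findings.append(f"display name mentions {mentioned} but the mail comes from {from_domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to and registrable(reply_to.rpartition("@")[2]) != from_domain:
        findings.append(f"Reply-To goes to {reply_to} rather than the sender's domain {from_domain}")
    for trusted in TRUSTED_DOMAINS:
        if looks_alike(from_domain, trusted):
            findings.append(f"sender domain {from_domain} is a lookalike of trusted domain {trusted}")

    # 2. Urgency triggers in subject or body.
    text = (msg.get("Subject", "") + " " + _text_of(msg)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 3. Requests to open an attachment the recipient was not expecting.
    if any(p in text for p in ATTACHMENT_PHRASES):
        findings.append("asks the recipient to open an attachment")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Acme Bank Security - acmebank.example" <alerts@acme-bank.example>
Reply-To: acmebank.support@mail-relay.example
Subject: URGENT: your account will be suspended in 24 hours

Open the attached statement and verify now to keep your account active.
"""

SAMPLE_LEGIT = """\
From: Acme Bank <noreply@acmebank.example>
Subject: Your March statement is available

Your statement is ready in online banking. Log in as usual to view it.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_PHISH), ("legitimate", SAMPLE_LEGIT)):
        print(f"{name}: {phishing_indicators(sample) or ['no indicators']}")
```

The checker is deliberately a list of findings rather than a verdict: the training point is that any single finding triggers the stop-and-verify protocol, so the discussion should centre on which indicator people noticed first, not on a score.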

February — Passwords & MFA: Your First and Best Defence

Why it matters: Credential theft is the lowest-barrier attack vector. MFA blocks 99.9% of automated account compromises, yet SMB adoption in Australia still lags.

  • Learning outcomes:
    • Explain why "Password123!" fails even if it meets complexity rules (credential stuffing doesn't care about your exclamation mark).
    • Enrol every staff member in a password manager and generate one unique passphrase during the session.
    • Recognise the difference between legitimate MFA prompts and MFA fatigue attacks — and know to report repeated unsolicited pushes immediately.
  • 15-minute format: Lunch-and-learn. Demo a password manager, walk through MFA enrolment on phones, and order pizza. Everyone leaves with MFA active on email.
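
To make the first learning outcome concrete, here is an added example (not from the original article) that puts the classic complexity rule beside a length-plus-breach-list policy of the kind NIST SP 800-63B recommends. The breached-word set and the passphrase wordlist are tiny constructed stand-ins; a real deployment would screen against a full breached-password corpus.

```python
import re
import secrets

# Constructed sample of base words that appear in every credential-stuffing wordlist.
# A real check would use a full breached-password corpus; this set is for illustration only.
COMMON_BREACHED = {"password", "welcome", "qwerty", "letmein", "summer", "football"}

# Constructed mini wordlist for passphrase generation; a real one has thousands of entries.
WORDLIST = ["copper", "harbour", "kettle", "lantern", "meadow", "orbit",
            "pelican", "quartz", "ribbon", "saddle", "tundra", "violet"]

# Character swaps that wordlists already account for, so they add no strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_complexity(pw: str) -> bool:
    """The classic 'upper + lower + digit + symbol, 8+ chars' rule."""
    return all([
        len(pw) >= 8,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ])


def normalise(pw: str) -> str:
    """Reduce a password to the base word a stuffing wordlist would list it under."""
    base = pw.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)  # drop bolted-on leading/trailing digits and symbols
    return base.translate(LEET)                    # undo common character swaps


def is_breached_variant(pw: str) -> bool:
    return normalise(pw) in COMMON_BREACHED


def evaluate(pw: str) -> tuple[bool, str]:
    """Length-plus-breach-list policy instead of composition rules."""
    if is_breached_variant(pw):
        return False, "variant of a commonly breached password"
    if len(pw) < 14:
        return False, "shorter than 14 characters"
    return True, "accepted"


def generate_passphrase(words: int = 4) -> str:
    """Random passphrase from the wordlist, using the secrets module rather than random."""
    return "-".join(secrets.choice(WORDLIST) for _ in range(words))


if __name__ == "__main__":
    for candidate in ("Password123!", "P@ssw0rd!", "correct-horse-battery-staple", generate_passphrase()):
        print(f"{candidate!r:40} complexity={meets_complexity(candidate)!s:5} policy={evaluate(candidate)}")
```

The contrast is the teaching point: "Password123!" satisfies every complexity rule and is still rejected because it normalises to "password", while a four-word passphrase fails the complexity rule and is still the stronger choice. The same normalisation step is what the password manager demo in the session replaces with a generated, unique passphrase per site.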

March — Social Engineering: When the Attacker Bypasses the Tech

Why it matters: The Karakurt ransomware syndicate employed a dedicated "cold case negotiator" who weaponised stolen personal data — including children's medical records — to coerce victims into paying ransoms. Social engineering is psychological warfare, not technical hacking.

  • Learning outcomes:
    • Name the four social engineering levers: authority, urgency, familiarity, and fear — and give a real example of each.
    • Practise a scripted response to an unsolicited phone call requesting sensitive information ("I'll call you back on the published number").
    • Identify pretexting attacks: someone claiming to be from IT, a supplier, or a regulator requesting credentials or system access.
  • 15-minute format: Role-play scenarios in pairs (5 min role-play, 10 min group debrief). The "attacker" uses one of the four levers; the "target" practises the scripted refusal.

April — Mobile Security: The Office in Your Pocket

Why it matters: SMB staff use personal phones for work email, Teams, and file access — sometimes without a PIN. A lost or stolen device with unlocked corporate access is a data breach in someone's handbag.

  • Learning outcomes:
    • Enable device encryption and a minimum 6-digit PIN or biometric lock on every device accessing work data.
    • Identify risky app behaviours: clipboard access, contact harvesting, and excessive permission requests on mobile apps.
    • Report a lost or stolen device within 30 minutes using the company's designated reporting channel (Slack, Teams, or SMS to manager).
  • 15-minute format: Microlearning card (one-page PDF printed and laminated) with a 5-step checklist. Distribute Monday morning; team lead confirms all devices pass by Friday.

May — Home Office & Remote Work Security

Why it matters: SMBs with hybrid staff often have zero visibility into home network security. Default ISP router passwords, unpatched firmware, and family members sharing work devices create a threat surface the office firewall never sees.

  • Learning outcomes:
    • Change the default admin password on the home router and check for firmware updates during the session.
    • Separate work and personal device usage — no shared family tablets running company email.
    • Secure the physical workspace: lock screen when stepping away, no work calls on speakerphone in cafes, shred printed documents at home.
  • 15-minute format: Video + quiz. CISA's "Telework Essentials" video (free on YouTube) followed by a 5-question self-assessment checklist each staff member completes.

June — Data Handling & Classification

Why it matters: The Notifiable Data Breaches scheme applies to businesses with an annual turnover of $3 million or more, but every SMB holding customer data has reputational and contractual obligations. Staff need to know what's sensitive before they can protect it.

  • Learning outcomes:
    • Classify data into three buckets: public, internal, and confidential — with a clear example of each from daily workflows.
    • Apply the "need-to-know" principle: only share confidential data with colleagues who require it for their role.
    • Securely dispose of confidential data: shred paper documents and permanently delete digital files (not just move to the recycle bin).
  • 15-minute format: Lunch-and-learn with real examples. Project three sample documents on screen; group classifies each, debates edge cases, and agrees on handling rules.

July — AI Tools Safety: ChatGPT, Copilot, and the Shadow IT Problem

Why it matters: Staff are pasting sensitive customer data, contract terms, and proprietary code into free AI tools without understanding where that data goes. A Salesforce Marketing Cloud vulnerability in 2026 demonstrated how cross-tenant data exposure is real — your AI prompt history is not private.

  • Learning outcomes:
    • Identify what constitutes "sensitive data" that must never be pasted into a public AI tool: customer PII, financials, source code, legal documents, and login credentials.
    • Use the "scrub before you prompt" technique: remove names, account numbers, and identifiers before asking an AI for help.
    • Verify AI-generated outputs before acting on them — AI confidently invents facts, and a hallucinated invoice number can cause real financial damage.
  • 15-minute format: Microlearning card pinned to every desk. Front: "Before you paste into AI, ask: Would I print this on a billboard?" Back: the 5 data types to never share.
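
The "scrub before you prompt" technique can be scripted so that staff paste the scrubbed text into the AI tool and put the real values back into the answer afterwards. This is an added example, not code from the original article: the prompt text, the customer name, the account ID and the phone and card numbers are constructed (4111 1111 1111 1111 is a well-known test card number), and the phone pattern covers Australian formats only.

```python
from __future__ import annotations

import re

# Pattern-detectable identifiers. Order matters: e-mails first so their digits are never
# mistaken for phone numbers, and phones before the long digit runs of card numbers.
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "PHONE": re.compile(r"(?:\+61\s?|\b0)[2-478](?:[ -]?\d){8}\b"),  # Australian formats
    "CARD": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),                  # 13-19 digits, Luhn-checked below
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs (order numbers, timestamps) are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub(text: str, known_terms: dict[str, str] | None = None) -> tuple[str, dict[str, str]]:
    """Replace identifiers with numbered placeholders. Returns (scrubbed text, placeholder -> original)."""
    known_terms = known_terms or {}
    mapping: dict[str, str] = {}   # placeholder -> original value
    reverse: dict[str, str] = {}   # original value -> placeholder
    counts: dict[str, int] = {}

    def placeholder(kind: str, value: str) -> str:
        if value not in reverse:
            counts[kind] = counts.get(kind, 0) + 1
            reverse[value] = f"[{kind}_{counts[kind]}]"
            mapping[reverse[value]] = value
        return reverse[value]

    # 1. Identifiers no regex can guess: customer names, account IDs, project code names.
    for term, kind in sorted(known_terms.items(), key=lambda kv: -len(kv[0])):
        if term in text:
            text = text.replace(term, placeholder(kind, term))

    # 2. Structured identifiers found by pattern.
    for kind, pattern in PATTERNS.items():
        def _sub(m: re.Match, kind=kind) -> str:
            value = m.group(0)
            if kind == "CARD" and not luhn_ok(re.sub(r"\D", "", value)):
                return value  # a digit run that is not a card number: keep it
            return placeholder(kind, value)
        text = pattern.sub(_sub, text)
    return text, mapping


def restore(text: str, mapping: dict[str, str]) -> str:
    """Put the originals back into the AI's answer once it is back on your own machine."""
    for ph, value in mapping.items():
        text = text.replace(ph, value)
    return text


# Constructed example prompt and the identifiers the staff member knows are in it.
SAMPLE_PROMPT = ("Draft a polite reply to Jane Citizen (jane.citizen@example.com, 0412 345 678) "
                 "about account ACC-778812: the card 4111 1111 1111 1111 was charged twice, "
                 "see order 1234 5678 9012 3456.")
KNOWN = {"Jane Citizen": "NAME", "ACC-778812": "ACCOUNT"}

if __name__ == "__main__":
    scrubbed, mapping = scrub(SAMPLE_PROMPT, KNOWN)
    print(scrubbed)
    print(restore(scrubbed, mapping))
```

The mapping stays on the staff member's machine; only the placeholder text leaves the business. Names and internal IDs have to be supplied by the person writing the prompt, which is the habit the microlearning card is trying to build: before pasting, ask what in this text identifies a real person or account.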

August — Vendor & Supply Chain Security

Why it matters: The 2025 Heathrow airport check-in disruption was caused by a third-party software vendor — not the airline. Supply chain attacks have doubled year-on-year in SMB environments. Your business is only as secure as the weakest vendor with access to your systems.

  • Learning outcomes:
    • Identify at least 3 third-party services or vendors that have access to company data or systems.
    • Verify the identity of any vendor requesting remote access — phone callback to a known number, not the number in the email.
    • Report suspicious vendor behaviour: unusual login times, requests for elevated access, or files shared outside normal channels.
  • 15-minute format: Video + quiz. Use the OAIC's supply chain risk awareness materials, followed by a team discussion listing every vendor with access and whether that access is still necessary.

September — Physical Security: The Office Is Still a Target

Why it matters: Tailgating, unattended unlocked workstations, and visitor sign-in sheets that nobody checks are universal SMB vulnerabilities. A breach doesn't need a zero-day exploit if someone can simply walk in and plug in a malicious USB.

  • Learning outcomes:
    • Challenge unfamiliar faces in the office with a polite, scripted question: "Hi, who are you visiting today?"
    • Lock screens every time you step away — demonstrate the muscle memory of Windows+L or Control+Command+Q.
    • Report unaccompanied visitors, propped-open doors, and unattended devices in public areas immediately.
  • 15-minute format: Walkthrough audit. The team lead walks the office with the group, spotting unlocked screens, unsecured server rooms, and tailgating opportunities. Count the findings; commit to zero next month.

October — Incident Reporting: If You See Something, Say Something

Why it matters: The difference between a contained incident and a multi-week breach is often the time between detection and reporting. Staff who hesitate because they fear blame are the single biggest delay factor in SMB incident response.

  • Learning outcomes:
    • State the company's incident reporting procedure from memory: who to contact, which channel to use, and the expected response time.
    • Identify what qualifies as a reportable incident: suspicious emails, missing devices, unexpected system behaviour, unauthorised access attempts, and data sent to the wrong recipient.
    • Practise a blameless reporting script that removes fear of repercussions: "I'm reporting this because it's the right thing to do, not because I'm in trouble."
  • 15-minute format: Role-play a mock incident. One staff member "discovers" a phishing email they clicked; they report it using the real procedure, receive a supportive response, and the group times how long the process takes.

November — Travel Security: Borders, Wi-Fi, and Device Seizure

Why it matters: Australian business travellers face device search powers at international borders, hotel Wi-Fi that's trivially spoofed, and credential theft from public charging stations (juice jacking). A single compromised device returning to the office network is a bridgehead for attackers.

  • Learning outcomes:
    • Use a VPN on all public Wi-Fi and avoid accessing sensitive company data on hotel or airport networks.
    • Never plug an untrusted USB cable or public charging station into a work device — carry a power-only USB condom or use a power bank.
    • Understand border search powers: know that customs officials in many countries can demand device passwords, and plan accordingly by travelling with a clean, loaner device if handling sensitive material.
  • 15-minute format: Microlearning card distributed with travel approval forms (or a week before any booked business travel). 5-point checklist: VPN, loaner device, power bank, disable auto-connect Wi-Fi, and IT contact number saved offline.

December — Year-in-Review: What We Learned and What We'll Improve

Why it matters: Training without reflection doesn't stick. A December review session reinforces the year's lessons, celebrates wins, and sets the baseline for next year's curriculum.

  • Learning outcomes:
    • Each staff member shares one security lesson that changed their behaviour in the past 12 months.
    • Identify the top 3 threats most relevant to the business's actual risk profile (based on incidents, near-misses, and industry trends), and vote on next year's training priorities.
    • Commit to one personal security habit for the new year — written on a sticky note and stuck to their monitor.
  • 15-minute format: Lunch-and-learn with a whiteboard. Group maps the year's wins (phishing reported, MFA enrolled, incidents contained) and votes on the topic they want covered deeper next year. Order pizza; celebrate the fact you didn't end up in the ACSC report.

FAQ

Q: We don't have a dedicated IT person. Who delivers the training? The office manager or a team lead can facilitate most sessions. The video + quiz format requires nothing more than pressing play and distributing a link. Role-play modules work best with someone confident facilitating discussion, but there's no technical expertise required — the scripts are provided.

Q: How do we prove compliance if a client or insurer asks? Maintain a simple spreadsheet: date, topic, attendance list, and quiz scores. Keep the completed microlearning cards or signed session sheets in a folder. For businesses subject to ISO 27001 or SOC 2 Type II, this log doubles as your evidence of ongoing security awareness training.

Q: What if staff complain 15 minutes is too long? The microlearning card format is a 5-minute read. Print it, pin it near the kettle, and discuss it in the Monday stand-up. The point is consistency — 5 minutes every month for a year is infinitely better than a 2-hour session nobody remembers.

Q: Are these topics aligned with the Essential Eight? Yes. Phishing and MFA map directly to Maturity Level One. Application control and patching strategies should be handled as technical controls by whoever manages your IT — but staff awareness of why those controls exist dramatically reduces workaround attempts.


Conclusion

A 12-month security awareness programme doesn't need a dedicated trainer, a six-figure platform, or a week of downtime. It needs 15 minutes, 12 times a year, with content that's relevant to how your staff actually work. The curriculum above is free to implement and built around the threats Australian SMBs face right now — credential theft, AI-driven phishing, supply chain compromise, and the blurry line between home and office security.

Start this month. Pick the topic that matches today's date, print the microlearning card, and put it in front of your team. The best time to build a security culture was last year. The second-best time is Monday morning.

Get expert help implementing your training programme: Visit consult.lil.business for a free 30-minute cybersecurity posture assessment tailored to your SMB.


References

  1. ACSC Annual Cyber Threat Report
  2. CISA — More Than a Password: MFA Awareness Materials for SMBs
  3. OAIC — Notifiable Data Breaches Scheme: What You Need to Know
  4. Guardz — 2025 SMB Cybersecurity Landscape Report
  5. SentinelOne — The Good, the Bad and the Ugly in Cybersecurity (Week 19, 2026)

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.