TL;DR

Australian SMBs face a growing threat landscape — ransomware, AI-powered phishing, and supply chain attacks are escalating. A structured 12-month security awareness training program gives your team one focused topic per month, each deliverable in 15 minutes without a dedicated trainer. This outline covers phishing through to year-in-review, with learning outcomes and delivery formats ready to deploy today.

Why Monthly Beats Once-a-Year

The Australian Cyber Security Centre (ACSC) reports that small businesses account for a disproportionate share of cyber incidents, yet most run annual compliance training that employees forget within weeks. Monthly micro-sessions build muscle memory. One topic. Fifteen minutes. Done. The CrowdStrike 2025 State of SMB Cybersecurity Report found that while awareness is rising, protection posture still lags — the gap is execution, not knowledge.

A rolling monthly curriculum also means new starters can jump in at any point without waiting for an annual cycle. Each module stands alone.

The 12-Month Curriculum

January — Phishing Recognition

  • Identify common phishing indicators such as mismatched sender domains, urgent language, and suspicious attachments.
  • Distinguish phishing, spear phishing, and business email compromise (BEC) with real Australian incident examples.
  • Apply the "verify before you click" protocol: check the link, confirm the sender, and report anything suspicious.

Format: 5-minute video walkthrough of a real phishing email + 10-question quiz via your LMS or Google Forms.
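The first January outcome names three indicators that staff are expected to spot by eye. For teams that want a concrete, checkable version of the same checklist (for instance to build the quiz's "spot the indicators" answer key), the Python script below is an added example, not material from the original post or from lilMONSTER. It parses a sample message and flags a Reply-To domain that differs from the visible sender, a display name that shows a domain the real address does not belong to, pressure language, and risky attachment types. Both messages, every address and every domain in it are constructed for illustration.

```python
"""Added example for the January phishing module: a header/attachment triage
that flags the indicators the module teaches. Not from the original post; all
addresses, domains and message text below are constructed for illustration."""
import re
from email import message_from_string, policy

# Phrases the module treats as pressure tactics (extend to suit your organisation).
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "act now", "final notice")
# Attachment types that should not arrive unannounced from outside the business.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".htm", ".docm", ".xlsm", ".zip")
# Matches domain-like text inside a display name, e.g. the "example.com.au" in "hr@example.com.au".
DOMAIN_IN_NAME = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)


def first_address(msg, header):
    """Return (display_name, domain) for the first address in a header, or ('', '')."""
    hdr = msg.get(header)
    if hdr is None or not hdr.addresses:
        return "", ""
    addr = hdr.addresses[0]
    return addr.display_name, addr.domain.lower()


def body_text(msg):
    """Return the plain-text body (HTML as a fallback), or '' if there is none."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def triage(raw_message):
    """Return a list of (indicator, detail) tuples; an empty list means nothing fired.
    The indicators map onto the module's checklist: sender mismatch, urgency, attachments."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_domain = first_address(msg, "From")

    # 1. Replies are routed to a different domain than the visible sender.
    _, reply_domain = first_address(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"From {from_domain}, replies go to {reply_domain}"))

    # 2. The display name shows a domain that the real address does not belong to.
    for shown in sorted({d.lower() for d in DOMAIN_IN_NAME.findall(display_name)}):
        if shown != from_domain and not from_domain.endswith("." + shown):
            findings.append(("display-name-domain", f"name shows {shown}, address is {from_domain}"))

    # 3. Pressure language in the subject or body.
    text = f"{msg.get('Subject', '')} {body_text(msg)}".lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append(("urgent-language", ", ".join(hits)))

    # 4. Attachments of a type that commonly carries malware or credential lures.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))
    return findings


# Constructed sample: a payroll lure showing all four indicators at once.
PHISHING_MESSAGE = """From: "hr@example.com.au" <hr-notify@mail-gateway-au.net>
Reply-To: payroll.support@mailbox-reply.net
To: staff@example.com.au
Subject: URGENT: confirm your bank details within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Your account will be suspended unless you confirm your details immediately.

--sep
Content-Type: application/octet-stream; name="Payslip_October.zip"
Content-Disposition: attachment; filename="Payslip_October.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--sep--
"""

# Constructed sample: a routine internal notice that should produce no findings.
BENIGN_MESSAGE = """From: IT Service Desk <servicedesk@example.com.au>
To: staff@example.com.au
Subject: Monthly patch window this Thursday
Content-Type: text/plain; charset="utf-8"

Laptops will restart after 6pm Thursday to install updates. No action is needed.
"""

if __name__ == "__main__":
    for label, raw in (("phishing sample", PHISHING_MESSAGE), ("benign sample", BENIGN_MESSAGE)):
        findings = triage(raw)
        print(f"{label}: {'REPORT' if findings else 'no indicators'}")
        for indicator, detail in findings:
            print(f"  - {indicator}: {detail}")
```

Run it as-is and the phishing sample reports all four indicators while the internal notice reports none. The checks are deliberately simple heuristics that mirror what the module asks people to notice; they support the "verify before you click" habit rather than replace a mail filter.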

February — Passwords and MFA

  • Create and manage strong, unique passwords using a password manager rather than reusing credentials across accounts.
  • Explain how multi-factor authentication blocks over 99% of automated account compromise attacks.
  • Enrol at least one new MFA method on a work account during the session.

Format: Microlearning cards (3 cards: password hygiene, MFA setup, manager walkthrough) delivered via email or Slack.

March — Social Engineering

  • Recognise voice-based and in-person manipulation tactics including pretexting, baiting, and tailgating.
  • Respond to a live social engineering call scenario using the "pause, verify, callback" method.
  • Report a simulated social engineering attempt through your incident reporting channel.

Format: Lunch-and-learn with a live role-play exercise. Record it for absent staff.

April — Mobile Security

  • Secure work devices with screen locks, remote wipe capability, and up-to-date OS patches.
  • Identify risks from public Wi-Fi, sideloaded apps, and Bluetooth vulnerabilities (BrakTooth-class attacks remain active).
  • Separate work and personal data using mobile device management or containerised profiles.

Format: 5-minute video + checklist PDF employees pin to their desk or save to their phone.

May — Home Office Security

  • Harden a home network: change default router credentials, enable WPA3, and segment IoT devices from the work VLAN.
  • Secure physical workspace: lock screens, shred documents, and position monitors away from windows.
  • Use a VPN or zero-trust network access for all remote connections to company resources.

Format: Microlearning cards emailed weekly across the month — one card per sub-topic, each under 2 minutes.

June — Data Handling and Classification

  • Classify data into public, internal, confidential, and restricted tiers using your organisation's labelling scheme.
  • Apply correct handling procedures for each tier: encryption at rest, secure sharing links, and disposal methods.
  • Identify a data spill or misclassification and report it within the correct channel and timeframe.

Format: 5-minute scenario video ("You emailed the wrong attachment — what now?") + quiz.

July — AI Tools Safety

  • Evaluate AI tools before use: check data residency, terms of service for training-on-inputs clauses, and output reliability.
  • Avoid pasting confidential or customer data into public AI chatbots and image generators.
  • Apply the "human-in-the-loop" principle: never ship AI-generated output unreviewed, especially code or client communications.

Format: Lunch-and-learn with live demo of a safe AI workflow versus a risky one.

August — Vendor and Supply-Chain Risk

  • Assess a third-party vendor's security posture using a basic questionnaire covering encryption, access controls, and incident history.
  • Recognise supply-chain attack patterns: compromised updates, forged driver signatures, and credential harvesting through partner portals.
  • Maintain an up-to-date vendor risk register and trigger a review when a vendor reports a breach.

Format: Microlearning cards covering vendor assessment, ongoing monitoring, and breach response.

September — Physical Security

  • Control physical access: badge-in protocols, visitor logbooks, and clean-desk policies.
  • Respond to a tailgating or unidentified person in a restricted area without confrontation.
  • Secure devices and documents when leaving a desk, meeting room, or vehicle unattended.

Format: Walkthrough video filmed in your own office showing common lapses + quiz.

October — Incident Reporting

  • Identify what counts as a security incident: a lost device, a suspicious email that was clicked or replied to, software that appears without anyone having installed it, or unexpected access to an account or system.
  • Follow your incident reporting procedure step-by-step: who to call, what to document, and what not to do (don't reboot, don't delete).
  • Practise a simulated incident report from detection through to hand-off.

Format: Tabletop exercise — 15-minute scenario walkthrough in a team meeting.

November — Travel Security

  • Secure devices before travel: full disk encryption, VPN configured, remote wipe enabled, and no sensitive data on USB drives.
  • Avoid connecting to airport and hotel Wi-Fi without VPN protection.
  • Recognise targeted risks at conferences and border crossings: shoulder surfing, device confiscation, and impersonation.

Format: 5-minute video + one-page travel security checklist distributed before the holiday travel season.

December — Year-in-Review

  • Summarise the year's key incidents, near-misses, and training module outcomes for the team.
  • Identify the weakest link from the past 12 months and propose one concrete improvement.
  • Set security goals for the coming year aligned with business priorities.

Format: Lunch-and-learn retrospective with a short slide deck and an anonymous team survey rating each module.

FAQ

Do we need an LMS to deliver this? No. Google Forms, Microsoft Forms, or even a shared spreadsheet for quiz scores will work. The key is consistency, not platform cost.

What if we can't spare 15 minutes a month? Run the microlearning card formats — they're under two minutes each and can be consumed on a phone between meetings. Consistency beats duration.

Should we start in January? Start any month. The curriculum is designed as a rolling 12-month cycle, not a calendar-year requirement. Begin with whichever topic is most urgent for your team.

How do we handle new starters mid-cycle? Each module is self-contained. Point new employees to the previous month's materials as onboarding supplements, and they join the live sessions from their start date.

Conclusion

A 12-month security awareness training cycle turns cybersecurity from a once-a-year checkbox into a habit. Australian SMBs that invest 15 minutes a month in focused, practical training reduce phishing click-through rates, catch social engineering attempts earlier, and build a culture where security is everyone's job — not just IT's. Pick a month, pick a format, and start. Visit consult.lil.business for a free cybersecurity assessment tailored to your business size and industry.

References

  1. Australian Cyber Security Centre — Essential Eight
  2. CrowdStrike 2025 State of SMB Cybersecurity Report
  3. NIST SP 800-50 Rev. 1 — Building a Cybersecurity Awareness Training Program

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
