What the Cyber Security Act 2024 means for Australian workplaces and SMEs

Simple steps for Australian employers to protect their business from cyber threats under the new law

First published on Wednesday, November 5, 2025

Last updated on Thursday, November 20, 2025

Cybersecurity is no longer just an IT issue – it’s a business issue. The Cyber Security Act 2024, recently passed in Australia, brings new rules and expectations that affect workplaces and businesses of all sizes. Here’s what employers need to know in plain language. 

Why cybersecurity matters

Cybercrime, ransomware attacks, and weak device security are growing problems. The government has introduced this law to make sure businesses are more secure, protect sensitive information, and encourage reporting of cyber incidents. 

Even if your business is small, the law signals that everyone should take cybersecurity seriously. 

Who the law affects 

  • Small and medium businesses (SMEs): Many won’t face heavy new requirements right away, unless you:

      • Sell or supply smart devices (like connected gadgets or IoT devices) in Australia.

      • Operate in or supply a critical sector (like energy, water, healthcare, or communications).

      • Have a large turnover and could be impacted by ransomware reporting rules.

  • Larger businesses or critical sectors: There are stricter rules for reporting cyber-attacks and ensuring your systems are secure.

Key points for workplaces 

  1. Smart devices need to be secure 
    If your business sells or makes connected devices, you will need to meet new security standards. 

  2. Ransomware and cyber incidents 
    Certain businesses must report ransomware payments to the government. Even if your business isn’t required to report, having a plan for cyber incidents is essential. 

  3. Sharing information safely 
    The law encourages businesses to share information about cyber incidents with the government without fear of extra penalties. 

  4. Cyber risk is a boardroom issue
    Employers and managers are expected to take responsibility for cybersecurity. This includes:

      • Reviewing risks regularly

      • Having a plan for cyber incidents

      • Ensuring employees know what to do if a cyberattack happens

What SMEs should do now 

Even if the law doesn’t apply directly, small and medium businesses should: 

  • Check whether you supply smart devices or work in critical industries. 

  • Make sure you have a basic cybersecurity plan in place. 

  • Train staff to recognize phishing emails and unsafe links. 

  • Keep software and systems updated. 

  • Understand how to report cyber incidents safely. 

The Cyber Security Act 2024 is a sign that Australia is serious about cybersecurity. For most SMEs, it doesn’t create immediate heavy legal obligations — but it does highlight the importance of protecting your business and your employees from cyber threats. 

Taking steps now will save time, money, and stress later. Cybersecurity is no longer optional — it’s a core part of running a safe, responsible business. 

Simplify your people management and stay compliant with BrightHR 

BrightHR is an end-to-end software and support services provider that equips small businesses with everything they need to transform their people management. 

With 24/7 employment relations phone advice, you can stay on top of legislation and handle tricky HR situations. Our HR policies also support employee training and onboarding, helping your business stay compliant and efficient. 

Book a free product demo today and see how BrightHR can make your HR simple. 


Alastair Brown

Chief Technology Officer
