In February 2026, the Federal Court ordered FIIG Securities to pay $2.5 million after a cyber attack exposed 18,000 clients and saw 385 gigabytes of data stolen. The case was a first for ASIC: civil penalties were imposed for cyber security failures under the general Australian financial services licence obligations. Among the failures ASIC identified was a basic one: FIIG had not provided mandatory cyber security awareness training to its staff.
The message to Australian boards was clear. Staff cyber capability is no longer simply good practice. It is an obligation a regulator will enforce, an exposure an insurer will price, and increasingly a condition that customers and partners expect organisations to evidence. The single control most organisations rely on to meet that expectation is cyber security awareness training. The difficulty is that the training most of them have was not built for the environment they now operate in.
The moment, however, looks very different from the way it did twelve months ago. Risk no longer arrives inside well-defined organisational perimeters, and staff now need to be able to recognise risks that arrive wrapped in regulatory framing they may not understand, or routed through a supplier relationship the organisation does not control. Most awareness training has not kept up: it is still focused on recognising familiar threats and following basic hygiene, while the threats most likely to land inside complex organisations now look nothing like that. For organisations operating in regulated environments or with significant supplier exposure, this is where the training program stops contributing to cyber posture and starts producing completion certificates while the actual risk continues to accumulate.
Generic training does not prepare staff for the obligations that govern their decisions
Most organisations subject to cyber security frameworks understand them at a governance level. APRA CPS 234, the Essential Eight, ISO 27001, the Notifiable Data Breaches scheme: these are reviewed by auditors, signed off by directors, and treated as the cyber posture the business is held to. What is rarely considered is that the frameworks make specific demands of the staff who handle data, identity, and access every day, and that generic awareness training was not designed to translate those demands into the operational moments where they matter.
Take an APRA-regulated insurer as an example. CPS 234 requires the entity to maintain an information security capability that matches the threats it faces, including the skills and awareness of its people, and to be able to demonstrate that capability to the Australian Prudential Regulation Authority (APRA). When a claims officer at that insurer receives an MFA approval prompt from someone claiming to be IT, what happens next is a CPS 234 control event. Their response determines whether the organisation’s access management capability holds in practice, and whether the evidence base it must maintain for APRA remains intact. Generic training that teaches them to “be cautious of suspicious requests” has not equipped them to recognise that this specific request is the one their organisation must demonstrate it handled correctly.
The obligation sits at the framework level, but the fulfilment sits in a specific staff moment. Generic awareness training operates above one and below the other, training staff in good general habits while leaving the framework-specific moments structurally unaddressed.
The test for any organisation accountable to a regulatory framework is straightforward: does your awareness training map to the specific obligations of the framework you are held to, or does it teach good general practice that may or may not satisfy your auditor when tested?
Staff trained to suspect strangers cannot always recognise familiar threats
Most cyber security awareness training prepares staff to defend the organisation against threats from the outside. The challenge is that a meaningful share of cyber risk now arrives through the inside, carried by suppliers, software vendors, and partners whose own cyber posture the organisation does not control.
This is a gap that generic awareness training is not structurally designed to close. Phishing recognition is built on the principle of suspicion toward the unfamiliar, but supply chain threats arrive through familiar contacts.
An accounts payable officer who has been trained to scrutinise unsolicited emails has not been trained to scrutinise a routine invoice from a vendor she has paid every month for three years, even when that vendor’s email environment has been quietly compromised and the bank details on the invoice have been changed. The training works against the wrong instinct.
Awareness training must do more than teach staff to spot the unfamiliar; it has to teach them to question the familiar, and to recognise when a trusted relationship is the carrier of risk rather than the absence of it. In complex operating environments where the perimeter no longer holds, this is the capability that separates a training program contributing to cyber posture from one that records attendance while exposure builds.
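The compromised-vendor invoice scenario above, as an added example that is not part of the original post and not Cyber Audit Team's code: a payment-review check that compares a familiar vendor's invoice against the vendor master record rather than against how familiar the sender looks. Vendor names, domain, BSB and account values are constructed; in the compromised-mailbox case the sender domain is genuine, so only the bank-detail comparison catches the change.

```python
# Added illustrative check (not Cyber Audit Team's code): flag a routine vendor
# invoice whose payment details differ from the vendor master record, so that a
# familiar-looking invoice is verified out of band before it is paid.
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    name: str
    sender_domain: str  # domain the vendor normally invoices from
    bsb: str            # Australian bank-state-branch code, digits only
    account: str


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    sender_email: str
    bsb: str
    account: str
    amount: float


def _norm_bsb(bsb: str) -> str:
    # Accept "062-000" and "062000" as the same BSB.
    return bsb.replace("-", "").replace(" ", "")


# Constructed sample vendor master (hypothetical values).
VENDOR_MASTER = {
    "Acme Office Supplies": VendorRecord(
        "Acme Office Supplies", "acme-supplies.example", "062000", "12345678"
    ),
}


def review_invoice(inv: Invoice, master=VENDOR_MASTER) -> list:
    """Return reasons the invoice needs out-of-band verification; [] means it matches."""
    flags = []
    rec = master.get(inv.vendor_name)
    if rec is None:
        return ["vendor not in master record"]
    domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if domain != rec.sender_domain:
        flags.append(f"sender domain {domain} differs from {rec.sender_domain}")
    # The decisive check: a trusted sender does not validate changed bank details.
    if (_norm_bsb(inv.bsb), inv.account) != (rec.bsb, rec.account):
        flags.append("bank details differ from vendor master; verify by phone")
    return flags
```

A non-empty result should route the invoice to a verification step using contact details already held on file, not those printed on the invoice.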
What awareness training must deliver in complex environments
For executives evaluating whether their current awareness training is fit for purpose, the best test is in how the program was designed. Training that holds up in complex operating environments shares four key principles:
- Contextual specificity: Training has to be built for the regulatory and operational environment the organisation actually operates in, not adapted from a generic international library. Australian staff need Australian examples: real local scams, real regulatory framing, real consequences they can recognise.
- Role and decision alignment: In complex environments, the consequences of a staff decision vary not just by role but by the frameworks and third-party relationships the role operates inside. Training has to be calibrated to the specific consequences each role’s decisions can trigger, not delivered as a uniform module across the workforce.
- Continuous reinforcement: Awareness that changes behaviour cannot be built through an annual exercise alone. A year-round program with short modules, timely reminders, and coaching after risky clicks helps build stronger, more durable security habits that extend beyond the workplace.
- Defensible evidence: In complex operating environments, cyber training has to generate a record that demonstrates not just completion but capability: who has been trained on what, how recently, with what outcomes, and how the program is responding to where understanding is thin. Without that record, the training is a control the organisation cannot stand behind.
Training that changes behaviour and reduces risk
The issue with generic cyber training is not that awareness is unimportant, but that completion alone gives executives a shallow view of whether staff are prepared for the moments that now carry real organisational consequence.
In complex operating environments, those moments are shaped by regulatory obligations and the supplier relationships the organisation depends on. Training that sits above those realities may record participation, but it does not necessarily build the comprehension required to reduce risk.
Cyber Audit Team’s Cyber Security Awareness Training is designed for this kind of environment. Content is tailored to the regulatory frameworks each organisation is held to and the supplier and third-party realities it operates in, so staff are equipped for the specific moments that determine whether cyber posture holds in practice. The program also generates the evidence base regulators, insurers, and auditors increasingly expect, demonstrating not just completion but capability over time.
Explore how the program works here: Cyber Security Awareness Training.
Or speak to a specialist to discuss how behaviour-led training could strengthen your organisation and team’s security posture: Contact Us.