Cyber Security – Defence in Depth for RTOs

Introduction

Cyber security has become one of the most serious business risks facing training organisations. It now shapes how we store student records, manage enrolments, process payments, and deliver training. One incident can stop operations, expose student data, and undo years of hard work and trust.

I have worked in this sector for a long time and have seen that change first hand. What started as a few antivirus checks has become a daily discipline involving every person and every system. I am not a cyber security expert. My perspective is practical. I am a business owner like many of you who had to learn how to protect my own organisation. I periodically engage cyber security specialists to give me advice, but I have needed to learn on the run and work hard to stay ahead. If you are a business owner these days, sound cyber security practices are as essential as accurate accounting or meeting workplace obligations.

Our company operates RTO Data Cloud, supporting providers across Australia. Cyber security for this service is our number one priority. Every decision I make about this service is through a data security lens. Newbery Consulting participate in the ACSC partner program. We see the sector’s reality up close. Most RTOs now rely almost entirely on cloud platforms for student management, finance, communication, and data storage. The convenience of services like these is huge, but so is the exposure. A weak password or a missed setting can be all it takes for operations to grind to a halt. Even at home, the same rules apply. Keep devices and software updated. Use strong multi-factor authentication. Back up data. Have the skills to identify scams. Cyber security is not just a business concern anymore; it is part of everyday life.

This article is written for the business owners, managers, and compliance leaders who keep training organisations running. You might not have a big IT department or a large budget, but the responsibility is the same: to protect student information and keep operations secure. My goal in this article is to interpret the latest Annual Cyber Threat Report 2024-2025 by the Australian Cyber Security Centre through the lens of the VET sector and offer practical, layered steps that any RTO can apply. I have tried to keep the jargon to a minimum and rely on real measures that build resilience.

Why this article, why now

The latest ACSC Annual Threat Report confirms what most of us already suspected: cyber incidents have become part of everyday business. More than 84,000 incidents were reported in a single year, which is roughly one every six minutes. The average loss per business was over $80,000, and those costs climb sharply with organisation size. Behind each statistic is a real business owner trying to stay afloat after disruption, financial loss, and weeks of recovery stress.

In the VET sector, the risk is amplified by the way we now operate. Most RTOs run entirely on cloud systems for student management, finance, and storage. Staff access shared drives and web apps from multiple locations, often on personal devices. It is efficient, flexible, and familiar, but fragile. One compromised password or misconfigured setting can expose everything the business depends on. The data we hold makes the problem worse. RTOs store verified personal details including ID documents, payment information, addresses, and international student records. That information is gold to cyber criminals. It fuels identity theft, financial fraud, and resale on underground markets. Education providers have become ideal targets because they are rich in data and lean in protection.

Across Australia, the cyber conversation has shifted from awareness to action. Regulators and governments now expect stronger controls, and the public expects transparency when things go wrong. For RTOs, this is not just a compliance issue; it is a matter of integrity and trust. Cyber resilience has never been an IT project. It is a business responsibility. Strong systems only work when supported by clear management, accountability, and a culture that takes security seriously. The threat landscape is changing fast, but the fundamentals are achievable. With practical steps and consistent leadership, even small and medium RTOs can strengthen their defences and protect the people who rely on them. The goal here is simple. Let’s take the lessons learned from ACSC and turn these into everyday practice that fits the reality of modern training organisations.

The threat environment in plain English

The latest ACSC Annual Threat Report leaves little room for doubt: cybercrime in Australia has become routine, organised, and professional. The incident numbers quoted earlier are not abstract. They represent fraud, extortion, downtime, and disruption that hit directly at the heart of operations. The leading threats are familiar: business email compromise, identity fraud, and ransomware. Attackers trick staff into clicking on an attached file to steal personal data for later fraud, or lock systems for ransom. Many now use “double extortion”, which involves stealing data first and then threatening to publish it even after payment. Increasingly, they also exploit legitimate system tools, a method known as “living off the land”, which makes detection harder and blurs the line between criminal and state-linked activity.

The education and training sector remains a prime target. RTOs hold verified personal information and payment records but often operate with tight budgets and limited IT capacity. This mix of valuable data and modest defences makes RTOs attractive to attackers looking for easy access. ACSC advises businesses to operate with a mindset of ‘assume compromise’ and prioritise the assets that need the most protection. Do not only aim to prevent attacks; plan also to detect and respond fast when they occur. Identify the systems and data you cannot afford to lose and protect those first. For small and medium sized RTOs, the takeaway is this: cyber criminals do not care about your size or sector, they care about opportunity. The good news is that most defences are achievable with existing tools and disciplined routines. The real challenge is no longer awareness; it is just about taking action.

Just in our network of clients, I see two to three cyber security incidents per month, and they are getting more sophisticated. On our website alone, the firewall is blocking on average 31,324 visitors per month (that includes bots and humans). It’s an extraordinary figure. Most of these relate to known blacklisted IPs managed by Wordfence, our geo-blocking rules or complex attacks such as denial of service attacks. About six months ago we had an overseas cybercrime network attempt to use our checkout to wash through thousands of stolen credit cards before the system locked them out automatically. Recently, a client had their email compromised, which allowed a cybercrime network to harvest thousands of student details and documents stolen from archived emails. The threat environment has changed and evolves every day.

Emerging threats

The latest ACSC Annual Threat Report shows how far the landscape has shifted. Criminal groups now operate more like businesses: well-funded, coordinated, and persistent. Their motives differ, but their methods are shared, and their precision keeps improving. For the VET sector, several patterns stand out. These are the threats you need to be looking out for:

  • Credential theft and password reuse. The simplest doorway in remains the staff login. Stolen usernames and passwords are traded and reused across platforms, giving attackers a free pass into multiple systems. Many staff still use the same password for different accounts, which allows intruders to move about once they are in. ACSC continues to list stolen credentials as the leading cause of breaches in Australia.
  • Business email compromise. This is still the most expensive and damaging threat. Attackers either gain access to legitimate accounts or impersonate trusted staff, usually someone in admin or management. They send convincing requests to change bank details or approve payments, and staff act in good faith. Nearly one in five reported incidents now involve this tactic.
  • Ransomware and data extortion. Ransomware is no longer random. Attackers now study their targets first, steal key data, and only then encrypt systems, threatening to publish the stolen information if payment is refused. For an RTO, that could mean exposure of student records, financial data, or internal emails. Even with backups, recovery is slow, costly, and stressful.
  • Supply chain attacks. Attackers have learned that breaching one software provider can open doors to hundreds of clients. Instead of going after an RTO directly, they target a linked service like a student management or finance platform and reach multiple organisations through that trusted connection.
  • Artificial intelligence and deception. AI has changed the game. Criminals now use it to write polished phishing emails, clone voices, and generate fake documents or websites. The old clues of bad spelling and awkward phrasing can no longer be relied on. AI also automates password attacks and processes stolen data faster than any human could.
  • Denial of service and website disruption. Denial-of-service attacks are increasing. These overwhelm systems until they crash, taking down websites and portals that students rely on. Even short outages can erode confidence and sometimes disguise deeper attempts to breach the network.
  • Living off the land. Attackers are using legitimate administrative tools already built into systems. Because these tools are genuine, traditional antivirus software may not detect their misuse. Examples of this type of attack include:
    • An admissions officer clicks a convincing phishing link and the attacker harvests their credentials.
    • The attacker uses the stolen account to log in and discovers an unattended admin workstation or a shared credentials file.
    • The attacker creates a new local admin account with net user so they can return later, then hides activity by clearing logs.
  • Social engineering and human error. Despite all the technology, most breaches still start with people. Attackers manipulate trust and urgency to trigger mistakes. The most effective defence remains simple: pause, verify, and double-check before acting.

Taken together, these threats show a shift from random disruption to deliberate, sustained attacks. They target sectors like ours which are highly connected, data-rich, and often under-resourced in IT. The ACSC’s advice is the same across the board: assume compromise and build resilience through layered defences that make attacks harder to succeed and recovery faster when they do.

Operational impact on an RTO

When a cyber incident hits a training organisation, the disruption is immediate. ACSC has long noted that the greatest cost is often not the ransom or the fraud itself, but the breakdown in business continuity that follows. For RTOs, that disruption ripples through every part of operations. Enrolments stall. Online payments fail. Staff cannot confirm new students or reconcile fees, and cash flow tightens almost overnight. Trainers lose access to shared drives and learning systems, leading to cancelled classes, frustrated students, and growing uncertainty. Compliance obligations soon come under pressure. If the student management system is offline, AVETMISS or CRICOS reporting cannot be completed. Missed deadlines attract regulatory fines, and when systems are finally restored, data integrity issues can make accurate reporting even harder.

Students feel the impact directly. When results or records are encrypted, certificates cannot be issued, leaving graduates unable to prove their qualifications. For international students, these failures can even affect visa conditions tied to course progress. The reputational damage is often the hardest to recover from. A public breach shakes confidence among students, employers, and regulators, and smaller organisations may never fully regain that trust. Recovery is also expensive. Technical specialists, forensic investigations, and replacement systems all add cost, while the pressure on staff often leads to burnout and turnover. None of this is random. These are predictable outcomes of weak or incomplete controls. Prevention always costs less than recovery. Real resilience comes from building layers of protection that work together, a model known as defence in depth.

Defence in depth explained

The most effective way to protect a modern training organisation is through defence in depth: the idea that real security relies on several safeguards working together, not a single point of protection. Each layer protects your systems, your data, and your people. If one fails, the others still stand. Defence in depth covers four key elements: prevention, detection, response, and recovery. The outer layers stop most attacks from reaching your systems. The middle layers pick up unusual activity early. The inner layers limit damage and help restore normal operations. Together, they form a safety net that stops minor incidents from turning into major crises.

Each layer has a purpose. Identity controls manage who can access systems. Network and device controls manage how those systems connect. Staff training and governance shape how people behave and make decisions. No single measure is perfect, but when combined, they create a structure that is much harder to breach. For small and medium RTOs, this model is both realistic and achievable. It does not require complex technology or big budgets. Mostly it requires discipline, routines, and leadership. Defence in depth is about building habits and systems that support one another, so a single oversight does not bring everything undone. The following sections unpack each layer in practical terms starting with identity and access, then moving through devices, email, networks, applications, people, and suppliers. Together, these layers form the foundation of cyber resilience for every RTO, no matter its size or resources.

Layer 1. Identity and access

The first layer of defence is knowing exactly who can access your systems and under what conditions. Most RTOs have dozens of people logging into student management, finance, and cloud platforms every day. Each login is a doorway, and every doorway needs to be secure. Multi-factor authentication (MFA) remains the single most effective control. It adds a second step like a code or prompt on a trusted device that makes stolen passwords useless. The ACSC strongly recommends MFA on all accounts, especially those with administrative or financial access.

Strong passwords still matter. A short, simple password can be cracked far faster than a long passphrase or a password made up of random letters, numbers, and special characters. Staff should avoid reusing passwords, and password managers can generate and store unique passwords automatically. With a password manager in place, every one of your passwords can be complex and different.

Access should always follow the principle of “need to know”. People should only have the permissions they need to do their job. Role-based access makes this simple and limits the damage if one account is ever compromised.

Account management is another common weak spot. Create new accounts carefully, adjust permissions when roles change, and disable accounts the moment someone leaves. Many breaches happen because old logins were never closed.

Modern cloud systems can also apply conditional access, for example blocking overseas logins, requiring extra checks for sensitive data, or automatically logging out inactive users.

Identity and access management is not complicated, but it does demand consistency. Regular reviews, strong authentication, and simple access rules stop most attacks before they even begin. For any RTO, this is the foundation of a secure and well-governed information system.
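As an added example, not code from the article or from any product it mentions, here is a small policy evaluator that combines role-based access (the “need to know” rule) with the conditional-access checks described above: block overseas logins, ask for extra verification on sensitive data, log out inactive sessions, and refuse disabled accounts the moment someone leaves. The roles, permission names, country list and 30-minute timeout are constructed assumptions for illustration.

```python
"""Added example, not from the article: a small policy evaluator that combines
role-based access ("need to know") with the conditional-access rules the article
lists (block overseas logins, extra checks for sensitive data, log out inactive
users, disable leavers). The roles, permissions, country list and timeout are
constructed illustrations, not the settings of any particular product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical role map: each role gets only the permissions its job needs.
ROLE_PERMISSIONS = {
    "trainer": {"results:write", "students:read"},
    "admissions": {"students:read", "students:write", "id_docs:read"},
    "finance": {"payments:read", "payments:write", "bank_details:write"},
    "admin": {"users:manage", "students:read", "audit_logs:read"},
}

# Permissions that touch sensitive data and therefore need a fresh MFA prompt.
SENSITIVE_PERMISSIONS = {"id_docs:read", "bank_details:write", "users:manage"}

ALLOWED_COUNTRIES = {"AU"}               # assumption: staff only log in from Australia
IDLE_TIMEOUT = timedelta(minutes=30)     # assumption: log out after 30 minutes idle


@dataclass
class Session:
    user: str
    role: str
    country: str
    mfa_passed: bool
    disabled: bool = False               # set the moment someone leaves
    last_activity: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def evaluate(session: Session, permission: str, now: Optional[datetime] = None) -> str:
    """Return "allow", "deny" or "step_up" (re-prompt MFA) for one request.

    Checks run from the most absolute rule to the most specific one, so a
    disabled account is refused before its role is even looked at."""
    now = now or datetime.now(timezone.utc)
    if session.disabled:
        return "deny"                                    # leavers lose access immediately
    if session.country not in ALLOWED_COUNTRIES:
        return "deny"                                    # block overseas logins
    if now - session.last_activity > IDLE_TIMEOUT:
        return "deny"                                    # inactive session must sign in again
    if permission not in ROLE_PERMISSIONS.get(session.role, set()):
        return "deny"                                    # least privilege: not in this role
    if permission in SENSITIVE_PERMISSIONS and not session.mfa_passed:
        return "step_up"                                 # extra verification for sensitive data
    return "allow"


def demo_decisions() -> dict:
    """Run a few constructed scenarios and return the decision for each."""
    now = datetime.now(timezone.utc)
    finance = Session("j.smith", "finance", "AU", mfa_passed=False, last_activity=now)
    stale = Session("j.smith", "finance", "AU", mfa_passed=True,
                    last_activity=now - timedelta(hours=2))
    overseas = Session("j.smith", "finance", "ZZ", mfa_passed=True, last_activity=now)  # ZZ: made-up code
    leaver = Session("old.staff", "admin", "AU", mfa_passed=True, disabled=True, last_activity=now)
    return {
        "sensitive_without_mfa": evaluate(finance, "bank_details:write", now),  # step_up
        "routine_in_role": evaluate(finance, "payments:read", now),            # allow
        "outside_role": evaluate(finance, "id_docs:read", now),                # deny
        "idle_session": evaluate(stale, "payments:read", now),                 # deny
        "overseas_login": evaluate(overseas, "payments:read", now),            # deny
        "disabled_account": evaluate(leaver, "users:manage", now),             # deny
    }


if __name__ == "__main__":
    for scenario, decision in demo_decisions().items():
        print(f"{scenario:24} -> {decision}")
```

The order of the checks is the point: account status and location are decided before the role map is consulted, and the MFA step-up only applies once the request is already inside the person’s role, which is how the cloud platforms the article refers to layer these rules.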

Layer 2. Devices and endpoints

The second layer of defence focuses on the devices your staff use every day such as laptops, desktops, tablets, and phones. Each one is a potential doorway into your systems, and it only takes one unprotected device to undo even the best network security. Start by making sure every work device is properly managed. This includes applying consistent settings for updates, passwords, and access. Managed devices can be tracked, and if one is lost or stolen, access can be revoked, and data wiped remotely.

Automatic updates are one of the simplest and most powerful controls. Operating systems and applications release patches all the time to fix known vulnerabilities. Attackers take advantage of delays, so set updates to install automatically rather than relying on staff to remember.

Basic settings like disk encryption and screen locks also make a big difference. Encryption makes stored data unreadable without the right login, and screen locks stop anyone else from accessing a device that has been left unattended.

Every device should also run reputable endpoint protection software. Modern antivirus tools are far more advanced than their older versions. These combine traditional virus scanning with real-time monitoring, browser integration, and behaviour-based threat detection. Whether using a commercial suite such as Norton 360 or McAfee Total Protection, or built-in protection like Microsoft Defender, this software forms a critical layer of defence by detecting and quarantining threats before they spread across the network. Endpoint security tools should update automatically and be managed centrally where possible, so no device is left unprotected.

Phones and tablets should follow the same approach. Staff often access emails and cloud files from their mobile devices, so enable passcodes, auto-lock, and the ability to remotely erase data if a device goes missing.

For higher-risk roles such as finance or system administrators, it is worth restricting which software can be installed. This prevents malicious apps or accidental downloads that could compromise the wider network.

Keeping devices updated, managed, and secure builds a strong second line of defence. It ensures that even if one account is breached, the device itself does not become another way into your systems.

Layer 3. Email and collaboration security

Email is still the main doorway for cyber attacks. It is how RTOs confirm enrolments, process payments, and share documents, all built on trust. Unfortunately, that same trust is what criminals exploit, which makes securing email and collaboration tools one of the most critical layers of defence. Start by making sure only legitimate emails can come from your domain. Most business email systems include authentication settings that verify your identity and block others from pretending to be you. These checks happen behind the scenes but are incredibly effective at preventing spoofed messages. Your IT provider can confirm that these protections are switched on.
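The article does not name the “authentication settings” that stop others sending mail as your domain; in practice they are SPF, DKIM and DMARC, published as DNS TXT records. As an added example (not from the article), the following check rates a domain’s SPF and DMARC records the way an IT provider would when confirming those protections are on. The domains and records are constructed samples so the check runs offline; the ``resolver`` argument is where a live DNS lookup would be plugged in.

```python
"""Added example, not from the article: a sanity check on the DNS records that stop
others sending mail as your domain. The article does not name them; the standard
mechanisms are SPF, DKIM and DMARC, published as DNS TXT records. The records below
are constructed samples for fictitious domains so the check runs offline."""
import re

# Constructed sample TXT records, keyed by the DNS name they would be looked up at.
SAMPLE_RECORDS = {
    "good-rto.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.good-rto.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good-rto.example"],
    "weak-rto.example": ["v=spf1 include:_spf.google.com ?all"],
    # weak-rto.example publishes no _dmarc record at all
}

# SPF terms that each cost one of the ten DNS lookups the standard allows.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|exists:|redirect=)", re.IGNORECASE)


def check_spf(records):
    """Rate a domain's SPF record: 'enforced' only if it ends in a hard fail (-all)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": False, "rating": "missing"}
    if len(spf) > 1:
        return {"present": True, "rating": "invalid: multiple SPF records"}
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        rating = "no all term"
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        rating = {"-": "enforced", "~": "softfail", "?": "weak", "+": "weak"}[qualifier]
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    return {"present": True, "rating": rating, "lookups": lookups,
            "too_many_lookups": lookups > 10}


def check_dmarc(records):
    """Rate a DMARC record: only p=quarantine or p=reject actually stops spoofed mail."""
    rec = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return {"present": False, "policy": None, "rating": "missing"}
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            tags[name.strip().lower()] = value.strip()
    policy = tags.get("p", "none").lower()
    rating = {"reject": "enforced", "quarantine": "enforced",
              "none": "monitor only"}.get(policy, "invalid")
    return {"present": True, "policy": policy, "reporting": "rua" in tags, "rating": rating}


def assess_domain(domain, resolver=SAMPLE_RECORDS.get):
    """Combine both checks. ``resolver`` maps a DNS name to its TXT records; swap in
    a real lookup (for example via dnspython) to run this against a live domain."""
    spf = check_spf(resolver(domain) or [])
    dmarc = check_dmarc(resolver("_dmarc." + domain) or [])
    return {"spf": spf, "dmarc": dmarc,
            "spoof_resistant": spf["rating"] == "enforced" and dmarc["rating"] == "enforced"}


if __name__ == "__main__":
    for d in ("good-rto.example", "weak-rto.example"):
        print(d, assess_domain(d))
```

The two things that usually go wrong are visible in the weak sample: an SPF record that ends in ``?all`` (which asks receivers to treat forged mail the same as genuine mail) and no DMARC record at all, so nothing tells receiving servers to quarantine or reject messages that fail the checks.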

Everyone also receives spam and scam emails daily, and one of the simplest habits is to block them consistently. Each time a suspicious or unwanted message appears, add the sender to your block list so future emails go straight to the junk folder. Over time this makes a real difference: your inbox stays cleaner and potential scams are filtered automatically. It is still worth checking your junk folder occasionally to make sure legitimate messages have not been caught by mistake, then clearing it out. This small routine strengthens your protection and reduces the chance of someone clicking a malicious email out of distraction or habit.

Modern email platforms already include tools that scan attachments and links for malware, but these features often need to be activated. Many incidents occur simply because these protections were available but never turned on.

Another smart safeguard is tagging emails that come from outside the organisation. A short banner at the top of each external message reminds staff to pause before clicking links or approving payments. In finance or admissions, combine this with a rule that any change to bank details must be verified by a second person before action is taken.

Cloud tools like OneDrive, Google Drive, and SharePoint have made collaboration easier than ever, but open sharing settings can expose sensitive data. Set safe defaults so files are visible only to staff unless deliberately shared and review public links regularly.

Strong email and collaboration security depends as much on behaviour as on technology. When staff trust their systems, pause before acting, and follow clear verification steps, most email-based attacks fail. A well-managed email environment creates confidence, consistency, and one of the strongest everyday layers of protection.

Layer 4. Networks and cloud configuration

This layer is about the systems that keep your organisation connected. This includes your internet, cloud platforms, and any on-site equipment. They form the backbone of daily operations, and if they are not configured or monitored correctly, attackers can move through them quietly and undetected.

Start with a zero-trust mindset. In simple terms, no device or user should be trusted by default. Every login, connection, and system request should be verified. For small organisations, that can be as straightforward as requiring authentication for shared drives, limiting admin rights, and reviewing access regularly.

Each cloud platform, whether it handles student management, finance, storage, or email, should be set up using the vendor’s recommended security settings. Apply strong access controls, restrict sharing, and enable automatic updates. Many breaches happen because default settings were never changed.

Event logs and alerts are another critical but often overlooked control. Logs record who logged in, from where, when, and what actions they took, and they let you spot early warning signs like repeated failed logins or large data downloads. The ACSC lists event logging as one of the most effective defences for small organisations.

You can also reduce exposure through geo-blocking and conditional access. Tools such as Wordfence can block traffic from countries that have no legitimate reason to connect to your website, filtering out most automated attacks before they start. Conditional access can also require extra verification for logins from unfamiliar devices or locations.
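The two paragraphs above (event logging, and geo-blocking with conditional access) describe checks that can be run over the logs your platforms already produce. As an added example, not from the article or from Wordfence or any other product, the script below runs those checks over a handful of constructed audit-log lines: it flags repeated failed logins, a successful login that follows them, a login from a country outside the allow-list, and an unusually large daily download. The log format, thresholds and country list are assumptions; real platforms export their own formats, so ``parse_log()`` is the part to adapt.

```python
"""Added example, not from the article: the kind of check the article's event-log
paragraph describes, run over a few constructed audit-log lines. It flags repeated
failed logins, a successful login that follows them, logins from countries outside
an allow-list (the geo-blocking idea) and unusually large daily downloads. The log
format, thresholds and country list are assumptions; real platforms export their
own formats, so parse_log() is the part to adapt."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp,user,event,country,bytes
SAMPLE_LOG = """\
2025-03-04T08:00:12,a.lee,login_failed,AU,0
2025-03-04T08:00:40,a.lee,login_failed,AU,0
2025-03-04T08:01:05,a.lee,login_failed,AU,0
2025-03-04T08:01:30,a.lee,login_failed,AU,0
2025-03-04T08:02:02,a.lee,login_failed,AU,0
2025-03-04T08:02:30,a.lee,login_success,AU,0
2025-03-04T09:15:00,b.khan,login_success,ZZ,0
2025-03-04T09:20:00,b.khan,download,ZZ,350000000
2025-03-04T09:25:00,b.khan,download,ZZ,300000000
2025-03-04T10:00:00,c.ng,login_success,AU,0
2025-03-04T10:05:00,c.ng,download,AU,20000000
"""

FAILED_LOGIN_THRESHOLD = 5                   # assumption: 5 failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... within 10 minutes
DOWNLOAD_BYTES_PER_DAY = 500_000_000         # assumption: 500 MB per user per day
ALLOWED_COUNTRIES = {"AU"}                   # assumption: staff log in from Australia only
                                             # ("ZZ" above is a made-up country code)


def parse_log(text):
    """Turn the CSV-style sample into dicts. Adapt this for your platform's export."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, country, size = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "country": country, "bytes": int(size)})
    return events


def detect(events):
    """Return (user, alert_type) tuples in time order; each alert fires once per user."""
    alerts = []
    recent_failures = defaultdict(deque)     # user -> failure timestamps inside the window
    daily_bytes = defaultdict(int)           # (user, date) -> bytes downloaded that day
    flagged = set()                          # (user, alert_type) already raised

    def raise_once(user, kind):
        if (user, kind) not in flagged:
            flagged.add((user, kind))
            alerts.append((user, kind))

    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], e["ts"]
        if e["event"] == "login_failed":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()             # drop failures older than the window
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                raise_once(user, "repeated_failed_logins")
        elif e["event"] == "login_success":
            if e["country"] not in ALLOWED_COUNTRIES:
                raise_once(user, "login_from_blocked_country")
            if (user, "repeated_failed_logins") in flagged:
                raise_once(user, "success_after_failures")   # a guessed password?
        elif e["event"] == "download":
            key = (user, ts.date())
            daily_bytes[key] += e["bytes"]
            if daily_bytes[key] > DOWNLOAD_BYTES_PER_DAY:
                raise_once(user, "large_download")
    return alerts


if __name__ == "__main__":
    for user, kind in detect(parse_log(SAMPLE_LOG)):
        print(f"ALERT {kind:28} user={user}")
```

The sliding window is what keeps the failed-login rule honest: five wrong passwords spread over a week is a forgetful colleague, five in two minutes is worth a phone call, and a success straight after that run is the line most worth following up.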

Do not overlook the security of routers and connected devices such as printers or multifunction machines. These devices often store copies of digital files and may be connected wirelessly to staff computers. Without proper protection, they can be discovered and accessed remotely. Every router should have its firewall enabled, be configured with a strong administrator password, and have its firmware kept up to date. Keep printers behind the router’s firewall (not internet-exposed) and, where practical, place them on a separate local area network or network segment.

If you operate any on-site or connected training equipment, keep it separate from your business systems. Network segmentation prevents a problem in one area from spreading to another.

Network and cloud configuration might sound routine, but it is one of the most powerful forms of protection you can have. Getting these settings right and checking them regularly closes many of the quiet gaps that attackers depend on.

Layer 5. Applications and data

This layer focuses on the tools you use to run your business and the information they hold. Every RTO depends on cloud applications for student management, learning, finance, and file storage, and each comes with responsibility for how data is collected, stored, and protected.

Start by choosing systems that are secure by design. Look for products with built-in security features such as multi-factor authentication, automatic updates, and role-based access controls. Reputable providers make security part of their core design, not a feature you add later, and that is something worth prioritising when selecting or renewing your systems.

Once your systems are in place, focus on managing the data within them. Classify information according to its sensitivity. Student records, financial transactions, and ID documents require the strongest protection, while general operational data can be managed with lighter controls.

Retention and minimisation are equally critical. Sensitive documents such as payment details, identity records, or scanned student IDs should be actively removed once they are no longer required. Holding on to old files only increases exposure. The Unique Student Identifiers Act places a clear legal obligation on training organisations: where student identification documents are collected, they must not be retained after the purpose for which they were collected has passed. This means data must be systematically deleted to ensure compliance and reduce risk. Keeping only what you genuinely need and deleting or archiving everything else significantly lowers your risk exposure and strengthens your overall data governance.

A sound backup strategy is essential. Backups should be automatic, isolated from your main systems, and tested regularly. Too many organisations discover too late that their backups were incomplete or outdated. Running regular restore tests confirms that recovery will actually work when it is needed.

Encryption is another vital control. Data should be encrypted both when stored (“at rest”) and when it moves between systems (“in transit”). Most modern cloud platforms handle this automatically, but it is worth checking your provider’s settings or documentation to be sure.

If your systems are integrated, for example linking your student management, finance, and learning management platforms, your API keys must be managed carefully. An API key is a unique string of characters that allows these systems to communicate securely with one another. It acts like a digital pass between platforms. Store keys in a secure location, rotate them regularly, and limit the permissions they provide. Unsecured, shared, or expired keys are a common way for attackers to gain access.
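As an added example (constructed illustration code, not the real API of any student management or finance product), here is how an integration can issue, store and check API keys so that the three rules above hold: the key is handed out once and kept in a secret store rather than in code, the server keeps only a hash of it, each key carries a limited set of permissions, and it expires unless rotated. The class and function names, the permission scopes and the 90-day rotation period are assumptions.

```python
"""Added example, not from the article: how an integration can issue, store and
check API keys so that a shared, leaked or stale key does the least damage. It is
constructed illustration code, not the real API of any student-management or
finance product; the class and function names, the scopes and the 90-day rotation
period are assumptions."""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=90)        # assumption: keys expire unless rotated quarterly


class KeyStore:
    """Server side of an integration: keeps a hash of each key, its scopes and expiry.
    The plain key is never stored, so a copy of this table cannot be replayed."""

    def __init__(self):
        self._keys = {}                     # key_id -> record

    @staticmethod
    def _digest(secret):
        # SHA-256 is adequate here because the secret is random high-entropy data,
        # not a human-chosen password; passwords would need a slow hash instead.
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue_key(self, owner, scopes, now=None):
        """Create a key limited to ``scopes``; the full key is returned exactly once."""
        now = now or datetime.now(timezone.utc)
        key_id, secret = secrets.token_hex(4), secrets.token_urlsafe(32)
        self._keys[key_id] = {"owner": owner, "hash": self._digest(secret),
                              "scopes": frozenset(scopes),
                              "expires": now + ROTATION_PERIOD, "revoked": False}
        return f"{key_id}.{secret}"         # keep in a secret manager, never in code

    def check(self, api_key, required_scope, now=None):
        """Decide one request. Returns "allow" or a "deny: <reason>" string."""
        now = now or datetime.now(timezone.utc)
        key_id, _, secret = api_key.partition(".")
        rec = self._keys.get(key_id)
        if rec is None or not secret:
            return "deny: unknown key"
        if not hmac.compare_digest(self._digest(secret), rec["hash"]):
            return "deny: bad secret"       # constant-time comparison
        if rec["revoked"]:
            return "deny: revoked"
        if now >= rec["expires"]:
            return "deny: expired (rotate)"
        if required_scope not in rec["scopes"]:
            return "deny: scope"            # limit what each key can do
        return "allow"

    def rotate(self, api_key, now=None):
        """Retire a key and issue a replacement with the same owner and scopes."""
        key_id = api_key.partition(".")[0]
        old = self._keys[key_id]
        old["revoked"] = True
        return self.issue_key(old["owner"], old["scopes"], now)


def load_key_from_env(var="SMS_FINANCE_API_KEY"):
    """Client side: read the key from the environment or a secret store, never from source."""
    key = os.environ.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set; keep the key in a secret manager, not in code")
    return key


def demo():
    """Walk through issue, scope limit, tampering, expiry and rotation; return outcomes."""
    store = KeyStore()
    issued = datetime(2025, 1, 1, tzinfo=timezone.utc)
    key = store.issue_key("finance-sync", ["payments:read"], now=issued)
    out = {"in_scope": store.check(key, "payments:read", now=issued),
           "out_of_scope": store.check(key, "students:write", now=issued),
           "tampered": store.check(key + "x", "payments:read", now=issued),
           "expired": store.check(key, "payments:read", now=issued + timedelta(days=91))}
    later = issued + timedelta(days=80)
    new_key = store.rotate(key, now=later)
    out["old_after_rotate"] = store.check(key, "payments:read", now=later)
    out["new_after_rotate"] = store.check(new_key, "payments:read", now=later)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:18} -> {result}")
```

The scope check is what limits the blast radius: a key that a finance sync uses to read payments cannot be turned around to write student records, even if it leaks, and the expiry date means a key that was forgotten in an old integration stops working on its own rather than living on indefinitely.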

Layer 6. People and culture

Even the strongest technical systems will fail if the people using them are not alert to the risks. The 2024–25 Annual Cyber Threat Report makes this clear: human behaviour is the deciding factor in most incidents. Attackers know that people are easier to trick than systems are to hack, which is why building a strong cyber culture is one of the most effective forms of defence.

The best approach is short, regular awareness sessions. Ten or fifteen minutes every few months is enough to keep staff alert to phishing, password reuse, and scams. Training works best when it is practical, current, and built into daily routines rather than treated as a one-off activity. The ACSC website (www.cyber.gov.au/learn-basics) has some great resources which are free and ready to go.

Different roles face different risks. Finance and admissions staff handle payments and personal information every day, making them prime targets for email compromise and fraud. They need to know exactly how to verify a payment request or authorise bank payments before acting. Trainers and assessors, on the other hand, need to focus on protecting student information and using cloud systems safely in the classroom.

Simulated phishing exercises are also highly effective. These controlled mock emails show who clicks, who reports, and how quickly staff respond. The aim is not to embarrass anyone but to coach them, turning small mistakes into learning moments that strengthen habits.

Clear reporting pathways are just as important. Staff must know exactly who to contact if they suspect a problem, whether it is IT support, a manager, or a nominated security lead. Early reporting can stop a small issue from turning into a major breach. A no-blame culture encourages openness and quick action.

Ultimately, a healthy cyber culture depends on leadership tone. The best organisations treat security as a shared responsibility, reward early reporting, and support staff who act with care. When security becomes part of everyday work rather than just an IT task, people stay alert, and issues are resolved quickly. A strong culture connects every layer and makes resilience the norm.

Layer 7. Third-party and supply chain

Every training organisation depends on external partners such as software vendors, cloud providers, education agents, and sometimes subcontracted trainers. Each one connects in some way to your systems or data. That connection brings convenience, but it also brings exposure. Attackers often find it easier to compromise a supplier than the organisation itself, which is why managing these relationships carefully forms the final layer of defence in depth.

Start by keeping a clear inventory of all your vendors and partners, grouped by their level of risk. High-risk vendors are those that store or process sensitive data, such as your student management system or payment gateway. Lower-risk vendors might provide tools that do not handle student information. Knowing exactly who connects to your business and what data they can access is the foundation of control.

Contracts with key vendors should include minimum security requirements. These do not have to be complicated. A few simple clauses such as multi-factor authentication, encryption of stored data, and timely software updates are important. For critical systems, it is worth requiring that vendors follow recognised security standards or conduct regular testing of their controls.

Include clear notification clauses as well. If a vendor experiences a breach that involves your data, they must be required to notify you quickly and transparently. The ACSC continues to report cases where organisations only discovered incidents after data had already been exposed. Early notification allows you to act quickly, protect your students, and meet any regulatory reporting obligations.

Vendors and agents should also be offboarded as carefully as they are onboarded. When a contract ends, revoke access, remove shared data, and disconnect any integrations. Old accounts and unused connections are common sources of residual risk.

It also helps to develop a simple shared responsibility map for your key systems. This clarifies who is responsible for what. For example, your student management provider may secure the infrastructure, but you are still responsible for user access and staff training. Clear boundaries prevent assumptions and make accountability visible.

Supply chain security is not about mistrust; it is about shared responsibility. Every organisation that handles your information becomes part of your extended security network. When each of those links is strong and transparent, the whole chain becomes much harder to break.

Incident response that actually works

Even the best-prepared organisations can experience a cyber incident. What matters most is how they respond. Under the Outcome Standards, every training organisation must manage operational risk, including your obligations under privacy legislation. A clear, well-practised incident response plan is the key to containing damage, protecting students, and restoring confidence.

An effective response follows five simple stages: prepare, identify, contain, eradicate, and recover. These are explained below:

  • Preparation is the most important step. It means having an agreed plan that outlines who makes decisions, how incidents are reported, and what actions will be taken. The plan should include key contacts such as your IT provider, insurer, legal adviser, and communications lead. These details need to be written down, kept current, and tested.
  • Identification is about spotting when something is wrong. Warning signs might include unusual logins, missing data, or staff being locked out. Everyone in the organisation should know what to do if they suspect a breach and how to escalate it quickly. Early detection can be the difference between a minor disruption and a full-scale crisis.
  • Containment focuses on stopping the spread. This might involve disconnecting affected devices, isolating accounts, or taking systems offline. Smaller RTOs often rely on external IT providers at this stage, so having clear contact arrangements in advance is critical.
  • Eradication removes the cause. Once the threat is contained, technicians work out how it entered the system and close those entry points. This can involve cleaning devices, resetting credentials, or reinstalling software. Keep records of every action taken; these will be important for both insurance and regulatory reporting.
  • Recovery brings systems back online. Data is restored from backups, staff are briefed, and communication becomes the priority. Students, employers, and partners need timely and accurate updates. Having pre-prepared message templates ready makes this much easier and keeps communication consistent.
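The Identification stage says to watch for unusual logins and staff being locked out. The script below is an added example (not part of the original article and not a tool the author describes) of what that looks like when done mechanically over sign-in records. It runs over a handful of constructed sign-in events in an assumed "timestamp user country result" format, flags any account with five or more failed sign-ins inside five minutes (the pattern behind a lockout or a password-guessing attempt), and flags a successful sign-in from a country that account has never used before. Real cloud audit logs will need their own parser; the thresholds are assumptions to tune for your organisation.

```python
"""Triage sign-in events for the warning signs the Identification step describes.

Added example with constructed data; the log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): "timestamp user country result".
SAMPLE_LOG = """\
2025-10-20T08:02:11 amy.lee AU success
2025-10-20T08:05:40 amy.lee AU success
2025-10-20T09:14:03 ben.tran AU success
2025-10-20T23:41:10 ben.tran AU failure
2025-10-20T23:41:15 ben.tran AU failure
2025-10-20T23:41:19 ben.tran AU failure
2025-10-20T23:41:24 ben.tran AU failure
2025-10-20T23:41:30 ben.tran AU failure
2025-10-20T23:41:36 ben.tran AU failure
2025-10-21T03:17:55 amy.lee RU success
2025-10-21T08:10:02 cara.ng AU success
"""

FAIL_THRESHOLD = 5                  # assumed: this many failures for one account ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this window is a burst worth escalating


def parse_events(text):
    """Parse the assumed one-event-per-line format into sorted (time, user, country, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append((datetime.fromisoformat(ts), user, country, result))
    return sorted(events)


def find_failure_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return {user: time the burst started} for accounts with >= threshold failures inside window."""
    failures = defaultdict(list)
    for ts, user, _country, result in events:
        if result == "failure":
            failures[user].append(ts)
    bursts = {}
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):          # sliding window over this user's failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold and user not in bursts:
                bursts[user] = times[start]
    return bursts


def find_new_countries(events, baseline=None):
    """Return [(time, user, country)] for successful sign-ins from a country not seen before for that user.

    `baseline` maps user -> countries known from an earlier period (assumed); without it,
    each user's first successful sign-in in the log establishes their baseline.
    """
    seen = {user: set(countries) for user, countries in (baseline or {}).items()}
    alerts = []
    for ts, user, country, result in events:
        if result != "success":
            continue
        if user in seen and country not in seen[user]:
            alerts.append((ts, user, country))
        seen.setdefault(user, set()).add(country)
    return alerts


def triage(text, baseline=None):
    """Run both checks over a log and return what a responder should look at first."""
    events = parse_events(text)
    return {
        "bursts": find_failure_bursts(events),
        "new_countries": find_new_countries(events, baseline),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```

On the constructed data this flags ben.tran's six failures starting at 23:41:10 and amy.lee's 03:17 sign-in from RU, while cara.ng's first sign-in is treated as baseline rather than an alert. Either finding is the point at which the escalation path in your plan should be triggered, not investigated by the person who noticed it.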

Throughout every stage, pay attention to evidence handling and legal obligations. Preserve logs and notes, and avoid deleting anything that could be used for investigation. If personal information is affected, privacy laws may require notification to regulators or individuals. All incidents should also be reported through the ACSC’s ReportCyber service.

One of the hardest decisions is whether to pay a ransom. The ACSC's advice is clear: there is no guarantee that paying will restore access or protect your data. The better strategy is to invest in strong backups and a tested recovery plan so that payment is never the only option. Paying a ransom also funds and reinforces the criminal activity. Remember that the people demanding payment have already committed a crime; whatever they promise in return for payment, there is no guarantee they will honour it, and it is quite unlikely that they will.

Finally, conduct a post-incident review. Look at what worked, what did not, and what can be improved. Every incident, no matter how small, is an opportunity to strengthen systems and awareness.

Business continuity for cyber scenarios

Cyber incidents do not just affect data and systems; they can bring a training organisation to a complete halt. When your student management, email, or finance systems go down, everything slows or stops. That is why business continuity planning is an essential part of managing operational and consequence risk under the Standards.

Start by identifying your critical processes, the activities that must continue even during disruption, such as enrolments, fee processing, attendance, and communication with students. For each one, set a recovery time target that defines how long you can tolerate an outage, and decide how much recent data you could afford to lose if you had to fall back to the last backup. These priorities determine the order of recovery when things go wrong.

Every RTO should have simple manual workarounds for enrolments and attendance. If your student management system is offline, record attendance using paper rolls or spreadsheets and upload the data later. Maintaining training continuity during recovery protects both operations and student confidence.

Communication is just as important. If email or learning systems are down, you will need alternate modes of communication ready — SMS, messaging apps, or a temporary website notice. Clear and timely communication reassures students and staff and demonstrates that the situation is under control.

Backups alone are not enough. They must be tested through regular restore drills to make sure recovery actually works and that staff know what to do. The worst time to discover a failed backup is during an incident. Keep at least one backup copy offline or otherwise unreachable from your everyday accounts, so that ransomware that encrypts your live systems cannot encrypt the backups as well. Short, structured restore tests once or twice a year give everyone confidence that recovery will work when it matters most.

Keep paper or offline copies of key contacts, credentials, and procedures. If your network or cloud systems are inaccessible, you still need to reach your IT provider, insurer, and leadership team. Secure printed copies allow you to act even when your systems are down.

Business continuity is ultimately about resilience. Even with strong defences, disruptions will happen. The question is not whether you can prevent every incident, but whether you can keep operating and recover quickly when one occurs.

Governance and accountability

Strong governance is what separates organisations that manage cyber risk from those that simply react to it. Cyber resilience is not just a technical issue; it is a leadership responsibility. For training organisations, that responsibility sits squarely with the Executive Officer as the responsible person.

Under the Outcome Standards, the Executive Officer is responsible for the systems, oversight, and assurance processes that protect the organisation and its students. This includes cyber security. While IT providers may handle the technical controls, it is the Executive Officer’s job to ensure there are clear policies, defined responsibilities, and regular reviews of how cyber risk is being managed. Delegation does not remove accountability.

Roles across the organisation should be well defined. IT staff or providers manage systems and updates. Compliance staff make sure data handling and reporting align with standards. Trainers and support staff follow safe practices, protect student information, and stay alert to suspicious activity. Everyone contributes to security in their role, but coordination and results ultimately sit with leadership.

The organisation’s risk register should also make cyber threats clear. Each risk should describe the threat, outline existing controls, and identify any further actions to reduce likelihood or impact. Common entries include data breaches, ransomware, and business email compromise. Reviewing these regularly keeps the organisation’s understanding of its exposure current.

Internal reporting should lead to improvement, not just documentation. A strong governance culture means incidents are logged, lessons are recorded, and corrective actions are tracked through to completion. When staff see that real changes come from reporting issues, confidence and engagement grow.

Governance and accountability turn good intent into discipline. They ensure cyber resilience is not left to chance or outsourced entirely to technology providers. When the Executive Officer leads the discussion, asks the right questions, and insists on transparency, they create a culture that manages risk proactively.

A Practical Roadmap for RTOs

Becoming cyber resilient is not about perfection, it is about steady, visible progress. The organisations that manage risk best are not the ones with the biggest budgets, but the ones that build discipline over time. For most small and medium RTOs, the goal is not military-grade security but gradual improvement until good habits become part of everyday practice.

Start with a simple 90-day plan that focuses on quick, high-impact actions. These steps reduce immediate risk and build momentum:

  • Enable multi-factor authentication across all cloud systems
  • Turn on automatic updates and apply outstanding patches
  • Review user access and remove unused accounts
  • Test that backups can be restored quickly and completely
  • Deliver a short, practical awareness session for all staff
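"Test that backups can be restored quickly and completely" in the 90-day plan, and the restore drills described under business continuity, are the same exercise. The script below is an added example, not code from the article or from RTO Data Cloud, of what a scripted restore drill checks: it builds a small constructed set of student and finance files, archives them, restores the archive into a clean directory, and then verifies that every file came back with its original SHA-256 hash and within a recovery time target. The 60-second target, the file names and the archive format are assumptions; a second run simulates a backup job that silently skipped a file, which is the failure mode a drill exists to catch.

```python
"""Scripted restore drill: prove a backup restores completely, intact and in time.

Added example with constructed data; paths, format and the time target are assumptions.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed stand-in for a student management export (not real records).
SAMPLE_FILES = {
    "students/enrolments.csv": b"student_id,course,date\n1001,BSB30120,2025-02-03\n",
    "students/attendance.csv": b"student_id,date,present\n1001,2025-02-10,Y\n",
    "finance/invoices.csv": b"invoice,amount\nINV-1,450.00\n",
}
RECOVERY_TIME_TARGET_SECONDS = 60  # assumed; take yours from the continuity plan


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root; the yardstick a restore must match."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_sample_data(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def take_backup(source: Path, archive: Path) -> None:
    """Archive the source tree (tar.gz here; the real job may differ)."""
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")


def restore_drill(archive: Path, expected: dict,
                  target_seconds: float = RECOVERY_TIME_TARGET_SECONDS) -> dict:
    """Restore into a clean directory and report completeness, integrity and elapsed time."""
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(str(archive), "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to maintenance releases)
            # refuses entries that would escape the restore directory.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **kwargs)
        actual = inventory(Path(restore_dir))
    elapsed = time.monotonic() - started
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    within_target = elapsed <= target_seconds
    return {
        "elapsed_seconds": round(elapsed, 3),
        "missing": missing,
        "corrupted": corrupted,
        "within_target": within_target,
        "passed": not missing and not corrupted and within_target,
    }


def run_drill(simulate_incomplete_backup: bool = False) -> dict:
    """End-to-end drill. The inventory is taken from the live data BEFORE the backup runs,
    so a backup job that quietly skipped a file is caught, not trusted."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "live"
        archive = Path(work) / "backup.tar.gz"
        write_sample_data(source)
        expected = inventory(source)
        if simulate_incomplete_backup:
            (source / "finance" / "invoices.csv").unlink()  # the job never saw this file
        take_backup(source, archive)
        return restore_drill(archive, expected)


if __name__ == "__main__":
    print("good backup:", run_drill())
    print("incomplete backup:", run_drill(simulate_incomplete_backup=True))
```

The drill's record (elapsed time, anything missing or corrupted, pass or fail) is exactly the evidence to file from each scheduled test, and a failed run is a finding to action, not a line in a report. Note that the expected inventory is captured from the live data, independently of the backup job: a check that only compares the archive against itself would pass the incomplete-backup case.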

These actions are achievable for any business owner or training manager. They show leadership in action, reduce exposure, and give staff confidence that security is being taken seriously.

Next, move to a 12-month roadmap that builds structure and accountability. Over that year, aim to:

  • Develop a clear privacy and business continuity policy that defines roles, responsibilities, and escalation pathways
  • Schedule quarterly reviews of access, patching, and incident logs
  • Conduct an annual test of business continuity and backup restoration
  • Create a simple supplier risk register covering IT, student systems, and finance
  • Include cyber security as a standing item in management meetings and board reports

These measures embed cyber management into everyday governance routines and prevent leadership from being caught off guard.

Then, establish a continuous training rhythm. Short awareness updates every few months keep people alert and informed. New starters should receive a quick induction on password management, recognising suspicious emails, and protecting student data. Finance and admissions teams need focused guidance on invoice scams, payment verification, and handling ID documents safely. The key is repetition, as awareness fades quickly when it is not maintained.

Looking ahead, leaders should stay aware of emerging changes such as post-quantum cryptography. Quantum computing may one day break the public-key encryption standards in use today, prompting global updates. For now, RTOs simply need to stay informed and work with reputable software vendors who are planning for that transition, and keep software current so that updated standards arrive through normal patching. Multi-factor authentication does not address this particular risk; it protects accounts against stolen passwords, which remains the far more immediate threat.

Conclusion

The message I have tried to communicate here could not be clearer. The threat is real, and the responsibility rests with each of us who lead and operate within this sector. Cyber incidents are not random accidents; they are the predictable result of gaps left unaddressed. Every organisation, no matter its size, has the capacity to strengthen its defences and protect the trust that students and staff place in it.

What matters now is action. Cyber resilience is built one decision at a time: enabling multi-factor authentication, testing a backup, training staff, updating software. None of this is out of reach. What it requires is leadership and a steady commitment to protect, prepare, and improve. Taking these steps not only defends against cyber threats but also strengthens compliance, reduces liability, and protects reputation. Make it a priority in your RTO.


Good training,

Joe Newbery

Published: 23rd October 2025

Copyright © Newbery Consulting 2021. All rights reserved.
