On 21 November 2023 the Australian Government published its Cyber Security Strategy, a plan to make Australia one of the most cyber secure nations in the world by 2030. For a business owner or a board, it is easy to file this under government policy that does not affect us. That would be a mistake. Parts of it are already law, and the obligations land on ordinary businesses, not just the big banks and critical infrastructure operators.
What the strategy actually is
The strategy is a ten-year plan led by the Department of Home Affairs, backed by an initial investment of around $586.9 million. The stated goal is for Australia to be a world leader in cyber security by 2030. Rather than a single rulebook, it sets a direction and is delivered in stages.
The government describes three horizons. The first, from 2023 to 2025, strengthens foundations and supports the businesses most at risk. The second, to 2028, scales the work across the wider economy. The third, to 2030, positions Australia as a global leader. Each horizon brings its own legislation and programmes, which is why the strategy keeps producing new obligations rather than arriving all at once.
The six shields
The strategy is organised around six cyber shields. Each is a layer of protection meant to hold even if the one before it fails.
- Strong businesses and citizens. Support and clearer obligations so organisations can protect themselves and recover quickly.
- Safe technology. Clear security standards for digital products, including the smart devices sold in Australia.
- World-class threat sharing and blocking. Faster exchange of threat information between government and industry.
- Protected critical infrastructure. Stronger requirements for the systems the country depends on.
- Sovereign capabilities. A larger local cyber security workforce and industry.
- Resilient region and global leadership. Helping Pacific neighbours and shaping international rules.
Most of the public attention goes to critical infrastructure, but the first shield is the one that matters most for the average business. It is where the support, and the new obligations, are aimed.
What is already law: the Cyber Security Act 2024
The strategy's first major piece of legislation, the Cyber Security Act 2024, passed Parliament in late 2024. It is Australia's first standalone cyber security act, and it introduces obligations that reach well beyond critical infrastructure.
Mandatory ransomware payment reporting
Since 30 May 2025, businesses with an annual turnover of $3 million or more must report a ransomware or cyber extortion payment within 72 hours of making it, or of becoming aware that a payment has been made on their behalf. The aim is informational rather than punitive. The government wants a clearer picture of how much is being paid and to whom. If your business would consider paying to recover from an attack, this obligation already applies to you.
Security standards for smart devices
The Act sets baseline security standards for internet-connected consumer products sold in Australia, such as cameras, smart speakers, and connected appliances. Manufacturers and suppliers carry most of this burden, but it raises what you can reasonably expect from the devices entering your network.
Limited use protection
To encourage businesses to come forward during an incident, the Act limits how information voluntarily shared with the Australian Signals Directorate can be used. The intent is to remove the fear that asking for help will invite a regulator. It is worth understanding before your next incident, because it changes the calculus of when to pick up the phone.
The Cyber Incident Review Board
The Act establishes a no-fault review board that examines significant incidents after the fact and publishes lessons for everyone else, much like an aviation safety investigation. It exists for shared learning rather than blame.
What this means for small and medium businesses
The headline message of the strategy is that cyber security is no longer optional for businesses of any size. The government has been explicit that small and medium businesses are both the most targeted and the least prepared, and the strategy treats lifting that baseline as a national priority.
In practice it shows up in a few ways. Expectations are rising from insurers, from larger customers running supply chain checks, and from government procurement. The first hard obligations have arrived, starting with ransomware payment reporting. And the support available has grown too, through guidance, dedicated small business programmes, and a single place to get advice and report incidents at cyber.gov.au.
The strategy's clearest signal to business is simple. The baseline is moving, and the organisations that wait for an incident to act will be the ones explaining to a board why they did not.
How it connects to the Essential Eight
The strategy does not replace the frameworks businesses already work to. It reinforces them. The ACSC Essential Eight remains the practical baseline the government points businesses toward, and its controls, patching, backups, and restricted admin access among them, are exactly the ones that would prevent most of the incidents the strategy is designed to reduce.
If you want a concrete starting point, our Essential Eight guide walks through all eight controls, and our Essential Eight assessment shows you where you stand today.
What you should be doing now
You do not need to read the full strategy to respond to it sensibly. A few steps cover most of what it asks of an average business.
- Decide your position on ransom payments before an incident, and make sure whoever would authorise one knows about the 72-hour reporting obligation.
- Get the Essential Eight baseline in place, starting with multi-factor authentication on every external service.
- Write a short incident response plan and test it once, so the first time you use it is not during a real attack.
- Confirm your backups are disconnected and have actually been restored in a test, not just scheduled.
- Treat your suppliers and IT providers as part of your risk, and ask them what they have in place.
If you would rather not manage this in-house, Fortify covers monitoring and Essential Eight uplift as a managed service, and a penetration test tells you where a real attacker would get in before one tries.
Frequently asked questions
Does the Cyber Security Strategy apply to small businesses?
Yes. It is aimed squarely at lifting the security of small and medium businesses, and some of its obligations already apply to them. The ransomware payment reporting requirement, for example, applies to any business with an annual turnover of $3 million or more, which captures a large share of established SMEs.
Is reporting a ransomware payment mandatory?
For businesses above the $3 million turnover threshold, yes. A payment must be reported within 72 hours. Reporting does not make the payment legal or advisable, and you should get legal advice before paying, but the reporting obligation itself is now law.
What is the difference between the strategy and the Essential Eight?
The Cyber Security Strategy is the government's ten-year policy direction. The Essential Eight is a specific set of technical controls published by the ACSC. The strategy sets the goals; the Essential Eight is one of the practical tools for meeting them. They work together rather than competing.
Where can I read the official strategy?
The full strategy and its action plan are published by the Department of Home Affairs at homeaffairs.gov.au, and current threat advice and reporting tools are at cyber.gov.au. Those are the authoritative sources for anything in this article.