It’s 4:47pm on a Friday.
Gary in accounts is three coffees deep, mentally already at the pub, and an email lands from “Microsoft Support” asking him to reset his password.
He clicks. He types. He goes home.
By Monday, your payroll system is locked, your team’s tax file numbers are circulating on a Telegram channel based in nobody-knows-where, and someone called Brad from IT is using the phrase “threat actor” with the calm of a man who has not slept.
Welcome to a modern cyber breach.
Not a hooded genius in a basement. Just Gary. And the worst part is, Gary is not even the villain of this story. You are. Because nobody told you that when the breach hits, half the problem stops being technical and starts being deeply, awkwardly human.
That’s the bit HR Gurus deals with. And it’s the bit founders never see coming.
Quick answer for the people scanning
What are the HR implications of a cyber attack?
When an Australian business is hacked, HR carries the people side of the fallout. That includes notifying staff about exposed personal data (tax file numbers, salaries, medical certificates, performance files), managing payroll disruption, meeting Privacy Act 1988 obligations, running internal investigations if the breach came from inside, rebuilding employee trust, and sometimes terminating staff involved. Most Australian SMEs have no plan for any of it.
Australia is getting absolutely hammered
The Australian Signals Directorate logged more than 84,000 cybercrime reports last year. That’s one every six minutes. While you read this sentence, someone’s getting hit.
And the businesses making headlines are not the ones you’d expect to fall over.
Medibank, 2022. 9.7 million customers had personal and health claims data leaked, including procedures so sensitive that the criminals threatened to release them by category. Imagine being the HR team explaining that one to staff who were also customers.
Optus, 2022. Roughly 10 million records exposed, including passport and Medicare numbers. Employees became the unpaid front line of public rage. A lot of them quit shortly after.
Latitude Financial, 2023. 14 million records stolen, including driver’s licence numbers going back to 2005. Customers were furious. Staff were exposed in the same dataset. Try running a town hall about that.
MediSecure, 2024. Health prescription data for around 12.9 million Australians lifted. The company entered administration not long after. That’s the polite phrase for “did not survive”.
Sydney University. Over 13,000 staff and former students had personal and employment information exposed.
iiNet. Hundreds of thousands of customer logins and account details accessed.
Then there are the businesses you’ve never heard of. The 40-person logistics firm in Dandenong. The accounting practice in Newcastle. The recruitment agency that lost the entire candidate database. These ones don’t make the news. They make the redundancy list six months later.
The thing your IT provider will never tell you
IT will get the systems back up. They will not:
- Tell your staff their data is on the dark web
- Manage the payroll panic
- Handle Privacy Act notifications
- Investigate whether one of your own employees sold the login
- Rebuild trust with a workforce that just learned their disciplinary file was readable for 48 hours
- Sit across from a sobbing 27-year-old payroll officer who feels personally responsible
That’s HR. That is entirely, unavoidably, awkwardly HR.
And most Australian SMEs do not have anyone holding that playbook.
The four things founders never see coming
1. Trust collapses in about a day.
People assume their employer will protect their personal information the way a parent guards a Medicare card. When that breaks, it breaks fast. Retention, morale, recruitment and leadership credibility all take a hit at once. And vague corporate communication makes it ten times worse. Humans fill information gaps with anxiety. Then they fill them with WhatsApp groups. Then they fill them with resignations.
2. Payroll panic is a special kind of chaos.
Nothing destabilises a workforce faster than “we may not be able to process pay this week”. Mortgages, childcare, rent. Everyone’s calm professional veneer evaporates around 11am on a Wednesday. We’ve seen high-performing teams unravel inside 72 hours over a payroll delay that turned out to be 36 hours long. The damage doesn’t match the disruption, but it doesn’t have to.
3. The HR folder is a horror movie.
Salaries. Medical certificates. Investigation notes. Termination letters. Visa documents. Performance plans. The disciplinary file on Sarah from marketing. The settlement deed for the guy who left in 2021. All of it sitting in one cloud folder that one phishing email can crack open.
When staff find out, workplace relationships do not gently fray. They snap.
4. Leaders go weird.
This is the bit nobody warns you about. Smart, decisive founders, under pressure, start sounding like a press release. “There is no immediate concern at this stage.” “We are continuing to investigate.” “There is no evidence of misuse.”
Meanwhile half the office is whispering in the kitchen and the other half is updating their LinkedIn.
Clear, honest communication beats corporate hedging every single time.
Even when the truth is “we don’t know yet, here’s what we’re doing and you’ll hear from me again at 4pm”. Staff can handle uncertainty. They cannot handle a founder who suddenly sounds like an ASX announcement.
One founder we worked with
A client of ours, around 40 staff, got hit with a phishing breach that exposed their cloud HR system for about 48 hours. Salaries, contracts, disciplinary records, the lot.
The founder’s first instinct was to say nothing until they “knew more”.
We told her to do the opposite. Brief the team inside 24 hours. Name what was exposed. Explain the response. Tell them what was being done and when they’d hear next.
Result: zero resignations, no Fair Work claims, and leadership scored higher in the next pulse survey than before the breach.
Honesty did what spin couldn’t. It almost always does.
“We’re too small to get hacked”
The most dangerous sentence in Australian business right now.
Cyber criminals love small businesses. The security is weaker, the systems are older, the training is non-existent, the passwords are usually a child’s name plus the year, and leadership assumes IT has it covered.
IT has not got it covered. IT has a help desk and a monthly retainer. That is not a security strategy.
Cyber is now a leadership issue. A culture issue. A training issue. An HR issue. A business continuity issue.
Not just an IT one.
What you should actually be doing this quarter
You don’t need to become a cyber expert. You do need:
- Proper cyber and acceptable-use policies that staff have actually read
- Mandatory training, not the “complete this when you have time” kind that nobody completes
- MFA enforced on everything, including the founder’s email (especially the founder’s email)
- A breach response plan with named owners for each role
- Pre-written communication templates so you’re not drafting under panic
- Secure storage of HR files with proper access controls
- Privacy Act compliance documented, not assumed
Because once the breach hits, you stop preparing. You’re just surviving.
Free webinar: The HR and legal fallout of cyber attacks
Wednesday 20th May. 45 minutes. Free.
We’re sitting down with Blaine Hattie, Partner and Commercial lawyer from Sutton Lawrence King Lawyers, who has walked Australian businesses through some of the worst cyber breaches you’ll ever hear about. He’s seen what works, what doesn’t, and what ends up costing six figures and a CEO.
He’s also built a practical tool SMEs can use this week to lower their exposure.
We’ll cover:
- The legal risks most founders miss until it’s too late
- HR implications nobody warns you about
- What to actually say to staff when their data is exposed
- Practical protections for businesses under 100 staff
- The tool you can use this week
Hoping you won’t get hacked is not a strategy. Brad from IT is not your strategy. Blaine and HR Gurus, working together, are about as close to a strategy as a busy founder is going to get for free.
Want HR support that holds up when things go sideways?
HR Gurus builds practical people systems that protect the business when the worst happens. Straight-talking advice. Commercially smart support. No BS.
Meet Blaine: https://www.slklawyers.com.au/blaine-hattie/

