Start Here
Over the first three sessions you built personal skills: locking down your accounts, spotting scams, and seeing through AI-made deception. This session is about what those skills add up to. Because the truth is that no single person can keep an organisation safe; a workplace is only as secure as the habits of everyone in it, and the speed at which they speak up when something looks wrong.
So this session is practical and reassuring. We cover what to do in the first minutes after a suspected incident, exactly who to tell, and why reporting early, even when you are not sure, is the single most valuable thing any staff member can do.
IT can build the walls, but every staff member holds a key. Keeping the workplace safe is a shared job, and your part of it is mostly this: notice, and speak up fast.
What a Security Incident Actually Looks Like
A security incident is rarely dramatic. It usually looks like a small, ordinary thing that does not feel quite right. The most common ones:
You clicked something you should not have
A link in a dodgy email, a dodgy attachment, a fake login page where you typed your password. Even if nothing obvious has happened since, it is worth reporting.
A device is lost or stolen
A work phone left at the shops, a laptop taken from a car. Even locked, a missing device is a security incident; the sooner it is reported, the sooner it can be locked or wiped.
An account is behaving strangely
You are logged out for no reason, you see sign-ins you do not recognise or sent emails you did not write, or your password suddenly does not work.
An unexpected payment or money request
A supplier "bank change", an urgent payment from the "boss", an invoice that does not look right. Even if you did not act on it, IT should know it arrived.
Something is locking up or demanding money
Files you cannot open, a strange message on screen demanding payment to unlock them. This can be ransomware, and it is the most time-critical of all. Report it immediately and do not pay anything.
The most damaging mistake is deciding something is "probably nothing" and staying quiet. If in doubt, report it. A false alarm costs a few minutes; an unreported incident can cost far more. You will never be in trouble for reporting something that turns out to be fine.
Report It Inside Council First
For anything that touches your work account, a work device, or Council systems, your first call is always your own IT team. Not Scamwatch, not the police, not social media; your IT team. They are the ones who can act immediately to contain the problem, and they are the ones who handle any reporting Council is legally required to do (more on that next).
Your Council's reporting details
Phone the IT Service Desk: [ phone number to be confirmed ]
Log a ticket: [ ticket system or link to be confirmed ]
Email IT: [ email address to be confirmed ]
These three details are specific to your workplace and are confirmed with Council IT before delivery. Everything else on this page applies everywhere.
How to report well
In the first few minutes
Report straight away. Phone for anything urgent (a live ransomware message, money about to move, a lost device). Use a ticket or email for less urgent things. When in doubt, phone.
Say what happened plainly. What you saw, what you did, and when. You do not need to diagnose it or use technical words; just describe it.
Do not try to fix it yourself or cover it up. Do not delete the email, forward it around, or keep using a device you think is compromised. Keep the evidence and let IT guide you.
Then follow IT's instructions. They may ask you to change a password, disconnect a device, or simply sit tight. Follow their lead.
Two small skills that help IT help you
When you report a problem, a picture and a few details save everyone time and help IT work out what is going on. Two things worth knowing how to do:
Take a screenshot
A screenshot is a photo of whatever is on your screen. It captures the exact error or dodgy message so IT can see it themselves, instead of you trying to describe it.
On a Windows computer: press the Windows key, Shift, and S together, drag a box around what you want, then paste it into your email or ticket with Ctrl and V. (Pressing PrtScn grabs the whole screen.)
On an iPhone: press the side button and the volume-up button together. On an older iPhone with a home button, press the side button and the home button together.
On an Android phone: press the power button and the volume-down button together.
The picture saves to your photos; attach it to your ticket or email. If it shows personal information, send it only through approved channels.
Write down the error; do not just say "it's not working"
"The computer is broken" gives IT nothing to go on. A few specifics turn a guessing game into a quick fix. Before you call, jot down:
The exact words or error code on the screen. Copy them down letter for letter, or take a screenshot. Codes that look like gibberish are often exactly what tells IT what is wrong.
What you were doing when it happened. Which program, what you clicked, and whether it happens every time or just once.
When it started, and what changed. A new update, a new device, a different place or wi-fi. Small clues like these often point straight to the cause.
You do not need to be sure something is real before you report it. A workplace where people report early, without fear of getting into trouble, is the safest workplace there is. Reporting a mistake quickly is not a failure; it is exactly what good staff do, and it is what limits the damage.
Why Speed Matters: The Legal Clock
There is another reason your fast report matters so much. When a serious incident involves money paid to attackers, or people's personal information, the law puts Council on a clock, and that clock starts the moment the incident is discovered. You do not need to memorise the law; you just need to see why every hour counts.
Ransomware payments: 72 hours
Under the Cyber Security Act 2024, if Council ever makes a payment to a ransomware or cyber-extortion attacker, it must report that payment to the Australian Signals Directorate within 72 hours. This is handled by Council's management and IT, not by you, but it shows why a ransomware message on a screen has to be reported the instant you see it.
Data breaches: as soon as practicable
Under the Notifiable Data Breaches scheme (part of the Privacy Act 1988), if people's personal information is lost or exposed in a way likely to cause them serious harm, the affected people and the Office of the Australian Information Commissioner must be notified as soon as practicable. Northern Territory public bodies also have their own obligations under the NT Information Act. Again, the formal notifying is done by Council, not by you.
You are never the one who reports to the Australian Signals Directorate or the Information Commissioner; that is Council's job. But Council cannot start that clock until someone tells them. Your fast internal report is what lets Council meet its legal obligations and limit the harm. Reporting in the first hour, rather than the next day, can be the difference.
Reporting Outside Council
For a workplace incident, IT handles the outside reporting. But there are trusted national services that are worth knowing for your own personal protection, and for scams that have nothing to do with work. Keep this short list handy.
ReportCyber
The national place to report cybercrime: hacking, online fraud, identity theft, and money stolen online. Goes to police.
Scamwatch
Run by the ACCC. Report any scam here, whether or not you lost money. It helps authorities warn others.
IDCARE
A free service that helps you recover if your identity or personal details (Medicare, tax file number, ID) have been stolen.
eSafety Commissioner
For online abuse, harassment, and image-based abuse (intimate images shared without consent). They can help get content removed.
Anything involving your work account, device, or Council systems: tell Council IT first, and let them guide any outside reporting. For anything that is personal (your own email, your own money, your own identity), use the services above. If a personal incident also touches a work account or device, tell IT as well.
Building It Into the Everyday
The aim of this series was never to turn you into a security expert. It was to build a handful of habits that protect you and Council, and to make the safe choice the easy one. As we finish, here is the whole series in a few lines to carry forward.
The series, in one breath
Session 1. Long, unique passphrases, a password manager, and two-step login on the accounts that matter.
Session 2. Slow down on unexpected, urgent messages. Verify before you click. Never share a password or a code.
Session 3. Good writing proves nothing now. Check a familiar voice. Pause before you share. Keep Council information out of public AI tools.
Session 4. Notice, and report fast. No incident is too small, and there is no blame for speaking up.
To keep learning, cyber.gov.au has plain-language advice and a free alert service you can sign up to. And the rest of this series stays here for you to revisit any time.
What to Take Away
Your incident-response checklist. I will:
- Treat a clicked link, a lost device, a strange account, or an odd payment request as something to report.
- Report anything touching work to Council IT first, fast, by phone if it is urgent.
- Describe what happened plainly; I do not need to diagnose it.
- Take a screenshot and note the exact error message or code, and what I was doing, before I call IT.
- Not try to fix it myself or cover it up; keep the evidence and follow IT's lead.
- Report even when I am not sure, and even if I made the mistake; speed beats certainty and there is no blame.
- Remember a ransomware message on screen is the most urgent of all; report it instantly and pay nothing.
- Use ReportCyber, Scamwatch, IDCARE, and eSafety for my own personal incidents.
- Keep up the everyday habits from the whole series; that is my part of keeping Council secure.
Knowledge Check
Five quick scenarios to see what has landed. Read each, decide what you would do, then check the answer. No score, no wrong answers; it is just a way to check your thinking.
01. This morning you clicked a link in a dodgy email and typed your password before realising. Hours have passed and everything seems normal. It feels too small to bother IT. Do you report it?
Answer:
Yes, report it now. "Seems normal" does not mean it is; attackers often wait. Entering your password on a fake page is a genuine incident, and the sooner IT knows, the sooner they can reset access and watch for misuse. It is never too small, and you will not be in trouble. Reporting late is far worse than reporting something that turns out to be harmless.
02. You left your work phone at the shops. It is locked with a PIN. Is that worth reporting?
Answer:
Yes, report it straight away. A lost or stolen device is a security incident even when it is locked. Reporting it quickly lets IT lock it remotely, wipe it if needed, and keep an eye on the accounts it could reach. A locked phone buys time; it is not a guarantee. Speed is what protects the information on it.
03. A colleague calls you over: files on their screen will not open, and there is a message demanding payment to unlock them. What is the priority?
Answer:
Report it to IT immediately, by phone, and do not pay anything. This looks like ransomware, the most time-critical incident of all. Do not try to fix it, and do not keep using the machine. There is a legal clock here too: if Council ever paid such an attacker, it must report that within 72 hours under the Cyber Security Act 2024. Your instant report is what lets Council contain it and meet its obligations. The decision about payment is never yours or the colleague's to make alone.
04. At home, you fell for a scam and your Medicare and tax file number have been stolen. This is personal, not work. Where do you go?
Answer:
Contact IDCARE (1800 595 160), and report it to ReportCyber and Scamwatch. IDCARE is a free service that helps you recover from identity theft step by step. Because it is personal, you do not report it to Council IT, unless you reused a work password, or it touches a work account or device, in which case tell IT as well so they can protect the work side.
05. The incident was your fault: you approved a payment that turned out to be a scam. You are worried about getting into trouble. Should you stay quiet and hope it sorts itself out?
Answer:
No. Report it immediately; staying quiet is the only real mistake. The faster a fraudulent payment is flagged, the better the chance of stopping or recovering it; minutes matter. The no-blame principle exists for exactly this moment: organisations want people to report mistakes early, not hide them. You are helping everyone by speaking up, and the embarrassment passes far faster than the damage of a delay would.