Cyber Security SME Grant Victoria: Free Support up to value of $2,100

Overview

Victorian SMEs facing escalating cyber threats now have access to two government-backed support programs: a no-cost expert matching service through the Summer of Cyber Program, and up to $2,100 in federal funding for certified cyber health checks. This guide tells you exactly who qualifies, what kills applications, and how to submit before funding runs out.

At a Glance: Victoria Cyber Security SME Support 2026

Feature | Summer of Cyber (VIC) | Cyber Health Check Grant (Federal)
Value | Free expert support (no cash) | Up to $2,100 (50% rebate)
Status | Applications open (closes 28 Sep 2025) | Active while funds last
Difficulty | Low-Medium | Low
Timeline | 10-12 week project (Dec 2025 – Mar 2026) | Apply, then book certified assessor
Who Delivers | Business Victoria + AWSN | Federal Government via CREST
Employee Limit | SME (no hard cap stated) | 19 or fewer FTE

The “Hard” Eligibility Filter: Will You Win or Fail Before You Even Apply?

This is the section most business owners skip. Don’t. Running through these filters right now will save you hours of wasted effort or, worse, the public embarrassment of a rejected application.

Summer of Cyber Program (Victorian Government)

Must-Haves:

  • Your business must be registered in Victoria with a valid Australian Business Number (ABN) or hold an Office of the Registrar of Indigenous Organisations (ORIC) registration
  • You must have an active, identifiable cyber security challenge, project, or problem that a skilled student could meaningfully work on
  • You must be able to provide a physical workspace for a student (a desk, equipment access, and internet connectivity) for the duration of the engagement
  • You must commit to meeting with the project team at least twice per week for 10-12 weeks
  • You must be available between December 2025 and March 2026 for the full project delivery window
  • You must be willing to provide in-kind mentorship and guidance to the student throughout the engagement

Dealbreakers:

  • Businesses registered outside Victoria are ineligible, regardless of where they operate
  • If you cannot commit a physical workspace or meeting time, your application will not proceed
  • Businesses applying without a concrete, scoped cyber challenge will be deprioritised
  • If you have no capacity to mentor or guide a student, the program cannot match you

Federal Cyber Health Check Grant (up to $2,100)

Must-Haves:

  • Your business must have 19 or fewer full-time equivalent (FTE) employees (this is a hard cap, not a guideline)
  • You must register for a certified health check through an approved CREST-certified assessor before applying for reimbursement
  • The health check selected must match your business size (micro, small, or standard, based on device count)
  • You must hold a valid ABN

Dealbreakers:

  • Businesses with 20 or more FTE employees are categorically excluded, with no exceptions
  • Purchasing a health check from a non-CREST-certified provider makes the expense ineligible for reimbursement
  • Retrospective applications for health checks already completed before registering are not accepted

Unsure of your eligibility? Check Your Eligibility Probability Here.

The “Application Killer” Section: 3 Non-Obvious Reasons Victorian SMEs Get Rejected

Every year, well-meaning Victorian business owners invest hours into applications only to fail on traps that are never spelled out in the program guidelines. Here are the three most common and most avoidable killers.

1. The “Vague Problem Statement” Trap

The single most common reason Summer of Cyber applications stall is that the business submits a problem statement that is too vague to match with a student. Saying “we want to improve our cyber security” is not a project. A matchable cyber challenge looks like this: “We need a review of our current remote access policy and VPN configuration because three staff now work from home permanently and we haven’t updated our security framework since 2019.” The program administrators and the Australian Women in Security Network (AWSN) are matching skilled tertiary students and recent graduates to real, time-bound problems. They cannot match a student to a feeling of unease. Before you apply, write down the specific system, process, or gap you want addressed. If you can describe it in one clear sentence, you are ready.

Consider a Melbourne-based bookkeeping firm with five remote accountants. That business would have strong grounds to request a student to assess their client data handling procedures and implement a structured access-control policy for their cloud-based practice management software. That is concrete. That is matchable. A general request to “look at our security” is not.

2. The “Provider Certification” Trap (Federal Health Check)

For the Federal Cyber Health Check Grant, the most costly mistake is purchasing a cyber health check from a provider who is not CREST-certified. Many IT consultants and managed service providers offer services they call “cyber security audits” or “security assessments.” These are not the same product as a certified small business cyber security health check under this program. The government only reimburses up to 50% of costs for assessments conducted by assessors listed on the official CREST small business directory. If your IT provider is not on that registry, the entire cost becomes your own. The gap between what an SME owner thinks they bought and what the government will fund has cost many applicants the full reimbursement. Always verify your assessor’s certification status before spending a dollar.

A common industry example: a small retail chain in regional Victoria pays $2,800 for a thorough security audit from their trusted IT support company, fully expecting to claim back half. The audit company is reputable but not CREST-certified for this specific program. The reimbursement claim is denied. The business is out $2,800 instead of $700.

3. The “Timing Window” Trap (Summer of Cyber)

The Summer of Cyber Program has a rigid delivery window: projects must be completed by the end of March 2026. The application deadline is 28 September 2025. What many SMEs miss is the implicit commitment they are making when they apply. If your business enters a peak trading period between December and March, if you are planning a major staff restructure, or if a key contact person is unavailable for extended periods across that window, you are not operationally ready for this program. AWSN requires matched businesses to be genuinely present, not merely enrolled. Businesses that accept a match and then become unavailable create serious problems for the students and supervisors involved, and they burn relationship capital with Business Victoria. If December through March is your busiest period (think: hospitality, retail, seasonal agriculture services), either plan your participation around your capacity or wait for the next intake.

Step-by-Step Submission Guide: How to Apply for Victorian Cyber Security SME Support

Pathway A: Summer of Cyber Program (Victorian Government)

Step 1: Scope Your Cyber Challenge
Before touching an application form, write a one-to-two paragraph description of your specific cyber security problem or project. Be concrete. Reference the systems involved, the number of users, and what outcome you are trying to achieve.

Step 2: Confirm Your ABN and Victorian Registration
Your ABN must be current and your business address must be registered in Victoria. Check your ABN status via the Australian Business Register if there is any doubt.

Step 3: Submit Your Expression of Interest
Navigate to the Business Victoria Summer of Cyber Program page and submit your SME expression of interest before the 28 September 2025 deadline. You will be asked to describe your cyber challenge and confirm your capacity to host a student. Applications close firmly on this date.

Step 4: Matching and Onboarding
After the September close date, AWSN will review applications and begin matching SMEs with suitable women and gender-diverse tertiary cyber students or recent graduates. Pre-project training webinars run throughout November 2025. Your matched student will be announced ahead of the December project start.

Step 5: Project Delivery
Work with your matched student across the three program phases: Assess, Implement, and Embed and Assure. Projects run for 10-12 weeks (minimum 180 hours of student work). You will be expected to attend regular check-ins, participate in milestone reviews, and attend the program showcase in late March or April 2026.

Documents to Have Ready:

  • ABN registration confirmation
  • Brief written description of your cyber challenge
  • Contact details for the primary business mentor
  • Confirmation of available workspace and equipment for the student

Pathway B: Federal Cyber Health Check Grant (up to $2,100)

Step 1: Register for a Health Check
Visit the CREST small business website and register your interest in a certified health check. There are three tiers: micro (few devices), small (moderate device count), and standard (broader scope). Select the tier appropriate to your business size.

Step 2: Book Your Certified Assessor
Select a CREST-certified assessor from the official registry. Do not book with anyone not on this list. The assessment itself will identify your current cyber maturity and areas requiring immediate attention.

Step 3: Complete the Assessment
The health check examines your current preventative strategies, your exposure to common attack vectors such as phishing and business email compromise, and your data backup practices. Most small business health checks are completed in a single session.

Step 4: Submit Your Reimbursement Claim
After receiving your health check report, submit your reimbursement claim with proof of payment and the assessor’s certification details. The government will reimburse up to 50% of the cost, capped at $2,100 for the highest tier.

Documents to Have Ready:

  • Invoice from your CREST-certified assessor
  • Proof of payment
  • Completed health check report
  • ABN and business registration details

FAQ and Glossary: Answers to the Questions Victorian SMEs Are Actually Asking

Is the Summer of Cyber Program a cash grant?
No. The Summer of Cyber Program provides expert support at no financial cost to your business, but does not transfer cash. The value is in the labour, expertise, and cyber uplift delivered by a skilled student across 10-12 weeks. For cash reimbursement, the Federal Cyber Health Check Grant (up to $2,100) is the relevant program.

Is this grant taxable income?
The Summer of Cyber Program does not deliver cash, so there is no taxable income question for the SME. For the Federal Cyber Health Check Grant reimbursement, you should speak with your accountant about how to treat the rebate, as treatment can vary depending on your business structure and whether the original expense was claimed as a deduction.

Can sole traders apply?
Yes. The Summer of Cyber Program is open to all Victorian SMEs with a valid ABN, which includes sole traders. The Federal Cyber Health Check Grant is similarly open to sole traders with 19 or fewer FTE employees.

What if I already had a cyber security assessment done last year?
For the Summer of Cyber Program, a previous assessment does not disqualify you. If you have a current, documented cyber challenge, you can still participate. For the Federal Health Check Grant, retrospective reimbursement for assessments already completed is not available. The assessment must be registered and conducted through the program pathway.

Do I need to be in metro Melbourne to participate?
No. Both programs are available to Victorian businesses in regional and metropolitan areas. The Summer of Cyber Program requires a workspace for the student, but this can be anywhere in Victoria.

What is a CREST-certified assessor?
CREST is an international not-for-profit accreditation body for the technical security industry. Under the Federal Cyber Health Check program, only assessors who hold CREST certification for the small business health check product are eligible. This is a specific certification, separate from general IT or cybersecurity credentials.

What is business email compromise (BEC)?
Business email compromise is a type of scam where a criminal poses as a known contact, such as a supplier or executive, to trick employees into transferring money or sensitive data. It is one of the most financially damaging forms of cybercrime targeting Australian SMEs. A cyber health check will assess your current exposure to BEC risk.

What is multi-factor authentication (MFA)?
Multi-factor authentication requires a user to verify their identity through two or more independent methods before accessing a system. It is one of the most effective low-cost defences against account compromise and is assessed as part of most cyber health checks.

What does “cyber resilience” mean in a grant context?
Cyber resilience refers to a business’s ability not just to prevent attacks, but to detect, respond to, and recover from cyber incidents quickly and with minimal disruption. Grant programs in this space fund activities that build both prevention and recovery capability.

Internal Resources: Going Deeper on Victorian and Digital Funding

If you are navigating the Victorian SME funding landscape more broadly, these resources on Australian Grants will help you build a complete picture of what is available right now.

For an overview of all technology and digital funding streams available to Australian small businesses, see our guide to small business digital grants. This resource is particularly useful for businesses considering complementary programs alongside cyber-specific support.

Victorian business owners assessing their full grants landscape should also review our comprehensive overview of SME Victorian Government grants, which covers the breadth of state-level support programs beyond cyber security.

And for businesses that have identified cyber security as a strategic priority but want to understand the broader national funding picture, our dedicated resource on cyber security funding for businesses provides a thorough breakdown of both state and federal programs.







