Revealing Resilience: CAAA Case Study

Company Overview

Commercial Associates Accountants and Advisors (“CAAA”), a fullservice Accounting and Advisory firm recognised by the Australian Financial Review in consecutive years as a Top 50 firm. They offer their clients solutions, advice, and premium services to maximise their commercial lives for over 20 years. 


CAAA having recently seen other firms going through security breach issues approached PhishNet as they wanted to be proactive in their business and protect their staff and clients from online cyber-attacks. The CEO Fleming highlighted his responsibilities under the APES 325 Risk Management for Firms. There are mandatory requirements for members in public practice to establish and maintain a risk management framework, and to provide quality and ethical professional services. We also talked about the potential brand and revenue impacts.


The requirement spanned a number of areas. Directors Fleming and Keith, and the COO Fiona wanted a strategy and process in place to minimise the risk of any incident occurring. With hybrid working arrangements, including staff working from home and a small offshore service team, it was important that the course of action was easy to deliver, effective and measurable. As directors, Fleming and Keith needed to ensure they were able
to fulfil their APES 325 obligations in a clear and measurable manner. They felt the best way to do this was through dedicated cybersecurity awareness training.


Key challenges to be solved:

  • How to deliver staff training that doesn’t lock people away for substantial amounts of time during their working day. 
  • How to ensure the training is comprehensive, yet isn’t delivered as a one off, which often sees people complete and then forget over time. 
  • To be time effective , they needed a solution that was automated – a set-and-forget system that is reliable and effective.

Identification and reporting of high-risk areas was also required so that additional training and help could be provided.


The PhishNet online eLearning solution was selected as the best choice for meeting all of CAAA’s needs and challenges.

  • For management – it met the regulatory requirements, reporting needs, minimal disruption and reliable automated delivery.
  • For staff – it provides a fun and effective training system that takes only 5 minutes per month to complete. It also tests participants’ understanding and actions by randomly issuing real looking fake phishing emails.
  • Additionally, the company has been provided with a comprehensive toolkit of Policy templates, Awareness material and Operational checklists that they have been able to tailor and implement to suit their precise needs.


The CAAA staff are now well informed on the threat vectors of cyber criminals and are vigilant when opening emails.

In the first 6 months, the PhishNet solution delivered:

  • 378 Training Sessions
  • 345 Phishing Simulations

The training covered 6 cyber security threat vectors. These included
2 factor authentication, password usage, and identity theft.

The PhishNet team have shown us that the education of staff is the greatest tool to minimising the chance of cyber threats to the firm. Their programme has helped us be proactive in educating staff to potential risks.

Fiona Tindal,  Chief Operating Officer.