Vendor Risk Management for SMEs: The Lite Version That Actually Works

Enterprise vendor risk management assumes you have a four-person governance, risk and compliance team. Most Melbourne SMEs have zero. This is a deliberately stripped ‘lite’ framework for businesses with 20 to 200 staff: three vendor tiers, a one-page questionnaire, the only evidence that matters, and the playbook for when a critical vendor fails the assessment.

Why the enterprise playbook fails for SMEs

Open any vendor risk management framework written for a bank or a listed company and you will find a 130-question security questionnaire, a quarterly review cadence, on-site audits, and a control library mapped to NIST CSF, ISO 27001, SOC 2, PCI DSS and the APRA standards. It works because there is a team paid full-time to run it.

An accounting firm in Hawthorn with 45 staff cannot run that programme. The office manager who ‘owns IT’ has neither the hours nor the technical background to read a SOC 2 Type II report properly, let alone challenge the boundaries it covers. And yet that same firm now uses 60 to 90 SaaS products that touch client data: Xero, a practice management system, an e-signature tool, four AI products, a payroll bureau, a document portal, a cloud archive, a CRM, and so on. The risk surface is the same as a mid-market enterprise. The team to manage it is not.

The lite framework below is what we run with our co-managed clients. It is opinionated, it ignores parts of the textbook on purpose, and it produces a defensible position that holds up in a cyber insurance application or a Privacy Act incident review. We have refined it across 12 years of running managed IT services in Melbourne since founding TechAssist in 2014, and it has now been deployed across professional services, healthcare admin, light manufacturing and not-for-profit clients.

The three-tier vendor categorisation

The single most useful move you can make is to stop treating all vendors the same. About 80% of the SaaS in a typical SME is low-risk; about 5% will hurt badly if it is breached or goes down. Sort the list once, properly, and you can focus your effort on the 5%.

Tier 1: Critical

A vendor is Tier 1 if any one of these is true:

  • They process or store regulated personal data at scale (health records, financial accounts, legal matters, identity documents)
  • Their outage stops the business from operating within 24 hours (your finance system, your line-of-business platform, your phone system, Microsoft 365)
  • They have privileged access into your network, your identity provider, or your endpoints (your MSP, your security tooling, your remote support tools)
  • They handle payments or move money

Expect 5 to 12 Tier 1 vendors in a typical SME. These get the full questionnaire, evidence requirements, and an annual review.

Tier 2: Important

A vendor is Tier 2 if they hold business data that you would care about leaking, but their outage is tolerable for a few days, or the data set is limited. Examples: your CRM, your marketing automation tool, your e-signature service, an HR information system that holds employee records, project management tools.

Expect 15 to 30 Tier 2 vendors. They get the short questionnaire and a light evidence check (the security page on their website is acceptable if it lists the right certifications).

Tier 3: Everyone else

Free productivity tools, internal-only utilities, vendors that hold nothing more sensitive than a contact list. The control is the procurement gate (someone signs off before the credit card goes in) and an annual list review. No questionnaire, no evidence, no annual reassessment.

Expect 30 to 60 Tier 3 vendors. The point is to have them on the list, not to spend any meaningful time on them.

The 12-question questionnaire that fits on one page

Long questionnaires (the SIG, the CAIQ, an internal 140-item monster) do not produce better risk decisions for SMEs. The vendor copies their answers from the last questionnaire, you have no way to verify most of it, and you sign anyway because you need the product. Strip it down to 12 questions that you will actually read.

| # | Question | What you are checking |
|---|----------|-----------------------|
| 1 | Where is our data physically stored? List countries and providers (AWS, Azure, GCP, on-prem). | Australian Privacy Principle 8 obligations on cross-border disclosure |
| 2 | Do you hold a current SOC 2 Type II, ISO 27001, or IRAP assessment? Please attach. | Independent third-party assurance of controls |
| 3 | What is your data breach notification timeline to customers, in hours? | Whether they can meet your 72-hour OAIC obligation |
| 4 | Do you support single sign-on through Entra ID or Okta on our plan? | Identity hygiene; ability to off-board staff cleanly |
| 5 | Do you support multi-factor authentication for all users, including admins, on our plan? | The number-one preventable control |
| 6 | Is customer data encrypted at rest and in transit? Which algorithms? | Baseline cryptography |
| 7 | What is your data return and deletion process at contract end? Confirm timeline in days. | Off-boarding readiness |
| 8 | Do you subcontract any processing? List sub-processors and their function. | Fourth-party risk; same Privacy Act exposure |
| 9 | What is your published uptime target and the contractual remedy for missing it? | Service level reality vs marketing |
| 10 | How frequently do you back up customer data and what is the recovery point objective? | What you actually lose in a vendor incident |
| 11 | Have you had a security incident affecting customer data in the last 24 months? | History; willingness to disclose |
| 12 | Who is the named contact for security issues and what is their response time SLA? | Whether anyone will pick up the phone at 2 a.m. |

Twelve questions. One page. Most credible vendors can answer it in 30 minutes; if a Tier 1 vendor takes three weeks to respond or sends boilerplate that does not address the question, that is your answer. We have seen serious Australian SaaS vendors fill this out in a working day. We have also seen offshore platforms ignore it entirely. Both outcomes are useful information.

What ‘evidence’ you actually need

The textbook says: review their SOC 2 report, walk through their controls, validate their penetration testing, examine their incident response runbooks. In practice, for an SME, the evidence stack is much simpler. Either the vendor has an independent third-party attestation that you can rely on, or they do not.

Accept (Tier 1 and Tier 2)

  • SOC 2 Type II covering at least the last 12 months and covering the product you are using. Type I is a snapshot and is worth far less. The scope matters – if the SOC 2 covers their corporate environment but not the production service you are buying, it is window dressing.
  • ISO 27001 certification with a recent certificate (within the three-year cycle) and a scope statement that includes the relevant systems. Insist on the scope statement, not just the certificate number.
  • IRAP assessment at PROTECTED or higher, for any vendor handling government-adjacent or sensitive data.

Acceptable with caveats (Tier 2 only)

  • A current public security page that lists controls in detail and names specific frameworks they align with.
  • A signed letter from their CISO or equivalent stating the controls in place, where no certification exists.

Not acceptable for Tier 1

  • ‘We follow industry best practice.’
  • ‘We are SOC 2 compliant’ with no report attached.
  • ‘Our hosting provider (AWS) is certified.’ AWS being certified does not certify the customer running on AWS.
  • A self-assessment questionnaire as the only evidence.

This is where most SME vendor programmes drift. The temptation is to accept a marketing page and move on because the alternative is to delay a project. Hold the line on Tier 1. Be pragmatic on Tier 2.

The playbook for when a key vendor fails

Here is what the textbook gets wrong: it implies that a failed vendor risk assessment means you switch vendors. In SME reality, you almost never do. You have a contract, you have integrations, you have user training, and switching costs are punishing. The realistic outcome of a failed assessment is risk acceptance with compensating mitigations.

The playbook we run with clients has five steps.

Step 1: Identify the specific gap

Not ‘they failed the questionnaire.’ Specifically: they have no SOC 2, their breach notification is 30 days, they do not support SSO on our tier, they will not name their sub-processors. Write down the actual gap.

Step 2: Quantify the exposure

What is the worst credible outcome if this gap is exploited? Loss of which data set, of what volume, with what regulatory and reputational consequences? Document the number of records and the personally identifiable information categories.

Step 3: Design compensating controls

Most gaps can be mitigated on your side. If they do not support SSO on your tier, enforce a strong password manager policy, rotate the shared credentials quarterly, and put an alert on the account. If their breach notification is 30 days, monitor publicly available breach feeds yourself. If they will not name sub-processors, restrict the data set you send them. If they do not have MFA on admin accounts, do not send them your most sensitive data.

Step 4: Document the acceptance

A risk acceptance document that names the gap, the mitigations, the residual risk, the business benefit of continuing, and the executive who signed off. This is what makes the position defensible later. Insurance underwriters and OAIC investigators do not expect perfection; they expect documented, considered decisions.

Step 5: Set a review date

Twelve months from now, are the mitigations still in place? Has the vendor improved their controls? Should the risk acceptance be renewed, withdrawn, or escalated?
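To show how the tiering rules, the evidence rules and playbook steps 1, 4 and 5 combine into a single register entry, here is an added Python illustration (not TechAssist's own tooling). The Vendor fields, evidence labels and sample vendors are constructed names standing in for questionnaire answers.

```python
"""Vendor register evaluator for the lite framework: tiering, evidence rules,
gap list (playbook step 1) and acceptance record with review date (steps 4, 5).

Added illustration, not TechAssist's own tooling. The Vendor fields and the
evidence labels are constructed names standing in for questionnaire answers.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

OAIC_NOTIFICATION_HOURS = 72   # your own notification window; the vendor must beat it

# Evidence accepted per tier, following the article: Tier 1 needs independent
# attestation; Tier 2 may rely on a detailed security page or a CISO letter;
# Tier 3 gets no evidence check at all.
ACCEPTED_EVIDENCE = {
    1: {"soc2_type2", "iso27001", "irap"},
    2: {"soc2_type2", "iso27001", "irap", "soc2_type1",
        "public_security_page", "ciso_letter"},
}


@dataclass
class Vendor:
    name: str
    # Tier 1 triggers (any one is enough)
    regulated_data_at_scale: bool = False
    outage_stops_business_24h: bool = False
    privileged_access: bool = False
    handles_payments: bool = False
    # Tier 2 trigger
    holds_sensitive_business_data: bool = False
    # Questionnaire answers (constructed field names, keyed to Q1-Q8)
    storage_countries: list = field(default_factory=list)   # Q1, ISO country codes
    evidence: Optional[str] = None                         # Q2, label from ACCEPTED_EVIDENCE
    evidence_scope_covers_product: bool = True             # Q2, scope statement checked
    breach_notification_hours: Optional[int] = None        # Q3
    sso: bool = False                                      # Q4
    mfa_all_users: bool = False                            # Q5
    sub_processors_named: bool = True                      # Q8


def tier(v: Vendor) -> int:
    """Tier 1 on any critical criterion, Tier 2 on sensitive data, else Tier 3."""
    if (v.regulated_data_at_scale or v.outage_stops_business_24h
            or v.privileged_access or v.handles_payments):
        return 1
    return 2 if v.holds_sensitive_business_data else 3


def gaps(v: Vendor) -> list:
    """Step 1: name each specific gap rather than 'failed the questionnaire'."""
    t = tier(v)
    if t == 3:
        return []          # procurement gate and list review only
    found = []
    if v.evidence not in ACCEPTED_EVIDENCE[t]:
        found.append(f"no acceptable evidence for Tier {t} (have: {v.evidence or 'none'})")
    elif not v.evidence_scope_covers_product:
        found.append("attestation scope does not cover the production service")
    hrs = v.breach_notification_hours
    if hrs is None:
        found.append("breach notification timeline not stated")
    elif hrs > OAIC_NOTIFICATION_HOURS:
        found.append(f"breach notification {hrs}h exceeds the {OAIC_NOTIFICATION_HOURS}h OAIC window")
    if not v.sso:
        found.append("no SSO on our plan")
    if not v.mfa_all_users:
        found.append("MFA not available for all users")
    if not v.sub_processors_named:
        found.append("sub-processors not named")
    if any(c.upper() != "AU" for c in v.storage_countries):
        found.append("APP 8: data stored outside Australia")
    return found


def register_entry(v: Vendor, assessed_on: date, signed_off_by: Optional[str] = None) -> dict:
    """Steps 4 and 5: the acceptance record and the 12-month review date.

    A Tier 1 or 2 vendor with gaps is only 'risk accepted' once a named
    executive has signed; until then the gap stays 'open' on the register.
    """
    t, g = tier(v), gaps(v)
    if not g:
        status = "compliant"
    elif signed_off_by:
        status = "risk accepted"
    else:
        status = "open"
    return {
        "vendor": v.name,
        "tier": t,
        "gaps": g,
        "status": status,
        "signed_off_by": signed_off_by if g else None,
        "review_date": assessed_on + timedelta(days=365) if t < 3 else None,
    }
```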

A 70-staff law firm in Camberwell we work with ran this playbook recently on a US-based legal AI vendor. The vendor had no SOC 2, no SSO on the relevant tier, and stored data in US-East. The partners wanted the product. The compensating controls: a dedicated tenant configuration that limited what content could be sent to the tool, an enforced data classification policy on the matter management side, quarterly review of the vendor’s audit log exports, and a contractual addendum on breach notification. Risk accepted, documented, signed by the managing partner, reviewed annually. That is a defensible position.

The Australian Privacy Act 1988 angle

The Privacy Act amendments that came through in 2024 and 2025 changed the conversation for SMEs. The small business exemption is being narrowed; the maximum penalty for serious or repeated breaches is now the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach period. Vendor risk management is now a Privacy Act obligation in practice if not in name. The OAIC has been clear: if your vendor has a breach involving your customers’ data, you are the entity that has obligations to notify and remediate, not the vendor.

Australian Privacy Principle 8 (cross-border disclosure) is the clause that catches most SMEs. Sending personal information overseas – which you do every time you sign up for a US SaaS – generally requires that you take reasonable steps to ensure the overseas recipient does not breach the APPs. Your vendor risk assessment is the ‘reasonable steps’ evidence. Without it, you are exposed.

For the detail on what this means in practice, see our companion piece on the Australian Privacy Act for SMBs and what your IT team must do. The vendor risk programme described here is one of the four foundational pieces of that broader compliance posture, alongside data minimisation, identity hygiene, and breach response readiness.

The cyber insurance vendor list creep problem

Cyber insurance applications now routinely ask for a vendor list. Some carriers want the top 10 by data sensitivity; some want every vendor with access to your systems; the more thorough underwriters want the questionnaire results for your Tier 1 vendors. Three observations from running these applications for clients over the past two years.

First, the list grows every year and the questions get sharper. A 2023 application that asked ‘do you use any third-party SaaS providers’ became a 2025 application that asks ‘list all third-party providers with access to personal information, the data categories involved, and your last review date for each.’ Expect this trajectory to continue. Your vendor list and tiering work is also insurance application work.

Second, an inaccurate disclosure on the insurance application can void the policy. We have seen clients tick ‘all critical vendors reviewed in the last 12 months’ when the answer was closer to ‘three of them.’ If a breach involves an unreviewed vendor, the carrier may decline. Be honest on the form, even if the answer is uncomfortable.

Third, insurers increasingly want evidence that you have an MSP or internal team running this programme. A client of ours in Box Hill had a cyber renewal in late 2025 where the carrier asked for proof of an MSP relationship covering vendor risk before they would renew on the existing premium. The co-managed IT support arrangement we had in place satisfied the underwriter; without it, the renewal would have been 40% more expensive.

What to run yourself versus what to delegate

The split we recommend for a 30 to 150 staff SME is:

| Activity | Cadence | Owner |
|----------|---------|-------|
| Maintain the vendor list (additions, terminations) | Continuous | Internal (finance or operations) |
| Procurement gate for new vendors | Per request | Internal sign-off, MSP triage |
| Tier assignment for new vendors | Per request | MSP |
| Questionnaire issuance and review | Annually for Tier 1, on signup for Tier 2 | MSP |
| Evidence collection and storage | Annually | MSP |
| Risk acceptance documentation | Per finding | Internal (executive) with MSP support |
| Breach intelligence monitoring | Continuous | MSP NOC |
| Annual programme review | Yearly | Joint |

The work the MSP does is the technical assessment and the document handling. The work the business owns is the procurement decision and the risk acceptance. That separation matters. Risk acceptance is a business decision, not an IT decision; the MSP should not be signing it off, but should provide the analysis that informs it.

Our own approach at TechAssist is to maintain a vendor register for each managed client, run the questionnaire cycle from our 24/7 NOC at Tecoma, and bring findings to the client quarterly. When a P1 event involves a vendor (a Microsoft 365 outage, a confirmed third-party breach, a vendor that fails an audit), our sub-15-minute P1 response runs from the same NOC, and our 13 Australian engineers are the team that does the assessment work. No offshore questionnaire mills, no automated tooling that emails the vendor and walks away from the answer.

A realistic first 90 days

If you have nothing in place today and you want to start, here is the shape of the first quarter.

Weeks 1 to 2: List every SaaS, every vendor with a login, every contractor with system access. Pull it from your accounting system (every recurring expense), your password manager, and your single sign-on tenant. Expect to find 30 to 50 more than anyone thought existed.

Weeks 3 to 4: Tier the list. Most vendors will be Tier 3 in five minutes. The Tier 1 conversation is the one that takes time and judgement.

Weeks 5 to 8: Issue the 12-question questionnaire to Tier 1. Chase, read, file. Note the gaps.

Weeks 9 to 12: Risk acceptances or remediations for each Tier 1 gap. Document the position. Schedule the 12-month review. Brief the executive on residual risk.

At the end of 90 days you have a defensible vendor risk position, a paper trail for insurance and Privacy Act purposes, and a list that you can maintain in two to four hours a month rather than rebuilding from scratch every year. That is the goal of the lite programme: defensible, sustainable, and proportionate.

Frequently Asked Questions

Do we need a vendor risk programme if we are under the small business turnover threshold for the Privacy Act?

The small business exemption (under $3 million turnover) is being narrowed by the Privacy Act reforms, and even today the exemption does not apply to health service providers, businesses that buy or sell personal information, contractors to the Commonwealth, and a few other categories. More practically, your customers, your insurers, and your enterprise prospects increasingly require vendor risk evidence regardless of whether the Act technically applies to you. We recommend a lite programme for every SME with more than 20 staff.

Is a SOC 2 Type I report sufficient for Tier 1 vendors?

No. SOC 2 Type I is a point-in-time review and tells you very little about how the vendor actually operates the controls over time. For Tier 1, insist on a SOC 2 Type II covering at least six months and ideally twelve. Type I is acceptable for Tier 2 alongside other evidence.

What do we do about vendors that refuse to respond to the questionnaire?

For Tier 1, non-response is the answer. Either escalate to their account team (often the account manager can move the request through their internal security team) or accept that you cannot use them for Tier 1 workloads. For Tier 2, document the non-response, look at their public security page, and consider whether the gap is acceptable. Some smaller vendors genuinely do not have the team to respond, and that is itself a risk signal.

Should we use an automated vendor risk platform?

Probably not for an SME under 100 staff. The platforms (UpGuard, SecurityScorecard, BitSight, OneTrust) are excellent but priced for an enterprise budget and produce more data than a small team can act on. A spreadsheet, a shared mailbox for evidence collection, and a calendar reminder for annual review will do the job for most SMEs. Revisit the tooling question if you grow past 200 staff or if your customers start asking for vendor risk evidence in a specific format.

Who in the business should own vendor risk?

The accountability should sit with a named executive (CFO, COO or general manager in a typical SME). The day-to-day work can be delegated to an office manager, an internal IT lead, or your MSP. The risk acceptance decisions cannot be delegated below executive level.

How does this fit with our existing cyber security work?

Vendor risk is one pillar of a broader programme that also includes endpoint and identity controls, backup and recovery, and incident response. Our Melbourne cyber security services wrap these pillars together for managed clients, and the vendor risk lite framework is part of the standard offering. If you want to talk through how the pieces fit for your business, our team is reachable through the contact page.

Most cost-of-breach articles quote the IBM global average of 4.45 million US dollars. That number is useless if you run a 40-person professional services firm in Melbourne. It is calculated across global enterprises and tells you almost nothing about what a real incident costs an Australian SME.

This article does the opposite. It walks through a composite case study, anonymised but with real numbers from incidents we have helped respond to in late 2025, of a Melbourne professional services SME hit by a phishing-led business email compromise that escalated into a partial ransomware event. Line by line. Every number traceable to a real invoice, productivity calculation, or insurance excess. By the end you will have a defensible cost-of-incident model you can take to your board.

TechAssist has been responding to incidents like this since we were founded in 2014. Our cybersecurity services Melbourne team has worked on enough breaches across the Melbourne metro to know that the line-by-line numbers are remarkably consistent across firms of similar size. The variability is in the tail (insurance, customer churn, vendor questionnaires), and the tail is bigger than people expect.

The Case: A Hawthorn Professional Services Firm

The composite firm is 42 staff. Professional services, business advisory. Office in Hawthorn. Average revenue per consultant is $380,000 per year. Average gross margin around 55 percent. They had Microsoft 365 Business Standard (note: not Premium), a basic backup tool, MFA enabled but not enforced through conditional access, and a flat network with no segmentation. They had no formal incident response retainer, no tabletop exercises, and no cyber insurance until six months before the incident, when their bank required it as a condition of a working capital facility.

This is a deliberately realistic baseline. It is the security posture we see in roughly 30 to 40 percent of mid-market Melbourne firms when we first engage. Not abysmal, not great. Compliance with the obvious basics, gaps in the less-obvious depth.

The incident timeline: a senior consultant clicked a phishing link on a Wednesday afternoon, entered Microsoft 365 credentials into a credential-harvesting page, and the attacker logged into her mailbox at 4:47pm Melbourne time. By the time the consultant noticed something was off (Thursday morning), the attacker had set up inbox forwarding rules, created an OAuth app with mailbox-read permissions for persistence, and identified a finance team payment workflow they could exploit. Over the next four days, the attacker conducted classic business email compromise activities while also deploying ransomware on a file server the consultant had access to via mapped network drive.

The ransomware did not encrypt the entire estate. It encrypted approximately 40 percent of the file server contents, which included the active client engagement directory. The Microsoft 365 mailboxes and SharePoint were not encrypted but were exfiltrated, with evidence of approximately 12GB of data taken to an external server before the attacker was kicked out.
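The two persistence steps in the timeline above, the inbox forwarding rules and the user-consented OAuth app, both leave records in the Microsoft 365 unified audit log. Here is an added Python example (not TechAssist's tooling) that flags them; the records are constructed to follow the shape of Search-UnifiedAuditLog AuditData JSON, and the addresses, IDs and tenant domain are made up.

```python
"""Detection of the two persistence steps in the incident above, run over
Microsoft 365 unified audit log records: inbox rules that forward mail outside
the tenant, and user-consented OAuth apps holding mailbox permissions.

Added example, not TechAssist's tooling. The records are constructed to follow
the shape of Search-UnifiedAuditLog AuditData JSON; addresses and IDs are made up.
"""
import json
import re

ORG_DOMAINS = {"example.com"}          # constructed tenant domain(s)
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
MAILBOX_SCOPES = {"mail.read", "mail.readwrite", "mail.readbasic",
                  "mailboxsettings.read", "mailboxsettings.readwrite"}


def _is_external(address: str) -> bool:
    # Values may appear as "user@domain" or "[SMTP:user@domain]"
    domain = address.rsplit("@", 1)[-1].strip("]> ").lower()
    return domain not in ORG_DOMAINS


def check_inbox_rule(rec: dict):
    """Flag New-/Set-InboxRule operations that route mail to an external address."""
    if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
    external = [params[k] for k in FORWARD_PARAMS if k in params and _is_external(params[k])]
    if not external:
        return None
    finding = {"type": "external_forwarding_rule", "user": rec.get("UserId"),
               "targets": external, "time": rec.get("CreationTime")}
    # Forward-and-delete hides the conversation from the mailbox owner: a BEC tell
    finding["hides_evidence"] = params.get("DeleteMessage", "").lower() == "true"
    return finding


def check_app_consent(rec: dict):
    """Flag non-admin consent to an app requesting mailbox scopes."""
    if rec.get("Operation") != "Consent to application.":
        return None
    props = {m["Name"]: m.get("NewValue", "") for m in rec.get("ModifiedProperties", [])}
    if props.get("ConsentContext.IsAdminConsent", "").lower() == "true":
        return None     # admin-reviewed consent is the approved path
    m = re.search(r"Scope:\s*([^,\]]+)", props.get("ConsentAction.Permissions", ""))
    scopes = m.group(1).split() if m else []
    hits = sorted(s for s in scopes if s.lower() in MAILBOX_SCOPES)
    if not hits:
        return None
    return {"type": "user_consented_mailbox_app", "user": rec.get("UserId"),
            "app_id": rec.get("ObjectId"), "scopes": hits, "time": rec.get("CreationTime")}


def scan(lines):
    """Run both checks over newline-delimited JSON audit records."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        for check in (check_inbox_rule, check_app_consent):
            hit = check(rec)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample: one benign internal rule, the attacker's forward-and-delete
# rule, an admin-approved app, and the attacker's user-consented mail-reading app.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-11-12T05:10:00", "Operation": "New-InboxRule",
     "UserId": "consultant@example.com", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "Leave cover"},
                    {"Name": "ForwardTo", "Value": "colleague@example.com"}]},
    {"CreationTime": "2025-11-12T06:51:00", "Operation": "New-InboxRule",
     "UserId": "consultant@example.com", "Workload": "Exchange", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "[SMTP:drop@example.net]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-11-12T07:00:00", "Operation": "Consent to application.",
     "UserId": "admin@example.com", "Workload": "AzureActiveDirectory",
     "ObjectId": "00000000-0000-0000-0000-0000000000a1",
     "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "NewValue": "True"},
                            {"Name": "ConsentAction.Permissions", "NewValue": "[] => [[Scope: Mail.Read User.Read]]"}]},
    {"CreationTime": "2025-11-12T07:14:00", "Operation": "Consent to application.",
     "UserId": "consultant@example.com", "Workload": "AzureActiveDirectory",
     "ObjectId": "00000000-0000-0000-0000-0000000000b2",
     "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
                            {"Name": "ConsentAction.Permissions",
                             "NewValue": "[] => [[ConsentType: Principal, Scope: Mail.Read offline_access User.Read, ExpiryTime: ]]"}]},
]
SAMPLE_AUDIT_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LINES):
        print(f)
```

In production the same checks would run against the output of Search-UnifiedAuditLog or a SIEM export rather than the embedded sample, and a user-consent hit is also the cue to review the tenant's app consent policy.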

Line-by-Line: The Direct Costs

These are the invoices that hit the firm’s accounts payable system in the 90 days following the incident.

| Line item | Amount (AUD) | Notes |
|-----------|--------------|-------|
| Incident response retainer activation | $28,000 | External IR firm, week-one engagement. Includes after-hours rates. |
| Forensics and scoping | $45,000 | Full mailbox forensics, endpoint forensics on 18 devices, SharePoint audit log review, exfiltration scoping. |
| Ransomware containment and recovery | $18,500 | Server rebuild from backup, mailbox cleanup, OAuth app removal, credential rotation across the tenant. |
| Legal counsel (privacy and notification) | $22,000 | Privacy Act advice, Notifiable Data Breach assessment, customer notification language drafting. |
| Notification production and dispatch | $4,800 | Letters to affected individuals, customer email programme, regulator submission. |
| External communications support | $6,500 | Holding statement, FAQ document, two staff comms sessions, board briefing pack. |
| Additional security tooling (post-incident) | $14,000 | Upgrade to Microsoft 365 Business Premium for the whole tenant, Defender for Business deployment, conditional access policies. |
| Cyber insurance excess | $25,000 | Policy excess for first-party costs. Below total claim value. |
| Direct costs subtotal | $163,800 | |

These are the invoices. They are the part most articles cover. They are also, in our experience, only about 35 to 45 percent of the actual total cost of the incident. The bigger numbers are the indirect costs, which we will get to next.

Line-by-Line: The Productivity and Revenue Losses

The firm was substantially offline for nine business days. Full operations did not resume for fourteen business days. Email was down for four days during the cleanup. The shared file environment was down or partially down for seven days. The active client engagement directory took the longest to fully restore because some of the data required reconstruction from local copies, email attachments, and supplier records.

Here is what the productivity loss looked like.

| Line item | Amount (AUD) | Calculation |
|-----------|--------------|-------------|
| Consultant productivity loss (9 days) | $110,000 | 40 consultants x $380k revenue / 220 days x 55% margin x 9 days x 40% efficiency loss. |
| Admin and support staff productivity loss | $8,500 | 6 staff x $85k salary / 220 days x 9 days x 100% loss for first 3 days, 50% for next 6. |
| Partner time on incident response | $32,000 | 2 partners at full opportunity cost over two weeks coordinating response. |
| Deferred client work | $26,000 | Two engagements pushed by three weeks; revenue recognition delayed, project margin compressed. |
| Productivity subtotal | $176,500 | |

This is where the cost actually lives. The productivity loss is bigger than every invoice combined. And the only way to avoid this number is to maintain operations during the incident, which requires segmentation (so the incident does not take everything), backups that actually work (not just exist), and an incident response plan that has been rehearsed so the firm can keep working in a degraded mode while specialists clean up.

Note the calculation method. We are not double-counting. The 40 percent efficiency loss accounts for the fact that some work could continue on local copies, mobile devices, and via personal email. It is not a full revenue loss; it is the proportion of consultant time that was actually unproductive during the disruption period. For a fully air-gapped firm with no degraded-mode capability, this number would have been closer to $200,000.

The Indirect Costs: Where the Tail Really Hurts

The direct and productivity costs are large. The indirect costs are where the real long-term damage shows up, and these are the numbers boards consistently underestimate.

Customer churn. Two of the firm’s clients ended their engagement within four months of the incident. One cited the incident directly. The other did not, but the timing was clear. Combined annual revenue from those two clients: $340,000. Even attributing only 50 percent of the loss to the incident (because both clients had other contributing factors), the cost is $170,000 in lost annual revenue, or roughly $93,500 in gross margin in the first year. The two-year tail is materially worse.

Cyber insurance premium uplift. The firm’s cyber insurance premium at renewal increased from $11,400 per year to $34,800 per year, with a higher excess, more exclusions, and a requirement to demonstrate ongoing security controls (a quarterly attestation). Across a five-year window before they can credibly negotiate back down, that is roughly $117,000 in additional insurance cost.

Vendor security questionnaires. This is the cost that surprises most firms. Every existing enterprise client (and they had four) requested a detailed security questionnaire within three months of the incident becoming known. Each questionnaire required 8 to 14 hours of senior engineering time to complete, plus partner review and signoff. New business pursuits were paused for four months while they rebuilt their security posture sufficiently to credibly respond to procurement processes. We estimated the 14-month tail of vendor questionnaires and rebuilt pursuit activity at roughly $48,000 of internal time and $35,000 of opportunity cost from delayed new business.

Brand and recruitment impact. Harder to quantify. The firm reported two senior consultant hires falling through after the candidates raised the incident in second-round conversations. The estimated cost of the delayed hires and the additional recruitment spend was around $22,000.

| Line item | Amount (AUD) | Notes |
|-----------|--------------|-------|
| Customer churn (year 1 margin) | $93,500 | Conservative 50% attribution. |
| Cyber insurance premium uplift (5 years) | $117,000 | Premium increase plus higher excess. |
| Vendor security questionnaires (internal cost) | $48,000 | 14-month tail. |
| Lost new business (procurement gating) | $35,000 | Pursuits delayed or paused. |
| Recruitment impact | $22,000 | Hires falling through, additional recruitment spend. |
| Indirect cost subtotal | $315,500 | |

The Total: A Real Number

Direct costs: $163,800. Productivity and revenue losses: $176,500. Indirect costs: $315,500. Total cost of the incident over the 14-month tail: $655,800.

That number, $655,800, is the realistic cost of a phishing-led BEC and partial ransomware incident for a 42-person Melbourne professional services SME with the security posture we described. Not 4.45 million dollars. Not 100,000 dollars. Somewhere between half a million and a million Australian dollars, depending on customer churn and how cleanly the insurance claim is handled.

If you scale this for a smaller firm (say 20 staff with $5m revenue), the number scales down roughly proportionally, but not linearly because the fixed costs (legal, IR, forensics) compress less. A similar incident at a 20-person firm typically lands between $300,000 and $500,000. For a 100-person firm, similar incidents land between $1.2 million and $2.5 million.

What Cyber Insurance Did and Did Not Cover

Cyber insurance is genuinely useful but is not a substitute for prevention. The Hawthorn firm’s policy covered most of the incident response retainer, forensics, legal counsel, and notification costs (about $99,000 of the first-party costs above the $25,000 excess). It did not cover the productivity loss, the customer churn, the premium uplift, or the indirect business impact.

The lesson: cyber insurance covers the bill from external responders. It does not cover the cost of being offline. It does not pay your consultants while they cannot work. It does not retain clients who have lost confidence. Insurance is a backstop for the invoiced costs. The productivity and tail costs are yours either way.

A second lesson: the insurer required, as part of claim acceptance, evidence of the controls the firm had attested to at policy inception. Their attestation said MFA was enforced on all users. In reality MFA was enabled but not enforced through conditional access, and the specific consultant whose credentials were compromised had MFA disabled via a legacy authentication grandfather clause. The claim was paid, but the next year’s renewal was tougher because the discrepancy was visible. Be careful what you attest to. Insurers will check.

What Would Have Prevented This Incident

Almost all of it was preventable, and almost none of the preventative controls were expensive relative to the incident cost. Here are the specific controls that would have prevented or substantially mitigated each phase.

The credential phishing would have been mitigated by phishing-resistant MFA (a hardware token or platform authenticator) instead of SMS or push notification MFA. Hardware tokens cost about $80 each. Platform authenticators (Windows Hello, Face ID) are free.

The credential theft, if MFA had been bypassed via a session-token phishing attack, would have been further mitigated by conditional access policies requiring a compliant device. The attacker’s session would have failed the device compliance check.

The OAuth app persistence would have been blocked by Microsoft 365’s Defender for Office 365 default policies (which block unverified app consent for users) and by an admin policy disabling user consent to apps without admin approval.

The lateral movement to the file server would have been mitigated by network segmentation (the consultant’s laptop should not have had unfiltered SMB access to the file server) and by application control (the ransomware payload should not have executed on the file server).

The ransomware impact would have been minimised by immutable backups with shorter recovery time objectives. The firm’s backup tool was working but the recovery process took four days because they had never tested it under realistic load.

The data exfiltration would have been detectable, and potentially preventable, by SharePoint download volume alerting and by data loss prevention policies on sensitive document libraries.

None of those controls is expensive. Microsoft 365 Business Premium (which includes most of them) costs about $36 per user per month, roughly $18,000 per year for the 42-person firm. The incident cost was $655,800. The math does not require a spreadsheet.

For the framework view, our zero trust security model explained guide covers how these controls fit together. For the backup and recovery side specifically, see our backup and disaster recovery Melbourne 2026 guide.

What Got Done in the Six Months After

The firm engaged us for remediation about three weeks into the incident response (their existing IT provider was not equipped to run incident response). Over the six months following the incident, the security posture was substantially rebuilt. Here is the rough sequence and cost.

Workstream | Cost (AUD) | Duration
Microsoft 365 uplift to Business Premium | $18,000 / year ongoing | Week 1
Conditional access and Intune deployment | $24,000 one-off | Weeks 2-5
Network segmentation (UniFi, four VLANs) | $28,000 one-off | Weeks 6-9
Backup overhaul with immutable copies | $22,000 one-off + $14,000/year | Weeks 10-13
Application control deployment (corporate VLAN) | $32,000 one-off | Weeks 14-22
Privileged access management | $18,000 one-off + $9,600/year | Weeks 16-20
Staff phishing training programme | $8,400/year | Week 8 onwards, quarterly
Quarterly tabletop exercises | $12,000/year | Started week 18
Six-month remediation total | $124,000 one-off + $62,000/year ongoing |

The remediation cost less than the incident cost by a factor of five. If the same investment had been made before the incident, the incident would either not have happened, or would have been contained at a cost roughly an order of magnitude smaller.

The firm is now aligned with Essential Eight Maturity Level Two on most controls and is targeting Maturity Level Three for the controls that matter most to their client base. They moved to managed IT services Melbourne with us under per-user fixed monthly pricing, which gave them predictable costs and 24/7 NOC coverage out of our Tecoma office. P1 incidents are responded to in under 15 minutes, and same-business-day on-site coverage across Melbourne metro is the standard SLA.

Lessons for Boards and Owners

If you read nothing else from this article, read this section. These are the takeaways for non-technical decision-makers.

The IBM global average is irrelevant. Your number is between three and ten times your annual cybersecurity budget, and the multiplier is higher the worse your starting posture is. Calculate your number based on your headcount, your revenue per head, your billable model, and your client base.

The invoice is the smallest part. Productivity loss and indirect cost are 60 to 70 percent of the real total. Reducing the incident cost means reducing time-to-recovery and reducing customer impact, not just having someone to call when it happens.

Cyber insurance is necessary but not sufficient. It pays the bills from external responders. It does not pay your staff while they cannot work, and it does not prevent customer churn.

The controls that matter most are not expensive. Microsoft 365 Business Premium, conditional access, MFA enforcement, network segmentation, immutable backups, and application control collectively cost less than 5 percent of the realistic incident cost for an SME of this size.

Your client base will assess your security posture after an incident, and possibly before. If you serve enterprise clients, expect vendor questionnaires. If you serve government, expect IRAP-adjacent assessments. The post-incident scramble to answer questionnaires you should have answered years ago is one of the bigger hidden costs.

For the broader buyer’s guide on getting the right partner in place, see how to choose an MSP Melbourne and our top managed service providers Melbourne review. Privacy obligations are covered in our Australian Privacy Act for SMBs guide.

Frequently Asked Questions

How long does an incident response engagement typically take?

The intense phase is two to three weeks. Containment is days one to three. Forensics and scoping take the first ten days. Remediation continues for one to three months depending on the depth of the cleanup required. The notification and regulatory tail can run six to nine months. The vendor questionnaire and customer trust tail runs twelve to eighteen months.

Does paying the ransom make sense?

Almost never. In this case the firm did not pay because backups, while slow to restore, were intact. In cases where backups are not viable, paying the ransom is a partial gamble even with reputable negotiation specialists, and the legal and reputational ramifications are significant. The Australian Government discourages ransom payment and is moving toward mandatory reporting of payments. Our advice is to invest in recovery capability so paying is not on the table.

What is the single highest-leverage control to deploy first?

MFA enforcement with conditional access for every user. It is the single control that would have prevented the largest proportion of the incidents we have responded to over the last three years. Specifically: MFA enforced at the conditional access layer (not just enabled), with phishing-resistant methods (passkeys, platform authenticators, or hardware tokens) for at least admin accounts and high-value users.

Do I need a 24/7 SOC?

For most SMEs, no. A managed service provider with 24/7 NOC monitoring and a documented escalation path to an incident response specialist covers the same risk at a fraction of the cost of a dedicated SOC. We provide this as part of our managed service from our Tecoma NOC. Once you exceed 200 staff or move into highly regulated industries, the calculus changes.

How often should we run tabletop exercises?

Quarterly for the first year after starting a security programme. Twice yearly thereafter. The first tabletop usually exposes more gaps than the actual control review did, because it surfaces decision-making issues that controls do not address (who calls the lawyer, who briefs the board, who talks to clients).

Where do I start if my security posture is similar to the case study firm?

Start with an assessment. Not a vendor pitch. An honest evaluation of where your gaps are, what they would cost to remediate, and what they would cost if exploited. We do this for Melbourne SMEs out of our Tecoma office and our 575 Bourke St CBD office. Reach the team via the contact page and we will run the assessment with you.

Network segmentation gets explained as a zero-trust enterprise project with microsegmentation and identity-aware proxies. That framing scares SMEs off, which is a shame. A 30-person Melbourne business can segment its network usefully in a weekend with a UniFi stack and four VLANs. The hard part is sequencing the work so each step reduces real risk.

This guide is the practical version. We will walk through the minimum-viable segmentation that actually reduces lateral movement risk for an Australian SME, the priority order (guest Wi-Fi first, because it is the cheapest win and stops half the dumb risks), where SMEs over-engineer and waste budget, a sample VLAN and firewall rule pack you can adapt, and the trap of segmenting your network without doing the identity work alongside it.

TechAssist has been deploying these stacks for Melbourne SMEs since we were founded in 2014. Our cybersecurity services Melbourne team treats segmentation as one of the highest-leverage controls available to a small business. It is not the most exciting work, but it is the work that means a phished receptionist credential does not become a domain-wide ransomware incident.

What Network Segmentation Actually Is

Segmentation is the practice of dividing your network into separate zones so that a device or user in one zone cannot freely communicate with devices in another zone. Each zone is governed by firewall rules that say what traffic is permitted between it and other zones.

The simplest example: your guest Wi-Fi should not be able to talk to your office laptops. Your office laptops should not be able to talk to your CCTV cameras. Your CCTV cameras should not be able to talk to your phone system. Your phone system should not be able to talk to anything except the SIP provider. If you implement those four rules, you have already done most of the segmentation work that meaningfully reduces risk.

The reason segmentation matters is lateral movement. Modern ransomware does not just encrypt the machine it lands on. It enumerates the local network, finds open shares, weak credentials, and unpatched services on other devices, and spreads. A flat network gives the attacker the entire estate. A segmented network gives them one VLAN.

This is not zero trust, despite what some vendors will tell you. It is the perimeter approach with internal perimeters added. Zero trust is the next step beyond segmentation, where every connection is authenticated and authorised regardless of zone. Read our zero trust security model explained guide for that broader picture. For most SMEs, getting segmentation right is the prerequisite, and the right place to stop for now.

The Minimum Four VLANs for a Melbourne SME

If you run a 15-to-100-person business and you want a segmentation design that actually reduces risk without becoming a multi-month project, run four VLANs. We deploy this exact pattern several times a quarter across our client base.

VLAN | Purpose | Devices | Typical IP range
10 – Corporate | Staff workstations, servers, file shares | Laptops, desktops, NAS, on-prem servers, Office 365-connected devices | 10.10.10.0/24
20 – Guest | Visitor internet only | Visitor phones, contractor laptops, guest tablets | 10.10.20.0/24
30 – IoT and AV | Smart devices, AV gear, CCTV, printers | Printers, cameras, smart TVs, AV controllers, Sonos, smart whiteboards | 10.10.30.0/24
40 – Voice | SIP phones and gateways | Desk phones, IP-PBX, SIP gateways | 10.10.40.0/24

Four VLANs sounds trivial. The reason it is enough for most SMEs is that each one represents a meaningfully different risk profile. Guest devices are unmanaged and untrusted. IoT devices are notoriously badly patched and run weird firmware. Voice devices have their own QoS needs and should not be exposed to general office traffic. Corporate is the only zone where managed, patched, and authenticated devices live.

If you have a meaningfully different workload, like a manufacturing floor with PLCs, an OT environment, or a clinical environment with medical devices, add a fifth VLAN for that. Do not collapse it into the IoT VLAN. The blast radius if it gets compromised is too different.

Priority Order: Guest Wi-Fi First

The single highest-leverage step you can take is splitting guest Wi-Fi from corporate Wi-Fi. It is cheap, it is fast, and it removes the most common dumb risk: a visitor’s compromised phone or a contractor’s malware-laden laptop pivoting onto your file server because they got the office Wi-Fi password.

The order we deploy in for a typical Melbourne SME segmentation engagement is as follows.

Week one. Guest Wi-Fi on its own VLAN with a captive portal, time-limited credentials, and a firewall rule that permits internet egress only. No access to internal subnets. This alone removes about 40 percent of the lateral movement risk for a typical SME.

Week two. Voice VLAN. Move the SIP phones onto their own VLAN, lock egress to your SIP provider’s IP range only, and prioritise QoS. This stops a compromised phone from talking to anything except the SIP provider and improves call quality at the same time.

Week three. IoT and AV VLAN. Move printers, cameras, smart TVs, AV gear, and any other unmanaged device onto its own VLAN. Permit only the management traffic the corporate VLAN needs (Bonjour and mDNS reflection for AirPrint, print server traffic, RTSP for camera viewing). Block everything else.

Week four. Corporate VLAN cleanup. Remove anything that should not be on the corporate VLAN, audit static IPs, document the segmentation in a network diagram, and set up monitoring alerts for inter-VLAN traffic that violates the rule set.

That is a four-week project for a typical 30-person Melbourne SME. Most of the cost is engineering time, not hardware. If you are already on UniFi, the hardware is essentially free, and the labour is roughly fifteen to twenty engineer-hours including documentation.

Where SMEs Over-Engineer

Segmentation has a way of attracting over-engineering. Here is what to skip if you are a 30-to-100-person business.

Microsegmentation. This is the practice of giving each workload or application its own segment with policies down to the application port level. It is the right answer for large enterprises with data centres and dozens of regulated workloads. It is not the right answer for a 40-person Melbourne law firm with one practice management system. Microsegmentation tooling costs more than the entire SME’s segmentation budget and adds operational complexity that the IT team cannot maintain.

Per-application firewalls. The pattern where each application has its own next-generation firewall with deep packet inspection rules. Same logic as above. It belongs to the enterprise data centre, not the SME network. For SMEs, a single perimeter firewall with sensible inter-VLAN rules covers the same risk at a fraction of the cost.

Identity-aware proxies for every internal application. Good idea in theory. In practice, deploying ZTNA across every internal app for a 30-person business takes three to six months of integration work, costs tens of thousands in licensing, and leaves the team frustrated. Start with corporate, guest, IoT, and voice segmentation. Then layer identity-aware access onto the two or three highest-value internal applications. Do not try to do all of it at once.

Dedicated SIEM and SOAR. SMEs that try to deploy a SIEM and incident orchestration platform alongside segmentation usually end up with both half-deployed. Use Microsoft Defender for Business or your MSP’s monitoring stack until you genuinely outgrow it. Our managed IT services Melbourne programme includes 24/7 NOC monitoring out of our Tecoma office, which covers what a small SIEM does for a fraction of the cost.

Sample VLAN and Firewall Rule Pack

Here is a sample rule pack that we deploy as a starting point on UniFi, pfSense, or Meraki gear. Adapt the IP ranges to your environment. The rules are written as “from-to: permit/deny.”

Source | Destination | Ports | Action | Reason
Guest VLAN | Any internal VLAN | Any | Deny | Guests must not touch internal anything.
Guest VLAN | Internet | 80, 443, 53 | Permit | Web and DNS only. No SMB, no RDP, no SMTP.
IoT VLAN | Corporate VLAN | Any | Deny | IoT devices initiate nothing into corporate.
Corporate VLAN | IoT VLAN | Print, RTSP, mDNS | Permit | Print to printers, view cameras, AirPrint.
IoT VLAN | Internet | 443, NTP | Permit | Vendor cloud and time sync. Block everything else.
Voice VLAN | SIP provider IPs | 5060, RTP range | Permit | SIP signalling and media to the provider only.
Voice VLAN | Any other VLAN | Any | Deny | Phones do not talk to laptops or printers.
Corporate VLAN | Internet | Any | Permit with filtering | Standard egress with DNS filtering and TLS inspection.
Corporate VLAN | Voice VLAN | HTTPS to PBX | Permit | Admin access to PBX from corporate only.
Any VLAN | Management VLAN | Any | Deny except admin | Network gear management is admin-only.

The thing to notice about this rule pack is how restrictive it is by default. Most SMEs run flat networks where everything can talk to everything. That is the disease. The cure is “deny by default” between VLANs and explicit permits only for the traffic you actually need. If you do not know whether a traffic flow is needed, it is not needed. Add it back if something breaks.
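To make the deny-by-default logic concrete, here is an added example (not TechAssist's rule pack or any vendor's configuration) that encodes the table above as data and checks it against the flows a small office actually needs and the lateral-movement paths the pack exists to block. The management VLAN range, the SIP provider range (a TEST-NET-3 placeholder), the admin host and the concrete port numbers behind "Print" and "RTP range" are assumptions made for the example.

```python
"""Deny-by-default inter-VLAN rule pack encoded as data, with a flow checker."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zone subnets. The four VLAN ranges come from the design above; the management
# VLAN, the SIP provider range and the admin jump host are constructed assumptions.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.10.0/24"),
    "guest": ipaddress.ip_network("10.10.20.0/24"),
    "iot": ipaddress.ip_network("10.10.30.0/24"),
    "voice": ipaddress.ip_network("10.10.40.0/24"),
    "management": ipaddress.ip_network("10.10.99.0/24"),    # assumed
    "sip_provider": ipaddress.ip_network("203.0.113.0/24"),  # assumed (TEST-NET-3)
}
INTERNAL = {"corporate", "guest", "iot", "voice", "management"}
ADMIN_HOST = "10.10.10.5"  # assumed admin workstation for the "deny except admin" rule

def zone_of(ip: str) -> str:
    """Map an address to a named zone; anything outside every zone is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    src: str                # zone name, 'any', 'internal', or a single host IP
    dst: str                # zone name, 'any', 'internal', or 'internet'
    ports: Optional[tuple]  # ((proto, low, high), ...) or None for any port
    action: str             # 'permit' or 'deny'
    reason: str

def _endpoint_matches(spec: str, ip: str) -> bool:
    zone = zone_of(ip)
    if spec == "any":
        return True
    if spec == "internal":
        return zone in INTERNAL
    return spec == zone or spec == ip  # zone match, or literal host (admin exception)

def _ports_match(spec, proto: str, port: int) -> bool:
    if spec is None:
        return True
    return any(p == proto and lo <= port <= hi for p, lo, hi in spec)

# The rule pack above, in first-match order. Ports are the standard ones (9100/631
# print, 554 RTSP, 5353 mDNS, 5060 SIP, 123 NTP); the RTP range is an assumption.
RULES = [
    Rule("guest", "internal", None, "deny", "Guests must not touch internal anything."),
    Rule("guest", "internet", (("tcp", 80, 80), ("tcp", 443, 443), ("udp", 53, 53)), "permit", "Web and DNS only."),
    Rule("iot", "corporate", None, "deny", "IoT initiates nothing into corporate."),
    Rule("corporate", "iot", (("tcp", 9100, 9100), ("tcp", 631, 631), ("tcp", 554, 554), ("udp", 5353, 5353)),
         "permit", "Print, RTSP camera viewing, mDNS."),
    Rule("iot", "internet", (("tcp", 443, 443), ("udp", 123, 123)), "permit", "Vendor cloud and NTP only."),
    Rule("voice", "sip_provider", (("udp", 5060, 5060), ("udp", 10000, 20000)), "permit", "SIP and RTP to provider."),
    Rule("voice", "any", None, "deny", "Phones talk to nothing else."),
    Rule("corporate", "internet", None, "permit", "Standard egress (DNS filtering / TLS inspection sit in the content filter)."),
    Rule("corporate", "voice", (("tcp", 443, 443),), "permit", "Admin HTTPS to the PBX only."),
    Rule(ADMIN_HOST, "management", (("tcp", 443, 443), ("tcp", 22, 22)), "permit", "Admin host manages network gear."),
    Rule("any", "management", None, "deny", "Network gear management is admin-only."),
]

def evaluate(src: str, dst: str, proto: str, port: int):
    """Return (action, reason) for a flow: first matching rule wins, default deny."""
    for rule in RULES:
        if (_endpoint_matches(rule.src, src) and _endpoint_matches(rule.dst, dst)
                and _ports_match(rule.ports, proto, port)):
            return rule.action, rule.reason
    return "deny", "Implicit inter-VLAN default deny."

# Constructed test flows: what a small office needs, plus the lateral-movement paths
# segmentation exists to block. 192.0.2.10 (TEST-NET-1) stands in for any internet host.
EXPECTED_FLOWS = [
    ("10.10.20.15", "10.10.10.20", "tcp", 445, "deny"),      # guest phone -> corporate NAS (SMB)
    ("10.10.20.15", "192.0.2.10", "tcp", 443, "permit"),     # guest -> web
    ("10.10.30.40", "10.10.10.20", "tcp", 445, "deny"),      # camera -> file share
    ("10.10.10.50", "10.10.30.40", "tcp", 554, "permit"),    # laptop views camera over RTSP
    ("10.10.10.50", "10.10.30.41", "tcp", 9100, "permit"),   # laptop prints
    ("10.10.30.40", "192.0.2.10", "udp", 123, "permit"),     # camera syncs time
    ("10.10.30.40", "192.0.2.10", "tcp", 22, "deny"),        # camera SSH outbound, blocked
    ("10.10.40.11", "203.0.113.10", "udp", 5060, "permit"),  # phone registers with SIP provider
    ("10.10.40.11", "203.0.113.10", "udp", 15000, "permit"), # RTP media inside the range
    ("10.10.40.11", "10.10.10.50", "tcp", 445, "deny"),      # phone -> laptop
    ("10.10.10.50", "10.10.40.2", "tcp", 443, "permit"),     # staff laptop -> PBX web UI
    ("10.10.10.50", "10.10.99.2", "tcp", 443, "deny"),       # ordinary laptop -> switch management
    (ADMIN_HOST, "10.10.99.2", "tcp", 443, "permit"),        # admin host -> switch management
]

def check_rule_pack(flows=EXPECTED_FLOWS):
    """Return flows whose result differs from expectation; an empty list means the pack holds."""
    mismatches = []
    for src, dst, proto, port, expected in flows:
        actual, _ = evaluate(src, dst, proto, port)
        if actual != expected:
            mismatches.append((src, dst, proto, port, expected, actual))
    return mismatches
```

Running `check_rule_pack()` against an edited rule list is a cheap way to catch the classic mistake of a broad permit landing above a deny before the change reaches the gateway.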

One detail that catches people out: print discovery. Modern printers use mDNS and Bonjour for discovery, which is broadcast-based and does not cross VLAN boundaries by default. You need either an mDNS reflector (UniFi calls it mDNS, Meraki calls it Bonjour Forwarding) configured between corporate and IoT VLANs, or you fix the printers in DNS with static A records and add them as IP-based printers. Both work. We usually prefer the static DNS approach because it is more deterministic.

The Trap: Segmenting Without Identity

This is the trap that costs SMEs more than any other in segmentation projects. You spend a weekend deploying four VLANs, you write a clean rule pack, you feel great, and then a phished user credential turns out to be a domain admin because identity hygiene was never done. The attacker authenticates as a privileged user, traverses your VLAN rules using legitimate credentials, and segmentation buys you nothing.

Segmentation is necessary but not sufficient. You also need identity hygiene. The minimum identity work to do alongside segmentation is as follows.

One. No standing domain admin. Domain admin rights are granted just-in-time, ideally through Privileged Identity Management in Entra ID, or at minimum through a separate dedicated admin account that requires MFA and is not used for email or browsing.

Two. MFA on everything. Not just email. RDP gateways, VPN, the firewall admin interface, the switch management interface, the wireless controller, the file server admin. If a credential gives access to something, that access requires MFA.

Three. Conditional access policies on Entra ID. At a minimum, require MFA for all users, block legacy authentication protocols, and require a compliant device for access to admin roles and high-value applications. This is included in Microsoft 365 Business Premium and is one of the highest-leverage controls available.

Four. Local admin password randomisation. Every Windows endpoint should have a unique, randomised local administrator password managed via LAPS or its modern equivalent in Intune. A consistent local admin password is one of the fastest paths to lateral movement, and most SMEs still have it.

Five. Application control allowlisting on at least the corporate VLAN endpoints. This is the hardest of the Essential Eight to deploy well, but it is also one of the most effective. See our deep dive on application control for the practical playbook.

Without those identity controls, segmentation is theatre. With them, segmentation becomes a meaningful second line of defence.

A Melbourne Example: 38-Person Architecture Practice in Richmond

A 38-person architecture practice in Richmond engaged us in early 2025 after a near-miss incident. A user clicked a phishing link, entered credentials into a fake Microsoft login page, and an attacker logged into their mailbox. The mailbox had access to a shared SharePoint library with five years of client documents, and the attacker started downloading files before MFA challenges (delayed by a policy gap) interrupted them.

The post-incident review showed three problems. First, no conditional access policy requiring MFA on every sign-in. Second, no device compliance check, so the attacker authenticated from an unmanaged device with no resistance. Third, a flat network with no segmentation, so if the attacker had pivoted from email to internal systems, nothing would have stopped them.

We deployed in three phases. Phase one was identity hardening: conditional access, device compliance, MFA enforcement, LAPS on the Windows fleet. Phase two was segmentation, exactly the four-VLAN pattern above, with the addition of a fifth VLAN for the Revit project file server because it is high-value and warrants its own zone. Phase three was monitoring: alerting on inter-VLAN traffic that violated rules, alerts on impossible-travel sign-ins, and alerts on download volume anomalies in SharePoint.

Total project cost: just under $34,000 across three months. Total engineer time: 58 hours. Hardware: $4,800 of UniFi gear that replaced a single flat-network router and a consumer-grade access point. They have had zero security incidents in the eighteen months since.

The most important detail: the segmentation work would have been worthless without the identity work that came first. We do not deploy VLANs as a standalone project anymore. Segmentation comes packaged with identity hardening, or it does not come at all.

Hardware Choices: UniFi, Meraki Go, or Meraki Proper

Three tiers cover almost all Melbourne SME deployments. Each has trade-offs.

UniFi from Ubiquiti is the SME favourite for good reason. Hardware is one-time-cost, no recurring licences, the controller is good, and the gear is genuinely capable of handling four-to-six VLANs and the rule pack above. The trade-off is that you (or your MSP) own the operational lift. If the controller falls over, no vendor support phone number rescues you. We deploy UniFi for clients with an MSP relationship in place, because the MSP carries the operational responsibility.

Meraki Go is the entry-level cloud-managed option from Cisco. It is easy to set up, has a clean phone app, and is a good fit for businesses under 20 staff who want minimal operational complexity. The trade-off is feature ceiling. Once you want VLAN-aware DHCP scopes, more than basic firewall rules, or advanced visibility, you hit the ceiling. We tend to deploy Meraki Go for businesses we do not co-manage.

Meraki proper (the full Cisco Meraki dashboard) is the right answer for SMEs with serious compliance ambitions or with multi-site setups. The licensing cost is real (typically $80-$200 per device per year), but the cloud management, deep visibility, and reliability are excellent. We deploy this for clients in regulated sectors and for clients with three or more sites where central management saves enough engineer time to pay for itself.

None of these is the wrong answer. The right answer depends on whether you have an MSP, your compliance trajectory, and how much operational lift you want to carry yourself. Our MSP Melbourne team scopes the hardware decision as part of the segmentation engagement so the gear matches the operating model.

Monitoring: How You Know Segmentation Is Working

Deploying segmentation and not monitoring it is half the job. You need to know when a rule is being violated, when a device is in the wrong VLAN, and when traffic patterns indicate something abnormal.

The minimum monitoring set for an SME deployment:

Alert on denied inter-VLAN traffic above a threshold. A few denied packets are normal background noise. A sustained pattern of denied traffic from one IoT device trying to talk to a corporate file share is a signal worth investigating.

Alert on new devices in any VLAN. Especially the corporate VLAN. If an unknown MAC address suddenly appears, you want to know.

Alert on devices moving between VLANs. This should almost never happen during normal operations. If a device hops from IoT to corporate, something is misconfigured or, worse, someone is poking at the network.

Alert on rule changes. The firewall rule pack is now a security control. Changes to it should be logged, ideally reviewed, and definitely not made silently.
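The four alerts above as detection logic, added here as an example (not TechAssist's NOC tooling). The syslog-style line format, the device inventory and the log lines are constructed for the example, so the regexes would need adjusting to a real gateway's log format.

```python
"""Detection logic for the four segmentation alerts above, run over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not any vendor's real syslog format): one line per
# gateway deny, one per DHCP lease, one per firewall rule change.
DENY_RE = re.compile(r"^(\S+) fw DENY src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")
LEASE_RE = re.compile(r"^(\S+) dhcp LEASE mac=(\S+) vlan=(\d+) ip=(\S+)")
RULE_RE = re.compile(r'^(\S+) fw RULE_CHANGE user=(\S+) action=(\S+) rule="([^"]*)"')

# Constructed sample: a guest's single stray packet (noise), a camera hammering the
# file share (signal), an unknown MAC on corporate, a camera that hops to corporate,
# and someone adding a permit rule without review.
SAMPLE_LOG = """\
2026-03-02T09:00:01 dhcp LEASE mac=aa:bb:cc:00:00:01 vlan=10 ip=10.10.10.50
2026-03-02T09:00:05 dhcp LEASE mac=aa:bb:cc:00:00:40 vlan=30 ip=10.10.30.40
2026-03-02T09:01:10 fw DENY src=10.10.20.15 dst=10.10.10.20 proto=tcp dport=445
2026-03-02T09:14:00 fw DENY src=10.10.30.40 dst=10.10.10.20 proto=tcp dport=445
2026-03-02T09:14:02 fw DENY src=10.10.30.40 dst=10.10.10.20 proto=tcp dport=445
2026-03-02T09:14:03 fw DENY src=10.10.30.40 dst=10.10.10.20 proto=tcp dport=139
2026-03-02T09:14:05 fw DENY src=10.10.30.40 dst=10.10.10.20 proto=tcp dport=445
2026-03-02T09:14:09 fw DENY src=10.10.30.40 dst=10.10.10.20 proto=tcp dport=3389
2026-03-02T09:30:00 dhcp LEASE mac=aa:bb:cc:00:00:99 vlan=10 ip=10.10.10.77
2026-03-02T09:45:00 dhcp LEASE mac=aa:bb:cc:00:00:40 vlan=10 ip=10.10.10.78
2026-03-02T10:02:00 fw RULE_CHANGE user=jsmith action=add rule="iot->corporate any permit"
"""

# Constructed inventory: MAC -> the VLAN it is supposed to live in.
KNOWN_DEVICES = {"aa:bb:cc:00:00:01": 10, "aa:bb:cc:00:00:40": 30}

def _ts(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)

def sustained_denies(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert when one source is denied to one destination >= threshold times inside the window."""
    per_pair = defaultdict(list)
    for line in lines:
        m = DENY_RE.match(line)
        if m:
            per_pair[(m.group(2), m.group(3))].append(_ts(m.group(1)))
    alerts = []
    for (src, dst), stamps in per_pair.items():
        stamps.sort()
        # Sliding window: the threshold-th deny lands within `window` of the first.
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            alerts.append(("sustained_deny", src, dst, len(stamps)))
    return alerts

def device_alerts(lines, known=KNOWN_DEVICES):
    """Alert on unknown MACs appearing in any VLAN and on known MACs moving between VLANs."""
    seen = dict(known)
    alerts = []
    for line in lines:
        m = LEASE_RE.match(line)
        if not m:
            continue
        mac, vlan = m.group(2), int(m.group(3))
        if mac not in seen:
            alerts.append(("new_device", mac, vlan))
        elif seen[mac] != vlan:
            alerts.append(("vlan_move", mac, seen[mac], vlan))
        seen[mac] = vlan
    return alerts

def rule_change_alerts(lines):
    """Every rule-pack change is an alert: the pack is a security control, so log and review it."""
    return [("rule_change", m.group(2), m.group(3), m.group(4))
            for m in map(RULE_RE.match, lines) if m]

def run_all(log: str = SAMPLE_LOG):
    lines = log.splitlines()
    return sustained_denies(lines) + device_alerts(lines) + rule_change_alerts(lines)
```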

Our 24/7 NOC out of Tecoma handles this monitoring for our managed clients. We respond to P1 incidents in under 15 minutes and are on-site across Melbourne metro within the same business day when something needs hands on gear. For clients running their own ops with our co-managed IT support model, we share the monitoring with the internal team and escalate when thresholds are crossed.

How This Fits With Essential Eight and ISO 27001

Segmentation is not explicitly an Essential Eight strategy, but it is referenced under several of them and is foundational to a Maturity Level Two posture. Restricting administrative privileges, restricting Microsoft Office macros, and application control all become more enforceable when segmentation has limited the blast radius of any single compromised endpoint.

For ISO 27001, segmentation falls under Annex A.13 (Communications Security) and contributes evidence for several other controls. We do not certify clients (we are ISO 27001 capable, not a certifying body), but we have helped a number of Melbourne SMEs pass certification audits, and segmentation always shows up positively in the auditor’s review.

For Privacy Act obligations, segmentation reduces the population of data potentially affected in a breach, which can change the calculus on notifiable data breach decisions. See our Privacy Act for SMBs guide for the data handling context.

What This Costs for a Typical Melbourne SME

The all-in cost for a 30-to-50-person SME segmentation engagement, including identity hardening and ongoing monitoring, breaks down roughly as follows.

Line item | Cost (AUD) | Notes
Network hardware (UniFi) | $5,000 – $8,000 | Gateway, switches, access points for one site.
Segmentation engineering | $6,000 – $9,000 | 40-60 hours including documentation.
Identity hardening (CA policies, MFA, LAPS) | $4,000 – $6,000 | One-off, assumes Microsoft 365 Business Premium in place.
Documentation and handover | $1,500 | Network diagrams, rule pack, runbook.
Ongoing monitoring (per user per month) | From per-user fixed monthly pricing | Part of TechAssist managed service.

Total project cost typically lands between 20 and 30 thousand dollars depending on existing hardware, site complexity, and how much identity work is needed alongside the segmentation. The ongoing monitoring sits inside our per-user fixed monthly managed service pricing, so there is no surprise on the operational side.

Compared to the cost of a single ransomware incident (we covered this in another article and the realistic number for an SME is between $150,000 and $400,000 including downtime and customer churn), the segmentation project pays for itself if it prevents one incident. The maths is usually obvious in the boardroom.

Frequently Asked Questions

Can I do segmentation myself with a consumer router?

No. Consumer routers do not support meaningful VLAN tagging, and the firewall capabilities are not granular enough to write the kind of rule pack that makes segmentation worth doing. You need at minimum a small-business gateway like a UniFi Cloud Gateway, a Meraki Go GX, or an equivalent. The hardware costs less than a couple of staff laptops, so the price is not the obstacle.

Will segmentation slow down my network?

On modern gear, no. The gateway processes inter-VLAN routing at line rate, and the firewall rules add microseconds of latency, not milliseconds. The only place we see performance issues is when an SME tries to deploy deep packet inspection and TLS interception on undersized hardware. If you size the gateway correctly for your throughput, segmentation is invisible to users.

Do I need separate physical switches for each VLAN?

No. VLANs are logical, not physical. One managed switch handles all four VLANs at once, tagging traffic on the uplink to the gateway. The only reason to use physically separate switches is for an OT or industrial environment with very strict isolation requirements, and that is not most SMEs.

What about working from home: do segmentation rules apply on the VPN?

This is the part that gets missed. If your remote workers VPN in and land in the corporate VLAN by default, your segmentation has a hole. The fix is either a separate VPN VLAN with its own rule set, or, better, moving away from VPN entirely and using Entra ID conditional access with device compliance checks for application access. The latter is the modern approach and avoids the VPN-as-trust-domain problem entirely.

How often should the rule pack be reviewed?

Quarterly at minimum, and after any significant change to the application stack. We review rule packs as part of our managed client quarterly business reviews, and we use those reviews to remove rules that are no longer needed (which is more common than adding new ones).

What if a vendor needs access to one of my internal systems?

Vendor access should land in a dedicated vendor-access zone with explicit rules to the specific systems they need. Do not give vendors guest Wi-Fi credentials and ask them to VPN. Do not give them corporate Wi-Fi access. A dedicated zone with explicit permissions, ideally with MFA and time-bound credentials, is the right pattern.

How do I get started?

The honest first step is an assessment. We will look at your existing network, your endpoint fleet, your identity setup, and your compliance trajectory, and we will give you a sequenced plan. We do this for Melbourne clients regularly out of both our Tecoma office and our 575 Bourke St CBD office. Reach the team via the contact page and we will sort out a discovery session.

Shadow IT Discovery: Finding the SaaS Tools Your Staff Bought on a Credit Card

The average 50-person Melbourne SME has 60 to 80 SaaS apps in use. Finance can see maybe 15 of them. The rest were signed up to by individual staff on free trials or personal credit cards. The fix is discovery, triage and a clear sanctioning path, not a memo telling people to stop.

Why shadow IT happens (and why blaming users is the wrong move)

Before we talk discovery, it is worth being honest about why shadow IT exists. Three reasons account for almost all of it.

The first is speed. The official process for getting a new SaaS tool approved at most Melbourne SMEs is “raise a request, wait two weeks, get told no”. Trello is free. Notion is free. Calendly is free. ChatGPT is free. A salesperson who needs to send a polished proposal to a prospect by Friday will not wait two weeks. They will sign up for the free tier on Wednesday and put the paid upgrade through their personal card if the trial expires before they have proven the case for an official tool.

The second is feature gaps. Microsoft 365 is excellent at a lot of things and mediocre at a few. Planner is not Trello. Forms is not Typeform. SharePoint document collaboration is not Notion. When the official toolset has a feature-shaped hole, staff fill it from outside. The accounting firm we audited last quarter had three separate Notion workspaces precisely because nobody could agree whether SharePoint or Teams was the right place to do running notes.

The third is autonomy. Department heads — particularly in sales and marketing — often have their own budget and the authority to spend it. They are not breaking any rules when they sign up to HubSpot, Mailchimp, Canva Pro or Loom. They are exercising the budget authority they were given. IT only finds out when something integrates badly with the core stack, or when the credit card runs through to finance.

The right framing is: shadow IT is a signal that your official tooling is missing something. Treat it as feedback, not as misbehaviour.

The actual cost of unsanctioned SaaS

Shadow IT is not free for the business. It costs in five distinct ways.

Direct duplication. Three different teams each paying $50 a month for the same tool because none of them knows the others have it. We have audited Melbourne SMEs that were paying for Slack, Microsoft Teams, Google Chat and Discord simultaneously. None of the leaders knew about all four.

Data exposure. Client data in unmanaged tools the business has no idea exists, with no DLP, no retention policy, and no offboarding when the staff member leaves. The Notion workspace tied to someone’s personal email survives their departure indefinitely unless someone goes looking.

Compliance failure. The Australian Privacy Act obligations apply to personal information regardless of which SaaS tool the staff member chose to store it in. The fact that the tool was not sanctioned by IT is not a defence. The 2024-25 amendments tightened the breach notification and accountability requirements specifically here.

Integration risk. Every shadow tool that connects to Microsoft 365 via OAuth gets a slice of access to your tenant. Most of them are fine. Some of them are not. There is a non-trivial number of “free productivity apps” with read access to mailbox content.

Exit friction. When a senior staff member leaves and they have been the de facto owner of three shadow SaaS tools the rest of the team relies on, you are now in the position of either paying ransom to get the data out, or rebuilding the institutional knowledge from scratch.

Four discovery methods that actually work for SMEs

You do not need to buy a Cloud Access Security Broker for $40,000 a year to find your shadow IT. There are four cheap and effective methods, and the right answer for most Melbourne SMEs is to run all four sequentially.

Method 1: Microsoft Defender for Cloud Apps (if you have it)

If you are on Microsoft 365 E5, Defender for Cloud Apps is built in. If you are on Business Premium, it is not, but the related “Cloud Discovery” features in Microsoft Defender for Endpoint give you a surprisingly useful subset. Both work by analysing endpoint and firewall logs for outbound connections to known SaaS providers, then producing a discovery report that maps which staff are using what.

The first run of this against a tenant is always sobering. We ran it for a 70-person legal firm in Richmond and the discovery report identified 137 distinct cloud services in use, of which the firm had formally sanctioned 12. The rest broke down into “harmless free tools nobody minds” (about 80), “duplicates of things we already pay for” (about 20), “things that should probably be replaced” (about 15), and “wait what is this” (about 10).

Defender for Cloud Apps gives you a risk score per service based on a published catalogue of about 30,000 cloud apps with their compliance and security attributes. That risk score is a useful starting point for triage but should not be treated as the final word.

Method 2: Expense report keyword scan

This costs nothing. Export the last twelve months of corporate card transactions and personal expense reimbursements. Scan for the obvious keywords: Notion, Trello, Asana, Monday, Loom, Calendly, Canva, HubSpot, Mailchimp, ChatGPT, Anthropic, OpenAI, Zapier, Make, Airtable, Slack, Zoom, Lucidchart, Miro, Figma, Dropbox, Google. Add any local Australian SaaS providers relevant to your industry.

This catches everything that has gone through finance — which is roughly two-thirds of all shadow IT, in our experience. The expense report scan is fast, cheap, and produces a list with names attached, which is the part that makes the conversation possible. A salesperson cannot deny they signed up to HubSpot when the $80 a month is on their May expense report.

We did this exercise for a Geelong construction firm and the keyword scan caught more shadow SaaS than the Defender for Cloud Apps discovery did, because so much of the spend was on personal cards being expensed back.
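One cheap way to run the keyword scan at scale, as an added example rather than anything from the original article: the script below reads a card/expense export (the column names date, employee, team, merchant and amount are assumed), matches merchant strings against the keyword list above, annualises the spend and flags any tool being paid for by more than one team. The transactions are constructed sample data.

```python
"""Keyword scan of exported card and expense transactions for shadow SaaS.

Added example, not the article's own tooling. Column names are assumed; the
rows below are constructed to show the "three teams, one tool" pattern.
"""
import csv
import io
from collections import defaultdict

# Keywords from the article's list plus the aliases a card statement tends to
# use. "Make" is left out on purpose: it matches far too many merchant strings.
SAAS_KEYWORDS = {
    "trello": "Trello", "atlassian": "Trello",  # Trello bills via Atlassian
    "notion": "Notion", "asana": "Asana", "monday": "Monday",
    "loom": "Loom", "calendly": "Calendly", "canva": "Canva",
    "hubspot": "HubSpot", "mailchimp": "Mailchimp",
    "openai": "ChatGPT", "chatgpt": "ChatGPT", "anthropic": "Anthropic",
    "zapier": "Zapier", "airtable": "Airtable", "slack": "Slack",
    "zoom": "Zoom", "lucid": "Lucidchart", "miro": "Miro",
    "figma": "Figma", "dropbox": "Dropbox", "google": "Google",
}

# Constructed sample export covering two months: three teams paying for
# Trello separately, one Notion reimbursement, and some non-SaaS noise.
SAMPLE_CSV = """date,employee,team,merchant,amount
2025-03-02,a.nguyen,Tax,ATLASSIAN TRELLO SYDNEY,39.00
2025-03-04,b.smith,Audit,TRELLO.COM,65.00
2025-03-05,c.jones,Advisory,TRELLO*STANDARD,26.00
2025-03-06,d.lee,Marketing,NOTION LABS INC,16.00
2025-03-07,a.nguyen,Tax,COLES EXPRESS HAWTHORN,54.20
2025-03-09,e.wong,Tax,HUBSPOT INC,80.00
2025-04-02,a.nguyen,Tax,ATLASSIAN TRELLO SYDNEY,39.00
"""


def match_vendor(merchant: str):
    """Return the canonical vendor name for a merchant string, or None."""
    text = merchant.lower()
    for keyword, vendor in SAAS_KEYWORDS.items():
        if keyword in text:
            return vendor
    return None


def scan_expenses(csv_text: str, months_covered: int = 12) -> dict:
    """Aggregate SaaS spend by vendor and team and flag cross-team duplicates."""
    by_vendor = defaultdict(
        lambda: {"total": 0.0, "teams": defaultdict(float), "payers": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = match_vendor(row["merchant"])
        if vendor is None:
            continue  # groceries, fuel and the like are not SaaS
        amount = float(row["amount"])
        entry = by_vendor[vendor]
        entry["total"] += amount
        entry["teams"][row["team"]] += amount
        entry["payers"].add(row["employee"])

    report = {}
    for vendor, entry in by_vendor.items():
        # Annualise from the period the export actually covers.
        annualised = entry["total"] * 12 / months_covered
        report[vendor] = {
            "spend_in_export": round(entry["total"], 2),
            "annualised": round(annualised, 2),
            "teams": sorted(entry["teams"]),
            "payers": sorted(entry["payers"]),
            # The same tool bought by several teams is the "three Trellos" problem.
            "duplicate_across_teams": len(entry["teams"]) > 1,
        }
    return report


if __name__ == "__main__":
    for vendor, info in scan_expenses(SAMPLE_CSV, months_covered=2).items():
        flag = " DUPLICATE" if info["duplicate_across_teams"] else ""
        print(f"{vendor:10} ${info['annualised']:>9.2f}/yr teams={info['teams']}{flag}")
```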

Method 3: Browser extension audit

If your staff use Chrome or Edge on managed devices, the installed extensions list is a goldmine of shadow tooling. Grammarly, Loom, Asana, Notion Web Clipper, ChatGPT extensions, password manager extensions that are not the corporate one, screen recorders, AI writing assistants — they all show up.

This is also where you find the genuinely risky stuff. There is a long tail of malicious browser extensions that survive on the Chrome Web Store for weeks at a time before being pulled, often with names that look like productivity tools. An extension audit catches these and is also a chance to enforce an allowlist via Microsoft Edge for Business or Chrome Enterprise policies.

For Melbourne SMEs on Microsoft Intune, this is a one-page report. For unmanaged endpoints it requires a walk-the-floor approach, which is part of why endpoint management matters.

Method 4: Microsoft 365 OAuth consent report

This is the one most people miss. Every time a staff member clicks “Sign in with Microsoft” on a third-party SaaS app, that app gets an OAuth token to access some scope of their Microsoft 365 data. The list of apps with active OAuth consent against your tenant lives in the Entra admin centre under Enterprise Applications, and is usually astonishing the first time someone looks.

We did this for a Camberwell architecture firm and found 89 third-party applications with active OAuth consent against their tenant, including three that had been granted “read all mail” scope — one of which was a free email tracking tool an account manager had signed up to in 2022 and forgotten about. That OAuth grant survived their staff turnover and was still active two years later.

The OAuth consent report is also where you find the AI integrations. ChatGPT plugins, Anthropic Claude connections, Zapier OAuth grants, all the new wave of AI productivity tools that are wiring themselves into Microsoft 365. None of them are inherently malicious. All of them deserve to be looked at.

The four-bucket triage: sanction, replace, retire, ignore

Once you have a discovery list, every item goes into one of four buckets. The bucket determines the action. This is the framework we use with every Melbourne SME shadow IT engagement.

| Bucket | What it means | Action | Typical examples |
|---|---|---|---|
| Sanction | Genuinely useful, no reasonable alternative in the existing stack, acceptable risk profile | Bring under IT management, move billing to the corporate card, document data classification, set up offboarding workflow | Specialist design tools, niche industry apps, accepted general productivity tools (Calendly, Loom) |
| Replace | Duplicates a capability the business already pays for elsewhere | Migrate users to the official tool, cancel the shadow subscription, set a hard date | Trello when the org pays for Planner, Dropbox when the org pays for OneDrive, Slack when the org pays for Teams |
| Retire | Genuinely risky, dormant, abandoned, or actively dangerous | Revoke OAuth grants, contact provider for data export, then delete | Forgotten OAuth grants from 2022, malicious browser extensions, abandoned personal accounts holding client data |
| Ignore | Low risk, low cost, low value to act on | Note it, move on, do not waste cycles | Free productivity tools with no data sharing, personal-use tools, ad-hoc utilities |

The ignore bucket is important. The temptation in shadow IT projects is to try to bring everything under formal control, which is both impossible and counterproductive. If a salesperson has Grammarly installed on their personal browser profile and uses it occasionally, that does not need to be on a vendor management register. Pick your battles.
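Method 4 and the four-bucket table come together in the following added example (not the article's or any vendor's tooling): it takes the sort of list the OAuth consent report gives you and sorts each grant into sanction, replace, retire or ignore. The records, the sanctioned-tool map, the high-risk scope list and the 365-day staleness threshold are constructed assumptions for the example.

```python
"""Triage of a Microsoft 365 OAuth consent export into the four buckets.

Added example, not the article's or Microsoft's tooling. Each record carries
the app name, its delegated scopes as a space-separated string (the way an
oauth2PermissionGrant exposes them), the consent date and the last sign-in.
"""
from datetime import date

# Delegated Graph scopes that reach mailbox, file or directory content. Real
# permission names, but an illustrative list rather than a full risk catalogue.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "Contacts.Read",
}
# Scopes that only establish who the user is.
SIGN_IN_ONLY_SCOPES = {"openid", "profile", "email", "User.Read", "offline_access"}

# Constructed: what the business already pays for, per capability.
SANCTIONED_BY_CATEGORY = {
    "project management": "Microsoft Planner",
    "file sharing": "OneDrive",
    "chat": "Microsoft Teams",
}

STALE_AFTER_DAYS = 365
AS_OF = date(2025, 7, 1)  # constructed "today" so the run is deterministic

# Constructed sample export, modelled on the case study in the text.
SAMPLE_GRANTS = [
    {"app": "Notion (marketing workspace)", "category": "collaboration",
     "scopes": "Mail.Read User.Read offline_access",
     "consented": date(2024, 2, 1), "last_sign_in": date(2025, 6, 20)},
    {"app": "Notion (partner's workspace)", "category": "collaboration",
     "scopes": "Mail.Read User.Read offline_access",
     "consented": date(2023, 3, 14), "last_sign_in": date(2023, 9, 10)},
    {"app": "Trello", "category": "project management",
     "scopes": "User.Read openid profile",
     "consented": date(2024, 5, 5), "last_sign_in": date(2025, 6, 28)},
    {"app": "Free email tracker (constructed)", "category": "sales",
     "scopes": "Mail.ReadWrite User.Read",
     "consented": date(2022, 8, 9), "last_sign_in": date(2022, 11, 30)},
    {"app": "Quick-poll widget (constructed)", "category": "utilities",
     "scopes": "User.Read openid",
     "consented": date(2025, 1, 12), "last_sign_in": date(2025, 6, 29)},
]


def triage_grant(grant: dict, as_of: date) -> tuple:
    """Return (bucket, reason) for one OAuth grant."""
    scopes = set(grant["scopes"].split())
    risky = scopes & HIGH_RISK_SCOPES
    beyond_sign_in = scopes - SIGN_IN_ONLY_SCOPES
    stale = (as_of - grant["last_sign_in"]).days > STALE_AFTER_DAYS
    official = SANCTIONED_BY_CATEGORY.get(grant["category"])

    if stale and beyond_sign_in:
        # Dormant grant that still reaches real data: revoke, export, delete.
        return "retire", (f"no sign-in since {grant['last_sign_in']}, "
                          f"still holds {sorted(beyond_sign_in)}")
    if official and grant["app"] != official:
        # Same capability already paid for elsewhere: migrate and cancel.
        return "replace", f"duplicates {official}"
    if not beyond_sign_in:
        # Knows who the user is and nothing else: not worth a register entry.
        return "ignore", "sign-in only scopes"
    # Live, useful and reaching data: bring it under management.
    return "sanction", f"active, reaches {sorted(risky) or sorted(beyond_sign_in)}"


def triage_report(grants: list, as_of: date) -> dict:
    """Bucket every grant; returns {bucket: [(app, reason), ...]}."""
    report = {"sanction": [], "replace": [], "retire": [], "ignore": []}
    for grant in grants:
        bucket, reason = triage_grant(grant, as_of)
        report[bucket].append((grant["app"], reason))
    return report


if __name__ == "__main__":
    for bucket, items in triage_report(SAMPLE_GRANTS, AS_OF).items():
        for app, reason in items:
            print(f"{bucket:8} {app}: {reason}")
```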

Case study: a Melbourne accounting firm with three Trellos

A mid-sized accounting firm we work with — about 60 staff across two offices, including one in South Yarra — asked us to run a shadow IT discovery exercise in mid-2025 because their cyber insurer had started asking pointed questions about SaaS inventory at renewal. The findings were instructive.

The expense report scan turned up three separate Trello accounts run by three different teams. None of the teams knew the others had one. Each was paying $13 per user per month for the standard tier. The combined annual spend was $14,400, and the equivalent functionality was already available in Microsoft Planner and Loop, which were included in their existing M365 Business Premium subscription.

The OAuth consent report identified two Notion workspaces with active access to mailbox content. One was being actively used by the marketing team; the other belonged to a partner who had set it up in 2023 to draft a strategy document and then forgotten about it. The forgotten one still had read access to his mailbox via OAuth.

Most concerning, the browser extension audit identified a competitor’s project management tool — a SaaS aimed at accounting firms specifically — installed by a junior accountant on her work laptop. She had been adding live client data into it as a personal productivity tool because she found it easier than the firm’s official practice management software. The client data exposure was real, the staff member’s intent was harmless, and the underlying problem was that the official tool was genuinely worse than the alternative she found.

The triage outcome: Trellos consolidated and replaced with Planner over six weeks. The active Notion workspace was sanctioned and brought under IT management with proper offboarding workflow. The forgotten one was retired and OAuth revoked. The competitor tool was retired, the data was migrated out and into the firm’s official system, and the practice management software was put on the roadmap for replacement because the staff feedback was now formally on the table. None of this would have happened without the discovery exercise.

Building a sanctioning path so this does not happen again

Discovery is the first step. The longer-term fix is to build an internal path for staff to legitimately request new SaaS tools, with a turnaround time fast enough that they do not need to go around it. Three principles.

Time-box the approval. Five business days from request to yes/no. Longer than that and people will revert to shadow IT. The five-day commitment is enforceable if the assessment is structured: data classification, vendor security posture, integration impact, cost. A senior engineer can usually run this in two hours.

Pre-approve common categories. Maintain a list of SaaS categories where any tool from a pre-approved shortlist can be self-served by staff. Design tools, video conferencing, scheduling tools — none of these need a full assessment every time someone wants to use one. The shortlist gets reviewed quarterly.

Make rejection mean something. If you say no to a tool, you owe the requester either an alternative that meets their need or a clear explanation of why the problem cannot be solved that way. “No” without context is what drives staff into the shadow IT cycle. Co-managed IT models often work well here because they give internal IT the capacity to run this assessment without becoming the bottleneck.

The role of identity and conditional access

Shadow IT discovery is closely related to the broader identity story. The more you centralise authentication through Microsoft Entra ID, the more visibility you get over what is connected to your tenant. Tools that require staff to create separate accounts with personal email addresses are inherently invisible; tools that integrate via “Sign in with Microsoft” show up in the OAuth consent report.

Conditional Access policies can be configured to require admin consent for any new third-party application requesting Microsoft 365 data access, which closes the OAuth-grant-from-2022 problem at the source. This is one configuration change, takes about thirty minutes, and stops new shadow IT from accumulating in that specific way. We make it a standard part of the cybersecurity baseline for every new client tenant we onboard.

The trade-off is that admin consent becomes a queue you have to service. If the queue is slow, staff will route around it. Five business days, again.

What this costs to fix

For a typical 50-person Melbourne SME, a complete shadow IT discovery and triage engagement runs four to six weeks of elapsed time and one to two days of senior engineer effort. The deliverables are: an inventory of cloud services in use, a triage report with recommended actions per service, a remediation plan for the high-risk items, and a sanctioning workflow design for ongoing requests.

The hard-dollar return varies but is almost always positive. The Geelong construction firm saved $9,400 a year in duplicate SaaS subscriptions identified during discovery. The Richmond legal firm saved closer to $22,000 because they had been paying for three project management tools and four file-sharing tools simultaneously. The South Yarra accounting firm broke even on direct cost but eliminated a real data exposure that would have been a notifiable breach if it had been discovered later.

The softer return — the reduction in compliance risk, the cleaner OAuth surface, the ability to answer “what SaaS tools do you use” honestly on an insurance renewal — is harder to put a number on but matters more.

How TechAssist runs shadow IT discovery

We treat shadow IT discovery as a structured engagement, not an ongoing service. The work is intensive for four to six weeks and then transitions into a steady-state sanctioning process that internal stakeholders can run themselves with our support.

Founded in 2014, we have 13 Australian-employed engineers and a 24/7 NOC in Tecoma. Our two offices — Tecoma and 575 Bourke Street CBD — let us run on-site sessions for Melbourne metro clients on the same business day where the discovery work needs human follow-up. We are Essential Eight aligned and ISO 27001 capable, which matters when the deliverable from the engagement needs to land in front of an auditor or cyber insurer.

We have run shadow IT engagements for clients in construction, manufacturing, logistics, law firms, accounting firms and healthcare. The methodology is broadly similar; the specific tools that show up vary wildly by industry. A construction firm’s shadow IT is almost entirely site-management apps and free file-sharing tools. A law firm’s is document collaboration and AI drafting tools. A healthcare provider’s is patient communication platforms — which is where the regulatory stakes get serious.

Frequently Asked Questions

Is shadow IT really a security problem or just an IT housekeeping issue?

Both, depending on which tool. A free Calendly account with no client data in it is housekeeping. A Notion workspace holding client matter notes with OAuth access to a partner’s mailbox is a security problem. The point of discovery and triage is to tell the difference and act accordingly.

Can we just ban shadow IT outright?

You can write a policy that says so, but you cannot enforce it without either heavy egress controls (which most SMEs find impractical) or a fast sanctioning process (which most do not have). The realistic answer is “discover, triage, sanction the useful, retire the risky, build a fast path for new requests so people use it”.

How often should we run a discovery exercise?

The first run is the big one. After that, an annual refresh combined with a quarterly OAuth consent review is enough for most Melbourne SMEs. If your business is going through rapid headcount growth or a significant tooling change, run discovery more often.

Do free SaaS tools count as shadow IT?

Yes. The pricing is irrelevant to the risk assessment. A free Trello account with client tasks in it is the same data exposure problem as a paid one. The triage matters more than the cost.

What about staff using their personal ChatGPT account for work?

This is the 2026 version of the shadow IT problem and it deserves its own conversation. Personal AI accounts in use for work tasks need to be either replaced with sanctioned enterprise alternatives (Microsoft 365 Copilot Chat, ChatGPT Team, Anthropic Claude Team) or actively prohibited. The middle ground — “just be careful” — does not work because there is no audit trail.

Should we tell staff we are running discovery?

Yes. Transparency makes the exercise work better. Staff who know discovery is happening volunteer information that the technical methods would not have caught. Frame it as “we want to make sure the tools you need are properly supported”, not as “we are looking for who broke the rules”.

What to do this week

Pick one of the four discovery methods and run it. The expense report scan is the easiest starting point and requires nothing more than a spreadsheet and an hour. The OAuth consent review is the second easiest if you have Microsoft 365 admin access. Both will turn up enough to justify a broader conversation.

Whatever you find, do not lead with blame. Lead with curiosity. The staff who signed up for these tools were trying to do their jobs. The fix is to build a system where doing their jobs and following the rules are the same thing.

If you want a hand running a structured shadow IT discovery and triage across your Melbourne business, get in touch. We will tell you what is worth fixing and what is not.

Phishing-Resistant MFA: Why It’s Time to Move Past SMS Codes

SMS-based MFA is now treated as a failed control by ASD’s Essential Eight guidance and by every major cyber insurer. If your Melbourne business still relies on text-message codes for accounts that matter, you are running a security control your insurer will dispute on claim day. Here is the practical fix.

What “phishing-resistant” actually means

The term gets thrown around loosely. The technical definition is sharper than people realise. A phishing-resistant authenticator is one where the secret used to prove identity cannot be replayed, phished or intercepted between the user and the legitimate service, and where the authentication is cryptographically bound to the actual domain being authenticated to.

In practice that means the authenticator checks the relying party — the actual domain the browser is connecting to — and refuses to release credentials to an attacker’s lookalike site. SMS does not do this. TOTP authenticator apps that spit out six-digit codes do not do this. Push notifications that show “approve or deny” without binding to a domain do not do this either, which is why attackers spent 2022-2024 perfecting MFA fatigue attacks.

The three things that actually qualify as phishing-resistant in 2026:

  • FIDO2 security keys — physical hardware tokens like YubiKey 5, Google Titan, or Feitian devices that perform cryptographic challenge-response against the verified origin.
  • Platform passkeys — credentials stored in Windows Hello, Touch ID, Face ID or Android’s keystore, syncing through iCloud Keychain or Google Password Manager, using the same FIDO2 protocol.
  • Microsoft Authenticator with number matching and Authenticator-based passkeys — the modern Microsoft Authenticator experience now supports both number-matching push (a meaningful improvement) and full FIDO2 passkeys (the actual fix).

Notice what is missing. SMS, voice calls, email codes, TOTP apps like Google Authenticator or Authy, and old-school push notifications without number matching. All of those are second-factor controls, but none of them is phishing-resistant in the technical sense. Your insurer’s renewal questionnaire is going to ask very specifically.
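To make the origin-binding point concrete, here is an added example (not from the article or any WebAuthn library) that models a FIDO2 sign-in: the browser derives the relying-party ID from the origin it is actually on, the authenticator only holds credentials per relying-party ID, and the relying party checks challenge, origin and RP ID hash before it trusts the signature. HMAC with a shared key stands in for the real ECDSA key pair, and the domains and challenges are constructed.

```python
"""Model of why a FIDO2 authenticator will not sign for a lookalike domain.

Added example, not code from the article or any WebAuthn library. HMAC-SHA256
with a shared key stands in for the authenticator's ECDSA key pair, so the
relying party's verification key is the same secret; domains and challenges
are constructed sample data.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse


class Authenticator:
    """Holds one credential per relying-party ID, as a security key does."""

    def __init__(self):
        self._credentials = {}  # rp_id -> signing key

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self._credentials[rp_id] = key
        return key  # the RP stores this as its verification key

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        """Sign only if a credential exists for exactly this RP ID."""
        key = self._credentials.get(rp_id)
        if key is None:
            return None  # nothing is scoped to this domain: release nothing
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # the rpIdHash field
        signature = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return {"authenticator_data": auth_data, "signature": signature}


def browser_sign_in(authenticator, page_origin: str, challenge: bytes):
    """The browser, not the web page, fills in origin and RP ID from the real URL."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    rp_id = urlparse(page_origin).hostname
    assertion = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return None if assertion is None else {"client_data": client_data, **assertion}


class RelyingParty:
    """The legitimate service: one expected origin, one expected RP ID."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = urlparse(origin).hostname
        self.verification_key = None
        self.pending_challenge = b""

    def start_login(self) -> bytes:
        self.pending_challenge = os.urandom(16)
        return self.pending_challenge

    def verify(self, response) -> str:
        """Return 'ok' or the reason the assertion was rejected."""
        if response is None:
            return "rejected: authenticator produced no assertion"
        client_data = json.loads(response["client_data"])
        if client_data.get("challenge") != self.pending_challenge.hex():
            return "rejected: challenge mismatch (replay)"
        if client_data.get("origin") != self.origin:
            return f"rejected: origin {client_data.get('origin')} is not {self.origin}"
        if response["authenticator_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rejected: RP ID hash mismatch"
        signed = response["authenticator_data"] + hashlib.sha256(response["client_data"]).digest()
        expected = hmac.new(self.verification_key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response["signature"]):
            return "rejected: bad signature"
        return "ok"


def demo() -> dict:
    """Legitimate login, a relay on a lookalike domain, and a forged origin."""
    rp = RelyingParty("https://login.example.com")
    key = Authenticator()
    rp.verification_key = key.register(rp.rp_id)
    lookalike = "https://login.example.com.lookalike.test"
    # 1. The user is really on the service's own origin.
    legit = rp.verify(browser_sign_in(key, rp.origin, rp.start_login()))
    # 2. A proxy on the lookalike domain relays the genuine challenge. The browser
    #    derives the RP ID from the host it is on, so there is nothing to sign or relay.
    relayed = rp.verify(browser_sign_in(key, lookalike, rp.start_login()))
    # 3. Even an assertion that somehow carried the lookalike origin fails the RP's check.
    challenge = rp.start_login()
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": lookalike}).encode()
    forged = key.get_assertion(rp.rp_id, hashlib.sha256(client_data).digest())
    tampered = rp.verify({"client_data": client_data, **forged})
    return {"legitimate": legit, "relayed": relayed, "forged_origin": tampered}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14} {result}")
```

Contrast this with an SMS or TOTP code, which is valid wherever it is typed: there is no step at which either side asks which domain the user is actually on.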

Why SMS failed

SMS as a second factor has four structural problems that no configuration can fix.

SIM swapping. An attacker convinces your telco to port your number to their SIM. We have seen this happen to a director at a Camberwell professional services firm in 2024 — the entire attack ran from “ported number” to “Microsoft 365 inbox compromised” in under ninety minutes, on a Sunday afternoon, with no malware involved. The MFA code went straight to the attacker.

SS7 interception. The signalling protocol that routes SMS messages between carriers has known weaknesses that allow message interception without touching the victim’s phone. Less common than SIM swapping, but documented in the wild against high-value targets.

Phishing kits with relay. Modern phishing kits (Evilginx, Modlishka, EvilProxy and their successors) act as transparent proxies between the user and the real Microsoft login page. The user types their password and SMS code into the attacker’s lookalike, the attacker relays both to Microsoft in real time, and walks away with a valid session cookie. SMS does not stop this attack at all. The user is genuinely authenticating; the attacker is just sitting in the middle.

User behaviour. SMS codes get forwarded, screenshotted, read out loud in open-plan offices, and pasted into chat windows. They are six-digit numbers transmitted in plain text. They were never designed to be a hard security control.

The ASD’s Essential Eight maturity model now explicitly requires phishing-resistant MFA at Maturity Level 2 for privileged users and Maturity Level 3 for all users. If you are aiming for ML2 or higher, SMS does not count. Essential Eight alignment is becoming a procurement prerequisite for state government work and an increasing number of private contracts, so this is not just a security debate.

YubiKey 5 vs platform passkeys: the cost comparison

Once you accept that SMS has to go, the next question is which phishing-resistant option to standardise on. The honest answer is “both, for different purposes”. Here is the comparison we walk Melbourne clients through.

| Factor | YubiKey 5 (USB-C / NFC) | Platform passkey (Windows Hello / Touch ID) | Microsoft Authenticator passkey |
|---|---|---|---|
| Hardware cost per user | $85-$110 for one key, $170-$220 for two (recommended) | $0 (uses existing device) | $0 (uses existing phone) |
| Lifespan | 5-10 years, no battery | Tied to device replacement cycle | Tied to phone replacement cycle |
| Cross-device usability | Excellent (works on any computer with USB/NFC) | Limited to the OS ecosystem (Apple-to-Apple, Microsoft-to-Microsoft) | Excellent via QR code cross-device |
| Recovery if lost | Backup key required, or admin reset | iCloud Keychain / Google sync handles it | Cloud-synced through Microsoft account |
| Phishing resistance | Full FIDO2 | Full FIDO2 | Full FIDO2 (when passkey enabled, not just push) |
| Best for | Privileged admins, break-glass accounts, shared workstations, executives | General staff on managed devices | Staff who prefer phone-based, BYOD-tolerant scenarios |
| Insurance acceptance | Highest signal of intent | Accepted | Accepted |

For most Melbourne SMEs, the right answer is platform passkeys or Authenticator passkeys for the general staff population, plus YubiKey 5 (in pairs — primary and backup) for the privileged admin accounts and the break-glass emergency account. Total hardware spend for a 50-person business is usually in the $800-$1,500 range, not the eye-watering number people imagine.

TechAssist’s rollout order: privileged first, then finance/exec, then all staff

Doing this in the wrong order is how rollouts get stuck. We have run dozens of these and the sequencing matters more than the technology choice. Here is the order that actually works.

Phase 1: privileged accounts (week 1-2)

Every global admin, every Exchange admin, every SharePoint admin, every Azure subscription owner. Two YubiKeys each (one carried, one in a safe). FIDO2 enforced via Conditional Access. Old MFA methods removed for those accounts entirely. This is the population an attacker actually wants, and it is small enough to do in a fortnight.

For a 45-person construction firm in Port Melbourne we onboarded recently, this phase covered seven accounts — four IT-admin, the CEO, the CFO, and the office manager who had been a global admin since 2017 for reasons nobody remembered. Three of those seven had their admin rights stripped during the phase, because they did not need them.

Phase 2: finance and executive (week 3-4)

Anyone who can authorise a payment, anyone who can sign a contract, anyone whose inbox compromise would lead to a business email compromise wire fraud incident. Platform passkeys or Authenticator passkeys are usually the right tool here, with YubiKeys offered for users who travel internationally or work across multiple devices.

This phase is the one the CEO cares about, because it is also the population most likely to be socially engineered. BEC against the CFO’s inbox is the single most common direct-loss incident we see in Melbourne SMEs. The phishing-resistant control is the actual fix.

Phase 3: all remaining staff (week 5-8)

Roll passkeys out by department, in waves of fifteen to twenty users. Set a hard date by which SMS-based MFA is removed as an option in Conditional Access. Provide hands-on registration in the office for anyone who needs it. We typically allocate one engineer-hour for every five users for the registration push.

By week eight, your Conditional Access policies should be enforcing phishing-resistant MFA for all user sign-ins, with SMS removed from the available authentication methods list. That is the point you can tell the insurer the work is done.

The three traps that derail most rollouts

Even with the right order, three things consistently trip up MFA migration projects. We have learned to address these up front, not as afterthoughts.

Trap 1: shared mailboxes

Shared mailboxes in Microsoft 365 do not have their own sign-in credentials. They cannot have MFA in the traditional sense. The trap is that people forget about the user accounts behind them — the “reception”, “accounts”, “support” mailboxes that started life as full licensed users and got converted to shared at some point, but where the underlying user object is still active and can still sign in.

We did a sweep at a Box Hill manufacturer last quarter and found four accounts converted to shared mailboxes years earlier where the user object still had a password, no MFA, and was a member of the global admin group. That is a real incident waiting to happen, and Conditional Access alone will not catch it unless the accounts are properly disabled.

Trap 2: service accounts

Service accounts — for the scan-to-email function on the photocopier, for the integration with the line-of-business app, for the legacy reporting tool that runs at 2am — were typically created without MFA because “you can’t put MFA on a service account”. This is partially true and entirely solvable.

The fix is a combination of: moving to certificate-based auth or app registrations with managed identities where possible, applying conditional access policies that restrict service accounts to specific source IPs or compliant device states, and putting compensating controls (privileged access workstations, vaulted credentials) around the genuinely legacy ones that cannot be modernised. Our managed IT services team treats this as a separate workstream because it always takes longer than the human user migration.

Trap 3: break-glass admin accounts

You need at least one global admin account that is excluded from your Conditional Access policies, so that if your tenant configuration somehow locks everyone out you can still log in and fix it. This account is by definition not protected by your normal controls, which makes it the single highest-value target in the tenant.

The correct setup is two break-glass accounts, each with a long random password stored in two separate physical safes, each requiring a FIDO2 security key (also stored separately), with sign-in alerts configured to notify multiple senior people if either account is ever used. The accounts should be tested quarterly to make sure they still work, and the test should be logged. Most Melbourne SMEs we audit have either no break-glass account, a break-glass account that is also a daily-driver, or a break-glass account whose password is in a sticky note in the IT manager’s desk. All three are wrong.

Conditional Access: the policy that makes it real

You can buy all the YubiKeys you like, but if your Conditional Access policies still allow SMS as a fallback, users will fall back to SMS. The policy work is what turns the rollout from “available” to “enforced”.

The minimum viable policy set for a Melbourne SME running Entra ID (formerly Azure AD) looks like this:

  • All users (excluding break-glass) require phishing-resistant MFA for all cloud apps.
  • Privileged role activations require FIDO2 security key specifically, not just any MFA method.
  • Legacy authentication protocols (POP, IMAP, SMTP AUTH, legacy ActiveSync) are blocked entirely.
  • Sign-ins from outside Australia require either compliant device state or additional verification.
  • Risky sign-ins (per Microsoft Entra ID Protection signals) require password reset.

This policy stack costs nothing extra if you already have Microsoft 365 Business Premium, which includes the relevant Entra ID P1 features. If you are on Business Standard, the gap is about $9 per user per month for the Entra ID P1 add-on. For a 30-person business that is roughly $3,200 a year — cheaper than a single business email compromise incident excess on most cyber policies.
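The first three bullets can be checked mechanically against a policy export. The added example below (not Microsoft's tooling or the article's own) puts the weak policy beside the corrected one in Microsoft Graph conditionalAccessPolicy form and runs a small lint over them; the break-glass object IDs are placeholders and the authentication strength ID is Entra's built-in “Phishing-resistant MFA” strength.

```python
"""Lint a Conditional Access policy set against the minimum set above.

Added example, not Microsoft tooling or the article's own. Both sample sets
are constructed: a weak tenant that only requires "mfa", which SMS still
satisfies, and the corrected one.
"""

# Entra's built-in "Phishing-resistant MFA" authentication strength.
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
# Placeholders for the two break-glass accounts' object IDs.
BREAK_GLASS_IDS = ["<break-glass-1-object-id>", "<break-glass-2-object-id>"]
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}

# Weak setting: "Require multifactor authentication" lets users fall back to SMS.
WEAK_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

# Corrected setting: phishing-resistant strength, break-glass excluded,
# legacy protocols blocked outright.
CORRECTED_POLICIES = [
    {
        "displayName": "Require phishing-resistant MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS_IDS},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID},
        },
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS_IDS},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": sorted(LEGACY_CLIENT_TYPES),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def _enforced_for_everyone(policy: dict) -> bool:
    """Enabled (not report-only) and scoped to all users and all cloud apps."""
    cond = policy["conditions"]
    return (policy.get("state") == "enabled"
            and "All" in cond["users"].get("includeUsers", [])
            and "All" in cond["applications"].get("includeApplications", []))


def lint_policies(policies: list) -> list:
    """Return findings; an empty list means the minimum set is in place."""
    findings = []
    strength_ok = legacy_blocked = False
    for p in policies:
        if not _enforced_for_everyone(p):
            continue
        grant = p.get("grantControls", {})
        controls = set(grant.get("builtInControls", []))
        strength = (grant.get("authenticationStrength") or {}).get("id")
        if strength == PHISHING_RESISTANT_STRENGTH_ID:
            strength_ok = True
            if not p["conditions"]["users"].get("excludeUsers"):
                findings.append(f"'{p['displayName']}': no break-glass exclusion, "
                                "so a bad change can lock every admin out")
        elif "mfa" in controls:
            findings.append(f"'{p['displayName']}': requires generic MFA, "
                            "so SMS and TOTP still satisfy it")
        client_types = set(p["conditions"].get("clientAppTypes", []))
        if "block" in controls and LEGACY_CLIENT_TYPES <= client_types:
            legacy_blocked = True
    if not strength_ok:
        findings.append("no enforced policy requires phishing-resistant "
                        "authentication strength for all users")
    if not legacy_blocked:
        findings.append("legacy authentication (POP, IMAP, SMTP AUTH, "
                        "legacy ActiveSync) is not blocked")
    return findings


if __name__ == "__main__":
    print("weak:     ", lint_policies(WEAK_POLICIES))
    print("corrected:", lint_policies(CORRECTED_POLICIES))
```

The same lint will also flag the common half-step of leaving the phishing-resistant policy in report-only mode, since a report-only policy enforces nothing.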

Cyber insurance: the elephant in the room

Every Australian cyber insurance renewal questionnaire we have seen in the last twelve months asks the phishing-resistant MFA question directly, in some form. The wording varies, but the intent is identical: “Do all privileged accounts use phishing-resistant MFA? Yes/No.” A “No” answer either triggers a steep premium increase, a coverage exclusion for BEC-related losses, or in some cases a refusal to quote.

We had a Hawthorn law firm client whose 2025 renewal came back with a 60% premium increase plus a $50,000 BEC sub-limit, specifically because they were still on SMS MFA for the partners. We did the rollout in three weeks, got the underwriter the updated configuration evidence, and the renewal was repriced to the previous year’s level with the sub-limit removed. The phishing-resistant MFA work paid for itself in one premium cycle.

This is now the most cost-effective security investment a Melbourne SME can make on an ROI basis, full stop. The technology cost is modest, the configuration time is measurable in days not weeks, and the insurance saving is direct and immediate. There is no better-value security project on the table in 2026.

What this looks like at TechAssist

We have been running phishing-resistant MFA rollouts as a structured project type since early 2024. A typical engagement runs four to eight weeks elapsed, depending on the size of the user base and the state of the existing Conditional Access policies. We do the discovery, the policy design, the YubiKey procurement and shipping, the user registration sessions (on-site for Melbourne metro clients with same-business-day response if anything goes wrong), and the cutover.

Because we are Essential Eight aligned and ISO 27001 capable, our documentation pack is structured to give your insurer or auditor exactly what they ask for. That matters more than it sounds — we have had clients try to do MFA rollouts internally and then struggle to produce the evidence the underwriter wanted at renewal. The rollout was fine; the paperwork was the problem.

Our Tecoma cybersecurity practice has done this for construction firms, manufacturers, law firms, healthcare providers and a couple of schools. The technical work is similar across industries; the change management is what varies. A law firm partnership is a different conversation from a warehouse-floor manufacturer, and the rollout plan has to reflect that.

Frequently Asked Questions

Will my staff actually use FIDO2 keys or will they revolt?

Genuine objections drop fast once people use the keys for a week. The sign-in experience with a YubiKey is faster than typing a six-digit SMS code — touch the key, done. Platform passkeys are even faster because they use the biometric the user is already using to unlock the laptop. The main grumbling tends to come from executives who travel and need to use multiple devices, which is a real concern that pairs of YubiKeys solve.

What happens if a user loses their YubiKey?

This is why we issue two per privileged user. The user uses the primary, the backup is in a safe (often a home safe for senior staff who travel, or a locked drawer in the office). If both are lost simultaneously, the admin can reset the user’s authentication methods via a separate verified process. The point is to design the recovery path before it is needed, not after.

Can we just use Microsoft Authenticator and skip the hardware keys?

For general staff, yes. Microsoft Authenticator with passkey support is genuinely phishing-resistant and meets the bar. For privileged admin accounts and break-glass accounts, we still recommend hardware keys because they are not tied to a phone that can be lost, stolen, broken or compromised. The privileged accounts justify the extra cost.

Do we need to upgrade our Microsoft 365 licences for this?

If you are on Microsoft 365 Business Premium, no — you already have the Entra ID P1 features needed for Conditional Access. If you are on Business Standard or Business Basic, you need either to upgrade to Premium or add Entra ID P1 as an add-on. The cost is usually in the order of $5-$10 per user per month depending on the path.

How does this interact with our existing TOTP authenticator app?

TOTP (the six-digit code apps like Google Authenticator) is not phishing-resistant and should be retired alongside SMS. The migration usually runs in parallel — users register their passkey or YubiKey, verify it works, then remove TOTP as a registered method. Conditional Access policies should explicitly require phishing-resistant authentication strength, which excludes TOTP from being a valid method.

How long does the whole project take?

For a typical 40-person Melbourne SME on Microsoft 365, four to six weeks from kickoff to fully enforced. The first fortnight covers discovery, policy design and privileged accounts. Weeks three and four cover finance and executive. Weeks five and six cover the broader staff base. Faster is possible but rarely advisable — the change management is what determines whether the rollout sticks.

What to do this week

If you take nothing else from this article, do three things this week. First, find out what authentication methods your Microsoft 365 tenant currently allows — the “Authentication methods” blade in the Entra admin centre tells you. Second, identify how many of your global admin accounts could be compromised by an SMS-based phishing attack today. Third, get a quote for FIDO2 security keys in pairs for that admin population.
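As an added illustration of the first two checks, and of the Conditional Access “authentication strength” requirement mentioned in the TOTP answer above, the following PowerShell uses the Microsoft Graph PowerShell SDK to list which authentication methods the tenant currently enables, report which Global Administrators still have a phone (SMS or voice) method registered, and create a report-only Conditional Access policy that requires the built-in phishing-resistant MFA strength for the Global Administrator role. This is example code written for this article, not a TechAssist script or Microsoft documentation. The role template ID and authentication-strength ID are Microsoft’s well-known built-in values; the policy name and the report-only state are assumptions, and both IDs should be confirmed in your own tenant before the policy is switched to enforced.

```powershell
# Added example for this article, not a TechAssist script. Requires the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an account allowed to read directory
# roles and authentication methods and to write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.Read.All",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Directory.Read.All",
                        "UserAuthenticationMethod.Read.All"

# 1. Which authentication methods does the tenant currently allow?
#    This is the same data as the "Authentication methods" blade. SMS and the older
#    software OATH (TOTP) entries showing "enabled" are the ones the article says to retire.
$methodPolicy = Get-MgPolicyAuthenticationMethodPolicy
$methodPolicy.AuthenticationMethodConfigurations |
    Select-Object Id, State |
    Sort-Object Id |
    Format-Table -AutoSize

# 2. How many Global Administrators still have a phone (SMS/voice) method registered?
#    62e90394-69f5-4237-9190-012177145e10 is Microsoft's role template ID for Global Administrator.
$gaRole    = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id
$phoneAdmins = foreach ($member in $gaMembers) {
    $methods = Get-MgUserAuthenticationMethod -UserId $member.Id
    # Phone methods carry the '#microsoft.graph.phoneAuthenticationMethod' OData type.
    $types = $methods.AdditionalProperties.'@odata.type'
    if ($types -contains '#microsoft.graph.phoneAuthenticationMethod') {
        $member.AdditionalProperties.userPrincipalName
    }
}
"Global admins with a phone (SMS/voice) method registered: $(@($phoneAdmins).Count)"
$phoneAdmins

# 3. Report-only Conditional Access policy requiring phishing-resistant MFA for Global
#    Administrators. 00000000-0000-0000-0000-000000000004 is Microsoft's built-in
#    "Phishing-resistant MFA" authentication strength, which excludes SMS and TOTP.
#    The display name is an assumption. Review the report-only results in the sign-in
#    logs, and make sure every admin has a registered key, before setting state to "enabled".
$policy = @{
    displayName   = "CA-Admins-Require-Phishing-Resistant-MFA (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeRoles = @("62e90394-69f5-4237-9190-012177145e10") }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Keep the policy in report-only mode until the break-glass accounts are excluded or have their own keys registered; a phishing-resistant requirement that locks every admin out is the failure mode the two-keys-per-user practice above is meant to prevent.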

That is a half-day of work that gives you the starting position. From there, the rollout is a structured project with measurable milestones. The Melbourne SMEs that have done this in 2025 are now paying lower insurance premiums, sleeping better, and not having the awkward “yes we still use SMS” conversation with their auditors.

If you would like a hand running this for your business — discovery through cutover — talk to us. We have done enough of these to know where the traps are.

Half the vendor pitches landing this quarter promise that some flavour of frontier AI will rewrite your cybersecurity stack. The federal government just told its own agencies, on the record, not to buy it. If that’s the call for a department with a nine-figure security budget, it’s an even sharper call for a 40-staff Melbourne SME.

The document driving this is the Department of Home Affairs’ Protective Security Policy Framework (PSPF) advisory 001-2026, published late May. Its headline finding: “Australian government entities do not need access to the most advanced frontier AI models to stay protected.” The advisory points agencies at the Australian Signals Directorate’s Essential Eight and the Information Security Manual instead, and sets out a six-step maturity model where AI for cyber defence only enters the picture after the basics are locked down.

This post unpacks what the advisory actually says, why it lands harder for SMEs than for Canberra, and what a Melbourne business should do about it this quarter. The short version is in the next paragraph if that’s all you have time for.

The short version

The federal government has just put its name to an argument many of us in the Australian managed services industry have been making for two years. Frontier AI — the GPT-5-tier and Anthropic Claude Mythos-tier models the consumer press calls “AI” — is not the binding constraint on your security posture. Patching, MFA on every account, application control, and EDR are. If you spend the next twelve months building out an AI security capability while your patching backlog grows and a third of your users still don’t have MFA on their privileged accounts, you will be less secure, not more. The PSPF advisory is the same argument with the Commonwealth coat of arms attached.

What PSPF Advisory 001-2026 actually says

The advisory is short, plain-language, and binding on Commonwealth entities. The core findings are worth quoting because the original is being filtered through vendor marketing and consultant commentary that often softens the edges.

First, frontier AI is collapsing the window between vulnerability discovery and active exploitation from days to hours. The advisory uses the phrase “vulnerability storm” to describe what’s coming — a sustained pace of new vulnerability discovery, accelerated by AI-assisted bug-hunting on both the attacker and researcher sides, that patching teams in their current shape cannot keep up with.

Second, the answer is not “buy a more advanced AI”. The answer is “fix the fundamentals so the storm doesn’t break the roof”. The advisory points entities to Essential Eight Maturity Level Two for user application hardening and patching, and to the broader ISM controls for the rest of the environment.

Third, AI is not banned. The Australian Cyber Security Centre’s companion guidance treats AI as a medium-term lever for reducing analyst workload, sharpening threat prioritisation, and accelerating detection and response — once the configuration baselines, attack surface reduction, and legacy system debt are dealt with. There’s a six-step maturity model that puts “AI used for cyber defence in a secure, controllable, human-supervised, ethical and accountable manner” at the top, not the start.

Fourth, and this is the line most vendors are quietly skipping in their summaries, the ACSC warns that poorly implemented AI can introduce more risk than it removes. A model with broad data access, weak authentication, and inadequate logging is a new attack surface — not a security capability.

The Australian National Audit Office has previously found that federal agencies are not yet meeting the Essential Eight obligations they already have. So the advisory is, in effect, telling agencies: finish the work you’ve already been asked to do before chasing the next thing.

Why this hits SMEs harder than Canberra

The Commonwealth has security teams, dedicated identity engineers, and panels of cleared SOC providers on retainer. A Melbourne SME with 25 staff has, in our experience, an outsourced helpdesk, one part-time internal champion, and a Microsoft 365 Business Premium tenant somebody set up in 2019 and hasn’t touched since.

If the federal government, with that depth of security capability, is being told that frontier AI is not the answer right now, the implication for an SME is sharper still. The marginal dollar spent on an AI security agent for a 25-person firm in Box Hill is a worse investment than the same dollar spent on closing the long tail of unpatched line-of-business applications, deploying conditional access policies that actually block legacy authentication, or moving the firm off the local-admin-for-all model that’s been sitting unaddressed since the original device rollout.

Three things make the SME case sharper.

One, blast radius. A federal agency with mature segmentation, monitored gateways, and a SOC on watch may be able to contain the consequences of an experimental AI tool with broad data access. A 25-staff Melbourne firm where the same person who answers the phone also has SharePoint admin cannot. A poorly configured AI agent on that tenant has the keys to the whole organisation.

Two, talent. AI security tooling does not deploy itself. It needs people who understand the threat model, who can write the playbooks, who can tune false positives, and who can read the model’s reasoning when it flags something. SMEs do not have those people. Buying the tool without the people is buying an expensive logging product that nobody reads.

Three, sequencing. The Essential Eight controls compound. MFA reduces the attack rate, which reduces the volume of incidents the EDR has to respond to, which reduces the noise the SOC has to wade through, which reduces the need for AI triage. Skip the MFA layer and the AI tool inherits an unfiltered firehose of alerts it cannot meaningfully reason about. The advisory is essentially saying: do the upstream work first, because everything downstream becomes cheaper and more effective afterwards.

The Essential Eight, translated for an SME

Most SMEs we onboard have heard of the Essential Eight, can name two or three of the strategies, and have implemented somewhere between zero and three of them properly. The framework is from the Australian Signals Directorate and applies to any organisation, not just Commonwealth entities. Maturity Level One is the floor; Maturity Level Two is where insurers, larger clients, and now the PSPF want most organisations to sit. We’ve covered the framework in depth in our plain-English Essential Eight guide and our Essential Eight compliance guide; the short translation for an SME owner reading the PSPF advisory is below.

Application control
  • What an SME actually needs to do: Allowlist what runs on staff endpoints. Block unsigned binaries from user-writable locations. AppLocker or Windows Defender Application Control on Business Premium.
  • Why the PSPF advisory matters here: Highest-impact control against AI-accelerated malware. Hardest to deploy without breaking workflows; budget the time.

Patch applications
  • What an SME actually needs to do: Critical patches within 48 hours of vendor release for internet-facing apps. Everything else within two weeks. Track exceptions in a register, don’t just leave them.
  • Why the PSPF advisory matters here: This is the control the “vulnerability storm” hits hardest. Slow patching is now an open door, not a manageable risk.

Configure Microsoft Office macros
  • What an SME actually needs to do: Block macros from the internet. Only allow macros that are signed or in trusted locations. Most SMEs can disable user macros entirely.
  • Why the PSPF advisory matters here: Office macros remain a top initial-access vector. AI-generated phishing makes the lure quality higher; the technical control still works.

User application hardening
  • What an SME actually needs to do: Disable Flash and Java in browsers, block web advertising through an admin policy where you can, and block child processes from Office apps.
  • Why the PSPF advisory matters here: PSPF singles this out for Maturity Level Two. It’s tedious, has no marketing department, and works.

Restrict administrative privileges
  • What an SME actually needs to do: No standing admin rights on user accounts. Separate admin accounts for IT staff. No daily-driver browsing on admin sessions. Just-in-time elevation where the platform supports it.
  • Why the PSPF advisory matters here: If an AI agent or AI-augmented attacker gets a foothold on an admin session, you’ve lost. If it gets a foothold on a standard user, you have time.

Patch operating systems
  • What an SME actually needs to do: Critical OS patches within 48 hours of release. Within two weeks for everything else. Windows Update for Business or similar.
  • Why the PSPF advisory matters here: Same logic as application patching. Defender for Endpoint can monitor this; it doesn’t fix it.

Multi-factor authentication
  • What an SME actually needs to do: Phishing-resistant MFA on every account that can access email, the practice or finance platform, file shares, or remote access. No exemptions for partners or senior staff. Move off SMS where you can.
  • Why the PSPF advisory matters here: Hardest single thing an SME can do to lower the chance of breach. Free with Microsoft 365 Business Premium licensing — only the configuration takes work.

Regular backups
  • What an SME actually needs to do: Immutable backups that ransomware operators cannot delete with administrative credentials. Tested restores at least quarterly. The 3-2-1-1-0 rule, not “we have Veeam”.
  • Why the PSPF advisory matters here: If everything else fails, this is the line that keeps the business alive. AI-accelerated ransomware shortens the window to detect and respond; backups don’t care about the window.

Working through this table is uncomfortable because most SMEs find they have one or two strategies covered, one or two half-done, and the rest left as “we’ll get to it”. The PSPF advisory is the most senior endorsement Australia has yet produced of the position that no AI-flavoured purchase fixes that gap. Only the work fixes it.
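The two patching rows above set concrete timeframes (48 hours for critical patches on internet-facing products, two weeks for everything else) and insist that exceptions be recorded rather than silently left open. As an added example, not a TechAssist tool and not an ASD artefact, the following PowerShell models that register and grades each entry against the SLA as at a chosen date, so the “we’ll get to it” items show up as overdue or as exceptions that have expired. The product names, dates and the `ExceptionUntil` field are constructed sample data.

```powershell
# Added example for this article, not a TechAssist tool. Models the patch register the
# Essential Eight table describes: 48 hours for a critical patch on an internet-facing
# product, 14 days for everything else, with exceptions recorded and given an expiry.
# The register rows at the bottom are constructed sample data, not real systems.

function Get-PatchSlaDeadline {
    param(
        [Parameter(Mandatory)] [string]   $Severity,        # 'Critical' or 'Other'
        [Parameter(Mandatory)] [bool]     $InternetFacing,
        [Parameter(Mandatory)] [datetime] $VendorRelease
    )
    # The 48-hour clock only applies to critical patches on internet-facing products;
    # the table puts everything else on a two-week cadence.
    if ($Severity -eq 'Critical' -and $InternetFacing) { return $VendorRelease.AddHours(48) }
    return $VendorRelease.AddDays(14)
}

function Test-PatchRegister {
    param(
        [Parameter(Mandatory)] [object[]] $Register,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($row in $Register) {
        $deadline = Get-PatchSlaDeadline -Severity $row.Severity `
                                         -InternetFacing $row.InternetFacing `
                                         -VendorRelease $row.VendorRelease
        # An exception is only acceptable while it is current; an expired one is a gap again.
        $status = if ($row.ExceptionUntil) {
            if ($AsOf -gt $row.ExceptionUntil) { 'Exception expired - re-assess' } else { 'Exception (active)' }
        } elseif ($row.Applied) {
            if ($row.Applied -le $deadline) { 'Met' } else { 'Breached (applied late)' }
        } elseif ($AsOf -gt $deadline) {
            'Breached (open and overdue)'
        } else {
            'Open (within SLA)'
        }
        [pscustomobject]@{
            Product        = $row.Product
            Severity       = $row.Severity
            InternetFacing = $row.InternetFacing
            VendorRelease  = $row.VendorRelease
            Deadline       = $deadline
            Applied        = $row.Applied
            Status         = $status
        }
    }
}

# Constructed sample register (hypothetical products and dates).
$register = @(
    [pscustomobject]@{ Product='Edge firewall firmware';      Severity='Critical'; InternetFacing=$true;  VendorRelease=[datetime]'2026-03-03 08:00'; Applied=[datetime]'2026-03-07 22:00'; ExceptionUntil=$null }
    [pscustomobject]@{ Product='Practice management client';  Severity='Other';    InternetFacing=$false; VendorRelease=[datetime]'2026-03-02 09:00'; Applied=[datetime]'2026-03-10 19:00'; ExceptionUntil=$null }
    [pscustomobject]@{ Product='Remote access gateway';       Severity='Critical'; InternetFacing=$true;  VendorRelease=[datetime]'2026-03-17 09:00'; Applied=$null;                        ExceptionUntil=$null }
    [pscustomobject]@{ Product='Legacy accounting add-in';    Severity='Other';    InternetFacing=$false; VendorRelease=[datetime]'2026-02-20 09:00'; Applied=$null;                        ExceptionUntil=[datetime]'2026-04-30' }
    [pscustomobject]@{ Product='Old document scanner agent';  Severity='Other';    InternetFacing=$false; VendorRelease=[datetime]'2026-01-05 09:00'; Applied=$null;                        ExceptionUntil=[datetime]'2026-02-28' }
)

# Grade the register as at a fixed (constructed) date so the output is reproducible.
Test-PatchRegister -Register $register -AsOf ([datetime]'2026-03-20') | Format-Table -AutoSize
```

The output is the evidence an insurer or auditor is actually asking for when they say “show me your patching”: each product, the deadline the SLA implies, and whether it was met, breached, or covered by a dated exception. Replace the constructed rows with an export from your RMM or Intune reporting to run it against real data.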

What the “vulnerability storm” looks like at SME scale

The advisory’s framing of a “vulnerability storm” is not abstract. The pattern we’ve watched accelerate since 2024 looks like this. A vulnerability lands in a widely deployed product — a Fortinet appliance, an Exchange server, a content management plugin, a remote access tool. Within hours, AI-assisted reverse engineering produces a working exploit. Within a day, scanning campaigns hit every IP that exposes the product. Within two days, opportunistic ransomware operators are inside the businesses that didn’t patch.

For SMEs the pattern is brutal because the patching pipeline has not shortened. A typical Melbourne SME without managed IT discovers a Fortinet patch when their MSP newsletter arrives, schedules a maintenance window for the weekend, and applies it on Saturday night. The vulnerability has been actively exploited since Tuesday morning. That gap is what the PSPF advisory is trying to close at the Commonwealth level.

The control that defends against this is not AI. It is having someone, somewhere, whose job it is to watch the vendor advisories for the products you actually run and to ship the patches within the timeframes the Essential Eight specifies. For a 25-staff firm in Hawthorn, that someone is almost always a managed service provider with a NOC. For us, that NOC runs 24/7 from Tecoma and covers the patching pipeline as a baseline part of the managed agreement, not as a premium add-on.

“But the vendor said their AI tool reduces our risk”

It might. Read the PSPF advisory’s companion guidance carefully — the ACSC is explicit that AI can meaningfully reduce manual workload, sharpen threat prioritisation, and accelerate detection and response. The objection is not that AI is useless. The objection is that it sits at the top of a maturity ladder, not the bottom.

There are three honest tests for any AI security pitch landing in your inbox right now.

One, does it require capabilities you don’t yet have to be useful? An AI triage tool fed by a SIEM you don’t have, watching logs you don’t collect, against a baseline you haven’t built, will not produce signal. It will produce noise that costs money. If the answer to “what does this AI tool need to work?” includes “your existing telemetry”, and you don’t have existing telemetry, the prerequisite is the telemetry, not the AI.

Two, does it have the access it claims to need, and have you understood what that means? AI agents that read your mailboxes, your file shares, and your SaaS apps to “find risk” need credentials to do so. Those credentials become a target. The advisory’s warning about poorly implemented AI introducing risk is exactly this concern. Before approving the access, ask what happens if the model itself is compromised.

Three, does it replace a control or add a layer? An AI tool that replaces your existing EDR is a forklift. An AI tool that augments your existing EDR with better triage is a layer. For SMEs, layers are easier to roll back than forklifts. Forklifts during a vulnerability storm are how a firm ends up running two products at half-capacity through the period when the storm hits.

None of this means saying no to AI. It means saying “after” to AI for most SMEs in 2026, and meaning it.

What an SME should actually do this quarter

Take the advisory at face value and treat it as cover for postponing the AI pitch until next year. Spend the budget on the four moves below instead.

Move one: do an honest Essential Eight self-assessment. Not a vendor questionnaire. The ASD publishes the assessment guide; we publish a plain-English version in our Essential Eight guide. Walk through each of the eight strategies and grade your current state at Maturity Level Zero, One, Two, or Three. Be honest. Most SMEs land somewhere between Zero and One overall, with one or two strategies at Two.

Move two: pick the worst score and close it within 90 days. If MFA coverage is incomplete, finish it. If patching for line-of-business apps is ad-hoc, build the pipeline. If admin privileges are scattered across the user base, separate them. Closing the worst gap does more than closing three middle gaps because attackers find the worst gap first.

Move three: make sure your backup story holds. The PSPF advisory’s framing of accelerated attack timelines means the time from compromise to ransomware execution is shrinking. If your backups are reachable from the production domain, they will be encrypted alongside production. Immutable copies, offline copies, and quarterly restore tests are the difference between a bad week and a fatal one. The fundamentals are the same as we set out in our Essential Eight guide’s backup section.

Move four: write an AI acceptable use policy so staff don’t bring frontier AI through the back door. While the advisory is telling agencies not to chase frontier AI for security, staff are pasting client data into ChatGPT to summarise emails. The risk is the inverse of the one the advisory addresses, and SMEs need both sides covered. Our AI acceptable use policy template walks through the structure.

None of these four moves requires buying frontier AI. All of them reduce the probability and impact of the next incident. That is what the PSPF advisory is asking Commonwealth entities to do; it is what SMEs should be doing too.

Where AI does belong in an SME security stack — eventually

The honest position is not “never AI”. It is “AI when the upstream work is done”. For an SME at Essential Eight Maturity Level Two, with EDR deployed, telemetry centralised, a working SOC relationship, and an identity platform that can reason about access, AI-augmented tooling starts to earn its keep. The places it earns it first are alert triage on a working SIEM, phishing analysis on email that already has DMARC at p=reject, and identity risk scoring on a tenant where conditional access already exists.

The pattern is the same as automation generally. AI amplifies whatever it sits on top of. On a mature stack, it amplifies signal. On an immature stack, it amplifies noise — and noise during a vulnerability storm is how incidents go undetected.

The PSPF advisory’s six-step maturity model puts AI at step six for a reason. The steps below it are the controls that make step six work. There is no shortcut.

How TechAssist is thinking about this with clients

We’ve been running managed IT for Melbourne SMEs since 2014. Thirteen Australian engineers, two offices — Tecoma and Melbourne CBD at 575 Bourke Street — and a 24/7 NOC at Tecoma covering response under fifteen minutes on P1 issues. Our delivery is Essential Eight aligned and ISO 27001 capable, which is the table-stakes posture the PSPF advisory is asking everyone to reach.

The PSPF advisory has not changed our roadmap with clients. It has, helpfully, given us a Commonwealth-level reference for the conversation we were already having when a director forwards a frontier-AI vendor pitch and asks whether to take the meeting. Our standing answer has been: take the meeting next year. Read the advisory, run the gap assessment, close the worst gap. The advisory is now the citation at the bottom of the email.

The broader picture of how we approach security for SMEs is in our Melbourne cybersecurity services page; the operational layer underneath is in our managed IT services page. If you want help reading the PSPF advisory against your own environment, get in touch via our contact page or call 1300 028 324. Mention the advisory; we’ll structure the conversation around your Essential Eight position rather than running a generic discovery.

Frequently asked questions

Is the PSPF advisory binding on private businesses?

No. The PSPF is binding on Commonwealth non-corporate entities only. Private businesses, including SMEs, are not legally required to follow it. The reason it matters anyway is that the underlying control set — Essential Eight and the ISM — is what insurers, larger clients, and most state-government procurement processes now expect, and the PSPF advisory is the most authoritative recent statement of what good looks like. Treat it as the strongest available reference, not a regulation.

We already use Microsoft Copilot. Does the advisory say we should stop?

No. The advisory is about frontier AI for security operations — large language models used to detect and respond to threats in a security operations centre. Copilot for productivity is a separate question with separate controls. The controls that matter for Copilot are data classification, sensitivity labels, conditional access, and an AI acceptable use policy that staff have read. Our AI acceptable use policy guide covers the SME side.

How quickly can a 25-staff Melbourne SME reach Essential Eight Maturity Level Two?

For a firm starting at Maturity Level Zero across most strategies, a realistic timeline is 90 to 180 days with a managed service provider doing the work. The fast wins are MFA rollout (two to four weeks), patching pipeline (four to six weeks), and admin privilege separation (four to eight weeks). The slower ones are application control and application hardening, both of which require workflow testing to avoid breaking staff productivity. We’ve described the staged approach in our 90-day Essential Eight compliance roadmap for Melbourne.

What’s the difference between Essential Eight and the ISM?

The Essential Eight is a small set of high-impact mitigation strategies — eight of them — designed as a baseline. The Information Security Manual is the comprehensive ASD control catalogue covering everything else: cryptography, gateways, system administration, personnel security, supply chain, physical controls, and the rest. The Essential Eight is the prioritised starting set; the ISM is the full reference. For most SMEs, getting to Essential Eight Maturity Level Two is the goal; the ISM becomes relevant if you’re tendering for Commonwealth or large-enterprise work.

Will my cyber insurance cover this?

Cyber insurance does not pay for Essential Eight implementation; it pays out after an incident, and only if you can demonstrate the controls you said you had at the time the policy was written. The trend in 2025 and 2026 has been steeper questionnaires, lower limits where controls are weak, and tighter exclusions on ransomware where backups are not immutable. The PSPF advisory accelerates this — underwriters cite ASD frameworks in their underwriting and will price your renewal accordingly. Closing your Essential Eight gaps reduces both the probability of a claim and the cost of the premium that covers it.

If frontier AI is bad for cyber, why are vendors selling so much of it?

The advisory does not say frontier AI is bad. It says it is not the binding constraint on most defenders’ security posture right now, and that buying it before fixing fundamentals creates more risk than it removes. The vendor incentive to sell AI is unrelated to whether you should be buying it this quarter. Read the pitch, ask the three honest tests we set out above, and put the answer in writing for the file.

Where can I read the PSPF advisory myself?

The advisory is published on the Department of Home Affairs Protective Security Policy Framework website, listed as advisory 001-2026. The companion guidance from the Australian Cyber Security Centre is published on the cyber.gov.au site. Both are public documents. Read them in that order — the PSPF advisory sets the obligation, the ACSC guidance sets the technical detail.

If your Melbourne SME handles routine business data with sensible security baked into IT operations, an MSP is usually the right call. If you’re regulated, a frequent target, or you’ve had an incident, you likely need MSSP-grade detection and response on top. The honest answer for most 50-300 staff businesses sits between.

That middle ground is where most of the confusion lives. The acronyms get used interchangeably by sales teams, the pricing models look superficially similar, and the marketing pages all promise the same outcomes. But the operational reality is very different, and choosing the wrong model leaves you either overpaying for capability you can’t consume, or underprotected against threats your provider was never set up to catch.

This post compares the three operating models — MSP, MSSP, and internal security team — through the lens of risk profile rather than feature list. If you’ve already read our cost comparison between managed security and an in-house team, this is the companion piece: same decision, different angle.

What each model actually does in practice

Before we get to the comparison, it’s worth being concrete about what these labels mean on the ground in 2026, because the definitions have drifted.

MSP (Managed Service Provider)

An MSP runs your IT. That covers user onboarding and offboarding, endpoint management, Microsoft 365 administration, server and network operations, backup, patching, vendor liaison, and the help desk your staff ring when their laptop won’t connect to the printer. A modern MSP also runs a competent security baseline as part of that work — and this is the part most decision-makers misunderstand. A capable Australian MSP in 2026 should be delivering, as standard:

  • MFA enforcement across all identity surfaces, with conditional access policies tuned to your risk
  • EDR (endpoint detection and response) deployed and managed on every endpoint
  • Patch management on a defined cadence, with exception reporting
  • Backup with immutable copies and tested restore procedures
  • Email security with sandboxing and impersonation protection
  • Alignment to the Essential Eight at a documented maturity level
  • Quarterly security reviews and a documented risk register

That’s not a security service in the MSSP sense — it’s hygiene. But it’s the hygiene that prevents most incidents. The Australian Cyber Security Centre’s annual reporting consistently shows that the bulk of compromises against SMEs come through gaps in exactly these controls, not through sophisticated targeted attacks.

MSSP (Managed Security Service Provider)

An MSSP doesn’t run your IT. It runs your detection and response capability. The core deliverables look like this:

  • 24/7 Security Operations Centre (SOC) staffed by analysts whose entire job is watching alerts
  • SIEM (security information and event management) — ingesting logs from your endpoints, identity, network, cloud, and SaaS, and correlating them in real time
  • MDR (managed detection and response) — active threat hunting and containment, not just alerting
  • Vulnerability management as an ongoing programme with prioritised remediation
  • Incident response with defined containment playbooks and a retainer for serious events
  • Threat intelligence specific to your sector and geography
  • Compliance reporting against frameworks like ISO 27001, SOC 2, APRA CPS 234, or the Privacy Act

That’s a different operation entirely. The skill set is different (security analysts, not generalist engineers), the tooling is different (SIEM platforms cost serious money before you’ve hired anyone), and the operating model is different (event-driven, 24/7, with measured time-to-detect and time-to-contain).

Internal security team

An internal security team is exactly what it sounds like — people on your payroll who own security as their job. In the Australian SME context, the entry point is usually a single security manager or CISO-equivalent, supported by IT staff who pick up some security work. A proper internal capability that can actually detect and respond to incidents needs at minimum three to four people to cover a 24/7 roster, plus tooling — and at that point you’re looking at $700k-$900k a year in salary and licences before you’ve turned the lights on.

The comparison by risk profile

The right model depends on your risk profile, not your headcount. A 60-person law firm dealing with sensitive client matters has a different threat picture to a 250-person manufacturer making widgets. Here’s how the three models map against typical Melbourne SME risk profiles.

Risk profile suited
  • MSP with security baseline: Low to moderate — standard business data, no specific regulatory obligation, no history of targeted attacks
  • MSSP (specialist): Moderate to high — regulated industry, holds large volumes of PII or financial data, known threat target, prior incident
  • Internal security team: High — large enterprise risk profile, sovereign data obligations, board-level security oversight required

Capability depth
  • MSP with security baseline: Broad — generalist engineers covering IT operations with security hygiene built in
  • MSSP (specialist): Deep but narrow — specialists in detection, response, threat hunting; doesn’t touch general IT
  • Internal security team: Whatever you can hire — usually narrow until you can afford 5+ FTEs

Coverage hours
  • MSP with security baseline: Business hours with after-hours P1 escalation; NOC monitoring of infrastructure 24/7
  • MSSP (specialist): 24/7 SOC with named analysts on shift
  • Internal security team: Whatever your roster supports — rarely true 24/7 below 4 FTEs

Realistic annual cost (100 staff)
  • MSP with security baseline: $120k-$220k all-in for managed IT including security baseline
  • MSSP (specialist): $80k-$180k for MSSP services on top of IT
  • Internal security team: $400k-$900k for a credible team plus tooling

Time to value
  • MSP with security baseline: 30-60 days for full onboarding
  • MSSP (specialist): 60-120 days to ingest logs, tune SIEM, build runbooks
  • Internal security team: 6-18 months to recruit, onboard, and reach operational maturity

Best fit business size
  • MSP with security baseline: 20-300 staff with standard risk profile
  • MSSP (specialist): 50+ staff with elevated risk, or any size with regulatory obligation
  • Internal security team: 500+ staff, or smaller with board mandate and budget

How to read your own risk profile honestly

The question isn’t “are we at risk” — every business is. The question is what kind of risk, and what level of capability that justifies. A few practical tests we use when scoping work for new clients:

What’s the data you actually hold? A 120-staff accounting firm holding trust account data, ATO records, and personal financial information for several thousand clients has materially different exposure to a 120-staff industrial supplier. The former is a high-value target with legal obligations; the latter mostly needs to not be the easiest door on the street. We’ve written separately about accounting firm data security and trust account protection because that sector’s risk profile is genuinely different.

What’s your regulatory exposure? If you’re subject to APRA CPS 234, the Privacy Act notifiable breach scheme with material consequences, ISO 27001 certification for tendering, SOC 2 for SaaS customers, or sector-specific obligations (healthcare, legal, financial services), you need defensible detection and response. An MSP security baseline won’t pass that audit. You need MSSP-grade logging, retention, and incident handling.

Have you been hit before? Past incidents are the strongest predictor of future ones. If you’ve had a serious phishing-led compromise, a business email compromise event, or a near-miss with ransomware, your risk profile has changed. Threat actors share target lists. Going back to baseline hygiene after an incident is rarely sufficient.

What’s the impact of 72 hours of downtime? If a ransomware event would cost you tens of millions in lost revenue, contractual penalties, or customer churn, the maths on MSSP coverage gets simple very quickly. If three days of disruption would be painful but survivable, you can probably tolerate the slightly longer response curve of MSP-managed security with on-call escalation.

A concrete example: 120-staff CBD financial services firm

To make this less abstract — we onboarded a financial planning firm in the Melbourne CBD last year, about 120 staff across two offices, holding personal financial data and SOA documentation for around 4,000 clients. They came to us convinced they needed a full MSSP engagement because their incumbent IT provider had been quietly running on autopilot for years and they’d had a phishing scare.

What they actually needed was different. Their immediate exposure was the hygiene gap — MFA was inconsistent, EDR was deployed but never reviewed, patch cadence had slipped, and there was no documented backup test in the previous twelve months. We spent the first 90 days closing that gap as part of standard managed IT work, and aligned them to Essential Eight Maturity Level Two.

Six months in, with the baseline solid, we added managed SOC services through our Tecoma facility — SIEM ingestion of their identity, endpoint, and Microsoft 365 logs, 24/7 monitoring, and a defined incident response runbook. Total annual spend ended up roughly $190k for managed IT plus $95k for the SOC overlay. A full MSSP-only engagement would have cost similar money but left their underlying IT untouched, which was the actual source of risk.

That’s the pattern we see most often. The MSP-versus-MSSP framing is usually a false choice. What most Melbourne SMEs need is a strong MSP foundation with security overlays added where the risk justifies them.

Where the hybrid model fits

The integrated approach — MSP with embedded or overlaid SOC services — is increasingly common among Australian providers, and for good reason. The handoff problem between an MSP and a separate MSSP is real: when a SIEM alert fires at 2am, who patches the server, who isolates the endpoint, who talks to the client? Two providers means two contracts, two sets of runbooks, and a coordination gap right at the worst moment.

TechAssist runs an integrated model out of our Tecoma facility. The 24/7 NOC handles infrastructure monitoring and the managed SOC services overlay handles security event detection and response, with the same engineering team handling containment and remediation. Sub-15-minute response on P1 events. Essential Eight aligned by default. Thirteen Australian-based engineers, no offshore tier-one. We’ve been operating this model since 2014 and the integration matters — it’s the difference between a fast alert and a fast response.

This isn’t the right answer for every business. If you’re a 500-staff financial services firm with mature internal IT and you need to overlay specialist detection, a pure MSSP engagement on top of your existing team makes sense. If you’re a 60-staff professional services firm where IT is one person plus a help desk, the integrated MSP-plus-SOC model is usually a better fit than trying to manage two providers.

The decision framework

If you take nothing else from this post, work through these questions in order:

  1. What’s our current security maturity? If you don’t have MFA universally enforced, EDR managed and reviewed, current patching, tested backups, and Essential Eight alignment, that’s where to start. No amount of SOC monitoring compensates for missing baseline. This is MSP territory — see our managed IT services page for what that scope looks like.
  2. What’s our regulatory and contractual exposure? If audits, certifications, or customer contracts require defensible detection and response, you need MSSP-grade capability. Document the specific clauses driving this — it sharpens the conversation.
  3. What’s the business impact of a serious incident? Run the numbers honestly. Lost revenue per day of downtime, customer churn, contractual penalties, regulatory fines, remediation costs, reputational damage. If that number is significant relative to your annual revenue, the maths on 24/7 SOC coverage works.
  4. Do we have the internal capacity to consume security services? An MSSP that ships you a hundred alerts a week is worthless if nobody on your side reads them. You need either an internal point of contact or an MSP partner who can act on the alerts. Our managed cyber security services are designed around this — SIEM, MDR, and EDR delivered as a managed service so you’re not drowning in alerts.
  5. What’s our growth trajectory? A 100-staff business heading to 250 over two years has different needs to one that’s stable. Build the operating model for where you’ll be, not where you are.

Cost reality check

The pricing in the comparison table reflects what we see in the Australian market in 2026, but ranges hide a lot. A few honest observations on cost.

MSP pricing in Melbourne for 100 staff is genuinely competitive — the market has matured and rates have compressed. $120k-$220k a year all-in is realistic for managed IT with a good security baseline. If you’re paying less, check what’s missing (almost always EDR management, backup testing, or genuine 24/7 escalation). If you’re paying significantly more, check what you’re getting that justifies it.

MSSP pricing is harder to benchmark because the deliverables vary wildly. Some “MSSP” offerings are essentially log forwarding with email alerts and a pretty dashboard — at $40k a year, you get what you pay for. Genuine 24/7 SOC with named analysts, MDR, and incident response retainer runs $80k-$180k for a 100-staff environment. The gap between cheap and credible MSSP is bigger than the gap between cheap and credible MSP.

Internal teams remain expensive. The economics only work at scale or when you have specific reasons (sovereign data, board mandate, M&A history that built a team) that make outsourcing untenable. For most Melbourne SMEs in the 50-300 staff range, the build-versus-buy maths favours managed services by a wide margin. We’ve gone deeper on this in the co-managed versus managed versus internal IT comparison.

What good looks like

A useful test when you’re evaluating any provider — MSP, MSSP, or hybrid — is to ask specific questions and listen for specific answers:

  • What’s your time-to-detect and time-to-contain on a typical credential compromise event? (Vague answers are a red flag.)
  • How do you ingest and retain logs, and what’s the retention period?
  • What’s your incident response runbook? Walk me through the first hour of a ransomware event.
  • What’s your Essential Eight maturity assessment for your own operations?
  • Who’s on shift at 3am on a Sunday, and what’s their authority to act?
  • What’s your escalation path to my team, and at what point do you involve us?
  • Can I see a sanitised incident report from a real event you’ve handled?

Providers who can answer these crisply have operational maturity. Providers who deflect or speak only in marketing language don’t. This applies equally to MSPs claiming security capability and MSSPs claiming SOC depth.

Frequently asked questions

What’s an MSSP and how is it different from an MSP?

An MSP (Managed Service Provider) runs your IT operations — endpoints, identity, infrastructure, help desk, backup, and patching — with a security baseline built in. An MSSP (Managed Security Service Provider) is specialised in security detection and response: 24/7 SOC, SIEM operations, threat hunting, incident response, and vulnerability management. The MSP keeps the lights on; the MSSP watches the perimeter and inside the network for active threats.

Do we need both an MSP and an MSSP?

Most Melbourne SMEs in the 50-300 staff range don’t need two separate providers. The two common solutions are either an MSP with a strong managed security baseline (suitable for standard risk profiles) or an integrated provider offering both MSP and managed SOC services from one operations centre. Running two separate providers introduces coordination problems during incidents, which is exactly when coordination matters most. The exception is larger or highly regulated businesses where deep MSSP specialisation justifies the handoff complexity.

What does an MSSP cost in Australia?

For a 100-staff Australian SME, credible MSSP services run $80k-$180k per year on top of existing IT spend. That covers 24/7 SOC monitoring, SIEM ingestion across endpoints and identity, MDR, vulnerability management, and incident response retainer. Cheaper offerings exist but usually reduce to log forwarding with email alerts — not the same thing. Pricing scales with log volume, endpoint count, and the breadth of sources ingested (cloud, SaaS, network, identity, endpoint).

When is an internal security team the right answer?

An internal team makes sense when you’re at 500+ staff, have specific sovereign data or regulatory obligations that prevent outsourcing, have board-level mandate for in-house capability, or have inherited a team through acquisition. Below that, the economics rarely work — a credible 24/7 internal capability costs $700k-$900k a year before tooling, and Australian security talent is in short supply. Most SMEs are better served by managed services and selectively building internal capability (typically a security manager or CISO) on top.

How do we know if our current MSP is doing enough on security?

A few quick tests. Ask for evidence of: MFA enforcement across all users with conditional access policies, EDR deployed and actively managed with monthly reviews, current patch status report, last successful backup restore test (within 90 days), Essential Eight maturity assessment, and quarterly security review meetings. If your provider can’t produce this evidence within a week, security is not being actively managed regardless of what your contract says.

Where to start

If you’re trying to work out which model fits your business, the most useful first step is an honest assessment of where you are now — current controls, current gaps, current risk profile, and current regulatory exposure. From there the right operating model becomes clearer. We do this assessment as part of scoping for new clients, and it doesn’t commit you to anything.

Have a look at our cybersecurity services overview for the broader picture of what we cover, or get in touch if you’d rather have a direct conversation. Phone 1300 028 324 — we’ll tell you straight whether you need MSP, MSSP, the hybrid, or none of the above.

Your Professional Indemnity insurer wants proof, not promises. At 2026 renewal they expect documented evidence of MFA on every account, EDR on every endpoint, immutable backups, a tested incident response plan, vendor risk records, and current security awareness training logs. If you can’t produce these on demand, expect higher premiums, tighter sub-limits, or a declinature.

That’s the short answer. The longer answer is that conversations about law firm cybersecurity in Australia have changed shape since 2023. PI underwriters in the Australian legal market — Lawcover, LMI, Marsh-placed syndicates, and the London market behind most boutique brokers — used to ask a single tick-box question about “having antivirus”. Renewal questionnaires in 2025 and 2026 run twenty to forty technical questions deep, and a “yes” with no evidence is functionally a “no” at claim time.

This post is the practical brief for partners, principals, and practice managers at Melbourne firms with five to a hundred staff. It’s written from the engineering side: what underwriters now demand, what that actually looks like in a working firm, where Melbourne practices keep getting caught, and what to have ready before your broker rings.

Why PI underwriting changed

The Optus breach in September 2022 and Medibank a month later reframed cyber risk in the Australian insurance market. Reinsurers based in London and Munich repriced Australian cyber and PI cover almost immediately. By the 2024 renewal cycle, every Australian PI insurer touching the legal sector had rebuilt their underwriting questionnaires around the same control set — the one the Australian Cyber Security Centre had been publishing as the Essential Eight since 2017.

Three things shifted at once. First, the Notifiable Data Breaches scheme — administered by the OAIC under the Privacy Act 1988 — generated enough public data that underwriters could finally model breach frequency by sector. Legal services consistently sit in the top five by notifications per thousand businesses. Second, the Legal Profession Uniform Law’s professional conduct rules around client confidentiality were tested in several disciplinary matters where the underlying cause was a cyber incident, not deliberate disclosure. The VLSB+C (Victorian Legal Services Board and Commissioner) takes a dim view of practitioners who lose privileged material through preventable controls failures. Third, business email compromise losses on conveyancing and family law settlements stopped being rare. They became the most common notification type from the legal sector.

The combined effect: insurers stopped treating cyber as an adjacent line and started treating it as a core PI risk. A breach that exposes client trust account details, leaks privileged advice, or redirects settlement funds is now a PI loss, not just a cyber loss. That’s why the questionnaires got longer.

The controls underwriters now require evidence of

Below is the control set we see consistently across renewal questionnaires for Melbourne legal practices in 2025 and 2026. The exact wording varies between insurers in the Australian legal market, but the substance is consistent. “Evidence” in the right column means what we hand to the broker — not a verbal assurance.

Control | What underwriters expect | Evidence we provide
Multi-factor authentication | MFA on every account that can access email, practice management, document management, trust accounting, and remote access. No exceptions for partners or senior staff. | Conditional access policy export from Entra ID showing 100% coverage; sign-in logs demonstrating MFA enforcement.
Endpoint Detection and Response | EDR on every endpoint and server — not signature-based antivirus. Behavioural detection, 24/7 monitoring, automated isolation. | Vendor licence count matching device count; SOC console screenshots; recent detection and response examples.
Immutable backups | Backups that ransomware operators cannot delete or encrypt, even with administrative credentials. Offline or object-locked copies. | Backup architecture diagram; restore test results from the last six months; 3-2-1-1-0 verification.
Email security and BEC controls | Advanced anti-phishing, DMARC at p=reject, internal phishing simulation, and process controls for changing bank details on settlements. | DMARC report; phishing simulation results; documented dual-approval process for payment changes.
Patching | Operating systems and applications patched within fourteen days of vendor release; critical patches within forty-eight hours. | Patch compliance reports by device class; exception register for unpatchable systems.
Privileged access management | Separate admin accounts, just-in-time elevation where practicable, no shared credentials, no domain admin used for daily work. | Admin account inventory; PAM tool reports; evidence that partners do not have local admin on their daily-driver laptop.
Incident response plan | A written, tested IR plan with named roles, escalation paths, breach notification flowchart, and an external IR retainer. | The plan itself; tabletop exercise minutes; signed IR retainer with a DFIR firm.
Vendor risk management | A register of every third party touching firm data — counsel chambers, e-discovery providers, court filing platforms, accounting software — with security posture assessed. | Vendor register; SOC 2 or ISO 27001 certificates collected from key vendors; data flow map.
Security awareness training | Annual mandatory training, with quarterly phishing simulation and remedial training for staff who click. Records kept for every employee including partners. | LMS completion reports; phishing simulation click-rate trend; remedial training records.
Logging and monitoring | Centralised logs from identity, endpoint, email, and firewall, retained for at least twelve months, reviewed by a SOC. | SIEM or XDR coverage matrix; retention configuration; SOC engagement summary.

This is the spine of the Essential Eight in legal-firm clothing. If you’ve already mapped your controls to the ACSC framework, you’ve done most of the work — see our Essential 8 compliance guide for how the maturity levels translate into renewal evidence. The broader operational picture for Melbourne firms is covered in our piece on managed IT for Melbourne law firms, which goes deeper on day-to-day workflows. This post stays focused on what the underwriter wants to see.

How Melbourne law firms actually get caught

The questionnaire controls aren’t theoretical. Each one exists because insurers paid claims on a specific failure mode. Three patterns dominate the legal-sector losses we see across Melbourne.

BEC during property settlement

A boutique conveyancing practice in Hawthorn, eight staff, ran a standard residential settlement through PEXA. Two weeks before settlement, the conveyancer’s email account was compromised through a credential-stuffing attack — the practitioner reused a password that had appeared in a 2021 breach dump. The attacker sat in the mailbox for nine days, set up an Outlook rule to auto-forward and delete anything containing the matter reference, and at the right moment sent the purchaser’s solicitor a “corrected” trust account BSB and account number from a lookalike domain registered three weeks earlier.

The purchaser’s funds — $847,000 — landed in a mule account in Sydney and were withdrawn within ninety minutes. The PI claim covered the loss but the renewal premium tripled, the firm was placed on a remediation programme by the insurer, and the principal had a conversation with the VLSB+C that no principal wants to have.

What would have stopped it: MFA on the email account (would have blocked the credential stuffing); DMARC at p=reject on the firm’s domain (would have made the lookalike-domain trick harder); a dual-approval process for any change to settlement bank details that requires verbal confirmation on a known phone number; an inbox rule audit running weekly. Every one of those is now a tick-box on the renewal questionnaire.
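The weekly inbox rule audit mentioned above, as an added example rather than TechAssist’s own tooling. It walks every user mailbox in Exchange Online and reports rules that forward or redirect mail outside the firm, delete messages, or file them into folders nobody reads, which is the rule shape the attacker used in this matter. It assumes the ExchangeOnlineManagement module, an account with at least view-only recipient rights, and that the firm domain and output path below are replaced with your own.

```powershell
# Added example, not TechAssist's own tooling: weekly inbox-rule audit for
# Exchange Online. Flags the forward-and-delete rule pattern from the settlement
# BEC above so it is found in days, not after the funds have moved.
# Assumes the ExchangeOnlineManagement module and a reader role; the firm
# domains and the output file name are assumptions.
Connect-ExchangeOnline -ShowBanner:$false

$firmDomains    = @('example-firm.com.au')   # assumption: domains the firm owns
$suspectFolders = @('RSS Feeds', 'Conversation History', 'Junk Email', 'Deleted Items', 'Archive')

function Get-RuleTargets {
    # Forward / redirect targets come back as strings such as '"Name" [SMTP:user@domain]'
    # for external recipients; internal recipients use an EX: directory name instead,
    # so anything without an SMTP address is treated as internal.
    param($Rule)
    @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
        Where-Object { $_ } |
        ForEach-Object { if ("$_" -match 'SMTP:([^\]]+)\]') { $Matches[1] } else { "$_" } }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @(Get-RuleTargets -Rule $rule)
        $external = @($targets | Where-Object {
            $_ -match '@(.+)$' -and ($firmDomains -notcontains $Matches[1].ToLower())
        })
        $reasons = @()
        if ($external.Count -gt 0)   { $reasons += "forwards/redirects outside the firm: $($external -join ', ')" }
        if ($rule.DeleteMessage)     { $reasons += 'deletes messages' }
        $hidden = $suspectFolders | Where-Object { "$($rule.MoveToFolder)" -like "*$_*" }
        if ($rule.MoveToFolder -and $hidden) { $reasons += "moves mail to '$($rule.MoveToFolder)'" }
        if ($rule.Name -match '^\W{0,3}$')   { $reasons += 'rule name is empty or punctuation only' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Print for the engineer on shift and keep a dated CSV as evidence for the renewal folder.
$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path "inbox-rule-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it from a scheduled task on the management host and have someone read the output; a forward-to-external or delete rule that nobody can explain gets disabled and the mailbox treated as compromised until proven otherwise. Pairing it with the unified audit log (the New-InboxRule and Set-InboxRule operations) turns the weekly sweep into a same-day alert.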

Ransomware on the practice management system

A 22-lawyer commercial firm in William Street ran LEAP on an on-premises Windows server. The server was patched, the firm had antivirus, and they had backups on a Synology NAS that was reachable from the domain. On a Tuesday afternoon a paralegal opened an invoice attachment that wasn’t an invoice. By Wednesday morning the LEAP database was encrypted, the file shares were encrypted, the Synology backups had been encrypted because the backup service account had write access to the NAS, and the only clean restore point was a three-month-old archive on a USB drive in the office manager’s desk drawer.

The firm was offline for nine business days. Court deadlines were missed. The reconstruction of work-in-progress cost more than the ransom demand. PI cover responded but the insurer required, as a condition of renewal, EDR with managed response, immutable backups with offline copies, and segregation of the backup environment from the production domain. They also required documented evidence that the firm had moved off the legacy AV product within sixty days.

What would have stopped it: EDR with behavioural detection (would have killed the ransomware process before encryption started); immutable backups (the Synology was the single point of failure); least-privilege on the backup service account (it had no business being able to write to anything except the backup repository); a tested restore process.

Departing-staff conflict-of-interest exfiltration

A family law boutique in Camberwell, six lawyers, had an associate resign and move to a competing practice down the road. In her last fortnight she synced her firm OneDrive to a personal Dropbox, emailed forty-seven matter files to a Gmail address, and copied the client list to a USB stick. The firm only found out when a former client rang asking why the new practice already knew about her matter.

This isn’t a hacker story. It’s a controls story. The OneDrive sync to personal storage was permitted because nobody had configured a conditional access policy blocking personal Microsoft accounts on managed devices. The email exfiltration ran unnoticed because the firm had no DLP rules on outbound attachments. The USB copy worked because removable storage wasn’t blocked. The PI insurer paid the resulting client claims but the firm now has formal data loss prevention controls in place — because the renewal questionnaire asked, and a “no” wasn’t an option.

Where the LIV, VLSB+C, and Uniform Law sit in this

The Law Institute of Victoria publishes practice guidance on technology use and increasingly references the Essential Eight directly. The VLSB+C, as the regulator, doesn’t run a separate cyber compliance regime — but the Legal Profession Uniform Law’s professional conduct rules around client confidentiality apply to electronic records the same way they apply to paper. If privileged material walks out the door because controls were absent, that’s potentially a conduct matter, not just a cyber incident.

The OAIC sits across this as the regulator for the Notifiable Data Breaches scheme. Any breach involving personal information that’s likely to result in serious harm must be notified within thirty days. For a law firm, almost any breach meets that threshold because the data is, by definition, sensitive. The OAIC’s reasonable steps test under APP 11 looks remarkably similar to the Essential Eight in practice.

None of these bodies mandate a specific technical control set. Together they make absence of one indefensible. PI underwriters know this, which is why their questionnaires read like an APP 11 audit with a managed-services flavour. Our guide to IT compliance for legal practices goes deeper on the regulatory side; this post is focused on the insurance side because that’s the meeting that’s coming up next.

The PI questionnaire decoded

If you’ve been handed a 2026 renewal questionnaire, the questions tend to cluster into seven domains. Here’s how to read them.

Questionnaire domain | What they’re really asking | Where firms trip up
Identity and access | Do you have MFA on every account, or just on email for some staff? | Partners and IT admins exempted from MFA “for convenience”. This is now a hard fail.
Endpoint security | Is your endpoint product EDR or AV? Who responds when it triggers at 2am? | Naming a legacy AV product. Buying EDR but not having anyone watching the console.
Backups | Can a ransomware operator with domain admin credentials destroy your backups? | NAS backups on the same domain. Cloud backups in the same tenant as production with no immutability lock.
Email and BEC | What stops a fraudulent settlement-redirection email from reaching your inbox, and what stops your staff actioning it? | No DMARC. No dual-approval process for changes to client banking details.
Incident response | If you discover a breach at 4pm Friday, who do you call? | No retainer in place. Plan exists but has never been tested.
Vendor management | Who touches your data outside the firm, and how do you know they’re secure? | No register. Counsel chambers and e-discovery vendors never assessed.
People | Do staff know what a phishing email looks like, and is there a record proving you trained them? | Ad-hoc training with no records. Partners exempt themselves and then click the worst links.

What “evidence-ready” actually looks like

The phrase brokers use is “evidence-ready”. Insurers want a folder — usually shared via a secure portal — containing the documents that back each questionnaire answer. For a 30-person Melbourne firm, that folder typically holds:

  • An information security policy, signed by the managing partner, dated within the last twelve months.
  • The incident response plan, with a tabletop exercise record from the last six months.
  • A network diagram showing the firm’s environment, including cloud tenancy boundaries.
  • A data flow map showing where client data lives — practice management, document management, email, archives.
  • Backup architecture and the most recent restore test report.
  • MFA coverage report exported from Entra ID or the equivalent identity platform.
  • EDR licence and coverage report.
  • Patch compliance report by device.
  • Phishing simulation results for the last twelve months.
  • Security awareness training completion records for every employee.
  • Vendor risk register with current SOC 2 or ISO 27001 reports for material vendors.
  • Penetration test report or vulnerability assessment dated within the last twelve months.
  • Cyber insurance certificate if held separately from PI.
  • IR retainer agreement with a DFIR firm.

This is roughly what we maintain for our legal-sector clients on a rolling basis. The first time a firm builds this folder it takes about six weeks. After that it’s a quarterly review.

The trust account angle

Trust accounts deserve their own paragraph because they’re where the PI conversation gets sharpest. The VLSB+C’s trust account inspection regime focuses on financial controls, not cyber controls — but a compromised email account that authorises a trust withdrawal is a trust account failure with a cyber root cause. The principles are similar to what we’ve written about for the accounting sector in our accounting firm data security and trust account protection piece, but legal practices have additional confidentiality obligations on top.

For trust account-handling firms, the additional controls underwriters look for are:

  • Segregation of duties so no single person can authorise a trust payment and change a bank detail.
  • Out-of-band verification — a phone call to a known number, not the number in the email — for any change to settlement banking details.
  • Logging of every change to bank account details in the practice management system.
  • Restrictions on remote access to the trust accounting module.

The IR retainer question

This one trips firms up consistently. A growing number of PI questionnaires ask whether the firm has a “pre-engagement with an incident response provider”. A yes-or-no answer with no documentation isn’t enough; underwriters want to see the agreement, the SLA on response time, and the name of the DFIR firm.

The reason is practical. A breach at 4pm on a Friday in a firm without a retainer means the principal spends Friday night ringing law firms (ironic) for referrals, then ringing IR firms who all quote a five-figure engagement fee before they’ll start work, then waiting until Monday morning for forensics to begin. By then the attacker has been in the environment for sixty-plus additional hours. With a retainer, the call goes to a 24/7 hotline, the engagement is pre-papered, and the analyst is in your environment within an hour.

TechAssist’s NOC at Tecoma runs 24/7 with sub-fifteen-minute P1 response, and we maintain DFIR relationships for clients who need separate forensics capability. The retainer doesn’t replace your MSP’s incident response — it’s the specialist forensics and legal-privilege layer that sits above it.

Cost framing

The question every managing partner asks is what this costs. Rough order of magnitude for a Melbourne firm of 25 staff, looking at what insurers now expect as table stakes:

Control area | Indicative annual cost (25-staff firm) | Notes
MFA and conditional access (Entra ID P1/P2) | Already covered in most Microsoft 365 Business Premium licences | Configuration effort, not licence cost, is the spend.
EDR with managed response | $60-120 per endpoint per year | Includes 24/7 SOC monitoring; AV-only is no longer accepted.
Immutable backup with offline copy | $8,000-15,000 per year depending on data volume | Usually replaces an existing backup product, not additive.
Security awareness training and phishing simulation | $30-50 per user per year | Records retention is part of the value.
Penetration test (external + light internal) | $8,000-15,000 every twelve to eighteen months | Required by some questionnaires; recommended by all.
IR retainer | $3,000-8,000 per year | Plus hourly rates if invoked. Retainer keeps the meter off.
Vendor risk management programme | Included in managed service for our legal clients | Standalone tools exist but add complexity for small firms.

The savings sit on the other side of the ledger — in PI premium itself, in the avoided cost of a single BEC loss, and in the avoided cost of unwinding a ransomware event. A 25-staff firm seeing premium reductions of 10-20% on a $40,000-$80,000 PI line is paying for most of the control uplift through the insurance line alone.

How TechAssist works with law firms on this

We’ve been running managed IT for Melbourne legal practices since 2014. The team is thirteen Australian engineers, all local, with the 24/7 NOC at Tecoma in Melbourne’s east. Our controls are Essential Eight aligned and our delivery is ISO 27001 capable, which matters because the same questionnaire that asks about your controls also asks about your MSP’s controls — and your MSP either passes that sub-questionnaire or becomes the weak link in your renewal.

For PI-renewal-ready engagements we work to a four-stage pattern: gap assessment against the questionnaire your broker uses; remediation plan with priority order driven by the questions most likely to determine pricing; implementation with evidence captured from day one; and a documentation pack handed to your broker. The full picture of how we handle ongoing operations for legal sector clients is in our broader piece on IT support for Australian law firms, which covers the day-to-day. The cybersecurity layer is detailed at cybersecurity services Melbourne.

P1 response sits under fifteen minutes by SLA. We’ve had to use that response time on legal-sector incidents, including BEC attempts caught mid-attack and one ransomware event isolated before encryption spread off the patient-zero machine. The pre-existing IR retainer made the difference in both cases.

If your renewal is coming up

Pull the questionnaire from your broker now, not when the renewal date arrives. Read it cold and mark each question green, amber, or red. Green is “yes, with evidence in the folder”. Amber is “yes, but the evidence is thin”. Red is “no, or I don’t know”.

Take the reds first. The high-leverage ones are usually MFA-everywhere, EDR with managed response, immutable backups, an IR retainer, and a dual-approval process on settlement banking details. Those five, properly implemented and documented, move the needle on premium more than any other combination.

If the questionnaire mentions specific frameworks — Essential Eight, ISO 27001, NIST CSF — ask the broker which one the underwriter weights most heavily. For the Australian legal market it’s almost always Essential Eight, and the maturity level expected is typically ML2 for firms over twenty staff.

If you’d like a hand with any of this — the gap assessment, the remediation, the evidence pack — get in touch via our contact page or call 1300 028 324. Mention you’re working on a PI renewal and we’ll structure the conversation around the questionnaire rather than running through a generic discovery.

Frequently asked questions

What does Lawcover require for cyber controls at renewal?

We don’t speak for any specific insurer’s underwriting position and you should confirm directly with your broker. What we observe across questionnaires from insurers active in the Australian legal market — including Lawcover-placed risks, LMI, and London-market boutique syndicates — is convergence on the Essential Eight control set, EDR rather than signature AV, immutable backups, documented IR plans, and security awareness training records. Specific wording and thresholds vary; the underlying expectations don’t.

Our PI insurer wants “evidence of MFA”. What does that mean in practice?

They want a report, not a statement. For Microsoft 365 environments that’s typically the Authentication Methods Activity report or a conditional access policy export from Entra ID showing the policy, its assignment to all users, and sign-in logs proving MFA fires on every sign-in. For other identity platforms the equivalent applies. A screenshot of the MFA setup page isn’t evidence; a sign-in log is.
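The two MFA artefacts named here and in the controls table earlier (the conditional access policy export and the sign-in log evidence), pulled from Entra ID with the Microsoft Graph PowerShell SDK. This is an added example, not TechAssist’s own tooling or a Microsoft report. It assumes the Microsoft.Graph module is installed, a reader account holding the scopes listed in the script, an Entra ID P1 licence (needed for sign-in log access), and that the output file names are placeholders.

```powershell
# Added example, not TechAssist's own tooling: export the MFA evidence an
# underwriter asks for from Entra ID via Microsoft Graph PowerShell.
#   1. every conditional access policy, flagged where it falls short of
#      "MFA for all users on all apps with no exclusions";
#   2. successful sign-ins in the last 7 days that were never challenged for MFA.
# Assumes the Microsoft.Graph SDK, Entra ID P1, and the scopes below. File names are assumptions.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$stamp = Get-Date -Format 'yyyyMMdd'

# --- 1. Conditional access policy export -----------------------------------
$policyRows = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $u = $p.Conditions.Users
    $g = $p.GrantControls
    # Exclusions are what the questionnaire's "partners exempted" row is probing. They come
    # back as object IDs / role template IDs; resolve them with Get-MgUser -UserId or
    # Get-MgGroup -GroupId when you name them in the evidence pack.
    $excluded = @($u.ExcludeUsers) + @($u.ExcludeGroups) + @($u.ExcludeRoles) | Where-Object { $_ }
    [pscustomobject]@{
        Policy      = $p.DisplayName
        State       = $p.State      # enabled / disabled / enabledForReportingRequirementsOnly
        AllUsers    = [bool]($u.IncludeUsers -contains 'All')
        AllApps     = [bool]($p.Conditions.Applications.IncludeApplications -contains 'All')
        RequiresMfa = [bool](($g.BuiltInControls -contains 'mfa') -or $g.AuthenticationStrength.Id)
        Exclusions  = @($excluded).Count
        ExcludedIds = (@($excluded) -join ' ')
    }
}
$policyRows | Format-Table -AutoSize
$policyRows | Export-Csv -Path "ca-policies-$stamp.csv" -NoTypeInformation

# "100% coverage" needs at least one policy that is enabled, scoped to all users and all
# apps, requires MFA, and carries no exclusions. Report-only mode does not count.
$covering = $policyRows | Where-Object {
    $_.State -eq 'enabled' -and $_.AllUsers -and $_.AllApps -and $_.RequiresMfa -and $_.Exclusions -eq 0
}
if (-not $covering) {
    Write-Warning 'No enabled policy requires MFA for all users on all apps without exclusions. Document every exclusion before this goes to the broker.'
}

# --- 2. Sign-in evidence ----------------------------------------------------
# Successful sign-ins whose authenticationRequirement was single-factor are the accounts
# or apps the policies missed. The broker wants this list empty, or every entry explained
# (break-glass accounts, a legacy protocol still switched on).
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$singleFactor = @(Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.Status.ErrorCode -eq 0 -and $_.AuthenticationRequirement -eq 'singleFactorAuthentication' })

$singleFactor |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count |
    Export-Csv -Path "single-factor-signins-$stamp.csv" -NoTypeInformation

'{0} successful single-factor sign-ins across {1} accounts since {2}' -f `
    $singleFactor.Count, @($singleFactor | Group-Object UserPrincipalName).Count, $since
```

The two CSVs are the report the insurer is asking for: the first shows the policy and its assignment, the second shows whether MFA actually fired. A seven-day window keeps the sign-in pull manageable on a busy tenant; widen it once you know the volume, and keep the dated files in the evidence folder so the next renewal is a re-run rather than a rebuild.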

Do we need a separate incident response retainer if we already have a managed service provider?

Most renewal questionnaires ask the question in a way that expects yes. The MSP handles operational response — isolating endpoints, restoring from backup, locking down accounts. A DFIR retainer adds forensics under legal privilege, breach notification advice, and the chain-of-custody work that holds up in a regulator investigation or insurance claim dispute. The two are complementary. For smaller firms we sometimes structure this through the MSP’s partnerships rather than a direct DFIR retainer, which is generally acceptable to underwriters if the arrangement is documented.

How long does it take to get evidence-ready for a renewal?

For a firm starting from “we have antivirus and basic backups”, expect six to twelve weeks to reach evidence-ready, depending on the existing environment. The technical implementations can happen quickly — MFA rollout in two weeks, EDR deployment in a week, backup re-architecture in three to four weeks. The documentation and policy work is what extends the timeline. Most firms underestimate the policy side and overestimate the technical side.

If we fail the questionnaire, will we lose cover?

Outright declinature is rare; what happens more often is higher premium, lower limits, ransomware sub-limits, or specific exclusions written into the policy. Some insurers in the Australian legal market will offer cover conditionally — with a remediation deadline and a follow-up assessment in six months. The worst outcome we see isn’t refusal; it’s a policy that pays out at claim time only to the extent the firm can prove it met the controls it said it had at renewal. Failure-to-disclose claims are a recurring source of disputes.

We’re a five-partner firm with one practice manager and no IT staff. Is this all proportionate?

The control set scales down well. MFA is free with your Microsoft licensing. EDR for ten endpoints is around $600-1200 a year. Immutable backup for a small firm is a few thousand. The documentation is shorter because the environment is simpler. The premium savings are proportional too — small firms see absolute premium reductions that more than cover the spend. The trap small firms fall into is assuming size buys them out of the questionnaire. It doesn’t.

An AI acceptable use policy tells your staff which AI tools they can use, what they can paste in, and what happens when somebody pastes the wrong thing. For a Melbourne SME it is now a baseline governance document, sitting next to your password policy and breach response plan. Write it before something goes wrong.

We have spent the last eighteen months helping clients across construction, accounting, law, and healthcare write and roll these out. The pattern is consistent: people are already using ChatGPT and Copilot on company data, leadership has no visibility, and nobody can articulate the rules because there are no rules. This post is the practical guide to fixing that.

Why every Melbourne SME needs an AI acceptable use policy by 2026

The regulatory ground has shifted under Australian businesses in the last twelve months. The Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort for serious invasions of privacy, expanded the Australian Information Commissioner’s enforcement powers, and brought in tiered civil penalties. The reforms are being rolled out in tranches through 2025 and 2026, and the OAIC has explicitly signalled AI-related privacy practices as a focus area.

The OAIC’s guidance on generative AI, published in October 2024, is unambiguous on three points. Personal information entered as a prompt triggers Australian Privacy Principle obligations. Organisations should not enter personal or sensitive information into publicly available generative AI tools by default. Organisations need policies and staff training, not just technical controls. If your business hits the $3 million annual turnover threshold and you do not have a documented position on AI tool usage, you are exposed.

Then there is the insurance side, which is the conversation that usually focuses minds. Most professional indemnity and cyber insurers renewing policies in 2025 and 2026 are asking specific questions about AI usage and whether the insured has an acceptable use policy in place. Answering “no” is not yet a coverage exclusion, but it is increasingly a premium loading factor and, in the event of a claim involving AI-assisted error, a question your broker would rather not have to answer for you.

A Hawthorn accounting firm we onboarded earlier this year discovered, during the initial security review, that two of their senior accountants had been pasting client trial balances into ChatGPT to draft management reports. The data was technically anonymised, but client revenue figures, GST positions, and director loan accounts were sitting in OpenAI’s training-eligible consumer tier. There was no malice and no policy. The partners had not realised what their staff were doing because nobody had told the staff what they could or could not do. The remediation took a fortnight. The conversation with their PI insurer took considerably longer.

What an AI acceptable use policy should actually contain

A workable AI AUP for a Melbourne SME runs to about eight to twelve pages. Anything shorter is a marketing document; anything longer will not be read. We structure ours around nine sections, and the framing matters — the document should read as a set of practical rules with reasons attached, not as a legal artefact that requires a lawyer to interpret.

| Section | Purpose | Typical length |
|---|---|---|
| 1. Scope and definitions | Who the policy applies to, what counts as an AI tool, what counts as company data | Half a page |
| 2. Approved tools register | The list of AI tools staff may use, by tier (approved, conditional, prohibited) | One page, updated quarterly |
| 3. Acceptable uses | Concrete examples of tasks staff are encouraged to use AI for | One page |
| 4. Prohibited inputs | Categories of data that must never be entered into any AI tool | One page |
| 5. Data handling for client information | Rules for client data, including anonymisation, consent, and tenancy | One to two pages |
| 6. Output verification and attribution | Requirements for checking AI output and disclosing AI involvement | Half a page |
| 7. Tool-specific guidance | Per-tool rules for ChatGPT, Copilot, Claude, Gemini, others | Two pages |
| 8. Monitoring and enforcement | How compliance is monitored and what breach consequences are | Half a page |
| 9. Industry addenda | Sector-specific clauses for regulated industries | One page where applicable |

Sample wording: Acceptable uses

This is the section that tells staff what AI is for. Get this right and the rest of the policy reads as enabling rather than restrictive. Sample wording:

Staff are encouraged to use approved AI tools to: draft and refine internal communications; summarise long documents that the staff member has the right to access; generate first-draft code, scripts, and spreadsheet formulas; brainstorm options and structure arguments; translate text where no client-confidential content is involved; transcribe and summarise meetings where all participants have consented and the meeting platform’s AI features have been approved. The expectation is that AI accelerates work; the staff member remains accountable for the output.

Sample wording: Prohibited inputs

This is the section that does the heaviest lifting. Be specific. Vague prohibitions (“do not enter sensitive data”) are unenforceable because nobody agrees on what sensitive means. Sample wording:

The following must never be entered into any AI tool, regardless of tier, unless the tool is explicitly listed as approved for that data type in the tools register: full names combined with any other identifier of clients, patients, students, or staff; financial account numbers, credit card numbers, or tax file numbers; health information of any kind; legal advice received from the firm’s solicitors; commercially sensitive information about live tenders, M&A activity, or unannounced pricing changes; passwords, API keys, certificates, or any other authentication material; source code that the company does not own or that is covered by a non-disclosure agreement; CCTV footage, voice recordings, or biometric data.

Sample wording: Data handling for client information

This is where most policies fall over because the authors try to write a single rule that covers all client data. It does not work. The cleaner approach is to define tiers and map tools to tiers. Sample wording:

Client information is classified into three tiers. Tier 1 is publicly available information about the client (their published address, their listed directors, their ABN); this may be used with any approved AI tool. Tier 2 is non-public but non-sensitive client information (meeting notes, project plans, draft scopes of work); this may only be used with AI tools running in the company’s Microsoft 365 tenancy or other approved enterprise tenancies, and only where the client engagement letter does not prohibit it. Tier 3 is confidential or regulated client information (financial records, legal matters, health records, personally identifying details of the client’s customers or staff); this must not be entered into any AI tool without written authorisation from the engagement partner and, where required, the client.

Tool-by-tool guidance: where the data actually goes

The single most useful section of an AI AUP, in our experience, is the per-tool guidance. Staff do not care about abstractions; they care about whether they can use the specific tool that is open on their screen. The honest answer for each major tool depends on which tier you are on, and most staff have no idea what tier their employer is paying for.

ChatGPT

The free and ChatGPT Plus consumer tiers train on user inputs by default unless the user opts out, and they sit outside any contractual arrangement your business has with OpenAI. These tiers should be in the prohibited column for anything beyond Tier 1 client information. ChatGPT Team and ChatGPT Enterprise do not train on business data and offer SAML SSO, audit logs, and data residency commitments. If your business has a Team or Enterprise subscription, ChatGPT can be used for Tier 1 and Tier 2 client data. The policy should state which tier the business holds and forbid use of personal ChatGPT accounts for work purposes.

Microsoft Copilot

This is where most policies get muddled because Microsoft uses the word “Copilot” for at least four different products. Microsoft 365 Copilot, included as a per-user licence on top of a Business Standard or Premium subscription, runs against your Microsoft 365 tenancy, respects your existing SharePoint and OneDrive permissions, and does not train on your data. It is generally safe for Tier 1 and Tier 2 data, with the important caveat that Copilot will surface anything a user has permission to access — so an oversharing problem in SharePoint becomes a Copilot problem the day you turn it on. Copilot Chat (the free tier formerly known as Bing Chat Enterprise) offers commercial data protection but does not access tenancy data. GitHub Copilot is a separate product with its own data handling. Copilot in Windows is a Bing-backed consumer experience and should be treated like consumer ChatGPT.

Claude

Anthropic’s consumer Claude.ai free and Pro tiers do not train on user conversations by default, which puts Claude in a better starting position than consumer ChatGPT, but the consumer terms still apply and the data sits outside any business agreement. Claude for Work (Team and Enterprise) provides the contractual framework, SSO, and admin controls that make it viable for Tier 2 client data. Claude is also available via Amazon Bedrock and Google Cloud, which is the route most regulated Australian businesses take because it keeps data within a known cloud tenancy.

Gemini

Gemini in a personal Google account trains on user data and should be treated as prohibited for anything beyond Tier 1. Gemini for Google Workspace, included with Business and Enterprise Workspace plans, does not train on customer data and respects Workspace permissions in the same way Microsoft 365 Copilot respects SharePoint permissions. Gemini in Google AI Studio with a paid API key has its own data handling terms that need to be read separately. The policy should be explicit that the consumer Gemini at gemini.google.com is a different product from Gemini inside Gmail and Docs at a business domain.

Industry-specific clauses you will need

The base policy works for most professional services businesses. Specific industries need extra clauses, and we add these as numbered addenda rather than rewriting the body of the policy.

Law firms

Solicitors have legal professional privilege obligations that are not negotiable. The addendum should prohibit entering any communication with a client, any document prepared in contemplation of litigation, and any matter file content into any AI tool that is not covered by an enterprise agreement with explicit confidentiality provisions. It should require that any AI-assisted drafting is reviewed by the responsible practitioner before it leaves the firm, and that any use of AI in advice given to the client is disclosed in accordance with the firm’s cost agreement. The Victorian Legal Services Board has not yet mandated AI disclosure, but it has signalled that practitioners remain wholly responsible for AI-assisted work, and firms should not wait for prescriptive guidance before tightening their own rules.

Accountants and bookkeepers

The APES 110 Code of Ethics covers confidentiality of client information without any AI-specific carve-out, which means client financial data going into a consumer AI tool is a Code breach regardless of intent. The addendum should prohibit entering client financial records, BAS data, payroll data, or trust account information into any tool not in the approved enterprise tier. It should also address the AI-generated advice question directly: AI output that materially informs advice given to a client must be reviewed and signed off by a qualified accountant, and the firm’s engagement letters should be updated to disclose the use of AI tools in the engagement.

Healthcare providers

Health information is sensitive information under the Privacy Act and attracts stricter handling. The addendum should prohibit entering any patient-identifying information, clinical notes, imaging, pathology, or Medicare numbers into any AI tool that is not specifically approved for health data — which, in practice, means almost none of the consumer or general-business AI tools qualify. Practices using AI scribing tools (Heidi, Lyrebird, and similar) need to verify the vendor’s data residency, ensure the tool has been assessed against the practice’s privacy obligations, and obtain patient consent in line with RACGP guidance.

How to roll it out without it becoming shelfware

Writing the policy is the easy part. The hard part is getting it adopted, and the failure mode we see most often is a policy that gets emailed to all staff once, signed in a hurry, and never referenced again. The rollout that actually works follows a sequence.

Stakeholder sign-off comes first, and it should involve more people than you think. The owner or managing director signs as the policy sponsor. The person responsible for IT — whether that is an internal IT manager or your managed service provider — signs as the technical owner. Heads of regulated practice areas sign because they will be enforcing the industry addenda. HR signs because policy breaches feed into the disciplinary process. Send a copy to your external auditor or PI broker before publication, because their later approval is much easier than their retrospective objection.

The training session is non-negotiable. A thirty-minute, in-person or video, all-staff session works better than any e-learning module. The session should cover the three or four scenarios staff will actually encounter — drafting an email, summarising a meeting, writing a report — and walk through what is and is not allowed in each. The session should be recorded for new starters and run again, in a different month, for staff who missed it. Sign-on after the training, not before.

Monitoring is where most SMEs hand-wave, and it is also where insurers are increasingly looking. Microsoft 365 and Google Workspace both expose audit logs that show Copilot and Gemini usage, and Defender for Cloud Apps (or its equivalent) can detect personal AI tool usage on managed devices. Endpoint DLP can flag attempts to paste large blocks of text into browser tabs. None of these are perfect; all of them are better than nothing. A quarterly review of the approved tools register, with input from team leaders on what their staff are actually using, catches the drift that always happens between policy and practice.

Breach consequences should be proportionate and documented. We recommend a three-tier framing: a first-time minor breach (using a non-approved tool for low-sensitivity work) results in a refresher conversation and a documented note. A repeat or moderate breach (entering Tier 2 data into a consumer tool, or ignoring the approved tools register after training) results in a formal warning and remedial training. A serious breach (entering Tier 3 data, or any breach involving client personal information) triggers the data breach response process, an incident review, and the disciplinary procedures set out in the staff handbook. The point of writing this down is so the response to a breach is predictable rather than political.

Aligning the policy with broader security frameworks is the step most SMEs skip and most insurers are starting to ask about. Our policies are Essential Eight aligned because that is the baseline the Australian Cyber Security Centre expects of Australian SMEs, and because the application control and user application hardening strategies map directly to the question of which AI tools staff can run. For clients pursuing ISO 27001 certification, the AI AUP slots into the Annex A control set under information security policies and acceptable use. For clients moving toward zero trust, the per-tool tenancy rules in the AI AUP are an expression of the same conditional access principle.

A worked example: rolling out the policy at a Box Hill professional services firm

A forty-seat professional services firm in Box Hill — a mix of consulting and accounting work — engaged us last spring to write and roll out their AI AUP. The starting position was familiar: the principals knew staff were using ChatGPT, had no idea what data was going into it, and had just received a renewal questionnaire from their PI insurer with an AI governance section.

Week one was discovery. We ran a short survey, anonymous, asking staff which AI tools they used at work and for what tasks. Eighty per cent of staff used ChatGPT; about half used the personal Plus tier; one team had standardised on Claude. Nobody used Copilot, despite the firm holding Microsoft 365 Business Premium licences that included Copilot Chat. The discovery surfaced two specific risks: confidential client correspondence being summarised in consumer ChatGPT, and the firm’s internal financial reports being pasted into Claude for variance commentary.

Week two was the policy draft. We started from our template, customised the tools register for the firm’s environment (Microsoft 365, Xero, a practice management system), and added the accounting industry addendum. A working session with the principals and practice manager surfaced three changes: a carve-out for AI use in business development, a stricter rule on AI-generated client deliverables, and a thirty-day transition clause to move off personal AI accounts.

Week three was the rollout. A forty-five minute all-staff session walked through the policy with three worked scenarios. Microsoft 365 Copilot was enabled for a pilot group, and the firm subscribed to ChatGPT Team for the consultants who needed it. Signed acknowledgements were collected through the firm’s HR system.

The first quarterly review, ninety days in, found that two staff had requested additional tools (one approved, one not), one minor breach had occurred and been handled through a refresher conversation, and Copilot adoption had reached seventy per cent of licensed users. The renewal questionnaire was answered honestly, and the broker confirmed the policy met the insurer’s expectations. The principals would tell you the value was less in the document itself and more in the conversation the rollout forced — shadow IT became part of the supported environment, and they got visibility into how the firm was actually working.

What to do this week if you do not have a policy yet

If your business is in the Melbourne CBD, Camberwell, Dandenong, Richmond, or anywhere else in greater Melbourne, and you do not have an AI acceptable use policy, the practical next steps are straightforward. Run an anonymous staff survey to find out what AI tools are actually being used. Audit your existing Microsoft 365 or Google Workspace licences to find out what AI features you are already paying for. Identify the three to five regulated obligations specific to your industry (privacy, professional standards, sector-specific rules) that the policy needs to address. Draft the policy or have it drafted, run a training session, and put a quarterly review in your calendar.

TechAssist has been doing this work for Melbourne SMEs since we started the firm in 2014. We run a thirteen-engineer team out of our offices in Tecoma and the Melbourne CBD at 575 Bourke Street, with our 24/7 network operations centre in Tecoma. Our cybersecurity services include AI governance work as a defined engagement, and our broader managed IT services sit underneath it for clients who want the policy enforcement to be technically backed by their managed environment. We work with construction firms, law practices, accounting partnerships, healthcare clinics, schools, manufacturers, and logistics businesses across Melbourne, and the AI AUP looks different in each of those industries — which is part of the work.

If you want a starting point, the Privacy Act guidance for Australian SMBs is a useful companion read because the AI AUP sits on top of the Privacy Act compliance posture. If you have an internal IT lead and want help on the governance side without handing over the day-to-day, our co-managed IT support arrangement is the right shape. If you want a conversation about where to start, get in touch and we will book a thirty-minute call with one of our senior engineers.

Frequently Asked Questions

Is an AI acceptable use policy legally required in Australia?

There is no specific Australian law that mandates an AI AUP by name. However, the Privacy Act, the OAIC’s generative AI guidance, professional standards in regulated industries (legal, accounting, medical), and increasingly the terms of professional indemnity and cyber insurance policies all create a practical requirement. If you handle personal information and you do not have a documented position on AI tool usage, you are exposed under the existing legal framework.

How long should an AI acceptable use policy be?

Eight to twelve pages is the sweet spot for an SME. Shorter than that and you cannot cover the per-tool guidance and industry addenda that make the policy useful. Longer than that and staff stop reading. The approved tools register and industry addenda are the sections that should grow over time; the body of the policy should stay stable.

Can we just use a generic AI AUP template from the internet?

You can start with one, but you will need to do real customisation work. Generic templates do not know which AI licences you actually hold, which industry you are in, what your data classification scheme looks like, or how your disciplinary process works. The cost of poor customisation is a policy that does not match your environment, which makes enforcement impossible and gives staff a reason to ignore it.

How often should the policy be reviewed?

The body of the policy should be reviewed annually. The approved tools register should be reviewed quarterly, because the AI tool landscape moves fast enough that a six-month-old tools register is already out of date. We bake the quarterly review into our managed services engagements so it does not get forgotten.

What if a staff member breaches the policy?

The policy itself should set out a tiered response: a documented conversation and refresher training for a first-time minor breach, a formal warning for a repeat or moderate breach, and the data breach response process plus disciplinary procedures for a serious breach involving client or personal information. The point is to make the response predictable and proportionate, so that the first breach does not become a political event.

Does the policy cover AI features built into tools we already use?

It should. AI features built into Microsoft 365, Google Workspace, Adobe products, Zoom, Teams, Atlassian tools, and any other SaaS your business uses are all in scope. The approved tools register should list them explicitly, including which features are enabled and which are turned off at the tenancy level. The default position should be that an AI feature is prohibited until it has been assessed and added to the register.

Should we tell our clients we use AI in our work?

For most professional services engagements, yes. The cleanest approach is to update your engagement letters with a short clause disclosing that the firm uses approved AI tools to assist with work, that human review remains with the qualified practitioner, and that no client confidential information is entered into any AI tool that does not meet the firm’s data handling standards. Several professional standards bodies are moving toward this disclosure as an expectation, and it is easier to lead than to be caught out.

Accounting firms in Melbourne hold a richer concentration of attack-worthy data than most law firms or medical practices: TFNs, bank details, payroll files, BAS lodgement credentials, trust account balances, and SMSF records. The real threats are business email compromise during EOFY, ransomware on practice management servers, and departing staff exporting client lists. None of these are theoretical.

This is a security-focused post. If you want the broader operational picture, see our guide on IT support for Melbourne accounting firms. Here we’re staying in the security lane: the controls that actually matter, the regulators that actually audit, and the insurers that actually pay out.

What accounting firm data security actually means in 2026

The phrase gets thrown around loosely. For a Melbourne accounting firm with 5 to 50 staff, accounting firm data security is the set of technical and procedural controls that protect three asset categories: client financial records (tax returns, BAS, financial statements), authentication credentials to lodgement and banking platforms (myGovID, ATO Online Services for Agents, Xero, MYOB, bank portals), and trust account ledger data where applicable.

Three regulators care about how you handle this. The OAIC enforces the Privacy Act and the Australian Privacy Principles (APPs), with mandatory data breach notification under the Notifiable Data Breaches scheme. The Tax Practitioners Board (TPB) sets the Code of Professional Conduct, which includes obligations around confidentiality, conflict management, and reasonable care of client records. The ATO sets technical requirements for Online Services for Agents access, including a hard MFA requirement and operational security controls. If you handle SMSF audits or AFSL-adjacent work, ASIC and APRA obligations layer on top. AML/CTF accountants (tax agents providing designated services) sit under AUSTRAC.

The point: data security is not optional and it’s not just “an IT thing”. It’s a partnership-level risk that determines whether the firm keeps its registration, its PI insurance, and its clients.

Trust account protection: separation of duties at the IT level

Where firms hold trust money (commonly auditors, insolvency practitioners, and some tax practitioners with statutory deposits), the IT controls around the trust account need to mirror the financial controls. This is where most firms slip up. The bookkeeper has the trust account password saved in their browser, the principal “needs” override access, and there’s no audit trail when transfers happen out of hours.

What proper IT-level separation of duties looks like:

  • Dedicated identities for trust account access. Not a shared “office@” login. Each authorised person has their own credential.
  • Hardware-backed MFA on those identities. SMS codes are not sufficient for trust account roles. We deploy authenticator apps or FIDO2 keys.
  • Conditional access policies that restrict trust account portals to managed devices on Australian IP ranges. Travelling staff get a documented exception process, not a permanent bypass.
  • Privileged Access Management (PAM) so that the principal’s elevated access requires a second approver and is logged. This is an Essential Eight maturity-level-two control and it stops the most common trust account fraud vector: a single compromised principal account.
  • Immutable audit logging retained for seven years to align with TPB record-keeping requirements. Logs sitting on the same server as the data are not audit logs; they’re evidence the attacker will delete.

A Hawthorn accounting firm we onboarded last financial year had a single Office 365 account being used by three partners for trust correspondence. There was no MFA on it because “the partners share the phone code anyway”. Within two months of remediation we’d split it into three identities, deployed conditional access, and pushed audit logs into a separate tenant. Three weeks after that, one of the partner accounts had a credential-stuffing attempt from Eastern Europe. It was blocked at the conditional access policy and we had the full sign-in log to give to their cyber insurer.

Client data classification: not all client data is equal

One of the most useful exercises we run with new accounting firm clients is a data classification workshop. Most firms treat everything the same, which means either everything gets expensive top-tier protection (wasteful), or sensitive data gets the same controls as the office lunch roster (negligent).

A workable three-tier model:

| Tier | Examples | Required controls | Retention |
|---|---|---|---|
| Tier 1 — Highly sensitive | TFNs, bank credentials, SMSF documents, trust ledger, signed financial statements | Encryption at rest and in transit, MFA-gated access, DLP egress controls, full audit logging, restricted-share-only | 5–7 years per ATO/TPB rules |
| Tier 2 — Client confidential | Working papers, draft returns, engagement letters, correspondence | Encryption at rest, MFA, role-based access, standard audit logging | 5–7 years |
| Tier 3 — Internal/admin | Internal policies, marketing material, supplier invoices | Standard access controls, backup | Per business need |

Once classification is in place, the security tooling actually has something to enforce. Microsoft Purview Information Protection (or equivalent) can auto-label documents containing TFNs as Tier 1 and block them from being emailed to external addresses. Without classification, DLP rules are guesswork.
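
What "auto-label documents containing TFNs" involves under the hood, as an added example that is not the post's own code and not Purview's implementation: a pattern match plus the ATO weighted modulus-11 check digit, so that arbitrary nine-digit numbers do not trip the rule. The sample documents, keyword heuristic for Tier 2 and internal domain are constructed for the demonstration.

```python
"""Classify a document into the three tiers above and decide whether it may leave the tenancy.

Added example, not the post's or Microsoft Purview's code. The TFN check digit
algorithm is the ATO's published weighted modulus-11 check; the tier keywords,
sample text and domain are constructed for this demonstration.
"""
import re

# ATO weights for the nine TFN digits; the weighted sum must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Nine digits, optionally grouped 3-3-3 with spaces or hyphens, not embedded in a longer number
# (so a 10-digit mobile number is not a candidate).
TFN_PATTERN = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")

# Constructed keyword heuristic for Tier 2 (client working material without Tier 1 identifiers).
TIER2_KEYWORDS = re.compile(r"\b(engagement letter|working papers|draft return)\b", re.IGNORECASE)


def tfn_checksum_ok(digits):
    """True when the nine-digit string passes the ATO check digit."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def find_tfns(text):
    """Every nine-digit candidate in the text that passes the check digit, as plain digits."""
    found = []
    for match in TFN_PATTERN.finditer(text):
        digits = "".join(match.groups())
        if tfn_checksum_ok(digits):
            found.append(digits)
    return found


def classify(text):
    """Map a document to Tier 1 (valid TFN present), Tier 2 (client working material) or Tier 3."""
    if find_tfns(text):
        return "Tier 1"
    if TIER2_KEYWORDS.search(text):
        return "Tier 2"
    return "Tier 3"


def egress_decision(text, recipient, internal_domain="example.com.au"):
    """Mirror the DLP egress rule: Tier 1 content may not be emailed to an external address."""
    external = not recipient.lower().endswith("@" + internal_domain.lower())
    if classify(text) == "Tier 1" and external:
        return "block"
    return "allow"


if __name__ == "__main__":
    # Constructed sample documents; 123 456 782 is a number that passes the check digit.
    docs = [
        "Client: J Smith, TFN 123 456 782, engagement letter attached.",
        "Working papers for FY25, reference number 123456789 (not a valid TFN).",
        "Office lunch roster for March.",
    ]
    for doc in docs:
        print(classify(doc), "->", egress_decision(doc, "client@outside.example"), "|", doc)
```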

Business Email Compromise: the EOFY scenario

BEC is the dominant fraud threat against Melbourne accounting firms. Not ransomware. Not data theft for sale. Plain old “trick the bookkeeper into changing the bank account number on a supplier payment” fraud, weaponised around tax time when everyone is busy and inboxes are flooded.

The classic EOFY scenario: it’s late June, a senior accountant is finalising a client’s return. An email lands purporting to be from the client, sent from a lookalike domain (the legitimate domain is client-co.com.au, the fake is clientco-com.au). The email says “we’ve changed our bank for the refund — here’s the new account”. The accountant updates the ATO refund nomination. The refund — sometimes $40,000, sometimes $400,000 — lands in the fraudster’s account.

The other variant: the firm itself gets compromised. An attacker phishes a junior accountant, sits in their inbox for two weeks reading client conversations, then sends invoices for “outstanding fees” to clients from the legitimate firm address with the firm’s logo and the partner’s email signature. Clients pay. By the time anyone notices, the money is gone and the firm’s reputation is on the line.

Controls that actually stop this:

  • DMARC at policy p=reject. Stops mail that forges your own domain from being delivered (lookalike domains are a separate problem, covered by the verification controls below). Most accounting firms we audit are still on p=none or have no DMARC record at all.
  • External email banners with prominent visual warning. Cheap. Works.
  • Mailbox audit logging turned on. Default in newer M365 tenants but not always enabled in older ones. Without it you cannot determine breach scope when the OAIC asks.
  • Inbox rule monitoring. Attackers create rules to auto-delete or forward security alerts. Alerting on new rule creation catches this within minutes.
  • Out-of-band verification for any bank account change. Written policy: bank detail changes require a phone call to a known number, never the number in the email.
  • Impossible-travel and risky-sign-in detection. If a Hawthorn-based accountant signs in from Lagos at 3am, the session should be blocked, not just flagged.

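The lookalike-domain half of the EOFY scenario above (client-co.com.au versus clientco-com.au) is something a mail filter or a triage script can catch before the accountant has to. As an added example, not part of the original post: the client domain list and the message headers are constructed, and the glyph-swap table and similarity threshold are assumptions.

```python
"""Flag inbound mail whose sender domain resembles a known client domain but is not it.

Added example, not from the original post. The known-client list, the glyph
swaps and the 0.9 similarity threshold are constructed assumptions; tune them
against your own client list before relying on the verdicts.
"""
import re
from difflib import SequenceMatcher

# Constructed allow-list of domains the firm actually corresponds with.
KNOWN_CLIENT_DOMAINS = {"client-co.com.au", "smithpartners.com.au"}

# Characters a lookalike registration commonly substitutes for letters (assumed table).
GLYPH_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def sender_domain(from_header):
    """Extract the domain from a From: header such as 'Accounts <accounts@clientco-com.au>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else ""


def skeleton(domain):
    """Collapse the features a lookalike plays with: hyphens, dot placement and digit-for-letter swaps."""
    return re.sub(r"[^a-z0-9]", "", domain.lower()).translate(GLYPH_SWAPS)


def lookalike_verdict(from_header, known=KNOWN_CLIENT_DOMAINS, threshold=0.9):
    """Return (verdict, matched_domain) where verdict is 'known', 'lookalike' or 'unrelated'."""
    domain = sender_domain(from_header)
    if domain in known:
        return ("known", domain)
    sk = skeleton(domain)
    for candidate in sorted(known):
        ck = skeleton(candidate)
        if sk == ck or SequenceMatcher(None, sk, ck).ratio() >= threshold:
            return ("lookalike", candidate)
    return ("unrelated", "")


if __name__ == "__main__":
    # Constructed sample headers: the genuine client, the hyphen-shifted fake, a digit swap, and an unrelated sender.
    for header in [
        "Jane <jane@client-co.com.au>",
        "Accounts <accounts@clientco-com.au>",
        "Accounts <accounts@client-c0.com.au>",
        "ATO <noreply@ato.gov.au>",
    ]:
        print(lookalike_verdict(header), "<-", header)
```

A "lookalike" verdict is the trigger for the out-of-band verification step in the list above, not a reason to auto-delete the message.
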
For a deeper look at our broader posture, see our cybersecurity services for Melbourne businesses.

Xero, MYOB and QuickBooks integration security

Accounting software is the single most concentrated point of value in the firm. A compromised Xero Practice Manager session gives an attacker access to potentially hundreds of client files, bank feed credentials, and payroll data. Most firms underprotect this.

| Platform | Minimum security baseline | Recommended uplift |
| --- | --- | --- |
| Xero Practice Manager / Xero HQ | MFA on every user, individual logins (no sharing), removed-staff offboarding within 24 hours | SSO via Microsoft Entra ID, conditional access, session timeout reduction, login alerts to security inbox |
| MYOB AccountRight / MYOB Practice | MFA enforced, role-based permissions reviewed quarterly | SSO integration, IP allow-listing where supported, regular audit log review |
| QuickBooks Online Accountant | MFA on master admin and all team members, no client-shared logins | Intuit SSO, custom user roles, integration audit (third-party app review) |
| ATO Online Services for Agents | myGovID Standard or Strong identity strength, RAM permissions reviewed | Strong identity strength for all client-impacting operations, RAM authorisations reviewed quarterly, offboarding procedure for departing staff |

Two specific issues we see constantly: third-party app sprawl in Xero (every tool a previous staffer integrated still has API access years later), and ATO RAM permissions never being revoked when staff leave. The RAM one is particularly dangerous because a former employee with active RAM authorisation can still lodge BAS or update bank details on behalf of the firm’s clients.

Secure document portals for engagement letters and signed financials

Emailing signed engagement letters and PDF financial statements is still the default at most Melbourne firms. It shouldn’t be. The risks: email-in-transit interception is rare but possible; mailboxes are persistent attack targets, so signed docs sitting in Sent Items for years are loot for any future breach; and there’s no audit trail of who actually opened the document.

A proper secure portal (FuseDocs, Suralink, FYI Docs, Annature for signing, or Microsoft SharePoint with sensitivity labels) provides:

  • Encrypted upload and download with per-client access control
  • Audit trail showing who opened what and when
  • Document expiry — links don’t live forever
  • MFA on client access (not always implemented by default, ask)
  • Watermarking for sensitive financial statements

The compliance angle: if a client engagement letter is breached via your unsecured email channel, the OAIC will ask why you didn’t use available technical controls. “It’s how we’ve always done it” is not a defensible answer under APP 11.

Backup strategy: 3-2-1-1-0 for accounting data

Backup for accounting firms isn’t about RTO bragging rights. It’s about whether you can restore a client’s 2024 working papers when the ATO audits them in 2028, and whether you can do that after a ransomware event without paying. We won’t repeat the whole rule here — read our detailed breakdown in why the 3-2-1 backup rule is not enough in 2026.

What’s specific to accounting firms:

  • Practice management database backups need to capture the full database, not just user documents. APS, CCH iFirm, Xero Practice Manager (where applicable), HandiSoft — each has its own backup procedure and most need scheduled exports beyond what the vendor provides by default.
  • Workpaper retention beyond active client period. A client who leaves in 2026 still needs their 2024–25 records retained until at least 2030 for ATO purposes. That data must be on backup, not just on the departed-clients folder of a single fileserver.
  • Immutable backups — the “1” in 3-2-1-1-0. Ransomware variants in 2025 routinely targeted backup repositories first. Immutability prevents the attacker from deleting your last lifeline.
  • Tested restores — the “0” errors. We test client restores quarterly for accounting clients. The number of firms that discover their backups have been silently failing for six months is depressing.

For backup and recovery specifically, see our data backup and recovery service page.

Insider threat: departing staff with client data

This is the one nobody wants to talk about. The single most common data loss event at an accounting firm isn’t a hacker — it’s an accountant taking client contact details, working papers, or template documents on their way out the door, often to a competing firm or to set up their own practice.

The controls:

  • USB and removable media controls via endpoint policy. Disabled by default, with documented exception process.
  • Cloud egress controls — blocking personal OneDrive, Dropbox, Google Drive sign-in from work devices. Microsoft Defender for Cloud Apps does this well.
  • Email auto-forwarding rules disabled at tenant level and alerted on creation.
  • Print logging — yes, this still matters. Accountants print client lists.
  • Formal offboarding checklist — credentials revoked same day, RAM permissions removed, Xero access removed, mobile devices wiped, signed declaration that no firm data is retained.
  • UEBA (User and Entity Behaviour Analytics) — detecting unusual download volumes by users in their final two weeks. We’ve caught two departing senior accountants this way in the past 18 months.
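
The third-party app sprawl and lingering RAM authorisations described in the Xero section, and the offboarding checklist above, come down to the same reconciliation: a leaver list on one side, per-system access exports on the other, and a report of everything that should already be gone. The script below is an added example, not TechAssist's tooling. The CSV column names are assumptions standing in for whatever your Microsoft Entra ID, Xero and ATO Relationship Authorisation Manager (RAM) exports actually contain; the staff, app names and dates are constructed. The 24-hour revocation window is the one this page sets.

```python
"""Reconcile departed staff against per-system access exports.

Added example, not TechAssist's tooling. The CSV column names are assumptions
standing in for whatever your exports from Microsoft Entra ID, Xero and the ATO's
Relationship Authorisation Manager (RAM) actually contain; map your columns onto
these before use. The 24-hour offboarding window is the one this page sets.
"""
import csv
import io
from datetime import date, datetime, timedelta

OFFBOARD_WINDOW = timedelta(days=1)   # revoke within 24 hours of the last day
STALE_APP_DAYS = 365                  # a connected app unused this long is sprawl

# Constructed sample exports (people, addresses and app names are hypothetical).
LEAVERS_CSV = """email,full_name,last_day
a.nguyen@example-accounting.com.au,Anh Nguyen,2026-03-31
p.walsh@example-accounting.com.au,Priya Walsh,2026-04-10
"""
M365_USERS_CSV = """user_principal_name,account_enabled
a.nguyen@example-accounting.com.au,True
p.walsh@example-accounting.com.au,False
j.doe@example-accounting.com.au,True
"""
XERO_USERS_CSV = """email,role
a.nguyen@example-accounting.com.au,Adviser
j.doe@example-accounting.com.au,Adviser
"""
XERO_APPS_CSV = """app_name,authorised_by,last_used
ReceiptSnap (hypothetical),a.nguyen@example-accounting.com.au,2024-11-02
BankFeed Sync (hypothetical),j.doe@example-accounting.com.au,2026-04-14
OldTimesheets (hypothetical),j.doe@example-accounting.com.au,2024-01-05
"""
# RAM identifies people by name (via myGovID), not by the firm's email address.
RAM_AUTHS_CSV = """authorised_person,since
Anh Nguyen,2022-01-15
Priya Walsh,2023-06-01
Jane Doe,2021-02-10
"""


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").date()

def _norm(name):
    return " ".join(name.lower().split())


def reconcile(leavers, m365_users, xero_users, xero_apps, ram_auths, today):
    """Return one finding per access right that should already have been removed."""
    by_email = {r["email"].lower(): r for r in leavers}
    by_name = {_norm(r["full_name"]): r for r in leavers}
    findings = []

    def overdue(leaver):
        deadline = _day(leaver["last_day"]) + OFFBOARD_WINDOW
        return max((today - deadline).days, 0)

    def flag(system, leaver, issue):
        findings.append({"system": system, "subject": leaver["email"],
                         "issue": issue, "days_overdue": overdue(leaver)})

    for u in m365_users:
        leaver = by_email.get(u["user_principal_name"].lower())
        if leaver and u["account_enabled"].strip().lower() == "true":
            flag("Microsoft 365", leaver, "account still enabled")
    for u in xero_users:
        leaver = by_email.get(u["email"].lower())
        if leaver:
            flag("Xero", leaver, f"still has practice access as {u['role']}")
    for a in xero_apps:
        leaver = by_email.get(a["authorised_by"].lower())
        idle = (today - _day(a["last_used"])).days
        if leaver:
            flag("Xero connected app", leaver, f"{a['app_name']} authorised by departed staff")
        elif idle > STALE_APP_DAYS:
            findings.append({"system": "Xero connected app", "subject": a["app_name"],
                             "issue": f"unused for {idle} days",
                             "days_overdue": idle - STALE_APP_DAYS})
    for r in ram_auths:
        leaver = by_name.get(_norm(r["authorised_person"]))
        if leaver:
            flag("ATO RAM", leaver, "authorisation still active (can lodge on clients' behalf)")
    return sorted(findings, key=lambda f: -f["days_overdue"])


def run_reconciliation(today=date(2026, 4, 15)):
    """Run the reconciliation over the constructed exports as at a fixed date."""
    return reconcile(_rows(LEAVERS_CSV), _rows(M365_USERS_CSV), _rows(XERO_USERS_CSV),
                     _rows(XERO_APPS_CSV), _rows(RAM_AUTHS_CSV), today)


if __name__ == "__main__":
    for f in run_reconciliation():
        print(f"{f['days_overdue']:4d}d  {f['system']:<20} {f['subject']:<40} {f['issue']}")
```

The RAM match is by normalised name because that is the only identifier the two lists share; treat a name match as a prompt to check, not proof, and keep a hand-maintained mapping for staff whose myGovID name differs from their HR record. Scheduled weekly, the same report is the evidence that your offboarding checklist is actually being followed.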

Essential Eight non-negotiables for accounting firms

The Essential Eight is the ASD/ACSC’s mitigation strategy framework. For accounting firms, we treat Maturity Level One as table stakes and push toward Maturity Level Two for firms with trust account or SMSF audit exposure. Full breakdown on our Essential Eight compliance page.

| Essential Eight control | Accounting firm priority | Common gap |
| --- | --- | --- |
| Application control | High — stops ransomware execution | Not deployed; relying on AV alone |
| Patch applications | High — practice software is a top target | APS, CCH and HandiSoft updates deferred for “stability” |
| Configure Microsoft Office macro settings | High — spreadsheet macros are an active attack vector | Macros enabled tenant-wide for “convenience” |
| User application hardening | Medium — reduces browser-based attack surface | Java, Flash legacy plugins still installed |
| Restrict administrative privileges | Critical — principals running as local admin is the norm | Daily-use accounts have admin rights |
| Patch operating systems | High | Windows 10 machines past EOL still in use |
| Multi-factor authentication | Critical — every system, every user | MFA on M365 only, not on Xero/MYOB/banking |
| Regular backups | Critical — see backup section above | Untested restores, no immutability |

You can self-assess to Maturity Level One in a workshop. Maturity Level Two requires technical configuration that most firms don’t have in-house. We help firms close the gap as part of our security and compliance service.

Cyber insurance requirements: what your insurer actually checks

Cyber insurance renewal questionnaires in 2026 are not the box-ticking exercise they were in 2021. Insurers now require evidence — not attestation — for the controls that drive their loss ratios. If you sign the questionnaire claiming you have MFA on all admin accounts and you don’t, you’ve given the insurer grounds to decline the claim. We’ve seen it happen.

What every Australian cyber insurance application we’ve seen in the last 12 months requires:

  • MFA evidence — screenshots of MFA enforcement policy, list of accounts covered, exception register
  • EDR/endpoint security — name of product, coverage percentage, last quarterly review
  • Backup proof — last successful restore test date, immutability configuration, offsite copy verification
  • Email security — DMARC policy state, anti-phishing platform, user training cadence
  • Privileged access — separation of admin accounts, no shared credentials, just-in-time elevation
  • Incident response — documented IR plan, named IR provider on retainer, tabletop exercise within last 12 months
  • Vulnerability management — patch cadence, vulnerability scanning evidence

Firms that can’t demonstrate these are either declined or quoted with sub-limits that make the policy near-useless for ransomware (e.g., $50,000 sub-limit on a $5m policy). For accounting firms that means ransomware recovery comes out of partnership cash.
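
The “DMARC policy state” line in the evidence list, like the p=reject control in the BEC section, is a question with a precise answer, and the traps (a pct= below 100, a weaker sp= for subdomains, a record that doesn’t start with v=DMARC1 and is therefore ignored) are exactly what an insurer’s reviewer will look for. The evaluator below is an added example, not TechAssist code: it classifies raw _dmarc TXT records into an enforcement status and the notes a reviewer would raise. It runs offline on record strings; the domains and records are constructed, and in practice you would feed it the result of a TXT lookup on _dmarc.<domain> for every domain the firm sends from.

```python
"""Classify DMARC records into the enforcement state an insurer asks about.

Added example, not TechAssist code. Works on raw TXT record strings so it runs
offline; feed it the TXT lookup result for _dmarc.<domain>. Domains and records
below are constructed.
"""
from typing import Optional

STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Optional[dict]:
    """Return the tag dict for a syntactically usable record, else None."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    # RFC 7489: v=DMARC1 must be the first tag, p= is mandatory and must be a known value.
    first = record.split(";", 1)[0].strip().lower().replace(" ", "")
    if first != "v=dmarc1" or tags.get("p", "").lower() not in STRENGTH:
        return None
    return tags


def evaluate_dmarc(domain: str, record: Optional[str]) -> dict:
    """Classify enforcement state and list the notes a reviewer would raise."""
    result = {"domain": domain, "policy": None, "subdomain_policy": None,
              "pct": None, "reporting": False, "status": "no record", "notes": []}
    if record is None:
        result["notes"].append("no _dmarc TXT record: receivers apply no policy to spoofed mail")
        return result
    tags = parse_dmarc(record)
    if tags is None:
        result["status"] = "invalid record"
        result["notes"].append("record does not start with v=DMARC1 or has no valid p=; receivers ignore it")
        return result

    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()          # subdomains inherit p= unless sp= is set
    if sp not in STRENGTH:
        result["notes"].append(f"sp={sp} is not a valid policy; treated as p={p}")
        sp = p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        result["notes"].append("pct= is not a number; treated as 100")
    result.update(policy=p, subdomain_policy=sp, pct=pct, reporting="rua" in tags)

    if p == "reject" and sp == "reject" and pct == 100:
        result["status"] = "enforced"
    elif p in ("reject", "quarantine"):
        result["status"] = "partially enforced"
    else:
        result["status"] = "monitoring only"

    if p != "reject":
        outcome = "quarantined" if p == "quarantine" else "delivered"
        result["notes"].append(f"p={p}: mail failing DMARC is {outcome}, not rejected")
    if pct < 100:
        result["notes"].append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if STRENGTH[sp] < STRENGTH[p]:
        result["notes"].append(f"sp={sp} is weaker than p={p}: subdomains get the weaker policy")
    if not result["reporting"]:
        result["notes"].append("no rua= address: no aggregate reports showing who sends as this domain")
    return result


def evidence_table(records: dict) -> list:
    """One evaluation per domain, in the order given, for the insurance evidence pack."""
    return [evaluate_dmarc(domain, rec) for domain, rec in records.items()]


# Constructed sample: one correct record, one half-finished rollout, one monitoring-only,
# one missing record and one that receivers will ignore because v= is not first.
SAMPLE_RECORDS = {
    "example-accounting.com.au": "v=DMARC1; p=reject; rua=mailto:dmarc@example-accounting.com.au; adkim=s; aspf=s",
    "example-accounting.net.au": "v=DMARC1; p=reject; pct=25; sp=none",
    "legacy-brand.example": "v=DMARC1; p=none; rua=mailto:dmarc@example-accounting.com.au",
    "parked-brand.example": None,
    "typo.example": "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for row in evidence_table(SAMPLE_RECORDS):
        print(f"{row['domain']:<28} {row['status']:<20} " + " | ".join(row["notes"]))
```

Only the first domain would pass as “DMARC at p=reject” on a questionnaire; the second is the common half-finished rollout where p=reject was set but pct=25 and sp=none quietly leave most spoofed mail, and all subdomain mail, unaffected. Include parked and legacy domains in the list: a domain that sends no mail still needs a p=reject record, otherwise it is the easiest one to spoof.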

How TechAssist works with Melbourne accounting firms

We’re a Melbourne MSP with 13 Australian-employed engineers, a 24/7 NOC, sub-15-minute response on critical-severity tickets, and Essential Eight-aligned standard builds. We’re ISO 27001 capable, which matters when your professional indemnity insurer or your largest audit clients ask about your supply chain. We work with accounting practices from Hawthorn, Camberwell, Box Hill, South Yarra and across metro Melbourne.

For accounting firms specifically, our standard onboarding includes a security baseline assessment against Essential Eight, MFA rollout across every business-critical system (not just M365), backup architecture review against the 3-2-1-1-0 standard, and a documented cyber insurance evidence pack so renewal is straightforward rather than terrifying.

FAQ

Do we need ISO 27001 certification as an accounting firm?

Almost certainly not — and the cost of full certification (typically $40,000 to $80,000 over two years for a firm your size) is rarely justified unless you’re servicing ASX-listed audit clients or government work that mandates it. What you do need is the substance of an Information Security Management System: documented policies, risk register, access reviews, incident response plan, supplier risk assessments. We deliver that without the certification overhead for most accounting clients. If a tender or major client actually requires ISO 27001, we’ll get you there; otherwise, the Essential Eight at Maturity Level Two delivers more practical security per dollar.

Is MFA enough?

No. MFA is necessary, not sufficient. MFA stops the majority of credential-based attacks but does nothing about endpoint compromise, malicious insider activity, attacker-in-the-middle phishing (which relays the whole login and so bypasses any MFA that is not phishing-resistant), or ransomware delivered via supply chain. Treat MFA as the foundation and build EDR, application control, backup immutability, and email authentication (DMARC) on top. For high-risk roles like principals and trust account signatories, move to phishing-resistant MFA — FIDO2 hardware keys or platform passkeys.

What does our cyber insurer actually require?

Each insurer differs, but the consistent minimum is: MFA on all remote access and admin accounts, EDR (not just AV) on all endpoints, immutable or air-gapped backups with documented restore tests, DMARC and email filtering, a written incident response plan, and security awareness training at least annually. The insurer will ask for evidence at renewal and after any claim. Firms that produced evidence pre-incident settled claims significantly faster than firms that scrambled to assemble it post-incident — and several firms in the past two years had claims declined because their stated controls didn’t match reality.

How long should we retain client data after the engagement ends?

The minimum is generally five years from the date the relevant transaction or act was completed, per ATO record-keeping rules, but TPB obligations and Limitations of Actions Act considerations often push this to seven years. For SMSF and audit work, retention can be longer. The IT implication is that “departed client” data still needs to be on protected, backed-up storage — not a USB drive in the partner’s bottom drawer.

What’s the single biggest security gap you see at Melbourne accounting firms?

Shared logins. A senior partner’s M365 credentials shared with two other staff “for convenience”. Trust account portal credentials in a shared password manager folder. ATO Online Services accessed via a colleague’s myGovID because their own setup is “still being sorted”. This is the gap that causes the most regulatory pain when a breach occurs, because you cannot prove who did what. Individual identities with MFA, full audit logging, and a real offboarding process fix it.

Next steps

If you’re a partner or principal at a Melbourne accounting firm and you want a frank assessment of where your security sits against Essential Eight, TPB expectations, and current cyber insurance requirements, get in touch via our contact page. The first conversation is a security posture review — no obligation, no sales pitch dressed as a free audit. We tell you what’s actually exposed and what to fix first.
