Cyber Risk: The Risk Most Organisations Assume Is Under Control

From the Desk of AUCyber’s General Counsel:

Most organisations do not intentionally ignore cyber risk.

What we see more often is something quieter: assumption.

Assumption that:

  • systems are configured correctly
  • visibility exists across the environment
  • monitoring is happening consistently
  • someone would know if suspicious activity occurred

That assumption is where exposure grows.

Because in many cases, the issue is not whether security tools exist.

It is whether organisations can confidently demonstrate:

  • oversight
  • visibility
  • governance
  • ongoing review

From a legal and accountability perspective, that distinction matters.

Cyber risk is no longer just a technical issue

Cybersecurity discussions often focus on attacks, ransomware, or emerging threats.

But from a governance perspective, the issue is broader than technology.

Cyber risk now directly affects:

  • operational continuity
  • customer trust
  • contractual obligations
  • leadership accountability
  • organisational resilience

Which means the standard organisations are increasingly being measured against is not:

“Did an incident occur?”

It is:

“Could the organisation demonstrate that risks were being actively identified, reviewed, and managed?”

The problem with perceived security

One of the most common themes across modern environments is perceived security.

Organisations often believe they are secure because:

  • controls have been implemented
  • platforms have been deployed
  • policies exist
  • protections were configured previously

But cyber risk does not remain static.

Environments evolve. Access expands. Infrastructure changes. Users behave differently over time.

Without ongoing visibility and review, organisations can quickly move from controlled environments to assumed security without recognising the shift.

That gap between assumption and validation is where many incidents begin.

Visibility is now a governance issue

Visibility is no longer simply an operational concern for technical teams.

It is a governance issue.

Because organisations cannot effectively manage:

  • access
  • activity
  • exposure
  • accountability

if they cannot clearly see what is happening within their environment.

Across many environments, common gaps include:

  • limited visibility across Microsoft 365 environments
  • endpoint activity that is not actively monitored
  • infrastructure and connectivity that have not been reviewed recently
  • infrastructure environments left unchanged over extended periods
  • controls that exist on paper but are not validated operationally

These are not uncommon failures.

They are normal patterns across otherwise capable organisations.

Which is precisely why regular assessment and review matter.

Why “we thought we were covered” is becoming a risk

Following cyber incidents, one of the most common responses organisations provide is:

“We believed the environment was secure.”

In many cases, that belief is genuine.

However, modern risk expectations increasingly require organisations to move beyond belief and toward demonstrable oversight.

That means being able to answer questions such as:

  • What activity is visible today?
  • How is endpoint behaviour monitored?
  • When were infrastructure configurations last reviewed?
  • How is access governed across Microsoft environments?
  • How are risks validated over time?

If organisations cannot answer these questions confidently, then exposure may already exist.

Not because security was ignored.

But because visibility was assumed.

Why frameworks like Essential Eight and IRAP matter

Frameworks such as the Essential Eight and IRAP are often misunderstood as purely technical or compliance-focused exercises.

In reality, they represent something much broader: organisational maturity.

These frameworks help organisations evaluate whether:

  • controls are operating effectively
  • visibility exists across critical areas
  • governance practices are mature
  • oversight can be demonstrated
  • risk is being actively managed

Importantly, they help move organisations away from assumption and toward validation.

That shift is increasingly important not only operationally, but also from leadership and governance perspectives.

The operational reality of modern environments

Modern environments are complex.

Users work remotely.

Systems are cloud-connected.

Endpoints operate outside traditional perimeters.

Connectivity environments evolve constantly.

As environments become more distributed, the challenge is no longer simply implementing controls.

The challenge is maintaining visibility and accountability as environments change.

That is why organisations are increasingly reassessing:

Not because incidents are inevitable.

But because unmanaged assumptions create risk over time.

Final insight

Most organisations do not have a technology problem.

They have an oversight problem.

Security gaps rarely appear suddenly.

More often, they develop gradually: through unreviewed environments, limited visibility, and assumptions that controls are still operating as intended.

The organisations best positioned to reduce risk are not necessarily the ones with the most tools.

They are the organisations willing to:

  • assess regularly
  • validate continuously
  • review environments properly
  • improve visibility before incidents occur

Because risk is rarely defined by what organisations know.

It is more often defined by what they assume.

Assess your Microsoft 365 + Essential Eight posture

AUCyber’s M365 + Essential Eight Assessment helps organisations better understand:

  • visibility gaps
  • governance exposure
  • identity and endpoint risks
  • control maturity
  • areas requiring further review