EOFY: The Natural Moment for a Structured IT Audit

The lead-up to 30 June is when most Australian business owners look closely at budgets, contracts and compliance. It is also one of the most practical windows of the year to bring the same discipline to IT.

The Australian Signals Directorate’s most recent Annual Cyber Threat Report logged more than 84,700 cybercrime reports in 2024-25, an average of one every six minutes. New privacy obligations also take effect on 10 December 2026, requiring businesses to be clearer about how they use technology to make decisions about customers. 

EOFY is a natural checkpoint for confirming the right controls are in place before the new financial year begins. Seven plain checks cover most of what matters for a business with 1 to 50 staff. 

  1. Software and licence audit

Review every paid subscription and seat across the business. Cancel what is no longer used, consolidate where it makes sense, and rebudget the rest. Most businesses find unused tools and licences that can be reclaimed. 

  2. Backup restore test

A backup is only useful if you can restore from it. Pick a few important files and a key system, and have them recovered end to end, within a time you would accept if something went wrong tomorrow. Restore testing should be a routine, not a one-off. 

  3. MFA coverage review

Confirm multifactor authentication is switched on for every staff member and every business account, with no exceptions. If your team is still using SMS codes, EOFY is the right time to plan an upgrade. Our recent post on phishing-resistant MFA covers what to move to and why. 

  4. Leavers and joiners access review

Match your staff list against everyone who currently has access to your systems, email, file storage and key apps. Remove access for people who have left, and confirm that current staff have only what their role requires. This is one of the highest-value reviews for the time involved. 
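
One way to run this review from exported lists, shown as an added example rather than anything from Reef IT: it matches a staff roster against an account export and flags enabled accounts with no owner, enabled accounts belonging to leavers, and group memberships beyond a role baseline. The CSV layouts, names, groups and baselines are all constructed assumptions.

```python
# Added example: reconcile an HR roster against an account export.
# Every name, address, group and role baseline below is constructed.
import csv
import io

ROSTER_CSV = """email,role,status
alice@example.com,bookkeeper,active
bob@example.com,sales,active
carol@example.com,sales,left
"""

ACCOUNTS_CSV = """system,login,enabled,groups
email,alice@example.com,true,staff
files,alice@example.com,true,staff;finance
files,Bob@Example.com,true,staff;finance
email,carol@example.com,true,staff
files,carol@example.com,false,staff
crm,temp-admin@example.com,true,admins
"""

# Assumed baseline: the groups each role is expected to hold.
ROLE_GROUPS = {"bookkeeper": {"staff", "finance"}, "sales": {"staff", "crm-users"}}

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_access(roster, accounts, role_groups):
    # Index staff by lower-cased e-mail so "Bob@" and "bob@" match.
    staff = {r["email"].strip().lower(): r for r in roster}
    findings = []
    for acct in accounts:
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts grant no access
        login = acct["login"].strip().lower()
        where = f'{acct["system"]}:{login}'
        person = staff.get(login)
        if person is None:
            findings.append(("UNKNOWN_OWNER", where, "no matching staff record"))
        elif person["status"] != "active":
            findings.append(("LEAVER_ENABLED", where, "staff status is " + person["status"]))
        else:
            held = {g for g in acct["groups"].split(";") if g}
            extra = held - role_groups.get(person["role"], set())
            if extra:
                findings.append(("EXCESS_ACCESS", where, ",".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for kind, where, detail in review_access(load(ROSTER_CSV), load(ACCOUNTS_CSV), ROLE_GROUPS):
        print(f"{kind:15} {where:32} {detail}")
```

Accounts flagged as UNKNOWN_OWNER are often shared or service logins; each one needs a named owner recorded or should be removed.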

  5. Patching status report

Every computer, phone and server in the business runs software that needs regular security updates. Ask for a clear summary of how up to date your devices are, with any gaps flagged. The goal is near-complete coverage on critical updates within agreed timeframes. 

  6. Privacy policy refresh

From 10 December 2026, the updated Privacy Act requires businesses to explain in their privacy policy whenever they use software or AI tools to make decisions that meaningfully affect customers, employees or applicants. Examples include automated screening of job applicants or AI-driven recommendations to customers. EOFY is the right time to check whether any of your systems fall into this category and to get the policy updated. 

  7. Cyber insurance posture review

Most cyber insurance policies now ask detailed questions at renewal: is MFA switched on for everyone, are backups tested, how quickly are updates applied, and what would you do in the first 24 hours of an incident. Walk through the questionnaire alongside whoever supports your IT, so the answers reflect reality and the supporting evidence is on hand if needed. 

Bringing it together 

The checks work best when they are run together rather than handled separately, with the findings translated into a clear picture of where the business sits and a costed plan for the new financial year. That is the kind of structured, advisory work Reef IT runs alongside Australian small businesses as part of an ongoing partnership. 

Looking for an IT partner who puts your business first? Talk to the team at Reef IT today