Preparing Your SMB for 2027: Security Priorities


The year is winding down. It’s a good time to assess where you are and plan where you need to be.

Here’s how I’d think about security priorities heading into 2027.

Assess Your Current State

Before planning improvements, understand where you stand.

Essential Eight self-assessment:

Score yourself honestly against each control:

  1. Application Control - How much of your environment is covered?
  2. Patch Applications - Are you hitting the 48-hour target for critical patches?
  3. Patch OS - Same question
  4. Restrict Admin Privileges - How many people have admin access? Is it appropriate?
  5. Configure Office Macros - Are macros from the internet blocked?
  6. User Application Hardening - Are risky features disabled in browsers?
  7. MFA - What percentage of accounts have MFA?
  8. Backups - Are they tested? Are they protected from ransomware?

If you’re not at Maturity Level One on all controls, that’s priority one.

Insurance readiness:

Review what your insurer required this year. Anticipate tighter requirements. Are you prepared?

Incident history:

What security events did you have this year? Near misses? What would have prevented them?

Priority 1: Close Essential Eight Gaps

For most SMBs, this remains the top priority.

If you’re not at Level One:

Pick the gaps with highest impact:

  • MFA if not at 100%
  • Patching if significantly delayed
  • Backups if not tested or protected

Get to Level One across all controls.

If you’re at Level One:

Consider moving toward Level Two for highest-impact controls:

  • Faster patching (48 hours for critical)
  • Phishing-resistant MFA for high-risk users
  • Application control with proper whitelisting

Priority 2: Insurance Preparation

Start renewal preparation early.

90 days before renewal:

  • Review current requirements
  • Identify gaps in compliance
  • Begin remediation

What to expect:

  • MFA everywhere (non-negotiable)
  • EDR (not just antivirus)
  • Tested backups (evidence required)
  • Incident response plan (documented)
  • Security awareness training (current)

If you’re not meeting these, address gaps before renewal.

Priority 3: AI Security Basics

AI adoption will continue accelerating. Get basics in place.

Minimum requirements:

  • Know what AI tools are in use
  • Basic data handling policy
  • Enterprise AI where handling sensitive data
  • Verification practices for AI outputs

Next level:

  • Formal AI governance
  • Vendor assessment for AI services
  • AI topics in security training

Priority 4: Identity and Access

Identity is the primary attack surface.

Focus areas:

MFA strengthening: If you’re on authenticator apps, consider passkeys or hardware keys for high-risk users.

Conditional access: If not already using it, implement risk-based authentication. Block access from unusual locations or non-compliant devices.

Privileged access: Review who has admin access. Remove unnecessary privileges. Consider just-in-time access.

Lifecycle management: Ensure provisioning and deprovisioning processes work. Orphaned accounts are attack targets.

Priority 5: Third-Party Risk

Your suppliers are part of your attack surface.

What to do:

  • Inventory critical suppliers
  • Assess security of high-risk vendors
  • Include security provisions in contracts
  • Monitor for supplier incidents

Supply chain attacks aren’t going away. Know who your critical suppliers are and have some assurance of their security.

Priority 6: Detection and Response

Prevention isn’t sufficient. You need to detect attacks and respond effectively.

EDR: If you don’t have it, deploy it. Microsoft Defender for Business (if on M365 Business Premium) or alternatives like Huntress.

Monitoring: Ensure critical logs are collected. Set up alerts for obvious badness.

Response planning: Have an incident response plan. Know who to call. Practice at least annually.

Priority 7: Staff and Culture

Security is a people problem as much as a technology problem.

Training: Ensure security awareness training is current. Include AI phishing. Focus on verification behaviours.

Culture: Encourage reporting without punishment. Make security part of how you operate, not an obstacle.

Expertise: If you don’t have internal security expertise, ensure you have external partners. AI consultants Brisbane and similar firms can provide ongoing support.

Building the Plan

Framework for prioritisation:

  1. Required - What do you need for insurance, compliance, contracts?
  2. Critical gaps - What creates the most risk if left unaddressed?
  3. Foundation building - What enables future improvement?
  4. Nice to have - Improvements that can wait.

Focus resources on the first two categories.

Realistic expectations:

You can’t do everything. Pick the highest-impact improvements. Build incrementally.

Budget considerations:

Most Essential Eight improvements don’t require major tool purchases:

  • MFA - included in most platforms
  • Patching - mostly process improvement
  • Backups - verify what you have works
  • Admin privileges - configuration and process

Bigger investments:

  • EDR if not included in current licensing
  • Password manager for the organisation
  • Security awareness training platform
  • Managed services if doing it yourself isn’t working

Q4 2026 Actions

November:

  • Complete Essential Eight self-assessment
  • Identify top 3 gaps
  • Begin insurance renewal preparation
  • Verify backups are working

December:

  • Close quick-win gaps
  • Review AI tool usage
  • Update incident response contacts
  • Plan 2027 security budget

January 2027:

  • Implement planned improvements
  • Conduct tabletop exercise
  • Brief management on security priorities
  • Schedule quarterly security reviews

Working with Providers

If you have an IT provider, include them in planning.

Discussion points:

  • What’s our Essential Eight maturity?
  • What improvements do you recommend?
  • What’s included in our current agreement?
  • What would additional services cost?

If you’re not getting strategic security guidance from your provider, either address that with them or find supplementary expertise.

Team400 and similar specialists work alongside IT providers to add security depth.

Metrics for 2027

Establish metrics you’ll track throughout the year:

Essential metrics:

  • MFA coverage percentage
  • Patch latency (critical/high vulnerabilities)
  • Backup success rate
  • Phishing click rate

Growth metrics:

  • Essential Eight maturity score
  • Security training completion
  • Incident count and severity

Process metrics:

  • Access review completion
  • Policy review completion
  • Time to remediate findings

If you’re not measuring, you can’t improve systematically.
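As an added example that is not from the original post, a small Python script that computes several of the metrics above (MFA coverage, orphaned accounts, patch latency against the 48-hour critical target) from constructed inventory data; the same functions answer the self-assessment questions for the Patch, Restrict Admin Privileges and MFA controls earlier on the page. The row layouts and values are assumptions; in practice these rows come from identity-provider and patch-management exports.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumption, not a real tenant). In practice these
# rows come from identity-provider and patch-management exports.
ACCOUNTS = [  # (username, mfa_enabled, is_admin, still_employed)
    ("alice", True, True, True),
    ("bob", False, True, True),     # admin without MFA
    ("carol", True, False, False),  # left the company, account never disabled
    ("dave", True, True, True),
]
PATCHES = [  # (placeholder id, severity, vendor release, applied or None)
    ("PATCH-A", "critical", "2026-11-01T09:00", "2026-11-02T15:00"),
    ("PATCH-B", "critical", "2026-11-05T09:00", "2026-11-09T10:00"),
    ("PATCH-C", "high", "2026-11-10T09:00", None),  # still open
]
CRITICAL_TARGET_HOURS = 48  # the page's target for critical patches

def mfa_coverage(accounts):
    """Percentage of accounts with MFA enabled; the page's target is 100%."""
    return 100.0 * sum(1 for a in accounts if a[1]) / len(accounts)

def admins_without_mfa(accounts):
    """Privileged accounts lacking MFA: the highest-impact gap to close first."""
    return sorted(a[0] for a in accounts if a[2] and not a[1])

def orphaned_accounts(accounts):
    """Still-enabled accounts of people who have left (lifecycle gap)."""
    return sorted(a[0] for a in accounts if not a[3])

def patch_latency(patches, now_iso):
    """Hours from vendor release to install; open patches are measured to now."""
    now = datetime.fromisoformat(now_iso)
    out = {}
    for pid, sev, released, applied in patches:
        end = datetime.fromisoformat(applied) if applied else now
        hours = (end - datetime.fromisoformat(released)) / timedelta(hours=1)
        out[pid] = (sev, hours, applied is None)
    return out

def critical_sla_misses(patches, now_iso):
    """Critical patches installed (or still open) past the 48-hour target."""
    lat = patch_latency(patches, now_iso)
    return sorted(pid for pid, (sev, hours, _) in lat.items()
                  if sev == "critical" and hours > CRITICAL_TARGET_HOURS)

if __name__ == "__main__":
    print(f"MFA coverage: {mfa_coverage(ACCOUNTS):.0f}%")
    print("Admins without MFA:", admins_without_mfa(ACCOUNTS))
    print("Orphaned accounts:", orphaned_accounts(ACCOUNTS))
    print("Critical SLA misses:", critical_sla_misses(PATCHES, "2026-11-21T09:00"))
```

Tracked month over month, these four numbers show whether the Level One gaps are actually closing rather than just being documented.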

Avoiding Common Traps

The big project trap: Businesses plan major security initiatives and then never execute them. Better: steady incremental improvement.

The tool trap: Buying tools without implementing properly. Better: fewer tools, fully configured and used.

The compliance trap: Checking boxes without actual security improvement. Better: do it properly, not just document it.

The avoidance trap: Security seems overwhelming so nothing happens. Better: start with one improvement, build from there.

The Simple Version

If all the above seems like too much:

Three things to do by end of year:

  1. Enable MFA on any accounts that don’t have it
  2. Verify your backups work (actually restore something)
  3. Update one person’s access to remove unnecessary privileges

That’s achievable. Start there.

Final Thought

Security improvement is a journey. You won’t get everything done. The goal is steady progress toward a more resilient state.

Focus on fundamentals. Essential Eight provides the roadmap. Insurance requirements provide external pressure. Client expectations provide business motivation.

Use Q4 to assess and plan. Use 2027 to execute and improve.

Working with specialists like AI consultants Sydney can accelerate progress and fill expertise gaps. But the core work is within reach of any business willing to prioritise it.

The businesses that treat security as ongoing practice rather than occasional project are the ones that avoid incidents their peers suffer.

Make 2027 the year you get ahead of the curve rather than behind it.