When a client faces a Privacy Act inquiry, a procurement question, or a Board request they can't answer — you refer. We assess. You receive a referral fee and your client gets a result. No overlap with your legal services.
Drawn from a combined GRC and passive OSINT engagement, anonymised. We assess the whole picture — governance, external exposure, controls — then rate each finding, map it to a framework, and hand back who should fix it. No systems are ever accessed.
Two abbreviated extracts from real 2026 engagements, anonymised — a healthcare provider and a supply-chain operator. Each is a selection of findings, not the full report, drawn through a combined GRC and passive OSINT lens. Every finding is rated, mapped to a framework, tied to a real precedent, and pointed at who owns the fix. No systems are ever accessed.
Underinvestment in a high-sensitivity environment — legacy platforms kept alive on a tight budget, in a setting holding some of the most sensitive data there is.
The clinical environment ran on legacy software platforms kept in service well past their supported life. Vendor updates had stopped, and they had been kept running because replacing them was treated as a cost to defer rather than a risk to manage.
Once a vendor stops issuing updates, every newly discovered vulnerability stays open permanently. Essential Eight treats patching applications and operating systems as a baseline; an unsupported platform can never meet it.
The ASD’s ACSC found inadequate patching behind the majority of the significant incidents it responded to. In one Australian case, attackers exploited an unpatched Microsoft Exchange server and reached full encryption in four days. Unsupported legacy systems are the softest target on any network.
Sits with IT, but the call is the board’s. The direction here is to plan for replacing or retiring the platform — and, until then, to make sure someone owns it as a known risk rather than leaving it forgotten. Maps to Essential Eight (patching).
The same legacy systems — and the accounts reaching the client records on them — had no multi-factor authentication. A single username and password was the only barrier.
MFA is the control that stops a stolen password from becoming a breach. Without it, one leaked or guessed credential is enough. APP 11 requires reasonable steps to protect the clinical information held.
In the Medibank breach (2022): one stolen credential, no MFA, 9.7 million records. The gap was known and unremediated. The result was OAIC proceedings, a $250 million APRA capital add-on, and class actions.
A conversation for IT and whoever owns identity. The direction is to bring the systems that can support MFA into line, and to make a conscious decision about anything that cannot. Maps to Essential Eight (MFA) and APP 11.
From public and licensed breach sources only — no systems accessed — valid staff credentials for the provider’s email and remote access were found in breach-corpus and infostealer data. Reused passwords meant one exposure could open several systems.
Exposed, still-valid credentials are the most common way in — attackers log in rather than break in. In a healthcare setting, what those credentials reach is high-harm data.
In HWL Ebsworth (2023), a compromised credential on a staff device led to 2.5 million documents stolen. The ASD’s 2024–25 report found compromised credentials the leading initial-access vector in encryption incidents — 42%, up from 23% — with 9,587 exposure notifications issued in a year.
One to raise with IT and identity. The direction is to treat the exposed accounts as no longer trustworthy, and to lean less on passwords alone as the only barrier. Maps to Essential Eight (MFA) and APP 11.
In shared reception and clinical areas, devices were left unattended and unlocked, with client information visible on screen. Auto-lock was not enforced and there was no clear-screen practice.
The information on those screens is among the most sensitive the organisation holds, and no network control covers a device left open in a waiting room.
No intrusion is needed — a patient, visitor, or contractor reads or photographs a screen. Human error is consistently among the leading causes of notifiable breaches reported to the OAIC, and in healthcare the harm is high. It is reportable regardless of how it happened.
Sits with clinical or office management, alongside HR. The direction is a simple, consistent habit for shared areas — devices that lock themselves, screens that clear — supported by regular, documented awareness training. Maps to APP 11.
Governance for disaster recovery had no owner. A recovery plan and a patchwork of backups existed, but no single role was accountable for them, no recovery-time objective was set, and the plan had never been tested end to end.
This was the finding both engagements shared — a healthcare provider and a supply-chain operator, entirely different in every other respect, with the identical governance blind spot. If either were breached, it would be recovering with no one accountable for how. That is a GRC failure, not a technical one.
After the HWL Ebsworth breach, review and notification ran for months — some individuals were not told for up to six months. Untested, unowned recovery turns a contained incident into a prolonged crisis, and boards are held to account for resilience they cannot demonstrate.
The first fix is ownership itself: someone — business continuity or operations, with the board watching — needs to own the plan, set a recovery target, and confirm it actually works. The direction matters more than the tooling. Maps to Essential Eight (backups) and ASD resilience guidance.
The Healthcare risk profile
Underinvestment concentrates exposure in the top-right — legacy, unpatched, unmonitored. Indicative only: each point is a plausible path to compromise, not a prediction.
Operational-technology sprawl — a web of scanners, SaaS integrations, IoT monitoring and fleet telemetry, with more moving parts than anyone had fully mapped.
The operation ran on a web of connected systems — barcode and scanner technology feeding a chain of SaaS platform integrations. Trust between those systems was largely unmanaged: credentials and API connections were long-lived, broadly scoped, and rarely reviewed.
Every integration is a doorway. When systems trust each other automatically and no one reviews that trust, a compromise of one platform can move laterally into the rest — and the more integrations, the larger the unseen attack surface.
The ASD’s ACSC lists supply-chain and trusted-relationship compromise among the hardest risks to detect, precisely because the access looks legitimate. An over-trusted integration is an open door no alarm treats as suspicious.
A conversation for IT and whoever manages the platform relationships. The direction is to know every integration that exists, keep each to only the access it needs, and review them rather than set-and-forget. Maps to Essential Eight (application hardening).
Networked IoT monitoring devices — essential to operations but unaccounted for — were connected to the environment and absent from the asset inventory. Several were of unverified overseas origin, unmanaged, and not receiving updates.
A device you have not inventoried is an attack surface you cannot see, and unverified provenance adds a supply-chain and sovereignty question on top. Hardware of unknown origin can behave in ways no one has assessed, on a network carrying operational data.
ASD’s ACSC repeatedly warns that edge and operational devices are a favoured route for attackers, and that supply-chain compromise is among the hardest to detect. An unmonitored device of unknown provenance is exactly that blind spot.
Sits with IT and operations, alongside procurement. The direction is to know what is actually connected, keep anything unmanaged or of unclear origin at arm’s length from the rest, and confirm provenance before it stays. Maps to Essential Eight (asset visibility) and ASD edge / supply-chain guidance.
Fleet systems generated a continuous stream of operational and location data — GPS tracking of trucks, fuel and route telemetry, driver activity — with unclear ownership of that data and no defined controls over who could access it or where it was stored.
Location and driver data is personal information, and continuous tracking of employees carries privacy obligations. Data no one owns is data no one protects — and telemetry often flows through third-party platforms without that being assessed.
Unowned, unprotected personal data is exactly what the OAIC’s enforcement priorities target. At a breach, the question is not only what was taken, but whether the organisation could even say who was responsible for it. “No one owned it” is not a defence.
One for operations and the privacy function together. The direction is to decide who owns the fleet and telemetry data, what may be collected, and where it lives — so it is no longer data that no one is responsible for. Maps to APP 11 and APP 8.
Across the integration chain, sensitive operational and personal data flowed to third-party platforms — some hosted or controlled offshore — without assessment of their security or the cross-border accountability APP 8 requires. One vendor’s hosting jurisdiction could not be confirmed.
Under APP 8 you remain accountable for what an overseas recipient does with the data. In a sprawling integration chain that accountability is easy to lose track of — and impossible to demonstrate if it was never mapped.
In the 2Apply / IRE determination (OAIC, 2026), a third-party platform’s handling of personal data drew a landmark ruling — remedied by a mandated independent review. Independent assurance of third parties is now the outcome regulators impose.
Sits with procurement and the privacy function. The direction is to map where the data actually goes, confirm accountability for each recipient, and revisit anything whose location cannot be assured. Maps to APP 8 and APP 11.
Governance for disaster recovery had no owner. A recovery plan and a patchwork of backups existed, but no single role was accountable for them, no recovery-time objective was set, and the plan had never been tested end to end.
This was the finding both engagements shared — a healthcare provider and a supply-chain operator, entirely different in every other respect, with the identical governance blind spot. If either were breached, it would be recovering with no one accountable for how. That is a GRC failure, not a technical one.
After the HWL Ebsworth breach, review and notification ran for months — some individuals were not told for up to six months. Untested, unowned recovery turns a contained incident into a prolonged crisis, and boards are held to account for resilience they cannot demonstrate.
The first fix is ownership itself: someone — business continuity or operations, with the board watching — needs to own the plan, set a recovery target, and confirm it actually works. The direction matters more than the tooling. Maps to Essential Eight (backups) and ASD resilience guidance.
The Supply-Chain risk profile
Sprawl spreads exposure across the estate — many moving parts, high impact, harder to see. Indicative only: each point is a plausible path to compromise, not a prediction.
Governance, risk and compliance is the scaffolding that forces an organisation to know what it owns, who owns each risk, and whether its controls can be demonstrated. A documented policy does not stop an intrusion — knowing what is externally exposed, before an attacker does, is what turns an assessment into a defence.
Every consequence cited above is drawn from public regulatory, court, or government records. The findings themselves are anonymised and illustrative of real 2026 engagements.
Risk ratings are indicative assessments of plausible exposure, not predictions of a certain outcome. No client is named or identifiable.
Your practice covers governance, regulation, and compliance — but not the technical assessment that sits underneath it. That's where we come in.
Your client is responding to an OAIC inquiry or preparing for the 2024 Privacy Act amendments. They need an evidence-based assessment of what's actually exposed — not an opinion.
Pre-acquisition due diligence increasingly includes cyber posture. A passive OSINT assessment gives your client a clear picture of the target's external exposure without alerting the market.
Directors need to demonstrate they've exercised due care on cyber risk. A Board-ready GRC assessment gives them documented evidence of the organisation's external posture.
When APRA, the OAIC, or a sector regulator asks questions, your client needs evidence — not assurances. Our assessments provide sourced, framework-mapped findings.
Government and enterprise procurement increasingly requires GRC evidence. A structured assessment with framework mapping satisfies the requirements your client can't produce internally.
After a breach, your client needs to understand what was visible before the incident. A passive assessment reconstructs the external picture without interfering with forensics.
No technical expertise required from your side. No client confusion. No overlap with your legal services.
The client calls you. You don't provide cyber assessments — and you shouldn't have to. You refer them to BlackFlag Advisory. We deliver a passive OSINT assessment within 7 days. The client gets the evidence their insurer needs. You receive a referral fee. No scope creep, no technical involvement, no conflict.
Directors need to demonstrate due care. Your client has no internal cyber assessment capability. You refer them to us. We produce a Board-ready report — framework-mapped, risk-registered, plain English. The directors have documented evidence. You've added value without stepping outside your practice.