If you work in a highly regulated industry like finance, legal, or healthcare, you’ve probably spent time and money making sure you meet security and privacy obligations. That’s important work.
But does being compliant actually mean your practice is secure?
For many organisations, the honest answer is ‘not entirely’. Compliance frameworks set a baseline. They tell you the minimum you need to do to satisfy a regulator. Genuine security, on the other hand, is about what happens day to day – how your team handles emails, who can access customer data, and whether your backups would actually work if you needed them.
Let’s look at why the gap between compliance and security matters, where the everyday risks really hide, and how organisations and medical practices can close those gaps without drowning in jargon or panic.
Why does ‘compliant’ not always mean ‘secure’?
Think of compliance like a roadworthy certificate for your car. Passing the inspection confirms your vehicle met certain standards on the day it was checked, but it doesn’t guarantee you’ll drive safely next week.
Compliance is a point-in-time assessment against a checklist. Once you’ve ticked the boxes, the certificate stays valid for months, even as your staff, devices, and threats change.
But security never stops. New phishing emails arrive daily, staff come and go, and software needs patching. A business can be compliant on paper while carrying risks no audit picked up.
This distinction is critical in regulated industries where the stakes are higher. A breach in a medical practice, for instance, isn’t just a technical hiccup – it can compromise patient data, trigger penalties, and damage the trust between a doctor and patient.
What are the most common security gaps in practices?
Most breaches don’t come from Hollywood-style hacking. They come from everyday behaviours and small oversights. The Australian Signals Directorate’s Annual Cyber Threat Report 2024–25 shows that healthcare, for example, remains a heavily targeted sector, and that attackers consistently look for the easiest way in.
Here are the gaps we see most often:
- People and everyday habits
Your team is your first line of defence, and also the most common entry point for attackers. A rushed staff member clicking a convincing phishing link can hand over login details in seconds. Microsoft’s research into the email threat landscape shows email remains one of the most popular attack methods, precisely because it targets human behaviour rather than software flaws.
Regular, practical training – how to spot a suspicious email, how to verify an invoice – is one of the most cost-effective protections available.
- Devices and access
Every laptop, tablet, and phone that touches your data is a potential doorway. If a device isn’t updated or properly secured, it becomes an easy target. The same goes for access: when too many people can reach sensitive records, or when accounts aren’t protected with multi-factor authentication (MFA), the risk multiplies.
Enabling MFA on email and remote access is a simple step that stops most stolen passwords from becoming full-blown breaches.
- Policies that exist only on paper
A privacy policy in a folder doesn’t protect anyone if nobody follows it. Compliance often rewards having the right documents – security depends on those documents being lived out every day. As Microsoft notes in its overview of data security, protecting information is an active, ongoing process – not a one-off task.
How does the ‘shared responsibility’ myth create risk?
Many leadership teams assume that because their software lives ‘in the cloud’, security is fully handled by the vendor. This is one of the most common misconceptions.
Most cloud services run on a shared responsibility model. Your vendor secures the infrastructure (the servers, the code). But you remain responsible for what happens inside your account: who has access, whether staff use MFA, and which devices connect to your systems.
We cover this in more detail in our post on why Australian healthcare is a prime target for cybercrime. The short version: even the most secure cloud platform can’t stop a breach if a staff member willingly hands over their credentials.
Timing is everything in cybersecurity
Modern attacks are often slow and patient. Attackers break in and then sit quietly for weeks or months, watching traffic and locating backups before they strike. This waiting period is called dwell time.
Dwell time is where compliance checklists and security reality diverge. If your monitoring tools only keep logs for 30 days but an attacker has been inside for 120, the evidence of their entry is gone. You might detect the attack, but you’ll struggle to understand its scope.
This is why longer data retention is crucial. Keeping a full year of security history, as we explain in our article on why 365-day data retention matters, lets you trace an attack back to its origin. The Australian Cyber Security Centre’s guidelines also reinforce why robust logging and monitoring are key to good security.
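To make the dwell-time point concrete, here is an added illustration (not code from the original article) that runs a constructed, hypothetical intrusion timeline against different log-retention windows and reports which phases of the attack an investigator could still reconstruct on the day it is detected:

```python
from datetime import datetime, timedelta

# Constructed timeline of a slow, patient intrusion (hypothetical, for illustration).
# Day 0 is the day the attack becomes visible, e.g. when ransomware detonates.
DETECTION_DAY = datetime(2025, 6, 1)

INTRUSION_EVENTS = [
    # (days before detection, phase, what the log entry records)
    (120, "initial_access", "staff member enters credentials on a phishing page"),
    (118, "initial_access", "first sign-in from an unfamiliar location, no MFA prompt"),
    (75, "persistence", "mailbox forwarding rule created"),
    (40, "discovery", "backup share enumerated"),
    (3, "impact", "backups deleted"),
    (0, "impact", "ransomware detonated"),
]


def events_within_retention(events, retention_days, detection_day=DETECTION_DAY):
    """Return the events whose log entries still exist on the detection day.

    Anything older than the retention window has already been purged.
    """
    cutoff = detection_day - timedelta(days=retention_days)
    kept = []
    for days_before, phase, description in events:
        timestamp = detection_day - timedelta(days=days_before)
        if timestamp >= cutoff:
            kept.append((timestamp, phase, description))
    return kept


def reconstructable_phases(events, retention_days):
    """Which phases of the intrusion can an investigator still see in the logs?"""
    return {phase for _, phase, _ in events_within_retention(events, retention_days)}


def can_trace_to_origin(events, retention_days):
    """True only if the initial-access evidence survived the retention window."""
    return "initial_access" in reconstructable_phases(events, retention_days)


def minimum_retention_days(events):
    """Shortest retention window that would have kept every event of this intrusion."""
    return max(days_before for days_before, _, _ in events)


if __name__ == "__main__":
    for window in (30, 90, 365):
        phases = sorted(reconstructable_phases(INTRUSION_EVENTS, window))
        print(f"{window:>3}-day retention: phases visible = {phases}, "
              f"origin traceable = {can_trace_to_origin(INTRUSION_EVENTS, window)}")
    print("retention needed for this timeline:", minimum_retention_days(INTRUSION_EVENTS), "days")
```

With a 30-day window only the final "impact" entries survive, so the breach is detected but its entry point is gone; a 365-day window keeps the phishing sign-in that started it.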
You can close the gap between compliance and security
The good news: you don’t need to become an IT expert. You just need to treat security as an ongoing practice rather than a box to tick. Here’s where to start:
- Enable MFA everywhere – on email, remote access, and any system holding sensitive data.
- Train your team regularly so spotting phishing becomes second nature.
- Test your backups to confirm they’d actually restore your systems after an incident.
- Review access rights so staff can only reach the data they genuinely need.
- Extend your data retention to give you visibility across a full year, not just a few weeks.
- Keep devices and software updated to close known vulnerabilities.
None of these steps are dramatic. That’s the point. Strong security is built from consistent, sensible habits – not heroic one-off efforts.
Security is a journey, not a certificate
Compliance gives you a valuable foundation, and meeting your obligations matters. But a certificate on the wall isn’t the same as protection in practice. The biggest risks usually live in the small, everyday gaps – an untrained team member, a forgotten device, a policy nobody follows.
By treating security as a continuous practice, you protect more than your data. You protect your customers and patients, your reputation, and the trust your practice has worked hard to earn.