The Procurement Trap: Why Your EOFY Spending Decisions Are Your Biggest Cyber Risk

It happens every year, and technology leaders across Australia know exactly what it feels like. The calendar flips to May and suddenly the inbox fills with vendor calls. Finance wants a forecast. Hardware refresh projects that drifted through Q3 get urgent. Software renewal notices arrive in batches. The procurement team is under pressure to clear budget before June 30, and everyone is moving faster than they were three months ago.

This is the EOFY crunch, and for most organisations it is simply the annual rhythm of getting things done. But here is the argument this article is making plainly, because it deserves to be made plainly: the conditions that define EOFY procurement are precisely the conditions under which organisations make their worst technology decisions. And those decisions are not just expensive. They are security risks that persist long after the financial year closes.

Rushed Procurement Is Unvetted Procurement

Speed and rigour are in direct tension. When a procurement decision needs to close before June 30 and the approval process is already compressed, vendor due diligence is the first thing to give way.

In practice, this means vendors who would not survive a standard security evaluation get approved because there is no time for one. Hardware arrives from suppliers who have not been assessed against the organisation’s supply chain risk requirements. Contracts get signed with security clauses that have not been properly reviewed by anyone who understands what those clauses actually mean. The legal team waves it through. The procurement team hits submit. The CIO signs the PO.

None of this is malicious. It is structural. The system is not designed to slow down at EOFY; it is designed to accelerate. And acceleration, by definition, removes the friction that security review depends on. The result is a cohort of technology assets entering the environment with unknown provenance, unverified configuration, and no clear accountability for ongoing security management.

This is not a theoretical risk. The Australian Signals Directorate explicitly names third-party risk management as one of four priority actions for Australian organisations in its most recent Annual Cyber Threat Report — because third-party procurement is where the exposure begins.

Budget-Clearing Behaviour Produces Shadow IT

The EOFY pressure to spend remaining budget creates a second, quieter problem. When operational teams — marketing, finance, sales, HR — realise budget is available and time is short, they acquire software. Sometimes through IT, often not.

These tools land in the environment without proper security assessment. They are not integrated into the organisation’s identity governance framework. Nobody owns them after the person who purchased them moves on. They sit quietly, connected to production systems and data stores, without monitoring or management.

This is the shadow IT problem, and it does not emerge from negligence so much as from opportunity. EOFY creates the opportunity. Research from IBM consistently finds that data stored in unmanaged environments contributes to a meaningful share of breaches — and the average global cost of a data breach has risen significantly in recent years, reaching USD $4.44 million in 2025. Unmanaged tools purchased outside normal governance processes are a direct contributor to that exposure.

The particularly uncomfortable reality is that EOFY is the window when shadow IT creation is highest. Budget availability, deadline pressure, and reduced IT bandwidth — because IT is simultaneously managing infrastructure refreshes, contract renewals, and vendor negotiations — create the conditions for procurement decisions that bypass governance entirely.

Multi-Year Licensing Lock-In Is an Architecture Decision in Disguise

Perhaps the most consequential EOFY decision is one that rarely gets treated as a security decision at all: signing a multi-year licensing agreement.

Three-year licensing deals are commercially attractive and procurement teams love them. They clear budget cleanly, they usually carry a discount, and they reduce the renewal noise in future financial years. What they also do is commit the organisation to a technology position for the next three years, regardless of how its architecture, its threat model, or its regulatory environment changes in that time.

A licensing agreement signed in June 2026 under EOFY pressure will still be in force in June 2028. That is three years of vendor relationship management, three years of contractual entanglement, and three years of using a technology that may not fit the environment it was purchased for by the time the contract expires. In fast-moving areas — cloud platforms, security tooling, identity management, network architecture — three years is a long time to be locked into a decision that was made in a hurry.

The problem is not the length of the agreement. Multi-year contracts can be excellent commercial decisions when they are made deliberately. The problem is that EOFY is not a deliberate decision-making environment. It is a clearance environment. And clearance decisions should not be driving architecture.

Evidence Snapshot

Third-party vendor and supply chain compromises are the second most common cause of data breaches globally, costing organisations an average of USD $4.91 million per incident and taking 267 days to detect and contain — the longest resolution time of any attack vector. (2025, IBM Cost of a Data Breach Report)

The average self-reported cost of cybercrime per report from Australian businesses rose 50% to $80,850 in FY2024–25, as the Australian Signals Directorate recorded more than 1,200 cyber security incidents, an 11% year-on-year increase. (2025, ASD Annual Cyber Threat Report 2024–25)

More than one in three data breaches involve shadow data — information stored in unmanaged data sources outside normal governance and monitoring processes. (2024, IBM Cost of a Data Breach Report)

The Australian Signals Directorate identifies managing third-party risk as one of four critical actions for Australian organisations — explicitly linking procurement relationships to cyber exposure. (2025, ASD Annual Cyber Threat Report 2024–25)

The Security Team Is Rarely in the Room

EOFY procurement is driven by finance, IT operations, and procurement teams working against a deadline. Security review, where it happens at all, is typically cursory, reactive, or conducted after the purchase order has been approved. The CISO learns about the acquisition when someone needs a firewall rule changed or a new application added to the SSO configuration.

This is not a governance failure unique to any particular organisation. It is a structural feature of how most procurement processes are designed. Procurement governance is optimised for commercial outcomes: value for money, vendor management, contract terms. Security governance requires a different set of questions. What data does this system access? Who controls it? What happens if the vendor is compromised? How is this decommissioned when it is no longer needed?

These questions are not typically on the EOFY procurement checklist. They should be. Not as a compliance exercise, but because the answers directly determine the organisation’s risk exposure going into the next financial year.

The worst version of this pattern is when a procurement decision enables vendor access to the organisation’s environment — network access, data integration, API connectivity — and that access is established in a hurry, without a proper security review, and then never re-evaluated. That vendor relationship, and its associated access rights, persist long after EOFY. The risk does too.

What Disciplined Procurement Actually Looks Like

This is not an argument against spending at EOFY. Budget cycles are real, vendor timelines are real, and hardware refresh programmes have legitimate urgency. The argument is that EOFY procurement can be done well or done badly, and the difference is not speed — it is discipline.

Organisations that manage EOFY procurement well treat security review as a non-negotiable step, not an optional extra. This means maintaining a lightweight but real vendor security assessment process that can operate at EOFY velocity — not the twelve-week deep-dive of a major platform decision, but not nothing either. It means having an approved vendor list that has been security-assessed in advance, so that EOFY procurement can draw from a known-safe catalogue rather than introducing new, unvetted suppliers under time pressure.

It also means treating multi-year licensing decisions as architecture decisions, not commercial ones, and routing them through the appropriate governance. A three-year commitment to a cloud platform or a security tooling vendor should require sign-off from someone who understands the organisation’s technology roadmap — not just its budget position.

The organisations that get this right enter each new financial year with technology that is right-sized, properly evaluated, and not carrying undiscovered risk from rushed decisions. Those that do not carry that risk forward — sometimes for years — and discover it at the worst possible moment.

What I see in customer environments every EOFY is the same pattern: procurement moves faster than governance, and security review doesn’t catch up until something breaks. The organisations that have figured this out haven’t slowed procurement down — they’ve built the security check into the procurement process itself, so it runs in parallel rather than as a gate. That shift is mostly a process change, not a technology one, and it makes a material difference to what enters the environment in June and what still has to be managed in September.

If the argument in this article resonates, the logical next step is to run your own audit before committing to any significant spend this EOFY. We’ve produced The EOFY Technology Audit Checklist: 40 Questions to Ask Before You Sign Anything as a hands-on companion to this edition — covering procurement validation, licensing, cloud waste, deferred decisions, and strategic investment criteria. Download it and work through it with your procurement and security leads before June 30.

Orro helps Australian organisations navigate complex technology decisions with confidence — from procurement validation and licensing review through to managed security, connectivity, and infrastructure. To speak with our team about your FY26 close-out or FY27 planning, visit [orro.group/contact] or reach out to your Orro account manager directly.

Have a specific hardware or software quote on the table before June 30? Submit it for independent validation at ValidPro® — and make sure every dollar is well spent before you sign.
