Jam Cyber Brief
April 2026 Edition
This month’s stories share a common thread: the consequences of adopting and deploying technology without governing it are becoming specific, documented, and in some cases legally enforced.
A trusted research platform used by Australian legal firms was breached, and the data damage flowed downstream to those firms through no fault of their own. Courts are now confirming that business email compromise is a liability question, with consequences that can see a business pay the same invoice twice.
There is genuine good news as well. Australia became one of the first countries in the world to mandate minimum security standards for connected devices. Passkeys, the technology that replaces passwords with biometrics, are gaining real traction through Australian banks and government platforms. And the latest Commonwealth Cyber Security Posture Report shows that 92 per cent of Commonwealth entities now achieve effective compliance.
The common thread through the threats and the opportunities alike is governance. The businesses navigating this environment well are not necessarily those with the biggest budgets. They are those that have decided to treat security as a discipline: governing their tools, vetting their vendors, and staying ahead of the obligations heading their way. The pattern among businesses doing this well is consistent: security decisions sit at the same level as financial and legal ones, not waiting in an IT queue.
IT & Cyber Trends We’re Seeing Right Now
The password is dying: passkeys are going mainstream in Australia
The shift away from passwords is no longer a future-tense conversation. Australia’s myGov platform saw 170,000 passkey enrolments within weeks of launch.
National Australia Bank has publicly described passwords as “terrible” and on the way out, and its digital subsidiary ubank has already extended passkey capabilities to customers.
Passkeys use biometrics or a device PIN in place of a password. Because they rely on cryptographic keys rather than a shared secret, there is nothing to phish, steal, or leak.
The 2026 State of Passwordless Identity Assurance report found that 64 per cent of security professionals now correctly identify passkeys as phishing-resistant, up from 40 per cent in 2025. Despite growing awareness, 76 per cent of organisations still rely on legacy passwords.
What to do next:
Review which systems support passkey or FIDO2 authentication and prioritise enabling it for email, cloud storage and financial platforms first.
Ask your IT provider to confirm phishing-resistant authentication is enabled across Microsoft 365 or Google Workspace, and request a timeline if it is not yet active.
Run a short internal briefing for staff on how passkeys work. User confidence is one of the most commonly cited adoption barriers.
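Why a passkey leaves "nothing to phish" comes down to origin binding: the device signs a one-time server challenge together with the origin the browser is actually on, and the server accepts a signature only over its own origin. The Go program below is an added example, not code from this brief or from any platform it names. It models that exchange with a simplified relying party; the names RelyingParty, Authenticator and Scenario, the domain bank.example and the look-alike domain are all assumptions, and the signed message is a SHA-256 of the client data rather than the full WebAuthn authenticator-data layout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData carries the fields of WebAuthn's clientDataJSON that matter here.
// The browser, not the user or the site, fills in Origin with the page the
// login is really happening on, and the authenticator signs the whole thing.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// RelyingParty is a hypothetical login server. It holds public keys only, so
// a breach of its store yields nothing that can be replayed as a login.
type RelyingParty struct {
	Origin  string
	keys    map[string]ed25519.PublicKey
	pending map[string]bool // challenges issued but not yet consumed
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, keys: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Register stores the public half of a user's passkey at enrolment.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }

// NewChallenge issues a fresh random nonce that is valid for one attempt.
func (rp *RelyingParty) NewChallenge() string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	c := base64.RawURLEncoding.EncodeToString(buf)
	rp.pending[c] = true
	return c
}

// Verify accepts an assertion only if it is signed over a live challenge and
// this server's own origin. A signature made on any other origin fails here,
// even when that origin was handed the genuine challenge.
func (rp *RelyingParty) Verify(user string, clientJSON, sig []byte) error {
	pub, ok := rp.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	var cd clientData
	if err := json.Unmarshal(clientJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if !rp.pending[cd.Challenge] {
		return errors.New("challenge unknown or already used")
	}
	delete(rp.pending, cd.Challenge) // one attempt per challenge, valid or not
	if subtle.ConstantTimeCompare([]byte(cd.Origin), []byte(rp.Origin)) != 1 {
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	}
	digest := sha256.Sum256(clientJSON)
	if !ed25519.Verify(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Authenticator models the device side. The private key never leaves it, and
// it signs whatever origin the browser reports, which is what makes the
// credential worthless on a look-alike site.
type Authenticator struct{ priv ed25519.PrivateKey }

func (a *Authenticator) Assert(origin, challenge string) ([]byte, []byte) {
	clientJSON, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256(clientJSON)
	return clientJSON, ed25519.Sign(a.priv, digest[:])
}

// Scenario runs three attempts against one registered passkey and reports which
// were accepted: a genuine login, a replay of that same assertion, and an
// assertion signed on a look-alike origin that received a real challenge.
func Scenario() (genuine, replay, lookalike bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty("https://bank.example") // assumed relying-party origin
	rp.Register("alice", pub)
	device := &Authenticator{priv: priv}

	cj, sig := device.Assert("https://bank.example", rp.NewChallenge())
	genuine = rp.Verify("alice", cj, sig) == nil
	replay = rp.Verify("alice", cj, sig) == nil

	cj, sig = device.Assert("https://bank-example.login.example", rp.NewChallenge())
	lookalike = rp.Verify("alice", cj, sig) == nil
	return genuine, replay, lookalike
}

func main() {
	g, r, l := Scenario()
	fmt.Printf("genuine accepted: %v, replay accepted: %v, look-alike origin accepted: %v\n", g, r, l)
}
```

The point to take from running it is that the look-alike attempt fails before the signature is even checked: the origin the browser recorded does not match, so a stolen or relayed assertion is useless, and the one-time challenge also stops the genuine assertion from being reused.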
Australia’s new mandatory smart device security rules are now in force
On 4 March 2026, the Cyber Security (Security Standards for Smart Devices) Rules 2025 came into effect under the Cyber Security Act 2024.
The rules introduce three baseline requirements for all consumer smart devices manufactured or supplied in Australia: unique passwords must be set for each device, manufacturers must publish a vulnerability disclosure process, and products must disclose how long security updates will be provided.
This matters for offices as much as households. Smart TVs, IP cameras, routers, printers and networked sensors are standard fixtures in professional services environments, and historically have been among the most easily exploited entry points for attackers.
A voluntary security labelling scheme is also planned to pilot in October 2026, giving businesses and consumers a clear signal of a device’s security credentials at the point of purchase.
What to do next:
Audit smart and connected devices in your office and check whether each is still receiving current firmware updates from the manufacturer.
When purchasing new connected devices, confirm each ships with a unique default password and a published support end-date.
Segment IoT devices onto a separate network from your core business systems to contain any damage if a device is compromised.
Replace or isolate any device that is past its manufacturer support period and is no longer receiving security updates.
Copilot read your confidential emails for weeks
In late January 2026, a confirmed software bug in Microsoft 365 Copilot allowed the AI assistant to read and summarise emails explicitly marked as confidential. The bug bypassed Data Loss Prevention policies and sensitivity labels that organisations had put in place to prevent exactly this.
Emails in Sent Items and Drafts folders were affected, including legal memos, business agreements and protected health information. Microsoft confirmed the issue to TechCrunch and began rolling out a fix in early February. It did not disclose how many organisations were affected.
Many Australian firms have structured their information security models around the assumption that labelled emails are protected from automated processing. This incident demonstrated that AI tools can undermine those controls in ways traditional security frameworks were not built to catch.
The World Economic Forum’s 2026 Global Cybersecurity Outlook found that AI vulnerabilities have joined cyber-enabled fraud at the top of CEO concerns globally. The share of organisations actively assessing the security of their AI tools has nearly doubled in the past year, from 37 per cent to 64 per cent.
What to do next:
Confirm with your IT provider that the CW1226324 configuration fix has been deployed to your Microsoft 365 tenant.
Test the fix by checking whether Copilot can still summarise a confidentially labelled email. If it can, the control is not working as intended.
Apply least-privilege access to all AI tools. AI assistants should only access the data they genuinely need for their intended function.
Create or update your AI usage policy to specify which tools are approved, what data they may access, and how staff should handle sensitive information.
Current Cyber Threats for Australian SMEs
INC Ransom is here: ACSC names a direct threat to Australian professional services
On 6 March 2026, the ACSC published a joint advisory with New Zealand’s National Cyber Security Centre and CERT Tonga about the ransomware group INC Ransom.
The advisory confirmed at least 11 Australian organisations were compromised between July 2024 and December 2025. Healthcare and professional services are the primary targets. A Queensland law firm was specifically listed on INC Ransom’s dark web leak site, with more than 400 gigabytes of data claimed to have been stolen.
INC Ransom operates a Ransomware-as-a-Service model. Affiliated criminals gain initial access through spear-phishing, exploiting unpatched systems, or purchasing stolen credentials. Once inside, they use legitimate tools to blend into normal network activity while exfiltrating data before deploying ransomware.
Double-extortion tactics mean that even after systems are restored, the threat of publishing stolen data continues. Paying the ransom does not guarantee data will not be released.
What to do next:
Enforce multi-factor authentication on all internet-facing systems: email, remote access tools, file-sharing platforms and cloud portals.
Bring your patch management current. Unpatched internet-facing systems are one of INC Ransom’s confirmed entry points.
Review and test your incident response plan now. Knowing what to isolate and who to call in the first hour significantly affects recovery outcomes.
Take a free Cyber Health Check to understand your current exposure to ransomware groups like INC Ransom.
The supply chain trap: when your most trusted tools become the threat
In March 2026, global legal intelligence provider LexisNexis confirmed a significant cloud breach that exposed sensitive data from multiple Australian law firms and federal government agencies.
A threat actor exploited an unpatched vulnerability in LexisNexis’s cloud environment. For the affected firms, the breach was entirely outside their control. Their own systems were not compromised. But the data they had shared with a trusted third-party provider was.
Group-IB’s 2026 High-Tech Crime Trends Report found 263 instances of corporate network access sold on dark web marketplaces in the past year alone. This is the raw material that enables supply chain intrusions. The report is clear: organisations must now treat vendor security posture as an extension of their own risk.
What to do next:
List every third-party tool or platform with access to your client data or business systems. Most firms find they have more vendors in this category than they initially expect.
Ask key vendors whether they hold ISO 27001 certification, conduct regular independent security testing, and have a published incident response process.
Review what data you share with each vendor and cut access to anything no longer genuinely necessary.
Speak to the Jam Cyber team about Cyber Guard and how a structured security review can identify vendor risk across your environment.
Invoice fraud is now a court matter
Australian businesses self-reported nearly $84 million in Business Email Compromise (BEC) losses during 2023-24, according to the Australian Signals Directorate’s Annual Cyber Threat Report. The majority of reports were lodged by small businesses.
BEC attacks involve a threat actor compromising or impersonating a business email account to redirect legitimate payments to a fraudulent account. Invoices are altered, bank details quietly changed, and the fraud is usually only discovered weeks later when the real supplier follows up on a missed payment.
The stakes have shifted significantly following a WA District Court ruling in Mobius Group Pty Ltd v Inoteq Pty Ltd. Legal analysis of the case makes clear that the court did not rule out that a business whose email is compromised and used to defraud others could itself face liability, if its cybersecurity was inadequate.
In that case, a threat actor compromised a contractor’s email and sent fraudulent banking details to Inoteq. Inoteq paid the fraudulent invoice and was then ordered by the court to also pay the legitimate one. It paid twice and could not recover the fraudulent payment.
What to do next:
Introduce verbal verification for any payment request involving a change of bank account details. Staff should call the supplier using a number sourced independently, not from the email or invoice itself.
Enable multi-factor authentication on all email accounts. A compromised inbox is the starting point for almost every BEC attack.
Implement DMARC, DKIM and SPF records to prevent your domain from being spoofed against your clients and suppliers. Ask your IT provider to confirm these are in place.
Train staff who handle payments to recognise spoofed email addresses, urgency-based pressure tactics, and account change requests made outside normal processes.
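The DMARC and SPF records the list above asks your IT provider to confirm are plain DNS TXT strings, and whether they actually stop spoofing depends on a handful of tags: a DMARC policy of p=none only reports, and an SPF record ending in ~all or with no all mechanism does not reject unlisted senders. The Go program below is an added example, not Jam Cyber's tooling or anything from the brief. It parses constructed sample records passed in as strings (a live check would fetch them with net.LookupTXT for _dmarc.yourdomain and for the domain itself) and grades them. DKIM is left out because its record lives under a selector name you must already know. The function names and the domain example.com.au are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one observation about a record; Severity is "ok", "warn" or "fail".
type Finding struct {
	Severity string
	Message  string
}

// ParseDMARC splits a DMARC TXT record ("v=DMARC1; p=reject; ...") into tags.
func ParseDMARC(record string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// AssessDMARC reports whether the policy tells receivers to refuse or
// quarantine mail that fails alignment, or merely to report on it.
func AssessDMARC(record string) []Finding {
	tags := ParseDMARC(record)
	var out []Finding
	if tags["v"] != "DMARC1" {
		return append(out, Finding{"fail", "not a DMARC record (missing v=DMARC1)"})
	}
	switch tags["p"] {
	case "reject":
		out = append(out, Finding{"ok", "p=reject: spoofed mail is refused"})
	case "quarantine":
		out = append(out, Finding{"warn", "p=quarantine: spoofed mail lands in spam rather than being refused"})
	case "none":
		out = append(out, Finding{"fail", "p=none: monitoring only, spoofed mail is still delivered"})
	default:
		out = append(out, Finding{"fail", "missing or invalid p= tag"})
	}
	if pct, ok := tags["pct"]; ok && pct != "100" {
		out = append(out, Finding{"warn", "pct=" + pct + ": policy applied to only part of the mail stream"})
	}
	if _, ok := tags["rua"]; !ok {
		out = append(out, Finding{"warn", "no rua= address: aggregate reports go nowhere"})
	}
	if sp, ok := tags["sp"]; ok && sp == "none" {
		out = append(out, Finding{"warn", "sp=none: subdomains can still be spoofed"})
	}
	return out
}

// AssessSPF checks the terminating "all" mechanism, which decides what
// receivers do with mail from hosts the record does not list.
func AssessSPF(record string) Finding {
	fields := strings.Fields(record)
	if len(fields) == 0 || strings.ToLower(fields[0]) != "v=spf1" {
		return Finding{"fail", "not an SPF record (missing v=spf1)"}
	}
	last := strings.ToLower(fields[len(fields)-1])
	switch last {
	case "-all":
		return Finding{"ok", "-all: unlisted senders hard-fail"}
	case "~all":
		return Finding{"warn", "~all: unlisted senders only soft-fail"}
	case "?all", "+all":
		return Finding{"fail", last + ": unlisted senders are not rejected"}
	default:
		return Finding{"fail", "no terminating all mechanism; record is effectively neutral"}
	}
}

// Worst returns the most serious severity among a set of findings.
func Worst(fs []Finding) string {
	rank := map[string]int{"ok": 0, "warn": 1, "fail": 2}
	worst := "ok"
	for _, f := range fs {
		if rank[f.Severity] > rank[worst] {
			worst = f.Severity
		}
	}
	return worst
}

func main() {
	// Constructed sample records for a hypothetical domain (example.com.au).
	samples := map[string]string{
		"weak DMARC":   "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au",
		"strong DMARC": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com.au",
	}
	for name, rec := range samples {
		fmt.Println(name, "->", Worst(AssessDMARC(rec)))
		for _, f := range AssessDMARC(rec) {
			fmt.Printf("  [%s] %s\n", f.Severity, f.Message)
		}
	}
	fmt.Println(AssessSPF("v=spf1 include:spf.protection.outlook.com -all"))
	fmt.Println(AssessSPF("v=spf1 include:spf.protection.outlook.com ~all"))
}
```

A domain graded "fail" here has records published but is not protected against spoofing; that is the gap to raise with your IT provider, since a p=none policy is a common state for a domain where DMARC was "set up" but never moved to enforcement.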
Things to Keep on the Radar
Privacy Act reform: around 100,000 Australian SMEs are about to enter the compliance frame
A little-known amendment to the Privacy Act 1988 means that from 1 July 2026, the $3 million turnover exemption will be removed for a significant number of Australian SMEs. An estimated 100,000 small businesses will come under the Act’s obligations for the first time.
A second tranche of broader reforms is also progressing. New transparency requirements for automated decision-making and a Children’s Online Privacy Code are both scheduled for December 2026.
For professional services firms, the incoming obligations include implementing technical measures to protect personal information, notifying the OAIC within 72 hours of an eligible data breach, and updating privacy policies to accurately reflect data handling practices.
What this means for your business:
If your annual turnover is approaching or above the $3 million threshold, now is the right time to review your privacy policy and incident response plan. Waiting until July will leave very little time to address gaps. A conversation with a cyber security adviser about your current practices against the incoming requirements is a practical first step.
Australia’s cyber posture is improving, and the next challenge is already in view
The February 2026 Commonwealth Cyber Security Posture Report delivered a genuinely positive headline: 92 per cent of Commonwealth entities now achieve effective compliance under the Protective Security Policy Framework.
Technology security, including cyber security, remains the area requiring the most work, with 79 per cent of entities reporting effective compliance in that specific category. The improving trend is real, but so is the distance still to travel.
The same report flagged the next significant challenge on the horizon: post-quantum cryptography. The ACSC is urging organisations to begin identifying which encryption algorithms in their current systems will need to transition as quantum computing advances. This is not an immediate operational risk for most SMEs, but early awareness is considerably less disruptive than a reactive scramble later.
What this means for your business:
The improving government posture represents a rising baseline that is flowing into the private sector through insurance requirements, procurement standards and client expectations. Businesses that align with the Essential Eight at Maturity Level 2 now will find those expectations considerably easier to meet as they become more formally embedded in regulation and commercial practice.
What’s New at Jam Cyber
Device binding is now live for Jam Cyber clients
We are pleased to share that device binding is now available for Jam Cyber clients. Device binding ties account access to a specific, verified device. Even if a threat actor obtains valid login credentials, they cannot use them from an unregistered device.
It is one of the most effective implementations of phishing-resistant authentication available to businesses today, and aligns directly with ACSC guidance on MFA uplift and identity security.
As the stories in this brief make clear, credential theft and account compromise are the entry points behind the majority of serious incidents affecting Australian professional services firms right now. Device binding closes one of the most consistently exploited gaps.
Get in touch with the Jam Cyber team to find out more.
Final Thoughts
April’s brief captures a cyber landscape moving in two directions at once. The threats are specific and documented: ransomware groups naming Australian firms publicly, supply chain breaches landing through no fault of the affected business, invoice fraud with court-enforced financial consequences, and AI tools introducing data governance risks that traditional controls were not designed to catch.
At the same time, the foundations of a more resilient environment are being laid. Mandatory device security standards are in force. Passkeys are gaining mainstream traction. And the data shows that businesses approaching security with structure and consistency are measurably better positioned than those treating it as a background concern.
The businesses that manage these challenges well treat security decisions with the same seriousness as financial and legal ones. They ask the right questions of their vendors, govern their tools rather than simply deploying them, and keep their people informed and prepared.
If you would like an objective view of where your business stands across these areas, get in touch with the Jam Cyber team to start the conversation.