116 Gawler Place, Adelaide SA 5000 1800 818 875

Cyber Brief June 2026

Jam Cyber Brief

July 2026 Edition

July marks the start of a new financial year, and for most Australian businesses it is the most natural moment of the year to take stock. The technology landscape is shifting quickly, the compliance calendar has moved forward, and the threat environment has its own seasonal rhythms worth knowing about.

There is good news across all three. Australian SMEs using AI are growing at nearly three times the rate of those that are not, the government's cyber security framework is being redesigned to be more accessible for smaller organisations, and the steps that make the most difference in this period are practical ones, not expensive ones.

This edition suggests what is worth acting on now, what is worth watching through the rest of the year, and what the Jam Cyber team is offering Australian businesses this month.

IT & cyber trends we are seeing right now

The technology opportunity for Australian SMEs, the case for a mid-year software review, and good news on the cyber security framework

Australian SMEs using AI are growing 2.8 times faster than those that are not

Two-thirds of Australian small businesses are already using AI in some form. The businesses seeing the clearest results are the ones that have matched the right tools to specific workflows rather than adopting broadly and hoping for returns.

MYOB's analysis across hundreds of thousands of Australian SMEs found that businesses actively using AI are growing 2.8 times faster than those that are not. Among AI users surveyed, 54% reported time savings and 34% reported productivity improvements.

Deloitte's research into more than 1,000 Australian small and medium businesses identifies what separates the businesses getting results from those still experimenting: the right systems, data infrastructure, and employee capability working together. The businesses ahead of the curve tend to focus on a small number of high-value workflows rather than deploying broadly.

What to do next

  • Identify one or two workflows in your business where technology could save meaningful time, and explore those specifically.
  • Ask your IT or technology adviser what tools your competitors in professional services are getting genuine value from right now.
  • Consider whether your current technology investments are matched to how your team actually works, rather than how you expected them to work when you signed up.

The start of the financial year is a good moment to review what your business is paying for

Research from Zylo's 2026 SaaS Management Index found that organisations on average leave 36% of their software licences unused. For many businesses, the new financial year is the first time in 12 months anyone has looked at the full list.

Organisations on average hold 305 software applications in their portfolio and spend a median of $9,455 per employee annually on software tools. Thirty-six percent of those licences go unused, a figure that compounds year on year as software-as-a-service (SaaS) pricing continues to rise well above general inflation.

There is a security dimension here too. Applications that are active but no longer monitored can represent access points that fall outside routine IT oversight, particularly if former staff accounts have not been fully deprovisioned. A technology audit is both a cost exercise and a housekeeping one.

What to do next

  • Ask your IT provider for a full list of active software subscriptions alongside usage data.
  • Consolidate or cancel tools that duplicate a function already covered elsewhere in your stack.
  • Confirm that deprovisioning procedures are in place for departing staff, so access is removed across all platforms at the point of departure.
  • Flag any tools that were set up by individual staff members rather than through a central IT process.

Australia's cyber security baseline is being redesigned to work better for smaller businesses

The Australian Signals Directorate launched consultation on June 15 on a new "Essentials for Enterprise IT" framework that evolves the Essential Eight. The new approach is explicitly more flexible and cost-conscious, and businesses with existing Essential Eight investments will find their work maps directly across. Consultation closes July 12.

The Australian Signals Directorate (ASD) opened consultation on evolving the Essential Eight cyber security framework on June 15. The proposed Essentials series introduces a new first chapter covering enterprise IT, designed to give organisations greater flexibility in how they implement cyber security while still providing a clear path to resilience.

ASD has been explicit that existing Essential Eight investments remain relevant and will map into the new framework. The new guidance is described as cost-conscious and designed to accommodate the technology environments most smaller businesses already use, including cloud tools and modern software platforms.

What to do next

  • Read the ASD's consultation announcement to understand what is changing.
  • If your business has started Essential Eight work, ask your IT provider to confirm your progress will carry across to the new framework.
  • If your business has not started, ask your IT provider to walk you through what Maturity Level 1 looks like for your specific environment under the new guidance.

Current cyber threats for Australian SMEs

Tax time scam activity, a critical ACSC advisory on Fortinet hardware, and a ransomware group with Australian professional services firms in its victim list

Tax time brings a predictable spike in ATO impersonation scams: here is what is circulating now

Scamwatch and the ATO issued a joint warning on June 26, 2026. Last July, the ATO received 7,500 impersonation scam reports in a single month. Reports in May 2026 were already running 11% above April.

  • 7,500 ATO impersonation scam reports in July last year (ATO scam data)
  • 1,386 reports in May 2026, up 11% from April (ATO scam data)
  • $0: the cost of checking whether an ATO message is genuine before acting on it

The new financial year is consistently the highest-risk period for scammers impersonating the Australian Taxation Office (ATO). With BAS lodgements, payroll obligations, and tax returns all active simultaneously, staff are more likely to be expecting ATO-related communications and more likely to act quickly when one arrives.

The Scamwatch and ATO joint warning from June 26 confirms myGov login-link scams are active right now. The ATO's own scam alerts page also documents fake DocuSign notices that claim a tax refund is pending signature, a variant circulating ahead of this tax season. The ATO does not send unsolicited emails or SMS messages with links to login pages for its online services.

What to do next

  • Let your team know before July is out: the ATO never sends unsolicited links to login pages via email or SMS.
  • Direct staff to access myGov only through the official website or app, not via any link in a message.
  • Report suspicious ATO-related messages at ato.gov.au or by calling the ATO on 1800 008 540.
  • Enable multi-factor authentication (MFA) on myGovID and all ATO-linked business accounts.

FortiBleed: the ACSC has issued a critical advisory for businesses using Fortinet firewalls or VPNs

Login credentials for tens of thousands of Fortinet firewall and VPN devices across 194 countries were harvested by attackers in a campaign relevant to any Australian business using Fortinet hardware. The ACSC first published an advisory on June 18, updating it on June 22. If your business uses Fortinet hardware, your IT provider needs to act on this.

The campaign, referred to in security reporting as FortiBleed, involved attackers extracting and cracking credentials from Fortinet FortiGate firewalls and SSL virtual private network (SSL VPN) gateways. The ACSC advisory recommends three immediate steps: rotate all admin and VPN credentials, ensure devices are patched to current firmware, and restrict management interfaces from internet access.

Fortinet's FortiGate product is widely deployed at the small and medium business level because it delivers capable perimeter security at an accessible price point. If your business runs a dedicated firewall appliance or staff connect remotely via VPN, it is worth confirming with your IT provider whether Fortinet hardware is involved.

What to do next

  • Ask your IT provider whether your business uses Fortinet hardware for its firewall or VPN access.
  • Confirm all Fortinet admin and VPN credentials have been rotated since June 22, 2026.
  • Verify the firmware on any Fortinet devices is current.
  • Read the full ACSC FortiBleed advisory or call the ACSC hotline on 1300 CYBER1 (1300 292 371).
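As an added illustration of the third ACSC step (restricting management interfaces from the internet), and not code from the ACSC advisory or from Fortinet, here is a small Python check over a constructed FortiOS-style "config system interface" excerpt. It flags WAN-role interfaces that still permit administrative services and shows the corrected allowaccess line; the excerpt, the service list and the config format are assumptions based on FortiOS CLI conventions.

```python
import re

# Constructed excerpt in the style of a FortiOS interface export (an assumption
# for illustration only, not a real device's configuration).
WEAK_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
"""

# Services that expose device administration when reachable from the internet.
MGMT_SERVICES = {"https", "http", "ssh", "telnet", "snmp", "fgfm"}

def parse_interfaces(config_text):
    """Return {name: {"role": str, "allowaccess": set}} from the interface stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            interfaces[current] = {"role": "", "allowaccess": set()}
        elif current and line.startswith("set role "):
            interfaces[current]["role"] = line.split(maxsplit=2)[2]
        elif current and line.startswith("set allowaccess "):
            interfaces[current]["allowaccess"] = set(line.split()[2:])
        elif line == "next":
            current = None
    return interfaces

def exposed_management(config_text):
    """Names of WAN-role interfaces that still allow management services."""
    return sorted(name for name, iface in parse_interfaces(config_text).items()
                  if iface["role"] == "wan" and iface["allowaccess"] & MGMT_SERVICES)

def corrected_allowaccess(config_text):
    """For each exposed WAN interface, the allowaccess line with admin services removed."""
    ifaces = parse_interfaces(config_text)
    fixed = {}
    for name in exposed_management(config_text):
        keep = sorted(ifaces[name]["allowaccess"] - MGMT_SERVICES)
        fixed[name] = "set allowaccess " + " ".join(keep) if keep else "unset allowaccess"
    return fixed

if __name__ == "__main__":
    for name, line in corrected_allowaccess(WEAK_CONFIG).items():
        print(f'{name}: replace with "{line}"')  # prints: wan1: replace with "set allowaccess ping"
```

Management access should instead be limited to a trusted internal interface or an out-of-band path, which this check deliberately leaves untouched.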

Qilin: an active ransomware group with Australian professional services firms among its claimed victims

Qilin is currently the most active ransomware operation in the world, averaging 100 victim listings globally every month. Australian accounting firms, financial services businesses, and legal practices have featured consistently in its 2026 victim list.

Qilin operates as a ransomware-as-a-service group, providing attack infrastructure to affiliates who choose their own targets. Professional services firms hold high-value client data including financial records, tax information, and superannuation details, making them attractive targets.

Qilin's pattern is to exfiltrate data before encrypting systems, then publish it publicly if a ransom is not paid. A response plan needs to account for both system recovery and data exposure.

The ACSC's ransomware guidance is clear on the question of payment: there is no guarantee it restores access or prevents data being sold or leaked regardless of whether demands are met.

What to do next

  • Confirm your business has tested, working backups stored separately from your main systems.
  • Restrict access to sensitive client files to staff who actively need them for their current role.
  • Ask your IT provider whether endpoint detection and response (EDR) is in place to identify unusual access patterns early.
  • Download the ACSC Ransomware Playbook and confirm your business has a written response plan.

Things to keep on the radar

Two Privacy Act changes arriving before the end of the year, and an update to what the OAIC considers personal information

Using AI tools to assist with client decisions? A new disclosure obligation arrives in December 2026.

From December 10, 2026, APP entities and other organisations covered by the Privacy Act that use automated systems or AI tools to make decisions that could significantly affect an individual's rights or interests will need to disclose this in their privacy policy.

The obligation was introduced by the Privacy and Other Legislation Amendment Act 2024. It requires organisations to include specific information in their privacy policy about the kinds of personal information used in automated decision-making, and the kinds of decisions those processes produce.

The OAIC's updated APP 1 guidance confirms it applies to decisions made from December 10 regardless of when the relevant tool was first deployed. Generative AI tools, chatbots, automated intake forms, AI-assisted pricing systems, and scheduling tools may all fall within scope depending on how they are used.

What this means for your business

Organisations covered by the Privacy Act that use AI or automated tools to assist with client decisions, applications, pricing, or eligibility assessments will need to review their privacy policy before December 10. The practical starting point is to map which tools contribute to decisions that could significantly affect a client's rights or interests, then speak with your solicitor or privacy adviser well ahead of the deadline. The OAIC's full guidance is available at oaic.gov.au.

The OAIC has updated its guidance on what counts as personal information

Updated OAIC guidance published in May 2026 confirms that tracking pixels, IP addresses, and digital identifiers can be personal information under the Privacy Act. Most modern websites collect at least some of this data, and the guidance is worth checking against your current privacy policy.

The OAIC's updated APP 3 guidance now includes specific examples covering AI tools, tracking pixels, facial recognition technology, and data scraping. The guidance confirms that information does not need to directly identify an individual to be personal information: the test is whether the individual is "reasonably identifiable" from the data, including through cross-referencing with other data held by a third-party platform.

Tools like Google Analytics, Meta Pixel, and similar website analytics and advertising platforms can collect information that may be personal information where an individual is reasonably identifiable, particularly when that data is combined with information held by third-party platforms. This is not new liability so much as a clearer statement of what has always been the intent of the law, supported now by specific worked examples.

What this means for your business

If your website uses analytics, advertising, or tracking tools, it is worth confirming that your privacy policy accurately describes what is collected, why, and which third-party platforms receive it. A review of data processing agreements with those platforms is also worthwhile. The OAIC's guidance on tracking pixels and updated APP 3 guidance provide practical worked examples relevant to any business with a website.

More from Jam Cyber...

Does your business need a tech audit? Find out what your business is running and what it is spending

Most growing businesses accumulate software over time, often faster than anyone is keeping track. Staff sign up for platforms independently, subscriptions purchased for one project stay active, and what one team uses often overlaps with something another team is already paying for.

None of this is unusual. The Jam Cyber team conducts technology audits for Australian businesses, mapping every active subscription, identifying what is genuinely in use, flagging tools that duplicate each other, and surfacing anything that represents an unmonitored security risk.

  • Full visibility: a complete picture of your active subscriptions, including tools that were set up outside the usual IT process.
  • Cost review: a clear view of what is being used versus what is being paid for, with specific consolidation recommendations.
  • Security housekeeping: identification of any inactive tools still holding open access, and any accounts tied to staff who have since left.
  • A clear next step: a prioritised action list, not a long report.

Research from Zylo's 2026 SaaS Management Index found organisations on average leave 36% of software licences unused. For a professional services firm spending $30,000 a year on technology, recovering even a portion of that figure is meaningful.

The Jam Cyber team works with accounting firms, law practices, consulting businesses, and other professional services organisations across Australia. The audit comes with no commitment and no hard sell.

Book your tech audit →

Final thoughts

July is a good time for clear thinking. The financial year has reset, the compliance calendar has moved forward, and the tools and threats worth paying attention to are well-defined.

The businesses that manage this period well are rarely the ones doing the most. They are the ones making deliberate decisions: about what technology to invest in, what to put down, and what risks are worth addressing now rather than later.

Ready to take the next step?

Let's talk about where your business stands

No jargon, no hard sell. Just a clear, honest picture of your cyber security and IT, and what to do about it.

  • More than 20 years protecting Australian businesses
  • Not a single fully protected client has been breached since 2017
  • Client relationships averaging over 10 years