Jam Cyber Brief
June 2025 Edition
Cyber and technology insights for Australian firms and small to medium businesses
The Jam Cyber Brief delivers focused, practical updates on cyber security and technology, tailored to the unique operating environment of Australia’s professional service firms. This brief is written with senior leaders and business owners in mind, recognising that technology risks and opportunities are business-critical—not just issues for the IT team. Our aim is to give you clear context, timely alerts, and practical guidance to help you navigate ongoing regulatory changes, evolving threats, and the new tools shaping your day-to-day operations and client service.
For June 2025, we’re seeing major momentum on privacy reforms, a new wave of clever invoice and deepfake scams, and an acceleration of AI-powered tools made with professional service workflows in mind. These trends are reshaping the way daily work, client relationships, and compliance checks get done. Here’s what matters for your teams right now, with the kind of practical focus that helps you stay ahead without needing a PhD in cyber security.
Top 3 IT Trends Shaping Professional Service Firms
1. Privacy Act Overhaul: The Shift From “Best Practice” To “Do It Now”
After a lengthy review, the Australian Government is moving forward with some of the biggest updates to the Privacy Act since the legislation was first introduced. These changes are being implemented in stages over the coming months. Notably, some reforms, such as new rights for individuals in relation to serious invasions of privacy, are currently scheduled to come into effect on 10 June 2025, while other elements, including breach notification and updated consent requirements, are expected to follow in due course as further details are formalised.
Some of the key areas of focus include:
Shorter timeframes for breach notifications
A stronger focus on how client consent is managed and documented
Expanded rights for individuals to request the deletion of their data (“right to be forgotten”)
The specifics on timing and requirements may continue to evolve. For an overview of what’s coming, you can refer to the Attorney-General’s Privacy Act Review Report or the OAIC’s 2024–25 Corporate Plan.
What this really means for professional services firms:
If you store or process client data, such as client folders, payroll spreadsheets, architectural plans, or even annotated PDFs, these reforms will affect how you collect, store, and delete personal information.
It’s about practical stuff like locking down who can access cloud folders, making sure old contracts aren’t just sitting in someone’s Outlook, and having a simple, reliable plan to notify stakeholders if something does go wrong.
Typical questions we’re hearing from firms:
“Does this apply to my small practice?” Yes. The proposed changes lower the threshold so most professional service SMBs will be in scope.
“Are email and meeting transcripts included?” If they contain client names, numbers, or private notes, then absolutely.
“Who’s responsible for this?” In many firms, office managers or practice administrators are suddenly wearing the privacy hat.
Next steps you can take today:
Map your client data: Write down where client data lives (email, SharePoint, Xero, job folders—all of it).
Test consent and deletion workflows: If a client asks for all their information gone, can you do it? Time your response.
Get ahead with templates: Review or draft those breach notice and consent templates. Even if they won’t be legally required until later this year, you’ll be well prepared.
Need help with getting started on any of the above?
2. AI in Your Everyday Tools—Big Gains and Some Quiet Risks
Whether staff are billing hours, reviewing documents, or sending draft reports, AI is showing up in everything from Microsoft 365 to specialist legal and accounting platforms. The new Copilot updates, in particular, are making it easier to tidy up client files, summarise proposals, and automate meeting notes. According to recent research from McKinsey, more than half of Australian SMB leaders say AI is already improving productivity and day-to-day efficiency across their professional teams—particularly for document handling, task management, and basic compliance workflows.
Daily impact for professional service firms:
Faster document review: Tools are now summarising 20-page contracts or technical reports for your team, highlighting key clauses or missing information—freeing up billable hours for higher-value work.
Automated time entry: Consultants told us that AI is now suggesting timesheet entries based on calendars and email activity. Handy for compliance, and it helps reduce lost revenue, but validate every entry before it goes to the client.
Drafting and responding faster: Legal and engineering teams both reported using AI tools to draft first versions of client emails, project updates, and even RFP answers.
Cautions to keep in mind:
Data location: Confirm whether the AI feature keeps your documents or emails in Australia—some default to overseas servers, which could conflict with privacy obligations.
Controls: Set rules for which folders/data types are “AI safe,” and limit early trials to non-sensitive workloads until security is clear.
Training: Coach your team: before pasting data into an AI tool, ask “If this showed up on a billboard, would it be a problem?” If so, check with IT before using the AI feature.
3. MFA Fatigue: Why Too Many Notifications Can Hurt Your Defences
We are all used to approving “Are you logging in?” prompts on our phones. But now, attackers are taking advantage by bombarding staff with MFA requests, hoping someone will get annoyed and just hit “approve.” This scam technique is referred to as MFA fatigue or MFA bombing. It has been increasing as more user credentials are leaked on the black market, making it easier for scammers to trigger real MFA notifications.
How this looks on the ground:
After a round of phishing emails, attackers try repeatedly to log in using real usernames, triggering a stream of notification prompts.
Someone working late or under pressure wants to clear the nagging pop-ups and ends up granting access.
How are leading firms responding?
Swapping to “number matching” to protect key data: Instead of just hitting “approve,” users type in a number that only matches if they’re actually logging in, making it much trickier for attackers to succeed.
Training and prompt reporting: Make sure staff know: You won’t get in trouble for flagging suspicious MFA activity—in fact, it’s encouraged. Add this to your “red flag” training.
MFA remains a strong defence, but it is no longer enough on its own. Most major attack campaigns targeting Microsoft 365 now involve session token theft, which can bypass MFA entirely. That’s why leading firms are implementing 24/7 monitoring of mailbox and file access using AI-based tools. These systems detect unusual login behaviour and data access in real time, and they are more accessible and affordable than many businesses expect. While training and strong password practices are still important, continuous monitoring is now essential.
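A simple detection for the pattern described above, written as an added example for this brief rather than anything from Jam Cyber or a specific monitoring product: it reads constructed sign-in log lines (the layout of timestamp, user, MFA result and source IP is assumed) and flags a user who receives a burst of prompts in a short window, recording whether the burst ended in an approval.

```python
"""MFA fatigue detection over sign-in logs (added example, not from the brief).

Each constructed log line is: <ISO timestamp> <user> <mfa result> <source IP>.
The field layout is assumed for illustration, not taken from any vendor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice gets five rejected prompts late at night, then
# approves one; bob's two prompts are ordinary working-hours logins.
SAMPLE_LOG = """\
2025-06-03T22:41:02Z alice@example.com.au denied 203.0.113.7
2025-06-03T22:41:19Z alice@example.com.au timeout 203.0.113.7
2025-06-03T22:41:35Z alice@example.com.au denied 203.0.113.7
2025-06-03T22:41:58Z alice@example.com.au timeout 203.0.113.7
2025-06-03T22:42:20Z alice@example.com.au denied 203.0.113.7
2025-06-03T22:42:44Z alice@example.com.au approved 203.0.113.7
2025-06-03T09:00:11Z bob@example.com.au approved 198.51.100.4
2025-06-03T13:15:40Z bob@example.com.au approved 198.51.100.4
"""

WINDOW = timedelta(minutes=10)    # sliding window per user
PROMPT_THRESHOLD = 5              # prompts inside the window that count as a burst
REJECTED = ("denied", "timeout")  # results meaning the user did not approve


def parse_log(text):
    """Parse log lines into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def find_mfa_bursts(events, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return one alert per user whose prompt count in any sliding window
    reaches the threshold. The alert covers the widest qualifying window, so
    'approved_after_burst' tells the responder whether the attacker got in."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        alert, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                alert = {
                    "user": user,
                    "prompts": len(burst),
                    "rejections": sum(1 for e in burst if e[2] in REJECTED),
                    "approved_after_burst": burst[-1][2] == "approved",
                    "window": (burst[0][0], burst[-1][0]),
                    "source_ips": sorted({e[3] for e in burst}),
                }
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

An alert with approved_after_burst set to True is the case to treat as a live compromise: revoke the user's sessions and reset credentials rather than just sending a reminder.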
What’s New: Tools that can help your business.
1. Microsoft 365 Copilot New Features
Recent updates to Microsoft 365, including Copilot integration, make it easier for teams to search, summarise, and organise documents like contracts, reports, and client files. These features can assist with spotting sensitive information (like tax file numbers) and flagging contracts that may need policy review. When combined with Microsoft Purview, compliance settings can be configured to align with Australian data protection standards, including support for “Australian records” modes.
2. AI Pilots Moving In-House
More professional service firms are now piloting their own private/internal AI projects, rather than relying solely on public, off-the-shelf AI solutions. These can include GPT-powered chatbots, custom document summarisation, or workflow automation tools, all running in a firm’s own secure environment.
Why this matters:
Greater control over sensitive client and business data: Your client and business information stays on your chosen systems, supporting both privacy obligations and Australian data residency requirements.
More relevance for your team: You can tailor AI models to your firm’s specific language, workflows, and document types—reducing irrelevant or inaccurate results.
Easier compliance: You decide which staff can access AI tools, and keep clear logs for local regulatory and auditing needs.
Tips for getting started with your own AI bot:
Engage your IT or compliance team early to confirm security, data storage, and record-keeping meet your firm’s standards.
Start with a small pilot—a defined workflow like automating meeting summaries or helping staff find policies is a practical place to begin.
Collect feedback from early users, adapt quickly, and “train” your AI on your best-practice documents. Always set limits before rolling out more widely.
Here at Jam Cyber, we use our own internal AI bot to help us deliver IT and cyber security solutions faster to our clients. Interested in setting up something similar for your firm or business?
3. NEW: Jam Cyber Knowledge Hub—A Practical Resource for Your Firm
Here at Jam Cyber, we have launched a client Knowledge Hub aimed at supporting Australian businesses with clear, jargon-free resources covering cyber security, privacy, and technology best practice.
How the Hub helps your business:
Leverage the Jam Cyber policies and procedures, or upload/add your own, ensuring every staff member can read, acknowledge, and revisit key documents as needed.
Access monthly cyber security awareness training for your team and track course completion.
Update your best practice manuals and training—covering everything from privacy through to HR, brand guidelines, and sector-specific compliance.
Easily deliver and track staff inductions, including digital sign-offs on essential topics, supporting better (and provable) onboarding.
Brand the Hub as your own, so all resources reflect your firm’s culture and requirements.
Adapt content—add, edit, or develop bespoke modules to keep training relevant and up to date as your business evolves.
Include role-specific training options to ensure your team is equipped with the skills tailored to their responsibilities.
Additionally, Jam Cyber assists with the curation of training materials, ensuring content is both effective and aligned with your firm’s needs.
Cyber Threats to Watch
1. EOFY Invoice Scams Surge
The end of the financial year always brings a rise in payment fraud, but the scams are getting more personal. Attackers are using information from real projects, LinkedIn, and even old bid documents to make fake invoices that sound legitimate.
What that looks like for teams:
Emails arrive “from” known suppliers, referencing recent projects or even team members by name.
Language is convincing. Sometimes, scammers use hijacked email threads showing real correspondence.
Payment instructions swap to a new bank account, adding pressure: “This needs to be sorted before audit.”
What to do now:
Confirm any requested payment changes—phone the supplier using details you have on file, not the ones given in the email.
Banks now have “account name checking”—use it before approving transfers.
Train teams on warning signs and escalate anything fishy to a named internal contact—make this part of your EOFY process checklist, not an optional extra.
Review incident plans: If a scam slips through, being ready with a response can minimise damage and meet OAIC/ACCC obligations quickly.
2. Deepfake Phone Scams
We’re seeing attacks where scammers use convincing AI-generated voices (think partners or directors) to trick staff into moving funds or sharing sensitive login details. These calls sound eerily genuine and are often urgent in tone. It’s worth remembering that while inbound calls can easily be spoofed to appear as though they’re coming from a trusted source, outbound calls remain far more secure—you control where they end up, making it significantly harder for criminals to manipulate them.
How to stay ahead:
Build in “dual sign-off” for big moves—never let one person move large sums based solely on a call.
Train admin and finance staff: “If you get a call that feels urgent and is out-of-the-blue, do not act on it until you verify—preferably with a secondary contact method, like a direct mobile or Slack message.”
Where possible, use caller verification or logging for sensitive requests.
3. AI-Powered Phishing
Phishing kits now use AI to create tailored, professional-looking scam messages that closely match actual ATO, APRA, or client email formats. Some even include real details scraped from your website or industry directories. Additionally, new phishing methods can steal session tokens, rendering MFA ineffective, which makes implementing SOC24 monitoring critical to catch and respond to these threats in real time.
How to protect your business:
Regular phishing awareness training with real examples.
Use upgraded email filtering tools that spot both unusual content and strange sender behaviour.
Set up “Report phishing” buttons in Outlook or Gmail—make it easy for anyone to flag suspicious stuff.
Ask your IT partner to check DMARC, SPF, and DKIM are set up for your domains (this stops your firm’s identity being spoofed).
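As an added example (not from the brief or any vendor tool), the check in that last point can be applied to the SPF and DMARC TXT records your IT partner pulls from DNS: the functions below flag the settings that leave a domain easy to spoof, using constructed record strings with a placeholder include host. DKIM is left out because checking it needs the selector name used by your mail provider.

```python
"""SPF/DMARC record review (added example, not from the brief or a vendor tool).

Takes the TXT record strings pulled from DNS for your domain and for
_dmarc.<domain>, and lists settings that leave the domain easy to spoof.
The records below are constructed; no DNS lookups are made.
"""


def check_spf(record):
    """Findings for an SPF TXT record; an empty list means nothing to fix."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    last = record.split()[-1]
    if last in ("all", "+all"):
        return ["SPF ends in +all: any server may send as this domain"]
    if last == "?all":
        return ["SPF ends in ?all (neutral): receivers gain nothing from it"]
    if last == "~all":
        return ["SPF ends in ~all (softfail): move to -all once every sender is listed"]
    if last != "-all":
        return ["SPF has no terminating 'all' mechanism"]
    return []


def check_dmarc(record):
    """Findings for a DMARC TXT record; an empty list means nothing to fix."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record published"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC has no valid p= policy")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: aggregate reports are not collected")
    return findings


def assess(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return check_spf(records.get("spf")) + check_dmarc(records.get("dmarc"))


# Constructed records: the weak pair beside the hardened pair.
# The include: host is a placeholder, not a real mail provider.
WEAK = {"spf": "v=spf1 include:_spf.mailprovider.example ~all",
        "dmarc": "v=DMARC1; p=none; pct=50"}
HARDENED = {"spf": "v=spf1 include:_spf.mailprovider.example -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au"}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess(recs) or ["no findings"])
```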
Let’s Talk About Your Business
With so much happening across cyber security and technology, it’s important to focus on what’s genuinely relevant to your business.
That’s what we do at Jam Cyber—providing clear, practical guidance to help you make informed decisions and manage day-to-day risks with confidence.
If you have questions about any of this month’s updates or would like to discuss a specific challenge your business is facing, please get in touch with the Jam Cyber team.
Stay safe, stay informed, and we’ll return next month with more sector-focused insights.