Jam Cyber Monthly Cyber Brief | April 2026

7 April 2026 | By Jam Cyber

This month's stories share a common thread: the consequences of adopting and deploying technology without governing it are becoming specific, documented, and in some cases legally enforced.

A trusted research platform used by Australian legal firms was breached, and the data damage flowed downstream to those firms through no fault of their own. Courts are now confirming that business email compromise is a liability question, with consequences that can see a business pay the same invoice twice.

In this edition:

  • IT & Cyber Trends We're Seeing Right Now
  • Current Cyber Threats for Australian SMEs
  • Things to Keep on the Radar
  • What's New at Jam Cyber
  • Final Thoughts

IT & Cyber Trends We're Seeing Right Now

The password is dying: passkeys are going mainstream in Australia

The shift away from passwords is no longer a future-tense conversation. Australia's myGov platform saw 170,000 passkey enrolments within weeks of launch. National Australia Bank has publicly described passwords as problematic and on the way out, with its digital subsidiary ubank already extending passkey capabilities to customers.

Passkeys use biometrics or a device PIN instead of passwords, relying on cryptographic keys rather than shared secrets, meaning there is no shared secret that can be phished, stolen, or leaked.

Australia's new mandatory smart device security rules are now in force

On 4 March 2026, the Cyber Security (Security Standards for Smart Devices) Rules 2025 came into effect under the Cyber Security Act 2024. The rules introduce three baseline requirements: unique passwords for each device, published vulnerability disclosure processes, and disclosure of security update timelines.

Copilot read your confidential emails for weeks

In late January 2026, a confirmed software bug in Microsoft 365 Copilot allowed the AI assistant to read and summarize emails marked as confidential. The bug bypassed Data Loss Prevention policies and sensitivity labels. Emails in Sent Items and Drafts folders were affected, including legal memos, business agreements, and protected health information.

Current Cyber Threats for Australian SMEs

INC Ransom is here: ACSC names a direct threat to Australian professional services

On 6 March 2026, the ACSC published a joint advisory about the ransomware group INC Ransom. At least 11 Australian organisations were compromised between July 2024 and December 2025, with healthcare and professional services as primary targets. A Queensland law firm was specifically listed on INC Ransom's dark web leak site, with over 400 gigabytes of data claimed stolen.

INC Ransom operates a Ransomware-as-a-Service model, using spear-phishing, unpatched systems, or stolen credentials for initial access. Its double-extortion tactics mean that paying the ransom doesn't guarantee the stolen data won't be released.

The supply chain trap: when your most trusted tools become the threat

In March 2026, global legal intelligence provider LexisNexis confirmed a significant cloud breach exposing sensitive data from multiple Australian law firms and federal government agencies. A threat actor exploited an unpatched vulnerability in LexisNexis's cloud environment.

Invoice fraud is now a court matter

Australian businesses self-reported nearly $84 million in Business Email Compromise losses during 2023–24. A WA District Court ruling in Mobius Group Pty Ltd v Inoteq Pty Ltd clarified that businesses whose emails are compromised could face liability if cybersecurity was inadequate. In that case, a threat actor compromised a contractor's email and sent fraudulent banking details to Inoteq, which paid twice.

Things to Keep on the Radar

Privacy Act reform: around 100,000 Australian SMEs are about to enter the compliance frame

From 1 July 2026, the $3 million turnover exemption will be removed for numerous Australian SMEs. An estimated 100,000 small businesses will come under Privacy Act obligations for the first time.

Australia's cyber posture is improving, and the next challenge is already in view

The February 2026 Commonwealth Cyber Security Posture Report showed that 92 per cent of Commonwealth entities now achieve effective compliance under the Protective Security Policy Framework. The report flagged post-quantum cryptography as the next significant challenge.

What's New at Jam Cyber

Device binding is now live for Jam Cyber clients

Device binding ties account access to a specific, verified device. Even if a threat actor obtains valid login credentials, they cannot use them from an unregistered device. This aligns directly with ACSC guidance on multi-factor authentication uplift and identity security.

Final Thoughts

The cyber landscape moves in two directions simultaneously. Threats are specific and documented, while foundations of a more resilient environment are being laid through mandatory device security standards and mainstream passkey adoption. Businesses managing these challenges well treat security decisions with the same seriousness as financial and legal ones.
