Jam Cyber Monthly Cyber Brief | February 2026

This month, we're seeing businesses feeling the weight of the "AI balancing act". AI tools are becoming more powerful and accessible, yet adoption is racing ahead of governance across most sectors. At the same time, cyber threats continue to evolve, not just through direct attacks, but through vulnerabilities introduced when businesses offshore functions without adequate security oversight.

We're also seeing positive momentum. The government has released targeted guidance for small businesses on managing AI risks. There's growing adoption of ISO 27001 certification as firms look to demonstrate robust security controls. And the push toward making Australia the most cyber-secure nation by 2030 is translating into tangible resources and support for SMEs.

What's becoming clear is that the firms managing these challenges successfully are treating security as a strategic business priority, not just an IT function.

IT & Cyber Trends We're Seeing Right Now

AI Adoption Is Outpacing AI Governance

Recent research from Agile Market Intelligence shows that 77% of Australian law firms are using AI tools, but only 52% have clear policies governing what their teams can and cannot use.

This gap presents real risk. Without formal policies, staff may upload sensitive client information to public AI platforms, share confidential documents with unapproved tools, or inadvertently expose privileged communications.

The reality is clear: AI implementation is moving faster than AI governance. Firms operating without formal AI usage policies are in a regulatory grey zone that could expose them to professional liability, privacy breaches, and damaged client trust.

What to do next:

• Develop a written AI policy that defines approved tools, permitted data sharing, and review processes for AI-generated content
• Train staff on the policy and ensure acknowledgment during onboarding
• Review client engagement terms to confirm they address AI use where relevant
• Conduct regular audits of which AI tools are being used across the business

If your firm hasn't established an AI policy yet, now is the time to act. Jam Cyber has a free AI Policy example — contact our team today to get yours.

Clawdbot (Now OpenClaw): What It Is and Why to Be Cautious

Clawdbot, recently renamed OpenClaw following a trademark dispute, has become one of the most discussed AI tools in recent months. Positioned as a "digital Chief of Staff," it's an open-source AI assistant capable of managing emails, booking meetings, screening calls, and handling various automated tasks.

What distinguishes OpenClaw is its agentic nature. Rather than simply responding to queries, it actively monitors data, anticipates user needs, and executes multi-step workflows autonomously. It integrates with messaging platforms like WhatsApp and Telegram and is designed to run on self-hosted hardware.

The appeal is clear. However, the risks are substantial.

Security researchers have identified serious vulnerabilities. Hundreds of instances were found exposed to the public internet with no authentication protecting API keys, conversation histories, OAuth credentials, and months of private messages. In documented cases, attackers could execute arbitrary commands with full system privileges.

The project has also been affected by crypto scams and account hijacking during its rebrand, raising concerns about data exposure and unpredictable agent behaviour.

What this means for your business: OpenClaw represents an emerging class of AI tool that is powerful and potentially transformative. However, it currently carries significant risk. For professional services firms handling confidential client information, the risks outweigh the benefits at this stage. We strongly recommend avoiding self-hosted, open-source AI agents unless your firm has dedicated cybersecurity resources and a comprehensive risk management framework in place.

Read our full analysis: OpenClaw and Australian Professional Services: The Risks You Need to Know.

The Rise of the Intelligent Assistant

While tools like OpenClaw push the boundaries of autonomous AI, mainstream AI assistants are becoming substantially more capable and embedded in everyday business operations.

According to industry analysis, 2026 marks a shift from individual AI productivity tools to team and workflow orchestration. AI is no longer limited to helping individuals draft emails. It's coordinating entire workflows, connecting data across departments, and moving projects from concept to execution.

Gartner predicts that 40% of enterprise applications will integrate task-specific AI agents by year end, up from less than 5% in 2025.

For Australian SMEs, this trend is already visible:

• Microsoft 365 Copilot is now pinned by default in Teams
• Google Gemini offers real-time data access across Workspace applications
• AI-powered scheduling, email triage, and meeting summaries are becoming standard features

Businesses implementing these tools strategically are seeing measurable time savings, often 10 to 12 hours per week per person.

What this means for your business: The question is no longer whether to adopt AI, but how to implement it securely and strategically. Start by identifying high-volume, lower-risk tasks that could benefit from automation. Introduce AI tools gradually, with clear policies, structured training, and appropriate oversight.

Current Cyber Threats for Australian SMEs

Offshoring: An Increasing Cyber Risk for Australian Businesses

Recently, ASIC released a review that found significant governance gaps in how Australian businesses manage offshore service providers. The review examined financial services firms but the findings apply to any professional services business using offshore resources.

The key finding? Many firms lack proper risk management frameworks for offshore arrangements. ASIC Commissioner Alan Kirkland noted that "cyber-attacks are more prevalent and growing in sophistication," with offshore arrangements creating additional exposure through:

• Loss of direct control over sensitive data and who can access it
• Increased attack surface when offshore environments aren't adequately secured
• Conflicting data protection obligations under foreign laws
• Operational disruptions when offshore providers experience security incidents

What your business can do:

• Establish a risk management framework specifically for offshore providers
• Implement incident response protocols that include your offshore partners
• Regularly test disaster recovery arrangements

The bottom line: offshoring requires heightened cyber security measures. If you're employing an offshore workforce, contact our experts to ensure your systems are keeping everyone safe.

New Government Guidance: Managing AI Cyber Security Risks for Small Businesses

In January, the ACSC released guidance on managing cybersecurity risks when adopting AI, developed in collaboration with New Zealand's NCSC and the Council of Small Business Organisations Australia (COSBOA).

The guidance focuses specifically on the risks small businesses face when using cloud-based AI tools like ChatGPT, Google Gemini, Claude, and Microsoft Copilot. It highlights three key risk areas:

• Data leaks and privacy breaches: Some AI providers may use customer-submitted data to train or refine their models, depending on configuration settings. The guidance cites a real 2025 incident where a contractor uploaded personal information including names, contact details, and health records to an AI system, resulting in a notifiable data breach.
• Unreliable AI outputs: The guidance references a case where a lawyer used AI to prepare a court document, but it generated false legal cases. The lawyer failed to verify the output before submission and was subsequently barred from practice.
• Third-party AI provider risks: Due to limited resources and technical expertise, small businesses may lack strong data governance frameworks, making them vulnerable to accidental data leaks, unauthorised access, and potential misuse of data by third-party providers.

What you should do next:

• Review the ACSC guidance and share it with your team
• Review the data handling and privacy policies of any AI tools you use
• Establish an internal AI use policy defining what data cannot be uploaded to AI platforms
• Train staff on responsible AI use, especially regarding sensitive and proprietary information
• Verify AI outputs before relying on them for critical decisions

Things to Keep on the Radar

Rising Demand for Security Certifications

More businesses are finding that security certifications like ISO 27001 and SOC 2 are becoming essential, not optional.

Clients and customers are increasingly wary of working with suppliers who can't demonstrate proper security controls. What was once a nice-to-have for winning enterprise contracts is now becoming a baseline expectation across the board.

We're seeing this shift across professional services:

• Clients including security certification requirements in RFPs and tender processes
• Insurance providers offering better premiums for certified businesses
• Large organisations conducting more rigorous vendor security assessments
• Procurement teams requiring evidence of formal security frameworks before onboarding new suppliers

Businesses that can demonstrate certified security controls will have a competitive advantage. Those that can't may find themselves excluded from opportunities.

If security certification is on your radar for 2026, now is the time to start planning. The process typically takes 6–12 months from initial gap analysis to certification, so early preparation matters.

What's New at Jam Cyber

Based on increasing demand, we're actively supporting Australian professional services firms through the ISO 27001, SOC 2, and DOC2 certification process.

We handle the gap analysis, policy development, implementation, and audit readiness — so you can focus on running your business while we get you certified.

If you're planning to pursue certification in 2026, get in touch early. Lead times are growing as demand increases.

Final Thoughts

February 2026 demonstrates a pattern we've been observing: technology is advancing faster than governance frameworks, and risk is evolving faster than organisational awareness.

AI tools continue to increase in capability. Offshore providers offer cost savings that are difficult to ignore. Cyber threats are becoming more sophisticated and convincing.

The question for SMEs becomes about how to engage with the new tools in a manner that is secure, compliant, and aligned with obligations to clients and stakeholders.

The firms that will succeed are those treating cyber security and governance as core business priorities rather than IT issues. They establish clear policies before adopting new technologies. They assess third-party risk before offshoring critical functions. They ensure their teams can recognise threats and respond appropriately.

If you want an objective assessment of where your business stands, or if you're considering new technology but uncertain how to implement it securely, Jam Cyber can help. Contact our team today.