Jam Cyber Monthly Cyber Brief | March 2026

5 March 2026 10 min read By Jam Cyber
March 2026 Cyber Brief

March is a good moment to take stock of two things that have quietly shifted over the past few months: the compliance baseline and the threat landscape. Australia's mandatory ransomware payment reporting regime is now in full enforcement, and the privacy regulator has launched its first-ever active compliance sweep. These are meaningful changes to the environment Australian SMEs operate in, and this edition covers what they mean in practice, what is actually required, and how to get ahead of both without overcomplicating things.

On the threat side, AI-powered voice cloning and deepfake impersonation are becoming more common in payment fraud attempts targeting Australian businesses. Attackers no longer need a compromised email account to attempt payment fraud — a short audio clip from a public video can be enough to generate a convincing imitation of someone's voice. The good news is that the most effective defence is a straightforward procedural one, not a technical overhaul. Device binding is also worth understanding this month: it is one of the most practical steps a business can take to close the most common credential-based attack path, and it is more accessible than many people assume.

What the businesses managing these challenges well tend to have in common is deliberate, documented processes and a leadership team that treats security as a business decision, not just an IT function. This month's brief covers what has changed, what is worth acting on, and what is coming further down the track.

In this edition:

  • IT & Cyber Trends We're Seeing Right Now
  • Current Cyber Threats for Australian SMEs
  • Things to Keep on the Radar
  • What's New at Jam Cyber
  • Final Thoughts

IT & Cyber Trends We're Seeing Right Now

Australia's ransomware reporting law is now in full enforcement

Ransomware reporting

Australia's mandatory ransomware payment reporting obligation commenced on 30 May 2025 under the Cyber Security Act 2024, with an initial education-first phase to help businesses understand their obligations. From 1 January 2026, that phase gave way to active compliance and enforcement. If your business turns over more than $3 million a year and a ransom is paid, whether by you or on your behalf, you have 72 hours to report it to the Australian Signals Directorate (ASD).

This law has received limited coverage in mainstream business media, and many businesses are only now becoming aware of it. The civil penalty for failing to report sits at 60 penalty units, currently $19,800, but the more useful framing is what the legislation signals about government expectations: ransomware is now a board-level compliance matter, not just an IT incident. Businesses with a documented incident response plan, tested backups, and a clear escalation path are well-placed to meet the 72-hour window comfortably. The window starts the moment you become aware of an attack, so having that plan in place before anything happens is what makes it manageable.

What to do next:

  • Confirm whether your business turnover exceeds the $3 million threshold and formally document your obligations under the Cyber Security Act 2024
  • Review or create your incident response plan so it includes a named person responsible for ASD notification and a clear 72-hour escalation path. Jam Cyber has a free incident response plan template you can download and adapt
  • Test your backup and recovery procedures before an incident occurs, so your team knows exactly what to do
  • Brief your leadership team on the reporting obligation. This is a decision that cannot sit with IT alone

Contact the Jam Cyber team if you need help building or reviewing your incident response plan.

Device binding: the straightforward control that stops the attacks making headlines

Device binding and MFA

A common thread runs through almost every major credential-based attack in the past year — from the coordinated credential stuffing attack on major Australian super funds to AI-powered phishing and business email compromise. In most cases, the attacker had a valid username and password, and standard multi-factor authentication (MFA) was either absent or bypassed using real-time phishing proxies that steal one-time codes as they are entered. This is the gap that device binding closes.

Device binding, sometimes called phishing-resistant MFA, works by tying authentication to a specific registered device. When you log in, your device proves to the service that it is the device registered for that account, and that proof is tied to the genuine site, so a fake login page or a stolen one-time code cannot replicate it. Australia's Essential Eight framework now requires phishing-resistant MFA at Maturity Levels Two and Three, and the technology is now accessible and practical for businesses of any size, through passkeys, hardware security keys such as a YubiKey, and platform authenticators built into Windows Hello and modern mobile devices. One of the most effective controls available right now is also one of the most achievable.
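To make the difference concrete, here is an added example (not code from Jam Cyber or from any authenticator vendor) that simulates both login styles. The one-time code is a plain string, so a real-time phishing proxy can forward it and the server accepts it. The device-bound login follows the WebAuthn pattern: the browser includes the origin it is actually on in the signed data, and the server rejects anything signed for the wrong origin before it even checks the signature. The origins, the user "alice", the OTP value and the use of HMAC with a per-device secret in place of a real public-key signature are all assumptions made for the example.

```python
"""Added example: why device-bound (WebAuthn-style) authentication survives a
real-time phishing proxy that a one-time code does not.

Everything here is constructed: the origins, the user "alice", the OTP value,
and the use of HMAC with a per-device secret as a stand-in for the public-key
signature a passkey or security key would really produce."""
import hashlib
import hmac
import json
import os

LEGIT_ORIGIN = "https://login.example-firm.com.au"                # constructed
PHISH_ORIGIN = "https://login.example-firm.com.au.proxy.example"  # constructed


class RegisteredDevice:
    """Stand-in for a passkey, hardware key or Windows Hello authenticator."""

    def __init__(self):
        # Assumption: a symmetric secret models the private key that never leaves the device.
        self._secret = os.urandom(32)

    def verifier_key(self):
        # Real WebAuthn registers a public key; this HMAC stand-in shares the secret instead.
        return self._secret

    def sign_assertion(self, challenge, browser_origin):
        # The browser fills in the origin it is actually on; the user cannot override it.
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True
        )
        signature = hmac.new(self._secret, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": signature}


class RelyingParty:
    """The business's login server."""

    def __init__(self, expected_origin):
        self.expected_origin = expected_origin
        self.keys = {}        # user -> verifier key
        self.challenges = {}  # user -> outstanding challenge

    def register(self, user, device):
        self.keys[user] = device.verifier_key()

    def new_challenge(self, user):
        challenge = os.urandom(16).hex()
        self.challenges[user] = challenge
        return challenge

    def verify(self, user, assertion):
        data = json.loads(assertion["client_data"])
        # Origin check first: an assertion made on a look-alike domain is rejected
        # even though the challenge and signature are otherwise valid.
        if data["origin"] != self.expected_origin:
            return False, "origin mismatch"
        if data["challenge"] != self.challenges.get(user):
            return False, "unknown or reused challenge"
        expected = hmac.new(
            self.keys[user], assertion["client_data"].encode(), hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        del self.challenges[user]  # single use
        return True, "ok"


def verify_otp(submitted, expected):
    """A one-time code is just a string; the server cannot tell who typed it where."""
    return hmac.compare_digest(submitted, expected)


def otp_relay_succeeds():
    # Victim types the genuine code into the phishing page; the proxy forwards it unchanged.
    genuine_code = "492113"  # constructed
    relayed_by_proxy = genuine_code
    return verify_otp(relayed_by_proxy, genuine_code)


def _setup():
    rp = RelyingParty(LEGIT_ORIGIN)
    device = RegisteredDevice()
    rp.register("alice", device)
    return rp, device


def legitimate_login():
    rp, device = _setup()
    challenge = rp.new_challenge("alice")
    return rp.verify("alice", device.sign_assertion(challenge, LEGIT_ORIGIN))


def device_binding_blocks_relay():
    rp, device = _setup()
    # The proxy fetches a real challenge and shows the victim a look-alike page,
    # but the victim's browser signs with the origin it is really on.
    challenge = rp.new_challenge("alice")
    relayed = device.sign_assertion(challenge, PHISH_ORIGIN)
    return rp.verify("alice", relayed)


if __name__ == "__main__":
    print("OTP relayed through proxy accepted:", otp_relay_succeeds())
    print("Device-bound login from real origin:", legitimate_login())
    print("Device-bound assertion relayed by proxy:", device_binding_blocks_relay())
```

The point to take from the simulation is that the protection does not depend on the user spotting the fake page: the origin is written into the signed data by the browser, so the only way a relayed assertion could pass is if the attacker controlled the real domain.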

What to do next:

  • Review your current MFA setup. SMS codes and push notifications are a reasonable starting point, but they can be bypassed by more sophisticated phishing attacks. Device binding removes that risk entirely
  • Prioritise device binding or passkeys for any accounts with access to financial systems, client data, or cloud administration
  • Ask your IT provider or Microsoft 365 administrator about enabling phishing-resistant MFA through Windows Hello for Business or hardware security keys. Many businesses already have the infrastructure to do this
  • Frame this as a productivity win as well as a security win: device-bound authentication is faster and reduces password reset requests

Jam Cyber can assess your current authentication setup and recommend the right approach — explore Cyber Guard for ongoing monitoring and protection.

AI voice cloning and the new face of payment fraud

AI voice cloning threat

Business email compromise has been the dominant fraud vector for years. Attackers have now added a layer that can get past standard email filters: voice cloning. Using a short audio clip sourced from a LinkedIn video, a podcast, a public Teams recording, or a conference presentation, AI tools can generate a convincing imitation of a person's voice. The attack typically begins with a plausible email and is then reinforced by a phone call from what sounds like your director, your managing partner, or your CFO, requesting an urgent payment or a change to banking details. Research from CommBank found that Australians correctly identify AI-generated content only 42% of the time, and that figure barely changes with age.

Australian accounting and law firms are specifically flagged in threat intelligence reporting as primary targets for payment redirection fraud via AI impersonation, given that they handle high-value transactions on behalf of clients and operate on relationships of trust. The reassuring part of this story is that the most effective defence is procedural rather than technical: a clear policy of verifying any request to change payment details through a contact channel that was established before the request arrived. That one process, consistently followed, is enough to stop this category of attack.

What to do next:

  • Establish a firm policy that no change to payment or banking details is ever actioned based on a phone call or email alone. All changes require verification via a separately stored contact number. Jam Cyber's Policies & Procedures service can help you put this in writing
  • Create a verbal or written safe-word system for your team to verify out-of-character requests from senior staff or known contacts
  • Update your staff awareness training to explicitly cover voice cloning and deepfake video. Most legacy training still focuses on email phishing only
  • Run a simple tabletop exercise: what would your team do right now if they received an urgent call from "you" asking for a wire transfer?

Current Cyber Threats for Australian SMEs

Ransomware incidents affecting Australian professional services firms

A number of ransomware incidents involving Australian professional services firms have been publicly reported in recent months. A Victorian accounting firm was listed as a Qilin ransomware victim with internal documents posted to the dark web. The Legal Practice Board of Western Australia confirmed a Dire Wolf ransomware attack that took its online services offline.

A major accounting firm operating across Australia and New Zealand was also affected in a separate incident, with clients warned of potential phishing attempts.

Cyble's 2025 Australia and New Zealand threat landscape report identifies Professional Services as one of the three most targeted sectors, alongside retail and financial services — largely because professional services firms hold privileged access to client environments. When an accounting firm is affected, the incident can have implications for the clients that firm manages. Law firms face a similar dynamic through client matter files, trust account access, and counterparty communications. Understanding that supply chain dimension is useful context for how to prioritise controls including least-privilege access, isolated backups, and clear staff communication about their role in the chain.

What to do next:

  • Review who in your firm has administrative access to client systems or portals, and apply the principle of least privilege so staff only have the access their role requires
  • Ensure your backups are tested, stored offsite, and isolated from your main network. Isolated backups are one of the most effective recovery options available if an incident does occur
  • Check whether your cyber insurance policy covers ransomware, what the claims process requires, and whether your current security posture meets the insurer's conditions
  • Brief your team on the supply chain dimension of these incidents so staff understand that good security practice protects your clients as well as your own business
  • A Cyber Health Check is a practical starting point for understanding where your firm sits against the controls most relevant to these types of incidents

Security patches available now for two widely used business products

Security patching

The Australian Cyber Security Centre (ACSC) has issued advisories on security vulnerabilities in two products used by many Australian businesses. The first affects WatchGuard Firebox devices, which are firewall and network security appliances common in small and mid-sized business environments. A newly disclosed vulnerability in these devices could allow an unauthorised person to access files or interfere with the device remotely. The second affects MongoDB, a database platform used in many business applications. Both advisories note that the vulnerabilities are being actively exploited and that security patches are available to fix them.

The ASD's 2024-25 Annual Cyber Threat Report found that 30% of vulnerability exploits observed in incidents were due to a failure to patch. Keeping systems patched closes the most common entry point, and a consistent patching process with a named person accountable for it is one of the most straightforward ways to stay ahead of these advisories.

What to do next:

  • If you use WatchGuard Firebox devices or MongoDB, confirm with your IT provider that the latest patches have been applied. Check the ACSC advisories page for the specific guidance
  • Ask your IT provider to confirm which network devices and software your business is running, when they were last updated, and whether any are end-of-life. Jam Cyber's Managed IT service includes patching management as a core part of what we do
  • Establish a regular patching schedule with a named person responsible for it. Critical patches should be applied promptly after release, not left to accumulate
  • Subscribe to ACSC alerts so your business receives advisories as they are published
  • For businesses that want continuous monitoring rather than periodic check-ins, Cyber Guard provides ongoing visibility across your environment
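The steps above amount to keeping an inventory, naming an owner, and applying critical patches faster than routine ones. The following added example (not Jam Cyber's tooling, and not tied to either advisory mentioned above) runs that check over a constructed inventory: assets with an open, actively exploited advisory get a tighter deadline, end-of-life assets are flagged because no patch will ever arrive, and anything without a named owner is reported. The asset names, dates, owners and the two deadline values are assumptions.

```python
"""Added example: a patch-compliance report over a constructed asset inventory.
All asset names, dates, owners and the SLA values are assumptions made for the example."""
from datetime import date

# Assumed policy: days allowed since the last update, depending on advisory status.
SLA_DAYS = {"actively_exploited": 2, "routine": 30}

INVENTORY = [  # constructed sample; "advisory" is None when no open advisory applies
    {"asset": "edge-firewall", "owner": "it-provider", "last_patched": "2026-03-04",
     "end_of_life": False, "advisory": "actively_exploited"},
    {"asset": "app-database", "owner": "dev-lead", "last_patched": "2026-02-01",
     "end_of_life": False, "advisory": "actively_exploited"},
    {"asset": "file-server", "owner": "it-provider", "last_patched": "2026-02-20",
     "end_of_life": False, "advisory": None},
    {"asset": "old-nas", "owner": None, "last_patched": "2024-06-01",
     "end_of_life": True, "advisory": None},
]


def assess(inventory, today_iso):
    """Return a list of (asset, [issues]) for every asset that needs attention."""
    today = date.fromisoformat(today_iso)
    findings = []
    for item in inventory:
        issues = []
        if item["end_of_life"]:
            issues.append("end-of-life: no patches available, plan replacement")
        if item["owner"] is None:
            issues.append("no named owner")
        age = (today - date.fromisoformat(item["last_patched"])).days
        # Actively exploited advisories get the short deadline; everything else the routine one.
        sla = SLA_DAYS["actively_exploited"] if item["advisory"] == "actively_exploited" \
            else SLA_DAYS["routine"]
        if age > sla:
            issues.append(f"patch overdue: {age} days since last update, SLA {sla} days")
        if issues:
            findings.append((item["asset"], issues))
    return findings


if __name__ == "__main__":
    for asset, issues in assess(INVENTORY, "2026-03-05"):
        print(asset)
        for issue in issues:
            print("  -", issue)
```

Run as written, the report is clean for the firewall and file server and flags the database (actively exploited advisory, last patched over a month ago) and the old NAS (end-of-life and unowned). The same structure works with an inventory exported from an RMM or asset-management tool in place of the constructed list.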

Things to Keep on the Radar

OpenClaw security incidents: a useful prompt to review your AI tool policy

OpenClaw, the open-source AI agent with over 247,000 GitHub stars, had a significant security month in February. A vulnerability dubbed "ClawJacked" was disclosed in late February, allowing a malicious website to access a locally running OpenClaw agent without user interaction. Separately, 71 malicious skills uploaded to the ClawHub marketplace were found to be delivering malware and credential-stealing software to users who had installed them. Internet scanning firm Censys identified over 21,000 OpenClaw instances publicly reachable online, a number of which were found to be exposing API keys, chat histories, and account credentials.

We covered OpenClaw last month as an emerging agentic AI consideration. The February incidents are a practical illustration of why AI tool governance matters, even for businesses that have never used OpenClaw specifically. Employees across many organisations are installing AI tools on work machines without IT visibility, and those tools often connect to email, calendars, file systems, and cloud platforms. A clear, workable AI tool policy — one that defines which tools are approved, how they should be configured, and who is responsible for keeping them updated — is a straightforward way to stay on top of this as AI adoption continues to grow.

What this means for your business: If you do not yet have a policy covering which AI tools staff are permitted to install and connect to business systems, the OpenClaw incidents are a useful prompt to create one. The goal is not to restrict innovation, but to ensure the tools employees use are visible, configured appropriately, and kept up to date. Jam Cyber's Policies & Procedures service can help you put a practical AI use policy in place.

The privacy regulator has started enforcing, and the second wave of reforms is on its way

In January 2026, the Office of the Australian Information Commissioner (OAIC) launched Australia's first-ever privacy compliance sweep, reviewing the privacy policies of approximately 60 businesses across six sectors: real estate agencies, pharmacies, licensed venues, car rental companies, car dealerships, and pawnbrokers. Entities found to be non-compliant face infringement notices and penalties of up to $66,000 per contravention under the expanded powers introduced by the Privacy and Other Legislation Amendment Act 2024. The OAIC has described this sweep as a signal of its shift from guidance to active enforcement.

Two additional obligations are approaching. From December 2026, businesses that use automated processes, including AI tools, to make decisions affecting individuals will be required to disclose this in their privacy policies. A second, more comprehensive tranche of Privacy Act reforms is also being prepared for Cabinet, with proposals including expanded obligations for businesses under the $3 million turnover threshold that have historically been exempt. Privacy compliance in Australia is evolving, with the regulator moving toward a more active oversight role and the scope of obligations gradually expanding across the economy.

What this means for your business: Now is a sensible time to review whether your privacy policy accurately reflects how you collect, use, and store personal information, particularly if you are using AI tools in client-facing workflows. Even if your business is not in one of the six sectors targeted by the January sweep, the OAIC has flagged that further sweeps are planned. Addressing any gaps now is considerably easier than responding to an enforcement notice.

What's New at Jam Cyber

This year marks a significant milestone for us: Jam Cyber turns 20. Two decades ago, when we were just getting started, "cyber security" was not a term most Australian small businesses had heard. Today it is one of the most pressing business challenges our clients face, and we are proud to still be here helping them navigate it, with the same commitment to plain-English advice, practical outcomes, and genuine care for the businesses we work with.

We will have more to share about our 20th year as we go through 2026. In the meantime, we want to say a genuine thank you to every client, partner, and team member who has been part of the journey. The trust you place in us does not go unnoticed, and it continues to drive everything we do.

If you are a new client or just exploring what we do, we would love to meet you. Get in touch here, or browse our services at jamcyber.com.

Final Thoughts

This month's brief covers a mix of things that are new, things that have shifted, and things that are coming. The ransomware reporting obligation is in full enforcement. The privacy regulator is actively sweeping. AI-powered fraud is more accessible to attackers than it was twelve months ago. None of that needs to be alarming. It is simply useful context for making good decisions about where to focus.

The businesses getting this right are not necessarily the ones with the largest security budgets. They tend to have documented processes their team actually follows, tested backups, clear ownership of security decisions at a leadership level, and a trusted partner to call when something does not look right. That combination is achievable for any professional services firm, regardless of size.

If you would like an objective view of where your business stands against current obligations and threats, we are here to help. Get in touch with the Jam Cyber team and let's start the conversation.

Stay ahead of cyber threats.

Jam Cyber monitors the threat landscape so you don't have to. None of our fully protected clients have experienced a breach since 2017.

Book a Free Strategy Session