November Cyber Brief

3 November 2025, by jamcyber

Jam Cyber Brief

November 2025 Edition

This month’s cyber brief focuses on human risk and shared responsibility. Cyber security technology is now a given, which means the real focus must be on people, culture and leadership.

As AI-driven scams grow more sophisticated and cloud responsibilities evolve, the weakest link is often human behaviour, not hardware. At the same time, new compliance standards mean business owners and directors are increasingly being held accountable for protecting sensitive data and client information.

From phishing scams and cloud responsibility to compliance updates and free awareness tools, here’s what’s shaping the cyber landscape right now.


Top Cyber Trends We’re Seeing This Month

1. Phishing, Vishing, Quishing and Smishing

Phishing is still one of the most common threats to Australian businesses. As security systems strengthen, hackers are increasingly targeting people instead of software. Social engineering has become one of their main tools, using deception to trick staff into revealing credentials or granting access.

The hacker group Scattered Spider has breached companies like Allianz and Qantas by posing as employees and IT staff. These scams exploit human trust, not technical flaws.

Unfortunately, AI has made things worse. Phishing-as-a-Service kits now include session token theft, letting attackers hijack accounts even with MFA. AI tools also create realistic emails, calls and messages that sound authentic.

Once one company is breached, phishing forward often follows. Attackers contact clients and suppliers using the compromised account, spreading the attack rapidly. These campaigns can now escalate within minutes.

To counter this, Microsoft 365 now recommends device binding, which links logins to verified devices. It’s currently the only reliable way to stop stolen tokens from being reused and keep access genuinely secure. If your business hasn’t enabled device binding yet, we can help you set it up safely and quickly.

What to watch out for:
  • Phishing: fake emails imitating trusted senders.
  • Vishing: phone calls/messages pretending to be support staff.
  • Quishing: QR codes that lead to malicious sites.
  • Smishing: scam text messages or links sent by SMS.

How to protect your team:
  1. Run short, practical phishing simulations to help staff spot real threats.
  2. Encourage everyone to confirm unusual requests using trusted contact details.
  3. Remind your team to pause before acting on anything urgent or emotional.
  4. Implement monthly cyber security awareness training for your team.

2. Technology Fatigue is Rising

Across Australia, we’re seeing business owners and employees reporting technology fatigue. The constant stream of new tools, software updates and communication platforms is leaving people drained and distracted. Professionals are finding it harder to switch off, with many saying technology is now creating more stress than it solves.

The latest ALPMA study of nearly 200 law firms shows this clearly. For the first time in three years, the share of firms who say technology improves work-life balance has fallen to 53%, down from 66% in 2024.

The impact isn’t limited to legal and professional services. A national survey found almost three million Australians are considering quitting their jobs due to burnout, with one in five struggling to switch off because of technology.

Burnout not only reduces productivity, but it can also be a security risk. Fatigue increases human error, which is often the entry point for cyber breaches.

How to support your team:
  1. Talk about the pressure: Ask your team what tools cause the most friction or confusion.
  2. Create digital boundaries: Encourage “phones down” or no-email times after hours.
  3. Separate work and personal tech: Remove business apps and email from personal devices.
  4. Audit your tools: Review whether each platform adds value or just adds noise.

Taking small steps to reduce fatigue can strengthen focus, improve morale and reduce the risk of costly mistakes.

3. Cloud Responsibility Back on Businesses

The ACSC recently issued new guidance for small, medium and large businesses, reminding them that while providers like Microsoft Azure, AWS and Google Cloud secure their platforms, you are still responsible for your own data and access.

Cloud computing remains one of the best tools for flexibility and cost efficiency. However, it is also important for business owners to understand their shared responsibility.

This shift matters because many cloud vendors are moving away from taking direct responsibility for customer data breaches. Their role stops at infrastructure security – they can’t protect you from weak passwords, misconfigured systems or missing policies. Yet many SMBs still assume their data is automatically covered once it’s in the cloud.

In 2025, the most common cloud security incidents were caused not by platform flaws, but by human and process gaps. Misunderstandings around who secures what continue to lead to costly breaches.

The key message from the ACSC is simple: you can’t outsource risk.

Practical steps for businesses:
  1. Understand your provider’s policy. Know what they cover and where your responsibility begins.
  2. Implement strong access controls. Use multi-factor authentication and review permissions regularly.
  3. Protect your data. Back up sensitive information and encrypt it where possible.
  4. Set clear policies. Define how cloud data is managed, who has access and how often reviews occur.

Cloud adoption is here to stay, but awareness must grow with it. Businesses that take an active role in securing their cloud environments are far less likely to face disruption or data loss.

Read more here: Cloud shared responsibility model: Guidance for individuals and small and medium businesses


What’s New & Emerging This Month in Cyber

Legacy Systems = End of the Line

Outdated IT systems are now a major risk for small and medium businesses. Microsoft ended support for Windows 10 in October 2025, leaving many companies without critical updates. Systems that no longer receive patches are easy targets for attackers.

Many businesses still rely on old programs linked to active networks, creating weak spots that hackers can exploit in minutes. Recent ransomware cases show that unpatched systems remain one of the fastest paths to compromise.

Insurers are also taking note, with many now asking for proof that software is regularly updated before approving policies. The ACSC’s Essential Eight lists patching as one of the simplest and most effective defences.

What to do:
  1. Check your systems. List all old software or devices and confirm if they still receive updates.
  2. Plan upgrades. Schedule replacements or isolate old systems that can’t be patched.
  3. Stay patched. Apply updates as soon as they’re released and keep a simple tracking log.
  4. Review insurance. Make sure your policy includes patching compliance requirements.

If it’s too old to secure, it’s too old to keep.


Cyber Insurance Tightens Requirements

More Australian businesses are turning to cyber insurance, but policies are tightening fast. In 2025, insurers began requiring stronger cyber security standards before coverage applies.

Insurers are raising the bar for coverage, expecting stronger cyber security standards from every policyholder. In addition to policies, procedures and training, businesses must prove they are actively managing risk through controls such as MFA, patching, backups and access reviews.

What to get sorted before applying for insurance:
  1. Work with your insurer, not against them. Treat insurance as a shared responsibility — strong security reduces both premiums and risk.
  2. Cover the fundamentals. Enable MFA, keep systems patched and maintain reliable backups.
  3. Know your obligations. Understand exactly what’s required to remain covered under your policy.
  4. Make use of what’s offered. Take advantage of training, tools and support included in your plan.

Remember: cyber insurance complements strong security rather than replacing it.

Hyper vigilance with data management

Globally, businesses are being forced to take data security more seriously. Regulatory reform and client demand are driving stronger cyber security standards, particularly across professional services. The 2023–2030 Cyber Security Strategy and the 2024 Cyber Security Act both signal that data protection is now a business essential, not a technical add-on.

Professional services firms, in particular, are leading the way. Many are adopting frameworks such as ISO 27001 to prove to clients and regulators that their systems, data and processes meet international best practice. At the same time, larger clients are asking suppliers to demonstrate strong data controls before signing contracts or renewing engagements.

What businesses can do:

  1. Understand expectations. Review the laws, frameworks and client standards relevant to your industry.
  2. Adopt a recognised framework. ISO 27001 or Essential Eight alignment helps prove compliance and build trust.
  3. Review your partners. Make sure suppliers handle data to the same standard you promise clients.
  4. Document and communicate. Keep simple records of your policies and share them when required.

Firms that can demonstrate strong governance will both win client confidence and stay ahead of new compliance demands.


Cyber Threats We’re Watching Right Now

In October, the ACSC released its Annual Cyber Threat Report 2024–25, highlighting the growing risks facing small and professional service firms across Australia.

Each year this report covers both key statistics and insights into the state of cyber risks in Australia. At Jam Cyber, we have reviewed the report, and here are the most relevant stats and insights for Australian SMEs:

  • $56,600: The average cost of cybercrime for small businesses, up 14% year-on-year. Even small firms now face financial losses once seen only in large organisations.
  • 84,700+ cybercrime reports were lodged with the ACSC in FY2024–25, averaging one every six minutes. With government agencies holding the top two spots for incidents, professional services firms ranked among the most targeted sectors outside government.
  • 1,200+ security incidents were handled by the ACSC, an 11% rise from the previous year, showing that malicious activity is becoming more frequent and more sophisticated.
  • Email compromise and identity fraud remain the most common crimes affecting businesses. These often begin with phishing or social engineering, which can lead to major financial and reputational damage.

What This Means for Professional Services Firms

Law, accounting, and consulting firms are especially exposed. They hold highly confidential client data and rely on interconnected systems, shared drives, and cloud platforms: all prime targets for attackers. The message from the ACSC is consistent: prevention, detection, and response must operate as one.

Actions to Take Now

  1. Review your safeguards: Identify your most valuable data, where it’s stored, and how it’s protected.
  2. Strengthen your defences: Prioritise essentials such as MFA, timely patching, data backups, and access controls.
  3. Prepare your response: Ensure everyone knows what to do if an incident occurs and who leads the response.

Get expert guidance:

If you don’t have dedicated internal IT or cyber staff, Jam Cyber can help assess risks, close security gaps, and improve compliance readiness.


Some Freebies From Jam Cyber!

Cyber security awareness starts with people, not just policies. Jam Cyber has created a series of free cybersecurity awareness posters designed to help Australian SMEs keep security top of mind in the workplace.


Each poster focuses on simple, practical behaviours such as spotting phishing attempts, protecting passwords and reporting suspicious activity. They’re ideal for offices, break rooms or onboarding packs to spark everyday security conversations.

Regular visual reminders help staff build habits that reduce risk, especially in busy professional service environments where client data moves quickly between systems.

Final thoughts

More and more, cyber security is becoming about people, accountability and everyday habits, not just technology and systems. Businesses that prioritise awareness, regular audits and proactive governance don’t just reduce risk; they build trust and resilience.

The organisations leading the way are those treating cyber security as a shared responsibility across leadership, staff and suppliers. With the right training, clear processes and modern controls, firms can protect their data, their clients and their reputation, all while meeting growing compliance expectations.

If your business needs guidance to strengthen its foundations or align with recognised frameworks, let us help you take the next step toward smarter, safer operations.
