Jam Cyber Brief
October 2025 Edition
October marks Cyber Security Awareness Month, a reminder that protecting your business doesn’t have to be complicated. Each week of the campaign focuses on a different area, from replacing legacy systems to preparing for the future of quantum computing. For businesses of all sizes, these themes provide practical steps to strengthen client trust and improve resilience. In this Monthly Brief, we break down the government’s key themes and outline how your firm can put them into action.
Jump Ahead:
- Happening in October: Cyber Security Awareness Month
- Cyber Threats We’re Seeing Right Now
- AI-Powered Phishing and Scams
- Five Tips for Building a Cyber Safe Culture in Your Business
- Next Steps
Happening in October: Cyber Security Awareness Month
Every October, the national Cyber Security Awareness Month (CAM) focuses on simple, practical actions businesses can take to make security part of their everyday culture. This year’s four weekly themes provide a roadmap that any business owner can follow. Here’s what they mean in practice:
Theme 1: Event Logging: Visibility = Faster Response
IT event logs for your business are like CCTV footage for digital systems. If something suspicious happens, such as an odd login attempt or an email account being misused, logs show you what occurred and help you respond quickly. Without them, you are left guessing and cannot explain or prove what happened after an incident.
Logs can be created in many ways. Your email system records when and where accounts are accessed. Servers and cloud platforms log file access and changes. VPNs, firewalls, and practice management systems record connections and sign‑ins. Bringing these together into a central log makes it easier to detect problems early and to investigate if something goes wrong.
Why it matters: Logs give you visibility. They shorten the time it takes to notice and respond to suspicious activity, reducing disruption and client impact. Without them, recovery takes longer, and trust can be harder to rebuild.
What to check:
- Ask your IT Team or provider to run a logging health check this month and ensure core systems (email, identity) are logging correctly.
- Ensure logs are stored in one place and kept long enough to support investigations.
- Assign responsibility for reviewing alerts and responding to suspicious activity.
Theme 2: Legacy Technology: Replace or Protect
Like a rusty door lock, old computers still work, but they are much easier to break into. Legacy technology can include outdated document platforms, operating systems that no longer receive security updates, or business tools that cannot use modern protections such as encryption or multifactor authentication. They may leave known holes unpatched, block integration with new security tools, or make it harder for staff to work securely when connected remotely. For professional services firms, these weak points often involve systems that hold client records, contracts, or financial data. These older systems often remain in use because they are familiar or tied into day-to-day processes, but they also become easy targets for attackers.
Why it matters: Criminals actively look for businesses still using outdated systems. A single unpatched computer or tool could allow unauthorised access to confidential client files. Clients expect their information to be protected, so visible reliance on legacy systems can also impact reputation and trust.
What you can do today:
- Create an inventory of all systems, marking which are old or unsupported.
- Prioritise replacing technology that stores or processes client data.
- Where replacement is delayed, apply safeguards such as isolating the system from the network.
- Limit user access to legacy platforms to only those who truly need it.
- Include system lifecycle planning in your IT budget discussions to avoid falling behind.
Theme 3: Supply Chain & Third Parties: Who Can Access Client Data and Why
Every supplier you use, from cloud document storage to outsourced payroll, forms part of your overall security chain. If they are weak, your business is exposed. Modern firms rely on a network of vendors, apps, and platforms, which means your client data often sits outside your own systems. This shared responsibility can create blind spots if you do not actively manage it.
Why it matters: A breach at one of your vendors can expose your client information, disrupt your services, and damage your reputation. Regulators and clients increasingly expect that you know who has access to your data and how those suppliers are protecting it. Simply assuming your providers are secure is not enough. It is also important that your own firm is not the weak link, as this could put future work or government contracts at risk if you cannot demonstrate strong supplier and data security practices.
What you can review:
- Start by reviewing your own protections: is your data secure?
- Identify your top five suppliers who store or process client information.
- Check that contracts include clear security requirements and incident notification clauses.
- Limit vendor access to only the data and systems they genuinely need.
- Review supplier risks regularly at partner or board meetings to keep them on the agenda.
Theme 4: Quantum Readiness: Plan, Don’t Panic
Quantum computing may still feel futuristic, but one day it could break the encryption methods businesses rely on today. The government’s message is simple: start planning now, without panic.
Why it matters: Professional services firms often keep contracts, legal records, and archives that must remain secure for decades. If encryption becomes vulnerable in the future, those long-term records could be exposed.
Actions:
- Catalogue the types of sensitive information that must stay secure long term.
- Ask your IT partner about “crypto agility,” meaning systems can transition to new quantum safe encryption when required.
- Treat this month as an opportunity to raise awareness and begin planning, not to overhaul everything at once.
Cyber Threats We’re Seeing Right Now
Cyber Security Awareness Month highlights that threats are daily risks that can disrupt businesses and erode client trust. The same scams and attacks making headlines at large organisations often filter down to small and medium firms. This means protecting both systems and reputation. Below we highlight key risks that are currently active and outline what you can do now.
Code Repository & Software Supply-Chain Attacks
Attackers are increasingly targeting the software supply chain by breaking into online code repositories and inserting malicious code into open-source packages. Businesses often download and use these packages without realising they have been tampered with. For firms that rely on cloud apps or third-party integrations, this creates a hidden risk because malware can be delivered through updates you trust. Even if your firm does not write code, your suppliers might, and if their systems are compromised yours could be exposed too.
A recent example is the “Shai-Hulud” worm (named after the sandworms in Dune), which compromised more than 180 npm packages. npm, short for Node Package Manager, is a huge online library of pre-built software blocks that many apps depend on. Because it is so widely used, one breach like this can quickly spread to thousands of businesses.
What can you do to protect your business:
- Ask your IT Team, MSP or vendors how they verify the integrity of the software they use.
- Monitor logs for unusual activity after updates.
- Where possible, only use software from well maintained repositories and suppliers who provide security assurance.
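For IT teams asked how they verify software integrity, here is an added example (not Jam Cyber's code or part of the original brief) of one such check for npm projects: it flags lockfile entries with no hash pin, a weak hash, or an unexpected download source, and verifies downloaded bytes against the pin. The package names, lockfile contents and the single trusted host are constructed assumptions.

```javascript
const crypto = require('crypto');

const TRUSTED_HOST = 'registry.npmjs.org'; // assumption: only the public registry is expected

// Compare downloaded bytes with a lockfile "integrity" value ("<alg>-<base64 digest>").
function verifyIntegrity(bytes, integrity) {
  const dash = integrity.indexOf('-');
  const alg = integrity.slice(0, dash);
  if (!['sha256', 'sha384', 'sha512'].includes(alg)) return false; // reject sha1/unknown
  const expected = Buffer.from(integrity.slice(dash + 1), 'base64');
  const actual = crypto.createHash(alg).update(bytes).digest();
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}

// Flag entries in a v2/v3 lockfile "packages" map that are unpinned or come from elsewhere.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === '' || pkg.link) continue; // root project and workspace links have no tarball
    if (!pkg.integrity) findings.push({ path, issue: 'missing integrity hash' });
    else if (!/^sha(256|384|512)-/.test(pkg.integrity)) findings.push({ path, issue: 'weak hash algorithm' });
    let host = null;
    try { host = new URL(pkg.resolved).host; } catch { /* missing or not a URL */ }
    if (host !== TRUSTED_HOST) findings.push({ path, issue: 'unexpected source: ' + pkg.resolved });
  }
  return findings;
}

// Constructed sample data: a stand-in tarball and a three-dependency lockfile.
const tarball = Buffer.from('constructed package contents');
const pin = 'sha512-' + crypto.createHash('sha512').update(tarball).digest('base64');
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'constructed-app', version: '1.0.0' },
  'node_modules/example-good-lib': { version: '2.1.0', integrity: pin,
    resolved: 'https://registry.npmjs.org/example-good-lib/-/example-good-lib-2.1.0.tgz' },
  'node_modules/example-old-lib': { version: '0.3.0', integrity: 'sha1-AAAAAAAAAAAAAAAAAAAAAAAAAAA=',
    resolved: 'https://registry.npmjs.org/example-old-lib/-/example-old-lib-0.3.0.tgz' },
  'node_modules/example-side-lib': { version: '1.0.0',
    resolved: 'https://mirror.example.test/example-side-lib-1.0.0.tgz' },
}};

console.log(auditLockfile(sampleLock));
console.log(verifyIntegrity(tarball, pin), verifyIntegrity(Buffer.from('tampered'), pin));
```

A clean audit only shows that installs match what was recorded in the lockfile; it does not show that the recorded version was trustworthy when it was pinned.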
Kairos Extortion Group Expands Attacks in Australia
Ransomware continues to be one of the most damaging threats facing businesses. Criminal groups break into company systems, encrypt files, and demand payment to restore access. Increasingly, they also threaten to release stolen client data if the ransom is not paid. For professional services firms, the risk is not only downtime but also the potential loss of highly confidential information. Criminals are using more sophisticated tactics to extort businesses, with many simply stealing data without any ransomware being placed on a system.
A recent case involved the group Kairos, which on 16 September 2025 claimed responsibility for a breach of a real estate group and threatened to leak sensitive data unless a ransom was paid.
What can you do to protect your business:
- Keep offline or cloud-based backups of all critical data and test recovery regularly.
- Apply security patches to all applications and systems as they become available.
- Use Jam Cyber’s free Incident Response Plan template to prepare clear steps for responding to an attack.
AI-Powered Phishing and Scams
Each month, new AI-powered scams emerge. This means scammers are using artificial intelligence to make highly personalised phishing emails and text messages look professional and convincing. Australians are seeing a surge in AI-assisted scams, with criminals able to mimic writing styles and even generate fake documents.
What can you do to protect your business:
- Train staff to pause and verify unexpected requests before clicking links or transferring money.
- Use spam filters and antivirus to block many phishing attempts before they reach inboxes.
- Reinforce awareness with visible reminders such as Jam Cyber’s free cyber security posters.
Misconfigured Sharing and Accidental Disclosure
Not every data breach involves a hacker. Sometimes client files are shared by mistake, such as sending a link to the wrong person or leaving folders open to anyone with the link. These accidents are common in cloud document platforms and can go unnoticed until a client raises a concern. This type of error damages trust and may trigger mandatory reporting to the OAIC. For professional services firms, even a small slip can have major reputational and legal consequences.
What can you do to protect your business:
- Review your document sharing settings and restrict external access where possible.
- Audit existing shares to check who currently has access to sensitive files.
- Train staff to double check recipients and use secure client portals instead of email for confidential documents.
Five Tips for Building a Cyber Safe Culture in Your Business
The core theme for Cyber Security Awareness Month this year is building a cyber safe culture. The campaign is built on the idea that security works best when it becomes part of everyday habits. A cyber safe culture is not just about technology but also about people and practices. We have outlined five tips you can put into practice today:
1. Lead from the top
Owners and managers set the tone. If leadership treats cyber safety as a priority, staff will follow. Simple actions like using multifactor authentication and speaking about cyber risks in team meetings show that it matters.
2. Make training regular and relatable
Short, practical training sessions work better than long technical briefings. Use real examples, such as recent scams, to show staff how risks appear in daily work. Free monthly training modules from Jam Cyber are a good way to keep knowledge fresh.
3. Keep systems up to date
Updates and patches close the gaps that criminals exploit. Encourage staff to install updates promptly on both business and personal devices used for work. Automating updates where possible reduces the chance of something being missed.
4. Encourage a “stop and check” habit
Mistakes happen when people feel rushed. Remind staff that it is always acceptable to pause before clicking a link or sending out information. Posters, reminders in Slack or Teams, and regular prompts reinforce this behaviour.
5. Make security visible
Visible changes, like turning on MFA across key systems or introducing secure portals for client files, remind staff and clients that security is taken seriously. These steps build trust and show progress without heavy cost.
Next Steps
Cyber Security Awareness Month is a chance to take stock of your systems, staff habits, and supplier relationships. The actions outlined above are about building a culture where security is part of everyday work. Whether it’s checking logs, retiring outdated systems, or training staff, small steps now can prevent bigger problems later. If you’d like guidance tailored to your firm, Jam Cyber can help you turn awareness into action.