With spring finally here, it’s always a good reminder to stop and look at what’s past, what’s happening now, and what’s on the near horizon. And importantly, what we’ve learned along the way.

The last 12 months have been action-packed. I’d like to say that our clients have been telling us, “Business is great, and we have spare cash to invest.” However, the reality is that most are talking about how to claw back margin, be more efficient, and do more with what they have. (And as a technology business, we’re obviously in the right place to help with that.)

The pace of change

In the great words of Calum Chace (aka The AI Guy): “The pace of change has never been this fast, yet it will never be this slow again.”

In the IT world, we’ve watched Generative and Agentic AI go mainstream, while cyberattacks and data breaches have become the norm. We also saw most of the Colton family go through a multiparty data breach together.

Mostly, though, we’ve witnessed a massive change in the way business is done.

For better or worse – what’s changed?

Well, AI and digital automation are doing for business what bank feeds and Xero did for accounting 10 years ago. And there’s a significant generational shift as Boomers (digital adopters) ready themselves to exit their businesses and retire, leaving Gen Zers (aka our inaugural digital natives) making up ~27% of the workforce (Griffith Uni).

The upshot of these changes? Businesses are evolving, not only in how they adopt and use systems, but also from a data governance and change-adoption perspective. They’re embracing structured frameworks to deal with risk, recognising that the ‘muscle and feel’ of yesteryear just isn’t cutting it anymore.

A blast from the past

I was talking to a colleague at IT Nation Connect (one of our industry conferences) a couple of weeks ago, and Mark said, “Geeze, this game (IT service) was easier when I started out of my garage!” Then we both laughed.

(Bear with me as I reminisce, please – there is a point to it!)

When I started CCT 20 years ago, all businesses really had to worry about was backing their data up to a USB stick, external hard drive, or, if you were fancy, a backup tape. The only other concern was “Do I have antivirus software?” Back then, business email compromise (BEC) and ransomware didn’t exist, and the leading scams featured Nigerian princes randomly asking you to send money. And POP email, physical mail, faxes, and cheques were in everyday use. (Look them up and laugh at our expense if you’re a Gen Zer.)

If we couldn’t sort out a client’s computer issue over the phone, we’d jump in a ute and go and see them. At worst, their server’s power supply would have died, or a hard drive had failed, and they couldn’t access their data for a day or so until we replaced a part or restored their data and systems from backup. If a virus stopped a PC in its tracks, and we couldn’t resurrect it in an hour or two, we’d reset it to its original settings.

So, my point?

IT wasn’t simpler back then, but businesses were a lot less reliant on it – so there was less risk. Break-fix IT and set-and-forget were more than adequate for the needs of most businesses.

When the heat went on – a quick slice of history

We all got a wakeup call in 2013 with the arrival of CryptoLocker – a 9-month cyberattack that used a trojan to target computers running Microsoft Windows.

Almost overnight, the design and management of backup systems had to be considerably more robust. They needed to be checked daily to ensure the backup had run, and the tape/hard drive had been changed.

The next big shocker was ransomware. Not only could an attacker lock all your files and hold them to ransom, but they’d also threaten to leak copies to the “dark web,” your clients, or competitors if you didn’t pay up.

The threat to weaponise individuals’ data made the government sit up and take notice, and they introduced the OAIC (Office of the Australian Information Commissioner) and mandatory reporting of breaches.

Hey Australia – don’t open that email!

The other side of the ramp-up was BEC, which, for the past several years, has represented over 80% of all cyber-attacks in Australia. Why so high? Because while we continue to pay threat actors, they continue to attack – it’s as simple as that.

The challenge with BEC is that although you can defend yourself to some extent against ransomware with technical security controls (Next Generation Antivirus, crypto-resilient backups, and firewalls), BEC often starts as a con. There’s almost always a sense of urgency: “Here’s a ‘high-value’ document on a link – please log in to access it now!” So, you click the link and log in, and hey presto, you end up disclosing your credentials or, worse, your session token – which allows the baddies to become you, even if you have MFA.

Once the attacker has access to your mailbox, they generally change the bank details on a large invoice. And as many businesses won’t ask a supplier to verify new or updated account details, the attacker gets paid. These attacks are scary – they go through trusted supply chains like a bushfire.

The important takeaway here is that you aren’t just responsible for protecting your business, but your clients and suppliers too – and they need to do likewise.

A legacy of risk (and why you can’t afford to be apathetic)

Most other attacks we see come from out-of-date systems. Twenty years ago, you generally patched or updated software for a new feature or when something didn’t work. Today, software vendors push out continuous updates, so we patch daily or weekly to prevent attackers from exploiting holes or vulnerabilities in systems or apps. And it’s worth noting that even the humble static website needs to be kept up to date!

But all these updates only work if they’re installed.

Yes, sometimes updates break things, but patching early and often is far better than explaining to your supply chain why you caused an incident. And if you’re always up to date, it’s a lot easier to identify any faulty patches.

It won’t happen to me (yeah, right)

Sadly, we’re still seeing a lot of the same apathy towards IT security today that we saw 15 years ago. “It won’t happen to me, I’m too small – I won’t be a target. When we are bigger, when we get this done, when we make more money, then we will…” The list goes on.

Waiting to experience data loss before deciding whether you need a backup plan is too late. Last year, in Australia, over 1,100 incidents of data loss were reported to the OAIC. That’s 25% more than in 2023. Not having a backup is simply an accident waiting to happen – yet it can still be a challenge to get businesses to take it seriously.

I’ll take one security system, please

One of the problems is that everyone wants “security” all neatly boxed up and ready to use, please.

But unfortunately, security has never been a single product. And the list of security controls now required is just getting longer, and needs to be packaged with system configuration, patching, end-user training – and more. Building a security-first culture inside a business is crucial. It’s more than just a box-ticking exercise for cyber insurance or your compliance framework.

Good IT security is a process (hopefully aligned with a framework like ISO 27001 or SMB1001), not a product.

So, while we’re super passionate about helping all our clients to improve their security posture, we need you to want to improve it first. It’s a commitment. Gone are the days of just applying MFA to your Microsoft solutions as a safety net – much of your other software (your SaaS and web apps, for example) doesn’t have MFA enforced, yet it holds vast volumes of sensitive or confidential information.

What we’re seeing on the ground, right now

In the last six months, we’ve done two reverse onboardings. This is where we work with new clients who are in the midst of a cyberattack crisis when they contact us and need urgent help – so we perform cyber incident response first, then onboard them into managed services afterwards. In both cases, neither business had MFA set up on their Microsoft or other line-of-business applications. They’d been subjected to phishing attacks (BEC) and had only discovered it after being contacted by a client asking them to confirm new bank details on an invoice.

And they’re not alone. Right now, we deal with several BEC attacks each week. Twelve to eighteen months ago, it might have been one attack every 4-6 weeks.

Tip: We have a standard process to follow for all reported incidents to ensure that no session tokens or credentials have been stolen or compromised. Please keep reporting these incidents to us so we can make sure that your staff accounts and your business systems aren’t compromised.

Cyber insurance – a must-have, not nice to have

While most of our clients have cyber insurance, it scares me how many other businesses generally don’t have it or haven’t even considered it.

As well as providing you with incident response services when you fall victim to a cyber-attack, it will also cover losses from BEC. While Colton’s cyber response covered most of last year’s breach, had the attack not come through us, our insurance wouldn’t have covered your business – so you need your own policy. The first 72 hours of our incident cost $278,000, which I had to sign off on the first day.

My advice: Get cyber insurance.

That’s a wrap from me

Anyway, that’s enough big-stick waving for now! I know I’ve taken you on a bit of a tiki tour, but spring does that to me. It’s a great time to look at what you are doing with your technology and make sure that it’s up to scratch in terms of security and efficiency.

And as you’ve probably gathered, we love helping solve business problems – so just ask!