Cutting through Cyber - newsletter 6


March 23 2026

KSIB’s purpose is to cut through complexity.  

In the era of AI, cyber security is one of the most complex areas to cut through. Cyber risks are even more prevalent now with threat actors having access to AI-enabled tooling, and with the acceleration of agentic enterprise implementations. Each month, our newsletters will focus on topical developments and updates in the cyber world.   

Steve Brown is one of Australia’s most experienced technologists and cyber security experts. His strategic perspectives on the latest developments will help Board members, executives and technology leaders understand the “so what” of cyber security. Cyber is a risk everyone needs to be managing, and to manage something, you need to understand it. We have pitched this newsletter at both business leaders (Boards and Executives) and technology leaders to fill this need. 

If you have any questions or would like to discuss this further, please contact us at kristin@ksib.com.au or steve@ksib.com.au

Regards 

Kristin 


1. ShinyHunters' phone scam campaign compromises Crunchbase and others 

A well-known cybercriminal group called ShinyHunters has been calling IT help desks, impersonating internal staff, and talking their way into corporate login systems - no hacking tools required. By convincing help desk operators to hand over access, they've breached dozens of organisations. Crunchbase, the business intelligence platform, confirmed over 2 million records were stolen after it refused to pay a ransom. Match Group (the parent company of Hinge and Tinder) has also been named as a victim, though the specific entry point remains under investigation. 

So what for business leaders: This illustrates a familiar pattern: sophisticated threat groups are bypassing technology and cybersecurity controls by targeting people and processes instead. Boards and senior leaders should ask how robust identity verification procedures are at the help desk, whether escalation protocols exist for social engineering attempts, and whether there is clear visibility into the access third-party vendors have. These are governance and control questions, not IT questions. 

So what for tech and cyber leaders: This is a reminder that your identity stack is only as strong as the human processes wrapped around it. If your help desk can reset MFA or grant SSO access based on a phone call, that's your new defence perimeter. Review your identity verification workflows end-to-end, pressure-test them with simulated social engineering, and ensure your SSO/FID/MFA environment has conditional access policies that limit what a single compromised session can do. 

2. Nike investigating claimed 1.4TB data theft: extortion without disruption 

An extortion group called WorldLeaks claims to have stolen and published around 1.4 terabytes of Nike's internal data. The roughly 188,000 files reportedly cover product designs, manufacturing processes, and documentation for factory partners. Nike has confirmed it is investigating. Notably, the attackers didn't lock Nike out of its own systems or demand a ransom to restore access. They simply took the data and published it. 

So what for business leaders: The extortion model is evolving. When threat actors go straight to publishing trade secrets, "we have backups" is not an adequate corporate control. Boards and management should understand where their crown jewels sit, who has access to them, and whether the controls reflect the value at stake if the data is exposed. 

So what for tech and cyber leaders: Data Loss Prevention (DLP) controls should be tuned to current exfiltration patterns. If 1.4TB can leave the building without triggering a meaningful alert, the monitoring and classification controls aren't calibrated to the threat. High-value unstructured data should be catalogued and classified, with egress monitoring and access segmentation implemented around it. 

3. AI agents are accumulating privileged access, and many organisations aren't governing them

As organisations rapidly deploy AI tools that can act autonomously - accessing databases, calling APIs, and making decisions without human involvement - a new risk is emerging. Research from CyberArk found that these machine identities now outnumber human users by roughly 82 to 1, with many holding the same level of access as senior employees, yet without the same oversight or controls. Meanwhile, security researchers have demonstrated that autonomous AI systems can already discover and exploit weaknesses with minimal human direction, leading to forecasts that largely automated hacking-for-hire services could emerge this year. 

So what for business leaders: Every AI agent with access to corporate systems is effectively a privileged user, yet most aren't subject to the same access controls, monitoring, or periodic review as a human employee. The risk of an attacker manipulating a trusted AI agent into acting as an autonomous insider is a plausible and growing scenario. This is the kind of emerging risk that sits between IT, risk, and the business, requiring cross-functional attention and clear governance before it becomes a board-level crisis. 

So what for tech and cyber leaders: Treat every AI agent as you would a privileged service account. That means inclusion in your identity governance controls, such as access reviews, least-privilege scoping, time limits, automatic removal of unused access, logging, and meaningful monitoring plus alerting.  
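As an added illustration (not from the newsletter, and not any vendor's product) of what "treat every AI agent as a privileged service account" looks like in practice, the script below runs a periodic access review over a constructed inventory of agent identities: it flags expired grants, access unused for more than 30 days, scopes beyond an approved least-privilege baseline, and agents with no accountable owner. The record layout, role baselines and the 30-day threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed inventory record (assumption): one entry per AI-agent identity,
# with its granted scopes, grant expiry, last use and an accountable owner.
@dataclass
class AgentIdentity:
    name: str
    scopes: set
    granted_until: datetime
    last_used: Optional[datetime]
    owner: str = ""

# Approved least-privilege baseline per agent role (assumed values).
BASELINE = {
    "invoice-agent": {"erp:read", "erp:approve-invoice"},
    "support-agent": {"crm:read", "ticket:write"},
}

STALE_AFTER = timedelta(days=30)  # "automatic removal of unused access"

def review_agent(agent, role, now):
    """Return the findings an access review would raise for one agent."""
    findings = []
    if agent.granted_until <= now:                      # time-limited grants
        findings.append("grant expired: remove access")
    if agent.last_used is None or now - agent.last_used > STALE_AFTER:
        findings.append("unused for over 30 days: remove access")
    excess = agent.scopes - BASELINE.get(role, set())   # least-privilege check
    if excess:
        findings.append("over-scoped: " + ", ".join(sorted(excess)))
    if not agent.owner:                                 # someone must answer for it
        findings.append("no accountable owner")
    return findings

def run_review(inventory, now):
    """Map each agent name to its review findings (empty list means compliant)."""
    return {a.name: review_agent(a, role, now) for a, role in inventory}

# Constructed sample inventory: one compliant agent, one that fails every check.
NOW = datetime(2026, 3, 23, tzinfo=timezone.utc)
INVENTORY = [
    (AgentIdentity("inv-bot-1", {"erp:read", "erp:approve-invoice"},
                   NOW + timedelta(days=60), NOW - timedelta(days=2), "finance-ops"), "invoice-agent"),
    (AgentIdentity("support-bot-7", {"crm:read", "ticket:write", "crm:delete"},
                   NOW - timedelta(days=1), NOW - timedelta(days=45), ""), "support-agent"),
]

if __name__ == "__main__":
    for name, findings in run_review(INVENTORY, NOW).items():
        print(name, findings or ["ok"])
```

In a real deployment the inventory would be pulled from the identity provider or secrets platform, and the findings fed into the same ticketing and revocation workflow used for human accounts.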

4. WEF cybersecurity outlook 2026: fraud overtakes ransomware as the top CEO concern

The World Economic Forum's Global Cybersecurity Outlook 2026, drawing on 804 leaders across 92 countries, reports that cyber-enabled fraud has overtaken ransomware as the primary cyber concern for CEOs. 77% of respondents reported an increase in fraud and phishing attacks, with 73% saying they or someone in their network had been personally affected. 87% identified AI-driven threats as the fastest-growing risk, and 94% expect AI to be the most significant force shaping cybersecurity this year. The report also highlights geopolitical instability as a major accelerant, with 91% of the largest enterprises adjusting their cybersecurity posture in response.

So what for business leaders: The threat landscape is shifting faster than most governance frameworks. AI-powered deepfakes and synthetic identities are enabling fraud at a scale and sophistication that traditional controls weren't designed for. The geopolitical dimension means cyber risk is no longer a contained technology conversation, as it intersects with supply chain strategy, market exposure, and regulatory compliance. Boards and NEDs should be asking whether their organisation's risk appetite and oversight mechanisms have genuinely kept pace with these shifts. 

So what for tech and cyber leaders: AI-enabled fraud may target business processes rather than infrastructure. Security teams should work closely with finance, procurement, and operations to understand where fraud workflows intersect with technical controls, and whether they are keeping pace with the sophistication of current fraud threats, together with the broader implications for “insider threat” detection. 

5. The tools that protect you are being targeted: critical flaws in widely-used security products 

In late January, Ivanti disclosed two actively exploited vulnerabilities in its mobile device management platform, both of which allow attackers to gain full remote access without credentials. In February, BeyondTrust, whose remote access tools are widely used by IT teams to manage systems securely, patched a similarly severe flaw that was confirmed to be under active attack within days of public disclosure. The US Cybersecurity and Infrastructure Security Agency (CISA) added it to its mandatory remediation list with a three-day deadline for federal agencies. The flaw lies in the same part of the product that Chinese state actors exploited to breach the US Treasury in late 2024; the original fix missed this variant.

So what for business leaders: There's an uncomfortable paradox: the tools organisations invest in to reduce risk are themselves becoming high-value targets. When your remote access platform has a critical flaw, and the government gives you three days to fix it, the assumption that these products are "secure by default" has collapsed. For boards, the question is straightforward: do we understand our dependency on a small number of security vendors, how quickly critical vulnerabilities are being addressed, and what happens when one of those vendors is compromised? This is a concentration risk and vendor oversight conversation - not just a patching conversation. 

So what for tech and cyber leaders: Unfortunately, it’s not uncommon to discover that security tooling meant to reduce overall cyber risk has its own vulnerabilities. Therefore, it’s critical for security tooling to be managed with best-practice controls too: a real-time inventory of the infrastructure, comprehensive vulnerability scanning, processes and deadlines for patching, network segmentation, etc.  


This is a complex and evolving world. AI creates new cyber risks, and vigilance at all levels of the organisation is critical. Contact steve@ksib.com.au if you need help or wish to discuss this further.