Standing Privilege Is Silent Security Debt Carried By Many Australian Organisations
By combining JIT, CIEM and ITDR, Australian organisations can drastically minimise their exposure to the risks of stolen credentials, data breaches, and privilege abuse.
Posted: Tuesday, Nov 18


Operational discipline is needed to overcome one of the most commonly exploited aspects of technology systems.

Against a backdrop of simplification, Australian organisations are on journeys to clean up their existing environments and reduce technical debt. Yet, many have accumulated a different type of debt with far more serious consequences that are playing out in attacks today.

The ASD’s recently released annual threat report found that compromised accounts and credentials are one of the top three cyber security incident types that critical infrastructure operators experience. Additionally, about 42% of all category 3 incidents for organisations overall involve compromised accounts and credentials. The ASD uses categories 1 to 6 to classify incidents, with 1 being the most serious, so a category 3 rating is of notable, and reportable, severity.

The key risk for organisations is how compromised accounts and credentials are abused by threat actors. The credentials may allow immediate access to only one system, but the real question is where else in the environment that single point of entry can lead.

Today, every identity, human or non-human, in an organisation has privilege, to some extent. Threat actors have always been keen to use privilege to escalate an attack and broaden their access, all while posing as legitimate traffic.

A positive in this year’s ASD threat report is that awareness of this risk is resonating. The report cites an example of a utility worker whose personal device was compromised with an infostealer that was then able to extract business credentials from the device’s browser. In this case, there was no evidence of abuse, but it is noteworthy that there was some forethought and there were mitigations in place for this exact scenario: “Had an attempt to exploit the credentials occurred, the risk to the company was partly mitigated through multi-factor authentication (MFA) and internal credential rotation,” the report notes.

Still, the risks in this space remain high. Between 19 November 2024 and 30 June 2025 alone, ASD proactively identified 9587 credential exposure events and alerted “approximately 220 organisations” to them.

By the law of averages, not all of these organisations are likely to be as prepared as the utility to challenge privilege escalation. It is for this reason that privileged credentials are implicated in almost every cybersecurity breach today and have become a silent form of security debt that must be addressed now.

An Outstanding Challenge

One type of privilege to gain considerable attention recently is standing privilege.

Standing privileges refer to user privileges that are enabled indefinitely, regardless of context. Users with standing privileges continuously have privileged access rights—regardless of whether privileged access is required at that point in time—or ever.

Because accounts with standing privileges have constant access, they represent a continuous cyber threat. In the event of a breach where a privileged identity or account is compromised, the attackers gain access to these privileges. In addition, the more accounts with unchecked privileges, and the longer the duration they have access, the more attack vectors exist on the network.

The race to the cloud further exacerbated the privilege problem – so much so that today, the sprawl of standing permissions and privileges is exponentially worse thanks to the expansion of cloud environments.

As organisations moved to the cloud, lots of new roles and privileges were granted just to make things work but were then left there indefinitely. According to one study, 50% of cloud identities are Super Admins (users or workloads that have access to all permissions and resources), while 60% of cloud identities were found to be inactive, having used none of their granted permissions in the last 90 days.

Ultimately, an unused privilege isn’t providing any value to the organisation; it only represents risk. This is why removing standing privilege isn’t a tech mystery anymore. It’s an operational discipline.

A Trifecta of Security Capabilities to Respond

An ideal security state entails the elimination of all standing privileged access. This is referred to as zero standing privileges (ZSP) or just-in-time (JIT) privileged access management (PAM).

Just-in-time (JIT) privileged access management (PAM) is a real-time request strategy for privileged accounts with entitlements, workflow, and appropriate access policies. Companies use this strategy to secure privileged accounts from the flaws of continuous, always-on access via unnecessary standing privileges. JIT enforces time-based restrictions based on behavioural and contextual parameters.

Privileges should come into existence at the very moment they are needed for a legitimate purpose, and they should promptly expire once the purpose has been executed, access context has changed, or after a pre-defined duration of time has lapsed. With JIT access, the “privilege-active” window of opportunity is reduced to a few moments over a long period of time. Standing privileges, on the other hand, are distributed indefinitely, leaving this window wide open and ripe for abuse.
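
The expiry rules described above, shown as an added example (not code from this article or from any vendor product): a minimal in-memory model of a JIT grant that stays live only until the first of the three triggers fires, plus a measure of the resulting “privilege-active” window. The class, field names and the source-IP context check are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class JitGrant:
    """One time-boxed privilege elevation (hypothetical model)."""
    identity: str
    role: str
    issued_at: datetime
    max_duration: timedelta           # pre-defined duration cap
    source_ip: str                    # access context captured at approval (assumed)
    task_done: bool = False           # set when the stated purpose is completed
    revoked_at: Optional[datetime] = None
    revoke_reason: Optional[str] = None

    def check(self, now: datetime, current_ip: str) -> bool:
        """Return True while the privilege is live; revoke on the first trigger."""
        if self.revoked_at is not None:
            return False
        if self.task_done:
            reason = "purpose executed"
        elif current_ip != self.source_ip:
            reason = "access context changed"
        elif now >= self.issued_at + self.max_duration:
            reason = "duration lapsed"
        else:
            return True
        self.revoked_at, self.revoke_reason = now, reason
        return False


def privilege_active_fraction(grants, period: timedelta) -> float:
    """Share of a period in which a privilege was live (grants assumed non-overlapping)."""
    live = sum((g.revoked_at - g.issued_at for g in grants if g.revoked_at), timedelta())
    return live / period


def demo():
    # Constructed sample: 30-minute cap, task completed after 12 minutes.
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    g = JitGrant("svc-deploy", "db-admin", t0, timedelta(minutes=30), "10.0.0.5")
    g.check(t0 + timedelta(minutes=5), "10.0.0.5")    # still live
    g.task_done = True
    g.check(t0 + timedelta(minutes=12), "10.0.0.5")   # revoked: purpose executed
    return g.revoke_reason, privilege_active_fraction([g], timedelta(days=90))
```

Over the same 90-day period, a standing grant of the same role would score 1.0 on this measure.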

When JIT controls are layered with other identity disciplines, like cloud infrastructure entitlement management (CIEM) and identity threat detection and response (ITDR), organisations have the capability to first shrink their attack surface by removing those standing privileges that have no business being there, and then monitor the entire environment for other privilege pathways or active threats.

By combining JIT, CIEM and ITDR, Australian organisations are drastically minimising their exposure to the risks of stolen credentials, data breaches, and privilege abuse.

Scott Hesford
Scott Hesford is Director of Solutions Engineering for Asia Pacific and Japan at BeyondTrust. He has over a decade of experience in IT security. Before joining BeyondTrust in 2019, he worked as Principal Consultant across APJ for CA Technologies, where he specialised in technologies within Identity Governance and Administration, Advanced Authentication, Privileged Access Management, Web Access Management and API management. A trusted cyber security advisor to enterprise and mid-market customers alike, his experience spans several industries including finance, utilities and manufacturing, in addition to state and federal governments.