Identity: The New Currency in Cybersecurity
Posted: Wednesday, Jul 02

Introduction

We live in an era where our digital identity is just as valuable as our physical presence, if not more so. From the moment we sign up for a new service, subscribe to a newsletter, or tap “accept” on a cookie policy, we begin to create a data footprint. Our names, email addresses, location data, device information, preferences, and behaviours all form a profile — one that can be monetised, manipulated, or maliciously misused.

In cybersecurity, this is referred to as Personally Identifiable Information (PII) — and it is now one of the most sought-after commodities by cybercriminals.

The Rising Threat of Identity Theft

The statistics are staggering:

  • According to the Identity Theft Resource Center (ITRC), data breaches involving personal information increased by 78% in 2023 globally.
  • The Australian Signals Directorate’s 2023 Cyber Threat Report revealed that identity compromise and data breaches are the most reported incidents, with over 94,000 reports of cybercrime, up 23% from the previous year.
  • The average cost of a data breach in Australia rose to $4.03 million, per IBM’s 2023 Cost of a Data Breach report — and identity-related breaches are among the most costly to investigate and remediate.

The motivation for these attacks is clear: identity is a golden key. Once compromised, it can unlock access to bank accounts, internal corporate systems, social media platforms, or even be sold on the dark web. One stolen identity can create a ripple effect of financial loss, reputational damage, and privacy violations — not just for individuals, but for the businesses they’re associated with.

Why Identity & Access Management Matters

We’ve reached a point where digital convenience has outpaced digital safety. As we streamline access to services — single sign-ons, cloud platforms, mobile-first apps — we inadvertently increase the attack surface. Identity and Access Management (IAM) systems are designed to manage this complexity.

IAM isn’t just about logins and passwords. It’s about:

  • Verifying who you are (authentication),
  • Determining what you have access to (authorisation),
  • And ensuring that access is monitored, reviewed, and revoked when no longer needed (governance).

Modern IAM systems incorporate multi-factor authentication (MFA), role-based access control (RBAC), least privilege policies, and real-time behavioural analytics to secure identities at scale. And when combined with Zero Trust Network Access (ZTNA) — where no user or device is trusted by default, even inside the network — IAM becomes a powerful security control.

These aren’t just “nice-to-haves” anymore. They are foundational requirements across major cybersecurity and privacy frameworks:

  • ISO/IEC 27001: Emphasises access control policies and identity verification.
  • SOC 2: Requires strict controls around logical and physical access.
  • APRA CPS 234: Mandates that Australian financial institutions maintain control over access to sensitive systems and data.

Small Businesses Aren’t Exempt

There’s a common misconception that only large enterprises need to worry about identity security. But the reality is, cybercriminals often target small and medium-sized businesses (SMBs) because they tend to have weaker defences and limited resources.

  • In 2023, 62% of small businesses in Australia reported being victims of a cyber incident (Australian Cyber Security Centre).
  • Yet, only 14% of SMBs have implemented IAM or ZTNA technologies (CyberEdge Group 2023).

The risk is the same: employees, customers, and suppliers all bring identity-based vulnerabilities into the business. The difference is, smaller businesses may not have formal compliance requirements. But they do have something just as important: an ethical obligation to protect the people they employ and serve.

What Is Your Identity Worth?

I’ve spoken with individuals who shrug off the threat: “Why would anyone want my information?” And others who attempt digital invisibility: “I avoid doing anything online.”

But the truth is, we’re all exposed. Every app download, online payment, Zoom meeting, or social post adds to our identity profile. The question is no longer if our data is out there, but how well it’s being protected.

And if you’re an employee of a business — particularly a small or mid-sized one — it’s reasonable to ask:

“How is my digital identity being protected?”

If you’re in leadership, it’s time to assess whether your organisation is truly doing enough. Not just for compliance, but for trust, accountability, and resilience.

Final Thoughts: A Call to Action

The rise of digital identity as a critical security perimeter demands urgent attention. Whether you’re a CEO, IT leader, employee, or consumer — you have a role to play in protecting identity.

Businesses must invest in IAM and ZTNA technologies not only to protect themselves but to uphold their duty of care. And individuals must remain vigilant, ask the right questions, and take control of their own digital safety.

In this digital age, your identity is your most valuable asset.

Protect it like your life depends on it — because in many ways, it does.

Matt Miller
Matt Miller is a seasoned cybersecurity expert and a business-savvy technologist, dedicated to advocating for the critical importance of cybersecurity knowledge in the boardrooms of Australian organisations. With a unique ability to bridge the gap between executive leadership and technical teams, Matt ensures seamless communication across all levels of an organisation. His expertise fosters alignment among diverse teams, functions, and leadership, driving cohesive strategies and solutions. Drawing from over 25 years of industry experience, Matt has served as both a full-time and fractional Chief Information Security Officer (CISO) for large-scale enterprises in sectors such as online retail, financial services, and technology. This extensive hands-on experience informs his deep understanding of ICT service management and delivery, risk management, contract negotiation, data and information security, as well as strategic planning. Additionally, Matt is a seasoned ISO 27001 Lead Auditor, further solidifying his credentials in the field. In 2013, Matt co-founded Insicon with his business partner, Greg Bunt. Together, they have cultivated a culture of cyber awareness, transforming the way executive leadership and board members perceive cybersecurity. Insicon's mission is to provide clear, actionable insights that empower organisations to navigate the complex landscape of cyber threats with confidence and clarity.