The identity security game has changed, and we’ve made it easier for attackers to win. Not because they’re smarter or more sophisticated (though many are), but because we’ve handed them the keys. Through unchecked identity sprawl, we’ve given cybercriminals a golden ticket to infiltrate what is arguably an organisation’s most valuable asset: its identities.
It wasn’t always this chaotic. Not long ago, employees needed just one login and a short list of permissions to do their jobs. Today, identities aren’t just users. They include contractors, service accounts, and even IoT devices, tangled across multiple identity providers (IDPs) such as Microsoft Active Directory, Entra ID, and Okta, as well as cloud platforms, SaaS apps, and remote tools.
Every connection adds complexity. Every permission adds risk.
And attackers know it.
Why brute-force your way in when you can walk through the front door using valid credentials? Why drop malware when a phishing email can get you inside undetected?
In the 2023–24 financial year alone, Australians reported over 87,400 cybercrime incidents, with identity fraud accounting for a staggering 26% of those cases, according to Cyber.gov.au. That’s more than one in four incidents linked directly to compromised or misused identities.
This isn’t a scare tactic. It’s today’s reality.
Identities: The Path of Least Resistance
Credential theft and privilege escalation are now the foundation of modern cyberattacks. Once an attacker gets in, often via phishing, stolen credentials, or reused passwords, they move laterally through systems, escalating privileges and expanding their reach. It looks like normal activity, which is why it’s so hard to detect.
So why are identities being targeted so aggressively?
- Persistence – Once attackers compromise an identity, they can linger undetected for weeks or months.
- Stealth – Using legitimate credentials flies under the radar.
- Escalation – One low-privilege account is often just the first domino.
These aren’t isolated incidents. The Latitude Financial breach, which exposed 14 million records, including 7.9 million driver’s licence numbers, was identity-driven. The Western Sydney University cyberattack, which went undetected for eight months, began when a global administrator account was compromised. In both cases, attackers didn’t “hack in”; they logged in.
The Identity Explosion and the False Sense of Security
Many organisations assume their IDP handles identity security. That’s a dangerous myth. IDPs are designed for authentication and access, not detection, governance, or remediation.
Each new tool or cloud provider adds more identities, permissions, and potential backdoors. The result is a sprawling, opaque identity landscape in which no one has a clear picture of who has access to what and whether they should.
Let’s not forget that most IDP technologies weren’t built for the modern enterprise. Active Directory was released in 1999. Entra ID, while built for the cloud era, still requires layering of multiple tools to get close to full visibility. Add in third-party SaaS applications, remote work policies, and unmanaged service accounts, and you’re staring down a security nightmare.
Cybercriminals Are Using AI. Are You?
Attackers aren’t just getting in; they’re getting better. They’re leveraging AI to automate credential stuffing, escalate privileges, and map identity relationships at scale using tools like BloodHound. And they’re not waiting for vulnerabilities—they’re exploiting what we’ve left exposed.
The Australian Signals Directorate’s Annual Cyber Threat Report 2023–24 highlights the rapidly evolving cyber threat landscape, emphasising that cybercriminals are continually adapting their tactics, techniques, and procedures to exploit emerging technologies, including artificial intelligence. Despite these advancements, many Australian organisations remain reactive, addressing identity threats only after significant damage has occurred.
We need to flip the script. Fast.
A Proactive Identity Strategy Is Non-Negotiable
It’s time to move from passive identity hygiene to active, risk-based contextual security. That means:
- Eliminating Blind Spots: Unify on-prem and cloud identity data into a single view. You can’t secure what you can’t see.
- Using AI Against AI: Adopt AI-powered risk assessment that evaluates identities based on entitlements, device behaviour, misconfigurations, and privilege levels.
- Making Remediation Actionable: Visibility is only valuable if it leads to action. Security and IAM teams must speak the same language, with clarity on which identity exposures are urgent, which can wait, and how to fix them.
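The three steps above, sketched as an added example that is not code from the original article: per-IDP exports are merged into one view, each identity is scored on entitlements, misconfigurations and privilege, and the result is ranked by urgency with the reasons attached. A simple rule-based score stands in for the AI-powered assessment the article recommends; the sample rows, the row layout, the `PRIVILEGED` set, the weights and the urgency thresholds are all assumptions.

```python
from datetime import date

# Constructed sample exports (not a real IDP schema). Each row is
# (identity, entitlements, last_used, mfa_enforced, owner); None = not recorded.
AD = [("j.smith@example.org", ["Domain Admins"], "2024-11-02", None, "j.smith"),
      ("svc-backup", ["Backup Operators"], "2025-05-30", None, None)]
ENTRA = [("J.Smith@example.org", ["Global Administrator"], "2025-05-28", False, "j.smith"),
         ("a.lee@example.org", [], "2025-05-29", True, "a.lee")]
OKTA = [("c.wong@contractor.example", ["Super Admin"], "2024-12-01", True, None)]
PRIVILEGED = {"Domain Admins", "Backup Operators", "Global Administrator", "Super Admin"}

def unify(**sources):
    """Merge per-IDP rows into one view keyed by case-folded identity."""
    view = {}
    for name, rows in sources.items():
        for ident, ents, last, mfa, owner in rows:
            e = view.setdefault(ident.lower(), {"sources": [], "entitlements": set(),
                                                "last_used": "", "mfa_gap": False, "owner": None})
            e["sources"].append(name)
            e["entitlements"] |= set(ents)
            e["last_used"] = max(e["last_used"], last)  # ISO dates sort as text
            e["mfa_gap"] |= mfa is False                # explicit "MFA off" only
            e["owner"] = e["owner"] or owner
    return view

def assess(entry, today):
    """Rule-based score and its reasons; weights and thresholds are assumptions."""
    priv = entry["entitlements"] & PRIVILEGED
    idle = (today - date.fromisoformat(entry["last_used"])).days
    rules = [(40, priv, "privileged: " + ", ".join(sorted(priv))),
             (20, priv and len(entry["sources"]) > 1, "privileged in more than one IDP"),
             (30, priv and entry["mfa_gap"], "privileged without MFA"),
             (20, idle > 90, f"unused for {idle} days"),
             (10, entry["owner"] is None, "no accountable owner")]
    hits = [(w, text) for w, cond, text in rules if cond]
    return sum(w for w, _ in hits), [text for _, text in hits]

def prioritise(view, today):
    """Return (identity, score, urgency, reasons) rows, highest risk first."""
    rows = sorted(((k, *assess(e, today)) for k, e in view.items()), key=lambda r: -r[1])
    return [(k, s, "urgent" if s >= 70 else "scheduled" if s >= 30 else "ok", why)
            for k, s, why in rows]

if __name__ == "__main__":
    for row in prioritise(unify(ad=AD, entra=ENTRA, okta=OKTA), date(2025, 6, 1)):
        print(row)
```

The administrator who holds privilege in two IDPs only ranks first once the Active Directory and Entra ID rows are merged; scored per source, neither record shows the "more than one IDP" exposure.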
IAM, IGA, PAM, ITDR—acronyms alone won’t save us. The tools are fragmented. The attack surface is massive. And the adversary is evolving. Identity is the new perimeter, and it’s under siege.
Until organisations treat identity risk as a top-tier security threat, breaches will continue quietly, stealthily, and at scale. Cybercriminals have figured out how to blend in. Now it’s time for defenders to get ahead.
The question isn’t whether your identities will be targeted. It’s whether you’ll notice in time to stop them.