Cyber Ethos

Cybersecurity isn’t about systems – it’s about attackers becoming YOUR people

A managing director put this question to me last quarter, and it captures the shift Australian boards still have not fully absorbed.

How worried should we be about hackers breaking into our network?

The honest answer is: less worried than you should be about an attacker logging in as your CFO with a password they bought for $15.

Australian businesses have spent the last decade building stronger walls. Better firewalls. Better detection. Better patching. The walls still matter. But the attackers stopped trying to climb them years ago.

They are walking through the front door, holding the keys, looking exactly like your staff.

The shift your board has not been briefed on

SecurityBrief Australia reported in April 2026, citing research from Cohesity, that nine out of ten cyberattacks now begin with identity. Compromised credentials. Misused logins. Stolen sessions. Not zero-day exploits. Not novel malware. Just an attacker logging in as someone trusted.

The Office of the Australian Information Commissioner backs this up with hard data. Its Notifiable Data Breaches Report for July to December 2024, published in May 2025, recorded 595 breach notifications for the half. The majority of malicious or criminal attacks involved compromised credentials – phishing, stolen logins, or brute-force.

The Australian Signals Directorate’s Annual Cyber Threat Report 2025, published in October 2025, names identity fraud as the top reported cybercrime in Australia, up 8% year on year.

Read those three sources together. The breach pattern is consistent. The dominant cyber risk in Australia today is identity, not infrastructure.

Why your password and SMS code are no longer a strategy

Two attack methods now bypass standard multi-factor authentication routinely, and neither requires technical skill.

The first is SIM swapping. An attacker calls your mobile carrier, claims to be you, and has your number transferred to their device. Every SMS code sent to your number now goes directly to them. Your MFA is still active. It is just protecting the wrong person.

The second is MFA fatigue. Your CFO receives dozens of approval prompts on their phone in quick succession. Eventually, frustration or distraction wins. They tap approve to make it stop. One tap. Access granted.

These are not theoretical. They are happening to Australian businesses every week. SMS-based MFA, which most organisations still rely on, is the weakest link in their security setup. Not the strongest.
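As an added illustration of how the MFA fatigue pattern above can be spotted in authentication telemetry (example code written for this page, not from Cyber Ethos or the original post): a small Python check over constructed push-prompt log lines that flags a user whose approval closed a burst of prompts. The log format, user names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push-prompt events (not real logs): one line per
# prompt as "timestamp,user,result", where result is denied/timeout/approved.
SAMPLE_LOG = """\
2026-04-10T02:41:03Z,cfo@example.com.au,denied
2026-04-10T02:41:19Z,cfo@example.com.au,timeout
2026-04-10T02:41:40Z,cfo@example.com.au,denied
2026-04-10T02:42:02Z,cfo@example.com.au,timeout
2026-04-10T02:42:31Z,cfo@example.com.au,denied
2026-04-10T02:43:10Z,cfo@example.com.au,approved
2026-04-10T09:05:12Z,analyst@example.com.au,approved
2026-04-10T09:06:00Z,analyst@example.com.au,denied
2026-04-10T14:20:00Z,analyst@example.com.au,approved
"""

# Assumed tuning values (not from any vendor guidance): flag a user when at
# least MIN_PROMPTS prompts arrive within WINDOW and the last one is approved,
# i.e. the person gave in after repeated prompts.
MIN_PROMPTS = 4
WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse 'timestamp,user,result' lines into sorted (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)


def detect_mfa_fatigue(text, min_prompts=MIN_PROMPTS, window=WINDOW):
    """Return {user: prompt_count} for users whose approval closed a burst of prompts."""
    by_user = defaultdict(list)
    for ts, user, result in parse_events(text):
        by_user[user].append((ts, result))
    flagged = {}
    for user, prompts in by_user.items():
        for i, (ts, result) in enumerate(prompts):
            if result != "approved":
                continue
            # Count every prompt (whatever its result) in the trailing window
            # ending at this approval; a single legitimate approval stays at 1.
            burst = [p for p in prompts[: i + 1] if ts - p[0] <= window]
            if len(burst) >= min_prompts:
                flagged[user] = max(flagged.get(user, 0), len(burst))
    return flagged
```

In the constructed sample only the CFO account is flagged; the analyst's two approvals sit hours apart and never form a burst.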

What actually happens when credentials are compromised

Most boards picture a breach as a sudden event. Alarms trigger. The IT team scrambles. Action follows.

That is not how identity-based attacks unfold.

When an attacker logs in with stolen credentials, no alarms trigger because the login looks legitimate. They take their time. They read your emails. They map your finance approvals. They study how your CFO writes. They wait for the right moment.

The financial impact lands later, but the damage starts immediately. Cohesity’s research, reported in SecurityBrief Australia in April 2026, found that 85% of Australian enterprise businesses experienced a materially impactful cyberattack in the past year. 90% suffered revenue loss. More than 30% lost more than 10% of their revenue. 41% lost customers directly as a result.

These are not edge cases. This is what identity compromise costs Australian organisations now.

The New Legal Mandate for Identity Governance

Australia’s Cyber Security Act 2024 made identity-related incidents reportable in tight windows. If your business turns over more than $3 million a year and a ransom is paid following a credential compromise, you have 72 hours to report it to the Australian Signals Directorate.

The Australian Signals Directorate’s Modern Defensible Architecture, first published in February 2025 and last updated in October 2025, steers Australian organisations toward identity-first, Zero Trust principles by design. The direction of travel is clear.

APRA CPS 234 requires APRA-regulated boards to maintain information security capability commensurate with their risk profile. Identity governance is no longer something a board can leave with the IT team.

What boards keep getting wrong about identity security

Three misconceptions worth naming directly.

  • The first: that MFA is enough. It is not, when SMS-based MFA can be bypassed by a phone call to a telco.
  • The second: that small organisations are too small to target. They are not. Attackers do not pick targets by size. They pick them by weakness, and identity weakness scales with no extra effort on their part.
  • The third: that identity is an IT problem. It is not. It is a governance problem with technology underneath. The boards that get this wrong end up funding tools without a strategy.

Three questions for your next board meeting

1) If a single staff password were stolen tomorrow, how much of our business could the attacker reach before being detected, and how would we know?

2) Is our MFA phishing-resistant, or are we still relying on SMS codes that can be bypassed by a phone call?

3) Who in our executive team owns identity governance as a board-level discipline, and when did the board last hear from them?

These are governance questions. They belong on your board agenda this quarter.

The Mission Behind Cyber Ethos

I am Dr Kiran Kewalramani, CEO of Cyber Ethos. I was named Cybersecurity Entrepreneur of the Year 2025, and Cyber Ethos was recognised as Cybersecurity Business of the Year, Australia 2024. I recently won the Fluxx Boardroom Cyber Leadership Award in 2026.

We work with Australian boards and executive teams to translate identity threats from a vendor pitch into a board-level architecture decision. Plain English. Practical. Aligned to the Cyber Security Act 2024, Essential Eight, SOCI Act, and Privacy Act obligations.

The Invisible Threat: Why Identity is the New Perimeter

Your attacker is not breaking down the door. They are already inside, holding the keys, and looking exactly like your staff.

The boards that recover well are the ones that treated identity as a governance discipline before something forced them to.

Walls protect a network. Identity protects a business.

Book a Cyber Security Assessment and find out where your identity risk actually sits.

Or read our one-page Cyber Security Action Plan – four controls most Australian businesses can act on today.

Until we meet again

Kiran Kewalramani

Kiran Kewalramani is an acclaimed technologist with over two decades of executive experience in technology, cybersecurity, data privacy and cloud solution enablement. His career has included transformative roles in organisations including Cyber Ethos, Queensland Department of Education, Gladstone Area Water Board, NSW Rural Fire Service, NSW Police Force, Telstra, American Express, and more.