Report: 99% of Australian firms faced identity breaches in 2023

A recent report by CyberArk has revealed that 99% of Australian organisations have experienced two or more identity-related breaches in the past 12 months. This makes Australia one of the most cyberattacked nations globally, second only in occurrences such as credential theft, third-party, and supply chain breaches.

The CyberArk 2024 Identity Security Threat Landscape Report underscores the urgent need for changes in cybersecurity strategies to prevent further data breaches. According to the report, digital transformation is identified as the primary external cause of breaches, ahead of geopolitical or state actors.

One of the notable findings of the report is that 99% of Australian organisations anticipate that the use of AI-powered tools will negatively impact their cybersecurity within the next year. Despite this concern, every surveyed organisation has already adopted AI as a part of their cyber defence initiatives. However, such tools are often seen as a double-edged sword, with 100% of respondents predicting a rise in sophisticated AI-driven identity-related attacks.

Thomas Fikentscher, Area Vice President for ANZ at CyberArk, commented on the challenges facing Australian organisations. He noted that, despite increased investment in cybersecurity driven by legislation, there are still significant hurdles. These include compliance and risk management, a shortage of skilled staff, and insufficient support from developers and engineers. Fikentscher stressed the importance of addressing risks associated with AI and machine IDs while highlighting the need for enhanced collaboration between CIOs, CTOs, developers, and security teams.

The report reveals that nearly nine out of ten Australian organisations had identity-related breaches stemming from third parties, placing the country second highest globally in this regard. Additionally, 79% of organisations experienced breaches related to their supply chain. Respondents indicated that machine IDs are considered the riskiest identity type, with about half holding high levels of access to sensitive data. Business customers and third parties were also identified as significant risks.

The study also found that Australian businesses are major users of cloud services, ranking among the top three countries globally for the use of multiple cloud providers. Within the next 12 months, 93% of businesses plan to use three or more cloud service providers, with 70% expecting to use four or more. The adoption of Software as a Service (SaaS) is set to rise dramatically, with 24% of organisations currently using over 100 SaaS providers, projected to increase to 75% within a year.

While organisations are rapidly creating both human and machine identities, the report highlights a concerning disparity in security measures. Unlike human identities, machine identities often lack sufficient identity security controls. This oversight makes machine IDs a potent threat vector that can be easily exploited.

Despite the advancements in AI and cybersecurity measures, the report shows that 91% of organisations have fallen victim to successful identity-related breaches due to phishing or vishing attacks. Although over 70% of security professionals are confident that their employees can identify deepfake videos of their organisational leadership, this confidence drops to 65% for audio-based deepfakes.

Matt Cohen, CEO of CyberArk, emphasised that current siloed and legacy solutions are ineffective against the sophisticated cyber threats of today. He called for a paradigm shift towards a cybersecurity model that prioritises identity security, to successfully guard against the growing number of identity-centric breaches.