Identity is now the foundation of modern cyber security, and Australian businesses have a clear opportunity to lead by adopting the controls that genuinely protect it.
The current landscape
The Australian Signals Directorate’s Annual Cyber Threat Report for 2024-25 records that the average self-reported cost of cybercrime per small-business report rose 14 per cent to $56,600, and that 22 per cent of small and medium enterprise owners said their business was impacted by cybercrime in 2024. Within that landscape, identity sits at the centre. The Office of the Australian Information Commissioner’s most recent Notifiable Data Breaches reporting confirms that malicious and criminal attacks remain the largest source of breach notifications, and that stolen or compromised credentials were responsible for 20 per cent of cyber incident breaches in the most recent full reporting period.
The point was reinforced in April 2025, when several major Australian superannuation funds, including AustralianSuper, Rest, Hostplus, Australian Retirement Trust and Insignia Financial, were targeted by credential stuffing attacks. Around $500,000 was lost from a small number of AustralianSuper member accounts. Each of those incidents began with a valid username and password.
The encouraging news is that the controls needed to prevent this category of attack are well understood, widely available, and within reach for businesses of any size.
Why traditional MFA needs an upgrade
Standard multifactor authentication has served Australian businesses well for many years. It remains a meaningful improvement over passwords alone, and any team that has it switched on is in a stronger position than one that does not.
The threat landscape has, however, evolved. Adversary-in-the-middle (AiTM) phishing kits such as Tycoon 2FA can sit between a user and a legitimate Microsoft 365 sign-in page, capturing both the password and the session token after a valid MFA prompt is completed. In these scenarios, SMS codes, authenticator app codes and push approvals can all be relayed by the attacker in real time.
This is a sign that the security baseline has moved, and leading organisations are moving with it.
What modern identity protection looks like
Phishing-resistant MFA, built on the FIDO2 standard, is the new benchmark. Passkeys, Windows Hello for Business and physical security keys use cryptography that is bound to the genuine sign-in domain. If a user is directed to a lookalike page, the credential simply will not authenticate, which removes the human judgement step that phishing relies upon.
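The domain binding described above can be seen in the checks a relying party runs on a WebAuthn assertion: the browser records the origin it was actually on, and the authenticator hashes the relying-party identifier into its output, so a sign-in relayed through a lookalike page fails before any password or code is involved. The following is an added example, not code from the article or from Reef IT; the relying-party name, origins, challenge and authenticator output are constructed, and the signature check that follows these steps is omitted.

```python
"""Relying-party checks that make a FIDO2/WebAuthn assertion domain-bound.
Constructed example: no real keys are used. In a real relying party the
signature over authenticatorData || SHA-256(clientDataJSON) is verified
after these checks, so an attacker cannot simply rewrite the origin."""
import base64
import hashlib
import json

RP_ID = "login.example.com.au"                      # assumed relying-party identifier
ALLOWED_ORIGINS = {"https://login.example.com.au"}  # assumed genuine sign-in origin

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple:
    """Return (ok, reason) after checking type, challenge, origin, rpIdHash and UP flag."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the genuine sign-in domain"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match relying party"
    if not authenticator_data[32] & 0x01:  # flags byte, bit 0 = user present
        return False, "user-presence flag not set"
    return True, "ok"

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Build the clientDataJSON a browser would produce on the given origin."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()

CHALLENGE = b"\x01" * 32  # constructed; a real RP issues fresh random bytes per ceremony
# constructed authenticatorData: rpIdHash (32) + flags (UP set) + 4-byte sign count
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")

def genuine_sign_in():
    return verify_assertion_binding(make_client_data("https://login.example.com.au", CHALLENGE), AUTH_DATA, CHALLENGE)

def relayed_from_lookalike():
    # A proxy page on a lookalike domain: the browser records *that* origin, so the
    # check fails here (in practice the authenticator would not even have a credential
    # scoped to the lookalike rpId, so no assertion would be produced at all).
    return verify_assertion_binding(make_client_data("https://login-example.com.au", CHALLENGE), AUTH_DATA, CHALLENGE)

if __name__ == "__main__":
    print(genuine_sign_in(), relayed_from_lookalike())
```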
This direction is reflected in the Australian Signals Directorate’s Essential Eight Maturity Model, which was updated in November 2023 to require phishing-resistant MFA at higher maturity levels. The framework is the recognised national benchmark for cyber security uplift in Australia, and the inclusion of phishing-resistant MFA signals where the standard of good practice now sits.
For a 10-to-100-user business operating on Microsoft 365, a strong identity programme typically includes:
- Phishing-resistant sign-in methods, such as passkeys in Microsoft Authenticator or Windows Hello for Business, made available to every user.
- Microsoft Entra Conditional Access policies that require phishing-resistant authentication for administrator accounts and sensitive applications.
- Sign-in risk policies that automatically respond to unusual or high-risk login activity.
- A quarterly review of privileged accounts to confirm that elevated access is still appropriate.
These controls work best as part of a continuous, managed practice rather than a single configuration exercise. Microsoft releases new identity capabilities regularly, threat patterns shift, and staff and roles change. A well-run managed service keeps pace with all three.
Three constructive questions to bring to your IT provider this quarter
A short, focused conversation with your provider is one of the most valuable steps you can take this year. Three questions are usually enough to gauge the maturity of your current programme:
- What is our roadmap for moving users from SMS or app-based codes to phishing-resistant methods such as passkeys or security keys?
- Which Conditional Access and sign-in risk policies are currently active, and how are they tuned for our business?
- When did we last review our administrator and privileged accounts, and what was the outcome?
The answers will give you a clear view of where your business sits today and where the next improvements should be focused.
Reef IT works with Australian businesses to build identity protection into an ongoing, managed practice. Straightforward advice, the right controls in place, and a team that continues to refine them as the environment evolves.
Talk to the team at Reef IT
