The IT Agency

Summary

  • Most cyber breaches now originate from compromised credentials, not external system attacks or infrastructure failures
  • Attackers can remain undetected inside business systems for months, extracting sensitive and commercially valuable data
  • SMB data holds significant financial, regulatory and reputational value, making it a consistent target
  • Microsoft environments already include strong security capability, but gaps in implementation create exposure

Identity is now the frontline risk and most businesses are underestimating it

Organisations take an average of 292 days to identify and contain a breach caused by stolen credentials, according to IBM’s 2024 Cost of a Data Breach Report. That’s nearly ten months of an attacker sitting inside your systems, reading your emails, copying your files, watching your accounts – before anyone realises they’re there.

Many leaders assume this is a technical problem. In reality it's a business problem: it starts with your people, your processes and who you've given access to what, not with software.

“It’s not just about external threats these days as well. A majority of threats come actually from inside and through credential theft – getting into your accounts, tricking people, using contractor accounts that aren’t properly secured. That’s a big point of entry and attackers can be in your systems for weeks or months collecting your data.”

The conversation, joined by fellow experts in the field Jay Staal and Dan Goffredo, explored an uncomfortable truth for Australian businesses: the biggest threat isn't coming from outside – it's already in.

Most business owners picture a cyberattack as something dramatic – a shadowy hacker halfway around the world, prying at your firewall in the middle of the night. The reality is far less cinematic and potentially far more unsettling.

Compromised credentials and unmanaged access are the primary entry point

For years, cybersecurity conversations focused on perimeter defence – firewalls, antivirus, spam filters. But the perimeter no longer exists in the way it once did. Your team logs in from home, from cafes, on personal devices. Your contractors access your systems remotely. Your data lives in the cloud.

In this environment “identity” is the new perimeter.

According to the OAIC's July–December 2024 Notifiable Data Breaches report, compromised or stolen credentials were a major cause of cyber incidents, accounting for 27% of notifications in that breakdown. Phishing, which is almost always used to steal credentials, added another 30%.

Three of the most common entry points are identity failures, not sophisticated exploits:

  • Compromised credentials: passwords reused from breached websites, weak passwords, or credentials stolen through phishing
  • Over-permissioned users: staff who have access to far more than their role requires, meaning a single compromised account becomes a master key
  • Unsecured contractor accounts: third-party access that was never properly scoped, monitored, or deactivated when the engagement ended

Your data is the target and it's worth more than you think

There’s a persistent misconception in the Australian small business community: “We’re too small to be a target.”

A cybercrime report is recorded in Australia every six minutes, according to the ASD's Annual Cyber Threat Report 2024–25. The average self-reported financial loss for small businesses was $56,600, but that figure doesn't capture the full cost of downtime, regulatory exposure, reputational damage and client loss.

The data you hold on your clients, such as names, addresses, financial records, payment details, sensitive personal information, is extraordinarily valuable on the dark web. The OAIC consistently ranks personal information and financial data as the most commonly breached data types in Australia. That data is next in sensitivity only to medical records and there is a thriving criminal economy built around the buying and selling of data.

“Because we’re moving into an era where you’re a lot more powerful to make changes within your own environment – to have it rigorously documented on where the most sensitive information lives would be very, very important moving forward,” shared Staal in his recent Fin365 Symphony discussion.

Being small doesn’t make you invisible. In many cases, it makes you a more attractive target, because attackers assume your defences are weaker.

The barrier to entry for attackers has never been lower

You don’t need to be targeted by a sophisticated attacker to have a serious breach. The majority of incidents affecting small businesses aren’t the work of elite hackers. They’re the work of opportunists using off-the-shelf tools.

As Ron Rosenbaum shared: “You can take a regular criminal – they can be a cybercriminal very easily. They don’t have to have a lot of skill; they can buy kits, they can get into your systems a lot easier.”

Cybercrime kits, which are pre-packaged tools that automate credential theft, phishing and system intrusion, are available for purchase online for a few hundred dollars. Credential stuffing attacks, where stolen username and password combinations from one breach are automatically tested across thousands of other services, require almost no technical skill to execute.

The Verizon 2025 Data Breach Investigations Report found that stolen credentials were involved in over a third of all breaches analysed globally. The ASD’s Annual Cyber Threat Report explains the mechanics of credential stuffing in plain terms and notes that this tactic is now one of the most common methods used against Australian businesses.

What was once the domain of nation-state actors and elite criminals is now accessible to anyone willing to spend money and follow instructions. The attacker doesn't need to be skilled; they just need you to reuse a password.
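The defender's view of the credential stuffing described above, as an added example that is not from the article: the tell-tale pattern is one source address failing against many different accounts in a short window, and a success from that same address is the finding to act on first. The log format, thresholds and sample lines are constructed assumptions.

```python
# Added example (not from the article): flag credential-stuffing patterns in a
# constructed sign-in log. Log format, window and threshold are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp,username,source_ip,result"
SAMPLE_LOG = """\
2025-03-01T09:00:01,alice@example.com.au,203.0.113.7,failure
2025-03-01T09:00:02,bob@example.com.au,203.0.113.7,failure
2025-03-01T09:00:03,carol@example.com.au,203.0.113.7,failure
2025-03-01T09:00:04,dave@example.com.au,203.0.113.7,failure
2025-03-01T09:00:05,erin@example.com.au,203.0.113.7,failure
2025-03-01T09:00:06,frank@example.com.au,203.0.113.7,success
2025-03-01T09:05:00,alice@example.com.au,198.51.100.20,failure
2025-03-01T09:05:30,alice@example.com.au,198.51.100.20,success
"""

def parse_log(text):
    """Parse the constructed CSV-style lines into (time, user, ip, result) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        rows.append((datetime.fromisoformat(ts), user.lower(), ip, result))
    return rows

def find_credential_stuffing(rows, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {source_ip: (distinct accounts failed within the window, accounts that succeeded)}.

    One user failing repeatedly from one IP is a forgotten password; one IP failing
    against many *different* accounts is a stuffing run. Any success from such an IP
    is the account to reset and investigate first.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, result in rows:
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        best = 0  # largest number of distinct failed accounts in any sliding window
        for i, (t0, _, _) in enumerate(events):
            users = {u for ts, u, r in events[i:] if r == "failure" and ts - t0 <= window}
            best = max(best, len(users))
        if best >= min_distinct_users:
            succeeded = sorted({u for _, u, r in events if r == "success"})
            findings[ip] = (best, succeeded)
    return findings
```

The second address in the sample (one user, two attempts, then success) is an ordinary retry and is deliberately not flagged.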

There is good news: you already have the tools to protect your business

If your business operates on the Microsoft 365 ecosystem (which the majority of Australian SMBs do) you likely already have access to a suite of enterprise-grade identity and security tools included in your existing licences. The technology to address most of what's described above is not something you need to buy separately; it just needs to be switched on and configured properly.

Tools like Microsoft Entra ID (formerly Azure Active Directory), Conditional Access policies and Microsoft Defender for Business provide the ability to enforce multi-factor authentication, restrict access by location or device, monitor for suspicious sign-in behaviour and automatically flag anomalies – capabilities that were once the exclusive domain of large enterprise IT departments.

The gap for most businesses is implementation. These tools exist in the environment but haven’t been configured to do what they’re capable of, often because no one has taken the time to set them up properly.

Dan Goffredo from Microsoft likened cyber security to “brakes on a car – not to stop you, but just to help you go quicker, safely.”

Prioritising identity control and access governance reduces immediate risk

You don’t need a six-month security transformation project to meaningfully reduce your risk. The ASD’s Essential Eight, which is Australia’s benchmark for baseline cyber hygiene, identifies a clear set of priorities that address the most common attack vectors.

The SMB1001 Certification is an ideal framework to improve your cyber security position. It is purpose-built for small to mid-size businesses and it offers a tiered approach that scales as your business grows, so you don't overinvest in unnecessary controls or in trying to qualify for more rigorous certifications like ISO 27001. The benefit SMB1001 has over Essential Eight is that it gives you a recognised certification which can reduce your insurance premiums and open up new tender and supply chain opportunities.

For an SMB starting from scratch, four actions will have the greatest immediate impact:

  • Audit who has access to what. Pull a list of every user, contractor and third-party integration with access to your systems. Ask whether each one still needs that access and whether the level of access is appropriate for their role. Contractor accounts from completed engagements should be deactivated immediately.
  • Enable multi-factor authentication – everywhere, no exceptions. MFA is the single most effective control against credential-based attacks. Even if a password is compromised, MFA blocks access without the second factor. It should be mandatory for every account in your business, starting with email, cloud storage and financial systems.
  • Apply the principle of least privilege. No user should have more access than their role requires. A compromised account with limited permissions does far less damage than one with administrative rights. Review permissions regularly and remove access when roles change.
  • Check what your Microsoft licences are actually doing for you. Many businesses are paying for security capabilities they’ve never activated. A review of your current Microsoft 365 configuration against what’s available in your licence tier is often one of the highest-return activities a business can undertake.
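The first three actions above (access audit, MFA everywhere, least privilege) turned into a repeatable review, as an added example that is not the article's or The IT Agency's own code. It runs over a constructed account export; the field names, the privileged role names and the 90-day staleness threshold are assumptions, and the fourth action (licence review) is not covered.

```python
# Added example (not from the article): an access review over a constructed
# account export. Field names, ADMIN_ROLES and stale_days are assumptions.
from datetime import date

ADMIN_ROLES = {"Global Administrator", "Exchange Administrator"}  # assumed privileged roles

# Constructed sample export: one dict per account
ACCOUNTS = [
    {"user": "alice@example.com.au", "type": "staff", "roles": ["User"],
     "mfa_registered": True, "last_sign_in": "2025-03-01", "engagement_end": None},
    {"user": "bob@example.com.au", "type": "staff", "roles": ["Global Administrator"],
     "mfa_registered": False, "last_sign_in": "2025-02-28", "engagement_end": None},
    {"user": "ext-tom@partner.example", "type": "contractor", "roles": ["User"],
     "mfa_registered": True, "last_sign_in": "2024-10-05", "engagement_end": "2024-11-30"},
    {"user": "svc-backup@example.com.au", "type": "service", "roles": ["Exchange Administrator"],
     "mfa_registered": False, "last_sign_in": "2024-06-01", "engagement_end": None},
]

def review_access(accounts, today, stale_days=90):
    """Return (user, finding) pairs; an account with no findings is simply absent."""
    findings = []
    for a in accounts:
        user = a["user"]
        last = date.fromisoformat(a["last_sign_in"])
        # Audit: contractor access that outlived the engagement
        if a["type"] == "contractor" and a["engagement_end"] \
                and date.fromisoformat(a["engagement_end"]) < today:
            findings.append((user, "contractor engagement ended; disable account"))
        # MFA everywhere: any account without a registered second factor
        if not a["mfa_registered"]:
            findings.append((user, "no MFA registered"))
        # Least privilege: standing admin roles need a justification on file
        if ADMIN_ROLES & set(a["roles"]):
            findings.append((user, "standing admin role; confirm role still required"))
        # Audit: accounts nobody has used in stale_days are access nobody needs
        idle = (today - last).days
        if idle > stale_days:
            findings.append((user, f"no sign-in for {idle} days; disable or remove"))
    return findings

if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, date(2025, 3, 5)):
        print(f"{user}: {finding}")
```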

Busy business owners don't need to manage this alone. You can engage specialists like The IT Agency who assess your current environment, identify gaps across identity, security and governance, and implement the right controls aligned to frameworks like SMB1001, ISO 27001 or DISP. This gives you a clear, structured path forward without overinvesting time or resources internally.

Frequently asked questions

What is credential theft and how does it affect small businesses?

Credential theft gives an attacker valid login details for your systems. They can then move around inside your business environment without triggering security alerts, accessing emails, files, and financial accounts while appearing to be a legitimate user. Because nothing is visibly broken, breaches caused by stolen credentials often go undetected for months.

How long does it take to detect a cyber breach caused by stolen credentials?

Credential-based breaches take significantly longer to detect than other attack types because the attacker is using legitimate access rather than breaking in. They blend in with normal activity, which means the breach often continues until someone notices unusual behaviour or an external alert flags the account.

Why are small businesses a target for cyber attacks?

Attackers target small businesses because they typically have fewer security controls than larger organisations while still holding valuable client data, financial records, and payment details. Small businesses connected to larger clients or supply chains are particularly attractive because they can serve as a pathway into more valuable targets.

What is the most effective step a small business can take to prevent a breach?

Enabling multi-factor authentication on every account is the highest impact single action a small business can take. It means a stolen password alone is not enough to gain access. An attacker who has obtained valid credentials still cannot get in without completing the second verification step.

What is SMB1001 and how does it help small businesses improve cyber security?

SMB1001 is a cyber security certification standard built specifically for small and medium businesses. Its tiered Bronze, Silver, and Gold levels allow businesses to build their security posture progressively, starting with the most critical controls. Certification demonstrates to insurers, clients, and supply chain partners that the business meets a recognised security standard, which can reduce insurance premiums and support tender and contract opportunities.

References

ASD Annual Cyber Threat Report 2024–25
OAIC Notifiable Data Breaches Report: July–December 2024
OAIC NDB Statistics: January–June 2025
IBM Cost of a Data Breach Report 2024
Verizon 2025 Data Breach Investigations Report
ASD Essential Eight
ASD Cyber Security and Australian Small Businesses Survey