TL;DR
Your identity perimeter is your real perimeter. Australian businesses can — and should — enforce phishing-resistant MFA, deploy SSO, and clean up dormant accounts this week, not next quarter. With tooling starting at $5–10/user/month and the ASD Essential Eight explicitly mandating MFA, there is no excuse for password-only authentication anywhere in your environment. Here is the playbook.
Why Identity Is Your Weakest Link (And What To Do About It)
Over 80% of breaches involve compromised credentials, according to Verizon's annual DBIR. For Australian SMBs, the attack surface is deceptively simple: reused passwords, shared accounts, dormant users still holding active licenses, and MFA that can be bypassed with adversary-in-the-middle phishing kits. The fix is not one tool — it is a layered identity posture that starts with phishing-resistant authentication and ends with continuous verification.
The Australian Signals Directorate's Essential Eight lists multi-factor authentication as a dedicated control (MFA Control), and the maturity model expects phishing-resistant MFA at Level 3. If you are still using SMS OTP or email-based second factors, you are not meeting the bar. Here is what to do, in order of impact.
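As an added illustration, not code from the original post, of why FIDO2/WebAuthn survives the adversary-in-the-middle kits mentioned above: the relying party checks that the browser bound the assertion to its own origin and RP ID, so an assertion relayed from a look-alike domain fails before any signature is examined. It assumes a relying party at https://login.example.com.au with RP ID example.com.au, uses constructed assertions, and leaves out signature verification.

```python
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://login.example.com.au"  # assumed RP origin
EXPECTED_RP_ID = "example.com.au"                 # assumed RP ID


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion_context(client_data_b64: str, authenticator_data: bytes,
                             issued_challenge: bytes) -> tuple:
    """Check clientDataJSON and authenticatorData against what this RP issued."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge must be the one issued for this login attempt (anti-replay).
    if b64url_decode(client_data.get("challenge", "")) != issued_challenge:
        return False, "challenge mismatch"
    # The browser fills in origin, not the page: a proxy on another domain
    # cannot present our origin, so a relayed assertion fails here.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID used.
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    # Byte 32 holds the flags; bit 0 is user presence (the key was touched).
    if len(authenticator_data) < 37 or not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON in the shape a browser produces."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get", "challenge": b64url_encode(challenge),
        "origin": origin}).encode())


def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || 4-byte sign count."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + (1).to_bytes(4, "big"))
```

A call such as `verify_assertion_context(make_client_data("https://login.example-com-au.test", c), make_auth_data("example-com-au.test"), c)` is what a relayed login looks like to the server, and it is rejected on the origin check.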
Quick-Win Checklist: What To Deploy This Week
1. Enforce phishing-resistant MFA everywhere. Start with your highest-risk surfaces: email, VPN, cloud consoles, and admin portals. Phishing-resistant means FIDO2/WebAuthn security keys (YubiKey 5 Series, ~$55–70 AUD each) or passkeys — not SMS, not authenticator app TOTP, not push notifications. All three of those can be relayed through real-time phishing proxies. Microsoft Entra ID and Okta support FIDO2 natively. Google Workspace supports passkeys and security keys. For self-hosted environments, Authentik supports WebAuthn as a second factor at no license cost.
2. Deploy SSO to eliminate standalone passwords. Every SaaS app that supports it should federate through your identity provider. Microsoft Entra ID (included with Microsoft 365 Business Premium, ~$31 AUD/user/month), Okta (Single Sign-On plan from ~$8 AUD/user/month), and Google Workspace (Business Standard ~$14 AUD/user/month) all provide SSO catalogs covering thousands of applications. Authentik is a strong self-hosted alternative for organisations wanting full control — deploy via Docker in under an hour.
3. Audit and disable dormant accounts. Run a report on login activity across Entra ID, Google Workspace Admin, or Okta. Any account with no sign-in for 30+ days should be disabled, not just deprovisioned from individual apps. Dormant accounts are a goldmine for attackers — they often retain permissions long after the employee has moved on. Set a recurring calendar reminder to re-run this audit monthly.
4. Enforce a password manager, not password complexity. NIST SP 800-63-3 explicitly advises against forced periodic password changes and complex composition rules. Instead, require a password manager (1Password Business ~$12 AUD/user/month, Bitwarden Premium ~$14 AUD/year) and set a minimum length of 15 characters. Block credentials found in known breach databases — Entra ID and Okta both support this natively.
5. Implement conditional access policies. Require compliant devices, restrict sign-ins from non-AU regions if your workforce is domestic, and force re-authentication for privileged operations. Entra ID Conditional Access and Okta Sign-On Policies handle this. For zero trust identity, every access decision should evaluate context: who, what device, where from, and how risky.
Tooling and Cost Estimates for Australian SMBs
For a 25-person business, expect these monthly costs:
| Component | Tool | Cost (25 users) |
|---|---|---|
| Identity Provider + SSO | Microsoft Entra ID (M365 BP) | ~$775 AUD |
| Identity Provider + SSO | Okta SSO | ~$200 AUD |
| Self-Hosted IDP | Authentik (Docker) | Server cost only |
| Hardware MFA | YubiKey 5 NFC | ~$1,375 AUD (one-time) |
| Password Manager | 1Password Business | ~$300 AUD |
| Password Manager | Bitwarden Premium | ~$29 AUD |
A pragmatic stack for a 25-person Australian SMB: Entra ID (if you already run Microsoft 365) or Okta, YubiKeys for admins and high-privilege accounts, and Bitwarden for credential management. Total recurring cost: $5–10/user/month depending on your identity provider choice. The YubiKeys are a one-time capital expense.
Zero Trust Identity: Beyond The Quick Wins
Zero trust identity is not a product — it is a policy that assumes no user, device, or network is inherently trusted. NIST SP 800-207 defines the architecture; for SMBs, the practical implementation is:
- Continuous verification: Session tokens expire frequently (configure 1-hour re-auth for admin sessions, 8 hours for standard users).
- Least-privilege access: Use role-based access control (RBAC) in Entra ID or Okta. Audit who has Global Admin — it should be fewer than 5 people, ideally 2–3.
- Device trust: Require managed or compliant devices before granting access to sensitive resources. Entra ID Conditional Access can enforce this.
- Segmented access: Not every user needs access to every app. SSO makes federation easy, but access policies must still restrict lateral movement.
CIS Controls v8 (Control 5: Account Management and Control 6: Access Control Management) provide benchmarks for implementing these policies. Map your current state against CIS to identify gaps.
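The dormant-account audit from step 3 of the checklist and the Global Admin headcount check above, as an added example that is not the post's own tooling: it reads a directory export, flags enabled accounts idle for 30+ days or never used, and lists who holds Global Administrator. The CSV is constructed in the shape of an Entra ID user export with last interactive sign-in; the column names, the 14-day grace period for new starters, and the fixed "today" are assumptions to adapt to your IdP.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Optional

DORMANT_AFTER = timedelta(days=30)       # the post's 30-day threshold
MAX_GLOBAL_ADMINS = 5                    # the post's ceiling (aim for 2-3)
NEW_ACCOUNT_GRACE = timedelta(days=14)   # assumption: don't flag fresh starters
AUDIT_NOW = datetime(2026, 3, 5, tzinfo=timezone.utc)  # constructed "today"

# Constructed sample export; an empty lastSignInDateTime means "never".
SAMPLE_CSV = """userPrincipalName,accountEnabled,createdDateTime,lastSignInDateTime,roles
alice@example.com.au,true,2024-01-10T00:00:00Z,2026-03-01T08:12:00Z,Global Administrator
bob@example.com.au,true,2024-06-02T00:00:00Z,2025-12-20T17:40:00Z,
carol@example.com.au,true,2026-02-25T00:00:00Z,,
dave@example.com.au,true,2023-03-15T00:00:00Z,,Global Administrator
erin@example.com.au,false,2022-09-01T00:00:00Z,2024-04-11T09:00:00Z,
frank@example.com.au,true,2025-05-20T00:00:00Z,2026-03-04T07:55:00Z,Global Administrator
"""


def parse_ts(value: str) -> Optional[datetime]:
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def audit_accounts(export_csv: str, now: datetime) -> dict:
    """Return dormant users, never-used users, Global Admins and dormant admins."""
    result = {"dormant": [], "never_signed_in": [], "global_admins": [],
              "dormant_admins": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["accountEnabled"].lower() != "true":
            continue                      # already disabled: nothing to do
        upn = row["userPrincipalName"]
        is_admin = "Global Administrator" in row["roles"]
        if is_admin:
            result["global_admins"].append(upn)
        last = parse_ts(row["lastSignInDateTime"])
        if last is None:
            # Never signed in: skip brand-new starters, flag everyone else.
            if now - parse_ts(row["createdDateTime"]) < NEW_ACCOUNT_GRACE:
                continue
            result["never_signed_in"].append(upn)
        elif now - last <= DORMANT_AFTER:
            continue                      # active within the window
        else:
            result["dormant"].append(upn)
        if is_admin:                      # an idle admin is the worst case
            result["dormant_admins"].append(upn)
    result["too_many_admins"] = len(result["global_admins"]) > MAX_GLOBAL_ADMINS
    return result


if __name__ == "__main__":
    for key, value in audit_accounts(SAMPLE_CSV, AUDIT_NOW).items():
        print(f"{key}: {value}")
```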
FAQ
Q: Is SMS-based MFA better than nothing? A: Technically yes, but it is not sufficient for compliance with ASD Essential Eight maturity Level 3. SMS is vulnerable to SIM-swap attacks and real-time phishing. Prioritise migration to FIDO2 keys or passkeys for all users, starting with privileged accounts.
Q: Do we need SSO if we only use a few cloud apps? A: Yes. Even with 5 apps, SSO eliminates 5 separate password stores, enforces a single MFA policy, and gives you a central audit log for all sign-ins. The overhead of managing standalone credentials across apps grows faster than most businesses expect.
Q: How do we handle shared accounts or service accounts? A: Shared accounts violate the principle of unique accountability. Replace them with individual accounts wherever possible. For service accounts, use Entra ID Managed Identities or store credentials in a secrets manager (HashiCorp Vault, Azure Key Vault) — never in shared spreadsheets or chat channels.
Q: What if our team resists YubiKeys? A: Start with passkeys (built into modern phones and laptops) as a stepping stone. They use the same FIDO2/WebAuthn standard as YubiKeys but do not require hardware. Once users are comfortable with the flow, migrate high-privilege accounts to hardware keys for tamper resistance.
Conclusion
Identity security is not a future roadmap item — it is a this-week action item. Start with the quick wins: enforce phishing-resistant MFA on all admin and email accounts, audit and disable dormant users, deploy a password manager, and begin SSO federation for your top 5 applications. These four actions close the majority of credential-based attack paths that Australian SMBs face today.
The regulatory direction is clear: ASD Essential Eight, NIST SP 800-63-3, and CIS Controls v8 all converge on the same requirements. The tooling is affordable, the deployment timelines are measured in days, and the risk reduction is immediate.
Visit consult.lil.business for a free cybersecurity assessment — we will map your current identity posture against Essential Eight and give you a prioritised remediation plan.
References
- ASD Essential Eight Maturity Model — MFA Control
- NIST SP 800-63-3 — Digital Identity Guidelines
- CIS Controls v8 — Account Management and Access Control
- Microsoft Entra ID FIDO2 Security Key Documentation
ELI10: Hackers Are Logging In, Not Breaking In
Explained Like You're 10 — by lilMONSTER at lil.business
Imagine your business office has a special entry card system. Every employee gets a card that unlocks the door. It's secure — or so you think.
Now imagine a stranger finds a copy of one of your employee's entry cards. They walk right through the front door. They look like a normal person. They walk to the filing cabinet. They copy everything. And they're gone in an hour.
That is how 90% of major cyberattacks work in 2026.
Not Hollywood hacking — just someone with your employee's password, walking right in.
The Speed Problem
A new security report released this week — by a company called Palo Alto Networks, which investigated over 750 major cyberattacks around the world — found something alarming: attackers now move from "got in" to "stole everything" in as little as 72 minutes.
That's four times faster than the year before.
The reason? AI tools. Attackers are using AI to automatically find weaknesses, craft convincing messages, and move through computer systems faster than any human could on their own.
By the time most businesses even realise something is wrong, the attacker is already done.
How Do Attackers Get Your Passwords?
You don't have to do anything obviously wrong. Here's how it happens all the time:
- Fake login page. An employee gets an email that looks like it's from Microsoft, Google, or their bank. They click the link and type in their password — but the page is fake. Password stolen.
- Old breach. Your employee uses the same password on five different services. One of those services got hacked years ago. Attackers try that password on your systems. It works.
- Sneaky software. Someone downloads something dodgy. It quietly records every password they type and sends it to the attacker.
None of this requires the attacker to be a genius. With AI, even someone with no technical skills can run these attacks automatically at massive scale.
The Fix: A Second Lock on the Door
The single most effective thing your business can do right now costs almost nothing: turn on MFA (Multi-Factor Authentication).
MFA is like adding a second lock to your door. Even if someone has your password (the key), they also need your phone (the second lock) to get in. Microsoft found that MFA blocks 99.9% of automated password attacks.
Turn it on for:
- Business email (Gmail, Outlook)
- Cloud storage (Google Drive, Dropbox, OneDrive)
- Banking and finance apps
- Any remote access tools
- Social media accounts
Most apps have a "Security" or "Two-Factor Authentication" setting. Enable it everywhere. Use an authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) — not just SMS, which is slightly less secure.
The Second Fix: Give People Only What They Need
The report found that once attackers get in, they often roam freely because employees have more access than they actually need.
Ask your IT person: does every staff member only have access to the things they need for their job? Your junior receptionist probably doesn't need admin access to the server. Your salesperson probably doesn't need access to payroll files.
This is called the "principle of least privilege" — and it limits how far an attacker can go even if they do get in.
The Third Fix: Have a Plan
The attackers are fast. You need to be faster — and that means thinking about it before something goes wrong.
Three questions to answer today:
- If someone's email account gets hacked, who do we call?
- What do we disconnect first to stop the damage spreading?
- Do we have backups of our important data, and are they recent?
Written answers to these questions — even on a single piece of paper — are worth more than any expensive software if the moment comes.
The Big Picture
You don't need to build a fortress. You need a few strong, smart habits. MFA + reviewed permissions + a response plan covers the majority of what the world's biggest security firms see failing again and again in real attacks.
lil.business helps Australian small businesses get these basics right — quickly and without the jargon. Book a free 30-minute consult and walk away with a clear list of what to do first.
References
[1] Mandiant, "M-Trends 2026: Identity-Based Attacks and AI-Accelerated Credential Theft," Google Cloud Mandiant, Reston, VA, USA, 2026. [Online]. Available: https://www.mandiant.com/resources/m-trends-2026
[2] CISA, "Identity and Access Management Best Practices Guide: Multi-Factor Authentication and Zero Trust," Cybersecurity and Infrastructure Security Agency, Washington, DC, USA, 2026. [Online]. Available: https://www.cisa.gov/resources-tools/resources/identity-and-access-management-recommended-best-practices
[3] IBM X-Force, "X-Force Threat Intelligence Index 2026: Identity as the New Perimeter — Credential Attacks in the AI Era," IBM Security, Armonk, NY, USA, 2026. [Online]. Available: https://www.ibm.com/reports/threat-intelligence
[4] Verizon, "2026 Data Breach Investigations Report: Stolen Credentials and Identity-Based Intrusion Trends," Verizon Business, Basking Ridge, NJ, USA, 2026. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/