ChannelLife Australia - Industry insider news for technology resellers
By Scott Hesford, BeyondTrust

Identity-related security remains a core challenge for Australia’s finance sector

Fri, 28th Nov 2025

Analysis of six years of information security incident notifications lodged under CPS 234 shows there are clear "repeatable patterns" in the data.

Cyber resilience remains a key concern for the finance sector heading into the new year. While entities have had to take measures to be resilient against information security incidents now for six years under Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234, it's apparent from mandatory incident reports that resilience remains a work in progress.

"Six years after APRA's first prudential standard on information security, CPS 234, took effect, all APRA-regulated entities take cyber security with the seriousness you'd expect," APRA member Suzanne Smith said in a recent speech. "However, looking across the financial system, the level of cyber resilience remains uneven and persistent gaps remain."

The centrepiece of Smith's comments on CPS 234 is four "repeatable patterns" that regularly feature in the detailed reports APRA receives from institutions that experience security incidents.

Two of the four "repeatable patterns" are identity security-related.

This is a clear indication of where Australia's finance sector should be prioritising investment in security strategies, controls and solutions to support their efforts.

The first regularly observed pattern is "credential compromise and a lack of strong authentication". This is perhaps unsurprising given the spate of credential stuffing attacks against Australian superannuation funds earlier this year. But CPS 234 pre-dates that threat activity, and for APRA to call it out, it's likely that the issue runs deeper than the superannuation sector alone. 

In Smith's words, credential stuffing and password spraying attacks are "more effective than they should be" in this day and age. Password spraying targets multiple accounts within an organisation with a few common passwords. In contrast, credential stuffing involves using a large set of username-password pairs obtained from previous data breaches to gain unauthorised access to various online services.

Defending against these attacks requires a proactive, multi-layered cybersecurity approach and robust identity-based security, including the removal of admin privileges on workstations, password vaults, multi-factor authentication, monitoring and auditing of user activity, and account lockout mechanisms, to name a few. Additionally, implementing controls that enforce the Principle of Least Privilege ensures that, should an account be hijacked by an attacker, its ability to inflict damage is limited. This also extends to the ability to report on the privileges associated with identities, whether human or machine, including AI agents.
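As an added example (not from the article or any vendor product), the detection logic below applies the two definitions above to constructed authentication log lines: a spray shows up as one source failing against many accounts while staying under the lockout threshold, so per-account lockout alone never fires; stuffing shows up as failures for accounts that do not exist locally, arriving from many sources. The log format, outcome tokens and thresholds are assumptions.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # assumed lockout policy: lock after 5 failures

# Constructed sample auth log. Fields: time src_ip user outcome, where
# outcome is OK, FAIL_BAD_PW (account exists) or FAIL_NO_USER (no such account).
SAMPLE_LOG = """\
09:00:01 203.0.113.10 alice FAIL_BAD_PW
09:00:02 203.0.113.10 bob FAIL_BAD_PW
09:00:03 203.0.113.10 carol FAIL_BAD_PW
09:00:04 203.0.113.10 dave FAIL_BAD_PW
09:00:05 203.0.113.10 erin FAIL_BAD_PW
09:00:06 203.0.113.10 frank FAIL_BAD_PW
09:01:10 198.51.100.7 alice FAIL_BAD_PW
09:01:11 198.51.100.7 alice FAIL_BAD_PW
09:01:12 198.51.100.7 alice OK
09:02:00 192.0.2.21 jsmith1988 FAIL_NO_USER
09:02:01 192.0.2.22 kate.lee FAIL_NO_USER
09:02:02 192.0.2.23 mbrown FAIL_NO_USER
09:02:03 192.0.2.24 bob FAIL_BAD_PW
09:02:04 192.0.2.25 old_acct FAIL_NO_USER
"""

def parse_log(text):
    """Return (src_ip, user, outcome) tuples from the constructed log format."""
    return [tuple(line.split()[1:]) for line in text.splitlines()]

def accounts_over_lockout(events, lockout=LOCKOUT_THRESHOLD):
    """Per-account lockout view: accounts whose failures reached the threshold."""
    fails = defaultdict(int)
    for _, user, outcome in events:
        if outcome != "OK":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= lockout)

def detect_spray(events, min_accounts=5, lockout=LOCKOUT_THRESHOLD):
    """Password spray: one source fails against many accounts, each fewer
    times than the lockout threshold, so per-account lockout never fires."""
    per_src = defaultdict(lambda: defaultdict(int))
    for src, user, outcome in events:
        if outcome != "OK":
            per_src[src][user] += 1
    return sorted(src for src, users in per_src.items()
                  if len(users) >= min_accounts and max(users.values()) < lockout)

def detect_stuffing(events, min_sources=3):
    """Credential stuffing replays breach-derived pairs, so many usernames do not
    exist locally; flag the sources producing FAIL_NO_USER once enough appear."""
    sources = {src for src, _, outcome in events if outcome == "FAIL_NO_USER"}
    return sorted(sources) if len(sources) >= min_sources else []
```

On the sample, the spraying source is flagged while no account reaches the lockout threshold, which is why the article pairs lockout with monitoring and auditing rather than relying on either alone.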

The second identity security-related pattern regularly seen by APRA relates to "service provider incidents". "These include exposures in service providers spilling into regulated entities, underscoring third-party assurance gaps as well as the effectiveness of techniques to limit contagion," Smith said.

Third parties - including vendors, service providers, independent consultants, contractors, and partners - often need access to an organisation's network to conduct essential business and IT operations. Previous research has found that, on average, 182 users from various third parties, including vendors, log into the systems of the typical enterprise each week.

Best practice dictates that access shouldn't be as simple as "on" or "off". Rather, to conduct business safely, IT organisations must be in control of centralised vendor access pathways that allow them to enforce access control policies and record and monitor all third-party activity. By using a just-in-time control mechanism, specific users are given precisely the right level of access to applications, sessions, and protocols - and only for the duration that access is needed. 

Privileged password management and multi-factor authentication provide additional layers of protection, by managing vendor and remote employee passwords, injecting credentials directly into remote access sessions without ever revealing them to the user, and rotating them regularly. Such systems are also capable of recording all user activity, which can be played back on demand, and of terminating access when suspected malicious activity is detected.

The end goal is adaptive security

A key theme in these best-practice approaches to identity-related security is to get organisations to a point where their security and access controls become adaptive - dynamically adjusting based on the circumstances in which system access is being sought.

This is the pinnacle of cybersecurity maturity in the identity-related security space. While many organisations may never achieve this, it remains a desirable end goal. 

In this state, information security capability is fully integrated, adaptive, and self-improving. The organisation not only meets the requirements of CPS 234 but exceeds them, using pre-emptive technology and processes to continually enhance its security posture.

Reaching such a state is important given recent context. In a separate speech, APRA's Executive Director Carmen Beverley-Smith was unambiguous that exceeding CPS 234 requirements should be the end goal. 

While acknowledging the constantly changing nature of the threat environment, Beverley-Smith made it clear that organisations are expected not just to keep pace, but to exceed expectations. "It is important to remember that CPS 234 articulates compliance obligations or minimum requirements. It by no means represents the level of information security governance that well managed funds should aspire to," she said.

Now, more than ever, Australia's finance industry needs to update its information security approach, and prioritise investments in identity-related security. 

By implementing a holistic, multi-level approach to the way privileges are managed across their organisation, including all local users and third parties, cybersecurity leaders afford themselves the opportunity to not only get ahead of evolving CPS 234 baseline requirements, but also to make their environments more adaptive to whatever the security landscape throws at them in the coming years.
