Nearly half of the security incidents reported to Australia’s cyber authority last financial year involved a compromised account or credential. That number helps explain why PwC is now flagging identity as the entry point criminals prefer over breaking through the front door.
According to the Australian Signals Directorate’s Annual Cyber Threat Report for 2024-25, compromised accounts or credentials were involved in 42% of the most cyber incidents it responded to. Identity fraud remained the most reported type of cybercrime among individuals.
That backdrop lines up closely with new global research from PwC, whose Annual Threat Dynamics 2026: Cyber Threats in Motion report found that identity-centric attacks have overtaken traditional network intrusion as the preferred route into corporate systems.
For Australian enterprises, the findings land at an awkward moment. The country’s enterprise sector is among the most digitized in the APAC region, with banking, healthcare, mining, and government services all running deep into cloud and API-connected infrastructure.
That level of digitization is exactly what makes identity attacks more valuable to criminals: every additional connected system, vendor integration, or remote login is another identity that can be stolen, impersonated, or resold.
AI is fueling identity attacks
PwC’s Global Threat Intelligence lead, Kris McConkey, said in the report that adversaries are now choosing to “log in rather than break in,” using AI to probe for weak points across identity, cloud, and edge layers with what he described as “unprecedented precision.”
Generative tools are being used to automate phishing campaigns, produce convincing deepfakes, impersonate IT helpdesk staff, and run multi-stage social engineering operations against both human and machine identities.
That last point matters specifically for Australian organizations because AI adoption is expanding the identity footprint that attackers can target. Every AI agent, automated workflow, or machine-to-machine integration a business deploys creates a new non-human identity that needs credentials, access permissions, and monitoring.
PwC’s data suggests these are exactly the kinds of identities slipping through the cracks. There are already documented cases of Australian organizations being compromised by information-stealer malware that harvested corporate credentials from employee devices.
Edge devices are a related pressure point for a market like Australia’s, where a large share of the workforce operates from regional offices, mine sites, hospitals, and hybrid or remote setups rather than a single corporate campus.
Routers, VPN appliances, and other internet-facing hardware sitting at the edge of that distributed footprint tend to draw far less scrutiny than core enterprise systems. Critical infrastructure operators should treat this as a direct warning rather than a general industry trend, given how often such technology sits outside standard IT security coverage.
More Australia coverage
Supply chains and defense strategy
Supply-chain exposure makes the problem even bigger. PwC’s report says attackers are no longer focusing on a single entry point. They’re targeting executives, developers, vendors, hiring processes, and financial workflows simultaneously.
That creates a particular challenge for Australian enterprises, as many rely on a broad network of managed service providers. The risk this brings is a major reason identity governance is increasingly appearing on Australian board agendas rather than remaining within the security team.
The catch for Australian organizations is capacity. ISACA’s 2025 State of Cybersecurity report found 55% of Australian security teams are understaffed, even as AI-driven attacks accelerate in speed and volume. That shortage turns AI from a nice-to-have into something closer to a necessity. Businesses that cannot hire their way to a fully staffed security team are increasingly relying on AI-enabled detection and automated containment simply to keep pace with automated attackers, rather than as a competitive edge.
McConkey’s framing of the trade-off is blunt: AI represents defenders’ best chance to match attackers’ speed through faster detection, automated containment, and intelligence-led response at scale. For Australian security leaders already stretched thin, that’s less an opportunity than an operational requirement.
Action items for Australian enterprises
PwC’s practical recommendations translate into a short list for local security and IT leaders:
- Extend zero-trust principles to non-human and machine identities, not just staff logins;
- Bring edge devices and remote infrastructure into the same monitoring regime as core systems;
- Map which suppliers and contractors have access to critical systems;
- Give identity governance a standing seat at the board level rather than folding it into an occasional security briefing.
None of this suggests Australian enterprises are uniquely at fault. PwC’s findings describe a global shift in attacker behavior. But a highly digitized economy with a highly distributed workforce, a deep supply chain footprint, and a well-documented security skills gap, as in Australia, has less room to treat this problem as someone else’s.
Read the full article here