Australian firms unprepared for privacy act identity security changes

Following updates to Australia's Privacy Act, businesses need to be aware of significant implications, particularly around identity security. The reforms indicate a shift towards greater accountability in handling personal data, requiring a proactive approach to embedding security by design.

Attorney-General Mark Dreyfus has emphasised that Australians should expect their data to be well-protected. However, according to the 2024 Identity Threat Landscape Report by CyberArk, many Australian organisations appear unprepared for these changes. Data theft and privacy remain leading concerns, suggesting current security practices may not meet the new standards. These gaps could prove costly for companies that rely on outdated or incomplete identity security frameworks.

One critical issue is the definition of "privileged access." Olly Stimpson, Strategic Security Advisor at CyberArk, pointed out, "Only 38% of Australian companies consider all human and machine identities with access to sensitive data as 'privileged'." This leaves nearly two-thirds of organisations considering privileged access as merely a "security thing" pertinent only to human identities. Stimpson warned, "Any organisation using this narrow definition will not keep pace with legislative requirements."

Research reveals that 46% of Australian organisations report more than half of their machine identities access sensitive data, while 37% indicate a similar proportion for human identities. This disparity underscores the necessity for organisations to re-evaluate their security practices comprehensively. Stimpson advised, "Organisations can no longer afford to overlook the risks posed by machine identities and must scrutinise every access point, whether human or machine."

The adoption of AI and automated technologies further complicates the landscape, granting machine identities deeper access to valuable data. This increases the potential for data leakage, a pressing concern for many organisations. Machine identities often lack the robust security controls typical of human identities, making their deployment in advanced processes particularly risky.

Australia's cybersecurity challenges are considerable. Nearly 99% of organisations experienced multiple identity-related breaches last year. These incidents highlight that legacy solutions are inadequate against today's sophisticated cyber threats. Furthermore, the environment is expected to become even more complex. The report indicates that nearly half (48%) of Australian organisations anticipate a threefold increase in the number of identities they manage over the next 12 months.

While some aspects of the expected changes to the Privacy Act – such as the expanded definition of personal information, the fair and reasonable test, and new rules for direct marketing and targeted advertising – have been deferred, these updates to the Act signal only the beginning of more stringent regulations in the future.

Stimpson concluded, "The updated Australian Privacy Act highlights the growing importance of identity security as personal data protection becomes more stringent. Organisations must now go beyond traditional security methods to secure every identity - whether human or machine - that interacts with sensitive information." He elaborated that as businesses face diverse identities accessing data across complex environments, robust privileged controls become paramount. Failure to adapt to these new demands could result in considerable financial and legal repercussions under the new privacy regime.