
Queensland Has Australia's Highest Cybercrime Rate — Its New Strategy Points Straight at the Access Layer

David Contreras | Published March 12, 2026
Key takeaways
  • Queensland reports the highest cybercrime rate of any Australian state (28% of all national reports) and its new Cyber Security Strategy is a direct response to documented, compounding risk that is getting more expensive every year.
  • Zero trust is now state policy, but zero trust starts at the access layer: credentials, MFA, and SaaS visibility come before infrastructure transformation.
  • Supply chain resilience is a governance mandate: your contractors, vendors, and partners are your extended attack surface, and credential-level control is how you manage it.
  • IS18 and the Essential Eight dashboard pilot signal that continuous compliance is the new baseline expectation, not an annual checkbox exercise.

Queensland (QLD) recently released its 2025–2027 Cyber Security Strategy, its first-ever dedicated cyber security strategy, signalling that the state is responding to a problem that has outgrown existing governance.

  • Queensland accounts for 28% of all cybercrime reports made nationally, the highest of any Australian state or territory, and disproportionate to its population.
  • For small businesses, the average self-reported cost of cybercrime hit $56,600 in 2025, up 14% from the year before.
  • For medium businesses, it jumped to $97,200, a 55% increase in a single year.

This strategy applies to any organisation that stores data, relies on third-party systems, or employs people who log into things. At LastPass, we pay close attention to these strategies because the problems they name are the problems we help address: credential theft, unmanaged access, shadow IT, and supply chain exposure.

The threat is basic

The QLD strategy does not describe a sophisticated, hard-to-defend threat environment. It describes one where "basic attack techniques continue to be effective." Tactics like phishing, credential theft, misconfigured systems, and unpatched software are some of the most common ones in the region and reflect global attacker trends. The organisations losing ground to cybercriminals are not failing because their defences are too simple. They're failing because the basics are not consistently in place.

One new cybercrime report was made to ReportCyber approximately every 6 minutes in Australia last year. In Queensland, one in eight of those reports affected state or local government. The access layer is where most of these incidents began. It is also where they are easiest to stop.

Priority 1: Resilience

The strategy defines resilience as the ability to "absorb, adapt, and respond to the changing threat landscape." It calls on organisations to embed cyber security into the foundations of service delivery, adopt zero trust approaches, and develop supply chain resilience across procurement and vendor relationships.

Zero trust starts at the credential, not the network

Zero trust is often treated as an infrastructure transformation project when it is, at its core, an access management discipline. Most breaches don't start with a sophisticated network intrusion. They start with a credential: for instance, a phishing campaign that harvested a login, a shared account that was never rotated, or an employee who reused a password across a personal and work account. Zero trust does not replace your password manager. It depends on one.

LastPass addresses this at the layer that matters: a password vault with enforced MFA covers the authentication baseline. SaaS Monitoring and Protect add visibility into credential-based access outside your SSO, including the shadow IT and AI tools employees adopt without IT approval. You can operate with zero trust principles without rebuilding your identity infrastructure. You need to control how people actually log in.

Supply chain resilience is a credential problem

47% of organisations suffered a supply chain cyber attack in 2024. Supply chain attacks increased 200% between 2022 and 2023. The Queensland strategy responds to this directly, with explicit objectives to "grow risk and governance capability, including in complex supply chains" and to "promote supply chain cyber resilience for government."

The reason supply chain attacks work is straightforward: organisations grant access to trusted third parties (vendors, contractors, and partners), and that access is often under-managed. Shared logins. Credentials that persist after a project ends and access is no longer required. Third parties who have more access than they need.

The QLD government depends heavily on industry partners to deliver services to citizens. Its strategy acknowledges that those partners are part of the state's attack surface. The same is true for any organisation with an extended vendor ecosystem.

LastPass addresses this at the credential layer:

  • Shared credential vaults let contractors access systems without ever seeing the underlying password
  • Role-based access control limits what each person can reach
  • Access can be revoked instantly, without waiting for manual password changes across multiple systems
  • Every access event is logged, so you know who touched what and when

If a vendor relationship ends today, can you revoke their access across every system before the working day is over? If the answer is "probably not," then the supply chain risk is already live.

Priority 2: Workforce

Australia needs 30,000 more cyber security workers within the next four years. 74% of organisations already report significant skills gaps. Queensland's response is to embed security awareness across all levels of the public sector — not just within dedicated security teams — on the premise that everyone who logs into a system is part of the security posture.

That only works if the tools support it. If a security control requires specialist expertise to operate, it will not reach the people who need it most. LastPass is built for stretched IT teams and non-technical staff. The secure behaviour has to be easier than the insecure alternative, or it will not happen consistently.

For government and public sector organisations, the IMPACT program addresses both constraints the strategy names, limited IT capacity and constrained budgets: site-wide licensing, included onboarding, and Essential Eight-aligned security uplift without requiring a dedicated security team to run it.

Priority 3: Governance

Queensland's IS18 policy sets mandatory information security requirements for state agencies, and the strategy signals it will expand to a broader range of entities. The Essential Eight dashboard pilot moves compliance measurement from annual reporting to a live view of posture. The direction is clear: the gap between policy on paper and controls in place is where incidents happen, and government intends to close it.

Essential Eight Maturity Level 1 covers MFA, admin privilege control, and secure credential management as the ground floor, not a stretch target. LastPass addresses all three: password policies enforced automatically, MFA applied consistently across every vaulted app, and reporting that surfaces access logs, password health scores, and policy adherence in a format auditors can use. When IS18 requires demonstrated credential hygiene, the evidence is already there.

AI is changing the credential threat

The QLD strategy names AI as both opportunity and threat. 47% of respondents in the World Economic Forum's 2025 survey said AI-driven adversarial capabilities are their main concern.

The specific risk to the access layer is infostealers: AI-powered malware that silently harvests credentials from compromised devices, browsers, and unsecured password stores. These tools are getting faster, cheaper, and more accessible to criminal groups. And they are finding their way in through the same channels the QLD strategy describes: shadow SaaS, unapproved AI tools, browser-based work that IT can't see.

The problem is not just the infostealer. It is the blind spot that makes infostealers effective: employees logging into AI tools and SaaS apps that IT has never approved, using unmanaged credentials. Shadow IT is not a new risk, but AI has accelerated it dramatically. Every new AI tool an employee signs up for is another credential outside your control, another login IT cannot monitor, another potential entry point.

SaaS Monitoring and Protect surface exactly this: the approved (and unapproved) apps your team is using, how they're authenticating, and where weak or reused passwords are creating exposure. Secure Access Essentials closes the gap: credentials managed centrally, access visible across the environment, and risky logins flagged before they become incidents. You can't protect access you can't see.

The credential layer is where AI attacks land first. It is also where they are most straightforward to stop.

What this means for you

The three priorities (Resilience, Governance, and Workforce) map to three practical questions:

  • Resilience: If a contractor's credentials were compromised today, could you revoke their access across every connected system before it escalates?
  • Governance: Can you demonstrate your Essential Eight or IS18 compliance posture right now, with evidence, not a policy document?
  • Workforce: Are the security controls you have in place something your whole team can actually use, or do they depend on expertise you do not have?

If any of those answers are uncertain, the gap is real. But it is fixable, and it does not require starting from scratch.
