Queensland has Australia's highest cybercrime rate: Its new strategy points straight at the access layer
Queensland recently released its 2025–2027 Cyber Security Strategy, its first-ever dedicated cybersecurity strategy, signalling that the state is responding to a problem that has outgrown existing governance:
- Queensland accounts for 28% of all cybercrime reports made nationally, the highest of any Australian state or territory, and disproportionate to its population.
- The average self-reported cost of cybercrime for small businesses hit $56,600 in 2025, up 14% from the year before.
- For medium businesses, cybercrime cost jumped to $97,200, a 55% increase in a single year.
This strategy applies to any organisation that stores data, relies on third-party systems, or employs people who log into things. At LastPass, we pay close attention to these strategies because the problems they name are the problems we help address: credential theft, unmanaged access, shadow IT and supply chain exposure.
The threat is basic
The Queensland strategy does not describe a sophisticated, hard-to-defend threat environment. It describes one where “basic attack techniques continue to be effective”. Tactics like phishing, credential theft, misconfigured systems, and unpatched software are some of the most common ones in the region and reflect global attacker trends. The organisations losing ground to cybercriminals are not failing because their defences are too simple. They are failing because the basics are not consistently in place.
One new cybercrime report was made to ReportCyber approximately every six minutes in Australia last year. In Queensland, one in eight of those reports affected state or local government. The access layer is where most of these incidents began. It is also where they are easiest to stop.
Priority 1: Resilience
The strategy defines resilience as the ability to “absorb, adapt, and respond to the changing threat landscape”. It calls on organisations to embed cybersecurity into the foundations of service delivery, adopt zero trust approaches, and develop supply chain resilience across procurement and vendor relationships.
Zero trust starts at the credential, not the network
Zero trust is often treated as an infrastructure transformation project when it is, at its core, an access management discipline. Most breaches do not start with a sophisticated network intrusion; they start with a credential: for instance, a phishing campaign that harvested a login, a shared account that was never rotated, or an employee who reused a password across a personal and work account. Zero trust does not replace your password manager; it depends on one.
LastPass addresses this at the layer that matters: a password vault with enforced MFA covers the authentication baseline. SaaS Monitoring and Protect adds visibility into credential-based access outside your SSO, including the shadow IT and AI tools employees adopt without IT approval. You can operate with zero trust principles without rebuilding your identity infrastructure. You need to control how people actually log in.
Supply chain resilience is a credential problem
47% of organisations suffered a supply chain cyber-attack in 2024. Supply chain attacks increased 200% between 2022 and 2023. The Queensland strategy responds to this directly, with explicit objectives to “grow risk and governance capability, including in complex supply chains” and to “promote supply chain cyber resilience for government”.
The reason supply chain attacks work is straightforward: organisations grant access to trusted third parties (i.e. vendors, contractors, and partners), and that access is often under-managed. Often there are shared logins, credentials that persist after a project ends and access is no longer required, and third parties who have more access than they need.
The Queensland Government depends heavily on industry partners to deliver services to citizens. Its strategy acknowledges that those partners are part of the state’s attack surface. The same is true for any organisation with an extended vendor ecosystem.
LastPass addresses this at the credential layer:
- Shared credential vaults let contractors access systems without ever seeing the underlying password.
- Role-based access control limits what each person can reach.
- Access can be revoked instantly, without waiting for manual password changes across multiple systems.
- Every access event is logged, so you know who touched what and when.
If a vendor relationship ends today, can you revoke their access across every system before the working day is over? If the answer is “probably not”, then the supply chain risk is already live.
Priority 2: Workforce
Australia needs 30,000 more cybersecurity workers within the next four years, and 74% of organisations already report significant skills gaps. Queensland’s response is to embed security awareness across all levels of the public sector — not just within dedicated security teams — on the premise that everyone who logs into a system is part of the security posture.
That only works if the tools support it. If a security control requires specialist expertise to operate, it will not reach the people who need it most. LastPass is built for stretched IT teams and non-technical staff. The secure behaviour has to be easier than the insecure alternative, or it will not happen consistently.
For government and public sector organisations, the IMPACT program addresses both constraints the strategy names: limited IT capacity and constrained budgets. It provides site-wide licensing, included onboarding, and Essential Eight-aligned security uplift without requiring a dedicated security team to run it.
Priority 3: Governance
Queensland’s IS18 policy sets mandatory information security requirements for state agencies, and the strategy signals it will expand to a broader range of entities. The Essential Eight dashboard pilot moves compliance measurement from annual reporting to a live view of posture. The direction is clear: the gap between policy on paper and controls in place is where incidents happen, and government intends to close it.
Essential Eight Maturity Level 1 covers MFA, admin privilege control, and secure credential management as the ground floor, not a stretch target. LastPass addresses all three: password policies enforced automatically, MFA applied consistently across every vaulted app, and reporting that surfaces access logs, password health scores, and policy adherence in a format auditors can use. When IS18 requires demonstrated credential hygiene, the evidence is already there.
AI is changing the credential threat
The Queensland strategy names AI as both opportunity and threat. 47% of respondents in the World Economic Forum’s 2025 survey said AI-driven adversarial capabilities are their main concern.
The specific risk to the access layer is infostealers: AI-powered malware that silently harvests credentials from compromised devices, browsers, and unsecured password stores. These tools are getting faster, cheaper, and more accessible to criminal groups. And they are finding their way in through the same channels the Queensland strategy describes: shadow SaaS, unapproved AI tools, browser-based work that IT cannot see.
The problem is not just the infostealer. It is the blind spot that makes infostealers effective: employees logging into AI tools and SaaS apps that IT has never approved, using unmanaged credentials. Shadow IT is not a new risk, but AI has accelerated it dramatically. Every new AI tool an employee signs up for is another credential outside your control, another login IT cannot monitor, another potential entry point.
SaaS Monitoring and Protect surfaces exactly this: the approved (and unapproved) apps your team is using, how they are authenticating, and where weak or reused passwords are creating exposure. Secure Access Essentials closes the gap: credentials managed centrally, access visible across the environment, and risky logins flagged before they become incidents. You cannot protect access you cannot see.
The credential layer is where AI attacks land first. It is also where they are most straightforward to stop.
What all this means
The three priorities — Resilience, Governance and Workforce — map to three practical questions:
- Resilience: If a contractor’s credentials were compromised today, could you revoke their access across every connected system before it escalates?
- Governance: Can you demonstrate your Essential Eight or IS18 compliance posture right now, with evidence, not a policy document?
- Workforce: Are the security controls you have in place something your whole team can actually use, or do they depend on expertise you do not have?
If any of those answers are uncertain, the gap is real. But it is fixable, and it does not require starting from scratch.
- Download The Complete Guide to AI Access Governance: Enable Innovation, Ensure Security.
- Book a demo to see how LastPass centralises credentials, surfaces shadow SaaS, and enables rapid breach response.
- Start a free trial and see the difference in days, not months.
