Is your MSP protecting your identity or just your network? What every CEO should ask in 2026
The identity threat landscape: what the data tells us
Identity-based attacks have overtaken network intrusions as the leading cause of data breaches, not just globally, but right here in Australia. According to the Australian Signals Directorate (ASD) Cyber Threat Report 2024–25, Australians lodged 84,700 cybercrime reports in the 2024–25 financial year – the equivalent of one report every six minutes. For small and medium-sized businesses (SMBs), the average financial impact per incident exceeded $46,000.
Globally, the picture is equally stark. The IBM Cost of a Data Breach Report 2024 identifies stolen or compromised credentials as the single most common initial attack vector, accounting for nearly one in five breaches analysed across industries worldwide.
Yet despite this shift, many organisations are still asking their Managed Service Provider (MSP) the wrong questions – focusing on firewall rules and network perimeters, while attackers walk straight through the front door using legitimate credentials. This post gives you five direct questions to ask your MSP in 2026 and shows you exactly what a strong answer looks like versus a red flag.
Why identity is the new perimeter, and why Perth businesses need to take notice
The mechanics of a modern identity attack
Modern credential theft rarely involves brute force or dramatic hacking scenes. Today’s attackers deploy infostealer malware that silently harvests saved passwords, browser cookies, and active session tokens from a device, often without triggering a single security alert. According to the CrowdStrike 2025 Global Threat Report, infostealer malware grew significantly in volume throughout 2024, with stolen credentials sold on dark-web marketplaces within hours of compromise.
Once an attacker has a valid session token, they can authenticate to cloud services, email platforms, and financial systems without ever needing to know your password – bypassing multi-factor authentication (MFA) entirely.
MFA is necessary – but no longer sufficient
MFA remains a critical control and is mandated under the Australian Cyber Security Centre’s (ACSC) Essential Eight framework. However, according to the Microsoft Digital Defence Report 2024, identity-based attacks have evolved to circumvent standard MFA through techniques including:
- MFA fatigue attacks: flooding a user with repeated authentication push notifications until they approve one out of frustration
- Push bombing: a high-volume variant of MFA fatigue targeting executive and privileged accounts
- Session token hijacking: stealing authenticated browser sessions to bypass MFA requirements entirely
This is not a reason to remove MFA, it is a reason to move beyond it to Identity Threat Detection and Response (ITDR): continuous monitoring and automated response capabilities that detect anomalous identity behaviour in real time.
The remote workforce risk – a particular concern for Perth businesses
Perth organisations that rely on remote workers, interstate staff, or offshore teams face a materially wider identity perimeter than those operating from a single location. Each additional user – regardless of where they are based – represents a credential that can be compromised, a session that can be hijacked, and a pathway into your organisation’s systems. Without consistent identity governance applied equally across all staff, that risk compounds every time your team grows.
5 questions every CEO should ask their MSP in 2026
Use these questions in your next MSP review, board meeting, or technology briefing. Each one is designed to surface whether your provider is managing identity risk – or just network perimeter security.
Question 1: “Can you show me every identity in our environment – and flag the ones that shouldn’t be there?”
Most organisations have far more active identities than they realise. Former employees with accounts that were never deactivated, service accounts with excessive permissions, and administrator credentials that no one can trace back to a person — these are all common findings in identity audits. Attackers specifically seek out these dormant or over-privileged accounts because they tend to receive less monitoring.
Question 2: “What happens the moment a credential is stolen – not after the breach, but in real time?”
Detection speed is everything in identity security. The longer a stolen credential goes undetected, the deeper an attacker moves through your systems. The question is not whether your MSP has security tools – it is whether those tools are actively monitoring identity behaviour and triggering automated responses the moment something anomalous is detected.
Question 3: “Are our remote and offshore team members held to the same identity standards as our on-site staff?”
This is one of the most overlooked questions in Australian boardrooms. As businesses expand their teams across state lines, time zones, and international borders – whether through direct employment, staff augmentation, or offshore staffing arrangements – the identity perimeter grows with every new team member. A security policy that applies only to staff physically present in a Perth office offers little protection when half your team is working remotely.
At SupportHub360, we see this first-hand. Our offshore staffing and remote team solutions are built with identity governance embedded from day one – conditional access policies, device compliance requirements, and consistent MFA enforcement regardless of where a team member logs in from.
Question 4: “Is our MFA actually stopping attacks – or just creating a false sense of security?”
MFA is no longer a silver bullet. As noted in the Microsoft Digital Defence Report 2024, attackers have adapted to circumvent standard MFA implementations through push bombing and session token theft. The right question is not whether you have MFA enabled – it is whether your MFA implementation is resistant to modern bypass techniques and whether your MSP monitors for signs that it is being attacked.
Question 5: “What does your SOC do at 2am on a Sunday when our identity system flags anomalous behaviour?”
Attackers do not work business hours. Many of the most damaging breaches begin late at night, over weekends, or during public holidays – precisely because they know monitoring and response capacity often drops during these windows. If your MSP’s SOC is staffed 9–5 Monday to Friday, there is a predictable window of reduced visibility that sophisticated attackers will actively target.
What identity-first security looks like in practice
At SupportHub360,we believe identity security is not an add-on to managed services offering – it is foundational to how we protect Australian SMBs and MSPs. Our NOC and SOC monitoring services, includes identity threat detection integrated directly into our monitoring stack. We do not wait for a breach notification to tell us something has gone wrong.
Our approach to IT security consulting is built around the principle that your identity environment should be fully mapped, continuously monitored, and capable of automated response – not reviewed quarterly in a spreadsheet.
Critically, we also recognise that the businesses we support are not static. Many of our clients grow their teams through offshore staffing and remote augmentation – which is why our security frameworks are designed to scale with your workforce. Every team member we help bring onboard, whether locally or internationally, is provisioned with consistent identity controls from day one. That means the same conditional access policies, the same MFA enforcement, and the same monitoring coverage – regardless of where in the world they are logging in from.
SupportHub360 services referenced in this article
The bottom line
The threat landscape has shifted. Attackers are no longer trying to break through your firewall, instead, they are logging in through your front door using stolen credentials, compromised sessions, and exploited identity gaps.
If your MSP or MSSP is still primarily focused on network perimeter security without a clear, demonstrable identity threat detection capability, there is a gap that needs to be addressed.
The five questions in this article are a starting point. They are designed to give you, as a CEO or business leader, the language to have an informed conversation with your provider and the confidence to recognise whether the answers you receive reflect a mature, identity-first security posture or a legacy approach that has not kept pace with the threat environment.
Not sure whether your current MSP is covering your identities?
Book a free 30-minute identity security review with our Perth team. We’ll walk you through your current exposure and what a stronger identity posture looks like for your organisation.
Sources
All statistics and claims in this article are drawn from the following primary sources:
- ASD Cyber Threat Report 2024–25 – cyber.gov.au
- IBM Cost of a Data Breach Report 2024 – ibm.com/reports/data-breach
- CrowdStrike 2025 Global Threat Report – crowdstrike.com/global-threat-report
- Microsoft Digital Defence Report 2024 – https://www.microsoft.com/en-au/security/security-insider/intelligence-reports
- ACSC Essential Eight – cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
