The most consequential finding in UpGuard’s 2025 ASX 200 Cybersecurity Report is not the average security score or the sector rankings. It is the confirmation that ten percent of Australia’s largest listed companies, organizations with the resources, regulatory obligations, and board-level security attention that ASX 200 status implies, have active, verified infostealer infections with high confidence that credentials are circulating in dark web logs right now.
That finding deserves careful reading. Not historical exposure. Not potential vulnerability. Active, verified infections in organizations that presumably have security programs, compliance requirements, and executive accountability for cybersecurity posture. The infection is already inside the perimeter. The credentials are already in circulation. The access paths that threat actors can use to escalate privileges, move laterally, and reach critical systems are already open, waiting for someone to use them.
The 71 percent concentration of infostealer infections in the largest ASX 200 organizations, those with the largest attack surfaces, the most complex vendor ecosystems, and the highest-value credential stores, confirms that organizational scale and security investment do not correlate reliably with protection against credential-harvesting campaigns. Scale creates more employees, more endpoints, more authentication events, and more opportunities for infostealers to establish themselves in endpoints outside the direct visibility of centralized security monitoring.
For enterprise security leaders in Australia and globally, this report is a benchmark document that places the credential theft threat in quantified, peer-comparable terms that board-level security conversations require.
Credential theft is no longer just an access problem. It is an identity trust problem. When attackers can hijack authenticated sessions, impersonate legitimate users, or exploit stolen credentials without triggering conventional controls, organizations need stronger identity defense strategies. Consltek’s Deepfake to Breach: SMB Playbook for Identity Attacks provides a practical framework for defending against modern identity-driven attacks.
What Infostealer Infections Actually Mean for Enterprise Security Programs
The infostealer threat category has matured significantly over the past several years, and understanding what an active infection represents operationally is essential context for assessing the risk these findings describe.
Modern infostealers, the most prevalent families including Redline, Raccoon, Vidar, and their successors, are credential and session data harvesting tools deployed through phishing campaigns, malicious downloads, and increasingly through AI-assisted social engineering. Once installed on an endpoint, an infostealer harvests browser-stored credentials, session cookies, authentication tokens, VPN credentials, and application passwords from the infected device, exfiltrating everything to attacker-controlled infrastructure where it is packaged into logs and sold on dark web marketplaces.
The critical operational detail is that infostealer logs frequently contain session cookies alongside credentials. Session cookies represent authenticated sessions that remain valid after the cookie is harvested, allowing attackers to bypass multi-factor authentication by presenting a valid session token rather than completing the authentication flow that MFA is designed to protect. An organization that has implemented MFA across its workforce is not protected against an attacker presenting a harvested session cookie from an already-authenticated session.
That session cookie bypass capability is what makes the 10 percent active infection finding so operationally significant. The affected organizations are not simply at risk of credential stuffing attacks against their login portals. They may be facing adversaries with active access to authenticated sessions that their own security monitoring would not flag as suspicious, because the session appears legitimate from the identity provider’s perspective.
The remediation timeline between infostealer infection and organizational discovery has historically been measured in months. Credentials and session tokens harvested from an infected employee endpoint may circulate in dark web logs for weeks before they are purchased, used, and converted into active intrusion attempts. Organizations that rely on periodic security assessments and annual penetration testing to discover credential exposure have a structural gap between the speed at which their exposure accumulates and the speed at which they become aware of it.
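To show why a harvested cookie slips past MFA and how an identity team can still surface it, here is an added example (not from the UpGuard report or this article) that checks later uses of a session cookie against the client context recorded when the MFA challenge was completed. The event schema, the /24 "same network" heuristic and the log lines are constructed assumptions.

```python
import ipaddress

# Constructed identity-provider events (not real logs): an MFA success binds a session
# cookie to the client that completed the challenge; later events re-present the cookie.
EVENTS = [
    {"t": 1000, "type": "mfa_success", "session": "c1", "user": "j.smith",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    # Same browser, address still inside the bound /24: routine roaming, no alert.
    {"t": 1600, "type": "session_use", "session": "c1", "user": "j.smith",
     "ip": "203.0.113.44", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    # Same cookie from a new network and a different browser with no fresh MFA:
    # the token is valid, so only the changed context reveals the replay.
    {"t": 9000, "type": "session_use", "session": "c1", "user": "j.smith",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115"},
    # A cookie the IdP never saw pass an MFA challenge inside this log window.
    {"t": 9100, "type": "session_use", "session": "c9", "user": "j.smith",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115"},
]


def detect_replays(events, prefix_len=24):
    """Return (time, session, reason) for session uses that break the MFA-time binding.

    prefix_len is the IPv4 prefix inside which an address change is treated as routine
    (assumed tuning; a production rule would add ASN or geolocation context).
    """
    bindings = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "mfa_success":
            bindings[ev["session"]] = ev
            continue
        bound = bindings.get(ev["session"])
        if bound is None:
            alerts.append((ev["t"], ev["session"],
                           "cookie presented with no MFA binding on record"))
            continue
        reasons = []
        if ev["ua"] != bound["ua"]:
            reasons.append("user-agent differs from MFA-time browser")
        home = ipaddress.ip_network(f"{bound['ip']}/{prefix_len}", strict=False)
        if ipaddress.ip_address(ev["ip"]) not in home:
            reasons.append(f"source {ev['ip']} outside bound network {home}")
        if reasons:
            alerts.append((ev["t"], ev["session"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for t, sid, reason in detect_replays(EVENTS):
        print(f"t={t} session={sid}: {reason}")
```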
The Reactive Security Cycle That Periodic Reviews Entrench
UpGuard’s identification of a trend where security scores remain stagnant until a major global security event triggers a brief spike in remediation, followed by subsidence as organizational priorities shift, describes a pattern that has been observed across enterprise security programs globally and that the ASX 200 data now quantifies in specific terms.
The CrowdStrike outage example is instructive. An event that demonstrated the operational consequence of security infrastructure fragility produced a measurable, if temporary, improvement in remediation activity across affected organizations. That response demonstrates that organizational capacity for security improvement exists. What the subsequent subsidence demonstrates is that capacity allocation, rather than genuine sustained priority change, is what drove the improvement.
This reactive cycle has a specific economic logic that drives it. Security improvements triggered by high-visibility incidents generate executive attention and budget release that makes remediation faster. When the incident recedes from executive attention, competing priorities reassert themselves and the security improvement momentum dissipates before the underlying vulnerability landscape has been systematically addressed.
The organizational consequence of reactive security cycles is an attack surface that improves in spikes but reverts to drift between them. Vulnerabilities that were addressed after a triggering incident return as new exposures accumulate, configurations drift from patched states, and vendor risk profiles change without generating the internal urgency that would trigger review. The 30 percent of ASX 200 companies that ended the measurement period in a worse security position than they started, despite the industry-wide average improvement, reflects that drift in organizations where remediation momentum did not sustain.
Greg Pollock’s framing of the required shift, from periodic security checks to continuous, comprehensive cyber risk posture management, is the correct operational prescription for breaking the reactive cycle. Continuous monitoring that surfaces new exposures as they emerge, rather than discovering accumulated exposure in periodic reviews, changes the organizational dynamic from crisis response to ongoing management. The urgency of addressing a vulnerability discovered this week is different from the urgency of addressing a vulnerability that has been accumulating for six months between review cycles.
The Supply Chain Cascade Risk and Its Systemic Implications
The finding that the majority of ASX 200 companies rely on the same core SaaS platforms, creating cascade potential where a single vendor vulnerability can propagate across hundreds of organizations simultaneously, describes a systemic risk concentration that individual organization security posture management cannot fully address.
Enterprise SaaS platform concentration is not a choice that organizations make for security reasons. They use the same productivity suites, collaboration platforms, CRM systems, and infrastructure services because those platforms are the most capable, most integrated, and most cost-effective options available. The security consequence of that rational procurement decision is a correlation risk: when a vulnerability is discovered in a platform used by most of the ASX 200, the exposure is simultaneous across all of them.
The cascade scenario that concerns security leadership is not simply shared vulnerability exposure. It is the combination of shared vulnerability with shared authentication infrastructure. If a SaaS platform used across the ASX 200 is breached and session tokens or federated authentication credentials are compromised at the vendor level, the downstream impact is not a single organization’s problem. It is a sector-wide credential exposure event that occurs faster than any individual organization’s monitoring and response capability can address.
Vendor risk monitoring that evaluates the security posture of shared SaaS platforms continuously rather than annually provides earlier warning of vendor-level exposure that could cascade to enterprise customers. The transition from periodic vendor security questionnaires to real-time vendor risk monitoring, recommended explicitly in the UpGuard report, addresses the cascade risk at the detection layer. Whether organizations can act on that warning faster than the cascade propagates depends on whether they have pre-established incident response procedures for vendor-level authentication compromises that do not require emergency approval processes before protective action can begin.
Encryption as the Persistent Weakest Link
The identification of encryption as the lowest-scoring technical category for the second consecutive year in the ASX 200 report is a finding that deserves specific attention from enterprise security and technology leadership, because it represents a failure in a security control that is relatively straightforward to implement and that regulators increasingly treat as a baseline expectation rather than a security enhancement.
Encryption weaknesses in the external attack surface context typically manifest as deprecated TLS versions, weak cipher suite configurations, mixed content on web properties, and certificate management failures that create opportunities for interception or man-in-the-middle attacks. These are not novel, complex security challenges. They are configuration management failures in controls that have been standard enterprise security requirements for over a decade.
The persistence of encryption as the lowest-scoring category across two consecutive measurement years suggests that the problem is not awareness or budget. Most organizations know they should maintain current TLS configurations and strong cipher suites. The persistence suggests instead a configuration management and certificate lifecycle management process failure, where encryption standards are not being maintained continuously across the organization’s full external attack surface, including the web properties, API endpoints, and service integrations that sit outside the primary security team’s visibility.
The data privacy implication of persistent encryption weakness is directly relevant to organizations subject to the Privacy Act 1988 and the Australian Privacy Principles, as well as those with operations that fall under GDPR or other data protection frameworks. Encryption weaknesses that create realistic interception risk for data in transit represent a technical compliance failure that regulators in Australia’s evolving regulatory environment, strengthened by the Cyber Security Act 2024, are increasingly positioned to scrutinize.
Cyber Security Act 2024 and What It Means for ASX 200 Companies
The legislative context in which the UpGuard report’s recommendations were developed is not incidental. Australia’s Cyber Security Act 2024 introduces new mandatory requirements for cybersecurity incident reporting, security standards, and accountability mechanisms, and those requirements have significantly changed the compliance environment for ASX 200 companies.
The Act’s mandatory cyber incident reporting provisions put time pressure on breach detection and reporting that periodic monitoring programs cannot meet. Whenever an infostealer infection is eventually discovered, the organization will face the question of whether its detection and reporting timeframes satisfied the Act’s mandatory provisions, regardless of how long the infection had already been present.
The Act’s security standards provisions establish baseline requirements that create regulatory exposure for organizations whose external security posture falls below mandated levels. UpGuard’s finding that a third of ASX 200 companies ended the measurement period in a worse security position than they started, and that encryption remains the lowest-scoring category for the second consecutive year, describes a population of organizations with potential regulatory compliance gaps under the new legislative framework.
For ASX 200 security leadership, the combination of the UpGuard findings and the Cyber Security Act 2024 compliance requirements creates a specific business case structure for continuous monitoring investment that periodic review programs cannot support. Demonstrating to regulators, insurers, and boards that the organization has continuous visibility into its external security posture, active dark web credential monitoring, and real-time vendor risk assessment is no longer simply a security best practice. It is increasingly the minimum evidentiary standard required to demonstrate compliance with Australia’s evolving regulatory framework.
Sector Analysis and What the Materials Sector’s Risk Profile Means
The sector analysis in the UpGuard report, where Information Technology scores highest at 776, Utilities ranks second at 769, and Materials scores lowest at 673, shows a clear pattern with direct implications for how security investment should be approached.
The Materials sector’s lowest ranking does not mean it invests less in security than other sectors. Its risk profile for mining, resources, and materials operations is shaped by extensive OT infrastructure, geographic distribution across many sites, long and complex supply chains with multiple contractors and logistics providers, and a weaker cybersecurity track record relative to the value of the data and assets these organizations manage.
The OT security implications for Materials sector organizations are particularly significant given the threat actor interest in critical infrastructure targeting that has been documented across Australian government advisories from the Australian Cyber Security Centre. Materials sector organizations managing mining operations, processing facilities, and export infrastructure represent critical national infrastructure targets where operational technology compromise carries physical and economic consequence well beyond data theft.
The Utilities sector’s second-place ranking at 769 is a positive data point that reflects the sector’s exposure to critical infrastructure designation requirements and the regulatory scrutiny that drives security investment. The proximity of Utilities scores to Information Technology scores, despite very different technology profiles, demonstrates that regulatory pressure and governance accountability are effective drivers of security posture improvement across sectors with different technology characteristics.
The Three Continuous Monitoring Requirements That Break the Reactive Cycle
UpGuard’s three remediation recommendations, continuous external scanning, real-time vendor risk monitoring, and dedicated dark web monitoring with credential exposure detection, collectively describe the monitoring infrastructure that converts periodic security review programs into continuous risk posture management.
Continuous external scanning addresses the attack surface volatility finding, where a third of organizations ended the measurement period in worse security positions than they started. Attack surface drift occurs because web properties, cloud assets, API endpoints, and service integrations change continuously across organizations with active technology programs. Scanning that captures the attack surface as it exists today rather than as it existed at the last assessment provides the current state visibility needed to identify new exposures as they emerge rather than after they have been in place long enough to be discovered and exploited.
Real-time vendor risk monitoring addresses the supply chain cascade risk by providing continuous visibility into the security posture of the SaaS platforms and third-party services that ASX 200 organizations depend on. A vendor security rating that degrades significantly between annual assessments represents real risk exposure during the assessment gap. Real-time monitoring that surfaces vendor posture changes as they occur gives organizations the option to take protective action, increase monitoring intensity, or escalate vendor engagement before a vendor-level compromise propagates to their environment.
Dark web monitoring with credential exposure detection is the control that directly addresses the 10 percent active infostealer infection finding. Organizations that know their credentials are circulating in dark web logs can force credential rotation, investigate the affected endpoints, invalidate potentially compromised session tokens, and take protective action before harvested credentials are used for unauthorized access. Organizations that discover the same exposure during an annual penetration test or following an active intrusion have lost the window in which protective action could have prevented the breach.
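An added example (not from the UpGuard report or this article) of the response step described above: triaging a credential-exposure feed against the identity provider’s session table to decide what to reset, revoke and isolate. The organisational domain, the record shapes and every timestamp are constructed assumptions; the rule that a stolen password taints all sessions while a stolen cookie only taints sessions that existed when it was harvested is the example’s own.

```python
from datetime import datetime

# Assumed organisational e-mail domains; feed records are matched on the account's domain.
ORG_DOMAINS = {"example-corp.com.au"}

# Constructed records in the shape a credential-exposure feed might deliver (not real data).
EXPOSURES = [
    {"user": "j.smith@example-corp.com.au", "artifact": "session_cookie",
     "harvested": "2025-03-02T09:15:00+00:00", "machine": "LAPTOP-7Q2"},
    {"user": "a.lee@example-corp.com.au", "artifact": "password",
     "harvested": "2025-03-04T18:40:00+00:00", "machine": "DESKTOP-M41"},
    {"user": "someone@unrelated.example", "artifact": "password",
     "harvested": "2025-03-04T18:40:00+00:00", "machine": "PC-9"},
]

# Constructed active-session table as an identity provider would expose it.
SESSIONS = [
    {"id": "s-101", "user": "j.smith@example-corp.com.au", "issued": "2025-03-01T08:00:00+00:00"},
    {"id": "s-102", "user": "j.smith@example-corp.com.au", "issued": "2025-03-03T10:00:00+00:00"},
    {"id": "s-201", "user": "a.lee@example-corp.com.au", "issued": "2025-03-05T07:30:00+00:00"},
]


def plan_response(exposures, sessions):
    """Turn exposure records into concrete protective actions for the identity team."""
    plan = {"reset_password": set(), "revoke_sessions": set(),
            "isolate_endpoints": set(), "ignored": 0}
    for rec in exposures:
        if rec["user"].rsplit("@", 1)[-1].lower() not in ORG_DOMAINS:
            plan["ignored"] += 1  # not our account: nothing to act on
            continue
        harvested = datetime.fromisoformat(rec["harvested"])
        # The harvesting endpoint is still infected; later logins from it would leak too.
        plan["isolate_endpoints"].add(rec["machine"])
        if rec["artifact"] == "password":
            plan["reset_password"].add(rec["user"])
        for sess in (s for s in sessions if s["user"] == rec["user"]):
            if rec["artifact"] == "password":
                # A stolen password can mint new sessions at any time: all are suspect.
                plan["revoke_sessions"].add(sess["id"])
            elif datetime.fromisoformat(sess["issued"]) <= harvested:
                # A stolen cookie can only replay a session that existed when it was taken.
                plan["revoke_sessions"].add(sess["id"])
    return plan


if __name__ == "__main__":
    for action, value in plan_response(EXPOSURES, SESSIONS).items():
        print(f"{action}: {sorted(value) if isinstance(value, set) else value}")
```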
The combined investment in these three continuous monitoring capabilities is the operational expression of the shift from periodic security checks to continuous cyber risk posture management that the UpGuard report identifies as the necessary response to the current threat environment. For ASX 200 organizations building the budget case for that investment, the 10 percent active infection finding and the Cyber Security Act 2024 compliance requirements provide the financial exposure and regulatory accountability framing that executive and board-level investment decisions require.
Research and Intelligence Sources: UpGuard