The Australian Government’s Cyber Security Strategy lists actions that should be taken by all businesses to manage security. Unsurprisingly, identity management is a key focus. Here we suggest some focus areas to help guide identity investments for Australian organisations.

1. Improve and uplift baseline security
   
   Have standing agenda items at board level to track key identity metrics, mapped to appropriate risks. Organisations need to truly understand their identity management maturity and be able to provide assurance, often directly to the board, around how the lifecycles of identities are managed by the organisation. We’ve created a template to help you assess how far along the digital identity transition journey you are against your competitors and disruptors across the seven key transition areas. Organisations would be well served to verify identity maturity independently and periodically by an appropriately qualified, independent organisation and map deficiencies to a properly maintained risk register with appropriate ownership and treatment plans. Every organisation also needs to effectively use privileged access management solutions to help protect the organisations “crown jewels”.
   
   
2. Uplift the cyber security of SMEs
   
   Leadership need to ensure SMEs have constant access to best practice identity management software, training, and resources. Identity teams need to understand what the skills gaps are and understand where the key focus areas will need to be in the future in order to address them and ensure the right people within the organisation are involved with relevant identity working groups and forums.  Managers should also provide regular support and training to all staff to foster a culture of cyber awareness.
   
   
3. Create a more secure Internet of Things
   
   Ensure there is a current, accurate view of all IoT devices within your organisation and apply industry leading identity management principles to properly understand the identity and security requirements of your IoT devices. Identity management systems and processes should be used to properly identify and secure your IoT devices and securely manage IoT devices from deployment through to decommission.
   
   
4. Block threats automatically
   
   Use emerging access control standards and technologies to keep out unwanted attackers and use identity management as part of a zero-trust toolset to reduce reliance on perimeter defences and help prevent a data breach. A trusted, centralised record should be maintained of who did what, where, when, and why at every point within your organisation.
   
   
5. Centralised identity schemes
   
   We recommend the Government continues to support the Trusted Digital Identity Framework (TDIF) as a mechanism for providing trusted digital identities for citizens as a mechanism for minimising cybercrime and fraud in reliant services.  In November 2017, the introduction of the Consumer Data Right (CDR) was announced by the Federal Government. The intent of the CDR is to provide people with greater control over their personal data, including how it is used. Initiatives such as this should continue to be regularly monitored by OAIC and enforced. We also recommend the government and private sector to collaborate via working groups to implement and improve trusted identity sharing frameworks.