The defence sector contributes billions to the UK economy, and directly employs tens of thousands of people. That alone would make it an attractive target for financially motivated threat actors. But it doesn’t take into account the huge target the industry also represents to nation-states. Against the backdrop of a threat landscape that continues to evolve at breakneck speed, defence organisations must accelerate cyber resilience plans, says Michael Downs, pictured, VP, global sales at SecurEnvoy .
This doesn’t just make good business sense; it’s now required for all contractors and suppliers according to the Defence Cyber Certification (DCC) scheme. Identity must sit at the heart of these plans.
Compromise is getting easier
The cybercrime economy has been growing, professionalising and maturing relentlessly for the past three decades. Ransomware-as-a-service (RaaS) has lowered the barriers to entry for a new breed of threat actor. Initial access brokers (IABs) further simplify attacks by taking care of the crucial early stages of the kill chain. Pre-packaged phishing kits do yet more heavy lifting by offering readymade suites of tools to harvest credentials and session tokens.
Then there are infostealers. Today, you can find billions of compromised credentials for sale, thanks to an explosion in infostealer activity. According to one study, 1.8 billion credentials were stolen in the first half of 2025 alone, an 800 per cent increase on the previous six months. And if it’s not infostealers, IT helpdesks are being blitzed by vishing calls designed to trick staff into resetting passwords.
All of which makes identity and access management (IAM) more important than ever, as a foundational pillar of good cybersecurity strategy. Defence organisations face adversaries from both hostile nations and the cybercrime groups that they shelter. Both are increasingly emboldened. In 2024 the Ministry of Defence (MoD) revealed a catastrophic data breach which exposed the payroll records of nearly all members of the armed forces to Chinese hackers.
Apart from the sheer scale of the breach, which exposed an estimated 270,000 service members, what’s noticeable about this attack is that it targeted an MoD supplier. Increasingly threat actors will focus their efforts not on the primary target but on a less well-secured partner in the supply chain. More recent incidents have involved sub-contractor The Jet Centre and maintenance contractor Dodd Group.
Securing the supply chain
This is partly why the DCC was created. Developed by the MoD and certification body IASME, it’s designed to enhance the resilience of the defence sector supply chain. Participating suppliers are required to achieve certification to one of four levels depending on the risk profile of their contract. The first two (Level 0 and Level 1) use Cyber Essentials as a mandatory baseline, while the second two (Level 2 and Level 3) require Cyber Essentials Plus. The number of required controls rises to 144 in Level 3.
Identity and access controls feature heavily, ranging from simple multifactor authentication (MFA) for all cloud services (Level 0), to zero trust principles such as privileged access management (PAM), continuous monitoring and least privilege policies (Level 3). MFA is an increasingly important bulwark against infostealers and phishing and should be considered a fundamental best practice. PAM takes things to another level by enforcing least privilege, session monitoring, just-in-time access and more.
The road to DCC accreditation
However, not all MFA and identity management solutions are created equal. Organisations looking to navigate the DCC and enhance their cyber resilience would be advised to look for flexible platforms that offer enhanced security features. They may want to consider on-premises MFA, for example, to mitigate any risks associated with cloud outages and interruptions. Such disruption is increasingly common. Data sovereignty might also be important, as it often is in the defence sector — which is where on-premises options come into their own.
For high-security environments, some contractors may want to combine on-premises deployments with air-gapped MFA to remove the risk of remote attacks on the IAM infrastructure itself. Hardware token-based MFA can add yet another layer of protection, especially against advanced phishing attacks designed to bypass certain authentication methods.
Next should come access management that follows zero trust principles without adding extra friction for the user or IT team. Think: single sign-on (SSO) and passwordless options for secure, streamlined authentication. And conditional access, which limits access only to users that need it to do their job, according to least privilege rules and their specific roles (RBAC). This is particularly important for high-risk contractors and remote workers, who can be isolated in specific network zones to reduce the attack surface and contain the blast radius of any attempted intrusions.
Finally, businesses aspiring to DCC accreditation may also want to think about layering on contextual access management capabilities. These dynamically and continually assess the risk of an access request before deciding whether to approve, block or challenge. Continuous monitoring of suspicious login behaviour can also help, by generating intelligence with which to make more accurate access decisions.
A matter of national security
DCC accreditation isn’t just vital for business. It will ultimately drive improvements that raise the bar on cyber best practice. Because in this industry, cybersecurity means national security.
