Identity is still the weakest link in cyber defence, according to Euan Carswell, SOC Team Lead, Barrier Networks.
Identity attacks could never be described as novel or new cyber crime techniques. They have been around for years, yet they remain the biggest threat organisations face. Over the last year, security teams have faced an increase in attacks targeting corporate identities, and if defences are not prioritised, these attacks are likely to result in full-scale compromises with devastating impacts.
If a criminal wanted to break into a house using the most discreet route possible, they would focus on stealing the homeowner’s keys. The keys would grant clean, straightforward entry. There would be no broken windows, no forced doors, no unwanted attention. The access would be simple. Identity attacks operate in the same way, but instead of stealing keys, criminals steal credentials.
By compromising an employee’s username and password, an attacker is granted network access, bypassing security controls and often offering them privileged access to highly sensitive data. Because this entry appears legitimate, there are often no alarms to alert security teams to a potential threat.
However, the key difference between credentials and house keys is scale. Most homeowners have one or two keys to protect, while organisations may have thousands of identities to manage and secure. Whether through phishing, eavesdropping on online activity, purchasing credentials on the dark web or poor password hygiene, there are multiple ways attackers obtain access. Once inside, they blend in with everyday activity, making breaches far harder to detect. There is no unusual exploit, no malware signature and no brute-force attempt.
Instead, systems see a valid login from a recognised account. From a monitoring perspective, everything appears normal.
The visibility challenge
This problem is intensified by the growing number of third-party applications organisations now rely on. These platforms require access credentials, yet frequently limit visibility through restricted logging, poor export options or inconsistent integration with security information and event management systems.
In many cases, security teams can see only that a user logged in successfully, with little insight into what happened next. As a result, identity-driven breaches are often discovered only after secondary damage has occurred, whether through financial fraud, data theft, ransomware deployment or operational disruption.
Single sign-on solutions
Centralised identity systems such as single sign-on (SSO) platforms are often promoted as solutions to password overload, which can help counter identity attacks. Using these solutions, employees no longer juggle dozens of credentials, while IT teams benefit from streamlined access management. However, this convenience also creates a new concentration of risk.
When multiple applications rely on a single identity provider, one compromised account can unlock an entire digital ecosystem. Email, collaboration tools, finance systems, HR platforms and cloud services may all sit behind the same login. For attackers, this means that compromising one password can hand them the keys to the kingdom.
However, this does not mean organisations should avoid SSO. Without it, users are more likely to reuse passwords, which further increases identity risks. The solution is therefore to secure these platforms properly. Ultimately, SSO platforms must be protected with the same controls as other critical organisational assets. But, what other steps can be taken to improve defences against identity attacks?
Strengthening defences against identity attacks
To counter the rise in identity attacks, organisations must adopt a layered approach to identity security. First, foundational hygiene is essential. This includes strong password policies, restricted administrative privileges, regular access reviews and prompt account deprovisioning.
Multi-factor authentication remains one of the most effective defences, but it must be deployed comprehensively and monitored carefully. Attackers increasingly attempt to bypass MFA through social engineering, token theft or device compromise. MFA alone is not a silver bullet. Least-privilege access is equally vital through approaches such as Zero Trust. Users should only have permissions aligned with their role, and elevated access should be temporary wherever possible.
Privileged and administrative accounts present the greatest risks. These identities often have broad permissions, deep system visibility and the ability to modify configurations or create new users. Adopting Zero Trust principles also helps ensure access is granted and revoked based on specific needs.
Visibility must also improve. Security teams need consistent insight across cloud platforms, SaaS tools and identity providers. Without centralised monitoring and behavioural analytics, subtle signs of compromise are easily missed.
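The point above is that a compromised credential produces a successful login, so the signal has to come from comparing each sign-in against the account's own baseline. The following is an added example, not code from the article or from Barrier Networks: it runs three simple behavioural checks (new country, new device, implausibly fast change of country) over a constructed set of SSO sign-in events. Field names, thresholds and the sample events are assumptions.

```python
"""Flag successful logins that break a user's observed baseline (per-user behavioural checks)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO sign-in events, not real data. All are successful logins,
# so a monitoring rule keyed on failures would see nothing unusual here.
EVENTS = [
    {"user": "alice", "ts": "2024-03-04T08:02:00", "country": "GB", "device": "laptop-01", "ok": True},
    {"user": "alice", "ts": "2024-03-04T12:40:00", "country": "GB", "device": "laptop-01", "ok": True},
    {"user": "alice", "ts": "2024-03-05T08:10:00", "country": "GB", "device": "laptop-01", "ok": True},
    {"user": "alice", "ts": "2024-03-05T08:45:00", "country": "BR", "device": "unknown-7f", "ok": True},
    {"user": "bob",   "ts": "2024-03-05T09:00:00", "country": "GB", "device": "laptop-02", "ok": True},
]


def find_anomalous_logins(events, window_hours=2):
    """Return one alert per successful login that departs from the user's baseline.

    The baseline is built incrementally from the events seen so far, so the first
    login for a user never alerts; later logins are compared against history.
    """
    seen_country = defaultdict(set)
    seen_device = defaultdict(set)
    last_login = {}  # user -> (timestamp, country) of the previous successful login
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if not e["ok"]:
            continue
        user, ts = e["user"], datetime.fromisoformat(e["ts"])
        reasons = []
        if seen_country[user] and e["country"] not in seen_country[user]:
            reasons.append("new country")
        if seen_device[user] and e["device"] not in seen_device[user]:
            reasons.append("new device")
        prev = last_login.get(user)
        # Two countries within a short window is physically implausible for one person.
        if prev and prev[1] != e["country"] and ts - prev[0] < timedelta(hours=window_hours):
            reasons.append("impossible travel")
        if reasons:
            alerts.append({"user": user, "ts": e["ts"], "reasons": reasons})
        seen_country[user].add(e["country"])
        seen_device[user].add(e["device"])
        last_login[user] = (ts, e["country"])
    return alerts


if __name__ == "__main__":
    for alert in find_anomalous_logins(EVENTS):
        print(alert)
```

In a real deployment the baseline would persist across days and draw on the identity provider's export, which is exactly the visibility gap the article describes when that export is missing.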
Another growing risk lies in third-party integrations and consent-based applications. Many tools request extensive access to user profiles and data. Malicious or poorly governed applications can exploit this trust to harvest information or escalate privileges. Regular audits of connected apps and permissions are essential. Finally, organisations must understand their “identity blast radius”. This means mapping which systems are accessible from each account and assessing the potential impact if credentials are compromised.
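The "identity blast radius" described above can be computed rather than guessed. The following is an added example, not code from the article or from Barrier Networks: it walks a constructed identity graph (direct app grants, group memberships and nested groups behind one SSO login) to list every system each account can reach and rank accounts by the impact of losing them. The users, groups, apps and impact weights are all assumed sample data.

```python
"""Compute each identity's blast radius: the set of systems reachable if its credential is stolen."""
from collections import deque

# Constructed identity data, not a real directory. Each user has direct app grants
# plus group memberships; groups grant apps and may nest other groups.
USERS = {
    "alice":      {"groups": ["staff", "finance-admins"], "apps": []},
    "bob":        {"groups": ["staff"], "apps": ["wiki"]},
    "svc-backup": {"groups": [], "apps": ["file-store"]},
}
GROUP_APPS = {
    "staff": ["email", "chat"],
    "finance-admins": ["finance", "hr"],
    "finance-readers": ["reports"],
}
# Members of the key group are transitively members of the listed groups.
NESTED_GROUPS = {"finance-admins": ["finance-readers"]}
# Relative impact if the system is compromised (constructed weights for illustration).
IMPACT = {"email": 2, "chat": 1, "wiki": 1, "finance": 5, "hr": 4, "reports": 2, "file-store": 3}


def reachable_apps(user):
    """Transitive closure over nested groups plus the user's direct grants."""
    apps = set(USERS[user]["apps"])
    queue = deque(USERS[user]["groups"])
    seen = set()
    while queue:
        group = queue.popleft()
        if group in seen:          # guards against cyclic group nesting
            continue
        seen.add(group)
        apps.update(GROUP_APPS.get(group, []))
        queue.extend(NESTED_GROUPS.get(group, []))
    return apps


def blast_radius(user):
    """Systems reachable from one account and the summed impact of losing it."""
    apps = reachable_apps(user)
    return {"user": user, "apps": sorted(apps), "impact": sum(IMPACT[a] for a in apps)}


def ranked_identities():
    """All accounts, highest blast radius first: the ones that most need MFA and review."""
    return sorted((blast_radius(u) for u in USERS), key=lambda r: r["impact"], reverse=True)


if __name__ == "__main__":
    for row in ranked_identities():
        print(f"{row['user']:<12} impact={row['impact']:>2}  apps={', '.join(row['apps'])}")
```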
However, for most organisations, these security controls can be difficult to manage internally. Organisations often don’t have the resources or in-house skills to manage security effectively across these environments, which means partnering with cyber security service providers can enhance defences. Cyber security service providers not only have the skills to ensure organisations adopt the best processes and defence mechanisms to counter identity attacks, but the round-the-clock monitoring they offer also ensures any malicious or anomalous behaviour is detected quickly, before it escalates into a full-scale attack.
Conclusion
Identity attacks are not new, yet they continue to cause chaos for organisations every year. The problem is intensifying as enterprise environments expand through the onboarding of third-party applications. The traditional moat-and-castle approach to security is now outdated. It is no longer possible to stop all threats at the perimeter.
Instead, security must be woven deep into digital environments, where nothing is inherently trusted and strong cyber hygiene is applied across all assets and applications. Without these steps, identity-based attacks will rise, and the very identities organisations create to support their operations will continue to be used against them in the most dangerous way, time and time again.