Why identity is critical to improving cybersecurity posture

Identity is effectively the new network boundary. It must be protected at all costs.

Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture

What do M&S and Co-op Group have in common? Aside from being among the UK’s most recognizable high street retailers, both were recently victims of a major ransomware attack. In both cases the attackers are believed to have used vishing calls to elicit corporate passwords, giving the extortionists their initial foothold in the network.

These identity-related breaches cost the two retailers over £500 million (US$667 million), not to mention incalculable reputational damage and disruption to their customers. The bad news for organizations across all sectors, critical infrastructure providers included, is that these cases are just the tip of the iceberg.

Why identity matters

Why has identity become such a popular attack vector? Part of it stems from the way companies work today. There was a time when all corporate resources sat safely behind a network perimeter and security teams defended that perimeter with a “castle-and-moat” strategy. Today’s IT environment is far more distributed. A proliferation of cloud servers, on-premises desktops, home-working laptops and mobile devices means the certainties of old have evaporated.

Identity is effectively the new network perimeter, which makes credentials a highly sought-after commodity. According to Verizon’s Data Breach Investigations Report, credential abuse was a factor in nearly a quarter (22%) of data breaches last year. Unfortunately, credentials are imperilled in several ways:

  • Infostealer malware is reaching epidemic proportions. It can be installed on victims’ devices via phishing, malicious apps, drive-by-downloads, social media scams and more. One estimate claims that 75% (2.1 billion) of the 3.2 billion credentials stolen last year were harvested via infostealers.
  • Phishing, smishing and vishing remain a popular way to harvest credentials, especially in more targeted attacks. Often, threat actors research the individual they’re targeting in order to improve their success rates. It’s believed that M&S and Co-op were breached via vishing attacks on their outsourced IT helpdesk.
  • Data breaches targeting password databases held by organizations or their outsourcers can be another valuable source of credentials for threat actors. Like infostealers, these end up on cybercrime forums for sale and onward use.
  • Brute-force attacks use automated tooling to try large volumes of credentials until one works, and come in several flavours. Credential stuffing replays previously breached username/password combinations against large numbers of accounts, banking on password reuse. Password spraying tries a short list of common passwords against many accounts, typically one or two guesses per account so as to stay under lockout thresholds. Dictionary attacks run lists of common words, phrases and leaked passwords against a single account.
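The four patterns above leave different fingerprints in authentication logs, and a detection rule that treats them all as “failed logins” will miss the low-and-slow ones. The script below is an added example written for this page (not the article’s code or any vendor product): it parses a simple constructed log format (ISO timestamp, FAIL/OK, source IP, username), separates brute force from password spraying by the per-source user/attempt ratio, flags credential stuffing by a flood of usernames that do not exist in the directory, and then raises the finding that actually matters, a success from a source already seen attacking. The log format, the sample lines and every threshold are assumptions to tune against your own IdP, VPN or SSH logs and lockout policy.

```python
"""Triage failed-login bursts into brute force, spraying and stuffing patterns.

Added example, not from the article. Log format and thresholds are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed line shape: "<timestamp> FAIL|OK <source-ip> <username>"
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")


@dataclass(frozen=True)
class Event:
    ts: str
    ok: bool
    src: str
    user: str


@dataclass(frozen=True)
class Finding:
    kind: str
    src: str | None
    user: str | None
    count: int


def parse(log: str) -> list[Event]:
    """One event per line; malformed lines are skipped rather than fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, src, user = m.groups()
            events.append(Event(ts, result == "OK", src, user))
    return events


def classify(events: list[Event], known_users: set[str], *, brute_min: int = 10,
             spray_min_users: int = 5, spray_max_per_user: int = 2,
             stuff_min_sources: int = 5) -> list[Finding]:
    findings: list[Finding] = []
    fails_by_src: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if not e.ok:
            fails_by_src[e.src].append(e)

    for src, fails in fails_by_src.items():
        per_user = Counter(e.user for e in fails)
        if len(per_user) == 1 and len(fails) >= brute_min:
            # Brute force / dictionary: one account hammered from one source.
            findings.append(Finding("brute_force", src, next(iter(per_user)), len(fails)))
        elif len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            # Spraying: many accounts, a guess or two each, staying under lockout.
            findings.append(Finding("password_spray", src, None, len(per_user)))

    # Stuffing: leaked combos replayed from many sources; the tell-tale sign is
    # a flood of usernames that do not exist in this directory at all.
    unknown = [e for e in events if not e.ok and e.user not in known_users]
    if len({e.src for e in unknown}) >= stuff_min_sources:
        findings.append(Finding("credential_stuffing", None, None, len(unknown)))

    # A success from a source already seen attacking is a likely account takeover.
    attacking = {f.src for f in findings if f.src}
    for e in events:
        if e.ok and e.src in attacking:
            findings.append(Finding("success_after_attack", e.src, e.user, 1))
    return findings


# Constructed sample data (not real traffic): one burst of each pattern plus noise.
KNOWN_USERS = {"alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"}


def constructed_log() -> str:
    lines = [f"2025-06-01T10:00:{i:02d}Z FAIL 203.0.113.5 alice" for i in range(12)]
    lines.append("2025-06-01T10:00:12Z OK 203.0.113.5 alice")          # 13th try succeeds
    lines += [f"2025-06-01T10:05:{i:02d}Z FAIL 198.51.100.7 {u}"        # one guess per user
              for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])]
    lines += [f"2025-06-01T10:10:{i:02d}Z FAIL 192.0.2.{10 + i} leaked{i}@example.com"
              for i in range(6)]                                        # botnet, unknown users
    lines += ["2025-06-01T10:15:00Z FAIL 198.51.100.20 heidi",          # a typo, then success
              "2025-06-01T10:15:05Z OK 198.51.100.20 heidi"]
    return "\n".join(lines)


def triage_constructed() -> list[Finding]:
    return classify(parse(constructed_log()), KNOWN_USERS)


if __name__ == "__main__":
    for f in triage_constructed():
        print(f"{f.kind:22} src={f.src} user={f.user} n={f.count}")
```

Heidi’s single typo followed by a success is deliberately not flagged: the takeover check only fires for sources that already tripped a spraying or brute-force rule, which keeps the alert volume manageable on a busy identity provider.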

It’s not hard to find examples of catastrophic security incidents stemming from identity-based attacks. Aside from the M&S and Co-op Group cases there’s Colonial Pipeline, where a compromised password for a single account on a legacy VPN with no MFA let ransomware actors in, causing major fuel shortages on America’s East Coast. And KNP, a British logistics firm, was forced into bankruptcy after hackers simply guessed an employee’s password and encrypted critical systems.

Identity threats at a glance

The risks posed by identity compromise are amplified by several other factors. Least privilege is a critical best practice whereby individuals are given just enough access privileges to perform their role and no more, often for a limited time. Unfortunately, it is often not applied correctly, leading to overprivileged accounts.

The result is that threat actors using compromised credentials can reach further into the breached organization – moving laterally and reaching sensitive systems. It makes for a much larger “blast radius” following a breach, and potentially greater damage. The same issue can also exacerbate the risk posed by malicious or even negligent insiders.

Identity sprawl is another major challenge. If IT doesn’t properly manage the accounts, credentials and privileges of its users and machines, security blind spots inevitably emerge. This increases the attack surface for threat actors, makes brute-force attacks more successful and overprivileged accounts more likely. The advent of AI agents and continued growth of IoT will greatly increase the number of machine identities that must be centrally managed.

Finally, there’s the threat from partners and suppliers to consider. That could mean an MSP or outsourcer with access to your corporate systems, or even a software supplier. The bigger and more complex your physical and digital supply chains are, the greater the risk of identity compromise.

How to enhance identity security

A considered, multi-layered approach to identity security can help mitigate the risk of serious compromise. Consider the following:

  • Adopt a principle of least privilege and regularly review/tweak these permissions. This will minimize the blast radius of attacks.
  • Complement this with a policy of strong, unique passwords for every account, stored in an enterprise password manager, so that a password leaked from one service cannot be stuffed into another.
  • Enhance password security with multifactor authentication (MFA) so that a stolen password alone is not enough to log in. Prefer phishing-resistant passkeys (FIDO2) over authenticator apps, and both over SMS codes: SMS can be intercepted via SIM swapping, and one-time codes of any kind can be relayed in real time by adversary-in-the-middle phishing kits, whereas passkeys are bound to the legitimate site’s origin and cannot be replayed to it by a proxy.
  • Practice strong identity lifecycle management, where accounts are automatically provisioned and deprovisioned during on- and offboarding of employees. Regular scans should identify and delete dormant accounts which are often hijacked by threat actors.
  • Secure privileged accounts with a privileged account management (PAM) approach which includes automatic rotation of credentials and just-in-time access.
  • Revisit security training for all employees, from the CEO down, to ensure they know the importance of identity security, and can identify the latest phishing tactics. Simulation exercises can help with the latter.
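Most of the checklist above can be turned into a recurring audit over a directory export. The script below is an added example written for this page, not the article’s code or any identity vendor’s tooling: given a list of account records it flags leavers whose accounts are still enabled, dormant accounts, accounts with no or SMS-only MFA, and privileged accounts that either lack phishing-resistant MFA or hold standing (non-just-in-time) admin rights. The `Account` record shape, the 90-day dormancy threshold and the sample accounts are assumptions; in practice the records would come from an IdP or Active Directory export.

```python
"""Audit a directory export against an identity-hygiene checklist.

Added example, not from the article. Record shape and thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

DORMANT_DAYS = 90                        # assumption: align with your access policy
PHISHING_RESISTANT = {"passkey", "fido2"}  # origin-bound factors a proxy cannot replay


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    privileged: bool
    mfa: str | None                  # None, "sms", "totp", "passkey", "fido2"
    last_login: date | None          # None = never logged in
    terminated: date | None = None   # HR leaver date, if any
    standing_admin: bool = False     # permanent admin role rather than JIT elevation


def audit(accounts: list[Account], today: date,
          dormant_days: int = DORMANT_DAYS) -> list[tuple[str, str]]:
    """Return (account, issue) pairs for enabled accounts; disabled ones are out of scope."""
    issues: list[tuple[str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.terminated is not None and a.terminated <= today:
            issues.append((a.name, "leaver_not_deprovisioned"))   # offboarding gap
        if a.last_login is None or (today - a.last_login).days > dormant_days:
            issues.append((a.name, "dormant"))                    # hijack target
        if a.mfa is None:
            issues.append((a.name, "no_mfa"))
        elif a.mfa == "sms":
            issues.append((a.name, "sms_mfa"))                    # SIM-swap exposure
        if a.privileged:
            if a.mfa not in PHISHING_RESISTANT:
                issues.append((a.name, "privileged_without_phishing_resistant_mfa"))
            if a.standing_admin:
                issues.append((a.name, "standing_privilege"))     # should be JIT
    return issues


AUDIT_DATE = date(2025, 6, 1)


def _days_ago(n: int) -> date:
    return AUDIT_DATE - timedelta(days=n)


# Constructed sample export, not a real directory.
CONSTRUCTED_ACCOUNTS = [
    Account("alice", True, True, "passkey", _days_ago(3)),                      # clean admin
    Account("bob", True, False, "sms", _days_ago(10)),                          # weak factor
    Account("carol", True, True, "totp", _days_ago(1), standing_admin=True),    # admin, OTP, always-on
    Account("dave", True, False, None, _days_ago(200)),                         # dormant, no MFA
    Account("erin", True, False, "totp", _days_ago(40), terminated=_days_ago(30)),  # left, still enabled
    Account("svc-backup", True, True, None, None, standing_admin=True),         # never-used service admin
    Account("frank", False, True, None, _days_ago(400)),                        # disabled: ignored
]


def audit_constructed() -> list[tuple[str, str]]:
    return audit(CONSTRUCTED_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for name, issue in audit_constructed():
        print(f"{name:12} {issue}")
```

The service account is the instructive case: it has never logged in interactively, has no second factor and holds permanent admin rights, so it collects four findings at once. Machine identities like this are exactly the sprawl the article warns about, and a scheduled run of a check like this is how “regular scans” becomes something more than a good intention.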

Most of the above recommendations form part of a Zero Trust approach to cybersecurity, built around the notion of “never trust, always verify.” It means that every access attempt, human and machine, is authenticated, authorized and validated, whether it originates inside or outside the network, and that systems and networks are continuously monitored for suspicious activity.

This is where a managed detection and response (MDR) service can add tremendous value. A 24/7/365 team of experts keeps a close eye on your environment, flagging any potential intrusion rapidly so it can be contained and managed. Best-practice identity security, though, starts with a prevention-first mindset.
