Workplace demands and expectations have pushed most companies to make access to their systems faster and easier. But without sufficient access controls, businesses of all sizes face elevated security risks to legacy systems as well as evolving cloud environments.
What’s more, while security controls such as one-time passwords, multifactor authentication (MFA), passkeys and password-less sign on reduce many types of cyber-risk, these technologies can also be evaded or manipulated by innovative cybercriminals and employees acting negligently or maliciously.
As a result, identity-related cyber incidents remain a persistent problem. One study found that 93% of surveyed organizations experienced two or more identity-related breaches over a 12-month period.1 As more resources shift to cloud services — on which users were forecast to spend $679 billion in 20242 — managing and securing identity and access will likely remain an important business objective, particularly for those who must maintain strong protections of sensitive data, files and systems to comply with industry regulations.
Identity and access management (IAM) tools and processes can provide a strong security foundation for most organizations. However, businesses need to take a multifaceted approach to keep ahead of emerging threats. Malicious actors will continue to discover new methods for compromising digital systems that are rapidly evolving.
Businesses need to have a complete picture of their deployments before they can properly implement IAM or other protocols. This can include specific groups of users (including third parties with system access and remote users), existing on-premises and cloud systems and tools regularly used to complete essential tasks.
The global average cost of a data breach peaked at $4.88 million in 2024.3 Organizations that maintain inventory of their most critical data — and set strong identity and privilege access controls to protect it — can reduce the risk of the most damaging data-related cyber incidents.
Privileged access management (PAM) is part of most IAM approaches. It applies additional protections to the most sensitive accounts and processes and gives administrators visibility into who is accessing them and what activity occurs when sessions are in progress.
No matter what access controls you implement, employees play a key role in protecting their identities. If your organization relies on passwords, ensure that all employees are educated in the fundamentals of creating strong passwords and regularly updating them. Conduct training about phishing, credential theft and emerging threats to protections such as MFA (e.g., token and cookie theft, MFA spamming).
Often referred to as “never trust, always verify,” the zero trust model presumes that company networks are already breached or vulnerable, that users must be validated continuously, and that security is enhanced by creating segmentation across company networks. Zero trust architecture typically operates off the principle of least privilege, which states that users should only have access privileges essential to their job function.
To make IAM effective, companies need insight into activity on their networks and logs that contain evidence of who has attempted to access privileged accounts. System administrators should have controls in place to determine the types of users that are requesting account access and what types of information they provide to gain it. Activity logs can also reveal evidence of multiple failed logins, remote logins or other behaviors that may be linked to malicious activity. User and entity behavior analytics can help network administrators understand normal and abnormal usage patterns and potentially reveal activity related to insider threats.
