Image: © AlenKadr/Stock.adobe.com
Cyber defence requires an identity-first makeover, argues Codec’s Tushar Kumar.
Imagine a castle with towering walls, a deep moat and an army of guards. For centuries, this fortress was impervious to outside threats. But over time, their enemies got smarter and developed new weapons and technologies. They realised they did not need to climb up the walls to defeat their enemy in the castle, but rather, they could take it over in different ways.
This metaphor encapsulates the current state of cybersecurity. Traditional defences such as firewalls and network monitoring, once the gold standard of protection, are no longer enough in the face of increasingly complex cyberattacks. And with threats evolving, it is clear a new approach is needed.
Using zero trust as the base
The growing level of sophistication of cyberthreats, added to the limitations of traditional perimeter-based security, led companies to begin adopting zero trust security models as a response.
Traditional perimeter-based defences, which rely on securing network boundaries, are increasingly ineffective against modern threats such as insider attacks, credential theft and advanced persistent threats (APTs). High-profile breaches such as the 2020 SolarWinds attack highlight how these models fail to protect against threats that bypass or exploit implicit trust.
A number of high-profile breaches further enhanced zero trust adoption across the business world. A report by Cisco in 2023 indicated that almost 90pc of organisations worldwide have begun implementing some aspect of the zero trust security model, reflecting a global recognition of its importance in the face of evolving cyberthreats.
However, zero trust alone is not enough to address the full spectrum of modern security challenges. Its effectiveness hinges on precise identity verification and granular access control, which is where identity-based security becomes essential.
The role of identity in modern cybersecurity
An effective way to explain why identity-first security is essential for any company is with these three statistics: 90pc of organisations experienced at least one identity-related incident in the past year; 86pc of data breaches involve the use of stolen credentials; and the average cost of a data breach reached an all-time high in 2024 of $4.88m, a 10pc increase from 2023.
These high percentages are hard to ignore. If these trends continue in the same direction, the headline reads that almost no organisation will be safe from an identity breach and the consequences are going to be costly.
To counter this threat, businesses that have implemented the zero trust framework need to enhance it from an identity perspective, with tools such as multifactor authentication (MFA), role-based access control (RBAC) and behavioural analytics. This approach will ensure that only the right individuals have access to the right resources under the right circumstances.
By focusing on identity and not just on the verification process, it reduces the risk of credential theft, unauthorised access and insider threats, which have been the cause of some of the most high-profile security breaches in global business.
And since threats are evolving in complexity, so are some of the countermeasures, bringing in practices that will replace others, which we have been accustomed to for many decades.
Goodbye passwords
Now that most companies are operating in the cloud, the urgency to address identity-based security has never been greater. Cloud environments, while essential for scalability and efficiency, are inherently exposed due to their vast attack surface, shared resources and reliance on identity for access control. If businesses do not have an appropriate security framework in place, they remain exposed to data breaches that will compromise customer trust and threaten their very survival.
An identity-first strategy is becoming increasingly critical due to several pivotal trends. One major driver is the widespread adoption of phishing-resistant authentication methods such as passkeys, which are gradually replacing traditional passwords. Yes, we are in the midst of experiencing the slow goodbye of password use. The use of passkeys aims to secure billions of user accounts against phishing attacks by moving away from reliance on easily compromised credentials and towards biometric solutions.
Hello AI
The evolution of AI technology is also a growing cybersecurity threat. Cybercriminals are now deploying advanced techniques, such as AI-generated phishing emails, which can be difficult to distinguish from legitimate communications. With identity-first security in place, you can combat AI-generated phishing threats with advanced tools such as phishing-resistant authentication, behavioural analytics and dynamic access controls.
AI is a double-edged sword: while it powers sophisticated attacks, it also equips defenders with tools to predict and thwart threats proactively. But as AI continues to shape cybersecurity, the implications of keeping your company safe go far beyond mere efficiency and technology.
Business impact
The stakes for cybersecurity extend far beyond IT departments and simple compliance. The financial and reputational costs of failing to secure identities are painfully real. In 2019, Capital One saw its data breached by a hacker who exposed the information of more than 100m customers. The consequences? An $80m fine for negligence and a 15pc drop in their stock market value.
Marriott, Uber, Yahoo and Equifax are just a small sample of the companies that have experienced a costly data breach in the past decade. But this is far from being a problem that solely impacts the world’s leading companies.
Research on identity fraud by Regula in 2023 revealed that 90pc of small and medium enterprises encountered identity fraud incidents in the past year, with an average of 10 per company. Targeting enterprise-level companies can seem like a more rewarding prospect for hackers, but it would be short-sighted to consider identity fraud something only multimillion-dollar companies should be concerned with. With the average cost of a data breach nearing $5m, it is clear data security cannot be ignored.
Ineffective identity controls have repercussions beyond finances, though: they damage customer trust.
Would you place your personal data in the hands of a company that has just experienced a serious data breach?
Trust, once lost, is hard to regain.
Businesses must not gamble with their survival and must prioritise identity-based security measures to protect both their customers and their reputation. The time has come to protect the castle from within.
By Tushar Kumar
Tushar Kumar is cloud security team lead at Codec. He is an Azure certified cloud solutions architect and Microsoft MVP. He specialises in planning, designing and securing applications on Azure, with deep expertise in migrating enterprise architectures from on premises to the cloud.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.
