50 Identity And Access Security Stats You Should Know In 2024
We’ve collected the latest identity and access security statistics to help you keep up to date on the most prevalent identity threats of the past year.
Your employees’ corporate accounts are the doorways into your organization’s data vault, and your employees’ credentials are the keys. Unfortunately, we as a global workforce aren’t very good at keeping those keys safe, and that leaves those doors wide open to attackers trying to access our data.
But just how common are identity and access attacks, and what does that mean for your organization?
We’ve collated the most recent statistics from around the world to help illustrate the threat of credential theft attacks, which target user identities and access methods. These stats come from third-party surveys and reports, and we’ll be updating them as new research emerges to help you stay on top of the latest figures.
The Frequency Of Identity And Access Breaches
The use of stolen credentials and phishing are two of the three primary means by which cybercriminals gain access to an organization. In fact, 74% of all breaches include the human element, with people being involved via privilege misuse, use of stolen credentials, social engineering, or error; note that three of those four methods are directly linked to users’ identities.
And this is a trend that is only likely to continue, as password attacks are still on the rise. In fact, this year saw a more than tenfold increase in attempted password attacks, compared with the same period from a year ago.
According to further research from CrowdStrike, this year has also seen a 112% year-over-year increase in advertisements for access-broker services identified in the criminal underground (e.g., on the dark web), which tells us that threat actors are ramping up credential-based attacks.
The high incident rates in recent years could be attributed to several factors, including the increasing adoption of cloud technologies and the increase in remote and hybrid working. Digital transformation and the adoption of cloud technologies have enabled organizations to structure themselves more flexibly and productively, but they also make it more difficult for IT teams to keep track of who is accessing what data from where; in fact, 62% of security teams operate with limited visibility across their environment. And remote and hybrid settings, while productivity-boosting, can also be more prone to identity attacks when not implemented properly, due to the following reasons:
Firstly, organizations that haven’t invested in strong cloud cybersecurity tools for remote employees (including on personal devices when needed), such as MFA and email security technologies, are more at risk from password-cracking attempts and phishing attacks. Attackers know that BYOD devices are less likely to be secured by the organization, so they target their attacks toward these workers; 55% of remote workers using BYOD devices receive more phishing or spam emails than they used to. The risk compounds: phishing attacks are often used to distribute malware and, because BYOD devices are less likely to be secured with enterprise-grade antivirus and anti-malware, they’re twice as likely to become infected with malware than their corporate counterparts. And when 92% of remote employees perform work tasks on their personal tablets or smartphones, that adds up to a lot of potential malware infections that could spread to the rest of the corporate network.
Additionally, it’s more difficult to maintain a “security first” mindset at home than in the office. In one recent survey, 80% of employees admitted to being more relaxed and distracted when working from home on a Friday in the summer months, and 13% admitted to falling for a phishing attack whilst working from home. Even more alarmingly, 21% said that they’d continue working as usual in the event they fell victim to a phishing attack while working remotely on a Friday, and 9% indicated that they’d wait until after the weekend to report the attack. When an attacker compromises a network, it only takes them 84 minutes to move laterally from the initially compromised host to another host within the victim’s environment. With that in mind, think how much damage they could do if the attack wasn’t reported for an entire weekend!
However, 65% of remote users would leave their job if their company’s rules around remote work changed, so stopping employees from working remotely isn’t a viable option for most employers—and many wouldn’t want to ban remote work outright anyway, due to its proven productivity benefits.
So, organizations need to find another way to secure themselves and their employees against identity-related breaches. But before we can do that, we first need to understand exactly how businesses are being breached, which brings us to our next topic…
Identity Security Breach Methods
The key detail involved in all identity and access security attacks is the user’s login credentials. Unfortunately, many of us fail to implement strong password practices for the following reasons:
- Having to manage too many accounts
- Remembering which password belongs to which account
- Being unable to remember unique passwords to each account
- Finding it difficult to create complex passwords
Because of this, a lot of us are notoriously bad at creating and using strong passwords; in fact, “123456”, “admin” and “password” still consistently top lists of the most commonly used passwords. And unfortunately, the weaker the password, the easier it is to crack: these three examples sit at the top of every attacker’s wordlist and can all be cracked in under one second.
However, creating a strong password alone isn’t enough: just as important are the secure storage and sharing of your passwords, and the need to create a unique password for each account. A culture of sharing passwords freely via messaging apps or email, without encryption, leaves those passwords exposed to anyone who gains access to the chat or mailbox, and makes organizations highly susceptible to social engineering attacks. And if users reuse one password across multiple accounts, an attacker who breaches one account will quickly be able to gain access to them all (a technique known as credential stuffing). Despite this risk, 45% of remote users use the same password for both work and personal accounts.
So, we know that credentials are the key to identity and access-related breaches; in over half (54%) of all attacks studied by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the past year, initial access was obtained via compromised credentials… But how do attackers steal those credentials?
Well, the two main ways are brute force attacks and social engineering, or phishing, attacks.
Brute Force Attacks
There are a number of variations on brute force attacks, which you can read more about in our guide to preventing password crack attacks but, fundamentally, a brute force attack is when an attacker programs a computer to guess their target’s password. The program starts with the most common passwords and combinations of letters, numbers and symbols, and works through candidate guesses systematically until one succeeds, either online against the login service itself, or offline against a stolen copy of the password hash. Online guessing can be slowed by account lockouts and rate limiting; offline cracking is limited only by the attacker’s hardware, which is why weak passwords fall in seconds.
As well as being used to target individual accounts, brute force is increasingly being used against Windows systems, as cybercriminals try to guess the username and password for a Remote Desktop Protocol (RDP) connection. RDP is a protocol that enables remote access to Windows machines, and an internet-exposed RDP service will keep accepting login attempts unless account lockout policies or network-level restrictions are in place. Once the credentials are guessed, the attacker gains interactive access to the target computer on that network. According to a recent report from Sophos, threat actors leveraged RDP in a staggering 95% of attacks during the first half of 2023, an increase from 88% in 2022. The same study found that compromised credentials accounted for 50% of RDP attacks.
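As an added example (not from the original article or the Sophos report), here is the detection logic a security team would run over Windows Security log events to surface an RDP brute-force or password-spraying burst, written in Python. The log lines are constructed for the example and use a simplified key=value rendering of event 4625 (failed logon) and 4624 (successful logon); the 60-second window, the five-failure threshold and the assumption that RDP logons show up as logon type 10 are choices made for the example, not figures from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry for this example: a simplified key=value rendering
# of Windows Security events 4625 (failed logon) and 4624 (successful logon).
# Real events arrive as EVTX/XML; the field names here match the event's own.
# LogonType 10 = RemoteInteractive (RDP). With NLA enabled the failure may be
# recorded as LogonType 3 instead; widen RDP_LOGON_TYPES if that is your telemetry.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2024-03-04T09:00:08Z EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2024-03-04T09:00:15Z EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2024-03-04T09:00:22Z EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2024-03-04T09:00:29Z EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2024-03-04T09:00:44Z EventID=4624 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2024-03-04T09:05:00Z EventID=4625 TargetUserName=alice IpAddress=198.51.100.9 LogonType=10
2024-03-04T09:05:02Z EventID=4625 TargetUserName=bob IpAddress=198.51.100.9 LogonType=10
2024-03-04T09:05:04Z EventID=4625 TargetUserName=carol IpAddress=198.51.100.9 LogonType=10
2024-03-04T09:05:06Z EventID=4625 TargetUserName=dave IpAddress=198.51.100.9 LogonType=10
2024-03-04T09:05:08Z EventID=4625 TargetUserName=erin IpAddress=198.51.100.9 LogonType=10
2024-03-04T09:10:00Z EventID=4625 TargetUserName=jsmith IpAddress=192.0.2.5 LogonType=10
2024-03-04T09:10:09Z EventID=4624 TargetUserName=jsmith IpAddress=192.0.2.5 LogonType=10
2024-03-04T09:12:00Z EventID=4625 TargetUserName=helpdesk IpAddress=10.0.0.5 LogonType=2
2024-03-04T09:12:01Z EventID=4625 TargetUserName=helpdesk IpAddress=10.0.0.5 LogonType=2
2024-03-04T09:12:02Z EventID=4625 TargetUserName=helpdesk IpAddress=10.0.0.5 LogonType=2
2024-03-04T09:12:03Z EventID=4625 TargetUserName=helpdesk IpAddress=10.0.0.5 LogonType=2
2024-03-04T09:12:04Z EventID=4625 TargetUserName=helpdesk IpAddress=10.0.0.5 LogonType=2
"""

RDP_LOGON_TYPES = (10,)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) LogonType=(?P<ltype>\d+)$"
)


def parse_events(lines):
    """Parse the sample format into dicts, oldest first; unrelated or malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(m["event"]),
            "user": m["user"].lower(),   # Windows usernames are case-insensitive
            "ip": m["ip"],
            "ltype": int(m["ltype"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(lines, window_s=60, threshold=5):
    """Flag source IPs with >= threshold failed RDP logons inside any sliding
    window of window_s seconds, classify single-account brute force vs. spray,
    and record whether a successful logon from that IP followed."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    users_tried = defaultdict(set)   # ip -> usernames attempted
    findings = {}
    for ev in parse_events(lines):
        if ev["ltype"] not in RDP_LOGON_TYPES:
            continue  # console/service logons belong to a different detection
        ip = ev["ip"]
        if ev["event"] == 4625:
            q = recent[ip]
            q.append(ev["ts"])
            users_tried[ip].add(ev["user"])
            while ev["ts"] - q[0] > timedelta(seconds=window_s):
                q.popleft()
            if len(q) >= threshold and ip not in findings:
                findings[ip] = {
                    "kind": "password_spray" if len(users_tried[ip]) > 1 else "brute_force",
                    "failures": len(q),
                    "users": users_tried[ip],   # same set object, so it keeps growing
                    "first_seen": q[0],
                    "succeeded": False,
                }
        elif ev["event"] == 4624 and ip in findings:
            # A success after a failure burst is the alert worth paging on.
            findings[ip]["succeeded"] = True
            findings[ip]["compromised_user"] = ev["user"]
    return findings


def run_sample():
    return detect_rdp_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, f in run_sample().items():
        status = "SUCCESSFUL LOGON FOLLOWED" if f["succeeded"] else "no success seen"
        print(f"{ip}: {f['kind']} ({f['failures']} failures, {len(f['users'])} users) - {status}")
```

Run as written, the sample flags 203.0.113.7 as a single-account brute force that ended in a successful logon and 198.51.100.9 as a password spray, while the single mistyped login from 192.0.2.5 and the console (logon type 2) failures from 10.0.0.5 stay quiet. In production you would feed the same logic from your SIEM and tune the window and threshold to your lockout policy.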
Social Engineering Attacks
Breaches caused by phishing and stolen or compromised credentials were the two most prevalent attack vectors over the past year, responsible for 16% and 15% of all breaches respectively. Phishing is a type of social engineering attack that involves the bad actor contacting their target personally (usually via email, phone or SMS), while posing as a trusted sender. In their message, they ask their victim for sensitive information, such as login credentials, or they encourage them to click on a malicious URL or attachment.
Phishing URLs usually take the target to a credential harvesting site, where they’re encouraged to enter their login information under a pretext set up by the attacker. Clicking a phishing attachment usually installs a form of malware on the user’s machine, often a trojan or a bot that enrolls the machine in a botnet. While some of these trojans are used to deliver ransomware or further malware, others are used to harvest users’ sensitive data, such as their financial information and login credentials.
Unfortunately, social engineering attacks are difficult to detect, which makes them likely to succeed, and highly prevalent: between April 2022 and April 2023, Microsoft detected 156,000 business email compromise (BEC) attacks every single day, and BEC is just one type of account compromise attack involving social engineering. You can find out more about what BEC attacks are and how to stop them here.
Who The Victims Are
Remote workers have always been more susceptible to identity and access-based attacks. Unfortunately, the nature of the modern workplace means that more of us than ever before are now potential targets, with 92% of remote employees using a personal computer or smartphone to work from home.
Despite the risks presented by remote and hybrid work, a concerning 50% of organizations don’t have a policy on the security requirements for their remote workers. On top of that, only half of companies with BYOD policies also have a policy in place to regulate the use of personal devices, only a third provide antivirus software for personal devices, and another third do not require their remote workers to use any method of authentication. Of those that do require that their employees use authentication, only 35% require multi-factor authentication (MFA).
But why is this such a problem? Well, remote workers are often less likely to have a “security first” mindset than those working in an office, largely due to their comfortable surroundings. This pain point is particularly concerning when it comes to the lack of good password practice amongst remote employees: two-thirds of workers are more likely to write down work-related passwords when working from home than they are while working in the office, and many of those storing their passwords digitally are doing so in an insecure way: 49% save work passwords in the cloud, 51% save them in a document on their computer, and 55% save them on their phone. To gain access to these passwords, an attacker need only breach that cloud storage account, computer or phone, which, without the proper employee training and technical security solutions in place, makes it much easier for them to hack into employee accounts and access sensitive company data.
The second common target area for identity and access-related breaches is privileged accounts. Most organizations order their business systems in tiers according to the severity of the consequences should that system be breached. Privileged accounts provide administrative levels of access to high-tier systems, based on higher levels of permissions. This makes privileged accounts a lucrative target for hackers trying to gain access to critical business data.
Despite the high consequences of a privileged account breach, companies across the globe are not implementing stringent enough security measures to protect them. 63% of security decision-makers say that high-sensitivity access for users in their organization, such as IT admins and other privileged users, is not adequately secured. Additionally, 77% of developers have too many privileges, most likely because they need quick, on-demand access to be able to innovate effectively, and some IT teams don’t have the resources to process continuous access requests. Because of this, 38% of security decision-makers say that development teams are where unknown, unmanaged identities create the most risk.
It comes as little surprise, then, that a quarter of all cybercrime victims in the US and UK have managerial positions or own a business and that 34% of identity-related breaches involve the compromise of privileged user accounts.
The Impact Of An Identity And Access Breach
The average cost of a data breach is 4.45 million US dollars, showing a 15% increase over the past three years. That average, however, also reflects a widening gap between the cost of a breach for organizations with more advanced security processes in place, such as incident response teams, and those with fewer processes in place. In other words, the cost of a data breach is much lower for those with a formal security architecture, but dangerously high for organizations without the proper protections.
Breaches caused by phishing and stolen or compromised credentials, the two most prevalent attack vectors over the past year, were ranked among the top four costliest incident types, costing an average of 4.76 million USD and 4.62 million USD respectively. They also took the longest to resolve: security teams took an average of almost 11 months (328 days) to identify and contain breaches caused by stolen or compromised credentials, compared to the overall mean of just over nine months (277 days) to identify and contain a data breach.
However, financial loss isn’t the only consequence of an identity- or access-related breach. As we discussed above, these breaches often start with credential theft via a phishing attack, and that credential theft has a knock-on effect in terms of data loss. The main consequences of successful phishing attacks include:
- Lost data
- Compromised accounts or credentials
- Ransomware infections
- Malware infections
- Financial loss
Current Identity And Access Trends
Organizations are becoming more aware of the importance of identity and access security, and are looking to invest in identity and access management (IAM) solutions. According to a survey by Cybersecurity Insiders, when looking to invest in an IAM solution, organizations prioritize ease of integration (72%), followed by end user experience (62%), and product performance and effectiveness (61%). Further features that security teams look for include:
- Ease of administration (59%)
- Product features/functionality (57%)
- Cost (57%)
- Vendor support (55%)
And as we see more examples of threat actors bypassing MFA, we can expect an increase in the number of organizations opting for phishing-resistant, FIDO-certified authentication methods, such as hardware security keys, smart cards, and biometrics-backed platform authenticators.
Security awareness training has been another area for investment in the past year; organizations are increasingly giving their employees extra training on how to be “cyber-safe” when working remotely, with specific training targeting password and credential verification. And as increasingly more organizations embrace their employees back into the office in a hybrid format, user training will only become more important, particularly when implementing new policies that may be required to secure devices that have been outside the network perimeter for the past two years.
How Can You Protect Your Business Against Identity Threats?
There isn’t a single silver bullet solution to cybersecurity: in order to protect your corporate, employee and customer data, you need to implement a stack of both human-focused solutions, such as awareness training, which address the problem at an employee level, and technical solutions.
Here are some of the best methods by which you can protect your data:
Create And Enforce A Strong Password Policy
A password policy is a set of rules that aim to improve your company’s security by encouraging the creation of strong passwords, and the secure use, storage and sharing of those passwords. Creating a password policy is relatively easy, and costs nothing. For more information on what rules to include, take a look at our guide to creating a secure password policy.
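To make the policy concrete, and to show why the weak passwords quoted earlier fail, here is an added example (not from the article or its linked guide) of a NIST SP 800-63B-style password check in Python. It enforces a minimum length, rejects passwords found on a common/breached-password list (including simple leetspeak variants such as “P@ssw0rd”), and rejects passwords built from the username, the organization’s name, or long sequential runs, rather than imposing the upper/lower/digit/symbol rules that push users toward “Password1!”. The denylist, the leetspeak map and the thresholds are constructed for the example; in production the denylist check would run against a full breach corpus such as the Have I Been Pwned “Pwned Passwords” set.

```python
import re
import unicodedata

# Constructed stand-in for a breached/common-password corpus. In production use
# the full Have I Been Pwned "Pwned Passwords" set (or its k-anonymity API).
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "password1", "admin", "qwerty",
    "letmein", "welcome", "welcome1", "iloveyou", "monkey", "dragon",
}

# Character substitutions attackers already undo in their wordlists ("P@ssw0rd" == "password").
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "4": "a", "$": "s", "5": "s", "!": "i"})


def longest_run(s):
    """Length of the longest substring whose neighbouring characters differ by
    at most one code point ('aaaa', 'abcd', '6543'). A cheap heuristic for
    alphabet and digit sequences, not a full keyboard-walk detector."""
    best = cur = 1
    for a, b in zip(s, s[1:]):
        cur = cur + 1 if abs(ord(b) - ord(a)) <= 1 else 1
        best = max(best, cur)
    return best


def check_password(candidate, username="", org_terms=(), min_len=12, max_len=128):
    """Return a list of violation codes; an empty list means the password passes.
    Mirrors NIST SP 800-63B: length plus a breached-password denylist, with no
    mandatory character-class mix."""
    pw = unicodedata.normalize("NFKC", candidate)   # so visually identical forms compare equal
    low = pw.lower()
    problems = []
    if len(pw) < min_len:
        problems.append("too_short")
    if len(pw) > max_len:
        problems.append("too_long")   # a cap against hashing DoS, not a strength limit
    # Test both the raw form and the de-leeted form against the denylist.
    if low in COMMON_PASSWORDS or low.translate(LEET) in COMMON_PASSWORDS:
        problems.append("common")
    if len(username) >= 3 and username.lower() in low:
        problems.append("contains_username")
    if any(t.lower() in low for t in org_terms if len(t) >= 3):
        problems.append("contains_org_term")
    if len(set(low)) <= 3:
        problems.append("low_variety")
    if longest_run(low) >= 5:
        problems.append("sequential")
    return problems


if __name__ == "__main__":
    for pw in ("123456", "admin", "P@ssw0rd", "correct horse battery staple"):
        verdict = check_password(pw, username="admin", org_terms=("Acme",))
        print(f"{pw!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The return value is a list of codes rather than a boolean so the enrolment form can tell the user exactly why a password was rejected; the three passwords the article names all come back with at least “too_short” and “common”, while a long passphrase passes without needing any symbols.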
Use A Password Manager
Password management solutions store each employee’s passwords in a personal, encrypted vault that they access via a single master password. From within the vault, employees can safely access the credentials to all of their corporate accounts, share passwords, and update weak or compromised passwords.
Password managers also feature password generation tools, which enable employees to create unique, random passwords without having to remember them.
They enable employees to access their accounts easily and securely, and they enable security teams to keep tabs on their organizations’ password health.
Enforce Multi-Factor Authentication (MFA)
One of the most common methods of protecting against both brute force and social engineering attacks is multi-factor authentication (MFA). MFA is a verification technology that requires users to provide two or more proofs of identity before they’re granted access to an app or system, meaning that, if an attacker were to compromise a user’s password, they still wouldn’t be able to log in without that user’s second factor. That second factor comes from a different category than the password: something the user has (e.g., a one-time code generated by an authenticator app, a push notification approved on their enrolled phone, or a hardware security key) or something the user is (i.e., their biometrics, such as a fingerprint scan).
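To show the “something the user has” factor working end to end, here is an added example (not from the article or any vendor it mentions) of the time-based one-time password scheme that authenticator apps implement, in Python using only the standard library: HOTP (RFC 4226), TOTP on top of it (RFC 6238), the otpauth enrolment URI an app reads from a QR code, and the server-side verifier with the two checks practitioners most often get wrong: a small clock-drift window and refusal to accept a code twice. The shared secret 12345678901234567890 is the RFC 6238 test vector, used so the codes can be checked against the RFC’s appendix; the issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC the 8-byte big-endian
    counter, dynamically truncate to 31 bits, keep the low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits, algo)


def otpauth_uri(issuer: str, account: str, secret: bytes, digits: int = 6, step: int = 30) -> str:
    """The enrolment URI an authenticator app reads from the QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def new_secret(nbytes: int = 20) -> bytes:
    """Per-user shared secret generated at enrolment (160 bits for HMAC-SHA1)."""
    return secrets.token_bytes(nbytes)


class TotpVerifier:
    """Server side of the second factor. Accepts the current time step plus
    `drift` steps either side to tolerate clock skew, and never accepts a step
    at or before the last one it accepted, so a code captured by a phishing
    page cannot be replayed (RFC 6238 section 5.2)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_accepted_step = -1

    def verify(self, code: str, now: int) -> bool:
        if not (isinstance(code, str) and code.isdigit() and len(code) == self.digits):
            return False
        current = int(now) // self.step
        for offset in range(-self.drift, self.drift + 1):
            step = current + offset
            if step <= self.last_accepted_step:
                continue                      # replay or stale step: never re-accept
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"   # RFC 6238 test secret, not for real use
    print(otpauth_uri("ExampleCorp", "alice@example.com", rfc_secret))
    print("TOTP at t=59:", totp(rfc_secret, 59, digits=8))   # 94287082 per RFC 6238
    v = TotpVerifier(rfc_secret)
    print("first use:", v.verify(totp(rfc_secret, 1234567890), 1234567890))   # True
    print("replay:", v.verify(totp(rfc_secret, 1234567890), 1234567890))      # False
```

Two design points matter for the threats discussed on this page. The verifier tracks the last accepted step so that a code an attacker phishes and relays is useless once the real user (or the attacker) has used it, which narrows the window for a real-time relay to one code; and the secret never leaves the server and the user’s device, so a breached password alone gets the attacker nothing. What TOTP does not do is bind the code to the site the user is actually on, which is why the FIDO-based methods discussed below are the stronger choice against phishing.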
MFA is a highly effective means of preventing account compromise, but unfortunately, many organizations today are still yet to adopt this technology. In fact, a recent report from Sophos found that MFA was not configured in 39% of cases they investigated in 2023.
It’s important to note that some methods of MFA are stronger than others; in the past year, for example, we’ve seen numerous examples of breaches caused by threat actors “bombing” users with push notifications until they approve one, either accidentally or simply to make the notifications stop. Because of this, organizations are increasingly being recommended to use phishing-resistant, FIDO-certified MFA, such as hardware security keys or platform authenticators unlocked with biometrics, which bind the login to the legitimate site so that a harvested code or approval cannot be replayed elsewhere. Big tech companies are also encouraging consumers, as well as businesses, to adopt these stronger methods of authentication, and have been developing more user-friendly, frictionless authentication options (such as “passkeys”) to encourage more widespread adoption.
Learn more about passkeys and passwordless authentication in our interview with John Bennett, CEO of Dashlane, on the Expert Insights Podcast.
Invest In Privileged Access Management (PAM)
As we discussed above, privileged accounts are one of the most lucrative targets for hackers, and so among the most commonly targeted employee accounts. Privileged access management solutions enable organizations to monitor and control the access and activity of their privileged users. This includes who has access to which accounts, as well as what users are allowed to do once logged in. PAM keeps privileged accounts secure by ensuring that only the correct, and verified, users can access accounts based on their roles and responsibilities.
The top benefits that users look for in a PAM solution are protecting against the compromise of privileged credentials by external threat actors (58%), managing and monitoring privileged user access (58%), and preventing data breaches (48%). You can find out more about how PAM solutions work here, and compare the best solutions that will enable you to reap these benefits by reading our guide to the top PAM solutions here.
Install Endpoint Security On Employee Devices
Endpoint security solutions use a combination of firewalls, anti-malware and device management tools to protect your network against malware and viruses that could be used to harvest your employees’ credentials.
These solutions cover all of the endpoints connected to your network, including servers, PCs, mobile devices and IoT devices, and admins can manage the solution centrally, making it easy for them to identify and monitor the health and risk level of all devices connected to the network at once.
Endpoint security solutions tend to be designed for larger organizations and those with a number of remote or BYOD endpoints; if you’re an SMB that doesn’t have a complex network architecture, and you’re looking for a product that will protect your endpoints against viruses and malware, you should look at investing in an antivirus software solution.
Train Your Employees
One of the best ways to cultivate a culture of security is by teaching your employees how to be vigilant and preparing them to identify and respond to threats.
Security awareness training solutions combine engaging training materials with active attack simulation campaigns in order to transform your employees from potential weak links into a robust line of defense against cyberattacks. The majority of these solutions focus specifically on phishing awareness training, but some also include modules on a wider range of security topics, such as how to work from home safely.
Invest In A Secure Email Gateway (SEG)
Secure email gateways protect your employees against phishing attacks by monitoring their inbound and outbound emails and scanning them for threats. The SEG blocks or quarantines any suspicious communications, so that they’re never delivered to their intended victims.
Email gateway solutions also expose account compromise, helping you to identify and prevent business email compromise (BEC) attacks, which attackers can use to steal credentials by posing as a company insider.
Want to find out more about how you can protect your data against identity and access threats? Check out our buyers’ guide to the top identity and access management solutions that will help you defend against credential theft.