50 Identity And Access Security Stats You Should Know In 2025
We’ve collected the latest identity and access security statistics to help you keep up to date on the most prevalent identity threats of the past year.
Your employees’ corporate accounts are the doorways into your organization’s data vault, and your employees’ credentials are the keys. Unfortunately, we as a global workforce aren’t very good at keeping those keys safe, and that leaves those doors wide open to attackers trying to access our data.
But just how common are identity and access attacks, and what does that mean for your organization?
We’ve collated the most recent statistics from around the world to help illustrate the threat of credential theft attacks, which target user identities and access methods. These stats come from third-party surveys and reports, and we’ll be updating them as new research emerges to help you stay on top of the latest figures.
The Frequency Of Identity And Access Breaches
In 68% of breaches, a non-malicious human element, such as a person falling victim to a social engineering attack or making an error, was involved (Verizon's 2024 Data Breach Investigations Report). The use of stolen credentials and phishing are two of the three primary ways cybercriminals gain initial access to an organization, and both are directly tied to users' identities.
Password-only authentication, made worse by outdated expiry and complexity policies, lies behind more than 99% of identity compromises. The past year also saw a 20% increase in access broker advertisements on the dark web, and 75% of detected attacks to gain initial access were malware-free, meaning the adversary relied on valid credentials and legitimate tooling rather than a malware payload.
“With the help of generative AI, adversaries … are using new techniques to break in faster, such as phishing, social engineering, and buying legitimate credentials from access brokers. Tactics like SIM-swapping, MFA bypass, and using stolen API keys to gain initial access are becoming popular.”
The high incident rates in recent years could be attributed to several factors, including the increasing adoption of cloud technologies and the increase in remote and hybrid working. Digital transformation and the adoption of cloud technologies have enabled organizations to structure themselves more flexibly and productively, but they also make it more difficult for IT teams to keep track of who is accessing what data from where.
In a 2024 survey by CyberArk, nearly 50% of respondents expected the number of identities they manage to increase threefold or more, and the most common driver of that growth is non-human (machine) identities. Remote and hybrid settings, while productivity-boosting, can also be more prone to identity attacks when not implemented properly, for the following reasons:
- Organizations that haven’t invested in strong cloud cybersecurity tools for remote employees (including on personal devices when needed), such as MFA and email security technologies, are more at risk from password-cracking attempts and phishing attacks.
- Attackers know that BYOD devices are less likely to be secured by the organization, so they target their attacks toward these workers.
- Phishing attacks are often used to distribute malware and, because BYOD devices are less likely to be secured with enterprise-grade antivirus and anti-malware, they’re twice as likely to become infected with malware than their corporate counterparts.
According to Statista, the industry with the highest percentage of employees working remotely is the tech industry at 67.8%. This was followed by the agency / consulting industry at 50.6% and the finance / insurance industry at 48.7%. According to G2, 80% of workers admit to using SaaS applications at work without getting approval from IT.
When more than 95% of organizations allowed the use of personal devices for work even before the pandemic, and 86% of IT managers say mobile attacks are growing more frequent, that adds up to a lot of potential malware infections that could spread to the rest of the corporate network.
Sushila Nair, vice president of security services at NTT Data, told TechTarget that “Research has found that people working from home can be more distracted and they’re more likely to click on suspicious links.”
Once an attacker has a foothold, the average "breakout time" (the time it takes to move laterally from the initially compromised host to another host in the victim's environment) is just 62 minutes, and the fastest observed breakout time was only 2 minutes and 7 seconds. With that in mind, consider how much damage an attacker could do if an intrusion went unreported for an entire weekend.
Unfortunately, 35% of employees say they need to work around their company’s security policy to get their job done. And if there is too much friction caused by a security mechanism, it is likely that employees will avoid doing it as much as they can, which is counterproductive.
Organizations need to find more unobtrusive ways to secure themselves and their employees against identity-related breaches. But before they can do that, it is important to understand exactly how businesses are being breached, which brings us to our next topic…
Identity Security Breach Methods
The common element in identity and access attacks is the user's login credentials. Unfortunately, many of us fail to follow strong password practices, for the following reasons:
- Having to manage too many accounts
- Remembering which password belongs to which account
- Being unable to remember unique passwords to each account
- Finding it difficult to create complex passwords
Because of this, a lot of us are notoriously bad at creating and using strong passwords: "123456", "123456789" and "password" still consistently topped lists of the most used passwords in 2024. And the weaker the password, the easier it is to crack; all three of these examples can be cracked in under one second.
However, creating a strong password alone isn’t enough; just as important are the secure storage and sharing of your passwords, and creating a unique password for each account. The culture of sharing passwords freely via messaging apps or email, and without encryption, makes organizations highly susceptible to social engineering attacks. And if users use one password for multiple accounts, an attacker that breaches one account will quickly be able to gain access to them all. Despite this risk, according to a study from security.org, 18% of respondents reuse their passwords across multiple accounts.
So, we know that credentials are the key to identity and access-related breaches; a 2024 report from Sophos found that over three-quarters (77%) of attacks saw compromised credentials as an initial access method and over half (56%) as a root cause… But how do attackers steal those credentials?
The two main routes are guessing them, via brute force attacks, and tricking users into handing them over, via social engineering (most often phishing).
Brute Force Attacks
In a brute force attack, the attacker uses software to guess the target's password automatically. You can read more about the different variations of brute force attacks in our guide to preventing password cracking attacks. A typical tool starts with wordlists of the most common passwords and likely variations, then falls back to working through every possible combination of letters, numbers and symbols systematically. Two variants are worth knowing by name: credential stuffing, which replays username and password pairs leaked from other breaches (this is why password reuse is so dangerous), and password spraying, which tries one or two common passwords against many accounts to stay below lockout thresholds. Guessing against a live login page is slow and noisy; the "cracked in under a second" figures above refer to offline cracking of stolen password hashes, where nothing limits the guess rate but the attacker's hardware.
As well as being used against individual accounts, brute force is increasingly used against Windows systems, as cybercriminals try to guess the username and password for a Remote Desktop Protocol (RDP) connection. RDP enables remote access to Windows machines, so once the credentials are guessed, the attacker has an interactive session on that machine inside the network. According to a 2024 report from Sophos, in 65% of cases some sort of remote access technology facilitated the intrusion, whether a VPN device or an exposed RDP service.
Social Engineering Attacks
Breaches caused by phishing and stolen or compromised credentials were the two most prevalent attack vectors over the past year, responsible for 16% and 15% of all breaches respectively.
Phishing is a type of social engineering attack that involves a bad actor contacting their target personally (usually via email, phone, or SMS), while posing as a trusted sender. In their message, they ask their victim for sensitive information, such as login credentials, or they encourage them to click on a malicious URL or attachment.
Phishing URLs usually take the target to a credential harvesting site, a look-alike login page where they're encouraged to enter their credentials under a pretext set up by the attacker. Opening a phishing attachment usually installs malware on the user's machine, often a trojan or a bot that enrolls the machine in a botnet. Some of these trojans are used to deliver ransomware or other malware, while others (information stealers) are built to harvest users' sensitive data, such as financial information, saved browser passwords, and session cookies.
Unfortunately, social engineering attacks are difficult to detect, which makes them likely to succeed, and highly prevalent. In 2024, Microsoft blocked over 7,000 attempted password attacks every second. You can find out more about what BEC attacks are and how to stop them here.
Who The Victims Are
Remote workers have always been more susceptible to identity and access-based attacks, and the nature of the modern workplace means that more of us than ever before are now potential targets. More than two-thirds of cybersecurity and IT professionals believe that employees are putting the organization at risk through the misuse of email, oversharing company information on social media, and careless web browsing.
Despite the risks presented by remote and hybrid work, 80% of US-based companies currently offer some form of remote work. On top of that, according to JumpCloud 70% of BYOD use cases are from employees or third parties using unmanaged devices, and more than one out of five organizations have confirmed that their digital assets have downloaded malware due to unmanaged device connections in the last 12 months. According to JumpCloud, 32% of organizations lack visibility into the applications used by all employees connecting to enterprise assets.
But why is this such a problem?
Remote workers are often less likely to have a "security first" mindset than those working in an office, partly because of their familiar, comfortable surroundings. This is particularly concerning when it comes to password practice. According to a study from security.org, over half of surveyed American adults manage their passwords with methods such as memorization, browser storage, and written records rather than a dedicated password manager. The most popular methods among respondents were memorization, followed by password managers and saving credentials in the browser. 26% of those surveyed admitted to keeping passwords in notes on their computer or mobile device, and 25% wrote them down on paper.
To gain access to many of these passwords, an attacker need only breach the cloud storage, computer or cell phone which, without the proper employee training and technical security solutions in place, makes it much easier for them to hack into employee accounts and access sensitive company data.
Another common target area for identity and access-related breaches is privileged accounts. Most organizations order their business systems in tiers according to the severity of the consequences should that system be breached. Privileged accounts provide administrative levels of access to high-tier systems, based on higher levels of permissions. This makes privileged accounts a lucrative target for hackers trying to gain access to critical business data.
Despite the high consequences of a privileged account breach, many companies are still catching up on the controls needed to protect them. According to CyberArk, 64% of organizations surveyed either have prioritized or will prioritize Identity Threat Detection and Response (ITDR). The same survey lists the following as the top reasons why identity-related attacks happen:
- Digital transformation (22%)
- Vulnerable IAM infrastructure (21%)
- Volume and sophistication of cyberattacks (20%)
In the same survey, 93% of organizations also expected to face AI-related cybersecurity challenges. According to a 2024 survey by NordPass, the countries with the most breached companies were the United States, India, and the United Kingdom.
The Impact Of An Identity And Access Breach
IBM’s Cost of a Data Breach 2024 report estimates the average cost of a breach as $4.88 million USD, which is a 10% increase from last year. 75% of the increase in average breach costs in this year’s study was due to the cost of lost business and post-breach response activities.
That average cost also reflects a widening gap between the cost of a breach for organizations with more advanced security processes in place, such as incident response teams, and those with fewer processes in place. In other words, the cost of a data breach is much lower for those with a formal security architecture, but dangerously high for organizations without the proper protections.
For the second year in a row, phishing and stolen or compromised credentials were the two most prevalent attack vectors. Both also ranked among the top four costliest incident types. Credential-based attacks also took the longest to identify and contain: whether credentials were stolen or misused by malicious insiders, the average combined time to identify and contain the breach was 292 and 287 days respectively.
However, financial loss isn’t the only consequence of an identity- or access-related breach. As we discussed above, these breaches often start with credential theft via a phishing attack, and that credential theft has a knock-on effect in terms of data loss. The main consequences of successful phishing attacks include:
- Lost data
- Compromised accounts or credentials
- Ransomware infections
- Malware infections
- Financial loss
Current Identity And Access Trends
Organizations are becoming more aware of the importance of identity and access security and are looking to invest in Identity and Access Management (IAM) solutions. According to Fortune Business Insights, global identity and access management market size was valued at USD 17.80 billion in 2023.
This market is projected to grow to USD 61.74 billion by 2032, a CAGR of 15.3%. And as we see more examples of threat actors bypassing MFA, we can expect more organizations to opt for phishing-resistant, FIDO-certified authentication methods, such as hardware security keys, smart cards, and platform authenticators unlocked by biometrics.
Security Awareness Training (SAT) has been another area for investment in the past year; organizations are increasingly giving their employees extra training on how to be “cyber-safe” when working remotely, with specific training targeting password and credential verification. As more organizations embrace their employees back into the office in a hybrid format, user training will only become more important—particularly when implementing new policies that may be required to secure devices that have been out of the network perimeter for the past two years.
How Can You Protect Your Business Against Identity Threats?
There isn’t a single silver bullet solution to cybersecurity: to protect your corporate, employee, and customer data, you need to implement a stack of human-focused solutions, such as awareness training, which address the problem at an employee level, and technical solutions.
Here are some of the best methods by which you can protect your data:
Create And Enforce A Strong Password Policy
A password policy is a set of rules that aim to improve your company's security by encouraging the creation of strong passwords, and the secure use, storage and sharing of those passwords. Creating a password policy is relatively easy, and costs nothing. Note that current guidance (NIST SP 800-63B, for example) favors minimum length, checking candidates against lists of common and breached passwords, and rate-limiting login attempts over the older composition rules and forced periodic expiry, which tend to push users toward predictable patterns like "Summer2024!". For more information on what rules to include, take a look at our guide to creating a secure password policy.
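As an added example (not code from the original article), here is a small password-policy checker that implements the kind of rules described above: a length floor, a check against a list of common or breached passwords stored as hashes, a fold of trivial "leet" substitutions and trailing digits so that "P@ssw0rd2024!" is still caught, a username check, and a repetition check. It deliberately imposes no character-class composition rules or expiry. The blocklist, the leet mapping, and the thresholds are assumptions chosen for illustration; a real deployment would load a large breached-password corpus.

```python
"""Password policy checker (added example, not the page's own code).

Rules follow the length-plus-blocklist approach: reject short passwords,
passwords on a common/breached list (including trivially mutated forms),
passwords containing the username, and long character repeats.
"""
import hashlib
import re

MIN_LENGTH = 12
MAX_LENGTH = 128  # assumption: cap so hashing pathological input is bounded

# Assumption: leet/lookalike substitutions to fold before the blocklist check.
LEET = str.maketrans("@$0134!|", "asoieaii")


def _sha1(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def _normalise(password: str) -> str:
    """Fold case, strip trailing digits/symbols, then undo leet substitutions.

    'P@ssw0rd2024!' -> 'p@ssw0rd' -> 'password'
    """
    folded = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", folded) or folded
    return stripped.translate(LEET)


# Constructed sample blocklist (assumption). Stored as SHA-1 of both the exact
# string and its normalised form, so the plaintext list need not be kept around.
COMMON_PASSWORDS = [
    "123456", "123456789", "password", "qwerty", "Welcome1",
    "Summer2024!", "letmein", "admin",
]
BLOCKLIST_SHA1 = {_sha1(p) for p in COMMON_PASSWORDS} | {
    _sha1(_normalise(p)) for p in COMMON_PASSWORDS
}


def check_password(password: str, username: str = "") -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(password) > MAX_LENGTH:
        problems.append("too long")
    if _sha1(password) in BLOCKLIST_SHA1 or _sha1(_normalise(password)) in BLOCKLIST_SHA1:
        problems.append("on the common/breached-password list")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeats one character four or more times")
    return problems


if __name__ == "__main__":
    for candidate, user in [
        ("123456", "alice"),
        ("P@ssw0rd2024!", "alice"),
        ("alice-wonderland-2024", "alice"),
        ("correct horse battery staple", "alice"),
    ]:
        verdict = check_password(candidate, user) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalisation step is what makes the blocklist useful in practice: users asked to "add a number and a symbol" to a rejected password overwhelmingly produce a variant that the same attacker wordlists already contain, so the check compares the folded form as well as the exact string.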
Use A Password Manager
Password management solutions store each employee’s passwords in a personal, encrypted vault that they access via a single master password. From within the vault, employees can safely access the credentials to all their corporate accounts, share passwords, and update weak or compromised passwords.
Password managers also feature password generation tools which enable employees to create unique, random passwords without having to remember them. They enable employees to access their accounts easily and securely, and they enable security teams to keep tabs on their organizations’ password health.
Enforce Multi-Factor Authentication (MFA)
One of the most common methods of protecting against both brute force and social engineering attacks is Multi-Factor Authentication (MFA). MFA requires users to verify their identity in two or more independent ways before they're granted access to an app or system. The factors are something the user knows (e.g., a password or PIN), something the user has (e.g., a phone running an authenticator app that receives a push notification or generates a one-time code, or a hardware security key), and something the user is (i.e., their biometrics, such as a fingerprint scan).
This means that if an attacker compromises a user's password, they still can't log in unless they can also defeat or obtain that user's second factor.
MFA is a highly effective means of preventing account compromise, but unfortunately, many organizations today are yet to adopt this technology. In fact, this 2024 report from Sophos found that in 43% of investigations, MFA was not configured.
It's important to note that some methods of MFA are stronger than others. In the past year, for example, we've seen numerous breaches caused by threat actors "bombing" users with push notifications until they approve one, either accidentally or simply to make the notifications stop (often called MFA fatigue). One-time codes are also routinely relayed through adversary-in-the-middle phishing proxies, which is why they count as phishable. Because of this, organizations are increasingly being recommended to adopt phishing-resistant, FIDO-certified MFA, such as hardware security keys or platform authenticators, whose credentials are bound to the legitimate site's origin and cannot be replayed from a look-alike page. Big tech companies are also encouraging consumers, as well as businesses, to adopt these stronger methods, and have been developing more user-friendly, frictionless options (such as "passkeys") to encourage wider adoption.
Learn more about passkeys and passwordless authentication in our interview with John Bennett, CEO of Dashlane, on the Expert Insights Podcast.
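The brute force and RDP guessing described earlier and the push bombing described in this section both leave a characteristic trail in authentication logs. The following added example (not from the original article or any vendor product) runs three detections over a constructed, assumed log format: credential brute force (many failures against one account from one source), password spraying (one source failing against many accounts), and MFA push bombing (a run of push prompts to one user followed by an approval). The log schema, thresholds, windows, and sample events are all assumptions for illustration.

```python
"""Identity-attack detection over authentication logs (added example).

Assumed, constructed log format: one JSON object per line with keys
  ts      ISO-8601 UTC timestamp
  user    account name
  src_ip  source address
  event   LOGIN_FAIL | LOGIN_OK | MFA_PUSH_SENT | MFA_PUSH_DENIED | MFA_PUSH_APPROVED
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: sliding window for all detections
BRUTE_FORCE_FAILS = 5            # failures against one account from one source
SPRAY_DISTINCT_USERS = 5         # distinct accounts failed from one source
PUSH_BOMB_PROMPTS = 3            # prompts to one user before an approval


def parse(lines):
    """Parse JSON lines into event dicts sorted by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def _trim(queue, now, key=lambda item: item):
    """Drop queue entries older than WINDOW relative to `now`."""
    while queue and now - key(queue[0]) > WINDOW:
        queue.popleft()


def detect(lines):
    """Return alerts in event order: brute_force, password_spray, push_bombing."""
    alerts, seen = [], set()
    fails_by_src_user = defaultdict(deque)   # (src_ip, user) -> [ts]
    users_by_src = defaultdict(deque)        # src_ip -> [(ts, user)]
    pushes_by_user = defaultdict(deque)      # user -> [ts of prompts]
    for ev in parse(lines):
        ts, user, src, kind = ev["ts"], ev["user"], ev["src_ip"], ev["event"]
        if kind == "LOGIN_FAIL":
            q = fails_by_src_user[(src, user)]
            q.append(ts)
            _trim(q, ts)
            if len(q) >= BRUTE_FORCE_FAILS and ("bf", src, user) not in seen:
                seen.add(("bf", src, user))
                alerts.append({"type": "brute_force", "src_ip": src, "user": user, "count": len(q)})
            q2 = users_by_src[src]
            q2.append((ts, user))
            _trim(q2, ts, key=lambda item: item[0])
            distinct = {u for _, u in q2}
            if len(distinct) >= SPRAY_DISTINCT_USERS and ("spray", src) not in seen:
                seen.add(("spray", src))
                alerts.append({"type": "password_spray", "src_ip": src, "distinct_users": len(distinct)})
        elif kind == "MFA_PUSH_SENT":
            q = pushes_by_user[user]
            q.append(ts)
            _trim(q, ts)
        elif kind == "MFA_PUSH_APPROVED":
            q = pushes_by_user[user]
            _trim(q, ts)
            if len(q) >= PUSH_BOMB_PROMPTS:
                alerts.append({"type": "push_bombing", "user": user, "src_ip": src, "prompts": len(q)})
            q.clear()  # an approval ends the prompt run either way
        # LOGIN_OK and MFA_PUSH_DENIED carry no detection logic here
    return alerts


def _line(hms, user, src, event):
    return json.dumps({"ts": f"2024-06-03T{hms}Z", "user": user, "src_ip": src, "event": event})


# Constructed sample log (assumption): a brute force run, a spray, a push-bombing run
# against bob, and one benign login by carol.
SAMPLE_LOG = [
    *[_line(f"09:00:{s:02d}", "alice", "10.0.0.5", "LOGIN_FAIL") for s in (0, 10, 20, 30, 40, 50)],
    _line("09:01:00", "alice", "10.0.0.5", "LOGIN_OK"),
    *[_line(f"09:05:{i:02d}", u, "203.0.113.9", "LOGIN_FAIL")
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])],
    *[_line(f"09:{10 + i}:00", "bob", "198.51.100.7", "MFA_PUSH_SENT") for i in range(4)],
    *[_line(f"09:{10 + i}:30", "bob", "198.51.100.7", "MFA_PUSH_DENIED") for i in range(3)],
    _line("09:14:00", "bob", "198.51.100.7", "MFA_PUSH_APPROVED"),
    _line("09:20:00", "carol", "192.0.2.44", "LOGIN_OK"),
    _line("09:20:01", "carol", "192.0.2.44", "MFA_PUSH_SENT"),
    _line("09:20:05", "carol", "192.0.2.44", "MFA_PUSH_APPROVED"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two design points carry over to real SIEM rules: spraying is only visible when you key on the source rather than the account (each account sees a single failure, well under any lockout), and a push-bombing alert is worth far more when it fires on the approval than on the prompts, because that is the moment the account is actually compromised and a session revocation still helps.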
Invest In Privileged Access Management (PAM)
Privileged accounts are one of the most lucrative targets for hackers, making them some of the most targeted of employee accounts. Privileged Access Management solutions enable organizations to monitor and control the access and activity of their privileged users. This includes who has access to which accounts, as well as what users are allowed to do once logged in. PAM keeps privileged accounts secure by ensuring that only the correct, and verified, users can access accounts based on their roles and responsibilities.
According to a Statista survey of 567 IT professionals in organizations with 1,000+ employees, 62% of those in charge of IAM value adaptability to their company's specific requirements as a top priority when evaluating tools. 55% of respondents also valued connectivity with other applications and infrastructure. IAM budgets have also increased in 90% of organizations.
- You can find out more about how PAM solutions work here, and compare the best solutions by reading our guide to the Top PAM Solutions here.
Install Endpoint Security On Employee Devices
Endpoint security solutions use a combination of firewalls, anti-malware, and device management tools to protect your network against malware and viruses that could be used to harvest your employees’ credentials.
These solutions cover all the endpoints connected to your network, including servers, PCs, mobile devices and IoT devices, and admins can manage the solution centrally, making it easy for them to identify and monitor the health and risk level of all devices connected to the network at once.
Endpoint security solutions tend to be designed for larger organizations and those with a number of remote or BYOD endpoints. If you’re an SMB that doesn’t have a complex network architecture, and you’re looking for a product that will protect your endpoints against viruses and malware, you should look at investing in an antivirus software solution.
Train Your Employees
One of the best ways to cultivate a culture of security is by teaching your employees how to be vigilant and preparing them to identify and respond to threats.
Security Awareness Training solutions combine engaging training materials with active attack simulation campaigns to transform your employees from potential weak links into a robust line of defense against cyberattacks. Most of these solutions focus specifically on phishing awareness training, but some also include modules on a wider range of security topics, such as how to work from home safely.
Invest In A Secure Email Gateway (SEG)
Secure Email Gateways protect your employees against phishing attacks by monitoring their inbound and outbound emails and scanning them for threats. The SEG blocks or quarantines any suspicious communications, so that they’re never delivered to their intended victims.
Email gateway solutions also expose account compromise, helping you to identify and prevent Business Email Compromise (BEC) attacks, which attackers can use to steal credentials by posing as a company insider.