Research from the 2024 Verizon Data Breach Investigations Report suggests human error accounts for 74% of data breaches, while up to 50% of attacks use stolen credentials. Credential theft can happen in a variety of ways. One of the most common is when usernames and passwords are gained through phishing emails or social engineering attacks, in which the employee thinks a request is legitimate when it’s malicious. By gaining access to an employee’s credentials, a bad actor also gains access to their account privileges, especially if the same credentials are used across multiple accounts.
Unfortunately, employees are increasingly prone to falling for phishing and social engineering attacks as Artificial Intelligence (AI) makes them more personalized and more challenging to detect. While AI has many positive applications, it presents new security challenges because it allows adversaries and everyday people to create sophisticated attacks easily. In addition to phishing and social engineering attacks, AI can fuel brute-force or dictionary attacks, in which tools systematically try different passwords until access is gained.
There is no simple solution to defending against credential theft. If a silver bullet existed, every organization would have implemented it already. Instead, agencies must continuously bolster their defenses against increasingly sophisticated attacks and the risk of credential theft. They can accomplish this by combining increased visibility, layered technical controls, and workforce training. Let’s take a closer look at what that entails.
Taking a Layered Approach to Cybersecurity
Every security technology has both strengths and weaknesses. By layering multiple technologies together, it’s easier to offset the shortcomings of any single solution. User Activity Monitoring (UAM), Content Disarm and Reconstruction (CDR), Multifactor Authentication (MFA), and secure data transfers work best in conjunction with one another. MFA should be the bare minimum and is often best supplemented with biometric verification. In the event of credential theft, UAM will highlight unusual user behavior and account access, while air-gapped networks can minimize the risk of exposure. No single technology is sufficient in the current landscape. Implementing one and thinking you’re protected is foolish.
Another way to minimize the risks associated with credential theft and other insider threats is to implement the principle of least privilege. Ensuring and verifying that employees only have access to need-to-know information can drastically limit the impact of compromised accounts. Unfortunately, this approach often falls through the cracks when employees change roles or leave the organization. Annual reviews of the technical controls applied to individuals or groups must be the minimum, while strict protocols should be in place for departing employees. In an age where AI is mainstreaming credential theft, a significant risk reduction strategy is shrinking the access a bad actor gains through a single employee.
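The kind of access review described above, as an added example that is not the article's own tooling: it cross-checks what each account currently holds against an HR roster and a role-to-entitlement map, flagging departed accounts that still hold access and active users carrying entitlements left over from a previous role. The roster, role map and entitlement snapshot are constructed for illustration.

```python
from collections import defaultdict

# Constructed HR roster: user -> (current role, employment status).
HR_ROSTER = {
    "alice": ("analyst", "active"),
    "bob": ("engineer", "active"),
    "carol": ("analyst", "departed"),  # left last month, account never disabled
    "dave": ("analyst", "active"),     # recently moved from finance to analyst
}
# Constructed map of what each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "analyst": {"case-db:read", "vpn"},
    "engineer": {"source-repo:write", "build-server", "vpn"},
}
# Constructed snapshot of what each account currently holds.
CURRENT_ENTITLEMENTS = {
    "alice": {"case-db:read", "vpn"},
    "bob": {"source-repo:write", "build-server", "vpn"},
    "carol": {"case-db:read", "vpn"},
    "dave": {"case-db:read", "vpn", "payroll:write"},  # left over from the finance role
}

def review_access(roster, role_map, granted):
    """Return {user: [findings]} for every entitlement that violates least privilege."""
    findings = defaultdict(list)
    for user, entitlements in granted.items():
        role, status = roster.get(user, (None, "unknown"))
        if status != "active":
            # Any access left on a departed or unknown account is a finding in itself.
            for ent in sorted(entitlements):
                findings[user].append(f"{status} account still holds {ent}")
            continue
        # Active users may hold only what their current role requires.
        for ent in sorted(entitlements - role_map.get(role, set())):
            findings[user].append(f"{ent} not required by role {role}")
    return dict(findings)

if __name__ == "__main__":
    for user, items in review_access(HR_ROSTER, ROLE_ENTITLEMENTS, CURRENT_ENTITLEMENTS).items():
        print(user, items)
```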
Implementing Behavioral Analytics
Assuming the occasional credential theft is inevitable, behavioral analytics also becomes non-negotiable. Once inside, bad actors take different approaches. Some lock employees out of their accounts and change their passwords. Others sit and wait and only start stockpiling data long after the initial incident has passed. With behavioral analytics, high-risk behavior can be detected quickly because every employee’s normal behavioral baseline—what data and systems they’re accessing, where and when they log on, and more—is understood.
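The baseline comparison described above, as an added example that is not the article's product: it learns, per user, which systems they reach, which source networks they come from and which hours they are active, then flags later events that fall outside that pattern. The log format ("timestamp user src_ip system") and all log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed auth log lines ("timestamp user src_ip system"): a learning window,
# then events to score; the last two NEW_LOG lines look like someone else using alice's credentials.
BASELINE_LOG = """\
2024-05-01T09:12:00 alice 10.0.1.5 fileshare
2024-05-01T13:40:00 alice 10.0.1.5 case-db
2024-05-02T08:55:00 alice 10.0.1.7 fileshare
2024-05-02T16:10:00 alice 10.0.1.7 case-db
"""
NEW_LOG = """\
2024-05-06T09:30:00 alice 10.0.1.5 fileshare
2024-05-06T23:15:00 alice 203.0.113.9 case-db
2024-05-07T02:05:00 alice 203.0.113.9 hr-archive
"""

def parse(log):
    """Yield (datetime, user, source /24, system); the /24 key keeps office DHCP churn from alerting."""
    for line in log.strip().splitlines():
        ts, user, ip, system = line.split()
        yield datetime.fromisoformat(ts), user, ".".join(ip.split(".")[:3]), system

def build_baseline(log):
    """Per user: systems reached, source networks seen, and hours of activity."""
    base = defaultdict(lambda: {"systems": set(), "nets": set(), "hours": set()})
    for ts, user, net, system in parse(log):
        base[user]["systems"].add(system)
        base[user]["nets"].add(net)
        base[user]["hours"].add(ts.hour)
    return base

def score_events(baseline, log):
    """Return (timestamp, user, reasons) for every event outside the user's baseline."""
    alerts = []
    for ts, user, net, system in parse(log):
        b = baseline.get(user)
        if b is None:  # an account with no history in the learning window is itself a finding
            alerts.append((ts.isoformat(), user, ["no baseline for user"]))
            continue
        reasons = []
        if system not in b["systems"]:
            reasons.append(f"new system {system}")
        if net not in b["nets"]:
            reasons.append(f"new source network {net}.0/24")
        if not min(b["hours"]) <= ts.hour <= max(b["hours"]):
            reasons.append(f"hour {ts.hour:02d} outside usual {min(b['hours']):02d}-{max(b['hours']):02d}")
        if reasons:
            alerts.append((ts.isoformat(), user, reasons))
    return alerts
```

In practice the learning window would be weeks of events rather than four lines, and each reason would feed a score rather than an immediate alert, but the structure of the check is the same.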
At the same time, getting a full view of each employee is essential, which requires bringing disparate data sources together. Agencies need to protect against credential theft and employees going rogue. For example, data from critical internal stakeholders like human resources (HR) can help organizations identify which employees are on a performance improvement plan, a potential precursor to animosity that could lead to malicious behavior. Having a complete view of each person makes it easier to spot concerning activity and prevent any insider — whether a rogue employee or a bad actor with stolen credentials — from wreaking havoc on security and your organization’s data, systems, and people.
The Importance of Workforce Training
Finally, having an engaged and informed workforce can go a long way on the security front. Giving employees examples of different kinds of data breaches, particularly high-profile ones that make headlines, can be a great way to hit home the importance of good cyber hygiene. The goal is not to fearmonger but to make the point: it could impact everyone if we do not protect our company and credentials. On average, a data breach costs a whopping $4.88 million.
It can be helpful to measure the impact of training and collect employee feedback to see whether it is landing. Sometimes, to tighten security, organizations implement policies that create friction and, inadvertently, additional risk. For instance, let’s say you require every employee to encrypt information sent to vendors or other third parties. Some employees may find this burdensome and opt for a workaround, such as using systems outside of company control. Relying on shadow IT negatively impacts an organization’s security posture and can undermine all other security efforts.
Thus, all security policies must be balanced against the friction they cause to ensure they are actually beneficial. The best way to know whether friction is being created is to foster an environment where employees feel comfortable being honest about which measures they find helpful and which workarounds they are using. Additionally, through education, employees may be more reluctant to use workarounds because they understand the risks they create.
The Bottom Line
AI makes it easier for adversaries to lure employees into making a mistake that could compromise the entire organization. Credentials are the proverbial keys to the castle and thus will remain in the crosshairs of bad actors. Organizations should proceed as if credential theft is inevitable. Human error cannot be eliminated, while the advanced tools used for attacks will continue to lower the barrier to entry for bad actors.
Still, that doesn’t mean agencies should sit back and do nothing. By minimizing the attack surface, increasing visibility, layering technical controls, and educating employees, it’s possible to increase peace of mind. If credentials are compromised, the breach can be spotted quickly, and the damage can be contained. Phishing and social engineering attacks aren’t going anywhere—but good cyber hygiene can shrink the attack surface and ensure attacks are remediated quickly.