Vera de Chauvigny, Analyst Relations and Alliances Leader at WALLIX tells SJUK that as cyber-attacks increasingly exploit legitimate credentials, identity has become the primary attack surface for UK organisations.
Cyber-attacks against organisations have undergone a fundamental shift, outpacing the growth of security budgets.
While businesses continue to invest heavily in perimeter and endpoint protection, attackers have largely moved away from breaching network boundaries and now exploit legitimate credentials instead.
Today, credential-based attacks account for 77% of initial breaches, and in more than half of cases stolen credentials are the root cause.
This shift represents more than just a change in attacker tactics.
It reflects the reality that traditional network perimeters have all but disappeared in any meaningful sense.
Remote work has become a permanent feature of British business, applications are increasingly hosted in cloud environments that IT departments do not directly control, and third-party integrations outpace audit processes.
Identity has emerged as the single control point across the enterprise.
For UK businesses, the regulatory implications are significant.
The Information Commissioner’s Office has made clear through enforcement actions that organisations must demonstrate appropriate technical measures to protect personal data under the UK GDPR.
When breaches stem from compromised credentials, regulators examine both incident response and whether adequate identity controls existed.
The following five trends are redefining how businesses secure access, manage risk and maintain trust in an increasingly perimeter-less world.
While rapid detection remains vital, the real measure of resilience lies in limiting the damage a compromised account can inflict.
Modern attacks challenge the assumption that fast detection prevents serious damage: lateral movement across compromised networks can occur in as little as 27 minutes, and Gartner notes that ransomware propagation via lateral movement is now the most common attack vector.
Even the best tools cannot guarantee containment. Least-privilege access is the new frontline defence.
By restricting accounts and tokens to what they genuinely need, organisations shrink the blast radius of any breach.
Regular privilege reviews and just-in-time access add safeguards, ensuring that if attackers break in, their ability to pivot and escalate is severely curtailed.
Leading organisations score every identity across systems and reduce privileges to the minimum required when risk thresholds are breached.
The recent Salesloft–Drift breach is a stark reminder: attackers used stolen OAuth tokens that carried excessive permissions. Had those scopes been minimised and monitored, lateral movement could have been contained.
Organisations now manage between 40 and 82 machine identities for every human user, a ratio accelerating as infrastructure becomes more distributed.
Every microservice deployment requires credentials, every API integration needs authentication keys and the expansion of IoT devices, CI/CD pipelines and AI agents means machine identities are constantly created across infrastructure that traditional privileged access management systems were never designed to handle.
Legacy PAM systems assume identities are stable and long-lived.
In contrast, machine identities in cloud-native environments may exist for minutes or seconds.
Industry research shows that 50% of organisations experienced breaches tied to compromised machine identities in the past year.
For British businesses delivering services into the EU, the stakes are higher: those within NIS2's scope must meet stringent supply chain security requirements, and unmanaged machine identities remain a blind spot there.
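The contrast between a long-lived static key and a short-lived, scope-bound workload credential is easier to see in code. The following is an added example, not code from the article or from WALLIX: an issuer mints a credential bound to one workload, a fixed scope list and a TTL of seconds, and the verifying service rejects tampering, expiry and scope mismatch. The issuer key, service names and scopes are made up for the example, and the token format is a minimal HMAC-signed structure rather than a standard such as JWT.

```python
"""Ephemeral, scoped machine credentials (added example, not WALLIX code).

A workload receives a token that is valid for a few minutes and only for the
scopes it was issued with, so a leaked credential has a small blast radius
and a short life. The signing key, subject and scope names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import List, Optional, Tuple

# Constructed secret: in practice held only by the issuing service
# (a PAM or secrets manager), never by the workload that receives tokens.
ISSUER_KEY = b"example-issuer-key-do-not-use-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scopes: List[str], ttl_seconds: int,
               now: Optional[float] = None) -> str:
    """Issue a credential bound to one workload, a scope list and a short lifetime."""
    now = time.time() if now is None else now
    claims = {
        "sub": subject,
        "scp": sorted(scopes),
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
        "jti": secrets.token_hex(8),  # unique id so a single token can be traced or revoked
    }
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, required_scope: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Signature is checked before any claim is read."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad-signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"
    if required_scope not in claims["scp"]:
        return False, "insufficient-scope"
    return True, f"ok:{claims['sub']}"


if __name__ == "__main__":
    # Constructed scenario: a payments service gets a 5-minute read-only token.
    tok = mint_token("payments-svc", ["read:ledger"], ttl_seconds=300, now=1000)
    print(verify_token(tok, "read:ledger", now=1100))    # accepted
    print(verify_token(tok, "write:ledger", now=1100))   # scope not granted
    print(verify_token(tok, "read:ledger", now=1400))    # expired
```

Because the lifetime is measured in seconds and the scope is fixed at issue time, rotation and revocation stop being a periodic chore: the credential simply stops working, and a stolen copy cannot be turned into a broader one.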
Multi-factor authentication is now standard across British enterprises.
Yet its limitations are increasingly apparent as attackers bypass it using phishing, prompt-bombing and session hijacking.
Traditional authentication only verifies identity at a single point in time.
Some UK organisations are implementing behavioural authentication that continuously verifies identity throughout a session based on context and behaviour rather than relying solely on login credentials.
These systems analyse typing patterns, device characteristics, access times and application interaction.
When behaviour deviates from baselines, the system can require additional authentication or restrict access to sensitive resources.
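The behavioural approach described above can be shown as a small scoring engine. The following is an added example, not code from the article or from WALLIX: it builds a per-user baseline from past sessions (devices, working hours, typing cadence, applications), scores each in-session observation against that baseline, and either allows the action, restricts sensitive applications, or demands step-up authentication. The session records, field names, thresholds and weights are all constructed for the example.

```python
"""Continuous behavioural authentication (added example, not WALLIX code).

Each in-session event is scored against a baseline learned from the user's
earlier sessions; enough drift triggers a step-up challenge rather than
waiting for the next login. Data, weights and thresholds are assumptions.
"""
from statistics import mean, pstdev

# Constructed history: (user, device, hour_of_day, mean_keystroke_interval_ms, app)
HISTORY = [
    ("alice", "lap-01", 9, 140, "crm"),
    ("alice", "lap-01", 10, 150, "crm"),
    ("alice", "lap-01", 14, 145, "mail"),
    ("alice", "lap-01", 16, 155, "crm"),
    ("alice", "lap-01", 11, 148, "mail"),
    ("alice", "lap-01", 15, 152, "crm"),
]

SENSITIVE_APPS = {"hr-payroll", "finance"}  # constructed list
STEP_UP_AT = 4     # score at which a fresh authentication factor is demanded
RESTRICT_AT = 2    # score at which sensitive apps are withheld


def build_baseline(history):
    """Summarise what is 'normal' for each user from observed sessions."""
    per_user = {}
    for user, device, hour, cadence, app in history:
        b = per_user.setdefault(
            user, {"devices": set(), "hours": set(), "apps": set(), "cadence": []})
        b["devices"].add(device)
        b["hours"].add(hour)
        b["apps"].add(app)
        b["cadence"].append(cadence)
    for b in per_user.values():
        b["cadence_mean"] = mean(b["cadence"])
        # tiny histories can have zero spread; avoid dividing by zero
        b["cadence_sd"] = pstdev(b["cadence"]) or 1.0
    return per_user


def score_event(baseline, event):
    """Return (risk_score, reasons) for one in-session observation."""
    user, device, hour, cadence, app = event
    b = baseline.get(user)
    if b is None:
        return 10, ["no-baseline"]  # unknown user: treat as maximum drift
    score, reasons = 0, []
    if device not in b["devices"]:
        score += 3
        reasons.append("unseen-device")
    # an hour adjacent to a usual one is tolerated; anything else is unusual
    if not any(abs(hour - h) <= 1 for h in b["hours"]):
        score += 2
        reasons.append("unusual-hour")
    z = abs(cadence - b["cadence_mean"]) / b["cadence_sd"]
    if z > 3:
        score += 2
        reasons.append(f"cadence-z={z:.1f}")
    if app not in b["apps"]:
        score += 1
        reasons.append("unseen-app")
    return score, reasons


def decide(baseline, event):
    """Policy: step-up on strong drift, restrict sensitive apps on moderate drift."""
    score, reasons = score_event(baseline, event)
    app = event[4]
    if score >= STEP_UP_AT:
        return "step-up", score, reasons
    if score >= RESTRICT_AT and app in SENSITIVE_APPS:
        return "restrict", score, reasons
    return "allow", score, reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for ev in [("alice", "lap-01", 10, 147, "crm"),            # normal
               ("alice", "lap-01", 12, 200, "finance"),        # odd typing, sensitive app
               ("alice", "tab-99", 3, 320, "hr-payroll")]:     # new device, 3am, very slow typing
        print(ev, "->", decide(base, ev))
```

The point of scoring continuously is that the session itself becomes the unit of trust: a token hijacked after a successful MFA login still has to behave like its owner to keep its access.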
Employees are deploying AI tools without IT approval, creating identity risks invisible to traditional IAM systems. The EY AI Sentiment Index (April 2025) revealed that 44% of respondents use AI professionally.
Personal ChatGPT accounts, autonomous agents and AI-powered browser extensions access corporate data through legitimate credentials in ways invisible to conventional monitoring.
These tools represent new identities operating in the environment, authenticating via user credentials and accessing sensitive systems.
Yet they do not appear as distinct entities in directories or logs.
For organisations managing personal data under GDPR, this creates compliance risk, as AI tools may inadvertently leak information through training or responses, exposing firms to regulatory and reputational harm.
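One way to make these otherwise invisible AI identities visible is to attribute outbound traffic to AI services per user and channel. The following is an added example, not code from the article or from WALLIX: it parses constructed web-proxy log lines, matches destinations against a watch-list of AI service domains, separates browser use from programmatic clients (an SDK, script or agent running under a user's credentials), and flags bulk uploads. The log format, watch-list, users and threshold are assumptions for the example.

```python
"""Surfacing shadow AI use from egress logs (added example, not WALLIX code).

Each (user, AI service, channel) combination is reported as a distinct
identity-like entity with request count, bytes sent and first/last seen,
which is what a directory or IAM system would otherwise never show.
The log format and watch-list are constructed for the example.
"""
import re
from collections import OrderedDict

# Constructed watch-list mapping a domain suffix to a tool label.
AI_SERVICES = {
    "openai.com": "OpenAI/ChatGPT",
    "anthropic.com": "Claude API",
    "claude.ai": "Claude web",
    "gemini.google.com": "Gemini",
}
UPLOAD_ALERT_BYTES = 1_000_000  # constructed threshold for a bulk-upload flag

# Constructed log format: ISO timestamp, user, destination host, bytes out, user agent.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) out=(?P<out>\d+) ua="(?P<ua>[^"]*)"$')

SAMPLE_LOG = """\
2025-10-01T09:02:11Z user=alice dst=chat.openai.com out=2400 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/129"
2025-10-01T09:03:40Z user=alice dst=api.openai.com out=1850000 ua="python-requests/2.32"
2025-10-01T10:15:02Z user=bob dst=claude.ai out=900 ua="Mozilla/5.0 (Macintosh) Safari/17"
2025-10-01T10:16:30Z user=bob dst=intranet.example.co.uk out=120 ua="Mozilla/5.0 (Macintosh) Safari/17"
2025-10-01T11:44:09Z user=carol dst=gemini.google.com out=50 ua="Mozilla/5.0 (X11) Firefox/130"
"""


def classify(dst):
    """Map a destination host to a tool label, matching exact host or subdomain."""
    for suffix, tool in AI_SERVICES.items():
        if dst == suffix or dst.endswith("." + suffix):
            return tool
    return None


def is_programmatic(user_agent):
    """Crude but useful: anything not presenting as a browser is a script, SDK or agent."""
    return not user_agent.startswith("Mozilla/")


def shadow_ai_identities(log_text):
    """Aggregate AI-service traffic into per-(user, tool, channel) records with flags."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        tool = classify(m["dst"])
        if tool is None:
            continue
        channel = "programmatic" if is_programmatic(m["ua"]) else "browser"
        key = (m["user"], tool, channel)
        rec = seen.setdefault(key, {
            "user": m["user"], "tool": tool, "channel": channel,
            "requests": 0, "bytes_out": 0,
            "first_seen": m["ts"], "last_seen": m["ts"],
        })
        rec["requests"] += 1
        rec["bytes_out"] += int(m["out"])
        rec["last_seen"] = m["ts"]
    findings = []
    for rec in seen.values():
        flags = []
        if rec["channel"] == "programmatic":
            flags.append("non-browser-client")  # credentials reused by a script or agent
        if rec["bytes_out"] >= UPLOAD_ALERT_BYTES:
            flags.append("bulk-upload")         # possible corporate data leaving via the tool
        rec["flags"] = flags
        findings.append(rec)
    return sorted(findings, key=lambda r: (-r["bytes_out"], r["user"]))


if __name__ == "__main__":
    for f in shadow_ai_identities(SAMPLE_LOG):
        print(f["user"], f["tool"], f["channel"], f["bytes_out"], f["flags"])
```

Feeding the resulting records into the identity inventory, rather than leaving them as proxy statistics, is what turns an employee's personal AI account into something access reviews can actually see and act on.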
The immediate priority for any organisation must be comprehensive visibility across its identity landscape.
Most organisations genuinely do not know how many identities exist in their environment or what those identities can access across different systems.
Comprehensive discovery should span all environments, cataloguing every human user account, service account, API key, application identity and device identity.
Implementing continuous monitoring rather than relying on periodic reviews is equally critical.
In an environment where attackers can move laterally through compromised networks in under 30 minutes, quarterly access reviews are fundamentally inadequate.
Identity security requires real-time visibility into who and what is accessing systems, with automated responses to suspicious activity.
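The privilege review described earlier (scoring every identity and reducing it to the minimum required) and the discovery and continuous monitoring urged here come together in one review routine. The following is an added example, not code from the article or from WALLIX: it runs over a constructed inventory of human and machine identities, compares the permissions each holds with those it has actually exercised in the review window, scores the unused surplus by sensitivity, and proposes removal, conversion to just-in-time access, disabling of dormant identities, or re-scoping of keys and app tokens. Identity names, permission strings, weights and thresholds are assumptions for illustration.

```python
"""Identity inventory and least-privilege review (added example, not WALLIX code).

Granted-but-unused rights are the surplus an attacker inherits with a
compromised account; this routine measures that surplus per identity and
ranks the inventory so reviewers shrink the biggest blast radius first.
All names, permissions, weights and thresholds are constructed.
"""
from dataclasses import dataclass, field

REVIEW_WINDOW_DAYS = 90   # window over which "used" permissions were observed
DORMANT_DAYS = 45         # no activity for longer than this: disable, do not rescope
# Constructed sensitivity weights: permission strings look like "crm:write".
WEIGHT = {"admin": 5, "write": 3, "read": 1}


@dataclass
class Identity:
    name: str
    kind: str                               # human | service | api_key | oauth_app
    granted: set = field(default_factory=set)
    used: set = field(default_factory=set)  # exercised within REVIEW_WINDOW_DAYS
    last_used_days_ago: int = 0


def _weight(perm: str) -> int:
    """Verb after the last ':' sets how dangerous an unused right is."""
    return WEIGHT.get(perm.rsplit(":", 1)[-1], 2)


def review(identity: Identity) -> dict:
    """Score one identity and list concrete actions for the reviewer."""
    unused = identity.granted - identity.used
    score = sum(_weight(p) for p in unused)
    if identity.last_used_days_ago > DORMANT_DAYS:
        # Disabling moots every other action, so report only that.
        return {"name": identity.name, "kind": identity.kind,
                "score": score + 5, "actions": ["disable-dormant"]}
    actions = []
    for perm in sorted(unused):
        if _weight(perm) >= WEIGHT["write"]:
            # High-impact rights that went unused: keep them, but only on request.
            actions.append(f"convert-to-jit:{perm}")
        else:
            actions.append(f"remove:{perm}")
    if identity.kind in {"api_key", "oauth_app"} and score >= WEIGHT["admin"]:
        # A token carrying unused high-impact scopes is re-issued with fewer scopes.
        actions.append("rotate-and-rescope")
    return {"name": identity.name, "kind": identity.kind,
            "score": score, "actions": actions}


def prioritise(inventory):
    """Highest-risk identities first; ties broken by name for stable reports."""
    return sorted((review(i) for i in inventory),
                  key=lambda r: (-r["score"], r["name"]))


# Constructed inventory spanning a human, an integration app, a CI bot and a stale key.
INVENTORY = [
    Identity("alice", "human",
             {"crm:read", "crm:write"}, {"crm:read", "crm:write"}, 1),
    Identity("crm-integration-app", "oauth_app",
             {"crm:read", "crm:write", "crm:admin", "mail:read"}, {"crm:read"}, 3),
    Identity("build-bot", "service",
             {"repo:read", "repo:write"}, {"repo:read"}, 2),
    Identity("legacy-export-key", "api_key",
             {"warehouse:read"}, set(), 120),
]


if __name__ == "__main__":
    for r in prioritise(INVENTORY):
        print(f'{r["score"]:>2} {r["kind"]:<10} {r["name"]:<22} {", ".join(r["actions"]) or "-"}')
```

Run against real usage telemetry (cloud access-advisor data, PAM session logs, IdP sign-in logs), the same routine becomes the continuous monitor the text calls for: re-run daily, it flags drift the moment a new right is granted and never used, rather than at the next quarterly review.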
Integrating fragmented identity security tools should also be prioritised, even without full consolidation.
The goal is connecting PAM, IAM, ITDR and data security platforms so they share data and coordinate responses when threats emerge.
As an identity security specialist at WALLIX, I’ve observed identity security’s evolution from a niche technical discipline to the cornerstone of enterprise defence.
For UK businesses facing increasingly stringent regulatory requirements and sophisticated threat actors, the question is no longer whether to prioritise identity security but whether organisations will address these emerging trends proactively before a breach occurs.
The urgency is underscored by the eye-watering sums paid in acquisitions such as that of CyberArk, clear evidence that identity security is now viewed as strategic, not optional.
The trends outlined are not theoretical; they are already shaping enterprise environments.
Security teams that address these trends now will be far better positioned to contain breaches when they inevitably occur.
Those organisations that delay will face broader compromise, longer recovery times and spiralling costs, not to mention reputational harm and regulatory penalties.
This article was originally published in the February edition of Security Journal UK.