Even before the final phrases of “Auld Lang Syne” began to dissipate, people started turning their attention to the new year. With everyone’s proclamations of “new year, new me,” organizations may want to consider how they can give their identity programs a makeover without having to upend their operations.
The inability to remain static is one of the few things that time and malicious actors share. As organizations work to prepare themselves for the future, these 2025 predictions can help inform decision-making.
AI May Be the Terminator for Your Credentials
The current AI models may not autonomously say in a deep and accented voice, “I’ll be ba-ack.” However, bad actors increasingly use models like ChatGPT to create deepfakes that improve their social engineering campaigns.
While the old zero trust motto used to be “trust but verify,” the modern adage is “trust nothing and no one.” As malicious actors add AI and Large Language Models (LLMs), their social engineering campaigns become more realistic, enabling attackers to mimic real people’s physical and digital presences. For example, cybercriminals can easily feed content from a CEO’s social media profile into an AI model and then use a prompt to “write in the style of” that individual. With the phishing email sounding more legitimate, people struggle to tell real messages from fake ones.
With the latest White House Executive Order aiming to increase US development opportunities in AI, American companies may be able to outpace some bad actors, but people can no longer trust their eyes and ears. Further, with the rise of less expensive yet competitive models like DeepSeek, malicious actors will be even more likely to incorporate these into social engineering campaigns.
As attackers often use social engineering and phishing to steal credentials, organizations need to have identity strategies that identify all users and understand their normal behavior. Without these capabilities, identifying anomalous activity arising from compromised credentials will be nearly impossible.
Who’s Afraid of Little Old Vulnerability?
Malicious actors will continue to focus on vulnerability exploitation as a primary method for gaining initial access. Once bad actors identify a vulnerability to exploit, they can use slightly different attack paths that begin with the initial security weakness.
When zooming out and looking at the cybercriminal ecosystem, the initial access problem makes even more sense. Across the dark web, cybercriminals increasingly focus on their own niche specialties. For example, initial access brokers (IABs) focus on gaining access to target systems and then selling that access on the dark web or in Telegram channels. Whether they sell access obtained through vulnerabilities or through stolen credentials, the ecosystem makes it easier for unsophisticated cybercriminals to deploy more sophisticated attacks.
For the medium and large organizations that attackers are more likely to target, risk mitigation strategies may include rotating passwords at a more frequent pace and wider scale.
99 Problems, and They’re All Service Accounts
Identity is now – and will remain – the nucleus of security. While organizations may have insight into their human users and identities, they increasingly struggle with managing non-human identities, like service accounts. Machines talking to machines and the identities used across applications have exploded to ten, or even twenty, times the number of human accounts. Recognizing this, malicious actors increasingly target machine-to-machine and application-to-machine identities as attack vectors.
The problem becomes more complicated because the environment obscures where these issues lie. Technology debt, clutter, and unclear access routes create additional opportunities for attackers. Malicious actors know they can take advantage of multiple access routes, especially across multi-cloud and hybrid infrastructures.
Some examples of ways that these service accounts can create risks include:
- Developers building in-house systems who create a security workaround
- Third-party vendors’ systems
- Legacy devices, accounts, and entitlements whose password policies haven’t been updated
Identifying and managing service accounts will be a key security risk mitigation strategy. Organizations need to define what these accounts can and cannot do, and then enforce those policies as strictly as they would for a human admin account.
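To make the “define what these accounts can and cannot do, then enforce it” step concrete, here is an added Python example (not SPHERE’s code or the post’s own) that audits a constructed account inventory against an assumed service-account policy: an accountable owner, a password rotated within 90 days, no privileged-group membership, and no interactive logon. The field names, group names, account names and the 90-day limit are all assumptions for illustration.

```python
from datetime import date

# Constructed sample inventory, shaped like a simplified IAM export.
# Not real accounts; the field and group names are assumptions.
INVENTORY = [
    {"name": "alice", "kind": "human", "owner": "alice",
     "pwd_last_set": date(2024, 12, 1), "groups": ["staff"],
     "interactive_logon": True},
    {"name": "svc-backup", "kind": "service", "owner": "infra-team",
     "pwd_last_set": date(2024, 11, 15), "groups": ["backup-operators"],
     "interactive_logon": False},
    # Legacy account: password never rotated, no owner, admin rights,
    # and interactive logon left on (a typical developer workaround).
    {"name": "svc-legacy-etl", "kind": "service", "owner": None,
     "pwd_last_set": date(2019, 3, 2), "groups": ["domain-admins", "etl"],
     "interactive_logon": True},
    # Vendor-managed account: rotated recently, but holds admin membership.
    {"name": "svc-vendor-mon", "kind": "service", "owner": "vendor-x",
     "pwd_last_set": date(2025, 1, 5), "groups": ["domain-admins"],
     "interactive_logon": False},
]
PRIVILEGED_GROUPS = {"domain-admins", "enterprise-admins"}  # assumed names
AUDIT_DATE = date(2025, 1, 15)  # constructed "today" so results are stable


def audit_service_accounts(inventory, today, max_password_age_days=90):
    """Return {account_name: [finding, ...]} for every service account
    that violates the policy; compliant accounts are omitted."""
    findings = {}
    for acct in inventory:
        if acct["kind"] != "service":
            continue  # human accounts are governed by other controls
        issues = []
        if not acct.get("owner"):
            issues.append("no accountable owner")
        age = (today - acct["pwd_last_set"]).days
        if age > max_password_age_days:
            issues.append(f"password age {age}d exceeds {max_password_age_days}d")
        privileged = PRIVILEGED_GROUPS.intersection(acct["groups"])
        if privileged:
            issues.append("member of privileged group(s): " + ", ".join(sorted(privileged)))
        if acct["interactive_logon"]:
            issues.append("interactive logon enabled")
        if issues:
            findings[acct["name"]] = issues
    return findings


def run_audit(max_password_age_days=90):
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit_service_accounts(INVENTORY, AUDIT_DATE, max_password_age_days)


if __name__ == "__main__":
    for name, issues in run_audit().items():
        print(name, *("  - " + i for i in issues), sep="\n")
```

Tightening the policy (for example, a 30-day rotation window) pulls otherwise compliant accounts such as the backup account into the report, which is the point: the policy is explicit and the enforcement is repeatable.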
Not Throwin’ Away My (Compliance) Shot
Benjamin Franklin allegedly decreed that nothing in the world is certain except death and taxes. If he were around today, he would probably also include “and data protection regulations.”
Although some deregulation initiatives have appeared on the global landscape, cybersecurity will remain a different beast. Many legislative and regulatory bodies will continue to double down and ensure that companies protect consumer and employee information. The private sector will remain on the front lines, protecting against cyberattacks, and the compliance landscape will continue to require proof of those activities.
Organizations should invest in solutions that enable robust compliance documentation and can map across multiple laws, regulations, and frameworks.
Playing the Corporate Version of the “Not It” Game with Cyber Liability Insurance
At some point in time, most people have put a finger to their nose and said loudly, “not it!” The intent of the Not It Game is to foist responsibility on somebody – anybody – else in the group. In the business world, cyber insurance often acts as the “nose point and shout” to have someone else cover a security incident’s costs.
Over the last few years, cyber insurance providers have become more skeptical about what they should reimburse companies for and have updated their coverages and exclusions to be more aggressive. The requirements to even obtain insurance in the first place have become significantly more stringent. In this game of tug of war over who owns liability, organizations need to implement, maintain, and monitor security controls more effectively.
Insurance companies have become more sophisticated, bringing with them a better understanding of the tools that organizations should use. Where the question used to be “do you have a PAM solution,” it is now “how are you protecting privileged access and accounts from compromise?”
All organizations, but especially smaller companies, will face more difficult liability conversations. To be approved for cyber liability insurance, organizations need to have answers to the increasingly specific questions that insurance underwriters ask and the continuous controls monitoring to support them.
Using a Digital WD-40 to Reduce User Friction
Everyone has that one door that just sticks when they try to open or close it, perhaps because the hinge is a little rusty. When they need to open that door, they pull out the trusty can of WD-40 to loosen the hinges, making the door open more easily.
Securing the identity perimeter is the rusted door hinge of the security world. Organizations need to deploy more security products, create deeper security policies, and monitor their environment with more rigor. However, each time they add a new control, they create new friction for end users.
For example, organizations add new authentication factors before allowing users to sign into corporate devices, networks, and applications. Each system has different levels of granularity and access control. From the users at home to the nurses on the emergency room floor, logging into devices and applications takes more steps and consumes more time. For each new security step, people will look for workarounds that make their lives easier, and often, those workarounds create security weaknesses.
Organizations need to look for solutions that reduce friction. As consumers and customers hold organizations accountable for protecting their sensitive information, companies need to implement solutions that help them strike the delicate balance between security and usability.
SPHERE: A Crystal Ball Built on Identity Hygiene
While no one can really predict the future, the statistical rise of identity-based attacks over the last few years indicates that threat actors will continue to deploy these methodologies. As organizations choose their cybersecurity investments for 2025, they should consider how to implement identity hygiene: processes for implementing, maintaining, and monitoring user access across complex environments, including those with interconnected applications and large numbers of difficult-to-manage identities, like service accounts.
With SPHERE, you can uncover identity issues like rampant open access or excessive numbers of privileged accounts. Our platform simplifies the remediation process with virtual workers who can do more in less time, enabling organizations to close known and unknown gaps while identifying and protecting critical data. To manage risk on an ongoing basis, you can use SPHERE to continuously monitor the effectiveness of key controls and improve identity and access management to sustain a least-privilege state.