Identity – Osterman Research
https://ostermanresearch.com
Insightful research that impacts organizations
Feed last built Mon, 08 Dec 2025 22:50:41 +0000

Strengthening Identity Security: Visibility, Governance, and Autonomous Remediation – our latest identity security deep dive
https://ostermanresearch.com/2025/08/07/identity-security-2025-report/
Wed, 06 Aug 2025 23:15:18 +0000

It was the data-driven finding from our initial Cybersecurity Investment Priorities program in 2023 that really hit the home run on the importance of visibility for us. We’d just run a large survey to gauge investment priorities among CISOs and CIOs over the coming year, which had included a deep dive into four specific cybersecurity topics. During the data analysis phase of the research, we correlated the data on how visibility affected prioritization, and the relationship was clear (“self-evident” / “stark” / choose your “oh wow!” word): the better the visibility, the higher the priority. This was one of those post-survey data analysis moments where you see “A-ha!” written all across the spreadsheet and you want to fist-bump the data. The importance of visibility has been a recurring theme throughout our cybersecurity research ever since.

Sometimes, though, visibility is more than just a recurring theme within the research … and takes a starring role in the program itself. That’s the case for our latest report into identity security – with a focus on visibility, governance, and autonomous remediation. Last year we took on the question of MFA posture – which included a visibility angle – but this year the intent was to look much wider than just MFA. This research project has been on the wish list for a long time, and it’s a delight to make it available. Please see Strengthening Identity Security: Visibility, Governance, and Autonomous Remediation, sponsored by Abnormal AI, Constella Intelligence, Enzoic, NinjaOne, and Silverfort.

What’s the big idea underlying this research? IAM – identity and access management – is an established control for managing which identities can access what resources. Few organizations don’t have an IAM system in place in 2025, but even with a mature IAM system, organizations continue to suffer from identity-led and identity-implicated attacks and breaches. IAM was not designed to protect against:

  • A threat actor using credentials they compromised through a phishing attack. An IAM system will see the credential pair as valid and give access.
  • A threat actor using credentials they purchased from the dark web. Ditto.
  • A threat actor bypassing strong IAM controls like MFA through various means, including MFA bombing attacks. An IAM system can’t see whether the MFA approval is from the intended user or a malicious one.
  • A threat actor accessing data with a compromised credential because the IAM system’s entitlements are out of date: the employee validly needed that data one or two job roles ago, the access was never revoked, and the now compromised credential inherits it. An IAM system effectively shrugs its shoulders saying “looks fine to me.”
  • Malicious changes to identity configurations in order to engineer greater access than what should be allowed.
  • … and many others.

Identity-led and identity-implicated attacks are front-and-center across most cyberattacks. Snowflake – check. Colonial Pipeline – check. There’s often an identity component in 80% to 90% of breaches, depending on which study you read.

The lesson … is that IAM is no longer enough. In response to the changing and challenging threat landscape, startups and established vendors alike have been building new layers of identity protections – some to beef up underlying IAM processes directly, and some to create ways of protecting identity protections. Our report looks at identity security solutions in three groupings – visibility (think identity security posture management and the detection of compromised credentials), governance (think identity governance and administration), and autonomous remediation (think identity threat detection and response; and identity platform backup and recovery).

It’s not a light read nor a short report. It’s 25 pages of hard data and analysis. We’re all about crafting insightful research that impacts organizations, and this program is no different. We want to facilitate the discussions internally within organizations that need to happen about strengthening identity security protections and approaches. If that sounds like your bailiwick, please get a copy.

Identity security weaknesses at The Office of the Comptroller of the Currency: Some thoughts
https://ostermanresearch.com/2025/04/17/occ-email-breach-2025/
Wed, 16 Apr 2025 19:54:12 +0000

The Office of the Comptroller of the Currency (OCC), part of the US Treasury Department, recently disclosed a breach of its Microsoft 365 tenant, with 103 email accounts caught up in the compromise. After carrying out an investigation, the OCC notified the US Congress, stating the breach met the criteria for a “major information security incident.”

In recent years, organizations facing such incidents usually sheepishly say in effect, “mea culpa; now we’ll implement multi-factor authentication to prevent this type of incident in the future.” While a lack of multi-factor authentication is part of this story, it’s much more nuanced than a blanket oversight.

Key details:

  • In May 2023, hackers compromised a service account in its Microsoft 365 tenant that had administrative-level privileges.
  • Multi-factor authentication was not enabled on the breached service account.
  • Microsoft discovered the breach in early February 2025 (some 20 months later) and alerted the OCC. The discovery was based on observing unexpected behavior.
  • The OCC made an initial disclosure on February 26, 2025. At that point, the extent of the incident was noted as “an administrative account in the OCC email system” and that “a limited number of affected email accounts that have since been disabled.”
  • The OCC engaged Mandiant and CrowdStrike to investigate.
  • Over the course of the 20 months of access, the hackers appear to have leveraged their initial foothold to gain access to other Microsoft 365 mailboxes, including those of senior deputy comptrollers, international banking supervisors, and other staff. This provided access to around 150,000 emails – although “access to” is different to “they actively read.” Quantifying the latter remains under investigation.
  • On April 8, 2025, the OCC notified Congress of the incident. In its public notice of doing so, the OCC said: “The OCC discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.”

As a result of its investigation, the OCC asserts that “there is no evidence of impact on the financial sector,” (per SecurityWeek), although in its letter to Congress, the OCC said it is likely to “result in demonstrable harm to public confidence” (per Bloomberg).

What appears particularly galling about this breach is that the OCC has for years talked the talk and walked the walk on multi-factor authentication and embracing strong authentication. As a matter of policy, it has required the use of multi-factor authentication for two decades – since 2005. It has championed wider adoption of multi-factor authentication in the financial sector. For example, in an August 2022 speech to the joint meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council, the then Acting Comptroller of the Currency (Michael Hsu) said:

The first line of defense against malicious cyber actors is the implementation of strong preventative controls to protect against unauthorized access. Last August [2021], through the FFIEC, we updated our authentication guidance to highlight how the base layer security approach of multifactor authentication, or controls of equivalent strength, can significantly strengthen controls to mitigate unauthorized access to systems and data. All financial institutions should implement effective multifactor authentication controls for access to all nonpublic systems, as even basic network systems can be entry points for malicious activity.

With a policy framework of using MFA and public statements to spread that policy more broadly, why would a critical Microsoft 365 account not have MFA enabled? In its coverage of the incident, Bloomberg spoke with an ex-special counsel for enforcement at OCC. His response – “it is shocking that they did not have it [MFA] enabled for this administrative account.”

The OCC is not a client of Osterman Research. We do not have access to inside information. We can only see what is being reported in key media outlets. Our hypothesis, on the evidence we’ve seen, is that the OCC was blindsided by this incident and that it was completely unexpected. The administrative service account was overlooked or not seen by the IT and security teams when MFA controls were put in place, and the OCC did not have the optics, visibility, or reporting to highlight where its policy was not being followed – initially, or subsequently. Newer identity security solutions, especially in the identity security posture management area, could have prevented this incident at the OCC. Such solutions add an independent assessment and enforcement engine for authentication policies, highlighting, for example, where accounts – service and user – don’t have MFA enabled.

Last month we published CISO and CIO Investment Priorities for Cybersecurity in 2025, which includes a deep dive on investment priorities for identities. See pages 24-27 for more. Non-human identities (which include service accounts) get a specific call-out on page 27:

Protecting against identity attacks that seek to compromise non-human identities is the only issue across all four areas where the security priority in 2025 is higher among those not managing risks well compared to those who are. This is an unaddressed issue for too many organizations, and the warning bells are sounding.

Don’t be the next OCC.

CISO and CIO Investment Priorities for Cybersecurity in 2025 – our latest report
https://ostermanresearch.com/2025/03/11/2025report-ciso-cio-investment-priorities/
Mon, 10 Mar 2025 22:00:00 +0000

We have just published our latest report for 2025. It’s all about how CISOs and CIOs are approaching investments in cybersecurity this year. The research looks at investment priorities overall (across 24 areas), plus takes a deep dive into four focus areas. The focus areas this year are applications, cloud platforms and services, identity, and data. Feel free to get a copy if making decisions around cybersecurity strategies and investments is in your wheelhouse.

The data comes from a survey of 268 CISOs and CIOs in the United States, at organizations with more than 1,000 employees. This is the second time we’ve run this research program. The first program was run in 2023, and this program builds on and extends our earlier research.

The key takeaways from this research are:

  • Cybersecurity driven by changing threat response calculus
    Increasing prices for cybersecurity insurance, the growing use of AI in cyberattacks, software supply chain compromise, and return-to-office mandates for employees are the top trends and challenges driving how CISOs and CIOs approach cybersecurity in 2025. All force a reevaluation of how best to address current and emerging threats.
  • Cloud infrastructure security, cybersecurity talent availability, and control and ethical processing of data top the priority stack
    Out of 24 potential investment areas for cybersecurity, two thirds of organizations assigned the highest priority to cloud infrastructure, internal cybersecurity talent, and compliant data processing. They see weaknesses in their current posture that are misaligned with where they want to be and are investing the resources to do something about it.
  • Budgets continue to rise, showing resilience across economic cycles
    Almost all organizations have received a higher budget for cybersecurity over the previous two years, and most believe they could put even more budget to productive and effective use.
  • Strong risk management disciplines make a significant difference
    Organizations with higher efficacy in managing the business risks associated with key cybersecurity areas such as applications, cloud, and identities show much higher commitment to address security weaknesses and are spending accordingly. Being able to see what is and isn’t happening drives change.
  • Organizations must do the work to understand their priorities
    Investment priorities for any given organization must be set within the context of their current posture, real-world threat data, and known areas of concern (and unknown areas of weakness). This is the fundamental work that cybersecurity decision-makers and influencers must coordinate.

This research was sponsored by BIO-key International, OpenText, and Salt Security.

If your firm provides cybersecurity solutions AND you would like to spread this research to your customers and prospects, please get in contact to talk about licensing options.

Upcoming webinar: Identity security with Token
https://ostermanresearch.com/2024/12/10/upcoming-webinar-identity-security-with-token/
Mon, 09 Dec 2024 21:02:23 +0000

Token participated in our recent research on identity security – see our multi-client report at Safeguarding Identity Security: We Need to Talk about MFA. Token offers a next-generation MFA hardware device in the form of a wearable ring with a biometric reader, which is a much stronger approach to MFA than anything relying on one-time codes.

On Tuesday December 10, we will be talking with John Gunn (CEO at Token) about securing user identities. You can attend the webinar with us – How to Unlock the Future of Identity Security by Stopping Phishing and Ransomware.

The key topics for our conversation include:

  • Identity Security in Crisis: 79% of organizations have suffered from identity attacks in the last year. Discover why traditional MFA is no longer enough to stop phishing and ransomware.
  • Phishing-Resistant MFA: Learn about cutting-edge innovations like biometric and hardware token-based MFA that block even the most sophisticated attacks.
  • Real-World Solutions: Practical steps for upgrading your identity security, stopping account takeovers, and ensuring compliance with the latest standards.

We hope to see you on Tuesday December 10.

Safeguarding Identity Security: We Need to Talk about MFA (part 1)
https://ostermanresearch.com/2024/09/11/new-research-identity-security-p1/
Tue, 10 Sep 2024 19:53:04 +0000

We’ve just published a new white paper on identity security with a particular focus on strengthening MFA – you can get a copy from our portfolio (registration required, FYI). Getting this research done and across the line has been a dream for a long time. Well, about a year in its direct planning, but that builds on a research interest that spans more than half a decade.

MFA is a critical security defense. We encourage everyone to use it, and to use the strongest versions of it that they can, as often as they can, in as many places as they can. There are multiple “however” statements about MFA, though, such as “not all forms of MFA are created equal” and “MFA bypass has become a thing.” Here’s a paragraph re MFA from one of our reports in March 2021:

MFA was rated as the most effective mitigation against both phishing and ransomware in our research. Without MFA protections in place, phishing attacks that result in credential compromise hand a threat actor the key to the door. It is an open invitation to walk in, take whatever they want, and stay or leave at their whim. MFA increases the difficulty level in successfully leveraging compromised credentials, because a compromised username and password are no longer enough on their own. It is similar to having an alarm system just inside the door, a guard dog patrolling the premises, or a security guard performing additional checks on whomever walks in the door. In the same way that there are options for how physical premises are safeguarded beyond a lock, there are options for MFA too …

The report then talks about phone and email-based MFA, authenticator apps, and hardware security keys and biometrics – commenting on strengths and weaknesses of the respective approaches.

Almost a year earlier we’d said this in our report on Cybersecurity in Financial Services (April 2020):

Approaches for MFA are available on a good-better-best continuum, with good (SMS code, email notification) and better (Authenticator app) approaches still being vulnerable to carefully designed phishing attacks. At present, the best approach, which ideally would be provisioned for all employees who have access to sensitive data, is to use modern hardware security keys based on FIDO2/WebAuthn that use public-key cryptography.

There’s a very similar paragraph in our Cybersecurity in Government report (December 2019), too.

Net-net: this has been on our radar for a long time, and the purpose of the new research was to dive as deeply as possible into where organizations are at with MFA and identity security. The current research went through several design concepts before we found the right shape and format. More on that later.

Identity security news – September 6
https://ostermanresearch.com/2024/09/07/20240906news/
Fri, 06 Sep 2024 17:56:36 +0000

Some recent news articles of interest on identity security …

Cisco Talos on frequency of MFA attacks in 2024

During the first quarter of 2024, Cisco Talos’s incident response teams saw MFA attacks in almost half of all security incidents they worked on, with fraudulent MFA push notifications in one quarter of attacks.

Using another data set from Cisco Duo deployments, Cisco also said that many MFA push notification attacks are timed for pre-work hours (e.g., 8-9am) in the hope that distracted workers will let something slip through.

See Cybersecurity Dive.

Design flaw in Microsoft Authenticator

Microsoft Authenticator, an app for safeguarding accounts with time-based tokens for MFA, has a long-standing design flaw that Microsoft doesn’t seem keen to fix. When a user scans a QR code to add a new account, but their user name is the same as one that already exists in the app, Authenticator will overwrite the most recent one. Oops. The user may not realize their loss until some time later, at which point they are most likely to blame the issuer of the code, not Authenticator. This flaw does not apply to Microsoft-issued codes.

See CSO Online.
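The overwrite described above comes down to what an authenticator app treats as the identity of a stored token. The following added example (written for this page; it is not Microsoft’s code and makes no claim about how Authenticator is implemented internally) parses the otpauth:// Key Uri Format that QR enrolment codes carry, then contrasts a store keyed on the user name alone, which silently replaces an existing entry, with one keyed on issuer plus account that keeps both and refuses exact duplicates. The two QR payloads, the issuer names and the secrets are constructed sample values.

```python
"""Added example: how the entry key chosen by an authenticator app decides
whether scanning a second QR code for the same user name silently replaces an
existing token. Not from the article and not Microsoft's implementation."""
from urllib.parse import urlparse, parse_qs, unquote


def parse_otpauth(uri):
    """Parse a Key Uri Format string (otpauth://TYPE/LABEL?PARAMS) into a dict.

    LABEL is "Issuer:account" or just "account". When the issuer query
    parameter is present it takes precedence over the label prefix.
    """
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    label = unquote(p.path.lstrip("/"))
    label_issuer, sep, account = label.partition(":")
    if not sep:  # no "Issuer:" prefix in the label
        label_issuer, account = "", label
    params = {k: v[0] for k, v in parse_qs(p.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    return {
        "type": p.netloc,
        "issuer": params.get("issuer", label_issuer).strip(),
        "account": account.strip(),
        "secret": params["secret"],
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def key_by_account(entry):
    """The failure mode described above: only the user name identifies an entry."""
    return entry["account"].lower()


def key_by_issuer_and_account(entry):
    """Safer key: the same user name at two different issuers is two entries."""
    return (entry["issuer"].lower(), entry["account"].lower())


class TokenStore:
    """Minimal in-memory token list standing in for an authenticator's storage."""

    def __init__(self, key_fn, overwrite):
        self.key_fn = key_fn
        self.overwrite = overwrite  # True reproduces the silent-replace behaviour
        self.entries = {}

    def add(self, uri):
        """Store the token. With overwrite disabled, a key collision returns
        False instead of replacing the existing entry, so the user sees it."""
        entry = parse_otpauth(uri)
        key = self.key_fn(entry)
        if key in self.entries and not self.overwrite:
            return False
        self.entries[key] = entry
        return True

    def issuers(self):
        return sorted(e["issuer"] for e in self.entries.values())


# Constructed sample QR payloads (not real secrets): two unrelated services,
# same user name, scanned one after the other.
BANK_QR = ("otpauth://totp/ExampleBank:alice%40example.com"
           "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleBank")
SHOP_QR = ("otpauth://totp/ExampleShop:alice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQ&issuer=ExampleShop")


def enrol_both(key_fn, overwrite):
    """Scan both codes into a fresh store and report which issuers survive."""
    store = TokenStore(key_fn, overwrite)
    store.add(BANK_QR)
    store.add(SHOP_QR)
    return store.issuers()


if __name__ == "__main__":
    print("account-only key, overwrite:", enrol_both(key_by_account, True))
    print("issuer+account key, no overwrite:",
          enrol_both(key_by_issuer_and_account, False))
```

With the account-only key the bank token is gone after the second scan, and the user only finds out at their next login. Keying on issuer and account keeps both, and refusing (rather than replacing) an exact duplicate is what lets the user notice a re-enrolment before the old token is lost.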

OTP Agency founders plead guilty to charges

The three founders of the OTP Agency in the United Kingdom, a service that enabled the theft of one-time codes used for authentication, pleaded guilty to charges of making and supplying articles for use in fraud and money laundering. When the OTP Agency was operational, it sold a weekly subscription for bypassing multi-factor authentication safeguards and had around 2,200 members on its Telegram group.

See Forbes.

Notes on our discussion with LightBeam – the RSAC2024 files
https://ostermanresearch.com/2024/06/13/rsac2024-lightbeam/
Thu, 13 Jun 2024 04:55:42 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Priyadarshi (PD) Prasad (co-founder and CPO), Himanshu Shukla (co-founder and CEO), and Jimmy Phipps (Regional VP of Sales, East) of LightBeam. The briefing was organized by the LightBeam team.

Key takeaways from the briefing:

  • LightBeam was founded in 2020. Its co-founders worked at Nutanix before starting LightBeam together. The company recently had an oversubscribed Series A funding round which netted $17.8 million for expanding go-to-market initiatives and continued investment in building out the product.
  • LightBeam is focused on shining light on / discovering / making visible the sensitive data held within organizations. In our research programs, lack of awareness of what data exists is a common theme (e.g., see Figure 16 in our report Privacy Compliance in North America: Status and Progress in 2023), so this is a massive area of concern in a world increasingly shaped by data privacy and data protection regulations.
  • LightBeam sees data security, privacy, and governance as a coherent / unified play, not a disconnected one. Its platform addresses all three areas in a unified way, which means that organizations have the opportunity to reduce the number of disparate systems for each of these areas. For example, when sensitive data is found (discovered), the platform also includes compensating controls to address data security risks, such as redaction and anonymization. For authorized individuals, redaction can be temporarily reversed on demand.
  • The LightBeam product is offered as an on-premises or private cloud solution, not a public cloud service. This is important within highly regulated industries, such as financial services and healthcare, that want control over where their data is stored, indexed, analyzed, processed, etc. Many of LightBeam’s current clients are in these and related industries, and the company has seen nearly 300% growth over the past year in customers led by these industries.
  • LightBeam includes capabilities for customers / consumers to initiate a data subject access request (DSAR) from a portal. LightBeam pulls together the requested data, based on its previous data discovery for any given person, using entity matching and correlation to differentiate between individuals. The DSAR is completed using automation, not manual effort, and is therefore both less costly to perform and much more responsive to consumer requests.
  • Another automation enabled by LightBeam is reporting on who has access to sensitive data in any given system. This helps with ensuring access rights are correctly defined and implemented, and trimming access rights wherever possible to reduce inadvertent data leaks.
  • LightBeam’s first use case is for the detection of sensitive data. Building on this base are additional use cases, such as the detection of intellectual property – and the establishment of appropriate controls to stop malicious and unauthorized access. The business value, therefore, is measured as the value of the reduction of data breaches due to proactive corrective action flowing from deep visibility.

For more, see LightBeam.

Notes on our briefing with Cayosoft – the RSAC2024 files
https://ostermanresearch.com/2024/05/20/rsac2024-cayosoft/
Mon, 20 May 2024 04:24:22 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Bob Bobel (CEO and founder) and Dmitry Sotnikov (Chief Product Officer) at Cayosoft. The briefing was organized by Jacob Manchester of Scratch Marketing + Media.

Our notes:

  • Bob Bobel has a background in Active Directory and Microsoft Exchange, through stints at Quest, Dell, NetWrix, and others.
  • Cayosoft offers tools for managing Active Directory and other Microsoft tools (e.g., Exchange, SharePoint, Teams). With many organizations moving to a hybrid / multi-cloud posture, tools for managing Active Directory are essential. Enterprises have felt left out as Microsoft diverted its attention to the cloud and cloud identity, e.g., Azure AD / Entra ID.
  • To safeguard an Active Directory deployment, one of Cayosoft’s tools enables customers to create a daily snapshot of their AD forest for use if/when recovery is needed. This is created as a fully-functional standby AD forest in Azure. This is called Guardian Forest Recovery.
  • If Active Directory is compromised by human error, technical malfunction, or a cyberattack, the latest snapshot of their AD forest enables fast recovery.
  • Cayosoft talks about “instant” recovery. This seems to be 10-15 minutes, which while not “instant,” is MUCH faster than the multiple days or weeks it would otherwise take to recreate a corrupted or compromised AD without such tools.
  • Guardian Forest Recovery also continually monitors for changes in AD / Azure AD. This visibility and oversight enables rollback of accidental and malicious changes.
  • A customer using Cayosoft tools but not its AD forest recovery offering ran a proof-of-concept with the AD forest recovery solution but hadn’t decided whether to purchase the solution. A month later, something happened (it wasn’t a ransomware attack) which resulted in all group memberships for 5,000 employees being wiped out. Because the proof-of-concept was still running, they were able to use the standby AD forest in Azure to roll back all group memberships within an hour. And they signed up for ongoing use, too.
  • Guardian Forest Recovery is one of the solutions available from Cayosoft to add resiliency to Microsoft-centric identity environments. 

For more, see Cayosoft.

And so it begins … the deepfake meeting scams
https://ostermanresearch.com/2024/02/10/deepfake-meeting-scams/
Fri, 09 Feb 2024 18:37:48 +0000

The New Zealand Herald covered the story of a deepfake meeting scam attempt against Zuru in November 2023, which [1] featured a deepfake of the CEO attempting to get the CFO to transfer money, but [2] was less than optimal since while the deepfake video presented a perfect rendition of the CEO, the “AI wasn’t sophisticated enough for a real-time voice exchange.” The deepfake CEO reverted to a text exchange (by the sounds of it, either a chat session during the Teams meeting or a WhatsApp message exchange), but since the language used during that exchange deviated from the language patterns of the actual CEO, the CFO saw through the fraud attempt.

We’ve come a long way in three months, apparently, since a successful and costly incident happened a couple of weeks back that seamlessly merged video and voice of multiple deepfakes in an online meeting to trick a finance employee into transferring a large sum of money. This happened at the Hong Kong office of an unnamed multinational company, resulted in losses of US$25.6 million, and saw the scammers “convincingly replicat[ing] the appearances and voices of targeted individuals using publicly available video and audio footage.”

A couple of thoughts on the above:

  1. There is speculation in the comments section of the ArsTechnica article that the finance employee in Hong Kong was complicit. Yes, that’s possible, but voicing such speculations is fraught with danger, because irrespective of whether it proves to be true or false, such actions have smeared many an individual and resulted in some taking their own life out of a sense of public shaming. If the Hong Kong employee was duped, he or she should be supported, not shamed. It points to a significant area of weakness in organizational processes and systems that the multinational company will need to address, along with everyone else.
  2. Requests for secret transfers of money to new bank accounts should be an immediate red flag, irrespective of the person asking for this to happen. For any organization that doesn’t have a policy on this type of request, along with a strong authorization process that applies in such cases, fraud and other types of questionable behavior will only continue to succeed.
  3. From a tech perspective, this highlights the need for using authorized apps only, enforcing strong identity security controls, and recording and archiving online meeting content for subsequent review.
Verizon’s DBIR 2023 – 74% of breaches include the human element
https://ostermanresearch.com/2023/10/03/vdbir2023/
Tue, 03 Oct 2023 04:00:15 +0000

While we publish multiple research reports every year, we value the insights of other players in our and adjacent market spaces via the reports they publish that we have absolutely nothing to do with. One of those is Verizon’s annual Data Breach Investigations Report (DBIR), published this year in June. Get yourself a copy and also watch the webinar on the report that we participated in with IRONSCALES.

One of the findings from this year’s DBIR that made Verizon’s top three highlights is that 74% of breaches involve the human element, which includes social engineering attacks, errors or misuse. A search for the phrase “human element” in the report returns hits on three pages:

Page 8 – an expanded version of the highlight above, with the additional context after the comma saying “with people being involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering.”

Page 14 – an explanation of the “social” action category, defined as “employ[ing] deception, manipulation, intimidation, etc., to exploit the human element, or users, of information assets.” There’s also a definition of the Error category (“incorrectly or inadvertently”) and Misuse (“any purpose or manner contrary to that which was intended”).

Page 34 – on the final page of the four-page deep dive into social engineering incidents (pages 31-34), there’s this line – “Due to the strong human element associated with this pattern, many of the controls pertain to helping users detect and report attacks as well as protecting their user accounts in the event that they fall victim to a phishing lure.”

What does this mean for organizations?

1. Having controls in place to protect your users from compromise is essential. Creating opportunities for manipulating human weakness is the most common pathway by which external threat actors score a successful breach. Many of the controls listed on page 34 link to strong identity security solutions and processes.

2. The DBIR says there were 1,700 social engineering incidents in this year’s data set (page 31), 928 of which had confirmed data disclosure (breaches). That’s a breach rate of 54.5% (my data analysis). That means 45.5% of attempted incidents did not lead to successful breaches … hopefully because of the strength of detection and prevention solutions deployed at organizations. Improvement is needed here.

3. By contrast, the DBIR says there were 602 miscellaneous errors (misdelivery, misconfiguration, publishing errors) caused by insiders (in 99% of cases), 512 of which had confirmed data disclosure. See page 40. That’s a breach rate of 85.0% (my data analysis) – significantly higher than the social engineering type driven by external threat actors. By implication, controls to detect and prevent such incidents and breaches are significantly less effective than for the social engineering type. Even more improvement is needed here.
