At least one password hash was successfully cracked in 46% of environments, according to a study released Aug. 11 by Picus Security.The study also found that data exfiltration attempts were only stopped 3% of the time, down from 9% in 2024.These trends combined show how quickly a single compromised credential can open the door to lateral movement and large-scale data theft. With infostealer malware tripling in prevalence and attackers increasingly bypassing defenses using valid logins, the Picus researchers said organizations face escalating risk from persistent and nearly invisible threats.“We must operate under the assumption that adversaries already have access,” said Süleyman Ozarslan, co-founder of Picus Security and vice president of Picus Labs. “An ‘assume breach’ mindset pushes organizations to detect the misuse of valid credentials faster, contain threats quickly and limit lateral movement — which requires continuous validation of identity controls and stronger behavioral detection.”Darren Guccione, co-founder and CEO at Keeper Security, said the Picus Security report offers strong evidence that poor credential hygiene remains a persistent and deeply entrenched weakness in organizational cybersecurity. Guccione said the data suggests both attacker capability and organizational vulnerability are moving in the wrong direction.“The corresponding drop in the success rate of stopping data exfiltration attempts points to gaps not just at the perimeter, but in lateral movement detection and response,” said Guccione. “Protecting identity today requires an organizational shift towards a zero-trust mindset, continuous validation and proactive mitigation of credential-related risk. Failure to do so by organizations will put them at risk.”Jason Soroko, senior fellow at Sectigo, said the next frontier of identity security is about code that acts with human level autonomy. Soroko said identity sprawl now pivots on configuration changes rather than deliberate policy, with Entra service principals and GitHub personal accounts turning into unexpected bridges for lateral movement.“This shifts defenders from chasing users toward continuously mapping machine-to-machine handshakes that form without direct human intent,” said Soroko.Soroko added that Agentic AI will soon generate infrastructure in seconds and every line of that automation will plant new secrets that age faster than governance can keep up."Vendors that still treat secrets management as a developer convenience risk becoming irrelevant once privilege intelligence becomes the default telemetry for risk scoring," said Soroko.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds