If you still think cyber security is mainly about stopping attackers from getting through the firewall, I’ve got some bad news: you’re looking at the problem the same way cyber criminals did 10 years ago. While attackers may still use methods like “breaking into” a network, they are much more likely to pose as someone the business already trusts.
This is exactly what makes identity security so dangerous. When somebody compromises an employee account, abuses forgotten access, or impersonates a trusted user successfully, the attack often doesn’t look suspicious at all. From the system’s perspective, it can look like completely normal behaviour.
Businesses are increasingly finding themselves exposed without realising it. Permissions build up over time. Old accounts stay active. Temporary admin access becomes permanent. And suddenly, nobody is fully confident about who can get into what anymore.
Over the years, I’ve spent a lot of time helping SMBs understand where those identity gaps exist across their environments: whether that’s around password security, excessive permissions, conditional access or broader access governance. And one thing I’ve consistently seen is that identity risk often grows quietly in the background while businesses are focused on day-to-day operations.
In this article, I’ll break down why identity has become the new perimeter in cyber security, where the biggest access risks typically appear, and the practical controls that make the biggest difference when it comes to reducing exposure.
A big shift we’ve seen in cyber security over the last few years is that identity has become the new perimeter. For a long time, businesses thought about security like a castle. You protected the network perimeter with a firewall, and if somebody was “inside” the business, they were generally trusted.
But modern businesses don’t work like that anymore. Most are now operating in cloud-first environments. People work remotely. Files sit across multiple SaaS (software-as-a-service) platforms. Staff log in from home networks, mobile devices, airports and coffee shops.
In other words, there isn’t one clear “inside” network anymore. That changes everything from a security perspective. Attackers no longer need to break through a firewall; they can simply log in as somebody your business already trusts. And in many cases, that’s much easier.
One thing I always try to explain to customers is that attackers rarely stop at simply stealing a password. A password is usually just the starting point.
Cyber criminals are incredibly good at profiling people now. They’ll use LinkedIn, social media, company websites and other publicly available information to build a digital identity of who you are, what you do, who you speak to internally and how you behave. Not to be dramatic, but we are the prey.
That’s what makes identity attacks so dangerous: they often don’t look suspicious.
During COVID, I remember getting endless fake text messages pretending to be from Royal Mail or the NHS. Most people in the UK probably experienced the same thing. And to be fair, some of them looked believable. Even my wife (who lives with me, a cyber security professional) clicked one of the links before realising something felt off.
That’s how easy it is when attackers play into urgency, trust, emotions and normal human behaviour.
Check out this article for a deeper dive into why human behaviour remains the easiest way into your business.
Going back to digital identity, once attackers compromise an account, they start to build a profile of the person behind it. They look at communication patterns, systems, permissions and relationships inside the business.
They’re trying to understand:
The uncomfortable truth is that everybody in the business is now a target.
It’s no longer just about protecting the CEO, finance director or IT manager. A receptionist, intern or dormant user account can still be a route into the wider business if governance isn’t tight enough.
In SMB environments, we still see organisations relying heavily on trust instead of visibility. Permissions get granted quickly because people need to get work done, and the tech is a bit too complicated to get into. Temporary access becomes permanent, “just in case”. Shared credentials exist because they feel convenient.
Then six months later, nobody is completely sure who still has access to what. That’s where attackers thrive.
I completely understand why businesses still depend on passwords. People want to log in quickly and get on with their day. No one necessarily wants the hassle of additional authentication prompts slowing them down.
But from what we see in the real world, password-only access is one of the biggest risks SMBs still underestimate. The problem is that humans naturally take shortcuts. We create passwords we can remember easily because they’re linked to our identity in some way. Or we slightly change old ones by adding an extra character at the end, or worse, use the same password for everything.
Here’s the problem: once one account becomes compromised somewhere online, attackers immediately start testing those credentials against business systems. That’s why password theft remains such an effective attack method.
Personally, I’m a huge advocate for passphrases rather than overly complicated passwords people will never realistically remember. If somebody creates a strong passphrase using random words and meaningful structure, they’re far more likely to remember it (and less likely to reuse poor passwords across multiple systems).
Another issue we see all the time is businesses handing out elevated permissions because it’s easier and faster in the moment. Someone may need quick access to fix a problem, or the platform is complicated, or nobody has properly reviewed permissions in over a year.
In the background, admin access starts spreading across the business. I cannot stress enough how dangerous this is because once attackers compromise an overprivileged account, the amount of damage they can cause increases exponentially.
What’s even more concerning is that many employees don’t fully understand how much access they have. I’ve seen situations where low-level users (like the receptionist) unexpectedly had permissions they never should have had in the first place.
I always say admin access should be treated with the utmost care. Not everybody needs elevated rights all the time. And if somebody does need them temporarily, that access should drop back down as soon as they no longer need admin rights.
In my opinion, some of the biggest cyber risks sit in the housekeeping nobody got around to completing. Employees leave businesses. Contractors finish projects. People move departments internally. But their access often stays behind.
These orphaned accounts are a massive issue because they’re easy to forget and difficult to spot without proper governance. It’s surprisingly common to do some digging and find former employee credentials still working months after somebody left the organisation.
Now imagine that person gets compromised somewhere else later on, and attackers realise those old credentials still work in a previous business environment.
That’s why identity security has to become operational and repeatable. One analogy I like to use when talking about identity management is: “a clean house will always expose when something’s dirty.” Put differently, if your environment is well-governed and properly maintained, suspicious activity becomes far easier to spot. But if permissions, accounts and access are already messy, it becomes almost impossible to identify new risks quickly.
If there’s one thing I’d recommend every SMB prioritise immediately, it’s multi-factor authentication (MFA). I don’t mean turning MFA on just for leadership and IT admins. I mean everybody (even the intern who will leave when the summer break is over).
MFA significantly reduces the value of stolen credentials because passwords alone are no longer enough to gain access. Yes, it can sometimes be a pain to use your biometrics and get an OTP just to open an email. But the inconvenience of MFA pales in comparison to the inconvenience of recovering from a breach.
Conditional access helps balance security with usability. It’s not just about verifying who somebody is.
It’s also about looking at:
For example, if somebody normally logs in from the UK and suddenly attempts access from India, that should immediately sound the alarm.
Conditional access allows businesses to create intelligent rules around authentication instead of blindly trusting credentials alone. It can be configured in different ways. So maybe users inside the office network get fewer prompts, while external access automatically triggers additional verification.
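To make the rules above concrete, here is an added example (not code from the original article or any vendor product) of a small conditional access evaluator: it blocks a sign-in from a country the user never normally uses, lets the office network through with no extra prompt, and demands a second factor for everything external. The office range, the users and the sign-in events are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: a trusted office range and each user's usual sign-in country.
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
USUAL_COUNTRY = {"alice@example.com": "GB", "bob@example.com": "GB"}


@dataclass
class SignIn:
    user: str
    src_ip: str
    country: str         # country resolved from src_ip by the identity provider
    mfa_satisfied: bool  # second factor already completed in this session


def evaluate(event, usual=USUAL_COUNTRY, office=OFFICE_NETWORKS):
    """Return (decision, reason); decision is allow, require_mfa or block."""
    ip = ipaddress.ip_address(event.src_ip)
    expected = usual.get(event.user)
    if expected is None:
        # An identity with no baseline never gets a silent allow.
        return "block", "no baseline for this user"
    if event.country != expected:
        # The article's example: a UK user suddenly arriving from another country.
        return "block", f"sign-in from {event.country}, usual country is {expected}"
    if any(ip in net for net in office):
        return "allow", "trusted office network, no extra prompt"
    if event.mfa_satisfied:
        return "allow", "external sign-in with second factor completed"
    return "require_mfa", "external sign-in must complete a second factor"


# Constructed sign-in events to run the policy over.
EVENTS = [
    SignIn("alice@example.com", "203.0.113.17", "GB", mfa_satisfied=False),
    SignIn("alice@example.com", "198.51.100.9", "GB", mfa_satisfied=False),
    SignIn("alice@example.com", "198.51.100.9", "GB", mfa_satisfied=True),
    SignIn("bob@example.com", "192.0.2.44", "IN", mfa_satisfied=True),
    SignIn("mallory@example.com", "192.0.2.45", "GB", mfa_satisfied=True),
]


def evaluate_all(events=EVENTS):
    return [evaluate(e)[0] for e in events]


if __name__ == "__main__":
    for e in EVENTS:
        print(e.user, e.src_ip, e.country, "->", *evaluate(e))
```

Note that the country check runs before the MFA check: a completed second factor does not rescue a sign-in that already looks wrong, which is the "sound the alarm" case the article describes.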
I’m also a big believer in privileged access management (PAM). In simple terms, PAM allows businesses to elevate permissions only when somebody genuinely needs them (rather than leaving elevated access permanently switched on).
That reduces what we call the ‘blast radius’: if someone compromises an account later, they don’t automatically inherit admin-level control over everything.
But there’s an important point people sometimes miss here: the PAM system itself becomes critical infrastructure. So while PAM strengthens security, it also means businesses need to apply even more protection around the systems controlling privileged access in the first place.
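The just-in-time elevation the article describes, as an added example (not code from the article or any PAM product): rights exist only while a time-boxed, justified grant is live, every grant is capped at a policy maximum, and expiry is recorded in the audit trail. The user names, role names and ticket references are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Grant:
    user: str
    role: str
    expires_at: datetime
    reason: str


@dataclass
class JitElevation:
    """Elevated rights exist only while a time-boxed grant is live."""
    max_duration: timedelta = timedelta(hours=2)
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # every elevation and expiry is recorded

    def elevate(self, user, role, reason, now, duration=timedelta(hours=1)):
        if not reason.strip():
            raise ValueError("a justification is required for every elevation")
        duration = min(duration, self.max_duration)  # nobody exceeds the policy window
        grant = Grant(user, role, now + duration, reason)
        self.grants.append(grant)
        self.audit.append((now, "elevate", user, role, reason))
        return grant

    def has_role(self, user, role, now):
        """True only while a live grant exists; expired grants drop off automatically."""
        self._expire(now)
        return any(g.user == user and g.role == role for g in self.grants)

    def _expire(self, now):
        for g in [g for g in self.grants if g.expires_at <= now]:
            self.audit.append((now, "expire", g.user, g.role, g.reason))
        self.grants = [g for g in self.grants if g.expires_at > now]


def demo():
    # Constructed scenario: two engineers request admin rights at 09:00.
    pam = JitElevation()
    t0 = datetime(2024, 5, 22, 9, 0)
    pam.elevate("bob@example.com", "tenant-admin", "INC-1234 reset a locked-out user", t0)
    pam.elevate("carol@example.com", "mail-admin", "INC-1235", t0, timedelta(hours=5))  # capped at 2h
    bob_live = pam.has_role("bob@example.com", "tenant-admin", t0 + timedelta(minutes=30))
    bob_later = pam.has_role("bob@example.com", "tenant-admin", t0 + timedelta(hours=1, minutes=1))
    carol_later = pam.has_role("carol@example.com", "mail-admin", t0 + timedelta(hours=2, minutes=1))
    return bob_live, bob_later, carol_later, len(pam.audit)
```

Because every decision passes through this one object, it is exactly the critical infrastructure the article warns about: whoever controls it controls who is an admin.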
When it comes to improving their cyber security posture, many businesses are operating on assumptions. They assume access is controlled properly, permissions are clean, and MFA coverage is complete.
But assumptions aren’t visible, and without visibility, businesses struggle to prove where they’re secure versus where they’re exposed.
Businesses should know things like:
Basically, identity security needs to be measurable. Because if you can’t measure those things properly, it becomes incredibly difficult to improve them consistently over time.
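Here is an added example (not code from the article) of turning the orphaned-account, universal-MFA and measurability points above into numbers: it takes a directory export and an HR list of current staff and reports orphaned accounts, stale accounts, MFA coverage, standing admins and, the most urgent finding, admins without MFA. The export and staff list are constructed; the 90-day stale threshold is an assumption.

```python
from datetime import date, timedelta

# Constructed directory export (one row per account) and HR list of current staff.
ACCOUNTS = [
    {"upn": "alice@example.com", "enabled": True, "mfa": True, "admin": False, "last_sign_in": date(2024, 5, 20)},
    {"upn": "bob@example.com", "enabled": True, "mfa": False, "admin": True, "last_sign_in": date(2024, 5, 21)},
    {"upn": "carol@example.com", "enabled": True, "mfa": True, "admin": True, "last_sign_in": date(2023, 11, 2)},
    {"upn": "svc-backup@example.com", "enabled": True, "mfa": False, "admin": True, "last_sign_in": None},
    {"upn": "dave@example.com", "enabled": False, "mfa": False, "admin": False, "last_sign_in": date(2023, 1, 5)},
]
CURRENT_STAFF = {"alice@example.com", "bob@example.com"}  # carol has left; svc-backup has no owner


def posture_report(accounts, staff, today, stale_after=timedelta(days=90)):
    """Summarise identity exposure for enabled accounts only (disabled ones cannot sign in)."""
    enabled = [a for a in accounts if a["enabled"]]

    def stale(a):
        # Never signed in counts as stale: nobody is watching that account.
        return a["last_sign_in"] is None or today - a["last_sign_in"] > stale_after

    report = {
        "orphaned": sorted(a["upn"] for a in enabled if a["upn"] not in staff),
        "stale": sorted(a["upn"] for a in enabled if stale(a)),
        "no_mfa": sorted(a["upn"] for a in enabled if not a["mfa"]),
        "standing_admins": sorted(a["upn"] for a in enabled if a["admin"]),
        "admins_without_mfa": sorted(a["upn"] for a in enabled if a["admin"] and not a["mfa"]),
    }
    with_mfa = len(enabled) - len(report["no_mfa"])
    report["mfa_coverage_pct"] = round(100.0 * with_mfa / len(enabled), 1) if enabled else 100.0
    return report


if __name__ == "__main__":
    for key, value in posture_report(ACCOUNTS, CURRENT_STAFF, date(2024, 5, 22)).items():
        print(f"{key}: {value}")
```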
This is where the HIDDEN framework becomes invaluable: it creates visibility, without any added complexity.
The good news is that improving identity security doesn’t mean ripping everything out and starting again. Oftentimes, the biggest improvements come from getting the fundamentals right: tightening access controls, improving visibility and making identity governance a repeatable process, not an afterthought.
Most businesses aren’t struggling because they’ve ignored cyber security completely. They’re struggling because access has evolved quietly over time – across cloud platforms, remote working, temporary permissions and disconnected systems – without a clear view of where the exposure sits.
Cyber criminals are already taking advantage of this by treating identity as the real perimeter. They’re targeting people, not just infrastructure. They’re looking for weak passwords, excessive permissions, forgotten accounts and opportunities to impersonate trusted users.
As somebody who works with SMBs on these challenges every day, I’ve seen how difficult it can be for businesses to separate real risk from noise (especially when teams are stretched, and security is being managed across multiple tools and platforms).
If you’re not fully confident that your business knows who has access to what right now, the first practical step is gaining visibility into where your exposure is.
Our Cyber Security Snapshot helps businesses like yours:
As we always say, you can’t fix what you can’t see.