Strengthen Identity & Access: Why Attackers Log In Instead of Hack In — and What Irish Businesses Must Do Now

NCSC Cyber Resilience Series • Step 5 of 12

If your April vulnerability assessment was thorough, identity-related findings sat near the top: overprivileged accounts, gaps in MFA coverage, stale credentials that nobody has rotated in years, service accounts with domain-level permissions nobody remembers creating. That’s not a coincidence.

Attackers have known for years that the easiest route into a network is through a valid username and password — not through an elaborate zero-day exploit. In 2026, the data confirms it at a scale that should concentrate minds in every boardroom and IT team in Ireland.

This month’s step in our NCSC-aligned resilience series focuses on one of the most effective, highest-return areas of cyber security: governing who gets access to what, and making sure that’s enforced, documented, and reviewed.

The Numbers: Why Identity Is Where Attacks Start

Before diving into what to fix, it’s worth understanding the scale of the problem. The figures below come from the most credible, independently verified sources available in 2025–2026.

22%

of all breaches in 2025 began with credential abuse — the single most common initial access vector across 22,052 incidents and 12,195 confirmed breaches.

Verizon Data Breach Investigations Report 2025

88%

of Basic Web Application attacks involved stolen credentials. Attackers aren’t hacking in — they’re logging in with credentials they already have.

Verizon DBIR 2025

~34%

of small businesses (26–100 employees) enforce MFA — while large enterprises adopt it at 87%. Smaller organisations remain the weakest link in any supply chain.

JumpCloud 2024 IT Trends Report; Cyber Readiness Institute 2024 Global MFA Survey

292 days

mean time to identify and contain a breach caused by compromised credentials — the longest of any attack vector, and nearly 10 months of exposure.

IBM Cost of a Data Breach Report 2024

The compliance dimension

IAM was named the most frequently required control to qualify for cyber insurance — ahead of endpoint detection, vulnerability scanning, and incident response. For Irish organisations under NIS2, NCSC Ireland’s Risk Management Measures are explicit: Measure 9 requires access control policies and asset management; Measure 10 requires multi-factor authentication — both mandatory for essential and important entities.

Five Identity Priorities for May — Where to Focus First

Not all identity work has equal return. These five areas consistently deliver the highest risk reduction for Irish organisations, based on Newtec’s experience running IAM programmes across the SMB and mid-market.

01 — MFA: Cover Every Access Point, Not Just Email

MFA is the single highest-return identity control available today. The problem is coverage. Most organisations have MFA on Microsoft 365 and consider the job done. Your April assessment will have revealed whether it’s enforced on VPN access, cloud consoles, privileged admin accounts, remote desktop, and third-party SaaS tools.

Every uncovered access point is one valid credential away from a breach. Standard push-notification MFA can be bypassed using adversary-in-the-middle techniques — for privileged accounts, phishing-resistant MFA (FIDO2/passkeys, hardware keys) is the correct standard.

02 — Privileged Account Review

Domain admins, local admins, service accounts with elevated rights, break-glass accounts created for an incident and never decommissioned. NCSC Ireland’s Risk Management Measures explicitly require access control policies and asset management — least privilege and regular access review are the stated baseline expectation.

Document this review. Most organisations find accounts in this process they didn’t know existed. Regulators and cyber insurers will ask for the paper trail.

03 — Stale and Orphaned Accounts

Employees leave. Contractors finish. Systems get decommissioned. The accounts don’t always follow. Run a full review of every account inactive for 90 days or more. Disable before deleting — confirm nothing breaks, then remove. Orphaned accounts with elevated rights are a consistently exploited attack path.

04 — Service Accounts and Non-Human Identities

Service accounts, API tokens, automation credentials, and system-to-system integrations are often configured with broad permissions, shared credentials, and no rotation policy. This is the area most organisations underestimate — and the one attackers exploit most efficiently.

Audit every service account: what does it need access to, does it have more than that, when were credentials last rotated, and who owns it?

05 — Active Directory Health

For most Irish organisations running Microsoft environments, Active Directory is the backbone of identity. Common weaknesses: Kerberoastable accounts (service accounts with SPNs and weak passwords crackable offline), accounts with ‘password never expires’ set, excessive group membership, and legacy authentication protocols (NTLM) still enabled.

An AD health assessment is a contained, focused piece of work that produces a prioritised remediation list. It’s one of the highest-value engagements available for a Microsoft environment.

The 4-Phase IAM Framework: A Practical Approach for Irish Businesses

This is not an overnight transformation. It’s a methodical programme that builds durable governance — not a one-time project.

PHASE 1

Inventory All Identities

Human accounts, service accounts, API tokens, automation credentials, and external identities (contractors, MSPs, integrations). You cannot govern what you haven’t catalogued. Build the inventory first.

PHASE 2

Apply Least Privilege

Review what each identity actually needs versus what it has. Remove excess permissions. Document every exception with a business justification and a review date — regulators and insurers will ask for this.

PHASE 3

Enforce MFA Universally

Not just email and VPN — cloud consoles, admin portals, privileged access workstations, remote desktop, and every external-facing application. Phishing-resistant MFA (FIDO2/passkeys) for privileged accounts.

PHASE 4

Establish Recurring Access Reviews

A quarterly process, documented, assigned to an owner, with evidence of completion. NCSC Ireland’s RMM Measure 9 and NIS2 Article 21 both require organisations to manage and evidence access governance — a recurring review is how you demonstrate that to Irish regulators and cyber insurers.

5 IAM Mistakes That Leave You Exposed

These are the failure modes Newtec sees most frequently across Irish organisations. Each one creates a gap that is well documented in attack post-mortems.

  • MFA on email only. Treating Microsoft 365 MFA as full coverage while VPN, cloud consoles, and admin portals remain unprotected. Each uncovered access point is a valid credential away from environment compromise.
  • No service account inventory. You cannot govern what you haven’t catalogued. Ungoverned service accounts — particularly those with domain-level permissions that were never scoped down — are a persistent exploited gap.
  • Access reviews as a one-time event. A review done at implementation doesn’t reflect an environment that changes every week. Without a recurring process, access creep is guaranteed.
  • Removing MFA for difficult users. Security exemptions for senior executives or remote workers create the highest-value targets in your environment — exactly the accounts attackers prioritise.
  • Ignoring legacy authentication. NTLM, basic auth, and other legacy protocols bypass modern MFA entirely. Disabling them is one of the highest-value remediations available for a Microsoft environment.

⚠️ NIS2 & Compliance Note

NIS2 Article 21 requires organisations to implement access control policies and asset management. NCSC Ireland’s Risk Management Measures (published June 2025) translate this into Irish practice: Measure 9 mandates access control policies and asset management; Measure 10 mandates multi-factor authentication. Both are minimum requirements for essential and important entities, and both require documented evidence — not just technical enforcement. Ireland remains subject to EU infringement proceedings for late NIS2 transposition as of early 2026. The obligation exists regardless of the domestic legislative timeline.

What ‘Good’ Looks Like at the End of May

By the time you close out this month’s resilience work, your organisation should be able to answer these questions with evidence — not guesswork.

  • Is MFA enforced on every external-facing access point — not just email?
  • Have all privileged accounts been reviewed and documented in the last 90 days?
  • Is there a documented process for disabling accounts when employees or contractors leave?
  • Have service accounts been inventoried, with ownership and rotation policies assigned?
  • Have accounts inactive for 90+ days been identified and disabled?
  • Has Active Directory health been assessed and Kerberoastable accounts addressed?
  • Is there a recurring, documented access review process with an assigned owner?

NCSC Ireland’s Risk Management Measures require documented evidence of access governance — not just technical controls. A recurring quarterly review with an assigned owner is the minimum expected by Irish regulators, auditors, and increasingly by cyber insurers.

Need Help With Your Identity Programme?

Newtec works with Irish businesses to deliver MFA rollout, Active Directory hardening, privileged access reviews, and full IAM programmes — aligned to the NCSC framework and NIS2 obligations. Our engagements are scoped to your size and risk profile, not enterprise defaults.

🔒 Identity & Access Management

Full IAM programme: MFA rollout, AD hardening, privileged access review.

🔍 Penetration Testing

Includes Active Directory and identity-layer assessment.

🛡️ Threat Detection & Response

24/7/365 SOC: detects credential abuse and lateral movement in real time.

☁️ Ransomware Protection & Recovery

Multi-layer defence and tested backup recovery.

Book a Free Consultation

Dublin: (01) 531-3777  │  Limerick: (061) 708-821  │  Shannon: (061) 708-820

Get In Touch

Coming in June — Step 6: Protect Data & Privacy. With access governed, June focuses on what that access protects — your data. Classification, encryption, GDPR obligations, and the controls that prevent data leaving the organisation through authorised but abused channels.

References & Verified Sources

  1. Verizon — 2025 Data Breach Investigations Report (18th edition — 22,052 incidents, 12,195 confirmed breaches)
  2. IBM — Cost of a Data Breach Report 2024 (292-day credential breach containment figure)
  3. JumpCloud — 2024 IT Trends Report — MFA adoption by company size
  4. Cyber Readiness Institute — 2024 Global Multifactor Authentication (MFA) Survey
  5. Delinea — State of Cyber Insurance 2024 — IAM as most-required control
  6. NCSC Ireland — NIS2 Risk Management Measures (June 2025) — Measure 9: Access Control Policies; Measure 10: MFA
  7. NCSC Ireland — 2025 National Cyber Risk Assessment
  8. William Fry — NIS2 Ireland and Draft Guidance (August 2025)
  9. Newtec Services — Cyber Threats Facing Irish Businesses in 2026 (March 2026)