Access to systems and information naturally accumulates over time. Employees move between roles, suppliers are onboarded for projects, permissions are extended to meet operational requirements and not revisited. Each individual decision is usually reasonable in context; the difficulty is that the cumulative result, across an organisation and over time, is often an access environment that no longer reflects what people need, or who remains legitimately part of the organisation. Managing that is one of the more practical things an organisation can do to reduce its exposure.
Dormant accounts are a frequently overlooked risk
Accounts belonging to former employees, lapsed suppliers, or concluded projects can remain active long after they are required. Because dormant accounts are rarely used in the normal course of business, they often attract less scrutiny, while still providing a functioning route into systems and information for anyone who manages to obtain or guess the credentials. Compromised dormant accounts are a consistent feature of incident investigations precisely because they fall outside active monitoring.
Offboarding processes that promptly disable or remove accounts, and regular reviews that identify accounts with no recent activity, are among the most practical steps an organisation can take to reduce this exposure.
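The two checks described above (has a leaver's account actually been disabled, and which enabled accounts show no recent activity) are easy to automate against a directory export. The following is an added illustration, not code from the article or from Logiq: the CSV export, the 90-day dormancy threshold and the fixed review date are all constructed for the example, and a real review would read the same fields from the directory or identity provider instead.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of a directory export (not real data). In practice this
# would come from the directory or identity provider's export tool or API.
SAMPLE_EXPORT = """username,type,enabled,last_login,leaving_date
alice,employee,true,2024-05-30T08:12:00+00:00,
bob,employee,true,2024-01-10T17:45:00+00:00,2024-02-01
carol,supplier,true,2023-11-15T09:00:00+00:00,
dave,employee,true,,
erin,employee,false,2023-01-05T12:00:00+00:00,2023-02-01
svc-backup,service,true,2024-05-31T02:00:00+00:00,
"""

# Fixed review date so the output is reproducible; a real run would use
# datetime.now(timezone.utc). The 90-day threshold is an assumed policy value.
REVIEW_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)


def _parse_dt(value):
    """ISO timestamp or date -> timezone-aware datetime; empty field -> None."""
    if not value:
        return None
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def load_accounts(export_text):
    """Parse the CSV export into a list of account dicts."""
    accounts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        accounts.append({
            "username": row["username"],
            "type": row["type"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_login": _parse_dt(row["last_login"]),
            "leaving_date": _parse_dt(row["leaving_date"]),
        })
    return accounts


def review_accounts(accounts, review_date=REVIEW_DATE, dormant_after=DORMANT_AFTER):
    """Return (username, finding, detail) for enabled accounts that need action.

    The order of checks matters: a leaver whose account is still enabled is an
    offboarding failure regardless of how recently the account was used.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: no longer a route into the estate
        name = acct["username"]
        left = acct["leaving_date"]
        if left is not None and left <= review_date:
            findings.append((name, "LEAVER_STILL_ENABLED",
                             f"leaving date {left.date()} has passed"))
            continue
        last = acct["last_login"]
        if last is None:
            findings.append((name, "NEVER_USED", "enabled but has never signed in"))
        elif review_date - last > dormant_after:
            days = (review_date - last).days
            findings.append((name, "DORMANT", f"no sign-in for {days} days"))
    return findings


if __name__ == "__main__":
    for name, finding, detail in review_accounts(load_accounts(SAMPLE_EXPORT)):
        print(f"{name:<12} {finding:<22} {detail}")
```

Run against the sample, the script flags bob (left in February, still enabled), carol (a supplier account unused for over six months) and dave (provisioned but never used), while ignoring erin because that account was already disabled. Service accounts such as svc-backup usually warrant a separate threshold, since legitimate automation may sign in rarely; the example treats them like any other account for simplicity.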
Shared credentials make accountability impossible
Where multiple people use the same login, the ability to understand what happened in a given situation effectively disappears. Investigating unusual activity, identifying inappropriate behaviour, or establishing a timeline of access all depend on being able to tie actions to individual identities. Shared accounts remove that capability entirely. The inconvenience of maintaining individual accounts is usually far smaller than the operational and investigative cost of not having them.
Permissions should reflect current requirements
Users frequently retain access that was granted for temporary reasons, previous responsibilities, or systems they no longer use. Without deliberate review, permissions accumulate through operational convenience rather than through decisions anyone would consciously make today. The principle of least privilege — providing access to what is genuinely needed and removing it when circumstances change — is straightforward in theory but requires active maintenance in practice. Reviews that ask what access is needed now, rather than auditing what exists against original requests, typically produce more useful results.
MFA matters, but not all MFA is equal
Multi-factor authentication has become an important baseline control, and applying it consistently matters. This includes cloud services, collaboration platforms, remote access systems, and external supplier accounts, not just corporate desktops. Older systems, legacy accounts, and temporary or guest accounts are sometimes excluded from MFA policies, creating weaker points within otherwise well-managed environments.
The method used also matters. SMS-based codes are better than nothing but are vulnerable to SIM-swapping attacks. Authenticator apps are more resilient. Hardware security keys and passkeys are stronger still and are resistant to phishing by design. Current guidance from both the NCSC and NIST points towards phishing-resistant authentication as the more durable long-term standard. Where the choice exists, the method is worth considering alongside whether MFA is enabled at all.
External access needs the same discipline as internal access
Suppliers and contractors operating within regulated programmes often have legitimate requirements to access systems and shared environments. Managing that access well means ensuring it is proportionate to the operational requirement, that it doesn’t persist beyond the project or engagement that justified it, and that it is subject to the same review processes as internal accounts. Supply chain access is a consistent feature of incident reports and regulatory findings, not because it is inherently riskier but because it frequently receives less governance attention than internal access does.
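The three review questions raised in the sections above can be combined into one pass over an access snapshot: does each account hold more than its role needs today (least privilege), does its MFA method meet policy (coverage and method), and has an external engagement ended while the access remains (supplier access). The code below is an added example, not the article's or Logiq's own tooling; the role baseline, the access snapshot, the MFA strength ranking (which only orders the methods as the article does) and the minimum-strength policy are all constructed assumptions for the illustration.

```python
from datetime import date

# Constructed role baseline: the access each role needs *today*, which is the
# question a useful review asks. Not taken from any real organisation.
ROLE_BASELINE = {
    "finance-analyst": {"erp-read", "reporting"},
    "developer": {"source-control", "ci-pipeline", "staging-deploy"},
    "supplier-engineer": {"project-share"},
}

# Constructed snapshot of what the directory currently grants.
SNAPSHOT = [
    {"username": "alice", "role": "finance-analyst", "external": False,
     "entitlements": {"erp-read", "reporting", "erp-admin"},  # erp-admin left over from a migration
     "mfa": "authenticator-app", "engagement_end": None},
    {"username": "bob", "role": "developer", "external": False,
     "entitlements": {"source-control", "ci-pipeline"},
     "mfa": "none", "engagement_end": None},  # legacy account missed by the MFA rollout
    {"username": "carol", "role": "supplier-engineer", "external": True,
     "entitlements": {"project-share", "staging-deploy"},
     "mfa": "sms", "engagement_end": date(2024, 3, 31)},
    {"username": "dan", "role": "developer", "external": False,
     "entitlements": {"source-control", "ci-pipeline", "staging-deploy"},
     "mfa": "security-key", "engagement_end": None},
]

# Relative strength follows the article's ordering: SMS < authenticator app <
# phishing-resistant (security key or passkey). Numbers are an assumed ranking.
MFA_STRENGTH = {"none": 0, "sms": 1, "authenticator-app": 2, "security-key": 3, "passkey": 3}
MIN_MFA_STRENGTH = 2  # assumed policy: at least an authenticator app on every account


def review_access(snapshot, baseline=ROLE_BASELINE, review_date=date(2024, 6, 1),
                  min_mfa=MIN_MFA_STRENGTH):
    """Return (username, finding, detail) tuples for access that no longer fits."""
    findings = []
    for acct in snapshot:
        name = acct["username"]
        # Least privilege: compare against today's need, not the original request.
        needed = baseline.get(acct["role"], set())
        excess = acct["entitlements"] - needed
        if excess:
            findings.append((name, "EXCESS_ENTITLEMENT", sorted(excess)))
        # MFA: absent or weaker than policy, including legacy/guest accounts.
        if MFA_STRENGTH.get(acct["mfa"], 0) < min_mfa:
            findings.append((name, "MFA_BELOW_POLICY", acct["mfa"]))
        # External access: must be bounded by the engagement that justified it.
        if acct["external"]:
            end = acct["engagement_end"]
            if end is None:
                findings.append((name, "EXTERNAL_NO_END_DATE", None))
            elif end < review_date:
                findings.append((name, "EXTERNAL_ENGAGEMENT_ENDED", end.isoformat()))
    return findings


def proposed_entitlements(snapshot, baseline=ROLE_BASELINE):
    """What each account would hold if trimmed to its role's current need."""
    return {a["username"]: a["entitlements"] & baseline.get(a["role"], set())
            for a in snapshot}


if __name__ == "__main__":
    for name, finding, detail in review_access(SNAPSHOT):
        print(f"{name:<8} {finding:<26} {detail}")
```

On the sample data, alice keeps an admin role from a finished migration, bob was never enrolled in MFA, and carol combines three of the problems the article describes: an entitlement outside her role, SMS-only MFA, and an engagement that ended months ago with access still in place. dan, whose access matches his role and who uses a phishing-resistant method, produces no findings. Raising `min_mfa` to 3 shows how the same review supports a move towards phishing-resistant authentication as the policy standard.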
Good identity and access management isn’t primarily about restriction. Overly cumbersome processes and the frustrations they create frequently lead to workarounds such as shared credentials, informal access arrangements, or the bypassing of systems that create too much friction. The aim is an environment where access reflects genuine operational requirements, where accountability is clear, and where the organisation has enough visibility to understand what is happening and respond effectively when something goes wrong.
Further reading:
- NCSC – Identity and access management: https://www.ncsc.gov.uk/collection/10-steps/identity-and-access-management
- NCSC – Privileged user management: https://www.ncsc.gov.uk/collection/device-security-guidance/operational-guidance/privileged-user-management
- Logiq – Secure Authentication: Passwords, MFA and Passkeys: https://www.logiq.co.uk/insights/password-best-practices/