Identity Attacks: The Silent Killer of UK SMBs (And How to Thwart Them)


When you think of a cyberattack, you might picture ransomware, phishing emails, or even hackers “breaking in” to your systems. But increasingly, attackers don’t need to smash down the door; they just log in.

Identity-based attacks, where malicious actors use stolen, spoofed or default / hard-coded credentials to impersonate legitimate users and services, have become the primary method of compromise for small and medium-sized businesses (SMBs) across the UK.

Why? Because it works, and the ROI is usually significantly better for an attacker than a complex technical siege of your estate.

In this post, we’ll break down how identity attacks happen, why they’re so devastating, and what affordable steps your business can take to stop them in their tracks.


What Are Identity Attacks?

Identity attacks are cyberattacks that focus on compromising accounts, often by stealing or abusing credentials, API tokens, or session cookies.

The most common types include:

  • Credential stuffing: Using stolen credentials (often from previous breaches) to try logging in to other accounts where the same password was reused.
  • Phishing: Tricking users into giving away login details or approving malicious MFA prompts.
  • Password spraying: Attempting a few common passwords across many accounts to avoid lockouts.
  • Session hijacking: Stealing active login sessions via malware, browser exploits, or man-in-the-middle attacks.

According to the Verizon 2024 Data Breach Investigations Report, over 60% of breaches involve stolen or weak credentials, and SMBs are hit the hardest.


What Makes Identity Attacks So Dangerous?

  • They bypass traditional defences: Firewalls and antivirus won’t help if the attacker is logging in like a normal user.
  • They escalate silently: Very few businesses have a solid grasp of what their ‘normal user’ baseline looks like, so the first odd user events are rarely recognised early as the significant compromise they are. They are usually only identified later, once multiple bad actions further along the attack lifecycle have been correlated.
  • They exploit trust: A compromised account can send realistic emails to trick suppliers, partners, and employees.

How to Thwart Identity Attacks – A Practical Guide

Here’s how to defend your business, even with limited time or budget:

1. Enforce Strong Multi-Factor Authentication (MFA)

If you only do one thing, do this.

  • Require MFA for all users, especially for email, VPN, admin panels, and cloud apps.
  • Avoid SMS-based MFA (vulnerable to SIM swapping). Use:
    • App-based authenticators (e.g. Microsoft Authenticator, Google Authenticator)
    • FIDO2 tokens (e.g. YubiKey) for high-value users

Microsoft states that MFA blocks 99.9% of automated account attacks.


2. Implement Identity Threat Detection and Response (ITDR)

Use tools that alert you to unusual login behaviour:

  • Impossible travel (logins from London and Tokyo minutes apart)
  • Unusual device logins
  • First-time logins from new countries (chain this with the unusual-device check above to separate actual attacks from the inevitable cases of staff working abroad without following the process)
  • Logins outside working hours
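As an added example (not code from the original post or from any particular ITDR product), here are the four checks above run over a few constructed sign-in events, including the chaining of the new-country and unusual-device checks. The event format, the per-user baselines, the working hours and the 900 km/h travel threshold are all assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
# Constructed sample sign-in events (not real log data); lat/lon are approximate city centres.
SIGNINS = [
    {"user": "alice", "ts": "2024-05-01T09:02:00", "country": "GB",
     "lat": 51.5074, "lon": -0.1278, "device": "LAPTOP-01"},
    {"user": "alice", "ts": "2024-05-01T09:20:00", "country": "JP",
     "lat": 35.6762, "lon": 139.6503, "device": "UNKNOWN-7F"},
    {"user": "alice", "ts": "2024-05-01T23:30:00", "country": "GB",
     "lat": 51.5074, "lon": -0.1278, "device": "LAPTOP-01"},
    {"user": "bob", "ts": "2024-05-01T10:15:00", "country": "ES",
     "lat": 40.4168, "lon": -3.7038, "device": "LAPTOP-02"},
]
# Static per-user baselines (assumed; in practice built from MDM enrolment and sign-in history).
KNOWN_DEVICES = {"alice": {"LAPTOP-01"}, "bob": {"LAPTOP-02"}}
SEEN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}}
WORK_HOURS = (7, 19)    # 07:00-19:00 local counts as working hours
MAX_SPEED_KMH = 900.0   # faster than an airliner means one person cannot have done both logins

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(signins, known_devices, seen_countries):
    """Return (user, timestamp, detection, severity) tuples for suspicious sign-ins."""
    alerts, last = [], {}
    for ev in sorted(signins, key=lambda e: e["ts"]):
        user, t = ev["user"], datetime.fromisoformat(ev["ts"])
        new_device = ev["device"] not in known_devices.get(user, set())
        new_country = ev["country"] not in seen_countries.get(user, set())
        if new_device:
            alerts.append((user, ev["ts"], "unusual_device", "medium"))
        if new_country:
            # Chain the checks: a new country on a known device is usually travel,
            # a new country on an unknown device is far more likely an attacker.
            alerts.append((user, ev["ts"], "new_country", "high" if new_device else "low"))
        if not (WORK_HOURS[0] <= t.hour < WORK_HOURS[1]):
            alerts.append((user, ev["ts"], "outside_hours", "low"))
        prev = last.get(user)
        if prev:  # compare with this user's previous sign-in for impossible travel
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (t - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append((user, ev["ts"], "impossible_travel", "high"))
        last[user] = ev
    return alerts
```

Alice’s London-to-Tokyo pair 18 minutes apart is flagged as impossible travel on an unknown device, while Bob’s first login from Spain on his usual laptop only produces a low-severity note to follow up.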

3. Adopt a Least Privilege Model

Don’t give every user admin rights or broad system access.

  • Review user roles regularly
  • Limit access based on actual job function
  • Use just-in-time access tools for temporary admin tasks

This minimises damage if a single identity is compromised.


4. Audit and Harden Third-Party Integrations

Many identity attacks target connected services.

  • Review which third-party apps have access to your systems
  • Remove unused API tokens and OAuth authorisations
  • Use IP allowlisting and logging for external access

5. Monitor and Secure Email Channels

Business Email Compromise is one of the most financially damaging forms of identity abuse.

  • Deploy SPF, DKIM, and DMARC correctly
  • Use email security gateways (e.g. Mimecast, Proofpoint, or Microsoft Defender for Office 365)
  • Enable out-of-band multi-step confirmation for financial approvals
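“Correctly” is doing a lot of work in the SPF/DMARC bullet above, so here is an added example (not code from the original post) that lints a domain’s SPF and DMARC TXT records and flags the usual mistakes, shown against a constructed weak record set and a hardened one. The domain names, records and thresholds are assumptions; DKIM is not checked here because it needs the selector records.

```python
import re
# Constructed TXT records for a hypothetical domain. WEAK is a common starting state;
# HARDENED is what "deployed correctly" looks like for a domain that wants reports and
# has no legitimate mail from subdomains.
WEAK = {"spf": "v=spf1 include:_spf.mailer.invalid ?all",
        "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 include:_spf.mailer.invalid -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; "
                     "rua=mailto:dmarc@example.invalid; adkim=s; aspf=s"}

def parse_tags(record):
    """Split 'k=v; k=v' DMARC syntax into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(spf):
    if not spf.lower().startswith("v=spf1"):
        return ["SPF: record missing or not v=spf1"]
    findings, mechs = [], spf.split()[1:]
    final = mechs[-1] if mechs else ""
    if final in ("all", "+all", "?all"):
        findings.append("SPF: '%s' lets any sender pass; use '-all' (or '~all' while testing)" % final)
    # RFC 7208 caps DNS-querying mechanisms at 10; more than that is a permerror.
    lookups = sum(1 for m in mechs if re.match(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", m))
    if lookups > 10:
        findings.append("SPF: %d DNS-lookup mechanisms exceeds the limit of 10" % lookups)
    return findings

def dmarc_findings(dmarc):
    t = parse_tags(dmarc)
    if t.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed"]
    findings = []
    if t.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
    if t.get("sp", t.get("p", "none")) == "none":  # sp defaults to p
        findings.append("DMARC: subdomains are unprotected (sp=none)")
    if int(t.get("pct", "100")) < 100:
        findings.append("DMARC: pct=%s applies the policy to only part of your mail" % t["pct"])
    if "rua" not in t:
        findings.append("DMARC: no rua= address, so you will never see who is spoofing you")
    return findings

def audit(records):
    return spf_findings(records["spf"]) + dmarc_findings(records["dmarc"])
```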

6. Train Staff with Realistic Simulations

People are your first line of defence, and your weakest link.

  • Run phishing simulations regularly, but don’t just spam staff: educate them. Walk them through what you sent and where they went wrong, explain why you did it and which real-world lure you were imitating, and show how minor variations of the same lure could be used against them.
  • Teach staff to:
    • Verify email requests for bank changes, invoices, or requests for personal sensitive data or credential / MFA resets. Implement ‘call back’ against known trusted contact numbers for greater validation.
    • Recognise fake MFA prompts (and show them how to report them)
    • Report suspicious login alerts or emails (show them how, don’t just say ‘report it’)

7. Use a Password Manager

Reused passwords are a goldmine for attackers.

  • Deploy business-grade password managers
  • Enforce unique, strong passwords for every login
  • Educate staff on credential hygiene
  • Sign up to password breach services

8. Use Conditional Access Policies (Where Available)

Block access unless certain conditions are met, e.g.:

  • User is in the UK
  • Device is a fully managed corporate device
  • App is verified

9. Intelligence and awareness

Implement threat intelligence activities.

  • What third-party compromises might have included external access to your estate?
  • What phishing / spam are your users likely to see an increase of?
  • What popular sites / services have been breached? Could your staff have had personal accounts there using the same or similar credentials? Could they be pressured or coerced into becoming an insider threat?

The Clear Path Security Advantage

Our fractional security packages are built specifically for UK SMBs who need protection against real-world identity threats but don’t have the budget or staff to build an internal SOC.

We help you:

  • Audit and secure identity systems (Microsoft, Google, etc.)
  • Roll out MFA and conditional access
  • Run phishing tests and staff awareness training
  • Build an identity-first security roadmap

All delivered through a low-cost, no-fuss monthly subscription model, without long-term contracts or complex exit clauses.


Final Thoughts

Cybersecurity isn’t just about firewalls anymore. Today, your identity is the new perimeter.

Attackers don’t need to break in if they can log in. Protecting user accounts, credentials, and sessions is the frontline of modern security, and it’s especially critical for UK SMBs operating in an increasingly digital world.

You don’t need a massive budget. You just need the right strategy.
