Securing workforce identities: Strengthening the identity chain

Emily Richuso
“You are the weakest link, goodbye!” is one of those game show catchphrases that sticks in your mind, whether you’ve seen the TV show or not.
On the show, eight strangers must work together to answer trivia questions that build a chain of correct answers to increase the team’s prize. A wrong answer breaks the chain, resets the prize amount, and leads to a vote to eliminate the “weakest link.”
Just as an incorrect answer breaks the chain, cyberattacks exploit weak points in the identity chain—trusted systems and users that lack strong protection. Stolen credentials continue to be a primary factor in data breaches, appearing in almost a third (32%) of breaches last year, according to the 2025 Verizon Data Breach Investigations Report. Why? Because it’s easier to exploit human weaknesses than to bypass hardened security systems.
Attackers use tactics like phishing emails and fake websites to trick workforce identities into revealing credentials or downloading malware, and these tactics are growing more sophisticated.
For example, the 2024 Snowflake data breach affected major companies including AT&T, Santander, and Ticketmaster, impacting hundreds of millions of downstream customers. In this breach, the attackers used infostealer malware to harvest employee credentials that had not been rotated and lacked MFA—multi-factor authentication—allowing them to gain access to sensitive personal and financial records.
More recently, Marks & Spencer was breached after hackers phished employees of a third-party contractor and stole login credentials. Once they gained access with the contractor’s credentials, attackers used advanced techniques to impersonate employees and reset their passwords.
Historically, attackers focused their efforts on IT admins with direct access to servers. But data breaches like Snowflake and Marks & Spencer show that privileged access isn’t limited to IT teams. Every employee, contractor, and third-party supplier is a potential entry point if not properly secured.
What are workforce identities?
Workforce identities include employees, contractors, third parties and vendors who have access to workstations, applications, and data within an organization to perform their jobs.
- General business users: The largest group of workforce identities are general business users: roles that are important to company operations—like HR managers, accountants, and customer service reps.
- Elevated business users: There are also some elevated business users that pose a higher risk because they require access to sensitive systems and data—like a finance manager responsible for transferring funds from the organization’s corporate account.
- Third parties and vendors: As organizations grow, they rely more on outsourcing things that are not core to their business, which means working with more third parties and contractors. These third parties and vendors are not part of the organization, but need access to corporate applications and data.
IT admins hold the keys to the kingdom, hence the importance of Privileged Access Management (PAM). However, users of critical business applications, such as ERP, HR, and CRM systems, can easily become “Shadow IT” as SaaS tools are increasingly licensed and managed by application owners rather than IT. Business applications have a wide variety of security roles and structures that are often quite broad and don’t easily align with your other identity management processes.
Challenges with protecting workforce identities
The users who make up your workforce and the applications they need access to are broad and diverse, making it difficult to protect workforce identities effectively from compromise. Plus, in addition to external threats, you need to protect your organization against internal fraud risk. Here are a few of the challenges organizations face with protecting workforce identities:
- Sprawling workforce credentials: According to NordPass, the average employee uses 87 passwords to access work-related accounts. That’s a lot to remember! As a result, many employees use browsers like Chrome to save their passwords. But, these password managers are only as good as the user’s password hygiene. If employees reuse passwords or create weak passwords, a consumer-grade password manager can’t fully protect them.
- Lack of control over workstations: User workstations are a primary target for attackers looking to gain a foothold in your network and move laterally to get to your servers. If employees can download whatever they want, that’s a risk as malware can be bundled with other software.
- Orphaned accounts: Think of how many employees leave your company each year. If all of their access isn’t revoked properly, you get orphaned accounts: credentials that are still active but no longer have an owner. These are low-hanging fruit for account takeover. Smaller organizations can often get by provisioning and governing access manually, but as your organization grows and adopts more applications, inefficiencies in provisioning and governing access lead to risk that nobody is looking at.
- Privilege creep: Organizations lose 5% of their revenue to fraud each year, and the average fraud loss per case is $1.7M, according to the Association of Certified Fraud Examiners in Occupational Fraud 2024: A Report to the Nations. Those numbers are staggering, but how does this happen?
When employees get promoted or change roles, they often accumulate excessive privileges that they no longer need. When was the last time an employee raised their hand and asked that you remove their access to something? On top of that, many organizations have 10-15 business applications that manage critical functions like financial transactions, and managing security within ERP systems is no simple task.
Here are 6 ways you can secure workforce identities:
1. Vault business user credentials
Use an enterprise-grade vault to securely store, rotate, and supply credentials to applications. This gives your IT admins oversight over workforce passwords so they can make sure they meet requirements for complexity and length, and takes the burden off business users to remember and manage them.
2. Enable MFA
Once you’ve vaulted business user credentials, you can put those credentials behind an MFA wall. Now you can enforce MFA for your elevated business users when they are logging in to applications with sensitive information, putting another layer of defense in front of potential attackers.
3. Lock down workstations
Remove local admin rights from workstations to prevent lateral movement and ransomware attacks. Instead, you can implement just-in-time access to sensitive applications or systems.
4. Automate lifecycle management
Rather than manually provisioning access for workforce identities, adopt an automated Identity Lifecycle Management solution that integrates with your HR system. When employees change roles or leave the organization, this ensures that access that is no longer needed is revoked seamlessly.
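The orphaned-account problem described under the challenges above, and the reconciliation that an automated lifecycle process performs in step 4, come down to one check: every enabled application account must map to a person the HR system still considers active. The following Python script is an added example, not code from the article or from Delinea; the HR roster, the ERP account export, the field names and the cut-off date are all constructed for illustration, and in practice the two inputs would come from the HR system’s export and each application’s admin API.

```python
"""Orphaned-account reconciliation: HR roster vs. application accounts.

Added example, not the article's or Delinea's code. Both datasets below are
constructed inline; the field names ("employee_id", "end_date", ...) are
assumptions about what an HR export and an ERP account export might contain.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: one row per person of record (employees and contractors).
HR_ROSTER = [
    {"employee_id": "E1001", "email": "ana@example.com",  "status": "active",     "end_date": None},
    {"employee_id": "E1002", "email": "ben@example.com",  "status": "terminated", "end_date": "2025-03-14"},
    {"employee_id": "E1003", "email": "cara@example.com", "status": "active",     "end_date": None},
    {"employee_id": "C2001", "email": "dev@contractor.example", "status": "active", "end_date": "2025-06-30"},
]

# Constructed account export from one business application (an ERP, say).
APP_ACCOUNTS = [
    {"app": "erp", "username": "ana@example.com",  "enabled": True},
    {"app": "erp", "username": "ben@example.com",  "enabled": True},   # left in March, never deprovisioned
    {"app": "erp", "username": "cara@example.com", "enabled": True},
    {"app": "erp", "username": "dev@contractor.example", "enabled": True},  # contract ended, access still live
    {"app": "erp", "username": "jdoe@example.com", "enabled": True},   # no HR record: nobody owns this account
    {"app": "erp", "username": "old-intern@example.com", "enabled": False},  # already disabled: not a finding
]


@dataclass(frozen=True)
class Finding:
    app: str
    username: str
    reason: str


def find_orphaned_accounts(roster, accounts, today):
    """Return enabled accounts that have no active owner in the HR roster.

    Three conditions produce a finding:
      - the account maps to no HR record at all (no owner of record),
      - the owner's HR status is anything other than 'active',
      - the owner's end_date has already passed (an expired contractor).
    Disabled accounts are skipped: their access is already revoked.
    """
    by_email = {row["email"].lower(): row for row in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        owner = by_email.get(acct["username"].lower())
        if owner is None:
            findings.append(Finding(acct["app"], acct["username"], "no HR record"))
        elif owner["status"] != "active":
            findings.append(Finding(acct["app"], acct["username"], f"owner {owner['status']}"))
        elif owner["end_date"] and date.fromisoformat(owner["end_date"]) < today:
            findings.append(Finding(acct["app"], acct["username"], "owner end date passed"))
    return findings


if __name__ == "__main__":
    # Constructed review date; a scheduled job would use date.today().
    for f in find_orphaned_accounts(HR_ROSTER, APP_ACCOUNTS, today=date(2025, 9, 1)):
        print(f"{f.app}: {f.username} -> {f.reason}")
```

Run on a schedule against every application in scope, each finding becomes a deprovisioning ticket rather than something that waits for the next manual review. Matching on the HR system’s identifier (the `employee_id` column here) instead of an email address is more robust when people change names, but the email match keeps the example readable.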
5. Enforce the Principle of Least Privilege
Periodic User Access Reviews (UAR) prevent users from accumulating more privilege than is required to perform their job. Segregation of Duties (SoD) is another vital internal control: it helps prevent fraud by stopping any one individual from having too much access within a single process—like being able to both create a vendor and pay a vendor. Automating access certification campaigns and SoD analysis helps you close gaps more efficiently and address compliance requirements.
6. Continuously monitor identity posture
Run checks for anomalous behavior. By continuously auditing and monitoring workforce identity access, you can identify suspicious activities that could be related to compromised accounts so you can remediate threats in real time.
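Step 5 above, and the privilege-creep challenge earlier in the post, are both questions you can ask of an entitlement export: does any one person hold a toxic combination of entitlements (the create-a-vendor plus pay-a-vendor case the post gives), and does anyone hold entitlements beyond what their current role should carry? The Python below is an added example and not the article’s or Delinea’s code; the entitlement names, the role baselines and the SoD rule list are constructed for illustration, and a real rule set would come from the application owner and the audit team.

```python
"""Segregation-of-duties and privilege-creep checks over an entitlement export.

Added example, not the article's or Delinea's code. Entitlement names, role
baselines and SoD rules are constructed; they stand in for whatever the real
ERP exposes and whatever the audit team has defined as conflicting.
"""

# Constructed entitlement export: user -> the set of ERP entitlements they hold.
USER_ENTITLEMENTS = {
    "ana@example.com":  {"AP_CREATE_VENDOR", "AP_PAY_VENDOR", "GL_VIEW"},   # can create and pay a vendor
    "ben@example.com":  {"AP_CREATE_VENDOR", "GL_VIEW"},
    "cara@example.com": {"AP_PAY_VENDOR", "AP_APPROVE_INVOICE", "GL_VIEW", "HR_VIEW"},  # HR_VIEW left over from an old role
    "dan@example.com":  {"HR_EDIT_PAYROLL", "HR_VIEW"},
}

# Constructed role assignments and the entitlement baseline each role should carry.
USER_ROLES = {
    "ana@example.com":  "ap_clerk",
    "ben@example.com":  "ap_clerk",
    "cara@example.com": "ap_approver",
    "dan@example.com":  "payroll_admin",
}
ROLE_BASELINE = {
    "ap_clerk":      {"AP_CREATE_VENDOR", "GL_VIEW"},
    "ap_approver":   {"AP_PAY_VENDOR", "AP_APPROVE_INVOICE", "GL_VIEW"},
    "payroll_admin": {"HR_EDIT_PAYROLL", "HR_VIEW"},
}

# Constructed SoD rules: pairs of entitlements one individual must not hold together.
SOD_RULES = [
    ("AP_CREATE_VENDOR", "AP_PAY_VENDOR", "create a vendor and pay that vendor"),
    ("HR_EDIT_PAYROLL", "AP_PAY_VENDOR", "edit payroll and release payments"),
]


def sod_violations(entitlements, rules):
    """Return one (user, entitlement_a, entitlement_b, description) tuple per rule a user breaks."""
    hits = []
    for user, held in entitlements.items():
        for a, b, why in rules:
            if a in held and b in held:
                hits.append((user, a, b, why))
    return hits


def privilege_creep(entitlements, roles, baseline):
    """Return {user: entitlements held beyond the baseline for their current role}.

    A user with no role assignment has an empty baseline, so everything they
    hold is reported; that is deliberate, since such a user has no approved
    reason to hold anything.
    """
    excess = {}
    for user, held in entitlements.items():
        allowed = baseline.get(roles.get(user), set())
        extra = held - allowed
        if extra:
            excess[user] = extra
    return excess


if __name__ == "__main__":
    for user, a, b, why in sod_violations(USER_ENTITLEMENTS, SOD_RULES):
        print(f"SoD: {user} holds {a} + {b} ({why})")
    for user, extra in privilege_creep(USER_ENTITLEMENTS, USER_ROLES, ROLE_BASELINE).items():
        print(f"Creep: {user} holds {sorted(extra)} beyond role {USER_ROLES.get(user)}")
```

Note that Ana shows up in both reports: the toxic pair she holds is also the entitlement outside her role baseline, which is typical, since privilege creep is how most SoD conflicts arise in the first place. Feeding the creep report into the access certification campaign, with the SoD hits escalated rather than left to the line manager, is what turns these checks into the automated review the step describes.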
Reinforce the weak points in your identity chain
By taking these recommended measures, you extend protection beyond your PAM approach to every workforce identity with access to sensitive systems and data, and reduce the risk that a compromised account becomes a breach.
Read more about emerging AI threats impacting workforce identities in Delinea’s 2025 Cybersecurity and the AI Threat Landscape report.