In February 2024, Change Healthcare, a major medical billing and insurance processing company, was hit with a ransomware attack caused by stolen credentials and a lack of multifactor authentication. The breach compromised the health records and financial data of over 100 million people.
In a digital marketplace increasingly built on remote work, cloud services and third-party vendors, no organization is too big (or too small) to be a target for hackers, and the attack surface continues to grow. It’s essential for companies to carefully review and, as needed, revamp traditional access security measures. Below, members of Forbes Technology Council share essential lessons in modern access security that every organization, no matter its size or sector, would be wise to learn.
1. Employ A Zero-Standing Privilege Model
Employ a zero-standing privilege model—because most attackers do not break in; they log in. In the shared responsibility model of cloud security, access control is the main lever in the hands of organizations. By eliminating standing access, organizations can limit the otherwise drastic impact of identity compromise, making breaches a SOC event rather than a C-level event. – Atul Tulshibagwale, SGNL.ai
2. Consistently Carry Out Access Control Reviews And Security Tests
A key lesson organizations should learn is that most attacks occur through known vectors and techniques. This enforces the importance of diligently reviewing security hygiene. As it relates to access security, this means being consistent with access control reviews and proactive security testing to identify weaknesses, such as insecure passwords or privilege creep. The best defense is a good offense. – Daniel DeCloss, PlexTrac, Inc.
3. Pay Attention To Supply Chain Vulnerabilities
Recent attacks have showcased the need to pay ongoing attention to supply chain vulnerabilities. Organizations need to start holding software vendors to a higher standard. The software industry must establish a “best practices” framework to ensure they are doing their best for customers. The executive order that followed the attack on the Treasury Department emphasized the need for this. – Poornima DeBolle, Menlo Security
4. Implement Advanced Data Fragmentation
As cybercriminals increasingly target backup repositories, the key lesson is implementing advanced data fragmentation that cryptographically disperses data across multiple locations. This strategy ensures that compromised credentials or breached storage only yield unintelligible fragments that cannot be reassembled without proper authorization and encryption keys. – Greg Salvato, TouchPoint One
5. Automate Employee Access
The complexity and interconnectedness of modern business applications require proactive visibility and continuous controls monitoring, with the ability to automate this process throughout the identity life cycle. As employees join, move within and leave an organization, their access rights must be continuously governed and analyzed for risks. A simple oversight can lead to a major data breach. – Piyush Pandey, Pathlock
6. Move Toward Passwordless Practices
Access is a key ingredient that drives up risk and directly impacts employee satisfaction and enablement. And passwords are the “front door” to access-related challenges. Knowing this, cybersecurity teams should boldly move toward passwordless practices across their environment, leveraging a rare win-win opportunity to reduce multiple high-risk concerns while improving the employee experience. – Kim Bozzella, Protiviti
7. Implement Multichannel Phishing Protection
Phishing attacks have evolved beyond simple email scams into sophisticated multichannel operations targeting collaboration tools (like Teams), mobile devices and Web messaging (for example, LinkedIn). Organizations need real-time protection across all communication channels, as traditional email security alone isn’t enough. AI-powered detection tools that cover all platforms block threats before they succeed. – Patrick Harr, SlashNext
8. Maintain A Balance Of Security, Usability And Scalability
I think the lesson organizations should learn from the cyberattacks that targeted access security is evident: Workforce access management is a challenge for organizations because they need to balance security, usability and scalability. Getting any one of those wrong can either slow down real users or let attackers in. Access solutions built for convenience or created by generalists won’t be enough. – Jim Taylor, RSA Security
9. Adopt A Cloud-Native Platform
Adopting a cloud-native platform to secure data and networks offers the advantage of real-time security updates and comprehensive protection across networks. To further strengthen cybersecurity systems, implement password protection for sensitive files, restrict access to authorized personnel and prioritize consistent cyber hygiene practices across the organization. – Matthew Polega, Mark43
10. Adopt The Least-Privilege Principle
Breaches happen when workforces access company assets, making them vulnerable to attacks. Adopt a principle of least privilege so that employees have access only to the information necessary for their role, reserving confidential assets for only a select few. Additionally, consistently enforcing least privilege allows security teams to better predict patterns of usage and identify anomalies more quickly. – Matthew Peters, CAI
11. Invest In Advanced Visibility And Analytics
A key lesson is the need to focus on access visibility. Organizations can’t protect what they can’t see. Access paths—such as direct, distributed and AI-driven—are not managed by a single system. To tackle evolving threats, companies should invest in advanced visibility, utilize AI for insights and implement graph-based analytics to better protect assets and respond in today’s complex digital landscape. – Jagadeesh Kunda, Oleria Corporation
12. Take Human Nature Into Consideration When Designing Security Systems
Organizations must treat access security as a behavioral challenge, not just a technical one. Instead of adding controls that employees bypass, design security that works with human nature—make secure paths feel faster than workarounds and use AI to suggest natural access levels. When protecting security feels easier than breaking it, compliance follows. – Achraf Golli, Quizard
13. Shift To Dynamic, Context-Aware Access
Recent cyberattacks reveal that static access controls are a liability. Organizations must shift to dynamic, context-aware access—adapting permissions in real time based on user behavior, location and risk signals. Static multifactor authentication isn’t enough; combine it with adaptive authentication and just-in-time access to limit exposure windows. This fluid security is critical to outpace evolving threats. – Deepak Gupta, Cars24 Financial Services
14. Teach Your Team About Social Engineering
Most successful breaches are still caused by human error. Social engineering is operationalized more frequently than exploitation of vulnerabilities or misconfigurations. Access security should start with educating the workforce, followed by robust access control following the principle of least privilege, proper monitoring and segmentation to reduce lateral movement and escalation. – Austin Berglas, at BlueVoyant
15. Implement AI-Based Defenses
Current threats are increasingly sophisticated and can exploit weaknesses in human oversight. Implementing AI-based defenses that analyze large datasets in real time, detect new attack methods like advanced phishing, and learn from each incident helps organizations detect and respond to threats more effectively. – Andrey Kalyuzhnyy, 8allocate
16. Consider CSMA
Cybersecurity mesh architecture can be a key strategy here, as it decentralizes security controls and integrates them across all assets and endpoints, regardless of their location. With CSMA, an organization can ensure access security by applying consistent and contextual policies across its entire infrastructure, ensuring that only authorized users have access to critical systems and data. – Eran Zilberman, Cyclops Security
17. Develop A Holistic Cybersecurity Management Approach
Recent cyberattacks have shown that a lack of visibility into access security leads to vulnerabilities. CISOs with a holistic cybersecurity management approach gain real-time insights into access controls and user behaviors. With continuous monitoring, performance metrics and analytics, leaders can proactively detect risks, enforce least privilege and strengthen their security posture. – Sivan Tehila, Onyxia Cyber
18. Thoroughly Cover The Basics
Basic cyber hygiene was and still is the No. 1 priority for security teams. This includes ensuring all systems are accessed only through a managed SSO/identity provider—not passwords—using authorized browsers and two-factor authentication. Most importantly, these practices must also apply to C-level executives and security teams. That alone is enough to block almost all high-profile attacks. – Arie Abramovici, Exodigo AI
19. Ensure No Single Person Holds ‘The Keys To The Kingdom’
The safest way to secure something is to unplug it from the network. The second-safest way to secure something is to distribute the keys among many responsible individuals so that no single person holds “the keys to the kingdom.” No matter the technology—MFA, scans, encryption—most breaches happen because one person is compromised. The more distributed the keys, the stronger the security. – Shangyan Li, GrubMarket Inc.
Original Story: https://www.forbes.com/councils/forbestechcouncil/2025/02/28/19-essential-access-security-lessons-from-tech-experts/
