Identity management day

Identity as the Perimeter: Training Employees in the Age of Preventable Breaches

For security awareness and training professionals, the statistics surrounding identity-related breaches are a sobering call to action. With 79% of organizations experiencing an identity-based security incident in the last two years—and a staggering 99% of those deemed preventable—our mission is clear: we must move beyond compliance and foster a deep, behavioral understanding of identity management.

According to the Verizon Data Breach Investigations Report, roughly 81% of hacking-related breaches leverage weak or compromised passwords. As we navigate an increasingly interconnected digital world, our training programs must empower employees to treat their digital identities with the same physical security mindset they use for their own homes.

Guidance to Encourage in Your Security Awareness and Training Programs

To build a resilient workforce, prioritize these five identity security “basics” in your curriculum, ensuring employees understand the why behind the controls:

  • The “Zero Reuse” Password Policy: Complexity is important, but uniqueness is critical. Teach employees that a stolen password from one minor site shouldn’t open the door to their corporate or banking accounts. Advice: Encourage a minimum of 12 characters and a mix of types, while strictly forbidding the reuse of common personal info like birthdays.

  • The “Report, Don’t Just Delete” Phishing Protocol: Phishing is the primary delivery mechanism for credential theft. While deleting is safe, reporting the malicious URL helps security teams take down infrastructure. Advice: Train users to spot the “urgency trap” and grammatical errors, and ensure they know exactly how to flag suspicious messages in every app they use (Slack, Teams, etc.).

  • A Multi-Device Update Habit: Updates aren’t just for PCs. Attackers target the “quiet” vulnerabilities in browsers, email clients, and home IoT devices. Advice: Remind staff to enable automatic updates across their entire digital ecosystem to patch vulnerabilities before they can be exploited.

  • MFA as the “Double Lock”: Frame Multi-Factor Authentication not as a hurdle, but as a secondary bolt on the door. Advice: Encourage the use of authenticator apps or hardware keys over SMS codes where possible, and emphasize that a legitimate service will never ask for an MFA code over the phone.

  • Password Managers as Personal Assistants: We cannot expect humans to remember 100+ unique, 12-character passphrases. Advice: Promote the use of enterprise and personal password managers (like NordPass or Keeper) to automate security and remove the friction of being safe.

  • Proactive Identity Cleanup: The less data that exists about an employee online, the harder they are to target. Advice: Share resources on removing personal information from data brokers using tools like Incogni or PrivacyHawk.

By integrating these identity-first habits into your culture, you transform your employees from potential targets into active defenders of the organizational perimeter.

Read the full breakdown of identity security basics here:

Identity Management: Top 5 Identity Security Basics for Online Security
