If 2024 was the year AI reshaped IT operations, 2025 was the year Autotask brought it all together.

From smarter billing and automated ticketing to a modernized interface designed for the way you work today, this year’s releases delivered some of Autotask’s most impactful improvements yet. And IT teams took notice, with top-tier recognition from G2, Capterra and Software Advice underscoring Autotask’s position as a leader in PSA software.

Here’s a look back at the innovations that made 2025 one of Autotask’s biggest years ever — and how they help teams save time, reduce friction and run more profitable, scalable IT services businesses.

A smarter way to manage client relationships: Umbrella Contracts

Managing multiple agreements for the same client has long been one of the most complex aspects of running an IT services business. In 2025, we changed that.

Umbrella Contracts, introduced in the 2025.5 release, give you one unified container for everything — managed services, time and materials, project work and more — so you can manage client agreements holistically instead of hunting across multiple contract screens.

Why customers love it

• One contract, total clarity: View every service, change and activity in one place. No more jumping between separate agreements.
• Cleaner billing with fewer errors: In-frame drawers, inline editing and advanced table filters turn contract management into a streamlined workflow, not a scavenger hunt.
• Roll out at your pace: Use Umbrella Contracts for new clients immediately while keeping existing agreements intact until you’re ready to migrate.

It’s simpler, more organized and reduces risk — which means more predictable billing and better client conversations.

A modern Autotask experience: The new UI arrives

Autotask’s biggest visual and usability transformation in more than a decade launched in 2025. Built on the Kaseya Design System, the new interface delivers a cleaner, more intuitive experience that reduces clicks, maintains context and helps technicians stay focused.

What changed

• Collapsible left navigation for more screen space and faster access
• Reorganized top navigation with simplified icons
• Improved search, with global search coming soon
• Refreshed dashboards with drag-and-drop widget resizing
• Updated Worklist panel to keep priorities front and center

The new UI eliminates friction and supports how modern service teams work. Whether you’re managing projects, reviewing tickets or billing clients, everything feels faster, clearer and more consistent across the entire IT Complete platform.

This refresh is just the first step — with more streamlined grids, inline editing, enhanced previews and bulk updates coming next.

Source: Datto

As Artificial Intelligence (AI) agents become more autonomous by accessing critical systems and acting without real-time human oversight, they are evolving from productivity tools into active Non-Human Identities (NHIs) like service accounts or API keys that require the same oversight and controls as human users. This shift expands organizational attack surfaces, introducing new security risks related to overprivileged access and lateral movement of NHIs across cloud infrastructure. When AI agents are compromised, cybercriminals may exploit prompt injection to manipulate an agent into executing unauthorized actions, stealing credentials or moving laterally across cloud environments.

To keep up with these challenges, organizations must rethink how zero-trust security applies to autonomous AI agents. The Model Context Protocol (MCP) introduces a context-driven framework for governing how AI agents access tools and data by emphasizing identity, access and intent, helping organizations apply zero-trust principles to the forefront of every machine-driven interaction.

Continue reading to learn more about MCP, how it enables zero-trust principles and how Keeper^® enables zero trust for AI agents.

What is the Model Context Protocol (MCP)?

The Model Context Protocol (MCP), an open standard introduced by Anthropic, is designed to securely govern how AI agents autonomously access tools, data and systems in enterprise environments. Instead of allowing AI agents to operate with static or broad access controls, MCP emphasizes embedding context into every request an AI agent makes. For example, rather than granting an AI agent blanket read access to an entire database, MCP can evaluate whether a specific query, at that moment and for that task, should be permitted, retrieving only the specific access role required. This structure ensures that AI actions are transparent and aligned with organizational policies and security requirements.

MCP plays an important role in contextualizing and controlling AI agent behavior in real time. By embedding context into every interaction, MCP helps organizations continuously verify NHIs with least-privilege access and risk-based decisions, mitigating modern AI-specific attack vectors. A context-aware approach enables security teams to evaluate who or what is requesting access, as well as why and how the request is being made. As a result, MCP helps transform AI agents from high-risk identities into governed entities that work within a zero-trust environment, enabling organizations to scale AI adoption without jeopardizing safety or visibility.

How MCP enables zero-trust principles in AI workflows

Traditional zero-trust security models were made for human users, not autonomous AI agents that compromised workflows can influence. Without continuous identity verification, AI agents may unknowingly act on malicious instructions, reuse exposed credentials or create ideal conditions for privilege escalation and lateral movement. The MCP extends zero-trust principles to AI-driven workflows by ensuring each action is continuously verified, tightly controlled and fully auditable. With MCP, each request an AI agent makes is assessed based on context, including identity, task and environment, to adapt to changing conditions. For example, a DevOps AI agent deploying code may be limited to a specific environment for a set period, while a customer support AI agent may access only the customer records necessary to resolve a ticket. If an agent’s task or scope changes, access can be revalidated or revoked, reinforcing continuous verification.

This approach to real-time authentication limits credential exposure, preventing AI agents from accessing systems beyond their intended purpose. Time-limited access for AI agents reduces credential exposure while enforcing least-privilege access across environments. In addition, MCP enhances visibility and accountability by enabling contextual logging of autonomous actions, which security tools can use to support session recording, auditing and incident response.

Securing AI agent workflows with KeeperPAM

Although MCP defines how context should be applied to AI interactions, organizations still need Privileged Access Management (PAM) solutions to enforce zero-trust principles. KeeperPAM^® secures AI-driven workflows by combining context-aware controls, zero-knowledge encryption and policy-based automation without exposing credentials or disrupting operations.

Building AI systems you can trust

As AI agents become embedded across enterprise environments, zero-trust security is crucial for maintaining secure, autonomous, machine-driven access. The MCP introduces a foundational context layer needed to continuously verify AI agents’ identities, intents and access at scale. To enhance modern security postures, organizations need zero-trust controls within a strong PAM solution that integrates with MCP. With its MCP integration, KeeperPAM delivers the privileged access and secrets management required to securely enable AI-driven workflows without exposing credentials or losing visibility.

Start your free trial of KeeperPAM today to secure AI agents with zero-trust security across your organization.

Source: Keeper

Most IT teams are doing impressive work under difficult conditions. Tickets get closed. Systems stay online. Users are supported. On paper, everything is functioning.

And yet, there’s a persistent feeling that progress is harder than it should be.

As expectations for faster, more consistent and more scalable IT service delivery rise, many teams are starting to feel overwhelmed. Too much time is still spent on manual documentation, repetitive service tasks and disconnected processes that slow response times and pull focus away from higher-impact, proactive work.

The natural assumption is that demand exceeds the team’s ability to keep up. More endpoints, more users, more complexity — surely the answer is more people.

But for many IT organizations, the challenge isn’t just a headcount numbers game. The real limitation is how much of the day is still consumed by manual, repetitive work.

Manual workloads quietly become the bottleneck

Manual, repetitive work rarely shows up as a red flag. It blends into the background of daily IT operations. A technician copies information from one system into another. Someone searches for documentation that exists — just not where they need it.

Each instance may seem minor, or even necessary, on its own. But over time, they accumulate. As IT environments grow more complex, manual tasks multiply, context becomes increasingly fragmented and resolution paths stretch longer than they should.

What used to feel manageable starts to feel overwhelming, simply because every task takes more effort than it should. This is the tipping point where managing manual workloads stops being routine and start becoming a liability.

Why manual repetitive work becomes technical debt

As IT environments evolve, processes built for speed eventually fall behind. Teams compensate by relying on workarounds, institutional knowledge and manual effort instead of consistent systems.

The cost isn’t obvious at first. However, over time, it shows up as:

• Longer resolution times for routine issues
• Inconsistent outcomes between technicians
• Burnout among the people who know the environment best
• Increased risk from missed steps and missing context

Over time, those manual tasks become a form of technical debt that IT teams struggle to escape. Technicians feel the debt first

Technicians are on the front lines, and they feel the burden most. A significant portion of their day is often spent searching for information across fragmented systems or recreating work because documentation is missing or outdated. Instead of resolving issues, they’re stuck navigating disconnected tools and repetitive, manual tasks.

Over time, this erodes momentum. Skilled technicians spend their days executing processes instead of improving them. The job becomes about keeping up rather than moving forward.

This is usually the first signal that manual work has crossed the line from “how things are done” to “what’s holding us back.”

Managers see the impact when scale stops working

For IT operations leaders, the consequences of manual workloads surface differently.

Scaling IT effectively requires more than hiring. Leaders are under pressure to keep pace with growing demand while also giving their teams room to develop skills and improve how work gets done. Organizations must balance workload, automation and upskilling to ensure teams can operate effectively today while preparing for what’s next.

Manual workloads introduce friction at every stage of the ticket lifecycle. When prioritization and triage rely on human review, tickets wait in queues, urgency is misjudged and critical issues are often buried behind lower-impact requests. As volumes grow, teams spend more time sorting and routing work than resolving it.

Why fixing individual tasks won’t solve the problem

When teams start to feel the weight of manual work, the first instinct is usually to automate pieces of it. A script here. A rule there. Maybe a new tool to speed up one step in the process. Those changes can help — but they rarely change how the work actually feels day to day.

That’s because automating isolated tasks inside broken workflows just creates faster fragments. Technicians still have to jump between monitoring alerts, ticket queues and documentation systems to understand what’s happening. Context still lives in multiple places. And work still depends on people stitching everything together by hand.

At that point, the problem isn’t effort or expertise. It’s that service delivery itself is fractured across disconnected systems.

Real progress starts when teams step back and ask a harder question: How should this work flow from start to finish?

Where AI actually changes the equation

That question — how work should flow end to end — is where AI begins to matter in a meaningful way.

Instead of automating individual steps, AI makes it possible to connect them. When service delivery runs through an integrated, AI-driven workflow, alerts flow directly into tickets, relevant context surfaces automatically and repetitive decisions no longer require human intervention.

Issues get resolved faster and service delivery starts to feel more predictable and consistent. Teams spend less time chasing information and more time fixing issues. Processes become consistent. Outcomes become repeatable. And the operation can scale without adding complexity, headcount or burnout.

AI doesn’t solve the problem by working harder. It solves it by changing how the work fits together.

The real shift IT operations need to make

Organizations that take this step reduce operational friction, lower costs and make service delivery easier to manage. It’s time to shift gears and strategically evaluate how AI can transform your IT operations and reduce the technical debt of manual workloads.

Those that wait risk falling behind, constrained by manual processes and fragmented systems that make it harder to respond quickly to evolving market demands and technology change.

IT operations are entering a new phase. Discover how AI is becoming a game changer for IT operations — from automating documentation workflows to accelerating ticket resolution and helping teams work smarter, not harder.

Source: Kaseya

Sophos has been named a 2026 Gartner® Peer Insights™ Customers’ Choice in the 2026 Gartner® Peer Insights™ Voice of the Customer Report for Endpoint Protection Platforms . This marks our first Gartner Peer Insights Customers’ Choice distinction of 2026 and a fifth consecutive Customers’ Choice for Sophos in the EPP category. This recognition comes directly from customer feedback, and we’re truly thankful for the time customers take to share their experiences and for the trust they place in Sophos.

In the 2026 Voice of the Customer report for Endpoint Protection Platforms, Sophos’ rating is based entirely on verified customer feedback based on 286 total reviews as of 30 November 2025:

• Named a Customers’ Choice vendor for the 5th consecutive time
• 4.9 / 5.0 overall rating – the highest rating among vendors in the Customers’ Choice Quadrant
• 4.8 / 5.0 rating for Product Capabilities – the highest among vendors in the Customers’ Choice Quadrant
• 98% Willingness to Recommend – tied for the highest among vendors in the Customers’ Choice Quadrant

We believe these results reflect Sophos’ focus on delivering powerful, easy-to-manage endpoint protection that combines advanced threat prevention, detection, and response across modern work environments.

Built for Modern Workspaces and Evolving Threats

We believe Sophos’ continued recognition in the Gartner® Peer Insights™ Voice of the Customer Reports for Endpoint Protection Platforms aligns with its broader strategy to secure today’s dynamic, hybrid work environments. With capabilities that extend beyond traditional endpoint security, Sophos helps organizations protect users, devices, and data wherever work happens. The recent introduction of Sophos Workspace Protection is the ideal complement to Sophos Endpoint, Sophos MDR, and Sophos Firewall and extends and unifies these great products and services to remote and hybrid workers everywhere they go.

Recognition Driven by Real Customer Experiences

Gartner Peer Insights is a free peer review and ratings platform designed for enterprise software and services decision makers. We feel being named a Customers’ Choice reflects both high overall ratings and strong willingness to recommend, consistently validating Sophos’ commitment to customer success. We are incredibly grateful to our customers worldwide for their continued trust and feedback, which directly contribute to shaping and improving Sophos’ solutions.

Here are some examples of what customers had to say about Sophos Endpoint: 

“Our overall experience with Sophos Endpoint has been exceptionally positive. It delivers enterprise-grade protection without the complexity. The seamless integration and proactive defense against emerging threats have given our IT team complete peace of mind and significantly reduced our management overhead.” – CIO in the Manufacturing Industry, $50M-$250M, Review Link

“Everything about Sophos, from their admin tools to the user experience to the support and sales team, is top-notch. We have been using Sophos Endpoint for almost 13 years now, as Endpoint protection is the bare minimum requirement of our security-minded clients and audits. Every year, we add more and more users to our Endpoint protection, scattered across our five offices located in LA, NY, Austin, London, and Tokyo” – Director, IT Security and Risk Management in the Media Industry, $50M-$250M, Review Link

To learn more about how Sophos Endpoint can help your organization, visit: https://www.sophos.com/en-us/products/endpoint

Source: Sophos  

The World Economic Forum’s Global Cybersecurity Outlook 2026 delivers a clear and uncomfortable truth: cyber risk is accelerating faster than our traditional defenses can keep up. AI-driven attacks, geopolitical volatility, supply-chain fragility, and widening cyber inequity reshape the threat landscape at a systemic level.

What stands out most, however, is not just what is changing—but where defenses are consistently failing.

Across AI misuse, ransomware, fraud, supply-chain compromise, and cloud outages, identity remains the dominant attack path. Whether human or non-human, identities have become the new control plane of modern cybersecurity.

In this blog, I break down five Identity Security lessons we can learn from the research.

Lesson 1: AI has turned identity abuse into a force multiplier

According to the report, 94% of organizations identify AI as the most significant driver of cyber risk, and 87% cite AI-related vulnerabilities as the fastest-growing threat. While much attention is placed on AI models themselves, the more systemic risk lies elsewhere.

AI agents, like other identities, don’t break in—they log in.

Attackers are using AI to:

• Scale phishing and impersonation with unprecedented realism

• Automate credential harvesting and privilege escalation

• Exploit over-privileged service accounts, APIs, bots, and AI agents

The report explicitly highlights that the multiplication of identities—especially AI agents and machine identities—has outpaced governance and security controls. These non-human identities (NHIs) now outnumber human users in most environments, yet remain largely invisible, unmanaged, and implicitly trusted.

Security takeaway:
If organizations continue to protect networks and endpoints while trusting identities by default, AI will simply accelerate compromise.

This is why it’s important to apply Zero Trust principles to Identity Security. If authentication and authorization are where your security controls end, you’re likely not implementing a Zero Trust approach.

Instead, security-first approaches like adaptive MFA and risk-based access controls for all identities – whether it’s humans, service accounts, APIs, AI agents, legacy systems, and more – ensure your strategy is based on continuous validation. Rather than, “Do the credentials/access match the identity?” you should be able to answer questions like “Does this access make sense to allow based on the risk signals?”

Lesson 2: Cyber-enabled fraud is an identity problem, not a financial one

The report reveals that 73% of respondents were personally affected by cyber-enabled fraud, making it the top concern for CEOs—surpassing ransomware.

What’s driving this surge?

• AI-powered impersonation

• Credential reuse

• Lateral movement using legitimate access

• Abuse of trusted identities rather than malware

Fraud today succeeds not because systems are unpatched—but because identity verification stops too early.

Once credentials are obtained, most environments still fail to:

• Continuously validate access

• Detect abnormal identity behavior

• Apply step-up authentication dynamically

Security takeaway:
Fraud prevention and identity security are now inseparable. Fraud begins and end with identity abuse, meaning that real-time, context-aware controls are needed to stop fraudulent activity before material damage is done.

From the report, it’s also clear that CEO and CISO priorities are shifting, yet the foundation for where they can come together remains the same: through strong Identity Security.

Lesson 3: Supply-chain attacks inherit trust—and abuse it

The WEF report identifies third-party and supply-chain vulnerabilities as the top cyber resilience challenge for large organizations. Crucially, the most common supply-chain risk is not malware—it is inherited trust.

When vendors, partners, or managed services connect:

• They often authenticate via service accounts

• Credentials are long-lived and rarely rotated

• Access is broad, persistent, and poorly monitored

Attackers don’t need to breach the perimeter if they can log in through a trusted identity.

Security takeaway:
Supply-chain security failures are identity governance failures. Supply-chain breaches succeed by abusing inherited trust, not by exploiting technology gaps. Organizations should treat third-party access as an identity risk by maintaining a clear inventory of vendor identities, enforcing least-privilege and time-bound access, and eliminating standing permissions wherever possible. Strong authentication should be prioritized for high-risk vendor access, and access reviews must align with contract and business lifecycles. Even without new tools, disciplined governance can significantly reduce supply-chain exposure.

Lesson 4: Cyber resilience depends on identity visibility, not just recovery plans

While 64% of organizations claim they meet minimum cyber resilience requirements, only 19% exceed them. Highly resilient organizations share one defining trait: deep visibility and control across identities.

The report’s Cyber Resilience Compass shows that resilient organizations:

• Continuously assess AI and identity risks

• Monitor access across IT, OT, and cloud

• Reduce standing privileges

• Treat identity as a shared ecosystem risk

Yet identity remains fragmented across directories, clouds, SaaS platforms, legacy systems, and machine workloads.

Security takeaway:
You cannot be resilient if you don’t know who or what is accessing your systems—and why. That’s why it’s so important to retain a living, dynamically-evolving graph visualizing which identities exist and their access paths. This acts as a unified source of truth that can expose exploitable gaps that need closing.

Lesson 5: Cyber inequity makes identity the weakest link

The report highlights a widening cyber inequity gap, driven largely by skills shortages—particularly in identity and access management roles, which are among the top three most understaffed security functions globally.

Complex IAM implementations, agent-based controls, and application rewrites are no longer realistic for many organizations.

Security takeaway:
Identity security must become simpler, not more complex. IAM upskilling needs to happen in tandem with identity-first security solution implementation; this is how we close the gap between IAM and cybersecurity teams while reducing operational burden. Cyber inequity makes identity the most fragile control post – especially where skills are resources are limited.

Implementing security solutions designed with identity teams in mind offers many benefits. By standardizing identity policies (e.g., enforcing MFA on all remote and privileged access), organizations reduce dependency on scarce expertise, lower configuration errors, and achieve consistent risk reduction. For example, you can apply one access standard to employees, contractors, and service accounts, cutting operational overhead while measurably shrinking the attack surface.

The strategic shift: From perimeter security to identity-centric Zero Trust

The Global Cybersecurity Outlook 2026 reinforces a fundamental shift: Cybersecurity is no longer about defending a defined perimeter—it’s about securing infrastructure and access in real-time.

AI, cloud, supply chains, and geopolitics have dissolved the perimeter. Identity is what remains.

Organizations that will succeed in 2026 and beyond are those that:

• Treat identity as critical infrastructure

• Secure non-human identities with the same rigor as human users

• Enforce Zero Trust dynamically, everywhere

• Reduce implicit trust across ecosystems

Silverfort was built precisely for this moment—to secure identities wherever they exist, however they authenticate, and whatever they access.

Silverfort’s platform approach to Identity Security recognizes that identities span cloud, on-prem, legacy systems, service accounts, and non-human workloads—yet they are secured through fragmented controls. By acting as a unified enforcement layer across all authentication paths, the platform enables consistent Zero Trust policies without agents or application changes. This allows organizations to reduce identity risk holistically, rather than incrementally securing identities one system at a time.

Final thought

The WEF report concludes that cyber resilience is a shared responsibility and a strategic imperative. Identity Security is where that responsibility becomes actionable.

In the age of AI-driven threats, every breach is an identity breach first.

The question for organizations is no longer if identity should be central to their security strategy—but how quickly they can make it so.

Source: SIlverfort

Multi-factor authentication (MFA) remains a cornerstone of cybersecurity, but attackers have learned to find workarounds.

As identity-driven attacks continue to rise, organizations must go beyond MFA to build resilience. Sophos experts and recent Gartner research agree: It’s time for an identity-first security strategy backed by continuous detection and response. For many organizations, keeping pace with identity threats feels overwhelming, especially as hybrid environments expand. But there’s a clear path forward.

Identity is now the primary attack surface

Chris Yule, director of threat intelligence for the Sophos X-Ops Counter Threat Unit, notes that more than 60% of incidents his team investigates stem from identity-related weaknesses. Phishing, stolen credentials, and social engineering are common entry points — methods that allow attackers to infiltrate without deploying traditional malware.

“The number one threat facing our customers today continues to be ransomware, both in terms of the number of incidents that we see and the impact that it can have when it hits,” Yule explained during a recent webinar. “Classic ransomware cases consistently show identity compromise as the critical first step.”

As organizations expand across hybrid and cloud environments, each new integration, from software-as-a-service (SaaS) apps to service accounts, becomes another entry point. Yet, as Yule noted, there will often be cyberattacks where there’s “very little malicious code in use.” Rather, they mainly use “privilege and trust to gain access to the environment and cause as much damage with that trust as possible.”

Why MFA alone isn’t enough

MFA is essential, but it’s not enough. Attackers have evolved, and identity-based threats now bypass even strong authentication. Organizations need continuous detection and response to stay ahead. In multiple business email compromise (BEC) cases, adversaries bypassed MFA using adversary-in-the-middle (AiTM) phishing kits.

An AiTM attack goes beyond traditional phishing. Instead of simply stealing credentials, the attacker intercepts and relays the victim’s login session in real time. When a user clicks a phishing link and enters their credentials on a fake site, the attacker forwards those details to the legitimate service and captures the entire authentication flow, including MFA responses, allowing them to hijack the session.

This reality aligns with findings that Gartner outlines in their report “CISOs Must Integrate IAM to Strengthen Cybersecurity Strategy .” This report notes that credential compromise remains the leading cause of breaches and that “sophisticated attackers are now targeting the [identity access management] IAM infrastructure itself.”

Gartner further cautions that while prevention is essential, “there is no such thing as fail-proof prevention.” Security teams must be prepared to detect and respond when identity defenses are bypassed.

Identity-first security: The next evolution

According to Gartner, cybersecurity leaders should “embrace identity threat detection and response (ITDR) and adopt identity-first security to enable zero trust and optimize the organization’s cybersecurity posture.”

Identity-first security reframes protection around who and what is connecting, rather than where they’re connecting from. Instead of static perimeter controls, it focuses on continuous trust assessment and adaptive access. In practice, this means:

• Monitoring identity posture continuously, not just enforcing login controls.
• Detecting and responding to abnormal behaviors like privilege escalation or lateral movement.
• Reducing the attack surface by addressing misconfigurations and overprivileged accounts.

Detection for the identity layer

Yule emphasized that Sophos built our Identity Threat Detection and Response (ITDR) service precisely to fill this gap.

“Historically, identity and access management and security operations have always been largely separate things,” Yule said. “And so, what we’ve tried to do with ITDR is look at the overlap of those.”

By continuously assessing identity posture, Sophos ITDR monitors for:

• Stolen or exposed credentials on the dark web.
• Accounts with excessive or unusual permissions.
• Application misconfigurations that enable privilege abuse.

This proactive approach complements Sophos Managed Detection and Response (MDR) and Extended Detection and Response (XDR), ensuring organizations can detect threats in action while also reducing the risk of identity exploitation before attacks begin.

Identity has become the cornerstone of modern cybersecurity, and building resilience starts with treating it as a core discipline. Together, ITDR, MDR, and XDR create a security fabric that is continuous, adaptive, and resilient.

“As we increase trust in different things, things become more complicated, things become more opaque, and it becomes harder to know and identify these micro vulnerabilities that could be exploited by somebody who is smart enough to figure it out,” Yule said.

Organizations that adopt identity-first security strategies gain the agility to detect and neutralize threats before they escalate.

Explore how Sophos Identity Threat Detection and Response (ITDR) helps organizations preempt and neutralize identity-based threats before they become breaches.

Source: Sophos

Managed Service Providers (MSPs) are third-party companies that typically handle a portfolio of other organizations’ IT operations or day-to-day activities. This puts MSPs on the front lines of cybersecurity for numerous businesses, often in highly regulated industries, handling some of their most sensitive data. Even the most experienced MSPs struggle to securely manage passwords, credentials, sensitive files and privileged access across dozens of client environments.

Many MSPs still manage client passwords using shared spreadsheets, sticky notes or unsecured browsers. This makes it difficult to track access, audit usage or enforce strong password policies across critical systems. Without centralized visibility, MSPs face inconsistent access controls, delayed incident response and increased exposure to credential-based attacks. To stay secure and efficient, MSPs need an easy, centralized way to protect client environments and enforce strong password practices at scale.

The need for MSPs to strengthen security

MSPs are increasingly adopting stronger security and password management practices to protect clients and improve operational efficiency. LEAP Managed IT, a North America-based MSP headquartered in Indiana, serves clients across the Midwest, including government agencies, financial institutions, law firms, nonprofits, healthcare organizations and more. The team needed a way to simplify password sharing among internal staff and managed clients while maintaining compliance with industry standards such as CMMC, PCI, HIPAA, ISO, GovRAMP and FedRAMP.

TeamLogic IT in West Denver, which supports 20 clients and 275 end users, faced similar challenges. Many clients relied on insecure methods, such as spreadsheets or email, to share passwords. The lack of centralized control made it difficult to revoke access or track changes when employees left.

Every second spent resetting passwords or tracking down credentials is time taken away from supporting clients and growing the business. A streamlined, secure approach allows MSPs to deliver faster service, reduce risk and demonstrate value in every client interaction.

What KeeperMSP® delivers

KeeperMSP is a Privileged Access Management platform built specifically for MSPs. Core functionality of the platform includes password and secrets management to prevent password-related data breaches and cyber attacks. It helps MSPs protect their own operations while delivering stronger security for every client they manage.

Designed to meet the unique needs of MSPs, KeeperMSP provides complete visibility into end users’ password habits through robust reporting and auditing tools that help enforce security and compliance requirements. This includes Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), SIEM event reporting and regulatory and industry compliance with the CCPA, GDPR and other standards.

Purpose-built for MSPs, backed by success

For LEAP Managed IT, integrating KeeperMSP with Microsoft Entra ID enabled the team to quickly roll out the platform to 50 employees and hundreds of client users. The company gained real-time visibility into password security and compliance, while technicians in the field could securely access credentials through Keeper’s browser extension and mobile app.

TeamLogic IT experienced similar benefits. Like many MSPs, the company supports dozens of businesses with diverse IT needs. Using KeeperMSP’s role-based access controls and One-Time Share feature transformed the way the team collaborates with clients. The company can now grant or revoke access instantly and share credentials securely without relying on outdated spreadsheets or PDFs.

Across both organizations, unified password management is delivering measurable results. With KeeperMSP, Leap Managed IT and TeamLogic IT continue to improve compliance reporting, reduce credential-related service tickets, streamline credential management best practices and strengthen client relationships.

Managing credentials at scale

According to a 2025 report by Global Market Insights, the MSP market is projected to increase from $69.68 billion to $115.83 billion by 2034, averaging a Compound Annual Growth Rate (CAGR) of 5.8%. MSPs are expected to continue offering highly compliant cloud services, particularly solutions that streamline necessary business functions while providing stronger protection against cyber threats. According to data compiled from Infrascale, cybersecurity threats remain the leading concern for MSPs, with 59.7% identifying it as their top challenge.

In a multi-client environment, MSPs face unique challenges that traditional password managers can’t solve. A purpose-built solution empowers MSPs to secure every client and maintain trust across industries and regulatory requirements. With the right platform, MSPs can reduce risk, streamline operations and deliver stronger security outcomes for every customer they support. Keeper enables MSPs to secure every client account with zero-trust architecture, intuitive management tools and scalable efficiency.

Start a free trial of KeeperMSP today to secure your clients’ most sensitive data, increase visibility and streamline credential management across your organization. Read the full Keeper + LEAP Managed IT Case Study to learn more.

Source: Keeper

AI has dominated cybersecurity headlines for years, but as we enter 2026, the conversation is shifting from hype to hard realities. Across incident response, threat intelligence, and security operations, Sophos experts see clearer signals of where AI is truly making an impact. For IT teams already stretched thin, this isn’t theoretical — it’s reshaping daily decisions.

Defenders are having to deal with the speed and unpredictability of AI adoption inside their organizations. Sophos survey data shows IT leaders are increasingly worried about unmanaged use, data exposure, and how AI-enabled tools can amplify small mistakes. The question is no longer whether to use AI, but how to apply it responsibly to reduce noise and operational strain.

Industry signals reinforce this shift. The Gartner® Hype Cycle™  for Security Operations, in our assessment,  shows AI-powered capabilities — such as AI SOC agents, predictive modeling, and cybersecurity assistants — moving out of pure experimentation and toward more practical, augmentation-focused use cases. The emphasis is less on “autonomous AI” replacing humans, and more on AI accelerating triage, improving prioritization, and helping overstretched teams act faster and with greater confidence.

Looking ahead, Sophos experts expect AI’s real impact to be measured by outcomes, not novelty — a theme reflected in their predictions for the year ahead.

DPRK IT workers extend the use of AI for fraudulent employment 

“North Korean IT workers could use Agentic AI to enhance the survivability of their fake personas, improve the responsiveness to remote requests, and conduct remote taskings more effectively.” – Rafe Piling, Director of Threat Intelligence, Sophos X-Ops Counter Threat Unit

AI will supercharge threat actor scale and sophistication 

“In 2026, attackers will continue to use AI as a force multiplier. AI will make it easier to weaponize known vulnerabilities, orchestrate attack campaigns, lowering the barrier for basic hacking and enabling broad, rapid exploitation across the internet.

Payloads will be customized faster than ever, and social engineering will become increasingly tailored, including phishing that reflects open-source knowledge of individual targets. Deepfake audio and video will make BEC campaigns more convincing and far more credible, making them easier to succumb to.

AI will shift the balance of power by helping even low-skill threat actors operate with speed and precision once reserved for more experienced threat actors.” – John Peterson, Chief Development Officer

The real attack surface: Your AI application 

“We’re likely to see major breaches from prompt injection attacks within the next year. For years, security teams have worked to shrink their internet footprint, knowing that anything exposed increases risk.

Firewalls, VPNs, and ZTNA all aimed to reduce that exposure. Now, almost overnight, we’ve created a new attack surface: rapidly deployed AI applications. Many are internet-facing, often unauthenticated, and connected to data many businesses would consider sensitive or confidential. Even more concerning, these applications are being granted the ability to take actions on behalf of the organization.

The speed of AI adoption is driving huge efficiency gains, but unless organizations slow down and assess these risks, they’ll reopen exposures we’ve spent decades trying to close.” – Tom Gorup, Vice President of SOC Operations

The next insider is your AI

“Organizations are racing to deploy LLMs and agents, even the ones they approve internally. By feeding these tools massive volumes of corporate data, they’re creating a new class of insider threat. When that data leaks, who’s responsible? Is the AI an ‘employee,’ and who carries the liability when it goes rogue, is compromised, or misconfigured?” – Chris O’Brien, Vice President of Security Operations

Customers will turn to channel partners to resolve the AI vs. Security priority gap

“In 2026, customers will wrestle with the tension between AI investment vs. core security investment vs. broader IT investments. They’ll be asking: ‘How much time, money and resources should I spend on AI?’ ‘Where do AI and security overlap?’ ‘What are the initial use cases that I trust AI to do?’

While SMBs and enterprises will answer those questions very differently, both will rely on vendors and partners as their trusted advisor. With more tools flooding the market and budgets under pressure, partners who help customers make sense of the noise and rationalize their stack will prevail.

The channel’s role is no longer about sourcing tools; it’s about guiding customers through complex decisions around risk, budget, security and AI strategy trade-offs across the entire customer lifecycle.” – Chris Bell, Senior Vice President of Global Channel, Alliances and Corporate Development

Trusting MDR when the analysts are AI 

“In 2026, the Managed Detection and Response (MDR) market will reach an inflection point. The line between a managed detection service and an AI-driven tool will blur until customers can no longer tell which they’re buying. Vendors will market software as full MDR offerings, leaning on AI to compensate for limited human depth.

That shift will create real challenges: customers won’t know where human judgment ends, what’s automated, or who is actually monitoring their environment around the clock. Trust will become harder to calibrate when the ‘team’ behind your security is mostly code. As this ambiguity grows, buyers will struggle to evaluate competence, accountability, and reliability, forcing the industry to confront whether MDR is still a service, a tool, or something in between.” – Tom Gorup, Vice President of SOC Operations, Sophos

Source: Sophos

Sophos introduced Synchronized Security in 2015 with the ability for Sophos Firewall and Sophos Endpoint to share information and work together to automatically respond to threats. This pioneering approach, which transformed cybersecurity from a collection of point products to a security ecosystem, has been successfully reducing cyber risk and elevating security outcomes in the face of real-world threats for over a decade.

We’ve steadily expanded and evolved Synchronized Security since that initial launch, including interconnecting a broad range of products and services, extending response actions, and synchronizing our threat intelligence. Today, Sophos Workspace Protection becomes the latest addition to the Synchronized Security portfolio.

Security Heartbeat

Three key capabilities come together to enable Sophos solutions to work together:

• Security Heartbeat™ is a constantly beating device health status indicator that shows Red, Amber, or Green to reflect its real-time state.
• The Sophos Central platform, which enables Sophos solutions to share threat, health, and security information in real-time, including Security Heartbeat status.
• Sophos solutions are engineered to automatically take actions based on a device’s Security Heartbeat status.

By enabling Sophos solutions to work together, Synchronized Security and the Security Heartbeat capability reduce response time from minutes or hours to just seconds. They also extend the powerful risk reduction capabilities provided by individual Sophos solutions with an additional defense layer only available when security solutions work together.

And it’s free. Synchronized Security is included and enabled automatically at no extra charge for all Sophos customers.

Enabling a coordinated, automated response to threats

Step 1: Detect. If Sophos Endpoint detects a threat on a user’s device, it automatically changes the device’s Security Heartbeat status to Red and shares the new health status with the wider ecosystem.

Step 2: Isolate. Sophos Firewall and Sophos ZTNA immediately limit the Red status device’s access to network resources and applications, preventing data loss. Sophos Firewall can also block traffic from the compromised device to all healthy (Green status) endpoints on the network – including those on the same switch – eliminating the possibility of lateral movement even within the same LAN segment.

Step 3: Restore. Once the affected device is cleaned up, Sophos Endpoint automatically changes the Security Heartbeat status to Green, which instantly triggers Sophos Firewall and Sophos ZTNA to re-enable access.

What about middle-of-the-night attacks?

Synchronized Security is a powerful tool at any time of the day or night, but is particularly helpful outside standard working hours, when in-house resource availability is often reduced. With 88% of ransomware incidents starting during evenings, nights, and weekends, it’s also prime time for adversaries to launch an attack.

So, what happens if an attacker hacks into one of your servers late on a Friday? In a non-Sophos-protected environment, the adversary will have full access to the network over the entire weekend – giving them ample time to exfiltrate data, install backdoors, and deploy ransomware.

But in a Sophos-protected organization, any malicious activity detected on the server by Sophos Endpoint automatically triggers a Red Security Heartbeat health status, causing Sophos Firewall to effectively cut off the server from the rest of the network until it can be cleaned up – without anyone having to do anything.

Once the compromised server has been cleaned up, Sophos Endpoint will return its Security Heartbeat to Green, and full system access and connectivity will be restored automatically.

More than threat response

In addition to automatically responding to threats, Synchronized Security can share application information between Sophos Endpoint and Sophos Firewall. This enables Sophos Firewall to route, prioritize, or block application traffic it might not otherwise be able to identify.

For example, if you have a custom application that needs prioritization, most firewalls won’t recognize it and leave it at the mercy of all the other traffic on your network. With Sophos Firewall and Sophos Endpoint working together, traffic from your custom app can be easily identified and prioritized.

Sophos Endpoint can also share authenticated user information with Sophos Firewall to simplify user-based policy enforcement.

And it doesn’t stop there. For example, if a compromised device starts sending spam or phishing emails, it will trigger a Red health status, causing Sophos Email to automatically block messages before they reach users.

Another great example of Synchronized Security in action is Active Threat Response, which extends Synchronized Security to security operations teams. With Active Threat Response, an analyst working for Sophos as part of our MDR service, or your own analysts working with Sophos XDR, can trigger a Synchronized Security response using the new threat feed capability built into Sophos Firewall. Synchronized Security then acts on this information to identify any compromised host on the network and isolate it automatically until it can be cleaned up. Active Threat Response is also available for Sophos switches and AP6 access points.

The latest addition: Sophos Workspace Protection

Sophos Workspace Protection is an integrated bundle of security solutions that protects apps, data, workers, and guests easily and affordably – wherever they are. It includes Sophos ZTNA, which now supports Security Heartbeat, enabling you to automatically prevent compromised devices from connecting to important networked applications and data. This unique, automated threat response capability greatly limits the ability of a compromised device belonging to a remote worker from becoming an entry point for an attacker to the broader network.

Synchronized Security and Security Heartbeat are key reasons why Sophos ZTNA is a critically important security solution for remote access. Traditional VPN solutions have no way of knowing if a device has been breached and will allow any compromised device full access to the network. Sophos ZTNA, on the other hand, not only enforces multi-factor authentication to prevent breaches from compromised credentials, it also includes Synchronized Security to prevent devices from connecting when in a compromised state.

How to get Synchronized Security

Security Heartbeat is automatically included with Sophos Firewall, Sophos Endpoint, Sophos Email, Sophos Mobile, and now Sophos Workspace Protection. No extra products or solutions are required, no additional subscriptions to purchase.

Sophos Central takes care of all the data sharing. You simply need to set up the Security Heartbeat conditions in your policies to take advantage of it. It’s that easy. It’s one of the reasons many customers choose Sophos for their cybersecurity – you won’t find this anywhere else.

Source: Sophos

Source: Sophos

As we enter 2026, the threat of ransomware remains one of the most pressing security challenges facing enterprise organizations, making this a critical time to reassess exposure, preparedness, and resilience.

Sophos’ inaugural report draws on the real-world experiences of 1,733 enterprises that were hit by ransomware in 2025, providing a clear view of the current threat landscape.

The report explores how the causes and consequences of ransomware attacks have evolved, highlights the operational weaknesses that left enterprises exposed, and brings into focus the human impact of incidents, including the sustained pressure placed on IT and cybersecurity teams.

Download the report to explore the full findings.

Root cause of attacks: Exploited vulnerabilities and critical operational gaps drive ransomware incidents

Enterprises identified exploited vulnerabilities as the most common technical root cause of attacks, used in 29% of incidents. Phishing and compromised credentials followed behind, each cited in 21% of incidents.

Multiple operational factors contribute to enterprises falling victim to ransomware, with no single issue standing out as the dominant cause. An unknown security gap was cited by 40% of victims, closely followed by a lack of people/capacity and a lack of expertise, both contributing to 39% of attacks.

Interestingly, SMBs (sub 250 employee organizations) also identified a lack of people/capacity as a common factor, with 42% citing it as a key reason for falling victim to an attack, highlighting that resource constraints remain a widespread challenge regardless of organization size.

Operational root cause of attacks in enterprises

Data encryption: Rates drop to all-time low while blocked encryption attempts soar

Data encryption in enterprise organizations is at its lowest reported rate in the five years of our survey, with under half (49%) of attacks resulting in data being encrypted down significantly from the 66% reported in 2024. In line with this trend, the percentage of attacks stopped before encryption has more than doubled over the past two years, climbing from 22% in 2023 to 47% in 2025. This suggests that enterprise organizations are becoming far more effective at detecting and stopping attacks before they cause serious damage.

Data encryption in enterprise | 2021 – 2025

Data recovery: Ransom payment rates remain consistent while backup use plummets to a four-year low

In 2025, close to half (48%) of enterprise organizations paid the ransom to recover data, broadly in line with levels seen over the past four years, indicating little overall change in payment behavior. Meanwhile, the use of backups dropped to a four-year low of 53%, down from 73% the previous year. Collectively, these findings point to stronger resistance to demands alongside underlying weaknesses and reduced confidence in backup recovery capabilities.

Recovery of encrypted data enterprise organizations | 2021 – 2025

Ransom economics: Demands, payments, and attack recovery costs fall

In 2025, ransomware economics across enterprise organizations shifted markedly. Median ransom demands fell by 56% year-over-year, dropping to $1.20 million in 2025 from $2.75 million in 2024. Median ransom payments followed a similar downward trend, declining to $1 million compared with $1.26 million the previous year. Recovery costs also eased significantly, with the mean cost of remediation, excluding any ransom paid, falling to a three-year low of $1.84 million, down from $3.12 million in 2024, indicating a broader reduction in the financial impact of attacks.

Human impact: Attacks intensify pressure from senior leaders on IT teams

The survey makes clear that having data encrypted in a ransomware attack has significant repercussions for IT/cybersecurity teams, with increased pressure from senior leaders cited by 40% of enterprise respondents. Other repercussions include (but are not limited to):

• Ongoing increase in workload— cited by 39%.
• Change of team priorities/focus — cited by 37%.
• Feelings of guilt that the attack wasn’t stopped — cited by 35%.

Download the full report for more insights into the human and financial impacts of ransomware on enterprise organizations.

Source: Sophos

Ransomware continues to cripple organizations worldwide, draining budgets and halting operations. For IT teams already stretched thin, a single attack can mean days of downtime and irreversible data loss. While endpoint protection often gets the spotlight, your firewall is one of the most powerful tools for stopping ransomware before it starts — and locking it down if attackers breach the perimeter.

Here’s how to configure your firewall to close the gaps ransomware exploits and strengthen your organization’s resilience.

1. Reduce your attack surface

Every exposed service or open port is an opportunity for attackers. Start by minimizing what’s visible to the outside world:

• Consolidate infrastructure. Reduce standalone gateways or VPN concentrators and upgrade to a firewall that integrates secure remote access and Zero Trust Network Access (ZTNA).
• Patch frequently. Unpatched vulnerabilities remain the leading cause of ransomware attacks. Schedule firmware updates monthly and choose vendors like Sophos that deliver automated, over-the-air hotfixes.
• Enforce strong authentication. Enable multi-factor authentication (MFA) for all administrative access and apply role-based controls to limit exposure.

2. Inspect and protect encrypted traffic

Attackers often hide malicious payloads inside encrypted traffic. With more than 90% of network traffic encrypted today, legacy firewalls leave a dangerous blind spot. To close it:

• Enable TLS inspection to decrypt and inspect traffic without slowing performance. Sophos Firewall’s Xstream DPI engine intelligently inspects only relevant streams.
• Use AI-driven threat detection and sandboxing to stop zero-day ransomware before it executes.
• Apply Intrusion Prevention System (IPS) policies to all network flows — not just inbound traffic — to catch attackers moving laterally.

Once you’ve eliminated blind spots in encrypted traffic, the next step is controlling access. That’s where zero trust principles come in.

3. Apply zero trust principles

Firewalls have evolved beyond simple traffic control — they’re now the backbone of a zero-trust architecture, ensuring every user and device is verified before access is granted:

• Replace remote-access VPNs with ZTNA to verify user identity and device health before granting access.
• Micro-segment applications and use VLANs to isolate users, servers, and IoT devices.
• Integrate with endpoint protection through Security Heartbeat, so compromised devices can be automatically quarantined.

4. Detect and respond automatically

Even the best defenses can be bypassed, so early detection and rapid response are critical:

• Implement Network Detection and Response (NDR) to analyze encrypted metadata and detect anomalies. Sophos Firewall’s integrated NDR Essentials identifies threats hiding in encrypted traffic.
• Use Active Threat Response to automatically isolate compromised hosts across endpoints, switches, and wireless networks.
• For 24/7 protection, integrate with Managed Detection and Response (MDR) so expert analysts can detect and contain ransomware before encryption starts.

5. Harden and monitor continuously

Ransomware thrives on gaps in configuration and visibility. Keep your firewall secure by design:

• Disable unnecessary services and management access from the WAN.
• Use geolocation and reputation-based blocking to deny traffic from high-risk regions.
• Send firewall logs and alerts to Sophos Central or your SIEM to maintain full visibility and automate response actions.

Modern firewalls like Sophos Firewall turn static network security into adaptive defense. By implementing these five practices, IT teams can reduce complexity, close critical gaps, and future-proof their organization against ransomware.

Source: Sophos

In today’s threat landscape, stolen credentials are one of the most common causes of data breaches. A recent report found that 61% of all breaches involve the misuse of credentials. Attackers use tactics like phishing and “push-bombing” (rapid-fire MFA push notifications) to trick users into giving away access. Just one compromised password or an accidentally approved login can let an attacker impersonate a legitimate user and infiltrate an organization’s network.

When I was a CISO with a large firm, I witnessed firsthand how a single stolen password could wreak havoc. In that incident, an attacker phished an employee’s credentials and quietly accessed sensitive systems for weeks before detection. The breach caused significant downtime and compliance headaches. After helping contain the damage, I worked with the company’s IT team to harden their identity controls—rolling out MFA to all users, tightening admin account policies, and implementing continuous monitoring. This experience underscored that strong credential security habits aren’t just best practices on paper, but real safeguards against incidents we hope to never face again.

To defend against credential abuse, organizations should cultivate “healthy habits” in identity security. In this blog, I’ll outline five essential security habits to help prevent credential breaches – and discuss how to evaluate capabilities that support each habit.

1.Implement Muti-factor authentication everywhere

One of the most effective defenses against credential attacks is multi-factor authentication (MFA). Stolen passwords alone are often not enough to breach an account if a second factor (like an authenticator app prompt or token) is required. In fact, Microsoft observed that 99.9% of compromised accounts did not have MFA enabled. The absence of MFA has been a common factor in many high-profile breaches – compromised credentials combined with lack of MFA were a shared denominator in multiple major breaches in 2024/25.

Enabling MFA for all users (especially administrators) can shut down the vast majority of opportunistic attacks that rely on stolen or guessed passwords.

Despite these benefits, many accounts still lack MFA protection. Why? Often there’s a misconception that MFA adds too much friction or that it “isn’t worth it.” Some IT teams face user pushback or lack executive support, and thus aren’t incentivized to enforce universal MFA. In other cases, organizations simply haven’t extended MFA to certain systems or legacy applications, leaving gaps by accident. The reality is that while basic MFA isn’t infallible, it stops the vast majority of automated attacks cold – making it a fundamental habit for credential security.

That said, not all MFA is equal. Attackers increasingly exploit MFA fatigue by bombarding users with repeated push notifications (so-called push-bombing). Given that people receive 60–80 mobile push notifications each day on average, it’s easy for a fatigued user to accidentally tap “Approve” on a fraudulent login prompt. To counter this, organizations should implement phishing-resistant MFA (such as FIDO2 security keys or number-matching push prompts) and educate users to never approve unexpected access requests.

It’s also essential to find solutions that help your team extend MFA protection to every resource and protocol in an environment, including systems that don’t natively support MFA. This means you should enforce MFA not just on web and cloud applications, but even on legacy on-premises systems (databases, file servers, command-line tools, etc.) that traditionally were unable to leverage MFA. By making MFA ubiquitous and difficult to bypass, you dramatically reduce the risk of a single stolen password leading to a breach.

2.Adopt a Zero Trust approach to identity

Implementing a “Zero Trust” mindset for identity is a healthy habit that goes hand-in-hand with MFA. In a Zero Trust model, no login or user session is implicitly trusted – even if the user is on the internal network or already authenticated. Every access attempt is continuously verified based on context (user role, device security, location, time, etc.) before granting access. This is vital because modern enterprises have dissolved perimeters; identity is now the new attack surface in cybersecurity. With users logging in from everywhere and attackers adept at blending in with normal user activity, it’s crucial to “never trust, always verify” each credential use.

Practicing this habit means leveraging conditional access policies and continuous monitoring for all accounts. For example, if a user suddenly logs in from an unusual location or an unmanaged device, additional verification or restrictions should kick in. Many breaches could be prevented by such context-aware controls – one investigation found that hundreds of stolen credentials remained useful to attackers simply because the target systems did not have location-based access policies to block logins from untrusted networks.

Modern identity security platforms continuously monitor every authentication and apply risk-based policies. If a login attempt deviates from normal behavior or occurs under high-risk conditions, the proper approach would be to require step-up authentication (like MFA) or even block the attempt. By treating every access as untrusted until proven otherwise, organizations can contain and thwart attackers who manage to acquire valid credentials.

3. Secure privileged and high-risk accounts with extra care

All user accounts are important to protect, but privileged accounts (administrators, service accounts, executives, etc.) deserve prioritized attention as a healthy security habit. These accounts often have broad access and, if compromised, can inflict serious damage. Unfortunately, I see many incidents where admins or other powerful accounts were left under-protected. In a recent example, a government organization was breached via a former administrator’s account – the account had retained high privileges and did not have MFA enabled. Similarly, the fallout from a 2024 cloud breach (targeting Snowflake customers) revealed that some demo and service accounts lacked SSO or MFA protection, providing an easy target for attackers. The lesson is clear: any account with elevated access should be strongly secured with multiple layers of defense.

As a habit, organizations should enforce strict Privileged Access Security (PAS) practices. This includes using dedicated admin accounts (separate from everyday user accounts), requiring MFA on every privileged login, limiting where and when these accounts can be used, and continuously auditing their activity.

In practice, this looks like ensuring admin-level accounts are always challenged with MFA and policy checks, even when they’re accessing systems like databases or remote servers that don’t normally enforce MFA. You can also implement adaptive policies (for instance, only allow domain admin login from a hardened jump-host, or only during certain hours).

For non-human privileged accounts (like service accounts that can’t do MFA), there is the concept of “virtual fencing” – essentially bounding their usage to expected systems and behaviors. By locking down privileged and sensitive accounts in these ways, you greatly reduce the odds that an attacker with a stolen admin credential can roam freely in your environment.

4. Maintain rigorous credential hygiene

Credential hygiene refers to the regular upkeep of accounts and passwords to eliminate the “low-hanging fruit” that attackers often exploit. A sobering case study from 2024 showed why this habit is so important: investigators found that 79.7% of the accounts used by attackers had been compromised years earlier and never had their passwords changed. In fact, hundreds of credentials stolen as far back as 2020 were still valid in 2024 because they were never rotated or disabled. Neglected credentials – old passwords, shared logins, dormant accounts – are a ticking time bomb. Implementing strong hygiene means regularly rotating passwords, retiring or updating any credential that is known to be exposed, and disabling accounts that are no longer needed.

Another critical aspect of credential hygiene is prompt offboarding of ex-employees. Stale user accounts that linger after someone leaves the company present an easy backdoor. Surveys have found that roughly half of businesses admit ex-employees’ accounts remain active after departure, sometimes for weeks or months. It’s no surprise that a significant number of organizations have suffered breaches due to former employee accounts that weren’t deprovisioned. Make it a habit to immediately deactivate or remove access when staff leave, and routinely audit for any “ghost” accounts in your directory.

A strong method to audit hygiene is to ensure continuous visibility into all accounts (human and non-human) and their usage. Being able to automatically discover accounts in your environment – including service accounts and unused logins – and flag those that have been inactive for a long period as “stale users” helps make sure you have an ongoing inventory of the identities that exist. Security teams can then swiftly review and either remove these accounts or apply policies to block any access attempts using them.

This kind of identity inventory and cleanup is vital: it closes the door on one of the easiest paths attackers use to infiltrate networks. In short, keeping credentials fresh, tightly managed, and cleaned up will drastically limit what an attacker can leverage, even if they do obtain some login secrets.

5. Continuously monitor and respond to identity threats

Even with preventive measures like MFA and good hygiene, organizations should operate under the assumption that credential compromises can still happen. Thus, a “healthy” security posture includes robust detection and response focused on identity.

Traditional security tools like XDRs may struggle to catch an attacker using legitimate credentials – these actions often blend in with normal user behavior and fly under the radar. It’s crucial to habitually monitor authentication logs and user activities across all systems for signs of suspicious behavior, and to retain those logs for long enough to investigate incidents. In fact, maintaining a centralized log collection with a proper retention policy is considered a basic security must-have to discover and analyze credential attacks. Many breaches that went undetected for months (or years) could have been identified much earlier if organizations had been aggregating login audit trails and alerting on anomalies.

To make this habit feasible, leverage tools that provide unified visibility and smart analytics on identity events. Silverfort’s platform, for example, acts as a centralized brain for monitoring all authentication traffic in real time. It uses machine learning and behavioral analytics (UEBA) to detect when a user’s access patterns deviate from the norm, which can indicate a compromised account. If an employee’s account suddenly attempts logins in strange locations or tries to access unusual resources, Silverfort will flag or automatically block that activity, preventing the attacker from escalating further. Moreover, Silverfort’s console gives security teams a live identity inventory and activity feed, so they can quickly spot and investigate any suspicious account usage.

Cultivating this level of awareness – and rehearsing incident response plans for credential breach scenarios – ensures that even if one defensive layer fails, you can promptly detect and contain the threat before it mushrooms into a full-blown breach.

Taking action on the 5 essential habits

Credential breaches continue to be a top cyber threat, but adopting these five security habits can significantly strengthen your organization’s defenses.

By requiring MFA universally, treating every access attempt with Zero Trust, locking down high-impact accounts, keeping your identity store clean, and monitoring continuously, you create multiple layers of protection that attackers must overcome.

None of these habits are “set and forget” – they require ongoing diligence and the right tools to support them.

This is where unified, identity-first security platforms can be a game-changer.

They’re purpose-built to help you embed these healthy security practices into your environment: enforcing MFA and conditional access everywhere, safeguarding privileged and legacy accounts, illuminating blind spots like stale users, and continuously watching for threats.

With strong habits and identity-first security capabilities working in tandem, enterprises can dramatically reduce the risk of credential-based breaches and ensure that a stolen password never easily translates into a successful attack.

To learn more about how to put incorporate these healthy habits into your cybersecurity strategy, download our guide “The Identity Security Playbook.”

Source: Silverfort