Digital identity risk is accelerating across every sector, and is now a leading driver of material cyber incidents. By exploiting weak authentication journeys, misconfigured identity systems and predictable human behaviour, threat actors are bypassing traditional defences altogether.
Recent cyber incidents affecting well-known organisations show that identity compromise is no longer just a technical issue. It is now a strategic operational risk with direct impact on customers, brand reputation and regulatory compliance.
Identity is now the primary entry point for cyber attacks
The majority of material cyber incidents begin with compromised credentials, poor access management or weaknesses in multi-factor authentication (MFA). They succeed because identity controls are often fragmented and inconsistently applied. Underfunding is another common issue when authentication is treated purely as an IT decision and organisations overlook the wider governance and resilience implications.
At the same time, MFA fatigue, social engineering and session token theft are rising rapidly. Attackers don’t need to break the technology if they can exploit the people and processes around it. This is why, regardless of investment in tools, human behaviour remains one of the most consistent attack vectors.
Why is security culture critical to reducing identity risk?
Technology alone cannot compensate for weak culture. Even organisations with strong identity governance experience incidents where workforce awareness is low. A mature security culture enables employees to:
- Recognise suspicious prompts.
- Understand the risks of MFA fatigue.
- Challenge unexpected access requests.
- Report concerns quickly.
Building this maturity goes beyond annual training. It requires continuous reinforcement, clear accountability, visible leadership support and processes that reduce cognitive load for employees. If people understand why identity controls matter and feel confident spotting manipulation attempts, an organisation is significantly harder to breach.
Why is identity risk a strategic leadership issue?
For boards and senior executives, identity risk now sits alongside financial crime, business continuity and supply chain disruption. It has the potential to directly affect an organisation’s ability to operate, recover and maintain trust. Securing identity should be considered a core component of operational resilience – one that needs clear ownership and sustained leadership sponsorship.
This means making investment decisions that reflect the fact that identity modernisation, privileged access management and strong MFA journeys are no longer optional. Instead of a collection of disconnected technical activities, identity should be treated as an enterprise-level risk with measurable outcomes.
At RSM, we consistently see that organisations that treat identity security and security culture as interconnected disciplines experience fewer incidents, recover faster and demonstrate stronger resilience.
Those that separate the two, or delegate identity solely to technical teams, often struggle with fragmented programmes and slow adoption. Identity security and security culture need to evolve together, which requires investment and sustained attention from leadership. This is critical to protecting the organisation in an increasingly hostile threat landscape.
If you’d like to discuss how your organisation can strengthen identity governance, embed security culture, modernise access controls or assess exposure across the identity lifecycle, the RSM Technology and Cyber Risk Assurance team can help. For more information, please contact Richard Curtis or your usual RSM contact.