Over 600 million identity attacks occur daily, with more than 99% targeting passwords through breach replay, password spray, and phishing tactics, according to the 2024 Microsoft Digital Defense Report. Yet despite this staggering reality, most organizations remain focused on traditional perimeter defenses while attackers simply log in with stolen credentials.
“The most common misconception is that there is one product or one solution to buy and you are protected,” says Brian Kingsley, Director of Managed Services at Net at Work. “Many leaders think of security as a point in time protection—I bought this and thus I’m good. But this is an ongoing, living and breathing concept that requires constant attention and evaluation, much like a business needs to continually update its forecast and budget.”
Breaches do not start with hackers smashing through firewalls anymore; they start with logins that look completely legitimate. This is what makes identity attacks so dangerous, so common, and so difficult to detect.
In this article, you will learn:
- Why identity attacks have become the primary threat vector for modern breaches
- How small and mid-sized businesses have become prime targets for cybercriminals
- Why traditional MSP security models are no longer sufficient
- What Zero Trust really means for SMBs (without enterprise complexity)
- Practical steps you can take now to improve your organization’s security posture
What Is an Identity Attack?
Identity attacks do not break in; they blend in. Unlike traditional cyberattacks that exploit network vulnerabilities, identity-based attacks use legitimate credentials to gain access.
For small and mid-sized businesses (SMBs), identity attacks often look like everyday activities: phishing emails that appear legitimate, multi-factor authentication (MFA) prompts that employees approve by mistake, former employees who still have access, and admin accounts used for convenience.
One identity-related issue that repeatedly surprises SMB leadership is also one of the oldest scenarios. “A user gets compromised through social engineering or a phishing email,” Kingsley explains. “Effectively, the user has a strong password and may even have multi-factor authentication; however, they accidentally give their credentials away. Multi-factor authentication is an important part, but there are ways to get around it that are becoming more common.” This means users are unknowingly giving their credentials away rather than being hacked in the traditional sense.
In fact, many identity-related attacks are not even attacks in the technical sense. The threat actor simply logs in with the credentials they were given or found. This is one of the hardest methods to detect with traditional security solutions because there is no error message and no attack signature, just a login.
Why do attackers prefer identities? There is no firewall to break through, and once inside, they look like legitimate users. The Identity Theft Resource Center 2024 report revealed that stolen credentials were the leading attack vector among 133 cyberattacks against publicly traded companies. Better cyber practices, including MFA and passkeys, could have prevented at least 196 compromises and more than 860 million victim notices.
Why SMBs Are a Prime Target (Not an Afterthought)
“We are too small to be a target” is one of the most dangerous assumptions in cybersecurity. Small and medium-sized businesses are attractive precisely because they are small. According to recent research, 43% of cyber incidents are directed at SMBs, which often have fewer security layers, smaller IT teams, more trust with less verification, and the same tools as enterprises but with fewer controls.
Common SMB realities that create vulnerabilities include:
- Tool sprawl without integration
- Shared admin accounts used for convenience
- Over-permissioned users with excessive access
- Cloud apps added without security review
- Cyber insurance pressure without clarity
Most SMBs did not design insecure systems. Instead, they grew into them as technology needs evolved faster than security practices could adapt.
Why Traditional MSP Security Models Fall Short
Managed Service Providers (MSPs) have traditionally focused on uptime, ticket response times, and patch management. These are important, but they address infrastructure availability, not modern security threats. Net at Work explains the fundamental shift: “We focus on how modern attacks actually happen – through identities, access, cloud misconfigurations, and human behavior.”
Gartner's 2024 cybersecurity trends emphasize that as organizations move to an identity-first approach to security, the focus shifts from network security and traditional controls to Identity and Access Management (IAM), making IAM critical to cybersecurity and business outcomes.
“Protection no longer has a defined edge as in the past traditional perimeter security solutions,” Kingsley explains. “In the past it was like defending a castle: get good walls in place and gate keep what comes in and out for the best defense. Today, there are software and online tools, remote employees, ‘bring your own device’ computers and phones, and multiple vendors that need access into systems. These situations are quite common and make the environment fully distributed.”
Combined with software and devices synchronizing to other systems, your weakest link across your entire estate becomes a potential door into your environment. Having a handle on who has access to what and ensuring you protect that access is one of the best defensive methods today.
Consider a user who reuses the same password across multiple systems. The internal environment may be fully protected, but if that user's account on a personal website is compromised, the exposed credentials are the same ones the user uses to access sensitive company information. A threat actor who obtains those credentials from the personal account, for example through a social media breach, could simply log into the company environment without triggering traditional alarms.
You can have healthy infrastructure and still be wide open to identity abuse. Security must be built into how access is granted, monitored, and removed.
What Zero Trust Actually Means for SMBs
Zero Trust is a security strategy built on a simple principle: trust nothing by default. Every user, device, and request must be verified before gaining access to resources, regardless of whether they are inside or outside your network.
Kingsley offers a practical way to understand the difference: “The traditional method is trust everything behind the perimeter—once it gets in it is okay. Think of this like a traditional office building: you get past the turnstiles and the front desk, and you can choose any floor on the elevator and technically access any office once you are inside. Or you get a physical universal key that opens any door in the office.”
“Zero Trust environments assume everything and everyone is unprotected and a potential risk, requiring more rigorous checks along the entire path,” Kingsley continues. “Think of this like some of the more modern or secure offices that make you check in at the desk and give you a keycard that only allows you to go to the floor it’s programmed for. Even though you are in the building, you have no access to the other offices or floors. Some of these even have individual locks on doors that only allow you to open certain doors, not all.”
The core principles of Zero Trust include:
- Verify explicitly based on all available data points
- Use least-privilege access with just-in-time and just-enough-access policies
- Assume breach by minimizing blast radius and using analytics to detect threats
For SMBs, this translates into practical implementations without enterprise complexity:
- Identity-first security, making identity the primary control point
- MFA plus conditional access based on risk signals
- Least-privilege access, giving users only what they need
- Continuous monitoring for abnormal behavior patterns
Zero Trust means no user, device, or request is trusted automatically, even if it is already inside your environment. It is a fundamental shift from asking “Are you on our network?” to asking “Can you prove who you are, that your device is secure, and that you need access to this specific resource right now?”
Why Zero Trust Is the Direction the Industry Is Taking
Gartner predicts the Zero Trust Network Access (ZTNA) market will soar from $575.7 million in 2021 to $3.99 billion in 2027, representing a compound annual growth rate of 31.6%. Similarly, Identity and Access Management (IAM) is predicted to grow from $4 billion in 2021 to $11.1 billion in 2027.
This rapid growth reflects fundamental shifts: NIST and CISA have published Zero Trust frameworks, major technology vendors are building Zero Trust capabilities directly into their platforms, cyber insurers increasingly require MFA and privileged access management for coverage, and emerging data protection laws align with Zero Trust principles.
What This Looks Like in Practice for SMBs
Zero Trust does not require a complete technology overhaul. For most SMBs, it starts with strategic use of tools you likely already have, combined with better processes and visibility.
- Securing Microsoft 365 Identities. Many SMBs already use Microsoft 365, which includes powerful identity security features that often go unused. Implementation includes enabling MFA for all users, configuring conditional access policies based on risk signals, implementing privileged access management for administrative accounts, and monitoring sign-in logs for suspicious activity.
- Shared Admin Accounts. Shared accounts represent one of the biggest identity risks. Zero Trust requires individual accountability through unique credentials for every administrator, time-limited elevation of privileges only when needed, and comprehensive audit trails.
- Continuous Monitoring and Incident Response. Continuous monitoring is essential for detecting compromise. This includes establishing baselines for normal behavior, setting alerts for anomalies, and regularly reviewing access logs. Zero Trust assumes breach will happen, so being prepared means having documented procedures for common scenarios.
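The baseline-and-alert approach described above can be sketched over sign-in records. This is an added example, not part of the original article or any Net at Work tooling; the records are constructed, and the field layout, thresholds and alert names are assumptions rather than a vendor log schema. It builds a per-user baseline of sign-in countries, then flags a password spray from one source, a successful login from that same source, and a login from a country outside the user's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: (time, user, source IP, country, result).
# Illustrative layout only; IPs come from documentation ranges.
SIGNINS = [
    ("2024-05-01T08:00:00", "alice", "198.51.100.7", "US", "success"),
    ("2024-05-01T08:05:00", "bob",   "198.51.100.8", "US", "success"),
    ("2024-05-02T09:00:00", "carol", "198.51.100.9", "US", "success"),
    ("2024-05-03T02:00:00", "alice", "203.0.113.50", "RO", "failure"),
    ("2024-05-03T02:00:20", "bob",   "203.0.113.50", "RO", "failure"),
    ("2024-05-03T02:00:40", "carol", "203.0.113.50", "RO", "failure"),
    ("2024-05-03T02:01:00", "dave",  "203.0.113.50", "RO", "success"),
    ("2024-05-03T09:00:00", "alice", "198.51.100.7", "US", "success"),
]

def parse(rows):
    return [(datetime.fromisoformat(t), u, ip, c, r) for t, u, ip, c, r in rows]

def build_baseline(events, cutoff):
    """Countries each user signed in from successfully before the cutoff."""
    baseline = defaultdict(set)
    for ts, user, _ip, country, result in events:
        if ts < cutoff and result == "success":
            baseline[user].add(country)
    return baseline

def detect(events, baseline, cutoff, spray_users=3, window=timedelta(minutes=10)):
    """Return sorted (alert_type, user_or_ip) pairs for events at or after the cutoff."""
    alerts, failures = set(), defaultdict(list)  # failures: ip -> [(time, user)]
    for ts, user, ip, country, result in sorted(events):
        if ts < cutoff:
            continue
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        sprayed = len({u for _t, u in recent}) >= spray_users
        if result == "failure":
            recent.append((ts, user))
            failures[ip] = recent
            # One source failing against many distinct accounts: spray pattern.
            if len({u for _t, u in recent}) >= spray_users:
                alerts.add(("password_spray", ip))
        else:
            if sprayed:  # a login that worked from a source that was just spraying
                alerts.add(("success_after_spray", user))
            if country not in baseline.get(user, set()):  # also fires for users with no history
                alerts.add(("new_country", user))
    return sorted(alerts)

CUTOFF = datetime(2024, 5, 3)
EVENTS = parse(SIGNINS)
ALERTS = detect(EVENTS, build_baseline(EVENTS, CUTOFF), CUTOFF)
```

The `success_after_spray` alert is the one that matters most here: the login itself produces no error, so only its correlation with the preceding failures from the same source makes it stand out.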
Security Is About People, Not Just Technology
Identity attacks will continue to rise because they work. But here is the empowering reality: SMBs do not need enterprise-scale tools or massive security budgets to protect themselves. They need clarity, strategy, and managed execution.
The shift to Zero Trust represents a fundamental change in how we think about security. Instead of building higher walls around a defined perimeter, we verify every interaction. Instead of trusting by default, we validate continuously. Instead of reacting to incidents, we assume compromise and minimize its impact.
Net at Work represents this new approach to managed IT services. By focusing on how modern attacks actually happen—through identities, access, cloud misconfigurations, and human behavior—they deliver cybersecurity services built on an identity-first, Zero Trust strategy aligned with NIST, CISA, and Microsoft frameworks. This ensures security is proactive, measurable, and continuously validated.
The question is not whether your organization will face identity-based attacks. The question is whether you will be ready when they come. With the right strategy, partnerships, and commitment, SMBs can build security postures that rival much larger organizations through smart implementation of Zero Trust principles that put identity at the center of everything.
Key Takeaways: Action Items for IT Managers and Executives
Based on the research and best practices outlined in this article, here are the most critical steps you can take now to improve your organization’s cybersecurity posture:
- Conduct an Identity Security Assessment. Audit who has access to what in your organization. Identify shared accounts, overly permissioned users, and former employees who still have active credentials. Many breaches exploit access that should have been revoked months or years earlier.
- Implement MFA Everywhere with Conditional Access. Enable multi-factor authentication for all users, especially for administrative accounts and any systems containing sensitive data. If you are already using Microsoft 365, configure conditional access policies that consider risk signals like location, device compliance, and sign-in behavior.
- Eliminate Shared Administrative Accounts. Create unique credentials for every administrator. Implement privileged access management that provides time-limited, audited elevation of permissions only when needed. This creates accountability and reduces your blast radius if credentials are compromised.
- Deploy Security Awareness Training. Since 88% of breaches involve human error, regular training on phishing recognition, password security, and suspicious behavior is essential. Use simulated phishing campaigns to test and reinforce learning.
- Start Your Zero Trust Journey with an Assessment. You do not need to implement everything at once. Begin with a Zero Trust readiness assessment to understand your current state and prioritize improvements. Evaluate your MSP relationship to ensure they focus on identity security, Zero Trust implementation, and continuous monitoring – not just traditional uptime metrics.
Remember: Security is a journey, not a destination. The organizations that succeed are those that make continuous improvements in their security an integral part of their culture.