Future Ready with Bechtle
Technology is evolving fast, and so are the ways we work. Future Ready with Bechtle brings together thought leaders, innovators, and Bechtle experts to explore the ideas, trends, and strategies shaping tomorrow’s workplace.
From cybersecurity and sustainability to modern office design and smart infrastructure, each episode reveals how businesses can stay agile, connected, and ready for what’s next.
🎧 Subscribe and get future ready with Bechtle UK.
Identity Is Becoming the New Front Line of Cybersecurity | Future Ready with Bechtle
In this episode of Future Ready with Bechtle, Owen Lashley, Cybersecurity Solutions Expert at Bechtle UK, returns to join host Stephen Harley to discuss why identity has become the new frontline of cybersecurity.
85–90% of modern cyber breaches can be traced back to compromised identities.
This means that the cybersecurity landscape has shifted from protecting network perimeters to securing identities across cloud platforms. Technologies like multi-factor authentication (MFA) are only the starting point, and organisations must take a broader view of identity governance, access control and lifecycle management.
The conversation goes further into exploring how threat actors are becoming more sophisticated, using AI-driven phishing, voice impersonation and social engineering to target employees and leadership teams alike.
In this episode, we cover:
Why identity has become the new security perimeter
Why MFA alone is not enough to protect organisations
How attackers exploit SaaS platforms and identity systems
The rise of AI-powered phishing and voice impersonation attacks
Why organisational culture and leadership behaviour can influence cybersecurity risk
How insider threats and identity misuse can impact businesses
Watch the full episode to learn how identity security is shaping the future of cybersecurity.
👉 Want to assess your organisation’s identity and cybersecurity posture?
Get in touch with the Bechtle UK cybersecurity team:
https://www.bechtle.com/pl-en/about-bechtle/company/locations/bechtle-direct-uk
👉 Explore Bechtle UK’s cybersecurity and identity services
https://www.bechtle.com/gb/bechtle-library/bechtle-pillars/services
The Bechtle Future Ready Podcast explores how technology is transforming the way we work. Hosted by Bechtle UK, each episode features thought leaders and innovators discussing digital transformation, cybersecurity, sustainability, and the modern workplace.
Hi, I'm Steve Harley from Bechtle. Welcome to the Future Ready Podcast. Today I'll be speaking with Owen Lashley. He's one of our UK cybersecurity solution experts. We're going to be talking about identity and the role that it plays in keeping our organisations safe from cyberattack. We'll also discuss the importance of organisational culture and the impact that has on our cybersecurity posture. And finally, we'll touch on what questions we should be asking in the boardroom in 2026 around our cybersecurity stats. I hope you enjoy the episode and remember to like or subscribe wherever you get your podcasts. Welcome to the Future Ready Podcast with Bechtle. I'm Steve Harley. I'm here today with Owen Lashley, uh security solutions expert and rising star within Bechtle UK. We're going to talk a little bit today about identity and cybersecurity and the impacts that's having.
SPEAKER_00: How that is exploited is slightly different, but all of them can be traced back to identity in some form.
SPEAKER_01: Okay. So that that's something that I've kind of seen over a number of years is that the idea of the traditional network perimeter being that kind of the security point, that that seems to have uh fallen away. Is that effectively dead now, do you think?
SPEAKER_00: I think having the the perimeter of networking is is still fundamentally important. Um it's still a priority in terms of security. Um it's just the identity is the new perimeter that's that everything is being measured from. It's just, you know, if you take a firewall, for example, the the first point of call, traditionally, um, it is the user account on the firewall that's now being exploited rather than the rule sets that are being applied. Um that's what we're seeing. Uh it's it's identity, uh, sorry, identities on the firewalls, the switches, uh, access points, all of those are being exploited in some form.
SPEAKER_01: And does SaaS make that worse rather than better, do you think?
SPEAKER_00: That's a great question. Um I like asking great ones. Yeah, that is a very good question. I think in some ways, I think it makes it sometimes worse. Um, if we're looking at a cloud management platform of networking equipment, um, there's quite a few vulnerabilities uh that have been exploited in the past few years, uh, this year especially, um, won't name any vendors, but um, that get exploited and allow that access. And all of that access from a SaaS perspective is exploited from an identity.
SPEAKER_01: And when we talk about that identity control, Owen, what are organizations getting wrong most often with it?
SPEAKER_00: Yeah, great question. I think when it comes to identity fundamentals, I think a lot of organizations look to what they can do rather than what they should do. I think sometimes uh I kind of like to think of it as uh kind of like stormtroopers in Star Wars. Um, their kind of accuracy accuracy is a bit everywhere, however they kind of look intimidating. So I think a lot of organizations can kit out with some of the best technologies but not understand how to utilize them. And they don't understand in some ways how to aim in a proactive and reactive way. So when it comes to identity, I think the the first fundamental that organizations need to understand is actually what type of organization are they? What field are they in, and what type of activity are their identities and users uh doing? What activity is quite common, and then working backwards to build security uh procedures and policies around that.
SPEAKER_01: It's really interesting because as an industry, um, we've been putting out for for many years now uh that you know MFA is where it starts and start and stops. And and I think that message is is is slowly been received by boards um uh and the guys in the C-suite understand that that as inconvenient as it might be, MFA is is absolutely required in this day and age. Um but but I don't think it's yet appreciated the the depth of how how you go about getting identity wider than MFA and getting that right. Yeah. And and you know that that complexity and understanding that's still being built, so so we can kind of I suppose victims of our own success is that people think MFA tick box done. But that that's not necessarily the whole story, is it?
SPEAKER_00: No, yeah, you're absolutely right. I think um the big thing when it comes to identity management and authentication context is actually most of the time end user education. You have to educate end users on what this technology is and kind of yeah, bring them into the education of utilising that technology. Um, I think sometimes it it has well always it always has to come from board level down. The board has to say, this is what we're implementing, uh, this is what the industry is saying, this is what the the experts are saying. We need to introduce these technologies to make us more secure. Um, and I think there's a responsibility on uh the end users, I think, in some way to uh to appreciate that technology, to utilize it. Um, but then also heavily sorry, the responsibility heavily being on uh IT teams and CISOs uh to implement that effectively. Because I think the last thing an end user wants, and I certainly know this from experience, is I get given a multi-factor authentication app, and I've got to do six different prompts in order to sign in to Payne. I don't want to do it, I need it to be easy, I need it to work, but I need it to be secure.
SPEAKER_01: Yeah. Otherwise, the risk, of course, is that people will work will work around it or find other systems that aren't in your control to do their work, and that shadow IT becomes a real thing. Exactly. I mean the big thing that strikes me when when I, you know, I often read IT security audits uh uh of prospective clients and existing clients, uh looking at how their systems are configured and uh and even looking at how breaches occurred. One of the things that kind of strikes me is that the importance of managing that identity through the whole life cycle, that that that joiners, movers, leavers piece. I know we've seen it when we've spoken to people uh before. You know, how how how big is that door that you're leaving open if you're not addressing that joiners, movers, leavers thing?
SPEAKER_00: So yeah, with onboarding, it's it's incredibly important to secure that journey. Someone joins the business, they have a means of identifying themselves, typically through something like a passport, ID card. Um, but from a technical response perspective, how we protect that user is actually more technical than it is end user. Um, and I think that's where something like secure by design comes in. The the IT policies configured by the organization will kind of guide the end users into how they react and respond to the technologies that are in place. Um and that will secure things like they come into the business, they're trying to access files that they shouldn't be able to access, those controls are already in place. And then when it comes to end, uh end users leaving a business, uh, it's one of the biggest threats, especially when it comes to things like data exfiltration, uh, people trying to send information to public domains. It it's a it's a huge risk that people face.
SPEAKER_01: No, it's really interesting. I mean, that process maturity for me is really important. And and I I think you know, you focused in and spoke a little bit a lot there about onboarding and leaving, which is which has always been key throughout. I think there's that move as things becoming ever more important though. When when I look at things like AI and retrieval assisted uh AI RAG, um uh like Copilot, for example, we've seen cases where uh clients have been caught out by the fact that their movers have historic access to files that they would no longer file areas where they would no longer want them to have. So, so am I right in that in in thinking that this is as much about process maturity as it is necessarily the tech stack that you invest in?
SPEAKER_00: Uh yeah, so with that question, I think uh yeah, the actual process itself is so so fundamental. And when you tie governance into that, the governance will lead how that process uh how that process uh kind of leads. And I think the great thing with that process is it gets you to ask questions. And when it comes to people moving job roles or requiring additional or less permissions, you have to ask questions. And that's a human factor that only an organization, a human, can do is ask those those questions that are needed. So let's just say someone comes in and goes, Oh, I for some reason need a I don't know, I need to be able to see all HR folders. Well, anyway, why do you need those folders? What are you trying to do? What are you trying to achieve? So um, yeah, I think that from a process perspective is is exceptionally important and in some ways more important than the technology itself.
SPEAKER_01: Yeah, because there's there's loads of different flavors out there, right? You know, whether I whether I use Microsoft stack or I use Okta or a myriad of different tools to be able to deliver that, that controls um it's the process that keeps it safe. Um when we talk about that uh that that identity challenge and that security challenge, you know, what's the impact on businesses when they get that wrong?
SPEAKER_00: Yeah, it's it's a huge impact. I mean, across, like I said, 2024, 2025, and even now we're going into 2026, almost 80, 90% of breaches are identity focused. So the the impact is ginormous. And if we look at how uh from a cybersecurity perspective, identity moves, identity is the base layer, you then have endpoint, you then have data uh data protection, and then you have the kind of automation of security operations. Identity is the building block of all of those other pieces as well. So if an identity is exploited, you can move up that chain really easily.
SPEAKER_01: Everything else falls away, exactly. The data becomes really accessible, you can move it out, you can uh uh impersonate people, all of that becomes it's so key, isn't it? I just thinking about you know boardrooms today, the people sat in them, you know, if you're advising them, what three questions should they be asking their CISO, their IT directors and teams um about identity and cybersecurity today?
SPEAKER_00: Great question. I think the first question is who has access to what? I think that's a great question to start off with, very simple, but it starts to to map out what how an organization needs to respond. The second question is how do they access what they're able to access? And then the third question would be how do we limit that? How do we secure that? I think from there it allows organizations to first kind of get a huge mapping of everything that's available, where end users are able to go, what they're able to access, etc. And then from there you're able to work backwards. How do we respond? And what that builds within organizations, uh within their mindset is actually in order for me to be reactive to security events, I first have to be proactive. I have to know where I'm weak in order for me to become strong. So I think uh that that would that would be my my biggest advice to organizations.
SPEAKER_01: I mean, how do those breaches and those failures manifest themselves in the real world though? You know, what's the we've spoken about the impact, but but but what actually happens?
SPEAKER_00: Yeah, that's a great question. Um what we're seeing most commonly uh is actually exploits through common means of communication. We're seeing uh vishing, which is voice phishing, uh typical phishing, things like QR code phishing, those are the most common means of instigating some form of identity compromise. Uh we demoed this kind of a few months ago now, at the time of recording this uh at a webinar. But uh the the point, the the means of instigating uh that compromise starts with a means of communication. So, how does a threat actor uh start communication with someone they can uh try to compromise? Um, and like I said, email is one of the biggest ones at the minute. Um and that can literally just start off with let's just say, hi, I'm from this company, or you've tried to reset your password, click on this link, type your credentials in.
SPEAKER_01: The phishing that we've we've seen before. Yeah exactly. How how about the voice? Because you mentioned voice phishing there, because that that that's new, right? You know, that that I mean we're not talking about social engineering, as it were, somebody phoning up and just pretending to be IT. It's it's another level we're ahead of that.
SPEAKER_00: Yeah, it's uh it's an incredibly big area now. Um and a lot of that is due to uh what's going on in the generative AI space, and people able to replicate and generate voices, um, kind of understand the tone because of the models that are being used, and therefore able to replicate a real human being and sound convincing. Um, and what that looks like practically is I'll get a phone call from someone pretending to be the help desk or senior management. They'll ask for me to maybe go to a website um and and put my credentials in, and then from there, they'll actively try to exploit my account.
SPEAKER_01: That's really interesting. That that that is going to be something something else when you when your boss phones you and says, could you just go and check this out? Yeah, I absolutely. I mean, the the that how'd you guard against that?
SPEAKER_00: Great question. I think the the primary thing that I would recommend to organizations is end user training. End users have to be vigilant, help desks have to be vigilant, uh, board members have to be vigilant. And I think as well as that, businesses have to increase communication between uh the board level and people that maybe don't interact with the board boardroom. You have to get to know each other, you have to understand the tone, the context, and I think the human element of business, I think that is one of the biggest mitigators. Um, but from a technology perspective, we're seeing some incredible tools coming out at the minute where you're able to replicate uh vishing and actually simulate that as a proactive service. So it's incredible the amount of technology and how we're using AI in some instances to tackle AI problems.
SPEAKER_01: That's really interesting. You're right there with the training, because KnowBe4 is the classic one that I always know about. There are others available as well. Um, but but using those to be um able to identify who's most susceptible is is always the kind of thing. But you've you've put a really interesting thought there in that it's it's also about the the proximity and closeness of uh uh of senior figures with the people on the ground with the power to execute. So so that will be really interesting, particularly for larger organizations as they as they uh as they expand. You know, that that having that contact is how people know what your typical behaviours are. Exactly. Um so that will be really interesting, particularly when you're thinking about much larger organizations. That that's something that think forwards will probably need to think about. And and I suppose as well, then that he almost leads into leadership style. Yeah you know, if you if you're in a command and control leadership style where you know uh people just you know, I tell you what to do, you do it without thinking. If that's if that's the culture within the organization, then that can lead you to be more susceptible. So now we're actually entering a world where uh the the culture of the organization has an influence on um its uh vulnerability level, it's its prevalence to be um to what's the word I'm looking for, um uh to be the prevalence, the there's a word for it. Yeah, susceptibility. Yeah, having that cult that organizational culture then becomes something that you that's a factor in how susceptible you are to cyber attack.
SPEAKER_00: Yeah, and this is something that we're seeing so many threat threat actors do. Um part of their process is to profile a business, is to profile the person they're targeting. And they will look at not only what technology do they use, that's quite easy to find now, but actually they're they're looking at the those board members, they're looking at the CTOs, the CISOs, um you know, the CEOs, and they're looking at how do they interact with the business, how present are they, how how does this business respond? Um, because not only do they want to generate technical problems, they want to generate um human resource-related problems and industry uh level problems as well. Um, we see this with uh Jaguar Land Rover, for example. Not only was it some form of uh lateral movement, but as well as that uh their main cause was to disturb the industry. That was one of the biggest um breaches in UK history.
SPEAKER_01: No, I mean huge impact, right? Yeah, absolutely huge impact. And uh and yeah, I I think that's been a r that's a really interesting angle to think about it. You know, we we talk about technology so much, we talk about process being really important, organizational culture as a weapon to defend against cyber cybersecurity attack attacks is perhaps something that's perhaps underexplored.
SPEAKER_00: Yeah, uh, I think with that as well, is one of the the big other big threats of identity is such a broad topic, but is actually insider risk. You know, let's just say there's a disgruntled employee, uh, maybe they're not happy with certain things, um they will try to actively use their account, what they have access to within the business to try and exploit an aspect of the business. So that's something that I think culture and technology and how the business actually operates can actually affect that piece.
SPEAKER_01: So having had that conversation, we were speaking earlier about if you're in the boardroom, uh, what three questions should you as a board member be asking your CISO and your uh your uh IT department? Are there three questions that we should be asking ourselves and uh as board of board members and organizations when we're thinking about that? I I think that's one to perhaps have a ponder on.
SPEAKER_00: Yeah, I yeah, I think it's maybe I can't give three exact questions, um, but I think yeah, something that that boards should definitely consider is okay, how are we responding technically, but what is our culture like? How are people in the business feeling about how we're moving? Um, and and just kind of seeing where areas of contention are. I think that's that's quite healthy business-wise, but then also evaluating how to respond from a security side is exceptionally important.
SPEAKER_01: No, really interesting conversation. Thank you very much, Owen. I think that that that's that's uh opened my eyes a little bit in that in that talk. And suddenly we're thinking about organizational culture being part of our cybersecurity response. Thanks very much for your time. Thank you for having me.