What to Do Before a Breach and After One Occurs: Identity Theft Awareness Week 2026

Identity breaches are costly. While the financial impact can reach hundreds of thousands or even millions of dollars, the reputational damage often lasts longer, eroding trust and credibility that may have taken years to build. Today, identity theft risk is unfolding rapidly and at scale. Federal agencies recently warned about the Akira ransomware group, which has collected more than $244 million in ransom payments since March 2023. The Akira threat reflects a broader shift in how identity-based attacks occur. Rather than forcing their way through infrastructure, threat actors increasingly rely on compromised credentials to gain legitimate access to systems and data. Once inside, they move laterally, escalate privileges, and cause widespread disruption.

While today’s identity threats are large-scale and evolving, organizations are not without options. A series of practical measures can reduce the likelihood of an identity breach and support a quick, effective response if one happens. As part of our observance of Identity Theft Awareness Week 2026, the following strategies outline how organizations can protect against identity-based cyberattacks, from prevention through response.

Before a Breach: Prevention Strategies

The best approach is a proactive one. Organizations that thoroughly understand their risk profile, test their controls, and prepare their teams are better positioned to prevent breaches or limit their impact.

The following steps form the foundation of a stronger defense:

1. Conduct risk assessments: Risk assessments provide visibility into vulnerabilities and help organizations make more informed decisions about where to invest. A comprehensive review examines authentication practices, access governance, incident readiness and how personally identifiable information flows through the organization.

2. Modernize identity and access management: Multifactor authentication, conditional access policies, and privileged access management verify identity throughout each session, not just at login. Organizations should pay close attention to non-human identities, such as service accounts and API credentials.

3. Strengthen incident response preparedness: Incident response plans should be developed and tested before they are needed. Tabletop exercises can help clarify roles and key decision-making.

4. Reduce human error through employee training: Ongoing training should be implemented to help staff recognize phishing, social engineering, and AI-enabled impersonation attempts. Just as important, organizations should reinforce a culture that encourages reporting suspicious activity, even when concerns turn out to be false alarms.

5. Invest in detection and backup infrastructure: Detection tools and reliable backups play a critical role in limiting damage. Backups should be tested in advance to ensure they can be restored quickly and seamlessly.

Prevention reduces risk, but it does not guarantee immunity. When a breach occurs, speed, coordination and clarity determine the outcome. Working with experienced advisors can help establish baseline security practices, identify gaps and prioritize improvements based on real-world risk.

After a Breach: Contain the Threat Quickly and Effectively

A disorganized response compounds damage. A structured one helps contain the threat, preserve options and support faster recovery. With a clear plan and experienced support, organizations can work to restore operations with minimal disruption.

1. Activate the response plan immediately: Once an incident is suspected, declare it and bring the response team together. Establish clear leadership early so technical, legal, communications and executive teams know who is responsible for decisions and next steps.

2. Identify all access points: Assume more than one account or system may be affected. Reset credentials, revoke access where needed, enforce multifactor authentication and isolate impacted systems to prevent the issue from spreading.

3. Preserve evidence and understand what happened: Carefully preserve logs, access records, and other key evidence. This evidence is critical for understanding what happened, meeting regulatory and insurance requirements, and informing how controls should be strengthened moving forward.

4. Address legal, regulatory, and notification requirements: Determine what notifications are required based on the type of data involved and who was affected. Having clear workflows and draft communications in place helps teams respond accurately under time pressure.

5. Restore systems: Begin restoring systems only after confirming backups are clean and the root cause has been addressed. Bringing systems back online in phases, with additional monitoring, helps stabilize operations and reduce the risk of reinfection.

6. Restore and review: Once operations are stable, review what happened and how the response unfolded. Use those lessons to build a focused 30-, 60- and 90-day plan that addresses gaps and improves preparedness for the next incident.

Handled through a structured, timely approach, a breach response restores operations and highlights where processes, controls, and decision-making need improvement.

Identity Theft Awareness: More Secure, Today and Tomorrow

Sustainable identity theft defense is about creating a culture of awareness where security is part of daily work, employees understand their role in protecting information, and leadership treats prevention and preparedness as ongoing priorities. Working with advisors throughout this process helps organizations build and maintain resilience without developing all the expertise in-house.

This Identity Theft Awareness Week, visit the FTC website for more resources, guidance, and educational materials to help protect your organization from identity theft.

How Grassi Can Help

Grassi’s Technology Consulting advisors work with organizations to conduct enterprise-wide risk assessments and develop tailored prevention and response plans for emerging cybersecurity threats.

For more information about how Grassi can help protect your organization, reach out to Hassan Khan, Technology Consulting Practice Leader and Partner, or a Grassi Advisor today.


Frequently Asked Questions

Q: Why has identity become the primary entry point for cyberattacks?
A: As organizations adopt cloud platforms and remote work models, traditional network boundaries have dissolved. Attackers now focus on stealing or abusing credentials to gain legitimate access to systems, making identity a more common starting point for modern cyberattacks.

Q: What are the most effective ways to reduce identity-based cyber risk?
A: Reducing identity risk starts with strong access controls, including multifactor authentication, least-privilege access and continuous monitoring. Just as important are employee training and clear processes that help teams recognize and respond to suspicious activity early.

Q: How should organizations prepare for an identity breach before one occurs?
A: Preparation includes understanding where sensitive data resides, testing incident response plans, and ensuring roles and decision authority are clearly defined. Organizations that rehearse breach scenarios and review controls regularly are better positioned to act quickly when an incident occurs.

Q: What should organizations focus on after recovering from a breach?
A: Recovery should include a clear review of how access was gained, how the response unfolded and where controls need improvement. Using those lessons to strengthen identity controls and response processes helps reduce the likelihood and impact of future incidents.


Hassan Khan is a Technology Consulting Partner at Grassi, leading the Technology Advisory Practice. He has over 20 years of experience in technology accounting, operations and business process optimization, strategy and governance, risk analysis, offshoring and enterprise intelligence. Hassan’s practice areas include implementing technology risk management frameworks, developing tailored regulatory compliance frameworks focused on GDPR, CCPA, GLBA, PCI, HIPAA and FERPA, IT systems/infrastructure reviews,...
