ID Breaches Surge, Help Desks Targeted: RSA Report

Identity-related system breaches are on the rise, and organizational help desks are emerging as a popular target for threat actors, according to a new report by RSA.

The report, based on a global survey of 2,100 cybersecurity, identity, access management, and IT professionals, found that more than two-thirds of the organizations participating in the project (69%) had experienced an identity-related breach in the last three years, a 27% increase from last year’s RSA ID IQ Report.

“There’s an increase in identity-related breaches because the threat actors are getting more and more skilled at bypassing typical security measures,” said RSA Chief Marketing and Growth Officer Laura Marx.

“There is a plethora of information about individuals that is accessible, which fuels threat actors’ intelligence and allows them to assume the role of somebody who has enough knowledge to get past a typical security measure,” she told TechNewsWorld.

Several converging factors are driving the surge in identity-related breaches, added David Bellini, CEO of CyberFOX, an identity management company, in Tampa, Fla. “The expansion of remote work and cloud-based services has dramatically increased the attack surface,” he told TechNewsWorld.

He also pointed out that many organizations still rely on legacy identity systems lacking modern protections like multi-factor authentication (MFA) or behavioral analytics. Attackers are increasingly leveraging social engineering and help desk bypass tactics to exploit human, rather than technical, vulnerabilities.

Identity Becomes the New Perimeter

“The 27% YOY increase in identity breaches doesn’t surprise me, and I think it will continue for a while,” observed Mark St. John, co-founder and COO of Neon Cyber, a provider of browser-based security tools, in Fort Worth, Texas.

“We are only beginning to see the results of the last few years of data dumps and password spraying, along with the new generation of AI-powered social engineering,” he told TechNewsWorld. “We have left a treasure trove of identity data out there for attackers to build a compelling identity attack against almost everyone.”

“The identity data, coupled with our desire to rapidly adopt SaaS applications, will continue to be fruitful for attackers of all scales and skills,” he said. “Organizations had a hard enough time keeping attackers from accessing self-hosted applications and infrastructure. The explosion and spread of SaaS apps, beyond the organizations’ full visibility, is the next risky attack surface.”

“Given the complexities of the modern identity landscape, it is all too easy for attackers to exploit identities and use them to cross organizational and technological silos by exploiting the paths to privilege associated with those identities,” added James Maude, field CTO of BeyondTrust, a maker of privileged account management and vulnerability management solutions, in Carlsbad, Calif.

He argued that identity has become the new perimeter. “Organizations, as well as individuals, are starting to realize this and better understand and protect their identity attack surface,” he told TechNewsWorld.

Escalating Breach Costs

Mike Malone, CEO and founder of Smallstep — a cybersecurity company based in San Francisco specializing in certificate management and secure infrastructure automation — agreed that identity has become the new perimeter in security. “But most organizations are still only securing half of it,” he told TechNewsWorld.

“They’ve done the hard work of implementing user identity through SSO [single sign-on] and MFA, but they haven’t extended the same rigor to devices,” he explained. “Every laptop, phone, or server becomes a potential blind spot if it’s not cryptographically verified. Attackers understand that gap and exploit it to move laterally or impersonate trusted systems.”

“Hybrid work, cloud sprawl, and shadow IT have multiplied the number of unmanaged endpoints, while older identity frameworks like SCEP certificates were never designed for today’s scale,” he continued. “The result is an environment where organizations can’t always tell whether a valid user request is coming from a trusted machine or an attacker’s laptop, which is driving the increase in identity-related breaches, many of which go undetected.”

The RSA report also found that identity breach costs have escalated. Nearly half of organizations (45%) said that the cost of an identity-related breach exceeded the typical cost of a breach as defined by IBM, with 24% noting that costs exceeded US$10 million, a three-percentage-point year-over-year increase since the previous year’s survey.

“They are costing more than a typical breach because they go wider and deeper within an organization,” RSA’s Marx explained. “If you get the credentials of somebody and are able to penetrate a system’s data pools, it’s extremely costly to remedy or rectify the situation because identity really touches everything.”

“A compromised user may be privileged with access to multiple security systems, or may have access to multiple databases or private information,” added Ambuj Kumar, founder of Simbian, a provider of autonomous AI agents for cybersecurity, in Mountain View, Calif.

“All those would be readily accessible and available to the attacker,” he told TechNewsWorld. “If compromised, a ‘right’ user can do a lot more harm than just one data breach.”

Brad Lassiter, CEO of LastTech, an IT services company in New York City, maintained that identity is the fundamental piece of the modern cybersecurity and IT environment. “Many organizations pour resources into protecting their computers and data, forgetting that a user’s identity is the master key to unlock access to everything,” he told TechNewsWorld.

“A traditional data breach means an attacker gained some data,” he said. “An identity breach, whether that is an email compromise or other identity access, allows unfettered access to all that user’s data, all the data that user can access, as well as the influence that user wields over systems and other users.”

Help Desks Emerge as Prime Targets

The RSA report also noted that following high-profile breaches at MGM Resorts, Caesars Entertainment Group, and Marks & Spencer, organizations are increasingly concerned about help desk security. Nearly two-thirds of survey respondents (65%) said they are seriously worried about a similar attack on their help desks, and 51% consider service desk bypass attacks their most significant risk.

“The help desk has become a key vulnerability for organizations because a threat actor can trick a help desk into granting them privileges,” RSA’s Marx noted. “It can be a threat actor pretending to be an employee needing access to files and data, or the threat actor pretending to be someone working a help desk to get an individual employee to give them credentials to get into an organization.”

Service desks are ripe for social engineering attacks, added Andy Thompson, a senior cyber researcher at CyberArk, an information security company in Newton, Mass. “As the name suggests, their priority is to provide service, rather than security,” he told TechNewsWorld. “Often, they are measured by service level agreements that might incline them to close tickets they might not otherwise close.”

“Additionally,” he continued, “many service desks are remote or offshore. These users have no idea who they are speaking with and have a difficult time effectively validating the identity of their customers.”

Despite the threats posed by weak identity management, the RSA researchers found that more than half of the organizations in the survey (57%) haven’t made passwordless authentication their primary method. An overwhelming number of respondents (90%) reported challenges in moving toward passwordless authentication.

“Despite its benefits, passwordless adoption is hindered by legacy infrastructure, user resistance, and integration complexity,” CyberFOX’s Bellini said. “Many organizations are still tied to systems that don’t support modern authentication methods.”

RSA CEO Greg Nelson noted that the 2026 RSA ID IQ Report underscores that identity simply fails too many organizations too often. “The likelihood of a breach — and the cost of inaction — are too high for leaders to tolerate the status quo,” he said in a statement. “Instead, these new findings should urge organizations to act quickly to keep themselves secure.”