Beyond the 16 Billion Credential Headlines: Why Identity Security Remains Critical to Your Business Resilience

Recent headlines about “16 billion stolen credentials” have sparked debate amongst the CyberOne team, with many questioning whether the story passes the "sniff test". While the specific claims may be inflated, the underlying threat is undeniably real and growing.

Verified data tells a stark enough story: credential abuse has become the #1 initial access vector for data breaches, according to Verizon’s latest Data Breach Investigations Report. Infostealers alone stole 2.1 billion credentials last year, accounting for nearly two-thirds of the 3.2 billion credentials stolen from all organisations.

This represents what we refer to as the industrial scale of cybercrime. Attackers are no longer working on one account at a time. They’re using automation to test billions of stolen credentials across thousands of systems around the clock.

The scale transforms every individual breach into a systemic risk for organisations everywhere.

The Automation Advantage

Industrial-scale credential attacks exploit a fundamental imbalance in the system. Smaller businesses face the same sophisticated threats as large enterprises, but often lack the same security budgets and teams.

Attackers use automation to test stolen credentials against thousands of targets. They know many smaller organisations lack the resources to enforce strong identity controls, monitor dark web exposures or respond 24x7.

At CyberOne, we focus on closing that gap. We deliver enterprise-grade security, including Zero Trust identity, continuous monitoring and dark web detection, in a cost-effective, managed service model.

This helps businesses build the same level of resilience as larger organisations, without the overhead of building it all in-house.

Why Passwords Persist Despite Everything

Security experts have declared "passwords are dead" for years. Yet here we are with 2.1 billion credentials stolen by infostealers alone last year (Source: Forbes, 2025). For many organisations, the barriers are real. Budget constraints, competing priorities and limited in-house expertise make it challenging to move beyond passwords alone.

We help businesses take practical steps toward modern identity security. We deploy Multi-Factor Authentication (MFA) and Conditional Access, ultimately moving toward passwordless authentication.

Microsoft is driving this direction with its security ecosystem, especially with the introduction of Passkeys. Passkeys provide a secure, phishing-resistant and user-friendly authentication method. Users no longer need to remember passwords or be exposed to phishing scams, as Passkeys leverage cryptographic authentication linked to the user’s device biometrics (fingerprint, facial recognition) or PIN. This significantly enhances security, simplifies user experience, and aligns with Microsoft's push towards a passwordless future.

By leveraging Microsoft Entra and the broader security stack, we make passwordless more achievable.

The Practical Transformation Roadmap

When businesses examine their password-heavy environments, they need to know where to begin.

The single highest-impact first move is rolling out Multi-Factor Authentication universally: it stops the vast majority of credential-based attacks, even if passwords are compromised.

We always start there because it delivers immediate risk reduction without disrupting operations.

From there, we help organisations implement Conditional Access policies to enforce context-aware access controls. We then plan a staged journey toward passwordless authentication, utilising Microsoft Entra’s capabilities.

Our approach is risk-based and practical. We prioritise high-value and high-risk targets first. Think of executives, admins and IT teams with privileged access.

These accounts are prime targets for attackers. Moving them to passwordless options, such as FIDO2 keys or the Microsoft Authenticator app, makes an immediate impact.

Meanwhile, for broader user populations, we often start with enforcing strong Multi-Factor Authentication and Conditional Access. This closes the biggest gaps while preparing them for a smoother transition to passwordless later.

Measuring What Matters

Our performance-led security approach ensures changes deliver measurable outcomes without derailing the business.

We measure success in two key ways. First, security impact: metrics like reduced credential compromise rates, increased MFA adoption, Passkey Usage and improved Microsoft Secure Score.

Second, operational impact: user support tickets, login success rates and feedback from the business.

For credential security, our primary target is often to achieve a Microsoft Secure Score of at least 80. This signals that an organisation has closed the most critical gaps.

That typically means enforcing Multi-Factor Authentication for all users, applying Conditional Access policies to reduce risky sign-ins and planning for passwordless options where feasible.

These steps significantly reduce the risk of credential-based attacks without requiring enterprise-level resources.

The Business Conversation That Changes Everything

When we sit across from a CEO or IT director who’s just realised their current approach isn’t working, we don’t start with technology. We start with risk and impact in business terms.

Attackers don’t care about your size. The same automated attacks targeting major banks are also testing your defences. The question isn’t if someone tries to break in. It’s whether you can stop them before they do real damage.

Then we focus on confidence and control. This isn’t about making life harder for users or drowning IT in complexity.

It’s about putting in place simple, effective, measured steps that reduce real-world risk and give visibility and control they don’t have today.

We prioritise, we plan and we deliver in phases that work for their team and budget. We provide clear metrics, including MFA coverage, Secure Score improvements and reduced incidents.

The commitment comes when they realise it’s not just buying security tools. It’s investing in resilience and business continuity.

The Next Three Years

The pressure on all businesses to modernise authentication will only grow. Over the next 2-3 years, we anticipate a significant shift in the landscape, moving decisively away from password-heavy environments toward layered, adaptive and increasingly passwordless models. Microsoft's investment in Passkeys and broader adoption across their platforms will accelerate this transition, making secure authentication more achievable for organisations.

Microsoft is leading that charge with Entra and the broader security stack. This makes passwordless sign-ins, phishing-resistant MFA and Conditional Access policies more accessible for organisations.

Businesses will move in phases. First, universal Multi-Factor Authentication is a table-stakes requirement. Then, smarter Conditional Access that evaluates risk in real time.

Finally, passwordless adoption for their highest-risk users and critical systems, extending outward as readiness improves.

The real change isn’t just technical. It’s cultural. More businesses will treat identity as the new security perimeter.

They’ll recognise that strong authentication isn’t an IT add-on. It’s fundamental to protecting revenue, reputation and customer trust in a world where stolen credentials power 80% of web application attacks.

What To Do This Week

If there’s one thing we’d tell any business leader to do this week, it’s this: ensure Multi-Factor Authentication is enabled for every user, wherever it’s supported.

It’s the single most effective and immediate step to shut down credential-based attacks, even with the billions of stolen credentials circulating on the dark web.

We see it repeatedly: businesses think they have MFA “mostly” deployed, but gaps remain in legacy apps, privileged accounts and third-party access.

Those gaps are exactly what attackers exploit. Audit your MFA coverage. Close those gaps. It’s the best immediate defence you can put in place.

It’s fast, it’s proven and it buys you time to plan more advanced steps, such as Conditional Access policies and passwordless authentication.
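One way to carry out that coverage audit in a Microsoft Entra ID tenant, as an added example that is not CyberOne's tooling: it reads the Microsoft Graph authentication-methods registration report and flags the gaps named above (users with no MFA registered, privileged accounts still dependent on passwords, and users whose only factor is a phone number). Field names follow the Graph `userRegistrationDetails` resource; `fetch_report` and `audit_mfa_coverage` are hypothetical helper names, and the embedded sample is constructed so the audit runs offline.

```python
"""Flag MFA coverage gaps from the Entra ID authentication-methods report.
Hypothetical helper (not CyberOne's tooling). Field names follow the Graph
userRegistrationDetails resource; fetch_report() needs a bearer token holding
AuditLog.Read.All, while the constructed SAMPLE_REPORT lets the audit run offline."""
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"
# SIM-swap-prone factors: a user registered with only these still counts as a gap.
PHONE_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone"}
# Constructed sample shaped like the Graph response (not real tenant data).
SAMPLE_REPORT = {"value": [
    {"userPrincipalName": "ceo@example.com", "isAdmin": False, "isMfaRegistered": False,
     "isPasswordlessCapable": False, "methodsRegistered": []},
    {"userPrincipalName": "globaladmin@example.com", "isAdmin": True, "isMfaRegistered": True,
     "isPasswordlessCapable": False, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "itops@example.com", "isAdmin": True, "isMfaRegistered": True,
     "isPasswordlessCapable": True, "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "sales1@example.com", "isAdmin": False, "isMfaRegistered": True,
     "isPasswordlessCapable": False, "methodsRegistered": ["microsoftAuthenticatorPush"]},
]}

def fetch_report(token: str) -> dict:
    """Download every page of the live report, following @odata.nextLink."""
    users, url = [], GRAPH_URL
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        users.extend(page["value"])
        url = page.get("@odata.nextLink")
    return {"value": users}

def audit_mfa_coverage(report: dict) -> dict:
    """Return the MFA coverage percentage plus the named gaps to close first."""
    users = report["value"]
    not_registered = [u["userPrincipalName"] for u in users if not u["isMfaRegistered"]]
    # Privileged accounts are the first candidates for FIDO2 keys or Authenticator.
    admins_on_passwords = [u["userPrincipalName"] for u in users
                           if u["isAdmin"] and not u["isPasswordlessCapable"]]
    phone_only = [u["userPrincipalName"] for u in users
                  if u["isMfaRegistered"] and set(u["methodsRegistered"]) <= PHONE_METHODS]
    covered = len(users) - len(not_registered)
    return {"coverage_pct": round(100.0 * covered / len(users), 1) if users else 0.0,
            "not_registered": not_registered,
            "admins_not_passwordless": admins_on_passwords,
            "phone_only": phone_only}

if __name__ == "__main__":
    print(json.dumps(audit_mfa_coverage(SAMPLE_REPORT), indent=2))
```

Against the sample, the report shows 75% coverage, one unregistered executive and one global admin still relying on a phone factor, which is exactly the prioritised list the roadmap above starts from.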

Beyond The Basics

Once you’ve closed the obvious gaps with universal MFA, the next step is to get a clear picture of your current identity security posture.

That means doing an Identity Security Assessment or a Microsoft 365 Security Review. These assessments help you see exactly where you’re strong, where you’re exposed and what your priorities should be.

At CyberOne, we conduct these assessments to provide organisations with a practical, prioritised roadmap. It’s not about buying every tool at once.

It’s about knowing which steps deliver the most risk reduction for your business. Typically, that means tightening Conditional Access policies, planning for passwordless authentication where it makes sense and ensuring you have visibility and response in place for suspicious sign-in activity.

If you want to go beyond MFA this year, start by understanding where you stand today. That clarity makes every security pound and every hour of your team’s time more effective.

In this environment, staying still isn’t an option.

Ready To Strengthen Your Identity Security?

Join our upcoming webinar

Access Granted: The Identity Security Gap
📆 Tuesday 22nd July 2025
⏰ 10:00 (UK time).

Learn actionable strategies for protecting your organisation when everyone is connected, but control remains elusive. Register Now.