Steven Scheurmann, Regional Vice President, ASEAN, Palo Alto Networks, explores why passwords are failing to defend business-critical information.
The cyberthreat landscape is continuously transforming, posing significant risks to enterprises across the board.
Today’s attackers are using advanced tactics such as phishing, social engineering and brute force attacks to compromise critical information. As these threats become more sophisticated, the inadequacies of passwords are becoming even more apparent – passwords, once considered the first line of defence, are now often seen as the weakest link.
Passwords have long been fundamental to safeguarding business-critical information and financial data. However, their effectiveness is increasingly undermined by common user behaviours – such as reusing passwords across multiple sites or choosing simple, easy-to-remember passwords that are also easy for attackers to crack.
The latest Unit 42 Incident Response Report uncovered a stark reality: in 2024, previously compromised credentials emerged as the third most used initial access vector by threat actors, surging four-fold from 4% in 2021 to 16%. The reliance on traditional passwords is, thus, leaving businesses increasingly vulnerable.
Remote workforces increase vulnerabilities

Adding to this is the fact that the shift towards remote and hybrid work environments has transformed networking and security. Work is no longer just a place we go to; it’s something we can do from anywhere.
This means our applications and users are now spread out everywhere, which significantly expands the attack surface that cybercriminals can exploit. Unit 42’s latest report also revealed that nearly half of security incidents (44%) involved the web browser – ranging from phishing to malware downloads – highlighting it as a persistent weak spot in enterprise defences.
To address these challenges effectively, adopting a Zero Trust (ZT) mindset is crucial. Zero Trust operates on the principle of ‘never trust, always verify,’ ensuring that no entity – whether inside or outside the network – is trusted by default. This approach involves continuous verification of user identities and device health to ensure secure access to applications and data.
Enhancing security with Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) remains one of the most critical components of a Zero Trust framework – and lack of MFA is still the most prevalent identity and access management (IAM) failure observed in Unit 42’s 2025 incident response cases.
In fact, one high-profile example saw RansomHub (tracked by Unit 42 as Spoiled Scorpius) access a municipal government’s network through a VPN connection – exploiting the organisation’s failure to enforce MFA. Within just seven hours, the attacker exfiltrated 500 GB of data, highlighting the speed and scale of damage when this key control is missing.
In line with a Zero Trust approach, many organisations are now turning to Multi-Factor Authentication (MFA) to bolster their security measures. Built on the core principle of continuous authentication, MFA requires users to provide two or more verification factors to gain access, ensuring a higher level of authentication than passwords alone.
This approach typically combines something the user knows (like a password or PIN) with something they have (such as a smartphone or a hardware token) or something they are (biometric data).
MFA enhances security by adding layers of verification, ensuring that access to applications and data is granted only after multiple factors have been authenticated. This proactive approach reduces the risk of unauthorised access even if credentials are compromised and strengthens the overall security posture.
This fits seamlessly into the Zero Trust security framework, which operates on the assumption that every connection and endpoint could be a potential threat, thus requiring verification at every step of a user’s interaction with the network.
The critical role of Zero Trust Network Access (ZTNA)
Furthermore, Zero Trust Network Access (ZTNA) offers a comprehensive security framework that goes beyond authentication. ZTNA solutions provide secure remote access to applications and services based on defined access control policies, unlike traditional VPNs, which grant complete access to the network once authenticated. This approach minimises security gaps and limits potential lateral movement within the network by attackers.
The benefits of ZTNA over traditional methods are significant. By providing identity-based authentication and access control, ZTNA reduces the organisation’s attack surface. It allows for location or device-specific access control policies, preventing unpatched or vulnerable devices from connecting to corporate services.
The strategy also mitigates common VPN-related challenges where remote users on personal devices are granted the same level of access as those at a corporate office, despite having fewer security controls.
By eliminating excessive trust and applying consistent policy enforcement at the browser, network and application layers, ZTNA helps organisations respond to threats like phishing and malicious redirects before they spread across systems.
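The contrast drawn above between VPN-style access and per-application ZTNA decisions can be sketched as follows; this is an added example, not code from the article or from Palo Alto Networks. The application names, groups and policy table are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_passed: bool
    device_managed: bool
    device_patched: bool
    app: str

# Constructed sample policy: which groups may reach each application and
# whether a corporate-managed device is required. Apps not listed are denied.
POLICY = {
    "payroll": {"groups": {"finance"}, "managed_only": True},
    "wiki": {"groups": {"finance", "engineering"}, "managed_only": False},
}
ALL_APPS = {"payroll", "wiki", "build-server"}  # constructed inventory

def vpn_reachable(password_ok):
    """VPN model as the article describes it: one login, whole network."""
    return set(ALL_APPS) if password_ok else set()

def ztna_decide(req):
    """Evaluate a single request; default deny, every check must pass."""
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "no policy for app (default deny)"
    if not req.mfa_passed:
        return False, "MFA not completed"
    if not req.device_patched:
        return False, "device unpatched"
    if rule["managed_only"] and not req.device_managed:
        return False, "unmanaged device"
    if not (req.groups & rule["groups"]):
        return False, "user not in an allowed group"
    return True, "allowed"

def ztna_reachable(user, groups, mfa, managed, patched):
    """Set of apps this user and device can reach under the policy."""
    return {app for app in ALL_APPS
            if ztna_decide(Request(user, frozenset(groups), mfa,
                                   managed, patched, app))[0]}

if __name__ == "__main__":
    # Same finance user on a patched personal device: VPN versus ZTNA.
    print("VPN :", sorted(vpn_reachable(True)))
    print("ZTNA:", sorted(ztna_reachable("alice", {"finance"}, True, False, True)))
```

A stolen password alone yields nothing under `ztna_decide`, because the MFA check fails before any group or device rule is consulted.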
ZTNA implementation strategies
Transitioning to MFA and ZTNA requires careful planning and execution. Organisations need to consider the technical aspects of integrating with existing IT infrastructures and workflows. This involves addressing challenges such as legacy system compatibility, scalability, user resistance and cost implications.
To facilitate a smooth transition, businesses will also have to emphasise educating their employees, ensuring that they understand the benefits and functionalities of the new authentication methods and how to use them effectively. Additionally, companies need to assess and upgrade their infrastructure to support passwordless technologies and ZTNA, developing a comprehensive strategy that includes timelines, resource allocation and risk management.
As cyberthreats continue to evolve, so must the security measures that protect enterprise environments. Moving beyond passwords to embrace enhanced authentication methods within a larger Zero Trust framework is not just a technological upgrade – it is a strategic imperative that will position businesses for comprehensive cyber-protection in the digital age.