Chinenye Chizea
'Identity…. The Low-Hanging Fruit'

Advisory Council, CY-SEC AGORA NIGERIA & more.

AN: It has been said that identity theft is low-hanging fruit—what makes identities easier to exploit than systems today?

CC: Think about it this way: as professionals defending our respective organizations, we did a great job creating awareness of the vulnerability of systems. Most organizations have built impressive fortresses around their networks: firewalls, intrusion detection, endpoint protection, the works. While we were hardening the perimeter and securing the infrastructure, the number of identities we have to maintain exploded. We need to manage employees, contractors, service accounts, API keys, SaaS integrations, etc. Then some organizations cannot accurately confirm how many identities they actually have. In some cases, we've got employees juggling dozens of passwords, so of course they're reusing the same ones on different systems. Others have access for contractors who left six months ago still sitting in Active Directory like digital ghosts. Service accounts with passwords that haven't changed since. When an attacker logs in with these valid credentials, our systems roll out the red carpet: no alarms, no alerts. They look exactly like an authorized user. This is what makes identities easier to exploit than systems today.

The gap is threefold:

  1. People are still the weakest link—password reuse, falling for phishing, clicking on things they shouldn't.

  2. Processes are broken—we can onboard someone in a day but take three weeks to kill their access when they leave.

  3. Technology is fragmented—MFA is "enabled" but somehow not enforced on that critical legacy app everyone still depends on. Our identity governance tools don't talk to each other; privileged access isn't monitored in real-time.

So, identities are low-hanging fruit because we've planted an orchard and completely forgotten to tend it.

AN: In your experience, where do organizations underestimate identity risk the most - employees, third parties, or privileged access?

CC: Third parties! 

I remember reading about a breach from 2013 where the entry point was an HVAC vendor. They had network access from a refrigeration project that nobody thought to revoke after it ended. Those credentials ended up on the dark web and, just like that, attackers had their foothold. The vendor had no idea they'd been compromised. Since then, until now, we're still seeing this exact pattern play out. Just last year alone, we had multiple high-profile breaches that started with third-party access.

Organizations will obsess over employee access reviews, quarterly recertifications, manager approvals, the whole nine yards. But with third parties, contractors, managed service providers, and all those SaaS integrations we've bolted on, there are no regular reviews, no monitoring, and sometimes not even basic MFA requirements. We hand them the keys and just... forget about them.

Privileged access runs a close second, but not in the way people think. Everyone knows Domain Admins and root accounts are critical, and those get attention, but we underestimate "shadow privilege". Think of the help desk analyst who can reset anyone's password, including the CEO's. The DevOps engineer who can spin up cloud infrastructure and access production databases. The finance user who approves wire transfers. They oftentimes don't get the red-flag treatment. But to an attacker these are golden tickets for lateral movement and persistence. They fly under the radar, which makes them even more dangerous.

AN: What common identity controls give leaders a false sense of security?

CC: MFA is the big one. I often hear "we have MFA enabled" but the reality is nuanced. Is it enforced everywhere? Because if it's not covering your VPN, your cloud admin consoles, and yes, even that ancient legacy application everyone still depends on, these are exploitable blind spots for an attacker.

This means that when MFA is deployed everywhere, it matters how you're doing it. It's no longer comforting just to enable MFA; the how is equally important. Now we have attackers working on MFA: they intercept SMS codes and launch MFA fatigue campaigns to intercept push notifications on mobile apps. So, when implementing MFA, use phishing-resistant methods like hardware tokens or passkeys, but most organizations aren't there yet.

Another identity control that provides a false sense of security is annual access reviews. This typically happens in preparation for a certification audit. In some organizations this is a checkbox exercise where once a year someone asks, "does John still need access to this?" and everyone clicks "approve" without really looking. Meanwhile, John's been hoarding permissions for years. Imagine the damage if John's account is compromised. What should be done is continuous monitoring, and real-time alerts when privileges change.

AN: If Nigerian organizations could fix just one identity-related issue in the next 90 days, what would reduce the most risk?

CC: Let's enforce phishing-resistant MFA on all privileged, remote, and third-party access. Most of the reported breaches still start the same way: stolen credentials. A compromised VPN login, an email account taken over, an admin password showing up on the dark web, or a vendor getting phished. Once an attacker has that valid identity, they're inside, and everything becomes an internal problem that's much harder to contain.

But MFA alone isn't the complete answer.

Given the budget realities some organizations face, pair MFA with a rigorous identity cleanup and strict enforcement of least privilege. To put it differently, MFA locks the front door; least privilege ensures that if someone does get in, they're stuck in a locked room with no keys to move anywhere else. Strip unnecessary admin rights, kill ghost accounts from staff who left months ago and shadow privileges from staff who have changed roles. This shrinks your attack surface without spending a kobo. Use the tools you already have to enforce strict access boundaries.

Then, as part of the 90-day action plan, ensure that your organization institutionalizes the link between HR and IT if it is not already in place. No staff exit clearance is complete until IT confirms their digital identity is deactivated. No internal role change is finalized until old access is revoked. We need to ensure least privilege, "access by necessity." It's a procedural shift, not a technical one, which makes it sustainable and cost-effective in our resource-constrained environment.

Key takeaway: Lock the doors with phishing-resistant MFA, clean house with least privilege, and make HR-IT coordination automatic, not optional.
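The identity cleanup described in this answer (ghost accounts of departed staff, third-party access that outlived its engagement, service accounts with stale passwords, and privileged identities still on SMS or push MFA) can be turned into a repeatable audit. The script below is an added example, not code from the interview or from AGORA NEXUS; the inventory records, field names and the 365-day service-password threshold are constructed assumptions, and a real run would populate the same records from a directory export.

```python
from datetime import date

# Constructed sample inventory (assumed schema): one record per identity.
INVENTORY = [
    {"name": "jdoe", "kind": "employee", "enabled": True, "hr_status": "active",
     "end_date": None, "pwd_changed": date(2025, 4, 10), "privileged": True, "mfa": "passkey"},
    {"name": "asmith", "kind": "employee", "enabled": True, "hr_status": "terminated",
     "end_date": date(2024, 11, 30), "pwd_changed": date(2024, 9, 1), "privileged": False, "mfa": "sms"},
    {"name": "hvac-vendor", "kind": "contractor", "enabled": True, "hr_status": "active",
     "end_date": date(2024, 12, 15), "pwd_changed": date(2024, 6, 1), "privileged": False, "mfa": "none"},
    {"name": "svc-backup", "kind": "service", "enabled": True, "hr_status": "n/a",
     "end_date": None, "pwd_changed": date(2022, 1, 5), "privileged": True, "mfa": "none"},
    {"name": "helpdesk1", "kind": "employee", "enabled": True, "hr_status": "active",
     "end_date": None, "pwd_changed": date(2025, 5, 1), "privileged": True, "mfa": "push"},
]

AUDIT_DATE = date(2025, 6, 1)                       # constructed "today"
PHISHING_RESISTANT = {"passkey", "fido2", "hardware_token"}
MAX_SERVICE_PWD_AGE_DAYS = 365                      # assumed policy threshold


def audit(inventory, today):
    """Return (name, finding) pairs for enabled identities that need cleanup."""
    findings = []
    for acct in inventory:
        if not acct["enabled"]:
            continue  # already deactivated; nothing to clean up
        # HR says the employee left, but the directory account is still live.
        if acct["kind"] == "employee" and acct["hr_status"] == "terminated":
            findings.append((acct["name"], "ghost_account"))
        # Third-party access that outlived the engagement it was granted for.
        if acct["kind"] == "contractor" and acct["end_date"] and acct["end_date"] < today:
            findings.append((acct["name"], "expired_third_party"))
        # Service account whose password has not rotated within policy.
        if acct["kind"] == "service" and (today - acct["pwd_changed"]).days > MAX_SERVICE_PWD_AGE_DAYS:
            findings.append((acct["name"], "stale_service_password"))
        # Privileged identity (including "shadow privilege" such as help desk)
        # not protected by a phishing-resistant MFA method.
        if acct["privileged"] and acct["mfa"] not in PHISHING_RESISTANT:
            findings.append((acct["name"], "privileged_without_phishing_resistant_mfa"))
    return findings


def audit_sample():
    """Run the audit over the constructed inventory as of AUDIT_DATE."""
    return audit(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for name, finding in audit_sample():
        print(f"{name}: {finding}")
```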

©2018-2026 AGORA NEXUS All rights reserved
