By NHI Mgmt Group Editorial Team
Published 2025-09-04
Domain: Governance & Risk
Source: Netwrix

TL;DR: 79% of organisations suffered a cyberattack in the last 12 months, while 45% of attacked organisations faced unplanned expenses to close security gaps, according to Netwrix Research Lab’s survey of 1,309 IT professionals across 104 countries. The data shows hybrid security is still being outpaced by attacker pressure and slow control maturity.


At a glance

What this is: This is a 2024 hybrid security trends report showing cyberattacks remain common and costly across organisations operating in cloud-heavy, remote-friendly environments.

Why it matters: It matters to IAM practitioners because hybrid operations keep widening the gap between access governance, security visibility, and the real-world pace of compromise across human, NHI, and autonomous identity estates.

By the numbers:

  • 79% of organisations suffered a cyberattack in the last 12 months.
  • 45% of attacked organisations faced unplanned expenses to close security gaps.
  • 1,309 IT professionals surveyed across 104 countries.

👉 Read Netwrix's 2024 hybrid security trends report


Context

Hybrid security is the problem space where identity, endpoints, cloud services, and access policies all have to work together across distributed environments. The report shows that cyberattack exposure remains high even as organisations keep expanding cloud adoption and remote work, which means the governance model is still not keeping pace with how identities are actually used.

For IAM, NHI, and PAM teams, the important signal is not just breach frequency but the operational drag that follows compromise. When security gaps create unplanned expense, the issue is usually not a single control failure. It is a wider gap between who or what has access, how fast that access changes, and how much of the estate remains visible at decision time.


Key questions

Q: How should security teams reduce identity risk in hybrid environments?

A: Security teams should start by inventorying identities, privileges, and session paths across cloud, on-premises, and remote access layers. The goal is to remove hidden standing access, tighten privileged scope, and make investigation data available in one place. Without that visibility, hybrid security problems become slower, costlier, and harder to contain.

Q: Why do cyberattacks in hybrid environments so often become expensive?

A: They become expensive because identity evidence is fragmented, so teams spend time proving what happened before they can contain it. That drives emergency access changes, forensics, recovery work, and compensating controls. When access governance is weak, the cost of clarity becomes part of the incident itself.

Q: What do organisations get wrong about cyber insurance and identity security?

A: They often treat insurance as a substitute for control maturity. In practice, insurers care whether access is scoped, logs are reliable, and privilege can be revoked quickly. If IAM evidence is weak, insurance may soften the financial hit, but it will not restore operational resilience.

Q: How can teams tell whether hybrid access governance is actually working?

A: Look for short investigation times, complete privilege inventories, and the ability to trace who had access before, during, and after an incident. If those answers take days instead of hours, governance is lagging behind the environment. Strong control is visible in how quickly the organisation can prove or disprove access.


Technical breakdown

Why hybrid environments increase identity exposure

Hybrid environments combine on-premises systems, cloud platforms, remote endpoints, and third-party services into one access surface. That surface expands the number of identities, tokens, service accounts, and privileged workflows that must be governed consistently. The technical challenge is not only authentication. It is entitlement drift, inconsistent policy enforcement, and incomplete telemetry across domains that do not share the same trust boundaries. In practice, attackers look for the weakest identity control point, then move laterally through connected systems that were not designed to share one governance model.

Practical implication: map identity controls across hybrid platforms as one governance chain, not as separate admin silos.

Why cyberattacks keep turning into cost problems

The report links attacks to unplanned expenses because response costs often arrive before root causes are fully contained. In hybrid environments, that usually means emergency access changes, incident response labour, forensic work, recovery rebuilds, and temporary compensating controls. These costs rise when identity evidence is fragmented, because teams cannot quickly determine which accounts, keys, or sessions were involved. That makes identity observability a financial control as much as a security control. The less certainty teams have about who accessed what, the more expensive every decision becomes.

Practical implication: treat identity telemetry and access logging as cost-containment controls, not just detection tools.

How cyber insurance reflects control maturity

The rise in organisations either holding or planning cyber insurance shows that boards are treating cyber risk as a balance-sheet issue. But insurance does not replace governance. Insurers increasingly care about whether organisations can prove access control discipline, incident readiness, and recovery feasibility. For identity teams, this means policy language and underwriting expectations are converging with basic IAM hygiene: scoped privileges, account governance, and evidence of control operation. Hybrid environments that cannot show those controls consistently will struggle to translate insurance into true resilience.

Practical implication: align IAM evidence, privileged access records, and incident response documentation with insurance and audit requirements.


Threat narrative

Attacker objective: The attacker aims to convert identity weakness in a hybrid environment into operational disruption, broader access, and expensive remediation work.

  1. Entry occurs when attackers exploit exposed credentials, weak hybrid perimeter controls, or account paths that were left reachable across cloud and remote access layers.
  2. Escalation follows when privileged identities, over-permissioned accounts, or poorly governed sessions let the attacker expand reach across connected systems.
  3. Impact lands as business disruption, recovery spend, and compensating control costs, especially when identity evidence is fragmented and containment takes longer.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Hybrid security is really an identity governance problem with infrastructure symptoms. The report’s attack and cost data point to a familiar pattern: organisations can expand cloud use faster than they can unify access governance across people, workloads, and third parties. That creates a control gap where security teams see incidents as isolated events, while attackers see one connected identity fabric. Practitioners should treat hybrid security as a programme-level governance issue, not a tool-by-tool hardening exercise.

Standing access across hybrid estates is the failure mode this report keeps exposing. Controls designed for stable, centrally managed environments break down when access is fragmented across cloud, remote, and legacy systems. The implication is that privilege is still being granted as if environments were static, even though the operating model is now distributed and change-heavy. Identity teams should read the report as evidence that access scope, not just attack volume, is the real structural weakness.

Unplanned expense is the measurable output of poor identity observability. When an organisation cannot quickly answer who had access, where a token was used, or which session was legitimate, response becomes slower and costlier. That is why hybrid security maturity should be judged by evidence quality as much as by prevention metrics. Practitioners need governance that shortens investigation time, because every unresolved identity question becomes a financial question.

Hybrid cyber risk is now inseparable from board-level resilience planning. The increase in organisations buying or planning cyber insurance shows that security is being priced as operational risk, not just technical exposure. For identity leaders, that means the conversation has to move beyond compliance artefacts and into verifiable control operation. The field is heading toward a model where IAM evidence, recovery readiness, and insurance posture are evaluated together.

Identity blast radius is the right concept for hybrid programme design. The report implies that the real question is not whether compromise happens, but how far one exposed identity can travel before containment begins. That pushes practitioners toward tighter entitlement scope, stronger privileged access discipline, and better telemetry across domains. The practical conclusion is simple: reduce the distance between identity misuse and containment.

From our research:

What this signals

Hybrid security programmes should expect identity scope to keep widening faster than manual review cycles can keep up. With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey, the access problem is already outgrowing human-paced governance. Teams that still review identity estate changes as periodic events will keep missing the real exposure window.

The next maturity step is not another isolated security control. It is a single operating model that can evidence privilege, session use, and remediation across human, workload, and AI-driven identities before an incident forces the issue.


For practitioners

  • Unify identity governance across hybrid estates: Build one entitlement inventory that covers cloud, on-premises, remote access, and third-party accounts so teams can see privilege relationships in a single control view.
  • Prioritise access evidence for incident containment: Make access logs, session records, and account provenance searchable within the same response workflow so investigators can identify scope before recovery costs expand.
  • Review standing privilege in cloud and remote workflows: Focus on always-on admin rights, long-lived tokens, and service accounts that remain valid across business changes, then remove unnecessary persistence wherever possible.
  • Align IAM controls with insurance and audit evidence: Document how privileged access is approved, reviewed, and revoked, because insurers and auditors increasingly want proof that the controls actually operate.
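As an added example (not code from the Netwrix report or from NHI Mgmt Group), the following Python script runs the two checks these bullets describe over a constructed hybrid entitlement inventory and constructed access-log lines: it flags standing privilege (always-on admin rights, long-lived credentials, and credentials that have gone unused across business change) and answers the containment question of which platforms and resources a given identity actually touched within a time window. The identity names, platforms, resources, thresholds and the JSON-per-line log format are all assumptions made for the example.

```python
"""Added example, not from the Netwrix report or NHI Mgmt Group.
Standing-privilege review plus access-evidence search over a constructed
hybrid inventory and constructed access-log lines. Every identity, platform,
resource, threshold and log line here is made up for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str             # "human", "service_account", "token", "ai_agent"
    platform: str         # "aws", "ad", "github", "vendor_saas" (assumed labels)
    privilege: str        # "admin", "write", "read"
    credential_age_days: int
    last_used_days_ago: int
    just_in_time: bool    # True when admin rights are elevated on request, not always-on


# Constructed inventory spanning cloud, on-premises and third-party accounts.
INVENTORY = [
    Identity("alice", "human", "ad", "admin", 40, 1, True),
    Identity("ci-deploy", "service_account", "aws", "admin", 400, 2, False),
    Identity("legacy-backup", "service_account", "ad", "write", 900, 180, False),
    Identity("ghp-bot", "token", "github", "write", 120, 5, False),
    Identity("vendor-sync", "service_account", "vendor_saas", "read", 30, 3, False),
    Identity("ops-agent", "ai_agent", "aws", "admin", 10, 0, False),
]


def find_standing_privilege(inventory, max_cred_age_days=90, stale_after_days=30):
    """Flag identities whose access persists across business change: always-on
    admin, long-lived credentials, and credentials nobody has used recently.
    Thresholds are assumed defaults. Returns {identity name: sorted reasons}."""
    findings = {}
    for ident in inventory:
        reasons = []
        if ident.privilege == "admin" and not ident.just_in_time:
            reasons.append("always-on admin")
        if ident.credential_age_days > max_cred_age_days:
            reasons.append("credential older than %d days" % max_cred_age_days)
        if ident.last_used_days_ago > stale_after_days:
            reasons.append("unused for more than %d days" % stale_after_days)
        if reasons:
            findings[ident.name] = sorted(reasons)
    return findings


# Constructed access-log lines, one JSON object per line (an assumed SIEM export shape).
ACCESS_LOG = """
{"ts": "2025-09-01T08:02:11Z", "identity": "ci-deploy", "platform": "aws", "resource": "s3://prod-artifacts", "action": "PutObject"}
{"ts": "2025-09-01T08:05:40Z", "identity": "ci-deploy", "platform": "aws", "resource": "iam:role/prod-admin", "action": "AssumeRole"}
{"ts": "2025-09-01T08:06:02Z", "identity": "ci-deploy", "platform": "aws", "resource": "rds:prod-customers", "action": "ModifyDBInstance"}
{"ts": "2025-09-01T09:15:00Z", "identity": "alice", "platform": "ad", "resource": "fileshare://finance", "action": "Read"}
{"ts": "2025-09-02T01:30:27Z", "identity": "ci-deploy", "platform": "github", "resource": "repo:org/infra", "action": "Push"}
""".strip().splitlines()


def parse_ts(value):
    """Parse the assumed ISO-8601 UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(lines):
    """Turn JSON-per-line access records into dicts with a real datetime in 'ts'."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        events.append(rec)
    return events


def access_scope(identity, events, window_start, window_end):
    """Answer the containment question 'what did this identity touch, and where?'
    for a time window given as ISO-8601 strings. Returns (platforms, resources),
    both sorted, so the observed blast radius can be stated before recovery starts."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    hits = [e for e in events
            if e["identity"] == identity and start <= e["ts"] <= end]
    platforms = sorted({e["platform"] for e in hits})
    resources = sorted({e["resource"] for e in hits})
    return platforms, resources


if __name__ == "__main__":
    for name, reasons in find_standing_privilege(INVENTORY).items():
        print("%-14s %s" % (name, "; ".join(reasons)))
    events = parse_log(ACCESS_LOG)
    plats, res = access_scope("ci-deploy", events,
                              "2025-09-01T00:00:00Z", "2025-09-03T00:00:00Z")
    print("ci-deploy reached platforms %s and resources %s" % (plats, res))
```

The review step deliberately treats a just-in-time admin (alice) as acceptable while flagging an always-on admin service account and an AI agent with the same rights; the scope step shows why cross-platform evidence matters, since the same service account appears in both cloud and source-control logs and only a unified search reveals the full reach.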

Key takeaways

  • Hybrid security failures are increasingly identity failures, because access sprawl and fragmented visibility give attackers more room to move.
  • The report shows that cyberattacks are not only frequent but financially disruptive, with 45% of attacked organisations absorbing unplanned remediation costs.
  • IAM teams should respond by tightening privilege scope, improving access evidence, and aligning control proof with incident response and insurance expectations.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework, control / reference, and relevance:

  • NIST CSF 2.0 (PR.AC-4): Hybrid access sprawl makes least-privilege enforcement central to the report's findings.
  • NIST Zero Trust (SP 800-207): The report reflects continuous verification needs across distributed trust boundaries.
  • OWASP Non-Human Identity Top 10 (NHI-03): Standing privilege and long-lived access are recurring NHI governance weaknesses in hybrid estates.

Reduce persistent machine access and rotate credentials before privilege becomes static.


Key terms

  • Hybrid Security: Hybrid security is the discipline of protecting environments that span on-premises systems, cloud services, remote endpoints, and third-party integrations. It requires consistent identity, visibility, and response controls across multiple trust boundaries, not separate security models that happen to coexist.
  • Identity Observability: Identity observability is the ability to see who or what accessed a system, when access occurred, and how privilege was used across the full environment. It turns access logs, session records, and entitlement data into evidence that supports faster containment, investigation, and governance decisions.
  • Standing Privilege: Standing privilege is access that remains continuously available rather than being granted only when needed. In hybrid environments, it increases the attack surface because a compromised account, token, or service identity can be reused without a new approval step or time-bound restriction.
  • Identity Blast Radius: Identity blast radius is the number of systems, data sets, and business processes that can be exposed through misuse of a single identity. It is a practical measure of how far access can travel before detection or containment, and it is especially important in distributed hybrid estates.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Netwrix: 2024 Hybrid Security Trends Report. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org