TL;DR: Weak passwords, credential reuse, phishing, and insecure web traffic remain the core identity and communication risks highlighted in GlobalSign’s Segurinfo 2016 presentation, which recommends stronger authentication, S/MIME email protection, and SSL/TLS encryption for corporate data flows. The identity lesson is unchanged: if trust is built on shared secrets, attackers will target the human workflow first.
NHIMG editorial — based on content published by GlobalSign: a Segurinfo República Dominicana 2016 recap on authentication, phishing, and secure communications
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes , and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams reduce account takeover risk from phishing sites?
A: Security teams should combine phishing-resistant authentication, domain monitoring, redirect analysis, and post-login session inspection.
Q: Why do signed emails matter when phishing is still the main threat?
A: Signed emails matter because phishing succeeds by impersonating trusted senders, not just by delivering malicious content.
Q: What breaks when organisations rely on TLS but weak passwords remain in use?
A: TLS protects the channel, but it does not stop a user from handing over a password to an attacker or reusing that password elsewhere.
Practitioner guidance
- Remove password reuse risk at the source Prioritise phishing-resistant authentication for employees, contractors, and administrators, then block or step up access when reused credentials are detected across enterprise and personal accounts.
- Deploy signed email for sensitive workflows Use S/MIME for approvals, payment instructions, and other high-trust message flows so recipients can verify sender identity and message integrity before acting.
- Treat TLS as a baseline, not a complete control Keep web encryption in place, but pair it with domain validation, MFA, and browser-side anti-phishing controls because encrypted traffic can still carry fraudulent identity interactions.
What's in the full article
GlobalSign's full post covers the practical detail this summary intentionally leaves at a higher level:
- Examples of how certificate-based authentication reduces exposure from password reuse and weak login habits
- A closer look at S/MIME for message signing and encryption in high-trust email workflows
- Specific explanations of SSL/TLS validation and why transport encryption alone does not stop phishing
- The event discussion themes that prompted the original presentation in a government and enterprise audience
👉 Read GlobalSign's discussion of phishing, authentication, and secure communications →
Credential theft and phishing: what IAM teams need to tighten now?
Explore further
Credential reuse is the hidden multiplier in phishing-driven identity compromise. When users reuse passwords across personal and corporate accounts, a single theft becomes multi-system exposure rather than a one-off event. That is why phishing remains effective even when organisations believe they have basic authentication in place. The governance conclusion is simple: shared secrets turn human identity into a reusable attack surface.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when phishing leads to account compromise?
A: Accountability is shared, but security leadership owns the control environment that made impersonation succeed. Email authentication, browser trust configuration, access scoping, and incident reporting are governance responsibilities, not just end-user habits. If phishing can repeatedly turn into compromise, the control model is failing at the organisational level.
👉 Read our full editorial: Credential theft and phishing expose identity gaps in digital security