TL;DR: A global survey of more than 2,100 IAM, IT and security professionals found 69% of organisations experienced an identity-related breach in the last three years, 45% said breach costs exceeded IBM’s typical breach estimate, and 65% are now seriously concerned about help desk bypass attacks, according to RSA Security. The findings show identity governance is being outpaced by social engineering, service desk weakness, and stalled passwordless adoption.
NHIMG editorial — based on content published by RSA Security: Help Desk Hijacks & Soaring Costs: RSA ID IQ Report Unveils Top Identity Threats
By the numbers:
- 69% of organizations experienced an identity-related breach in the last three years
- 45% of organizations said that the cost of an identity-related breach exceeded the typical cost of a breach as defined by IBM
- 65% of organizations are seriously concerned about a similar help desk bypass attack hitting them
Questions worth separating out
Q: What breaks when help desk recovery can override identity assurance?
A: When support staff can reset access without strong verification, the help desk becomes an attack path rather than a safeguard.
Q: Why do passwordless programmes still fail if recovery is weak?
A: Passwordless only reduces one class of credential risk. If the recovery path can still hand out a reset, a bypass code, or a newly enrolled factor on weak verification, an attacker never has to defeat the strong authenticator at all.
Q: How do teams know whether service desk controls are actually working?
A: Look for evidence that recovery actions are rare, auditable, and independently verified.
Practitioner guidance
- Harden help desk identity verification: require stronger proofing for any reset, recovery, or exception request.
- Separate support access from privileged approval: make sure service desk agents can initiate recovery workflows but cannot complete high-risk changes without independent approval or step-up verification for the affected identity.
- Review fallback paths in passwordless programmes: map every route a user can take when passwordless fails, including backup factors, recovery contacts, and manual overrides.
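As an added illustration, not code from the RSA report or from NHIMG, here is the kind of check the guidance above and the "are service desk controls actually working" question call for: it walks a constructed help desk recovery log and flags tickets where proofing was weak, high-risk changes completed without an approver distinct from the initiating agent, and agents whose recovery volume is unusual. The event fields, verification method names, risk categories, and threshold are assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed proofing tiers: only these methods count as strong verification.
STRONG_VERIFICATION = {"id_document_video", "registered_device_push", "manager_callback"}
# Assumed set of changes that can override existing authentication assurance.
HIGH_RISK_ACTIONS = {"mfa_reset", "bypass_code", "recovery_email_change"}


@dataclass
class RecoveryEvent:
    ticket: str
    user: str
    agent: str                 # service desk agent who initiated the request
    approver: Optional[str]    # independent approver, or None if nobody approved
    action: str                # e.g. "password_reset", "mfa_reset", "bypass_code"
    verification: str          # proofing method recorded on the ticket


def audit_recovery_events(events, max_per_agent=3):
    """Return (subject, finding) pairs for recovery actions that violate the controls."""
    findings = []
    for e in events:
        if e.verification not in STRONG_VERIFICATION:
            findings.append((e.ticket, "weak-verification"))
        # High-risk change needs an approver who is not the initiating agent.
        if e.action in HIGH_RISK_ACTIONS and (e.approver is None or e.approver == e.agent):
            findings.append((e.ticket, "no-independent-approval"))
    # Recovery should be rare: an agent well above the norm deserves a look.
    for agent, count in Counter(e.agent for e in events).items():
        if count > max_per_agent:
            findings.append((agent, "agent-volume"))
    return findings


# Constructed sample log (not real data).
SAMPLE_EVENTS = [
    RecoveryEvent("T1", "u1", "alice", "bob", "mfa_reset", "registered_device_push"),
    RecoveryEvent("T2", "u2", "alice", None, "mfa_reset", "kba"),
    RecoveryEvent("T3", "u3", "carol", "carol", "bypass_code", "manager_callback"),
    RecoveryEvent("T4", "u4", "alice", "bob", "password_reset", "email_code"),
    RecoveryEvent("T5", "u5", "alice", "bob", "password_reset", "id_document_video"),
]

if __name__ == "__main__":
    for subject, finding in audit_recovery_events(SAMPLE_EVENTS):
        print(f"{subject}: {finding}")
```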
What's in the full report
RSA Security's full report covers the operational detail this post intentionally leaves for the source:
- Survey methodology and respondent breakdown across IAM, IT, and cybersecurity roles
- Year-over-year comparison tables for breach frequency, breach cost, and passwordless adoption
- The report’s full commentary on AI expectations in security teams and why adoption is accelerating
- Additional context on the help desk bypass concern and the referenced breach examples
👉 Read RSA Security's 2026 ID IQ Report on identity breaches and help desk hijacks →
Help desk hijacks and identity breach costs: what teams need to know
Explore further
Help desk trust is now a privileged access decision, not a support convenience. RSA Security’s findings show that the support workflow itself has become part of the attack surface, especially where recovery actions can override normal authentication assurance. That changes how identity teams should classify the service desk: not as an adjacent operations function, but as a control point that can authorize or expose accounts. Practitioners should treat service desk governance as a core identity risk domain.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when an identity breach starts in the service desk?
A: Accountability sits with the organisation that owns the identity recovery workflow, not just the agent who handled the call. Security, IAM, and service operations all share responsibility for the control design. Frameworks such as Zero Trust and identity governance expect verification to be enforced across the full access lifecycle.
👉 Read our full editorial: Identity breaches surge as help desk hijacks expose IAM gaps