Least privilege and ransomware: what IAM teams are missing

TL;DR: Ransomware defence remains reactive for many organisations, and Delinea cites research showing only 34% have adopted least privilege, leaving broad pathways for lateral movement, unauthorized software, and compromised suppliers to expand impact. That gap matters because identity-first controls still shape how far ransomware can travel once an account or system is breached.

NHIMG editorial — based on content published by Delinea: Why your organization needs to defend against ransomware with least privilege access

By the numbers:

• Only 34% of organizations have adopted a least privilege approach.
• Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.

Questions worth separating out

Q: How should security teams implement least privilege for ransomware defence?

A: Start with the identities that can cause the most spread: administrators, service accounts, backup operators, and third-party support users.

Q: Why does least privilege reduce ransomware impact?

A: Least privilege reduces ransomware impact because it limits what a compromised identity can reach after the initial foothold.

Q: What do organisations get wrong about privileged access in ransomware defence?

A: They often treat privileged access as a rare exception, then leave it standing for convenience.

Practitioner guidance

• Inventory every identity with recovery-relevant access Identify which users, service accounts, and supplier identities can reach backup systems, admin consoles, deployment tools, and remote management channels.
• Replace standing privilege with time-bound elevation Use PAM and JIT access for administrative tasks so elevated rights are granted only when needed and revoked immediately after use.
• Review third-party access as a ransomware entry path Limit supplier accounts to named systems, named tasks, and named windows of use.

What's in the full article

Delinea's full blog post covers the operational detail this post intentionally leaves for the source:

• How Delinea recommends applying least privilege across users, machines, and third-party access paths
• The specific ransomware defence tooling and workflow categories the article names, including IAM, PAM, CIEM, and ITDR
• The article's summary of Delinea's 2025 State of Ransomware Report and the survey findings behind the 34% adoption figure
• The practical examples Delinea gives for blocking unauthorized software installation and lateral movement

👉 Read Delinea's analysis of least privilege in ransomware defence →

Least privilege and ransomware: what IAM teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →