Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Ransomware protection in 2026: are your identity controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: Ransomware attacks now cost organisations an average of $5.08 million, median dwell time is six days, and nearly half of attacks are surfaced by the adversary before defenders detect them, according to Zero Networks and cited research. The operational lesson is clear: prevention depends on containing identity misuse and lateral movement, not just improving detection.

NHIMG editorial — based on content published by Zero Networks: How to Protect Against Ransomware (2026 Guide)

By the numbers:

Questions worth separating out

Q: What breaks when ransomware attackers can use legitimate admin tools inside the network?

A: When attackers can use legitimate admin tools, detection becomes much harder because the activity looks like ordinary administration.

Q: Why do standing privileges make ransomware much harder to contain?

A: Standing privileges let a compromised identity keep moving after the initial foothold.

Q: How do security teams know whether ransomware containment is actually working?

A: Containment is working when one compromised identity cannot reach backups, directory services, or multiple business-critical zones without additional approval.

Practitioner guidance

  • Map the paths ransomware can already trust Inventory which service accounts, admin roles, and remote management tools can still reach critical systems without additional approval.
  • Restrict native admin tooling by use case Limit PsExec, SSH, RDP, WinRM, and similar tools to approved maintenance workflows and isolate them from general user networks.
  • Apply task-scoped privilege to high-risk identities Replace persistent admin access with just-in-time access and revoke it automatically after the task ends.

What's in the full article

Zero Networks' full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step containment patterns for ransomware, including how the vendor frames identity-aligned microsegmentation.
  • Implementation detail for locking down admin and service accounts without relying on detection-first response.
  • Examples of how deterministic policy automation is positioned for dynamic environments.
  • The article’s own breakdown of ransomware trends, case studies, and product-oriented containment guidance.

👉 Read Zero Networks' guide to ransomware protection in 2026 →

Ransomware protection in 2026: are your identity controls enough?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Identity containment is now the primary ransomware control plane: Ransomware succeeds when valid identity paths remain broad enough to support lateral movement after initial access. That makes identity policy, segmentation, and privilege scoping part of the same control surface, not separate disciplines. If identity can still reach everything, ransomware can still spread.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows how slowly identity remediation can trail compromise, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when ransomware spreads through privileged internal access?

A: Accountability usually sits across IAM, PAM, network security, and platform teams because the failure spans identity scope and network trust. Organisations should assign clear ownership for privilege boundaries, segmentation policy, and credential lifecycle so one weak control does not become everyone’s blind spot.

👉 Read our full editorial: Ransomware protection in 2026 depends on identity containment



   
ReplyQuote
Share: