79% of data breaches are linked to identity theft and cost businesses an average of $4.5 million, according to reports from the Identity Defined Security Alliance (IDSA) and the Ponemon Institute. Additionally, the 2025 edition of the Sophos Active Adversary Report reveals that the average time between the start of an attack and data exfiltration is only 72.98 hours (3.04 days), while the average time between exfiltration and attack detection is just 2.7 hours. Cyberattacks are becoming increasingly fast, and the longer a compromised identity remains active, the greater the potential damage.
In light of this, Sophos, one of the world’s leading providers of innovative security solutions designed to neutralize cyberattacks, is taking advantage of Identity Management Day, which takes place today to remind businesses of the best practices they should follow to manage and secure digital identities.
Cybercriminals can use a compromised identity to access confidential information, steal data, move laterally within the organization, and launch further attacks. It is therefore crucial to take immediate action to contain breaches and minimize their consequences. In this context, automation plays a key role by enabling organizations to respond quickly and effectively to identity-related threats.
Five Automated Measures to Protect Against Identity Theft
- Disable the User
When an identity breach is detected, one of the first steps is to disable the compromised user account. By preventing the attacker from using the stolen identity to access company systems and data, this measure outpaces the hacker and helps contain the breach.
Automation significantly speeds up this process. With automated response tools, businesses can quickly identify compromised accounts and disable them in real-time. This reduces the attack window and minimizes potential damage.
2. Force Password Reset
Passwords are often the first line of defense against unauthorized access attempts. In the event of an identity breach, it is essential to immediately force a password reset for the compromised account to prevent hackers from using stolen credentials.
Automated rules can be set up to trigger an instant password reset as soon as a breach is detected. This saves time and ensures that the reset process is initiated without delay, reducing the risk of further unauthorized access attempts.
3. Force Multi-Factor Authentication (MFA) Reset
Multi-factor authentication (MFA) adds an extra layer of security by requiring users to enter a verification code in addition to their password. If an identity breach occurs, it is crucial to reset MFA for the compromised account. This means that the user will have to re-authenticate using their MFA tool, which automatically invalidates any stolen authentication tokens the attacker may have acquired.
Automated rules can trigger the refresh of MFA tokens, ensuring that compromised accounts are quickly reauthenticated. This prevents cybercriminals from using stolen authentication tokens to access company systems.
4. Lock the Account
Locking a compromised account prevents hackers from attempting to use it until the issue is resolved. This also gives the organization time to investigate the breach and apply the necessary corrective measures.
Automation streamlines the account locking process, allowing businesses to lock compromised accounts as soon as a breach is detected. This immediate response helps contain the breach and blocks further unauthorized access attempts.
5. Revoke Active Sessions
In addition to disabling the user account and forcing a password reset, it is essential to revoke all active sessions associated with the compromised identity. This ensures that the attacker is immediately logged out of all systems they accessed using stolen credentials.
Automated actions can be configured to revoke active sessions in real-time, instantly disrupting any unauthorized access. This is a critical measure to neutralize the breach and prevent further malicious activity.
