Posted on: 7 May 2026
Why OT and IT credential convergence is the energy sector’s defining vulnerability
The February 2021 attack on Oldsmar's water treatment facility in Florida began with a single compromised credential. Within minutes, an attacker had gained remote access and attempted to poison the water supply for 15,000 residents by increasing sodium hydroxide levels to dangerous concentrations. Only quick intervention by an on-site operator prevented catastrophe.
This incident crystallises a fundamental shift in critical infrastructure security. As operational technology (OT) systems converge with IT networks, the traditional air-gap defence has dissolved. What remains is an authentication architecture designed for office environments, now protecting systems that control power grids, refineries, and water supplies.
The convergence problem
Energy sector organisations face an unprecedented authentication challenge. Legacy OT systems, designed for isolation and reliability, now require connectivity for efficiency and monitoring. Meanwhile, IT systems demand flexibility and user convenience. The result is a hybrid environment where industrial control systems share network infrastructure with corporate applications, each governed by incompatible security models.
The complexity multiplies across typical energy infrastructure. A single facility might host distributed control systems managing turbines, SCADA networks monitoring transmission lines, enterprise resource planning systems tracking maintenance, and cloud-based analytics platforms optimising performance. Each system requires authentication, yet none were designed to work together securely.
This convergence creates what security researchers term "credential sprawl" – the proliferation of usernames, passwords, certificates, and tokens across systems. Workers managing both IT and OT systems often reuse credentials or store them in accessible locations to maintain operational efficiency. The result is an expanded attack surface where compromise of any single credential can cascade across both domains.
The scale of exposure
Recent data reveals the magnitude of this vulnerability. The 2023 Verizon Data Breach Investigations Report found that 49% of breaches involved stolen credentials, with critical infrastructure sectors experiencing a 13% increase year-over-year. Within energy specifically, the Industrial Control Systems Cyber Emergency Response Team reported 70 incidents in 2022, with 43% attributed to credential-based attacks.
More alarming is the convergence trend itself. Dragos Inc.'s 2023 Industrial Cybersecurity Year in Review found that 74% of industrial organisations now have some level of IT-OT network convergence, compared to 52% in 2020. Yet only 31% have implemented unified authentication policies across both domains.
The financial implications are substantial. According to IBM's Cost of a Data Breach Report 2023, critical infrastructure breaches cost an average of $5.04 million – 4.5% above the global average. For energy companies specifically, operational disruption costs can exceed security remediation by a factor of ten, as extended outages trigger regulatory penalties and customer compensation requirements.
Perhaps most concerning is the persistence problem. Mandiant's M-Trends 2023 report found that attackers maintain access to critical infrastructure networks for an average of 146 days before detection. During this period, they often establish multiple credential-based footholds, making complete remediation extremely difficult.
Why current solutions fall short
Traditional identity and access management approaches prove inadequate for this converged environment. Single sign-on systems, designed for IT convenience, often cannot integrate with industrial protocols. Privileged access management tools may protect high-value accounts but leave standard OT credentials exposed. Multi-factor authentication, while valuable, can be bypassed through credential stuffing or social engineering.
The fundamental problem lies deeper than tool selection. Most authentication systems assume users should create, know, and control their own credentials. This user-centric model prioritises convenience over security, allowing password reuse, weak credential selection, and insecure storage practices.
Zero Trust architectures, increasingly popular in enterprise IT, face similar limitations in OT environments. While continuous verification improves security posture, these systems still rely on initial credential-based authentication. If those underlying credentials are compromised, Zero Trust verification becomes meaningless.
Rethinking credential control
A structural solution requires abandoning user-controlled credentials entirely. Instead of allowing workers to create and manage authentication tokens, organisations must generate, distribute, and revoke every credential through centralised systems. Users should never see, store, or control the credentials that grant them access.
This approach, exemplified by solutions like MyCena's patented credential control technology, inverts the traditional model. Rather than protecting user-held credentials, it eliminates user credential visibility entirely. Access becomes unphishable because workers cannot inadvertently share what they do not possess.
The technology encrypts and distributes credentials automatically based on role requirements and security policies. When access is needed, the system provides temporary, encrypted tokens that authenticate without user knowledge. Revocation becomes instantaneous since credentials exist only within the managed system.
For energy sector applications, this model addresses both IT and OT requirements. IT systems benefit from seamless authentication without password management overhead. OT systems gain modern authentication capabilities without compromising operational reliability. The unified approach eliminates credential sprawl by centralising all authentication tokens under organisational control.
The strategic imperative
Energy sector leaders face a clear choice. The convergence of IT and OT systems is irreversible, driven by efficiency demands and digital transformation initiatives. Traditional credential management approaches, designed for simpler environments, cannot secure this new reality.
Regulatory pressure intensifies this timeline. The EU's NIS2 Directive, effective October 2024, explicitly requires critical infrastructure operators to implement "state-of-the-art" cybersecurity measures. US pipeline operators face similar requirements under Transportation Security Administration directives following Colonial Pipeline's 2021 ransomware attack.
The solution requires recognising that identity and access are distinct concepts. Workers need verified identity to perform their roles, but they do not need to hold the credentials that grant system access. By separating these functions, organisations can maintain operational efficiency while achieving unprecedented security resilience.
The question is not whether credential-based attacks will target converged IT-OT infrastructure – they already have. The question is whether energy sector organisations will abandon vulnerable authentication models before the next Oldsmar incident succeeds.
Why Clinical Staff Controlling Their Own Credentials Is a Structural HIPAA Failure
When hackers breached CommonSpirit Health in October 2022, compromising 623,774 patient records across 142 hospitals, the attack vector was disturbingly familiar: compromised employee credentials. The cybercriminals didn't exploit a sophisticated zero-day vulnerability or breach air-gapped systems. They simply used legitimate clinical staff login details to access protected health information, highlighting a fundamental flaw in how healthcare organisations approach credential security.
The breach underscores a critical structural problem that permeates healthcare cybersecurity: clinical staff creating, controlling, and ultimately compromising their own digital credentials creates an inherent HIPAA compliance failure that no amount of additional security layers can fully address.
The Healthcare Credential Control Problem
Healthcare organisations face a unique challenge in credential management. Unlike other sectors, clinical environments require rapid access to patient data across multiple systems, often in life-or-death situations. This urgency has traditionally justified allowing healthcare workers to create and manage their own passwords, PINs, and authentication methods.
However, this approach creates what security experts term "credential sprawl" – a phenomenon where individual users accumulate dozens of self-created login details across electronic health records (EHR), pharmaceutical databases, medical device interfaces, and administrative systems. Each credential represents a potential entry point for malicious actors seeking access to protected health information (PHI).
The problem extends beyond simple password hygiene. When clinical staff control their own credentials, they inevitably reuse passwords across systems, store them in unsecured locations, or share them with colleagues during shift changes. This behaviour, while understandable given operational pressures, creates systematic HIPAA violations that organisations struggle to detect or prevent.
The Scale of Healthcare Cybersecurity Breaches
Healthcare data breaches have reached epidemic proportions. According to the Department of Health and Human Services' Office for Civil Rights, healthcare organisations reported 707 data breaches affecting 500 or more individuals in 2023, exposing over 133 million patient records – a 141% increase from 2022.
The financial impact is equally severe. IBM's 2023 Cost of a Data Breach Report found healthcare breaches cost an average of $10.93 million per incident, nearly three times the cross-industry average of $4.45 million. More critically, the Ponemon Institute's research indicates that 83% of healthcare breaches involve compromised credentials as either the primary attack vector or a significant contributing factor.
These statistics reveal a troubling pattern: despite substantial investments in cybersecurity infrastructure, healthcare organisations remain vulnerable to attacks that exploit the fundamental weakness of user-controlled credentials. The problem isn't technological sophistication – it's structural control.
Why Traditional Security Tools Miss the Mark
Healthcare organisations typically respond to credential-related breaches by layering additional security technologies. Identity and Access Management (IAM) systems promise better user provisioning. Privileged Access Management (PAM) tools monitor high-risk accounts. Single Sign-On (SSO) reduces password fatigue. Multi-Factor Authentication (MFA) adds verification steps. Zero Trust architectures assume breach and verify continuously.
Yet these solutions share a critical flaw: they still permit users to create, know, and control their own credentials. IAM systems may enforce password complexity, but users still choose and remember passwords. PAM tools may monitor privileged sessions, but users still input their own authentication factors. SSO may reduce the number of passwords, but users still control the master credential. MFA may add security layers, but users still possess the primary authentication factor.
This fundamental design assumption – that users should control their own credentials – creates an irreducible security vulnerability. Social engineering attacks, phishing campaigns, and credential stuffing attacks all exploit this user control to gain unauthorised access to healthcare systems.
The Structural Solution: Organisational Credential Control
Addressing healthcare's credential security crisis requires abandoning the assumption that users should control their own authentication factors. Instead, organisations must generate, distribute, and revoke every credential without users ever seeing or controlling them.
This approach, termed "credential custody," ensures that healthcare organisations maintain complete control over access to PHI. When the organisation generates encrypted credentials and distributes them through secure channels, clinical staff can access necessary systems without ever possessing the underlying authentication secrets. When staff leave, change roles, or face security concerns, the organisation can instantly revoke access without relying on user cooperation or password changes.
MyCena's patented credential control technology demonstrates how this structural approach works in practice. Rather than asking clinical staff to create passwords, the system generates encrypted access credentials that users never see. Authentication happens automatically through secure organisational channels, eliminating the possibility of credential compromise through user action or inaction.
This isn't simply an additional security layer – it's a fundamental restructuring of the relationship between identity and access. Clinical staff retain their identity and role-based permissions, but the organisation maintains exclusive control over the mechanisms that grant system access.
The HIPAA Compliance Imperative
For healthcare organisations, implementing credential custody isn't merely a security best practice – it's a HIPAA compliance necessity. The regulation's Administrative Safeguards require covered entities to "assign a unique name and/or number for identifying and tracking user identity." When users control their own credentials, organisations cannot truly verify user identity or track access with the certainty HIPAA demands.
Furthermore, HIPAA's Access Management standard requires organisations to implement "procedures for granting access to electronic protected health information." User-controlled credentials make it impossible to implement genuine access control procedures, since users can modify, share, or compromise their authentication factors without organisational knowledge.
Healthcare CISOs and compliance officers should evaluate their current credential management practices against these HIPAA requirements. Organisations that allow clinical staff to create and control their own credentials may face regulatory exposure that extends beyond cybersecurity concerns to fundamental compliance failures.
The path forward requires recognising that identity and access are separate concepts. Clinical staff identities – their roles, permissions, and responsibilities – can remain unchanged while organisations assume complete control over access mechanisms. This structural shift transforms credential security from a user responsibility to an organisational capability, finally aligning cybersecurity practices with HIPAA compliance requirements.
Why cleared personnel controlling their own credentials is a national security vulnerability
The recent breach of Snowflake's cloud infrastructure, which compromised data from over 165 major organisations including Ticketmaster and Santander Bank, began with a single compromised credential. More concerning for national security professionals: the attack vector wasn't a sophisticated zero-day exploit, but credentials stolen from an employee's personal device through common malware. When personnel with security clearances control their own access credentials, they create systemic vulnerabilities that no amount of training or technology layering can fully mitigate.
The credential control paradox in defence organisations
Defence contractors, government agencies, and cleared facilities operate under a fundamental security contradiction. While physical access to sensitive areas requires strict organisational control—with badges issued, tracked, and revoked centrally—digital access credentials remain largely under individual user control. Personnel create their own passwords, manage their own authentication tokens, and store credentials on personal devices and browsers.
This approach violates basic security principles that govern every other aspect of classified environments. No cleared facility would allow personnel to manufacture their own security badges or choose their own access codes. Yet the digital equivalent happens thousands of times daily across the defence sector, creating attack surfaces that hostile actors actively exploit.
The problem extends beyond weak passwords. Even when organisations mandate complex password policies and multi-factor authentication, the fundamental vulnerability remains: users possess and control the very credentials that grant access to sensitive systems. This possession creates multiple exploitation vectors that sophisticated adversaries understand and target systematically.
The scale of the credential compromise problem
Current breach statistics reveal the magnitude of this vulnerability. According to Verizon's 2024 Data Breach Investigations Report, 68% of breaches involve a human element, with stolen credentials accounting for 31% of all data breaches—making it the second most common attack vector after social engineering. For government and defence contractors, these figures represent more than financial risk; they constitute potential national security compromises.
The Cybersecurity and Infrastructure Security Agency (CISA) reports that in 2023, credential-based attacks increased by 71% compared to the previous year. Their analysis of nation-state attacks shows that 89% began with compromised user credentials, often obtained through phishing campaigns specifically targeting cleared personnel.
More troubling is the persistence of these attacks. IBM's Cost of a Data Breach Report 2024 found that breaches involving stolen credentials took an average of 292 days to identify and contain—nearly ten months during which adversaries maintain unauthorised access to sensitive systems. For organisations handling classified information, this timeline represents an unacceptable window of potential intelligence compromise.
The human factor compounds these risks exponentially. Research from the SANS Institute indicates that 61% of security professionals reuse passwords across multiple systems, including personal accounts that lack enterprise-grade security controls. When these personal accounts are compromised—as occurred in the Snowflake breach—the exposure can cascade into organisational systems.
Why current security solutions fail to address the root cause
Modern security architectures typically layer multiple technologies: Identity and Access Management (IAM), Privileged Access Management (PAM), Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Zero Trust frameworks. While these tools provide valuable security enhancements, they fail to address the fundamental vulnerability because they still rely on user-controlled credentials.
IAM systems excel at managing user identities and permissions but typically allow users to create and manage their own passwords. PAM solutions secure privileged accounts but often through password vaults that users must access—creating another credential-dependent layer. SSO reduces the number of credentials users must remember but concentrates risk in master credentials that users still control.
MFA adds authentication factors but doesn't eliminate credential exposure. Sophisticated attacks increasingly target MFA systems through techniques like SIM swapping, social engineering, and malware that intercepts authentication tokens. The Lapsus$ group's attacks on Microsoft and other major organisations demonstrated how MFA can be bypassed when attackers gain access to user-controlled credentials and devices.
Zero Trust architectures represent a significant advancement in security thinking by assuming breach and continuously verifying trust. However, most implementations still rely on user-controlled credentials for initial authentication, creating a single point of failure that undermines the entire security model.
The structural solution: organisational credential control
The solution requires a fundamental architectural shift: organisations must control the entire credential lifecycle, from generation through distribution to revocation. Rather than allowing users to create or possess credentials, secure systems should generate credentials organisationally, distribute them through encrypted channels, and maintain complete control over their usage.
This approach treats digital credentials like physical security tokens in a classified facility. Users receive access through organisationally controlled mechanisms but never possess or control the underlying authentication materials. When access is required, the system authenticates users through credentials they cannot see, copy, or compromise.
MyCena's patented technology demonstrates how this principle works in practice. The platform generates unique, encrypted credentials for each user and system interaction, but users never possess or control these credentials directly. Access becomes truly unphishable because there are no user-controlled credentials to steal or compromise. The organisation maintains complete oversight of credential generation, distribution, and revocation, creating an audit trail that meets the most stringent compliance requirements.
This approach aligns with regulatory frameworks including NIST 800-53 controls for access management, DoD 8570 requirements for information assurance, and FedRAMP authorization standards. By removing user control over credentials, organisations can demonstrate compliance with principles-based security requirements rather than relying solely on checklist approaches.
Strategic implications for defence organisations
The shift from user-controlled to organisation-controlled credentials represents more than a technical change; it requires a fundamental reimagining of access management strategies. Defence organisations that implement credential control gain several strategic advantages: genuinely unphishable access, complete audit visibility, and simplified compliance demonstration.
For security professionals responsible for protecting classified information, the choice is increasingly clear. Continuing to allow cleared personnel to control their own credentials perpetuates a fundamental vulnerability that sophisticated adversaries understand and exploit. Organisational credential control provides a structural solution that addresses the root cause rather than merely adding additional layers of complexity.
The question facing defence leaders is not whether credential-based attacks will continue—they will intensify. The question is whether organisations will address the fundamental vulnerability or continue attempting to solve it through technological layering that leaves the core problem intact.
Tier 1, 2, and 3 suppliers hold credentials to your production systems. All of them.
When Toyota shut down 28 manufacturing plants across Japan in February 2022 following a cyberattack on supplier Kojima Industries, the automotive giant's production ground to a halt for an entire day. The breach cost Toyota an estimated 13,000 vehicles in lost production. The attack vector? Compromised supplier credentials that provided direct access to Toyota's production planning systems.
This incident exposed a fundamental vulnerability in modern manufacturing: every tier of your supply chain holds digital keys to your most critical systems. From Tier 1 suppliers managing just-in-time inventory flows to Tier 3 vendors monitoring equipment sensors, each partner requires authenticated access to production networks. Each represents a potential entry point for threat actors.
The manufacturing credential paradox
Manufacturing's digital transformation has created an intricate web of system interdependencies. Production lines rely on real-time data exchanges between OEMs, suppliers, logistics providers, and maintenance contractors. Industry 4.0 initiatives have only intensified these connections, with suppliers now accessing predictive maintenance dashboards, inventory management systems, and quality control databases.
Consider a typical automotive manufacturer: Tier 1 suppliers need access to production scheduling systems to coordinate just-in-time deliveries. Tier 2 component manufacturers require visibility into demand forecasts and quality specifications. Tier 3 raw material suppliers must integrate with procurement platforms and compliance reporting tools. Each access point requires credentials—usernames, passwords, API keys, or certificates.
The mathematical reality is stark: a manufacturing organisation with 200 suppliers, each requiring access to an average of three systems, creates 600 potential credential-based attack vectors. Traditional security models assume these credentials remain secure across hundreds of external organisations, each with varying cybersecurity maturity levels.
The data tells the story
Recent research from IBM's Cost of a Data Breach Report 2023 found that 19% of breaches in manufacturing originated from compromised partner credentials, with an average cost of $4.45 million per incident. The manufacturing sector ranked third-highest for credential-based attacks, behind only financial services and healthcare.
Ponemon Institute's 2023 State of Third-Party Risk Management study revealed that 56% of manufacturing executives experienced a data breach caused by third-party access in the past 24 months. More concerning, 74% of manufacturers admitted they have limited visibility into how suppliers manage credentials for accessing their systems.
The UK's National Cyber Security Centre reported a 300% increase in supply chain attacks targeting manufacturing between 2021 and 2023, with 82% involving compromised supplier credentials as the initial attack vector.
Operational disruption amplifies financial impact in manufacturing. When production stops, costs compound rapidly. Deloitte's Supply Chain Risk Survey found that manufacturers experiencing credential-related supply chain breaches faced an average of 3.2 days of production downtime, translating to $1.2 million in lost revenue per day for mid-sized manufacturers.
Why conventional security tools miss the mark
Identity and Access Management (IAM) systems excel at managing internal employee access but struggle with external supplier credentials. IAM platforms typically rely on suppliers to self-manage their authentication, creating visibility gaps and inconsistent security policies across the supply chain.
Privileged Access Management (PAM) solutions provide session monitoring and credential vaulting but require suppliers to access a centralised portal—often impractical for real-time manufacturing integrations. PAM systems also depend on suppliers following prescribed access procedures, introducing friction that operational teams frequently bypass.
Single Sign-On (SSO) reduces credential proliferation but doesn't eliminate it. Suppliers still hold the initial authentication credentials needed to access SSO systems. Furthermore, SSO creates a single point of failure: compromise one supplier's SSO credentials, and multiple systems become accessible.
Multi-Factor Authentication (MFA) adds security layers but remains vulnerable to sophisticated attacks. The 2023 Lapsus$ campaigns demonstrated how threat actors bypass MFA through social engineering, SIM swapping, and prompt bombing techniques. For suppliers operating across multiple time zones with varying technical capabilities, MFA implementation often becomes inconsistent.
Zero Trust architectures improve network segmentation and continuous verification but still rely on traditional credential models. Zero Trust validates that supplied credentials are authentic but cannot prevent their theft or misuse if compromised at the supplier's end.
The fundamental flaw in all these approaches: they assume suppliers can securely hold and manage credentials. In reality, suppliers face the same credential security challenges as any organisation, often with fewer resources and less mature cybersecurity programmes.
Rethinking credential ownership
The solution requires inverting the traditional credential model. Instead of distributing credentials to suppliers and hoping they remain secure, manufacturers need to retain complete control over authentication while maintaining operational efficiency.
MyCena's patented approach separates identity from access by ensuring suppliers never possess usable credentials. The system generates unique, encrypted credentials for each supplier interaction and transmits them through secure channels directly to authentication systems. Suppliers receive access to required systems without ever seeing, storing, or potentially compromising the underlying credentials.
This model makes phishing attacks ineffective—suppliers cannot surrender credentials they don't possess. Social engineering fails when targets have no authentication secrets to divulge. Even if a supplier's systems are completely compromised, threat actors find no credentials to steal or misuse.
For manufacturers, this approach provides complete audit trails, real-time access control, and instant revocation capabilities across the entire supply chain. When supplier relationships change or security incidents occur, access can be immediately terminated without requiring coordination with external parties.
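The credential-custody model described here, and in the earlier "Rethinking credential control" and "structural solution" sections, as an added illustrative sketch that is not MyCena's code and makes no claim about the product's internals. The class and entity names (CustodyBroker, TargetSystem, "scada-hmi", "operator-01") and the token/TTL mechanics are assumptions for illustration; what it shows is that the user only ever holds a short-lived, single-use grant, the real credential never leaves the organisation's vault, and revocation is immediate and needs nothing from the user or the target system.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessGrant:
    """What the user receives: an opaque, short-lived, single-use token, never the target secret."""
    token: str
    target: str
    expires_at: float


class TargetSystem:
    """Stand-in for a SCADA HMI, EHR or supplier portal; it knows only its own credential."""
    def __init__(self, credential: str) -> None:
        self._credential = credential

    def authenticate(self, presented: str) -> bool:
        return secrets.compare_digest(presented, self._credential)


class CustodyBroker:
    """Organisation-held vault plus policy engine; real credentials never leave this object."""

    def __init__(self, ttl_seconds: int = 300) -> None:
        self.ttl = ttl_seconds
        self._vault: Dict[str, str] = {}            # target -> real credential
        self._targets: Dict[str, TargetSystem] = {}
        self._roles: Dict[str, Set[str]] = {}       # identity -> permitted targets
        self._revoked: Set[str] = set()
        self._grants: Dict[str, Tuple[str, str, float]] = {}  # token -> (identity, target, expiry)
        self.audit: List[Tuple[float, str, str, str]] = []  # (time, identity, target, event)

    def enrol_target(self, name: str) -> None:
        # The organisation generates the credential; no person ever types or sees it.
        cred = secrets.token_urlsafe(32)
        self._vault[name] = cred
        self._targets[name] = TargetSystem(cred)

    def assign_role(self, identity: str, targets: Set[str]) -> None:
        self._roles[identity] = set(targets)

    def request_access(self, identity: str, target: str, now: float) -> Optional[AccessGrant]:
        """Identity is assumed verified upstream (SSO, badge); only policy is checked here."""
        allowed = (identity not in self._revoked and target in self._targets
                   and target in self._roles.get(identity, set()))
        self.audit.append((now, identity, target, "granted" if allowed else "denied"))
        if not allowed:
            return None
        token = secrets.token_urlsafe(24)
        self._grants[token] = (identity, target, now + self.ttl)
        return AccessGrant(token, target, now + self.ttl)

    def connect(self, grant: AccessGrant, now: float) -> bool:
        """Broker-side connector: redeems the grant once and logs in on the user's behalf."""
        entry = self._grants.pop(grant.token, None)       # single use: gone after this
        if entry is None:
            return False
        identity, target, expires_at = entry
        if now > expires_at or identity in self._revoked:
            self.audit.append((now, identity, target, "rejected"))
            return False
        ok = self._targets[target].authenticate(self._vault[target])
        self.audit.append((now, identity, target, "connected" if ok else "failed"))
        return ok

    def revoke(self, identity: str, now: float) -> int:
        """Instant revocation: no target password change, no user cooperation. Returns grants dropped."""
        self._revoked.add(identity)
        stale = [tok for tok, (who, _, _) in self._grants.items() if who == identity]
        for tok in stale:
            del self._grants[tok]
        self.audit.append((now, identity, "*", "revoked"))
        return len(stale)

    def secret_leaked_to_user(self, grant: AccessGrant) -> bool:
        """Custody check: does anything handed to the user contain a vaulted secret?"""
        return any(cred in grant.token + grant.target for cred in self._vault.values())


def demo() -> dict:
    """Walk one operator through grant, use, replay, expiry and revocation (constructed data)."""
    broker = CustodyBroker(ttl_seconds=300)
    broker.enrol_target("scada-hmi")
    broker.assign_role("operator-01", {"scada-hmi"})
    t0 = 1_700_000_000.0
    g1 = broker.request_access("operator-01", "scada-hmi", now=t0)
    r = {"secret_leaked": broker.secret_leaked_to_user(g1),
         "first_use": broker.connect(g1, now=t0 + 1),
         "replay": broker.connect(g1, now=t0 + 2)}
    g2 = broker.request_access("operator-01", "scada-hmi", now=t0)
    r["expired"] = broker.connect(g2, now=t0 + 301)
    g3 = broker.request_access("operator-01", "scada-hmi", now=t0 + 400)
    r["dropped_on_revoke"] = broker.revoke("operator-01", now=t0 + 401)
    r["after_revoke_connect"] = broker.connect(g3, now=t0 + 402)
    r["after_revoke_request"] = broker.request_access("operator-01", "scada-hmi", now=t0 + 403)
    r["unassigned_target"] = broker.request_access("operator-01", "erp", now=t0)
    return r
```

The demo() walk-through returns each outcome so the replay, expiry and post-revocation attempts can be checked, and broker.audit holds the per-identity trail the articles describe.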
The competitive imperative
Manufacturing operates on razor-thin margins where security breaches can eliminate quarters of profitability. As supply chains become more digitally integrated, credential security will increasingly differentiate competitive manufacturers from vulnerable ones. Regulations are following suit: the EU's NIS2 Directive and proposed US supply chain security requirements will mandate stricter oversight of supplier access to critical systems.
The question for manufacturing leadership is not whether to address supply chain credential risks, but whether to act before or after a Toyota-scale disruption forces change. In an industry where hours of downtime translate to millions in losses, the mathematics of prevention versus response is compelling.
The next generation of manufacturing security starts with a simple premise: if suppliers don't hold your credentials, they cannot lose them.
The BPO credential problem every financial services firm is carrying
When Medibank's customer data breach exposed 9.7 million records in October 2022, investigators traced the attack vector to compromised credentials at a third-party provider. The incident crystallised a growing concern across financial services: Business Process Outsourcing (BPO) arrangements create credential exposure that traditional security frameworks cannot adequately address.
The hidden liability in your supply chain
Financial institutions have spent the past decade hardening their internal security posture, deploying sophisticated identity and access management systems, implementing zero-trust architectures, and enforcing multi-factor authentication across their estates. Yet a critical vulnerability persists in plain sight: the credentials managed by Business Process Outsourcing partners.
BPO arrangements in financial services typically involve sensitive operations—customer service, claims processing, transaction monitoring, compliance reporting, and data analytics. These partnerships require BPO providers to maintain administrative access to core banking systems, trading platforms, customer databases, and regulatory reporting tools. Each access point represents a credential that, if compromised, can provide attackers with a direct pathway into the financial institution's most sensitive systems.
The challenge extends beyond simple access management. BPO environments often operate under different security standards, employ staff with varying levels of security awareness, and maintain credential practices that would be considered inadequate within the financial institution itself. Yet these same credentials can access systems containing customer financial data, trading information, and regulatory filings.
The scale of exposure
Recent industry analysis reveals the extent of this exposure. According to the Financial Conduct Authority's 2023 operational resilience survey, 78% of UK financial services firms rely on critical BPO arrangements, with an average of 12 third-party providers having access to systems classified as important business services.
Verizon's 2023 Data Breach Investigations Report found that 61% of breaches in financial services involved compromised credentials, with 43% of these originating from partner or supply chain access points. The average cost of a supply chain breach in financial services reached $4.8 million in 2023, according to IBM Security's Cost of a Data Breach report.
The regulatory implications are equally concerning. The European Central Bank's 2023 cyber incident reporting data shows that 34% of significant cyber incidents reported by credit institutions involved third-party or outsourcing arrangements. In the United States, the Office of the Comptroller of the Currency cited inadequate third-party risk management in 23% of enforcement actions against national banks in 2023.
Perhaps most tellingly, a study by the Ponemon Institute found that financial services organisations can identify only 57% of the credentials held by their BPO providers at any given time. This visibility gap represents a fundamental control failure in environments where regulatory frameworks demand comprehensive oversight of access to sensitive systems.
Why current security tools miss the mark
The financial services sector has invested heavily in sophisticated access management technologies, yet these solutions fail to address the fundamental issue of credential control in BPO relationships.
Identity and Access Management (IAM) systems excel at managing identities within organisational boundaries but struggle with the distributed nature of BPO credentials. These systems can provision and deprovision access, but they cannot prevent BPO staff from accessing, copying, or sharing the underlying credentials themselves.
Privileged Access Management (PAM) solutions provide session recording and approval workflows, but they still rely on the principle that users hold their own credentials. When a BPO employee receives credentials for a privileged account, PAM systems can monitor how those credentials are used but cannot prevent the credentials from being compromised at source.
Single Sign-On (SSO) reduces credential proliferation but requires extensive integration work and may not be feasible across complex BPO arrangements involving multiple systems and platforms. More fundamentally, SSO still requires users to hold authentication credentials, merely consolidating rather than eliminating the risk.
Multi-Factor Authentication (MFA) adds a layer of security but does not address credential theft. Sophisticated attackers have demonstrated numerous techniques for bypassing MFA, from SIM swapping to real-time phishing attacks that capture both passwords and authentication tokens.
Zero Trust architectures improve security posture by assuming no inherent trust, but they still must grant access based on some form of credential verification. If those underlying credentials are compromised, Zero Trust principles provide limited protection.
The common failure across these approaches is structural: they assume that users must hold credentials to access systems. This assumption creates an inherent vulnerability that no amount of monitoring, encryption, or access control can fully eliminate.
Solving credential control at source
The solution lies in fundamentally restructuring credential ownership and distribution. Rather than allowing BPO partners to create, hold, and manage credentials, financial institutions need systems where credentials are generated, distributed, and controlled entirely by the organisation—with users never gaining direct access to the credential material itself.
Under this model, when a BPO employee needs to access a financial system, they receive encrypted credential material that can only be decrypted and used within a controlled environment. The employee cannot extract, copy, or share the underlying credentials because they never possess them in a readable format. Access becomes cryptographically bound to specific devices and sessions, making credential theft practically impossible.
MyCena's patented credential control technology demonstrates this approach in practice. The system generates unique encrypted credentials for each user and session, distributing them through secure channels without ever exposing the credential material to the end user. BPO employees can access the systems they need to perform their roles, but the underlying authentication mechanism remains entirely under the financial institution's control.
This architectural shift transforms BPO credential management from a risk management exercise into a technical control. Rather than hoping that BPO partners will maintain adequate security practices, financial institutions can ensure that compromise of BPO environments cannot lead to credential theft.
The compliance imperative
For financial services firms, the implications are clear. Regulatory frameworks increasingly require demonstrable control over third-party access to sensitive systems. The EU's DORA regulation, which takes effect in January 2025, explicitly requires financial entities to maintain "full oversight and accountability" for ICT services provided by third parties.
The time for treating BPO credential management as a contractual rather than technical problem has passed. Financial institutions that continue to rely on traditional access management approaches for BPO relationships are carrying a structural vulnerability that regulatory scrutiny and threat actor sophistication will inevitably expose.
The path forward requires recognising that identity and access are separate concepts—and that true security emerges from controlling access without distributing the credentials that enable it.
By | Posted on: 7 May 2026
SOC 2, ISO 27001, and NIS2: what MSPs must evidence on credential governance
The £36 million fine imposed on British Airways following its 2018 data breach sent shockwaves through every sector that handles client data. For Managed Service Providers (MSPs), the message was unambiguous: credential compromise affecting customer environments now carries existential financial risk. Yet three years after NIS2 came into force, most MSPs remain fundamentally exposed to the same attack vector that felled BA—compromised credentials that auditors cannot trace, control, or revoke.
The MSP credential complexity crisis
MSPs face a unique credential governance challenge that traditional enterprises do not. Where a corporation manages credentials for its own employees accessing its own systems, MSPs must govern credentials across multiple client environments, each with distinct security requirements and regulatory obligations.
Consider a mid-sized MSP managing 200 client environments. Each technician requires administrative access to client systems, backup platforms, monitoring tools, and cloud infrastructure. Multiply this across shift patterns, contractor access, and emergency response scenarios, and the credential count rapidly exceeds 50,000 active credentials. When SOC 2 Type II auditors examine this environment, they require evidence of credential creation, distribution, usage monitoring, and revocation for every single access point.
The regulatory burden intensifies under NIS2, which explicitly requires "appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems." For MSPs, this translates to demonstrable control over every credential that could impact client systems. ISO 27001 certification, increasingly demanded by enterprise clients, requires similar evidence under control A.9.2.1 (User Registration and De-registration) and A.9.2.6 (Access Rights Review).
The data tells a stark story
Recent research from the Ponemon Institute reveals that 61% of data breaches in managed services environments involve compromised credentials. More concerning for MSPs: the average time to identify a credential-based breach is 287 days, during which attackers maintain persistent access to client environments.
Verizon's 2024 Data Breach Investigations Report found that 68% of breaches involving managed service providers used stolen credentials as the primary attack vector. The financial impact extends beyond direct losses—MSPs report an average 23% client churn rate following a credential-related security incident, according to CompTIA's 2024 MSP Trust and Security Study.
Regulatory penalties compound these losses. Under NIS2, fines can reach €10 million or 2% of global annual turnover. For MSPs operating on typical 15-20% margins, a single significant breach can eliminate years of profit growth.
The compliance burden generates hidden costs too. MSPs report spending an average of 40 hours per quarter preparing credential governance evidence for SOC 2 audits, according to Service Leadership research. ISO 27001 certified MSPs spend 60% more time on credential documentation than their non-certified counterparts.
Why current tools fall short of regulatory requirements
Identity and Access Management (IAM) platforms promise credential control but typically delegate password creation to users. When auditors examine IAM logs, they see access events but cannot verify who actually created or knows the credential. SOC 2's CC6.1 control requires evidence that logical access is "restricted to authorised users"—difficult to prove when users generate their own passwords.
Privileged Access Management (PAM) solutions create another layer of complexity. While PAM tools can vault and rotate passwords, they still rely on users creating initial credentials. Under ISO 27001's A.9.4.3 control (Privileged Access Rights Management), organisations must demonstrate that privileged credentials are "allocated and used on a restricted and controlled basis." User-generated passwords cannot meet this standard.
Single Sign-On (SSO) centralises authentication but does not address the fundamental issue: users still create and know their credentials. Multi-Factor Authentication (MFA) adds security layers but phishing attacks increasingly defeat SMS and app-based MFA. Microsoft reported a 74% increase in successful phishing attacks against MFA-protected accounts in 2024.
Zero Trust architectures assume breach and verify every transaction, but verification relies on credentials that users control. If the underlying credential is compromised, Zero Trust becomes a sophisticated system for authenticating attackers.
The common failure point across all these technologies: they conflate identity with access. Users prove who they are using credentials they created and control. This fundamental design makes credentials inherently phishable and governance inherently incomplete.
Separating identity from access control
The solution requires recognising that identity and access represent distinct concepts. Identity establishes who someone is; access determines what they can reach. Current systems blur this distinction by letting users create credentials that serve both functions.
MyCena Technologies has developed a patented approach that separates these functions entirely. Under this model, organisations generate all credentials using cryptographic processes. These credentials are encrypted and distributed to authorised users, but users never see the actual password. When authentication occurs, the credential is decrypted automatically without user visibility or input.
This architectural change makes credentials unphishable—users cannot reveal passwords they have never seen. For MSPs, it creates complete credential governance: every password is organisationally generated, cryptographically distributed, and centrally revocable. Auditors can trace the complete lifecycle of every credential without relying on user testimony or behaviour.
The compliance implications are significant. SOC 2 auditors can verify that all credentials are "restricted to authorised users" because unauthorised users cannot create them. ISO 27001 requirements for "controlled allocation" of access rights become automatically satisfied. NIS2's "appropriate technical measures" standard is met through cryptographic proof rather than policy documentation.
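The credential model described in this section and in the BPO article's "Solving credential control at source" passage above (organisation-generated, device-bound, never shown to the user, centrally revocable, with a traceable lifecycle) as an added illustrative example in Python; this is not MyCena's code and represents no product's internals. It assumes a per-device key provisioned out of band, an HMAC-SHA256 counter-mode construction standing in for a real AEAD cipher (the standard library has none), and an authority that also acts as the target system's verifier; all names are hypothetical.

```python
import hashlib, hmac, secrets, uuid
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for an AEAD cipher (assumption).
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def wrap(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: only the holder of the device key can read or alter the blob.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped credential failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class CredentialAuthority:
    """Organisation side: generates, wraps, verifies and revokes every credential."""
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # per-device keys, provisioned out of band
        self.sessions, self.audit = {}, []

    def issue(self, user: str, device_id: str, system: str):
        password = secrets.token_urlsafe(24)   # the user is never shown this value
        sid = uuid.uuid4().hex
        self.sessions[sid] = {"user": user, "device": device_id, "system": system,
                              "password": password, "revoked": False}
        self.audit.append(("issued", sid, user, device_id, system))
        return sid, wrap(self.device_keys[device_id], password.encode())

    def revoke(self, sid: str) -> None:
        self.sessions[sid]["revoked"] = True
        self.audit.append(("revoked", sid))

    def verify(self, sid: str, chal: bytes, response: bytes) -> bool:
        # Simplification: the authority acts as the target system's verifier here.
        s = self.sessions.get(sid)
        if s is None or s["revoked"]:
            self.audit.append(("rejected", sid))
            return False
        expected = hmac.new(s["password"].encode(), chal, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        self.audit.append(("login_ok" if ok else "login_failed", sid))
        return ok

def device_respond(device_key: bytes, blob: bytes, chal: bytes) -> bytes:
    """Device side: unwrap only to answer the challenge; the password never leaves."""
    return hmac.new(unwrap(device_key, blob), chal, hashlib.sha256).digest()
```

The audit list is the lifecycle evidence an auditor would ask for: every issue, login, failure and revocation is recorded by the organisation, not reconstructed from user testimony.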
The path forward for MSPs
MSPs cannot afford to treat credential governance as a technical problem solved by layering additional tools onto user-controlled passwords. Regulatory frameworks increasingly require evidence of organisational control over credentials, not just monitoring of credential usage.
The shift toward organisational credential generation represents a fundamental architecture change, not a product upgrade. MSPs evaluating this transition should assess their current credential count, audit preparation costs, and client security requirements. The question is not whether credential governance will become mandatory—NIS2, SOC 2, and ISO 27001 have already made that decision—but whether MSPs will implement proactive solutions or await the next regulatory penalty.
The British Airways fine demonstrated that credential compromise carries existential risk. For MSPs managing hundreds of client environments, the stakes are proportionally higher. The technology now exists to eliminate this risk entirely. The only question is timing.