The most damaging ransomware attacks of 2025 shared a common thread: attackers didn’t exploit sophisticated vulnerabilities but instead used stolen credentials and ungoverned identities to walk through the front door. From Jaguar Land Rover’s £1.9 billion shutdown to Marks & Spencer’s 46-day outage, the pattern is clear: Identity governance is the first line of defense, and this post explains why.
In September 2025, Jaguar Land Rover suffered what has been called the most economically damaging cyberattack in British history. The attack forced production shutdowns across facilities in the UK, China, Slovakia, India, and Brazil for nearly four weeks. The estimated economic impact reached £1.9 billion, affecting over 5,000 organizations across the supply chain and requiring the UK government to guarantee a £1.5 billion emergency loan.
The attack vector was not a sophisticated zero-day exploit. Analysis of the breach revealed that attackers used stolen credentials harvested via infostealer malware, including credentials from a third party with access to JLR’s Jira system. Once inside, the attackers moved laterally through the network using valid accounts, eventually deploying ransomware across the entire enterprise.
JLR’s experience illustrates a pattern that security teams increasingly recognize: the business impact of ransomware often stems not from encrypted files but from loss of trusted operations. When organizations cannot verify which identities are legitimate and which are compromised, the only safe response is to shut everything down. That decision cost JLR £196 million in a single quarter and disrupted supply chain workers by the thousands.
JLR was not an isolated incident. The 2025 Verizon Data Breach Investigations Report confirms that credential abuse remains the dominant initial access vector, appearing in 22% of all breaches. More troubling, third-party involvement in breaches doubled year-over-year, jumping from 15% to 30% of all incidents. These breaches extend beyond software supply chain vulnerabilities to include credential exposures from partners, misconfigured SaaS environments, and inadequate controls over external identities.
Marks & Spencer’s April 2025 breach demonstrates how third-party risk translates into operational catastrophe. The attack, attributed to the Scattered Spider collective, began with social engineering of a third-party IT service desk. Attackers impersonated an employee to obtain a password reset. Within hours, they had credentials for the entire organization. The result: 46 days without online ordering capability, approximately £300 million in lost profit, and over £1 billion wiped from market value.
The identity lesson is consistent across both cases: your security posture extends only as far as the identities you actually govern. Supplier identities, contractor accounts, and partner access represent attack vectors that traditional security tools struggle to govern. When third-party identities operate with excessive privileges, time-unlimited access, and minimal oversight, they become precisely the entry points attackers seek.
There is another structural challenge: access accumulates faster than it gets reviewed, and entitlements are scattered across so many systems that no one has a complete picture.
Consider how access actually evolves: an employee joins the marketing team and is granted permissions to the content management system and collaboration tools. A year later, they move to product management and gain access to roadmaps, customer data, and development environments. Another transition to sales engineering adds customer-facing systems, technical documentation, and demo platforms. At no point does anyone remove their previous access rights.
The problem is visibility, not negligence. Their marketing access lives in one system, product access in another, sales engineering access in a third. Active Directory permissions exist somewhere else entirely, and cloud entitlements distribute across AWS, Azure, and Google Cloud. Each move added access. Nothing ever came off.
Most organizations have built governance frameworks around human identities, but the same rigor rarely extends to non-human identities, which include the service accounts, synchronization accounts, and automated credentials that connect systems to each other. These accounts often hold elevated privileges, rarely get reviewed, and operate without multi-factor authentication. Attackers have learned to target them specifically.
Microsoft’s research on a ransomware group it tracks as Storm-0501 documents how this plays out. After compromising on-premises environments, attackers targeted the systems that connect corporate networks to cloud platforms. In one case, they discovered a non-human identity used to synchronize identities between on-premises systems and the cloud. This service account had no human owner, full administrative privileges over the entire cloud environment, and no multi-factor authentication. Once attackers took control of it, they had unrestricted access to everything.
Using legitimate cloud administrative tools, attackers exfiltrated sensitive data, then deleted virtual machines, backups, and snapshots. Rather than encrypting files with conventional ransomware, they held the organization hostage by destroying its cloud infrastructure and threatening to leak stolen data.
Organizations that govern human identities but leave machine identities unmanaged create precisely the blind spots these attackers exploit.
The blast radius problem is straightforward: when credentials are compromised, the damage extends as far as those credentials can reach. A service account with elevated privileges across multiple cloud environments becomes a highway for lateral movement. Attackers who obtain those credentials inherit all associated permissions, escalate privileges, and exfiltrate data before anyone notices.
Organizations that lack comprehensive visibility into identity relationships and access patterns cannot accurately assess the potential blast radius. Security teams spend days reconstructing which systems an account touched, what data it could access, and which other accounts it interacted with. Every hour of investigation extends attacker dwell time. Every system missed in forensics represents another potential foothold.
The questions boards now ask reflect this reality: How fast can you safely shut off access without stopping the company? Which identities can access production-critical systems? What access can be revoked surgically versus what will halt operations?
JLR’s four-week shutdown illustrates what happens when organizations cannot answer these questions. Without visibility into which identities were compromised and what they could reach, the only safe option was to take everything offline. A surgical response requires knowing your blast radius before the breach, not piecing together who has access to what while attackers maintain control. Your SIEM cannot provide that visibility. Identity governance can.
Identity Governance and Administration provides the visibility layer that most security architectures lack. IGA aggregates identity data from across the environment, including directories, cloud identity providers, HR systems, SaaS applications, and databases, into a unified view that answers the fundamental question: who has access to what right now?
That visibility enables action. Automated lifecycle management closes orphaned accounts within minutes of an employee’s departure, eliminating the weeks-long window that manual deprovisioning creates. Access certification campaigns surface accumulated entitlements for review, with analytics highlighting the high-risk combinations that require immediate attention.
Third-party identities come under the same governance framework as internal employees. Partner and contractor accounts receive time-bound access with clear ownership, least-privilege assignments, and certification tied to business context rather than annual checklists. When engagements end, access is revoked automatically across all connected systems.
Non-human identities receive equivalent treatment, operating under policy-based governance with automated credential rotation and anomaly detection. In a properly governed environment, the type of ungoverned non-human identity that enabled the Storm-0501 attacks would surface immediately as a high-risk entitlement requiring remediation.
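As an added illustration of the “who has access to what right now” view and the checks described above (example code written for this post, not Omada’s or any IGA product’s), the script below aggregates constructed entitlement exports from several systems and flags privilege creep across role changes, an orphaned account, and an unowned sync account that holds admin rights without MFA. All identities, systems and roles are invented sample data.

```python
from collections import defaultdict

# Constructed sample data (not from any real environment).
HR_ROLE = {"alice": "sales-engineering", "bob": None}   # None = left the company
ROLE_BASELINE = {"sales-engineering": {"crm", "demo-platform"}}
ENTITLEMENTS = [                                          # (identity, system, level)
    ("alice", "cms", "editor"),              # leftover from the marketing role
    ("alice", "product-roadmaps", "admin"),  # leftover from product management
    ("alice", "crm", "user"),
    ("alice", "demo-platform", "user"),
    ("bob", "crm", "admin"),                 # bob has departed: orphaned account
    ("svc-dirsync", "cloud-tenant", "global-admin"),  # directory sync account
]
META = {
    "alice": {"human": True, "owner": "alice", "mfa": True},
    "bob": {"human": True, "owner": "bob", "mfa": True},
    "svc-dirsync": {"human": False, "owner": None, "mfa": False},
}
ADMIN_LEVELS = {"admin", "global-admin"}

def access_view(rows):
    """Unified view: identity -> {system: access level}, built from all exports."""
    view = defaultdict(dict)
    for ident, system, level in rows:
        view[ident][system] = level
    return dict(view)

def privilege_creep(rows, hr_role, baseline):
    """Systems an active person can reach that are outside their current role's baseline."""
    creep = {}
    for ident, systems in access_view(rows).items():
        role = hr_role.get(ident)
        if role is None:
            continue
        extra = set(systems) - baseline.get(role, set())
        if extra:
            creep[ident] = extra
    return creep

def orphaned_accounts(rows, hr_role, meta):
    """Human accounts that still hold access but have no active HR role."""
    return {i for i in access_view(rows) if meta[i]["human"] and hr_role.get(i) is None}

def risky_nonhuman(rows, meta):
    """Non-human identities with admin-level access and no owner or no MFA."""
    risky = set()
    for ident, systems in access_view(rows).items():
        m = meta[ident]
        admin = any(lvl in ADMIN_LEVELS for lvl in systems.values())
        if not m["human"] and admin and (m["owner"] is None or not m["mfa"]):
            risky.add(ident)
    return risky

def blast_radius(rows, ident):
    """Systems a compromised identity can reach directly."""
    return set(access_view(rows).get(ident, {}))
```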
Attack surfaces now expand faster than manual processes can track. AI-powered tools generate new identities without IT approval. Applications deployed by business teams outside IT oversight authenticate through service accounts holding excessive privileges. Non-human identities proliferate with every new automation workflow, containerized workload, and API integration. Effective governance must operate at the same speed. IGA platforms bring all identities under continuous governance, provisioning access based on policy, rotating credentials on schedule, and flagging accounts that operate outside normal patterns.
This continuous governance transforms IGA from a compliance exercise into an active security control. Rather than periodic access reviews that catch problems months after they emerge, analytics examine access patterns continuously, identifying anomalies and surfacing risk signals as they develop.
Shrinking the identity attack surface represents the first line of defense against ransomware. Fewer credentials to steal, fewer privileges to abuse, and far fewer opportunities for lateral movement mean that even successful credential theft leads to contained damage rather than a catastrophic breach.
But governance doesn’t end at prevention. When attacks do occur, identity governance becomes the foundation for rapid containment and response. When recovery begins, identity governance provides the audit trail and access intelligence needed to understand what happened and ensure it doesn’t happen again.
Those capabilities are the subject of the next two posts in this series. Part 2 will examine how IGA enables rapid detection and containment during an active attack. Part 3 will explore the role of identity governance in clean recovery, forensics, and post-incident hardening.
The organizations that invest in comprehensive identity governance now will face ransomware attacks with a critical advantage: they will know their identity attack surface, understand how far any compromise can spread, and have the controls in place to limit damage before the first credential gets stolen.
FREQUENTLY ASKED QUESTIONS
Identity Governance and Administration (IGA) is the visibility layer that consolidates identity and entitlement data across directories, cloud identity providers, human resources systems, and applications. By showing who has access to what right now, it helps close orphaned accounts, reduce standing privileges, and govern external access, which limits how far stolen credentials can take an attacker.
Attackers can gain access with stolen credentials and password resets from social engineering, including third-party credentials that can open internal systems. According to the 2025 Verizon Data Breach Investigations Report, credential abuse appears in 22% of breaches and third-party involvement has risen to 30%. When partner access is ungoverned and over-privileged, it becomes a path for lateral movement.
Overprovisioning and privilege creep refer to access that accumulates over time, especially as people change roles, while old entitlements never get removed. According to recent EMA research from January 2026, 43% of organizations cite this as a top identity risk. Because permissions are scattered across many systems, teams lack a complete picture and reviews lag behind change.
The blast radius refers to the systems and data a compromised identity can reach, which determines the impact of credential theft. When organizations cannot verify which identities are legitimate, they may take systems offline, as shown in Jaguar Land Rover’s shutdown. Identity Governance and Administration (IGA) provides visibility on entitlements so teams can revoke access surgically and limit disruption.
Non-human identities, including but not limited to service accounts and synchronization accounts, can hold elevated privileges and often lack reviews and multi-factor authentication. For example, a compromised cloud sync account with no owner and full administrative privileges can be used to destroy cloud infrastructure and threaten data leaks. The solution lies in policy-based governance, credential rotation, and anomaly detection to surface and remediate risky access.