Sunday 12 Jan 2025

This article first appeared in Digital Edge, The Edge Malaysia Weekly on January 13, 2025 - January 19, 2025

Last year was marked by a significant uptick in cybersecurity regulations globally, particularly targeting generative artificial intelligence (Gen AI) and third-party risks. As organisations rushed to tackle these new challenges, many neglected to establish essential cybersecurity measures to protect their assets.

This oversight, coupled with a lack of resilience planning, resulted in widespread IT disruptions affecting nearly every industry. In fact, global cybercrime costs are projected to reach a staggering US$12 trillion (RM54 trillion) by 2025, according to a prediction by research and advisory firm Forrester.

As Asia continues to ramp up its digital investments, new security challenges have arisen. Yet the strategies organisations have in place today lag behind. In fact, almost half of Asia-Pacific organisations are still at the lowest level of security maturity, operating without a strategic security framework and holistic visibility into the identities in their environment, according to SailPoint’s Horizons of Identity Security 2024-2025 report.

Gen AI fuelling machine identity boom

The rapid advancements in Gen AI are propelling a wave of automation across diverse industries, reshaping how tasks are handled and accelerating the integration of machines into workflows.

AI-powered assistants are empowering employees to navigate complex documents and data, while AI-driven tools are streamlining the way developers work with code, enhancing efficiency and accelerating project timelines. With automation becoming increasingly prevalent, 70% of organisations now manage more machine identities than human ones.

At the heart of automation lies trust. The trust placed in these machine accounts, while essential to their functionality, also places greater emphasis on security, compliance and the assurance that these machines will perform as expected without compromising on sensitive information.

With the same report revealing that 57% of organisations have given inappropriate access to a machine identity, these identities present a potent threat vector ready to be exploited.

Machine identities as biggest blind spot

Businesses are improving their ability to train employees to recognise phishing attacks and other social engineering tactics designed to exploit human identities.

Technology solutions have also emerged, offering an extra layer of support for employees who may miss the warning signs. While there is no silver bullet solution that can guarantee complete protection, this combined approach has significantly reduced the impact of social engineering attacks.

Unfortunately, attackers have shifted their focus to machine identities, driven by the growth of AI and automation. In fact, the number of machine identities is projected to grow 30% over the next three to five years, outpacing the growth of human identities.

Yet, these identities lack the ability to recognise and respond to social engineering tactics. The rapid proliferation of machine identities, often distributed across various cloud environments and managed by different teams, further exacerbates the challenge of managing and securing them.

Moreover, with only 38% of organisations having real-time visibility into active machine identities, a significant security gap persists. Unlike human access to sensitive data, machine identities often lack identity security controls. Many attackers exploit this vulnerability, manipulating machine identities into performing actions or revealing information they normally would not. Once inside a network, an attacker can further deceive machine identities to obtain additional credentials or privileges, enabling them to move laterally across systems and widen their attack.

Next frontier of identity security

As AI investments in Asia-Pacific surge towards US$110 billion by 2028, the technology will only become more accessible and advanced. Cyber attackers can be expected to leverage it to launch even more complex and sophisticated threats. For instance, AI-enabled deepfakes, capable of impersonating C-suite executives, are already being used to perpetrate corporate fraud, spread misinformation and automate phishing campaigns.

With an ever-increasing number of identities to manage, it is clear that human-driven identity management is no longer sufficient. While identity management needs have evolved, the adoption of advanced identity security tools by organisations has not followed suit.

Looking ahead to 2025, the next generation of identity security will be about unification. Organisations need to achieve full visibility into their identity landscape and eliminate the complexities associated with disparate systems. After all, organisations will have a broad spectrum of identities beyond workforce identities to manage. By leveraging automation and AI, organisations can effectively manage and secure all types of enterprise identities (employees, non-employees, non-human), as well as data across various locations and at scale. Through a unified identity approach that delivers policy-based, just-in-time access to critical resources, organisations can ensure regulatory compliance, mitigate risks and drive business acceleration.


Eric Kong is managing director for Asean at SailPoint
