The costs are piling up from a three-year running cybersecurity threat that shows no signs of abating as it spreads to more industries.
The likely culprit: a hacking collective known as "Scattered Spider." The playbook: get into a company's internal systems via hacked employee credentials, cause havoc, demand ransom.
Just recently, was in an attack by the group. The company hasn't been able to make cars for a month as a result. Before that, that annual executive bonuses would be cut by 15% after Scattered Spider targeted them in a July cyber attack.

sued its help desk provider, , for $380 million in damages, Cognizant improperly reset passwords for hackers posing as employees. A few weeks earlier, supplier estimated it lost up to when hackers disrupted systems. Three years ago, casinos were hit.
This is real money, and a real threat that most companies are not well prepared to guard against. Today, hackers don't just bust into corporate systems; they log in — like thieves walking in through open household doors. Almost nine in 10 (88%) breaches via basic web applications involve the use of stolen credentials, indicates 's 2025 .
In the case of Scattered Spider, the culprits do such things as ask for password resets, change the phone numbers tied to multifactor authentication solutions, add phone numbers that can be used to reset passwords, and more.
The rise of AI and AI agents makes securing identities even more critical. As AI agents spread, they form a new class of "non-human identities" that vastly increases the attack surface. As with most cybersecurity threats, Scattered Spider changes tactics all the time, and we are seeing indications of AI use supporting and augmenting their social engineering tactics.
Putting up speed bumps
When modeling approaches to increase resilience against their attacks it's best to think of the worst case, which is: "assume breach." Then evaluate how quickly you could detect attacks matching their approach and what your teams would do. While keeping them out is an admirable goal, it is very difficult since they exploit the processes you've set up to support your own enterprise users or contractors. The most realistic goal is to set up speed bumps to slow hackers down so they're stopped before doing much damage.
Steps to bolster defenses include:
Teamwork. Most companies have "security teams." A lot of companies now have "identity teams." Identity refers to employees — or AI agents — with access to company assets via passwords and other credentials.
Given the rise of identity-based cybersecurity threats, it's imperative that these teams fuse or work more closely together to find shared solutions. Company assets are now also highly fragmented, with some in the cloud, some on-premises and some via software-as-a-service providers like . There's also shadow IT and shadow AI, like ChatGPT, that employees use without security or identity people knowing about it. Every organization needs to be clear on who owns what from a security and identity perspective so that guidelines, policies and solutions are more airtight.
Awareness. How exposed are you? How much "identity sprawl" do you have? Identity sprawl occurs over time, just like data sprawl. New hires get digital identities and access to company data. In almost all cases when it comes to the cloud, policies are too lenient, research finds, which means employees have access to things they don't really need — which can add security risk. There's also risk when people leave a company, voluntarily or not, if digital identities don't get quickly or properly shut down.
With Scattered Spider, we're seeing criminals access things that real employees haven't opened in more than a year. Identity management is not one and done. Identities have a life cycle and need to be managed through the whole thing.
Observability. How well can you see what's going on inside your company? An attack via a network sets off bells and whistles. But when an "employee" logs in who's not an actual employee, there's no bell or whistle. Instead, you want to detect threats via signals of suspicious and malicious activity.
Basic Training/Testing. Nearly 70% of organizations recently surveyed "believe their employees ." This needs to change because employees, while one of your biggest cybersecurity risks, will also be one of your best lines of defense. Of course, training must extend to third-party vendors.
In its lawsuit, Clorox alleges that a hacker got a multifactor authentication reset by simply telling the help desk worker that the MFA wasn't working and that he or she was "on my old phone." Beyond training, test vendor performance so that you're not blindsided if they're not doing what they're supposed to be doing.
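The "signals of suspicious activity" above can be made concrete. The following is an added example, not code from the article or from any vendor: a small detection pass over constructed identity-provider audit events that flags the two patterns the article describes, a login by an account dormant for more than a year, and a login from an unrecognized device shortly after an MFA factor change or password reset. Event fields, the one-hour window and the 365-day dormancy threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real data), already in ISO timestamps.
EVENTS = [
    {"ts": "2025-08-01T09:00:00", "user": "alice", "type": "login", "device": "dev-a1"},
    {"ts": "2025-08-01T09:05:00", "user": "bob", "type": "mfa_factor_changed", "device": "dev-z9"},
    {"ts": "2025-08-01T09:10:00", "user": "bob", "type": "password_reset", "device": "dev-z9"},
    {"ts": "2025-08-01T09:12:00", "user": "bob", "type": "login", "device": "dev-z9"},
    {"ts": "2025-08-01T10:00:00", "user": "carol", "type": "login", "device": "dev-c3"},
]
# Constructed baseline: last known activity per user and devices seen before.
LAST_ACTIVITY = {"alice": "2025-07-30T17:00:00",
                 "bob": "2025-07-31T08:00:00",
                 "carol": "2024-03-01T12:00:00"}
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b2"}, "carol": {"dev-c3"}}

CREDENTIAL_CHANGES = {"mfa_factor_changed", "password_reset"}


def detect(events, last_activity, known_devices,
           dormant_days=365, window=timedelta(hours=1)):
    """Return (user, alert_name) tuples in event order."""
    alerts = []
    recent_changes = {}  # user -> timestamps of recent credential changes
    for e in sorted(events, key=lambda e: e["ts"]):
        t, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] in CREDENTIAL_CHANGES:
            # Remember the change; it only becomes an alert if a login follows.
            recent_changes.setdefault(user, []).append(t)
            continue
        if e["type"] != "login":
            continue
        # Pattern 1: an identity nobody has used in over a year suddenly logs in.
        last = datetime.fromisoformat(last_activity.get(user, "1970-01-01T00:00:00"))
        if t - last > timedelta(days=dormant_days):
            alerts.append((user, "dormant_account_login"))
        # Pattern 2: help-desk-style reset, then a login from a device never seen.
        changed_recently = any(t - ts <= window for ts in recent_changes.get(user, []))
        if changed_recently and e["device"] not in known_devices.get(user, set()):
            alerts.append((user, "login_after_credential_reset_from_new_device"))
    return alerts


if __name__ == "__main__":
    for user, alert in detect(EVENTS, LAST_ACTIVITY, KNOWN_DEVICES):
        print(f"{user}: {alert}")
```

A real deployment would pull the baseline from the identity provider's own logs rather than a hard-coded dictionary; the logic is the same.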
Like good insurance
No doubt, companies will eventually take the right steps to curb Scattered Spider-like attacks. The bad news is that cybercriminals will adjust to launch new tactics. Companies that make cybersecurity defense a priority will be like people who have good insurance. They will never totally prevent risk, but they'll mitigate damage.
is a co-founder and co-CEO of , a leader in identity security, providing advanced solutions to help organizations detect and respond to threats targeting human and nonhuman identities across cloud environments. His extensive background includes leadership roles at , where he contributed to product strategy and engineering. Martin is also an active investor and adviser, supporting various startups in the security domain, and has authored multiple publications that contribute to the understanding of security analytics and risk assessment.