Credential theft (the stealing of usernames and passwords) is often considered a core driver of cyber incidents. However, this assessment does not capture the big picture accurately: neither credential theft itself nor even the use of the stolen credentials is the root of the incident. The effective use of stolen credentials is a symptom of something deeper: weak foundational cybersecurity maturity across the industry.
Stolen credentials alone cannot magically compromise a well-defended organization. Weak or missing implementations of the core cybersecurity controls are the real culprits. This has proven particularly relevant in the recent uptick of stolen credentials being used to maliciously access remote management and monitoring (RMM) tools with devastating effectiveness. Still, focusing on the stolen credentials as the root of the problem can result in wasted time and money pursuing solutions to a symptom without addressing the underlying operational cracks that make credential theft such a devastating attack vector.
Understanding the true contributors to the impact of an incident is critical to effectively implementing lessons learned and updating security posture where needed to prevent repeat incidents caused by the same attack vectors or methods. Misdiagnosis of root causes also leads to misaligned governance. If governance focuses only on authentication requirements rather than strengthening organization-wide cyber hygiene, it perpetuates the conditions that make ransomware, extortion, and supply-chain attacks successful.
Prioritizing a foundational-security-first approach directly reduces operational downtime, litigation risk, and insurance costs. Starting with a strong foundation of the core cybersecurity best practices is the most cost-effective way to improve organizational resilience. Organizations that focus solely on the possibility of stolen credentials being used against them will miss the opportunity to prevent the success of these attacks by understanding what it is that makes them so successful:
These gaps are contributing to an industry that is increasingly known by the bad actors as having a soft underbelly of easy attack surfaces to exploit with massive ROI for minimal effort.
It is critical that federal and state transportation cybersecurity efforts avoid narrow “credential security” language and instead work toward minimum foundational cybersecurity maturity requirements: strong identity lifecycle management, multi-factor authentication (MFA) everywhere, auditable logging, modernized systems and software, and a minimum baseline of proper segmentation between operational and administrative networks.
It is time to reassess the cybersecurity roadmap. Prioritizing investments in phishing awareness training and in core cybersecurity controls, including identity management, asset inventory, logging and visibility, and vendor management, will reduce the blast radius around any cyberattack (including those “caused” by credential theft). Coincidentally, it will also serve to make the theft of credentials in the first place much less likely.
Attacks carried out using stolen credentials are not the disease. They are the warning beacon alerting us that the industry is still operating with a fragile cybersecurity foundation. Strengthen this foundation and attackers will lose their lowest-hanging fruit.
The National Motor Freight Traffic Association, Inc.® (NMFTA)™ recently produced its annual report, the 2026 Transportation Industry Cybersecurity Trends report. Download it today to see cyber threats and trends and ensure your fleet and operations are ready for the new year.

Ben Wilkens, CISSP, CCSP, CISM, is a Cybersecurity Principal Engineer at the National Motor Freight Traffic Association, Inc. (NMFTA)™. He leads research initiatives and teams focused on developing advanced cybersecurity technologies, strategies, and methodologies to protect information systems and networks. Ben works closely with academic institutions, industry partners, and government agencies to advance cybersecurity practices and provides expert guidance to organizations navigating the ever-changing cyber threat landscape.
Before joining NMFTA, Ben was a key executive at a family-owned trucking and logistics company, where he integrated technology to enhance operations while maintaining robust cybersecurity standards. With CISSP and CISM certifications, an active Class A CDL, and hands-on experience as an over-the-road driver, dispatcher, and IT specialist, Ben brings a unique perspective to the intersection of cybersecurity and transportation.