How to enable access to business operations while maintaining security
July 7, 2025 | 3 minute read
Key takeaways:
- Identity and access management (IAM) is a framework for overseeing and managing the digital identities used to access an organization’s networks and systems.
- Effective IAM deployment depends on a combination of people, processes and technology that are governed by cybersecurity fundamentals.
- Technology-dependent tools such as multifactor authentication are valuable protections for identity but are not foolproof; your company must never assume it is 100% secure.
Digitization and cloud migration are creating new workflows, tools and services that are critical to staying efficient and competitive in today’s business environment. The shift in how we work has led to a corresponding increase in the number of users and identities (both human and machine) that have access to businesses’ critical systems.
Workplace demands and expectations have pushed most companies to make access to their systems faster and easier. But without sufficient access controls, businesses of all sizes face elevated security risks to legacy systems as well as evolving cloud environments.
What’s more, while security controls such as one-time passwords, multifactor authentication (MFA), passkeys and passwordless sign-on reduce many types of cyber-risk, these technologies can also be evaded or manipulated by innovative cybercriminals and employees acting negligently or maliciously.
As a result, identity-related cyber incidents remain a persistent problem. One study found that 93% of surveyed organizations experienced two or more identity-related breaches over a 12-month period.[1] As more resources shift to cloud services — on which users were forecast to spend $679 billion in 2024[2] — managing and securing identity and access will likely remain an important business objective, particularly for those who must maintain strong protections of sensitive data, files and systems to comply with industry regulations.
Identity and access management (IAM) tools and processes can provide a strong security foundation for most organizations. However, businesses need to take a multifaceted approach to keep ahead of emerging threats. Malicious actors will continue to discover new methods for compromising digital systems that are rapidly evolving.
Here are six recommendations that can bolster your company’s identity protections:
Map your environment and user groups
Businesses need to have a complete picture of their deployments before they can properly implement IAM or other protocols. This can include specific groups of users (including third parties with system access and remote users), existing on-premises and cloud systems and tools regularly used to complete essential tasks.
Identify essential data
The global average cost of a data breach peaked at $4.88 million in 2024.[3] Organizations that maintain an inventory of their most critical data — and set strong identity and privilege access controls to protect it — can reduce the risk of the most damaging data-related cyber incidents.
Manage privileges in addition to access
Privileged access management (PAM) is part of most IAM approaches. It applies additional protections to the most sensitive accounts and processes and gives administrators visibility into who is accessing them and what activity occurs when sessions are in progress.
Maintain strong identity protection and employee awareness
No matter what access controls you implement, employees play a key role in protecting their identities. If your organization relies on passwords, ensure that all employees are educated in the fundamentals of creating strong passwords and regularly updating them. Conduct training about phishing, credential theft and emerging threats to protections such as MFA (e.g., token and cookie theft, MFA spamming).
Implement a zero trust model
Often referred to as “never trust, always verify,” the zero trust model presumes that company networks are already breached or vulnerable, that users must be validated continuously, and that security is enhanced by creating segmentation across company networks. Zero trust architecture typically operates on the principle of least privilege, which states that users should only have access privileges essential to their job function.
Maintain visibility into the network
To make IAM effective, companies need insight into activity on their networks and logs that contain evidence of who has attempted to access privileged accounts. System administrators should have controls in place to determine the types of users that are requesting account access and what types of information they provide to gain it. Activity logs can also reveal evidence of multiple failed logins, remote logins or other behaviors that may be linked to malicious activity. User and entity behavior analytics can help network administrators understand normal and abnormal usage patterns and potentially reveal activity related to insider threats.
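The kind of log review described above, as an added example that is not part of the original article: a short Python pass over constructed sign-in events that flags a burst of failed logins and a privileged account signing in from a remote source it has not used before. The log format, account names, privileged-account list and internal address prefix are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): timestamp account source result
SAMPLE_LOG = """\
2025-07-01T08:59:10Z svc-backup 10.0.4.12 success
2025-07-01T09:00:02Z admin-jlee 10.0.1.5 success
2025-07-02T02:14:01Z admin-jlee 203.0.113.44 failure
2025-07-02T02:14:09Z admin-jlee 203.0.113.44 failure
2025-07-02T02:14:15Z admin-jlee 203.0.113.44 failure
2025-07-02T02:14:31Z admin-jlee 203.0.113.44 success
2025-07-02T09:01:00Z mchan 10.0.2.8 failure
2025-07-02T09:01:40Z mchan 10.0.2.8 success
"""
PRIVILEGED = {"admin-jlee", "svc-backup"}   # assumed privileged-account inventory
INTERNAL_PREFIX = "10."                     # assumed on-premises address range
MAX_FAILURES, WINDOW = 3, timedelta(minutes=5)

def parse(line):
    ts, account, source, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, source, result

def review(log_text):
    """Return (timestamp, account, finding) tuples for events worth a look."""
    failures = defaultdict(deque)   # account -> failure times inside WINDOW
    known = defaultdict(set)        # account -> sources seen on past successes
    findings = []
    for line in log_text.splitlines():
        ts, account, source, result = parse(line)
        if result == "failure":
            recent = failures[account]
            recent.append(ts)
            while ts - recent[0] > WINDOW:      # drop failures older than WINDOW
                recent.popleft()
            if len(recent) == MAX_FAILURES:
                findings.append((ts, account, "failed-login burst"))
            continue
        remote = not source.startswith(INTERNAL_PREFIX)
        if account in PRIVILEGED and remote and source not in known[account]:
            note = "privileged remote login from new source"
            if failures[account] and ts - failures[account][-1] <= WINDOW:
                note += " after failures"
            findings.append((ts, account, note))
        known[account].add(source)              # update the account's baseline
    return findings

if __name__ == "__main__":
    for ts, account, finding in review(SAMPLE_LOG):
        print(ts.isoformat(), account, finding)
```

The per-account set of previously seen sources is a deliberately minimal stand-in for behavior analytics; a production baseline would also weigh time of day, device and geography.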