It’s often not the sophisticated malware or zero-day exploits that cause the most damage. It’s the simple, overlooked gaps in process and identity management. Recent high-profile breaches, including those at major UK retailers like Marks & Spencer and Co-op, have highlighted just how vulnerable organizations remain to low-tech, high-impact attacks.
These incidents weren’t the result of advanced persistent threats or nation-state actors. They were social engineering attacks, where threat actors impersonated employees and convinced IT support staff to reset passwords. No code was written. No systems were hacked. Just a convincing phone call.
Let that sink in.
The result? Unauthorized access to internal systems, operational disruption, and a wave of scrutiny over how something so basic could slip through the cracks.
The Real Threat: Human Error and Legacy Processes
These breaches underscore a critical truth: the weakest link in cybersecurity is often not the technology. It’s the people and the outdated processes they rely on.
Manual password resets via IT help desks are a prime example. They depend on human judgment, often under pressure, and assume a level of internal trust that no longer aligns with today’s threat landscape.
In many organizations, password reset procedures haven’t evolved. A user calls the help desk, answers a few questions, and gets their password reset. But what happens when the person on the other end of the line isn’t who they claim to be?
The Simple Fix: Self-Service Password Reset with MFA
Incidents like these underscore the importance of taking humans out of the loop for sensitive security operations. The good news? This is a solvable problem. One of the most effective ways to eliminate this attack vector is to implement self-service password reset (SSPR) with multi-factor authentication (MFA).
Here’s why this approach is so powerful:
- Eliminates social engineering opportunities: If users reset their own passwords through a secure, automated workflow, there's no IT help desk for attackers to manipulate.
- Adds strong identity verification: With MFA, even if someone knows an employee’s username or can guess a few details, they can’t complete a password reset without access to a second factor—like a mobile authenticator or biometric ID.
- Improves response time and user satisfaction: Users regain access to accounts quickly and securely, without waiting on support teams or exposing the organization to risk.
- Frees up IT resources: Your IT staff stops being the front line for identity validation and can focus on more strategic work.
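To make the workflow above concrete, here is an added illustration (not OneLogin's code or any product's API) of a help-desk-free reset flow: the user must present a valid authenticator-app (TOTP) code before a short-lived, single-use reset token is issued, and that token must be redeemed to set the new password. The user store, secret, clock values and lockout threshold are constructed for the example.

```python
"""Self-service password reset gated by a second factor (illustrative, constructed)."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

TOTP_STEP = 30          # seconds per TOTP window (RFC 6238 default)
RESET_TOKEN_TTL = 600   # a reset token is valid for 10 minutes
MAX_ATTEMPTS = 5        # refuse further attempts after repeated bad codes


def totp(secret: bytes, now: float, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str) -> str:
    """Salted PBKDF2 hash; stored as 'salt:hash' (constructed storage format)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


class PasswordResetService:
    """No operator is involved: the second factor, not a phone call, proves identity."""

    def __init__(self, users: dict):
        # users: username -> {"totp_secret": bytes, "password_hash": str, "failed": int}
        self.users = users
        self.tokens = {}  # reset token -> (username, expiry time)

    def request_reset(self, username: str, code: str, now: float) -> Optional[str]:
        """Step 1: verify the authenticator code. Returns a reset token or None.
        The same None is returned for unknown users, locked users and bad codes,
        so the endpoint does not reveal which usernames exist."""
        user = self.users.get(username)
        if user is None or user["failed"] >= MAX_ATTEMPTS:
            return None
        # Accept the current and the previous window to tolerate small clock drift.
        valid = any(
            hmac.compare_digest(code, totp(user["totp_secret"], now - drift))
            for drift in (0, TOTP_STEP)
        )
        if not valid:
            user["failed"] += 1
            return None
        user["failed"] = 0
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, now + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token: str, new_password: str, now: float) -> bool:
        """Step 2: redeem the token and set the new password."""
        entry = self.tokens.pop(token, None)  # pop() makes the token single-use
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        self.users[username]["password_hash"] = hash_password(new_password)
        return True
```

The two-step shape matters: the factor check and the password change are separate calls, so an attacker who learns a username still cannot obtain a token without the authenticator, and a leaked token is useless once redeemed or expired.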
What to Look for in a Modern IAM System
To effectively mitigate social engineering and unauthorized access, organizations need identity solutions that go beyond basic password management. Look for solutions that prioritize:
- The ability to enforce password resets that require multiple authentication factors
- Step-up authentication based on contextual risk (e.g., location, device, time of day)
- Self-service password reset integrated into the login experience
- Granular delegated administrative controls
- Features that reduce help desk tickets and improve security posture at the same time
- Consistent enforcement of password changes and access policies across cloud, hybrid, and on-prem systems
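The second item, step-up authentication based on contextual risk, is the one most often left vague. Here is an added illustration (not any vendor's policy engine) of a rule-based risk scorer that looks at the signals the list names, location, device and time of day, and decides which factors a reset or login must present. The signal weights, thresholds, per-user baselines and sample requests are all constructed for the example.

```python
"""Contextual risk scoring that drives step-up authentication (illustrative, constructed)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Context:
    username: str
    country: str            # geo-IP country of the request
    device_known: bool      # device previously registered to this user
    hour_local: int         # 0-23, local hour at the user's usual location
    on_corp_network: bool   # request arrives from a corporate egress IP


# Baseline we would normally learn from sign-in history; constructed here.
USUAL_COUNTRY = {"alice": "GB", "bob": "US"}

# Constructed weights: each signal adds to a 0-100 risk score.
WEIGHT_NEW_COUNTRY = 40
WEIGHT_UNKNOWN_DEVICE = 30
WEIGHT_OFF_HOURS = 15
WEIGHT_OFF_NETWORK = 10

STEP_UP_THRESHOLD = 30   # at or above: demand a second, phishing-resistant factor
DENY_THRESHOLD = 70      # at or above: refuse the operation and alert


def risk_score(ctx: Context) -> int:
    score = 0
    if ctx.country != USUAL_COUNTRY.get(ctx.username):
        score += WEIGHT_NEW_COUNTRY
    if not ctx.device_known:
        score += WEIGHT_UNKNOWN_DEVICE
    if ctx.hour_local < 6 or ctx.hour_local > 22:
        score += WEIGHT_OFF_HOURS
    if not ctx.on_corp_network:
        score += WEIGHT_OFF_NETWORK
    return min(score, 100)


def decide(ctx: Context) -> dict:
    """Map the risk score to an action and the factors the workflow must collect.
    Every reset is MFA-gated; risk only ever adds requirements, never removes them."""
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        # Too risky for a self-service path: deny and raise an alert for the SOC.
        return {"score": score, "action": "deny", "factors": [], "alert": True}
    factors: List[str] = ["authenticator_app"]
    if score >= STEP_UP_THRESHOLD:
        factors.append("security_key")  # step-up: FIDO2/WebAuthn-style factor
    return {"score": score, "action": "allow", "factors": factors, "alert": score >= STEP_UP_THRESHOLD}


def sample_decisions() -> dict:
    """Three constructed requests for the same user, from routine to clearly anomalous."""
    cases = {
        "routine": Context("alice", "GB", True, 10, True),
        "unfamiliar_device_late": Context("alice", "GB", False, 23, False),
        "foreign_unknown_night": Context("alice", "XX", False, 3, False),
    }
    return {name: decide(ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, result in sample_decisions().items():
        print(f"{name:24s} score={result['score']:3d} action={result['action']:5s} factors={result['factors']}")
```

The design point is that the score is monotonic: no combination of "good" signals ever reduces the requirement below the authenticator app, so a caller who spoofs one signal can at best avoid the step-up, never the baseline MFA.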
A Breach That Didn’t Have to Happen
The attacks on M&S and Co-op are cautionary tales, but they’re also reminders that many breaches are preventable. Organizations often have the tools they need but fail to implement them in ways that close critical gaps. By modernizing identity workflows and removing manual processes from sensitive operations, companies can dramatically reduce their attack surface. If you're still relying on manual password resets or haven’t rolled out MFA across your identity stack, now is the time to act. Your help desk shouldn’t be your first line of defense.