Modern cyber incidents increasingly hinge on a single truth: when attackers gain control of a privileged account, they don’t need malware to cause catastrophic damage. The March 2026 cyberattack on medical technology giant Stryker is a stark illustration of this reality. By abusing a compromised administrative account within Microsoft Intune, attackers were reportedly able to remotely wipe tens of thousands of corporate and BYOD devices across dozens of countries—using only legitimate tools and permissions. CISA has subsequently issued an alert calling for the hardening of endpoint management systems in response to this incident.
This incident reinforces a fundamental security truth: identity is now the primary attack surface, and privileged accounts represent concentrated operational risk. While tools can help, this is more about policy, process, and breaking down organizational silos. Principles of zero trust and least privilege need to be embraced across the organization. Incidents like this will continue to happen until organizations accept the fact that identity programs need to cover all identities and access in the organization. We need appropriate policies and processes in place to govern access based on risk, and the rigor to follow these processes and maintain good hygiene practices. There can be no sacred cows. These policies need to apply across the organization. An Intune account that can trigger a mass update to thousands of devices, including a wipe of the device, has to be considered high risk and treated accordingly. The risk of an incident like this is real. The fact that this tool is not managed by identity or security teams is irrelevant.
One of us
As organizations do more to detect anomalous behavior, attackers are getting smarter at avoiding detection and are employing “living off the land” techniques. This is where an attacker has compromised a valid account and is using tools that already exist in the environment in a way that makes the activity appear to be the action of a legitimate user. To the tools monitoring behavior and looking for anomalies, this looks like normal behavior, so it does not stand out. This attack approach does not require the installation of malware or additional tools and is significantly more difficult to detect. It requires the same kind of controls that help prevent insider threats, such as monitoring normal user activity and enforcing appropriate governance around any high-risk activity. This is challenging when balancing monitoring against privacy, especially in countries where some controls are prohibited due to privacy concerns.
How can tools help?
Once appropriate policies and processes are in place, implementing a set of controls that is fully manual will provide some protection and may be fine for small organizations, but the typical issues with manual control processes remain. They are slower, dependent on the expertise of the human executing the control, and vulnerable to human error. Implementing the controls with the appropriate tools can provide a better user experience, reduced risk, consistent monitoring and enforcement, continuous assessment of identity posture, real-time threat detection, and automated response. Of course, solutions such as phishing-resistant MFA, just-in-time access, Identity Threat Detection and Response, etc., will help, but only if they are supporting robust policies and processes and there are no gaps in coverage. Implementing an expensive tool to support a broken process or incomplete policy will still leave a gap to be exploited.
Recommendations for reducing the risk of a similar incident
- Establish an organization-wide identity program. Organizational silos that identity controls do not apply to are a risk to the organization. If there is a hole in your security, an attacker will eventually find it.
- Policies and processes based on zero trust and least privilege. These should cover all types of identities, human or otherwise, how they authenticate, how access is granted, the definition of high-risk access and any special handling required based on the level of risk.
- Monitor and control access to high-risk identities and activities. Access to an admin account must be closely monitored, and the creation of a global admin account must be even more tightly controlled and should trigger an alert. This type of action must never go unnoticed. An Intune administrator must not be able to make a high-risk configuration change, such as issuing a wipe command, especially at scale, without further verification. MFA for accessing the account and Intune’s Multi Admin Approval would have helped to prevent the incident.
- Diligence around privileged access hygiene. While hygiene around all access is important, for privileged access it is critical. Whether it is manual or automated, access that is no longer required must be removed. In the Stryker case, if the compromised account did not have direct access to implement such a change in Intune to trigger the wipe, the incident may have been prevented.
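As an added illustration of the monitoring recommendation above (this is example code, not from the original post or from Microsoft), the following runs two detections over constructed audit records: a burst of device wipes from one account inside a short window, and any grant of a privileged directory role. The record field names (`ts`, `actor`, `action`, `target`) and the thresholds are assumptions, not Intune's or Entra's real log schema.

```python
"""Detection logic over constructed Intune/Entra-style audit records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The schema is assumed for illustration, not Microsoft's.
SAMPLE_EVENTS = [
    {"ts": f"2026-03-12T08:00:{i * 7:02d}Z", "actor": "intune-admin-01",
     "action": "DeviceWipe", "target": f"DEV-{i:04d}"}
    for i in range(8)          # eight wipes from one account within one minute
] + [
    {"ts": "2026-03-12T08:30:00Z", "actor": "helpdesk-02",
     "action": "DeviceWipe", "target": "DEV-9001"},     # a single, routine wipe
    {"ts": "2026-03-12T09:15:00Z", "actor": "intune-admin-01",
     "action": "AddRoleMember", "target": "Global Administrator"},
]

WIPE_THRESHOLD = 5                 # wipes by one actor inside WIPE_WINDOW -> alert
WIPE_WINDOW = timedelta(minutes=10)
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mass_wipe(events, threshold=WIPE_THRESHOLD, window=WIPE_WINDOW):
    """Return {actor: peak wipes in any sliding window} for actors at or over threshold."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] == "DeviceWipe":
            by_actor[e["actor"]].append(parse_ts(e["ts"]))
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts


def detect_privileged_role_grants(events):
    """Every grant of a privileged role is alert-worthy regardless of volume."""
    return [(e["actor"], e["target"]) for e in events
            if e["action"] == "AddRoleMember" and e["target"] in PRIVILEGED_ROLES]
```

Run against the sample, the wipe detector flags only `intune-admin-01` (eight wipes in under a minute) while the helpdesk account's single wipe passes, and the role detector surfaces the Global Administrator grant on its own.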
In Conclusion
Attackers continue to find these holes and take advantage of areas where organizations are not treating identity and access as an organization-wide concern. It is time for organizational leadership to break down these silos and get everyone on board. Internal silos for teams such as IT, applications, cloud, networking, and even cybersecurity are the weak spots in our security controls that no one is talking about, until an incident like this occurs and shines a spotlight on it. If done correctly, with Usable Security being one of the guiding principles, applying the appropriate controls does not need to add friction. It can even improve the user experience while improving security.