Trend Report: Securing Workforce Identities in 2026


Four questions to Christophe Chollet, Director of Innovation at IN Groupe.

At a time when cyberattacks are multiplying, becoming more professionalized, and increasingly relying on AI, companies and organizations need to rethink their security priorities. While attack patterns are evolving, one constant is reinforced: identity security continues to be one of the main entry points exploited by hackers.

On the occasion of the launch of IN Groupe’s “2026 Trend Report: Securing Workforce Identities”, Christophe Chollet, Director of Innovation at IN Groupe, looks back at the key trends shaping the cybersecurity landscape and reflects on the actions companies need to put in place to protect themselves effectively.

1. What are the most significant attack patterns currently affecting companies?

Attack methods are evolving, particularly with the use of AI, but the weakest link remains the human factor. The most effective attacks (and the least costly ones to run) rely on social engineering. The recipe is simple: gather information about a person, build a credible context, establish trust, and then trigger an action, obtain access, or obtain an approval. According to the CESIN 2025 Barometer, 60% of successful cyberattacks in France still begin with a fraudulent email.


This mechanism has existed for a long time, but it is now taking far more sophisticated forms. The most striking example I can think of is this one: in early 2024, attackers used AI-generated deepfake video and audio of senior executives to convince a finance clerk in Hong Kong that a fraudulent “confidential HK$200 million (USD$25.6 million) transaction” request was legitimate. The finance clerk processed it, in good faith. Behind the most advanced attacks, we always see people deceived by hackers posing as legitimate counterparts.

2. Why has identity become the cornerstone of cybersecurity?

Because today, identity determines access. It governs entry into systems, access to data, levels of authorization, and the ability to carry out specific actions. In other words, identity is more than ever the key that opens the door. Once that key is compromised, the entire security architecture becomes vulnerable.


There are of course several major categories of cyberattacks. “Denial-of-service attacks” consist in disrupting services. “Brute-force attacks” consist in hackers forcing their way in through cryptography, testing password combinations until they find the right one. Software vulnerabilities also remain a major entry point: according to the CESIN 2025 Barometer, they account for 47% of initial intrusion vectors. But in practice, one of the most common and effective routes into companies and organizations remains the identity-based attack: phishing, social engineering, credential theft. All rely on the same objective: either stealing someone's credentials or convincing them to hand over access themselves. This is precisely why securing identity has become such a central issue.

At IN Groupe, this is where the core of our work lies: strengthening trust around identity, whether the identity of a person or a device, to better protect access to systems and services.

3. What are the main technological priorities today to better secure identities within companies and organizations?

The first priority is clearly the deployment of multi-factor authentication (MFA). Passwords alone, even strong ones, are no longer enough to protect ourselves: they can be stolen, reused, shared, or bypassed. Many companies still have not rolled out MFA broadly, yet it is one of the most effective measures available to reduce the risks associated with credential theft.

The second priority concerns identity verification, especially in remote contexts. As we outline in our 2026 Trend Report, with hybrid working, digital onboarding, and the multiplication of remote interactions, it has become essential to verify not only an identity, but the link between that identity and the person presenting it. For instance, what proves that the image you see in front of you is genuinely real, and not a photograph, a replayed video, or a deepfake? This is where biometrics comes in, along with the detection of “presentation attacks” (for instance, someone holding up a photo or wearing a mask in front of a camera) and video “injection attacks” (where the camera feed is replaced entirely by a synthetic stream). These technologies are designed to guarantee that the person interacting with the system is physically present and genuinely who he/she claims to be.


More broadly, this shows that cybersecurity is no longer purely a technical issue: as long as the primary vulnerability remains human, it also becomes a matter of leadership, training, and awareness across the entire company or organization.

4. Beyond current threats, should organizations already be preparing for the post-quantum risk?

Yes. And the clock is already ticking. Google has announced quantum computing as a reality by around 2029 – tomorrow! The cryptographic algorithms that currently secure data exchanges, digital signatures, and authentication mechanisms (RSA, elliptic curves…) will be weakened by quantum computing power.

One threat is already active: malicious actors are collecting encrypted data today, deliberately, with the intention of decrypting it later. It is a real and documented strategy. But the risk goes further than that. If quantum computing becomes accessible, creating a technically valid forged electronic passport could be achieved in a matter of hours, because the entire security of a passport rests on these asymmetric algorithms. For IN Groupe, it is therefore an immediate strategic priority, and this is why we are already acting on it.

The good news: post-quantum algorithms, which are designed to resist quantum computing, already exist today. The transition, however, takes time, for data encryption schemes and for digital signature mechanisms alike. Which is precisely why now is the right moment to start!
