A password is the cause the way a gun is the cause of a shooting.
Networks are targets - both because their assets make them attractive to attack, and because a network is inherently vulnerable (since it is a set of connected nodes).
So the cause is the network and the solution is to eliminate the network. Securely identified, properly authenticated, least privileged access, app-specific, ephemeral connections. Can such a connection still be breached? Of course. But it will be more difficult and it will be isolated, micro-segmented by definition, and unable to be leveraged to attack laterally.
That said, networks make things simple. And complexity is insecure. As soon as we can make the paradigm listed above as simple as networking, we will see a massive shift. We need it.
A password allowing access to something with a very large 'blast radius': horrible.
Systematic failure of compartmentalization and roles/access control within the organization's network.
I do not agree that eliminating the network is the solution. Properly securing the network is. I could go into a 30 page essay on what might be considered within the category of 'proper', but suffice to say that organizations of this importance should have a serious infosec/netsec department.