Identity, not the network perimeter, is now the primary way attackers break into enterprises. A survey of 5,000 IT and cybersecurity leaders across 17 countries from Sophos finds that 71% of organizations suffered at least one identity-related breach in the past year. Each affected organization was hit by an average of three separate attacks.
- Sophos’s State of Identity Security 2026 puts identity at the center of enterprise intrusions, yet most breach prevention still concentrates on human accounts.
- Weak management of non-human identities, the machine accounts that can outnumber human ones by 100 to 1, was the root cause of 41% of successful identity breaches.
- Two-thirds of ransomware victims, 67%, traced their attack to an identity compromise, and the average breach cost $1.64 million to fix.
- Only 34% of organizations regularly audit or rotate service accounts and non-human identities, the gap the report tells defenders to close first.
Identity-Related Breach Hit 71% Across 17 Countries
Energy, oil, and gas operators were the most exposed, with 80% reporting at least one identity-related breach, against 63% in IT and technology. By geography the spread ran wider still: 89% of Swiss organizations and 83% of Mexican ones were hit. The 5,000 leaders Sophos surveyed across 14 industries averaged three separate identity attacks over the year, at a mean recovery cost of $1.64 million and a median of $750,000. For 73% of victims, fixing a single breach cost $250,000 or more.
That financial weight tracks a change in how intrusions start. Identity compromise has become the connective tissue of the modern attack, and ransomware shows it most clearly: 67% of ransomware victims said their incident began with an identity attack rather than a malware drop or an unpatched edge device.
Why Non-Human Identities Are the Blind Spot
The survey’s most consequential finding sits in the accounts no one logs into. Non-human identities, the service accounts and machine credentials that keep software talking to software, can outnumber human identities by as much as 100 to 1. Weak management of those identities was the root cause of 41% of successful breaches, and only 34% of organizations regularly audit or rotate them. Most identity programs still budget attention by headcount, so the largest population of credentials gets the least oversight.
Detection follows the same fault line. Smaller organizations, those with 100 to 250 employees, were nearly twice as likely to miss an identity attack as organizations above 1,000. Sophos ties the rising tempo to agentic AI, which lets attackers iterate credential abuse faster than thinly staffed teams can review anomalous activity. The result is a widening gap between where credentials multiply and where anyone is watching them.
Where Identity Security Teams Should Start
The order matters: inventory the credentials that outnumber your people before tuning the controls on the ones that do not. Two moves follow from the data.
- Inventory and rotate non-human identities first – With machine accounts outnumbering human ones up to 100 to 1 and behind 41% of breaches, the service accounts are where exposure concentrates. Bring them under the same rotation and audit cadence as privileged human accounts; only 34% of organizations do today.
- Close the detection gap at smaller sites – Organizations under 250 employees miss identity attacks at nearly twice the rate of larger ones. Route their identity telemetry to a monitored destination rather than leaving login anomalies for a team that cannot watch them in real time.
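One way to run the audit the first step calls for, written here as an added example rather than anything from the Sophos report: apply the rotation cadence already used for privileged human accounts to a service-account inventory and flag what falls outside it. The 90-day rotation and 180-day idle thresholds, the field layout and the inventory rows are all constructed assumptions.

```python
"""Audit a service-account inventory against the rotation cadence used for
privileged human accounts. Thresholds and inventory rows are assumed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy: the cadence your privileged human accounts already follow.
MAX_CREDENTIAL_AGE = timedelta(days=90)   # credentials older than this are overdue
MAX_IDLE = timedelta(days=180)            # unused this long: retirement candidate

@dataclass
class ServiceAccount:
    name: str
    owner: Optional[str]        # None: nobody is accountable for the account
    last_rotated: date          # when its credential was last changed
    last_used: Optional[date]   # None: never observed authenticating

def audit(inventory: List[ServiceAccount], today: date) -> Dict[str, List[str]]:
    """Return {finding: [account names]} for accounts outside the human-account cadence."""
    findings: Dict[str, List[str]] = {"rotation_overdue": [], "no_owner": [], "dormant": []}
    for acct in inventory:
        if today - acct.last_rotated > MAX_CREDENTIAL_AGE:
            findings["rotation_overdue"].append(acct.name)
        if acct.owner is None:
            findings["no_owner"].append(acct.name)
        if acct.last_used is None or today - acct.last_used > MAX_IDLE:
            findings["dormant"].append(acct.name)
    return findings

# Constructed sample inventory; these are not real accounts.
SAMPLE_INVENTORY = [
    ServiceAccount("svc-backup", "it-ops", date(2026, 1, 15), date(2026, 3, 20)),
    ServiceAccount("svc-ci-deploy", "platform", date(2024, 6, 15), date(2026, 3, 21)),
    ServiceAccount("svc-legacy-etl", None, date(2023, 1, 10), date(2025, 2, 3)),
    ServiceAccount("svc-monitor", "secops", date(2026, 1, 5), None),
]

def audit_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed inventory as of an assumed date."""
    return audit(SAMPLE_INVENTORY, date(2026, 3, 22))

if __name__ == "__main__":
    for finding, names in audit_sample().items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

An account that appears under more than one finding, such as one with no owner that is both overdue and dormant, is the kind of credential the survey's 41% figure points at and the first candidate for removal rather than rotation.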
For a security team already weighing the cost of paying a ransomware demand, the survey reframes the front door. With 71% of enterprises hit by an identity-related breach in a single year, the perimeter worth hardening first is built from credentials, most of them non-human.
