Sophos Finds 71% of Enterprises Suffered Identity‑Related Breaches


Key Takeaways

  • 71% of organizations across 17 countries experienced at least one identity‑related breach in the past year, averaging three separate attacks per victim.
  • The average cost to remediate an identity breach is $1.64 million (median $750 k); 73% of victims spend $250 k or more.
  • Non‑human (service/machine) identities outnumber human accounts by up to 100 : 1 and were the root cause of 41% of successful breaches, yet only 34% of organizations regularly audit or rotate them.
  • Two‑thirds of ransomware victims (67%) trace the initial compromise to an identity attack rather than malware or unpatched edge devices.
  • Smaller firms (100‑250 employees) are nearly twice as likely to miss identity attacks as larger enterprises (>1,000 employees), a gap worsened by agentic AI‑driven credential abuse.
  • By sector, energy, oil, and gas is the most exposed (80% breach rate); by geography, Swiss (89%) and Mexican (83%) organizations were hit hardest.
  • The report urges defenders to inventory and rotate machine accounts first, then extend detection capabilities to smaller sites by routing identity telemetry to a monitored destination.

Identity‑Related Breaches Have Become the Dominant Attack Vector
A Sophos survey of 5,000 IT and cybersecurity leaders across 17 countries reveals that identity compromise is now the primary entry point for attackers. Seventy‑one percent of respondents reported suffering at least one identity‑related breach in the last 12 months, with each affected organization experiencing an average of three separate incidents. This prevalence shifts the focus of security from traditional network perimeters to the credentials—both human and machine—that attackers exploit to gain footholds inside enterprises. The findings are detailed in Sophos’s State of Identity Security 2026 report, which positions identity as the central connective tissue of modern intrusions.

Financial Impact and Ransomware Connection
Remediating an identity breach carries a steep price tag. The average recovery cost across surveyed organizations is $1.64 million, with a median of $750 000. For 73 % of victims, fixing a single breach exceeds $250 000, underscoring the financial strain these incidents impose. Ransomware attacks, in particular, are tightly linked to identity compromises: two‑thirds (67 %) of ransomware victims stated that their incident began with an identity attack rather than a malware drop or an unpatched edge device. This statistic highlights how credential abuse fuels the ransomware economy, turning stolen or misused accounts into the launchpad for extortion campaigns.

Sector and Geographic Variations
Breach rates differ markedly by industry and geography. Energy, oil, and gas operators reported the highest exposure, with 80 % experiencing at least one identity‑related breach, compared to 63 % in the IT and technology sector. Geographically, Swiss organizations were hit hardest at 89 %, followed closely by Mexican firms at 83 %. These variations suggest that certain critical‑infrastructure sectors and regions face heightened credential‑targeting pressure, possibly due to the high value of operational technology assets or differing regulatory landscapes that affect identity hygiene practices.

The Blind Spot: Non‑Human Identities
While human accounts receive considerable attention, the survey identifies non‑human identities—service accounts, machine credentials, and API keys—as the most glaring weakness. Such machine accounts can outnumber human identities by as much as 100 to 1, yet they are frequently overlooked in governance programs. Weak management of these credentials was cited as the root cause of 41 % of successful identity breaches, and only 34 % of organizations routinely audit or rotate them. Because security budgets and monitoring efforts are often sized by headcount, the vast population of machine credentials receives disproportionately little oversight, creating a fertile ground for attackers to abuse.

Detection Gaps in Smaller Organizations
The detection deficit is especially pronounced in smaller enterprises. Organizations with 100‑250 employees are nearly twice as likely to miss an identity attack as those with more than 1,000 staff. Sophos links this shortfall to the rapid tempo enabled by agentic AI, which allows adversaries to iterate credential‑abuse techniques faster than thinly stretched security teams can review anomalous login activity. Consequently, the gap between where credentials proliferate (largely in machine accounts) and where effective monitoring exists continues to widen, leaving smaller firms vulnerable to stealthy, identity‑based intrusions.

Prioritizing Action: Inventory and Rotate Machine Accounts
To close the most critical exposure, the report recommends a two‑step prioritization. First, inventory and rotate non‑human identities. Given that machine accounts outnumber human ones up to 100 : 1 and underlie 41 % of breaches, bringing them under the same rotation and audit cadence applied to privileged human accounts is essential. Currently, only a third of organizations do this; elevating this practice to a baseline control will dramatically reduce the attack surface. Second, align detection capabilities with the inventory—ensuring that any credential, especially service accounts, is subject to real‑time monitoring and anomaly detection.
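The inventory-and-rotate step, as an added example that is not from the Sophos report: the account inventory below is constructed, and the 90-day cadence and the type labels are assumptions standing in for whatever policy applies to privileged human accounts.

```python
"""Inventory non-human identities and flag credentials overdue for rotation.

Added example, not from the Sophos report. It applies the recommendation of
putting service accounts, machine credentials and API keys on the same
rotation cadence as privileged human accounts, and reports the
non-human-to-human ratio and the share of non-human identities in cadence.
"""
from datetime import date, timedelta

NON_HUMAN_TYPES = {"service", "machine", "api_key"}  # assumed type labels

# Constructed inventory; in practice export this from the IdP, secrets manager and cloud IAM.
INVENTORY = [
    {"name": "alice", "type": "human", "last_rotated": "2025-01-10"},
    {"name": "bob", "type": "human", "last_rotated": "2024-12-20"},
    {"name": "svc-backup", "type": "service", "last_rotated": "2023-06-01"},
    {"name": "svc-ci", "type": "service", "last_rotated": "2025-02-15"},
    {"name": "db-replicator", "type": "machine", "last_rotated": None},  # never rotated
    {"name": "ci-deploy-key", "type": "api_key", "last_rotated": "2024-11-01"},
    {"name": "monitoring-token", "type": "api_key", "last_rotated": "2025-02-28"},
]

def is_non_human(acct):
    return acct["type"] in NON_HUMAN_TYPES

def non_human_ratio(inventory):
    """Non-human identities per human identity (the report cites up to 100:1)."""
    humans = sum(1 for a in inventory if not is_non_human(a))
    return (len(inventory) - humans) / humans if humans else float("inf")

def overdue_non_human(inventory, today, max_age_days=90):
    """Names of non-human identities never rotated or rotated more than max_age_days ago."""
    cutoff = today - timedelta(days=max_age_days)
    overdue = []
    for acct in inventory:
        if not is_non_human(acct):
            continue
        last = acct["last_rotated"]
        if last is None or date.fromisoformat(last) < cutoff:
            overdue.append(acct["name"])
    return sorted(overdue)

def rotation_coverage(inventory, today, max_age_days=90):
    """Fraction of non-human identities currently within the rotation cadence."""
    non_human = [a for a in inventory if is_non_human(a)]
    overdue = overdue_non_human(inventory, today, max_age_days)
    return 1 - len(overdue) / len(non_human) if non_human else 1.0

if __name__ == "__main__":
    today = date(2025, 3, 1)
    print("non-human:human ratio", non_human_ratio(INVENTORY))
    print("overdue for rotation", overdue_non_human(INVENTORY, today))
    print("in-cadence coverage", rotation_coverage(INVENTORY, today))
```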

Closing the Detection Gap at Smaller Sites
The second priority targets the detection blind spot at smaller organizations. Rather than relying on overburdened internal teams to spot login anomalies, firms should route identity telemetry from all sites—including remote offices and branch locations—to a centralized, monitored destination such as a SIEM or managed detection and response (MDR) service. This approach enables continuous correlation of authentication events, timely alerts on suspicious credential use, and faster containment, thereby compensating for limited staffing and expertise in smaller enterprises.
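The correlation step a centralized SIEM or MDR would run over routed identity telemetry, as an added example that is not from the Sophos report: the log format, the log lines and the per-account host baselines are all constructed, and the two checks (a service account logging on interactively, and a service account authenticating from a host outside its baseline) are assumed rules, not the report's.

```python
"""Flag suspicious service-account authentication in centralized identity telemetry.

Added example, not from the Sophos report. The key=value log format, the
sample events and the host baselines below are constructed; a real deployment
would feed the same checks from the SIEM's normalized authentication events.
"""
import re

# Constructed baseline: hosts each non-human identity is expected to authenticate from.
BASELINE = {
    "svc-backup": {"backup01"},
    "svc-ci": {"ci-runner1", "ci-runner2"},
}

# Constructed telemetry as routed from branch sites to the central collector.
LOG_LINES = """\
2025-03-01T02:14:07Z user=svc-backup host=backup01 logon=network result=success
2025-03-01T02:15:11Z user=svc-backup host=ws-finance07 logon=network result=success
2025-03-01T02:16:40Z user=svc-ci host=ci-runner2 logon=network result=success
2025-03-01T02:17:03Z user=svc-ci host=ci-runner2 logon=interactive result=success
2025-03-01T02:18:22Z user=alice host=ws-finance07 logon=interactive result=success
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"logon=(?P<logon>\S+) result=(?P<result>\S+)$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect(lines, baseline):
    """Return (timestamp, account, reason) for service-account events that break the rules.

    Both successful and failed attempts are reported: a failure from an unknown
    host is itself a signal that the credential is being tried elsewhere.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] not in baseline:
            continue  # only non-human identities with a known baseline are checked here
        if ev["logon"] == "interactive":
            alerts.append((ev["ts"], ev["user"], "interactive logon by service account"))
        if ev["host"] not in baseline[ev["user"]]:
            alerts.append((ev["ts"], ev["user"], f"logon from non-baseline host {ev['host']}"))
    return alerts

if __name__ == "__main__":
    for ts, user, reason in detect(LOG_LINES, BASELINE):
        print(ts, user, reason)
```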

Conclusion: Shifting Focus from Perimeter to Credential Hygiene
The Sophos data make clear that the enterprise “front door” is no longer a firewall or VPN gateway; it is the aggregate of credentials that authenticate users and machines to internal resources. With 71 % of organizations hit by identity‑related breaches in a single year and the average incident costing well over a million dollars, investing in robust identity governance—particularly for the vast, often‑ignored population of non‑human accounts—is a strategic imperative. By inventorying and rotating machine accounts first, then extending vigilant detection to all corners of the organization, security teams can transform identity from the weakest link into the strongest line of defense against modern, credential‑driven attacks.
