Sophos 2026: 71% of Organisations Hit by an Identity Breach
Sophos surveyed 5,000 IT and cybersecurity leaders across 17 countries for its State of Identity Security 2026. 71% suffered at least one identity-related breach in the previous year, with an average of three incidents. 67% of ransomware victims confirmed the incident started with an identity attack.
Key Finding
Identity-related breaches are no longer rare events. They are an annual operating reality for two-thirds of large enterprises, and a recurring one for the majority of those.
Sophos's State of Identity Security 2026, published May 2026, is a vendor-agnostic survey of 5,000 IT and cybersecurity leaders across 17 countries (U.S., U.K., Germany, France, Australia, Japan, India, Brazil and others) in organisations sized 100 to 5,000 employees across 14 industries.
71% of surveyed organisations confirmed at least one identity-related breach in the previous 12 months. The average among those was three incidents. 5% reported six or more. Fewer than a third of respondents reported no identity incident at all — and the methodology likely understates the breach rate, because organisations report what they detected, not what occurred.
A finding worth singling out: 67% of ransomware victims in the survey confirmed their incident started with an identity attack. Identity compromise is no longer one of several ransomware delivery vectors — it is the dominant one.
Three patterns surfaced repeatedly:
Human error sits at the top of the cause list. Phishing, vishing, and other social-engineering vectors that result in a legitimate user surrendering a credential were named in 43% of the incidents. The next two largest categories — third-party / supply-chain access and unmanaged non-human identities — together account for another sizeable share.
Detection time has not improved. The median time to detect an identity breach is still measured in months, not days. The mean dwell time for incidents involving compromised credentials sits at around 8 months, consistent with IBM's 2025 figure.
Identity-control investment is up; identity-incident frequency is up faster. Most surveyed organisations had increased identity-security spending year over year. Incident frequency rose in parallel, which suggests that the spend is being absorbed by attack volume rather than by defensive improvement.
For identity architecture, the survey reinforces a thesis we have been operating from for two years: the identity-incident response cycle has to be treated as a continuous operational discipline, not a tail-risk exercise. The question is no longer whether your organisation will face an identity incident this year. It is how the architecture is designed to handle the three of them.