2025: 71 percent of companies worldwide affected by at least one case of identity theft
The Sophos report «State of Identity Security 2026» concludes that human error and poor management of non-human identities are the main causes of most attacks, while autonomous AI further increases the risk.

The «State of Identity Security 2026» report by Sophos is a vendor-independent survey of 5,000 IT and cyber security managers from 17 countries. The survey shows that 71 percent of companies (Switzerland: 88.7 percent) have suffered at least one identity-related security incident in the past year, with organizations reporting an average of three separate incidents.
Human error as the main cause
The high number of companies affected multiple times is particularly striking: 5 percent even reported six or more security breaches. These attacks are mainly facilitated by human error and weak management of non-human identities (NHIs), a challenge that is being rapidly exacerbated by agentic AI and the resulting acceleration of attack processes.
Two thirds (67 percent) of the surveyed companies affected by ransomware confirmed that their ransomware incident was the result of an identity-based attack. This establishes identity compromise as the primary attack vector for ransomware. Researchers at Sophos X-Ops have been observing this pattern continuously since last year. The financial consequences are considerable: the average recovery costs last year amounted to 1.64 million US dollars, the median was 750,000 US dollars, and 73 percent of those affected had to bear costs of at least 250,000 US dollars.
«Identities have become the top attack surface in modern cybersecurity, and this data shows that most organizations are increasingly losing ground,» said Ross McKerchar, Chief Information Security Officer at Sophos. «The problem of non-human identities is particularly pressing. AI agents are gaining credentials faster than security teams can track them. Companies that don't proactively address this problem will find that this vulnerability is increasingly costly to close.»
Other key findings from the «State of Identity Security 2026» report:
- Data and financial theft dominate the consequences of security breaches: Overall, 10 percent of organizations report an identity-related security breach with business impact in the past year. The most important consequences are data theft (49 percent), ransomware (48 percent) and financial theft (47 percent).
- A lack of transparency remains a critical weakness: Only 24 percent of companies continuously monitor unusual login attempts, while more than half only carry out such checks quarterly or even less frequently.
- Detection gaps persist: 14 percent of affected companies were unable to detect and stop their most serious identity-based attack before damage occurred. Smaller companies (100-250 employees) fail to detect attacks almost twice as often as medium-sized companies.
- Critical infrastructures are particularly at risk: Companies in the energy, oil/gas and utilities sectors (80 percent) and federal and central government agencies (78 percent) report the highest security breach rates of all industries surveyed.
- Compliance problems indicate an increased overall risk: Companies that find compliance requirements very challenging have a security breach rate of 82.4 percent. This is 14 percentage points higher than for companies with fewer compliance difficulties (68.3 percent).
Human error, such as employees being tricked into disclosing credentials, is cited as the cause in almost 43 percent of incidents. Weak management of non-human identities, including API keys stored in code, static credentials and orphaned service accounts, is cited in 41 percent of cases. Companies with inadequate NHI management have a 22 percent higher risk of financial theft and pay on average around 150,000 US dollars more for recovery than other companies.
The problem of NHI management is getting worse. AI agents can autonomously create sub-agents, each generating new credentials with far-reaching, permanent access rights, often without consistent human control. Existing identity frameworks were not developed for this scenario, and many organizations are already lagging behind: only one in three organizations regularly rotates or reviews service accounts and non-human identities, and only 11 percent do so continuously.
Recommendations for reducing identity-based risks
To reduce the risk of identity-based attacks, companies should implement a multi-layered approach that encompasses both human and non-human identities. Key measures include the mandatory introduction of multi-factor authentication (MFA) for all user accounts, the application of the least privilege principle and the prompt deactivation or removal of inactive identities.
Specifically for non-human identities, organizations should inventory and classify all NHIs, replace long-lived credentials with short-lived alternatives, and deploy secrets management platforms to manage NHI credentials at scale. As agentic AI accelerates the proliferation of NHIs, Identity Threat Detection and Response (ITDR) capabilities and the adoption of a zero-trust security model will become increasingly important layers of defense.
