More than seven in ten organizations suffered identity-related breaches over the past year, according to Sophos's State of Identity Security 2026 survey. The research found that 71% of surveyed organizations reported at least one identity breach, highlighting the persistent challenge of securing user credentials and access controls across enterprise environments.
The energy sector faced disproportionate risk, with energy, oil, gas, and utility providers experiencing the highest breach rate at 80.3%. This elevated exposure likely reflects the critical infrastructure status of these organizations, which makes them attractive targets for both financially motivated cybercriminals and state-sponsored threat actors seeking to disrupt essential services.
In contrast, organizations in IT, technology, and telecommunications reported the lowest breach rate at 63.1%, followed closely by healthcare at 63.4%. While these sectors still face significant identity security challenges, their slightly lower breach rates may indicate more mature security practices or different threat profiles compared to critical infrastructure targets.
Identity-based attacks have become a primary vector for initial access, as threat actors increasingly bypass perimeter defenses by compromising legitimate credentials through phishing, credential stuffing, or exploiting weak authentication mechanisms. Once inside a network with valid credentials, attackers can move laterally, escalate privileges, and access sensitive data while evading detection systems designed to spot external intrusions.
Security teams should treat identity security as a foundational control rather than an afterthought. Organizations should enforce multi-factor authentication across all access points, implement least-privilege access policies, conduct regular access reviews to remove unnecessary permissions, and deploy identity threat detection tools that can identify anomalous authentication patterns. Given that nearly three-quarters of organizations have already experienced identity breaches, proactive identity security measures are no longer optional but essential for maintaining a defensive posture.
Source: https://oilreviewmiddleeast.com/industry/71-of-organisations-reported-minimum-one-identity-breach-last-year


