Weaknesses in identity systems lay behind 67 percent of the cybersecurity incidents Sophos investigated over the past year, the British security company said on Wednesday, as cybercriminals leaned heavily on stolen credentials and bypassed traditional defences.

The conclusion comes from the 2026 Sophos Active Adversary Report, which examined 661 cases handled by its incident response and managed detection teams between November 2024 and October 2025. Those cases spanned organisations in 70 countries and 34 industries.

Attackers appear to have largely moved past hunting for fresh software bugs. Brute-force credential attacks now account for 15.6 percent of initial access points, almost even with exploitation of vulnerabilities at 16 percent.

In 59 percent of identity-related breaches, multifactor authentication was either absent or ineffective, letting adversaries slip inside using valid accounts. Once on the network, movement happens with striking speed.

The median time to reach an Active Directory server, the high-value target that controls domain privileges, stood at 3.4 hours. Overall dwell time before detection or disruption dropped to three days, helped by quicker defender responses in monitored environments.

Ransomware groups, meanwhile, still prefer quiet periods. Payloads were deployed outside business hours in 88 percent of cases, and 79 percent of data exfiltration also took place outside business hours, underlining the value of continuous overnight coverage.

The threat landscape itself has grown more crowded. Sophos tracked a record number of active ransomware brands, 51 in total, including 24 newcomers. Akira led the pack, appearing in 22 percent of incidents.

Although law enforcement pressure has dented older names like LockBit, the churn has spawned more players and complicated attribution.

Sophos researchers saw no sign that generative AI has yet reshaped attack methods in any fundamental way. The tools have made phishing emails faster to produce and more convincing, but the underlying tactics remain familiar.

“The shift toward identity compromise has been building for years. These are not problems that get fixed by installing the latest patches. Companies need to treat identity security as a frontline priority,” said John Shier, field chief information security officer at Sophos and lead author of the report.

Among its recommendations, Sophos urged deployment of phishing-resistant multifactor authentication, tighter controls on identity infrastructure, rapid patching of internet-facing devices, 24/7 monitoring, and longer retention of security logs, something that deteriorated last year as many firewall vendors stuck with seven-day or even 24-hour defaults.

Royal Ibeh is a senior journalist with years of experience reporting on Nigeria’s technology and health sectors. She currently covers the Technology and Health beats for BusinessDay newspaper, where she writes in-depth stories on digital innovation, telecom infrastructure, healthcare systems, and public health policies.
