80% of Australian Organisations Suffered at Least One Identity Breach In the Past Year, Sophos Research Finds

Today, Sophos released the State of Identity Security 2026, a vendor-agnostic survey of 5,000 IT and cybersecurity leaders across 17 countries, including 300 in Australia. The survey found that 80% of Australian organisations surveyed suffered at least one identity-related breach in the past year, and on average organisations reported three separate incidents. Repeat victimisation reached […]

Reports & Predictions | Security Awareness

Posted: Thursday, May 14

KBI.Media
$
80% of Australian Organisations Suffered at Least One Identity Breach In the Past Year, Sophos Research Finds

80% of Australian Organisations Suffered at Least One Identity Breach In the Past Year, Sophos Research Finds

Today, Sophos released the State of Identity Security 2026, a vendor-agnostic survey of 5,000 IT and cybersecurity leaders across 17 countries, including 300 in Australia. The survey found that 80% of Australian organisations surveyed suffered at least one identity-related breach in the past year, and on average organisations reported three separate incidents. Repeat victimisation reached a notable level globally, with 5% reporting six or more breaches. These attacks are driven primarily by human error and weak management of non-human identities (NHIs), a challenge that is accelerating rapidly as agentic AI accelerates attack processes.

More than three quarters (77%) of Australian ransomware victims responding to the survey confirmed their ransomware incident stemmed from an identity attack, establishing identity compromise as a primary delivery mechanism for ransomware. Sophos X-Ops threat researchers have observed this consistently over the past year. The financial consequences are steep: the global mean recovery cost reached US$1.64 million, with a median of US$750,000, and 73% of those affected faced costs of US$250,000 or more.

“Identity has become the primary attack surface in modern cybersecurity, and this data shows most organisations are losing ground,” said Ross McKerchar, chief information security officer, Sophos. “The non-human identity problem is particularly urgent. AI agents are being granted privileges faster than security teams can track them, and organisations that fail to get ahead of this will find it an increasingly costly gap to close.”

Key global findings from the State of Identity Security 2026:

Data and financial theft dominate breach fallout: Overall, 10% of organisations reported an identity breach that impacted their business in the last year with the primary consequences being data theft (49%) and ransomware (48%), and financial theft (47%)
Visibility remains a critical weakness: Only 24% of organisations continually monitor for unusual login attempts, and more than half check every three months or less.
Detection gaps persist: 14% of breached organisations could not detect and stop their most significant identity attack before damage was done. Smaller organisations (100–250 employees) were nearly twice as likely to fail at detection as mid-sized peers.
Critical infrastructure most exposed: Energy, oil/gas, and utilities (80%) and federal/central government (78%) reported the highest breach rates across all industries surveyed.
Compliance struggles signal broader risk: Organisations that found compliance requirements very challenging had a breach rate of 82.4%, a full 14 percentage points higher than those with lower compliance difficulty (68.3%).

Human error (employees tricked into providing credentials) was cited in nearly 43% of incidents. Weak NHI management, including API keys stored in code, static credentials, and orphaned service accounts, was cited in 41%. Organisations with weak NHI management are 22% more likely to experience financial theft and pay approximately $150,000 more to recover than average.

The NHI management problem is intensifying. AI agents can autonomously spin up sub-agents, each generating new credentials with broad, persistent access and inconsistent human oversight. Existing identity frameworks were not built for this, and organisations are already behind: only 1 in 3 organisations regularly rotate or audits service accounts and non-human identities, and just 11% do so continuously.

Recommendations to reduce identity-based risks

To reduce exposure to identity-related attacks, organisations should implement a multi-layered approach covering both human and non-human identities. Essential steps include enforcing Multi-Factor Authentication (MFA) for all user accounts, applying least-privilege access principles, and disabling or removing inactive identities promptly.

For non-human identities specifically, organisations should inventory and classify all NHIs, replace long-lived credentials with short-lived alternatives, and implement secrets management platforms to manage NHI credentials at scale. As agentic AI accelerates NHI proliferation, deploying Identity Threat Detection and Response (ITDR) capabilities and adopting a Zero Trust security model are increasingly critical layers of defense.

The State of Identity Security 2026 report comes from a vendor-agnostic survey conducted in Q1 2026 of 5,000 IT and cybersecurity leaders across 17 countries, including the U.S., U.K., Germany, France, Australia, Japan, India, and Brazil, in organisations with 100 to 5,000 employees across 14 industries.

The full report is available here.