Why identity has become the enterprise’s biggest cyber battleground

Cyberattacks rise while stagnant budgets & apathetic leadership remain major cybersecurity barriers in Asia Pacific & Japan: Study

Ransomware remains one of the most expensive cyber threats facing enterprises, but the nature of the risk is changing. Sophos’ latest global research suggests organisations are becoming better at recovery and ransom negotiation, yet attackers are simultaneously shifting towards identity-centric attacks and exploiting operational weaknesses that traditional security investments alone cannot address.

For years, enterprise ransomware strategy revolved around patching vulnerabilities, strengthening endpoint security and maintaining reliable backups. Those priorities remain relevant, but Sophos’ The State of Ransomware 2026 suggests the centre of gravity has shifted.

The report indicates that identity has now emerged as the defining battleground in ransomware defence. Malicious emails account for 26 percent of attacks, phishing contributes another 24 percent, while compromised credentials remain responsible for 23 percent. Collectively, nearly four out of five ransomware incidents now begin through identity-related attack techniques rather than purely technical exploits. Even more telling, two-thirds of surveyed organisations confirmed that their ransomware incident was also their most significant identity attack during the past year.

Prevention alone is no longer the measure of success

One of the more nuanced messages emerging from the report is that measuring cybersecurity success solely by attack prevention no longer reflects operational reality.

Despite years of investments in security technologies, 56 percent of ransomware attacks still succeeded in encrypting organisational data, reversing last year’s decline and suggesting attackers are regaining momentum. 16 percent of organisations experienced both data encryption and data theft, creating multiple opportunities for extortion. Recovery therefore becomes just as strategically important as prevention.

Encouragingly, enterprises appear to be responding.

Backup-based recovery rose significantly to 66 percent of encrypted incidents, while the proportion of organisations paying ransom declined to 48 percent, the lowest level recorded over the past three years. These findings suggest enterprises are gradually reducing their dependence on attackers to restore operations by strengthening internal resilience capabilities.

For technology leaders, this represents an important budgeting insight. Investments in recovery infrastructure, immutable backups and tested recovery processes are increasingly delivering measurable operational value.

Security spending must address operational weaknesses

Another striking observation is that technology alone is rarely the decisive factor behind ransomware success.

Respondents overwhelmingly attributed successful attacks to operational shortcomings rather than individual technical failures. Security gaps—whether known or unknown—were cited by 62 percent of organisations, followed by shortages in skills or personnel (58 percent) and inadequate protection capabilities (57 percent). Human error also remained a persistent contributor and was the only operational factor to increase compared with the previous year.

Identity security cannot depend on MFA alone

Perhaps the report’s most surprising finding concerns multi-factor authentication.

Among organisations where compromised credentials caused the ransomware attack, 97 percent already had MFA deployed in some capacity. Rather than diminishing MFA’s importance, the data suggests partial implementation or inconsistent deployment leaves sufficient gaps for attackers to exploit.

For enterprise leaders, this highlights an increasingly important distinction between deploying security controls and operationalising them comprehensively across every identity, application and access point.

Identity resilience now extends beyond passwords and authentication into continuous monitoring, privileged access governance and identity threat detection.

Firewalls become intelligence platforms

The report also reframes the role of traditional infrastructure.

Firewalls that detected attacks before ransomware deployment limited encryption success to 50 percent, compared with 71 percent where attacks went undetected. Rather than functioning merely as perimeter controls, firewalls increasingly serve as telemetry sources that enable earlier detection when integrated with broader security operations.

This reinforces another strategic lesson: cybersecurity effectiveness increasingly depends on how well existing technologies work together rather than how many independent security products organisations deploy.

Progress is real—but expensive

There are encouraging signs across several metrics.

Median ransom demands have declined to US $698,000, continuing a multi-year downward trend, while median ransom payments have fallen to US $769,000. More organisations are successfully negotiating lower settlements, with 51percent ultimately paying less than the initial demand.

However, these improvements should not create complacency.

The average recovery cost—excluding ransom payments—has increased to US $1.7 million. Beyond financial losses, ransomware continues to impose a significant organisational burden. 99 percent of organisations whose data was encrypted reported repercussions for their cybersecurity teams, with increased stress, leadership pressure and organisational disruption emerging as common consequences. In one-fifth of affected organisations, cybersecurity leadership was replaced following the incident.

For boards, this reinforces that ransomware is no longer solely an IT issue. It directly affects organisational resilience, executive accountability and business continuity.

Share on