71% of Organizations Were Hit by Identity Breaches Last Year. Here's What Small Businesses Need to Know.

Reza

A new Sophos study of 5,000 IT and security leaders across 17 countries dropped a number that's hard to ignore: 71% of organizations suffered at least one identity-related breach in the past year. The average organization got hit three times. Five percent were breached six or more times. And for the businesses that failed to stop an attack before it caused damage, the mean recovery cost reached $1.64 million.

Those sound like enterprise numbers. They're not. The same report found that smaller organizations - specifically those with 100 to 250 employees - were nearly twice as likely to fail to detect an identity attack before damage was done, compared to larger peers. Smaller doesn't mean safer. It often means less monitoring, less defined ownership, and fewer people who are paid to watch for the warning signs.

So what's actually going on, and what can a small or mid-sized business realistically do about it?

What "Identity Breach" Actually Means

Most people associate identity theft with someone stealing a Social Security number. In a business context, it means something more operational: an attacker gets hold of a credential, a session token, or a service account, and uses it to log in as a legitimate user. No malware, no exploit, no alert triggered. From your security tools' perspective, everything looks normal. Someone is just... logged in.

Common ways this happens include employees being tricked into entering credentials on realistic fake login pages, credentials purchased in bulk from dark web marketplaces where previous breach data gets resold, OAuth tokens stolen from browser sessions or compromised third-party app integrations, API keys left in code repositories or config files, and former employee accounts that were never deactivated.

The Sophos report found that 43% of identity breaches traced back to human error - specifically, employees being tricked into sharing or entering credentials. Another 41% involved weak management of service accounts, API keys, and automated credential chains. Put those two categories together and you're looking at roughly two-thirds of all incidents that had nothing to do with sophisticated technical exploits. The attacker had a key. They walked through the door.

The Link to Ransomware

Identity attacks aren't just about data theft. The Sophos report found that 67% of ransomware victims in the survey confirmed their ransomware incident was directly connected to a prior identity attack. That's consistent with what we see in breach investigations: attackers compromise credentials, move laterally through the network over days or weeks, identify the most valuable systems, and then deploy ransomware when they're ready to cash out.

The Verizon 2026 Data Breach Investigations Report, also released this week, notes that ransomware now appears in a large share of confirmed breaches, and that attackers are increasingly using generative AI to speed up the entire process - from reconnaissance through lateral movement. The window between initial access and damage is shrinking.

For small businesses, this means the old assumption - "we'll notice something before it gets bad" - is less reliable than it used to be.

The Three Specific Gaps Getting Small Businesses Hit

1. Monitoring That Only Happens After Something Goes Wrong

The Sophos study found that only 24% of organizations continuously monitor for unusual login activity. More than half check no more often than once every three months. That's a 90-day window during which an attacker with valid credentials can operate undetected.

Credential-based intrusions don't look broken from the outside. A valid login from a new location looks similar to an employee who traveled for a conference. An account accessing files it doesn't normally touch looks similar to an employee whose role recently changed. You only catch these things if someone is actively looking for anomalies - impossible travel (logins from two countries within an hour), logins at 3am on a Sunday, bulk downloads that don't match any business process.

Microsoft 365 and Google Workspace both have built-in tools to alert on these patterns. But the alerts do nothing if they're routed to an inbox nobody checks, or if they're not configured in the first place. An actively monitored security environment makes the difference between detecting a breach in hours versus finding out from a ransomware note months later.

2. The Orphaned Account and Service Credential Problem

When an employee leaves, how long does it take to deactivate their accounts? Across email, your CRM, your accounting software, your project management tools, and any shared password vaults they had access to? In most small businesses, the honest answer is "it depends" - and often some accounts survive long after the person is gone.

Service accounts and API keys are even worse. These are credentials that applications use to talk to other applications. A QuickBooks integration, a Salesforce connector, a billing system API key - all of these generate credentials that persist indefinitely unless someone explicitly rotates or revokes them. They don't have a logout button. They don't expire. And in many cases, no one is entirely sure where all of them are.

The Sophos report found that organizations with weak management of these non-human identities are 22% more likely to experience financial theft and spend approximately $150,000 more recovering from a breach than average. A quarterly access audit - reviewing which accounts exist, who provisioned them, and whether they're still needed - is one of the more cost-effective security investments a small business can make. Our team helps clients with this as part of ongoing vulnerability management.

3. Security Training That Hasn't Kept Up with the Threat

Security awareness training has been standard practice for years. Most employees now know not to click suspicious links in emails. That's genuinely progress. But attackers have adapted.

Vishing - voice phishing, where an attacker calls an employee pretending to be from IT, a vendor, or a bank - is surging because it bypasses email filters entirely. AI-generated messages can now replicate the writing style of a specific person convincingly enough to fool colleagues. Real-time phishing pages can capture an MFA code and relay it to the real site before it expires, defeating standard six-digit authenticator codes.

If your security awareness training was built on the assumption that the threat is mainly a phishing email with a suspicious link, it's worth updating the curriculum. The people who need to spot today's attacks need to know about phone-based social engineering, OAuth consent requests from apps they didn't install, and why they should be skeptical of urgent internal requests that arrive through unusual channels.

What Good Identity Security Actually Looks Like

None of this requires an enterprise security team or an enterprise budget. The controls that matter most for small businesses are well-established and relatively straightforward to implement.

Upgrade to Phishing-Resistant MFA

Standard MFA - where you approve a push notification or enter a six-digit code - is much better than no MFA. But it has a well-documented weakness: a real-time attacker can capture that code from a fake login page and replay it to the real site before it expires. Phishing-resistant MFA, built on the FIDO2/WebAuthn standard and implemented through passkeys or hardware security keys, doesn't use codes that can be intercepted. The credential is cryptographically bound to the specific site, so it simply won't work on a fake page.

The FIDO Alliance reports more than five billion passkeys now in active use globally - this is mainstream technology, supported natively by Microsoft 365, Google, and most major SaaS platforms. For accounts that matter - email, payroll, banking, your CRM - switching to passkeys or FIDO2 hardware keys is one of the highest-leverage moves available right now.
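Why a passkey simply won't work on a fake page, as an added example that is not the article's or any vendor's code: a stdlib-only Python sketch of the relying-party checks WebAuthn specifies, using an assumed rpId `example.com` and login origin `https://login.example.com`. The browser, not the page, writes the real origin into clientDataJSON, so an assertion collected on a constructed lookalike domain fails the origin check even when the genuine challenge was relayed; signature verification is left out.

```python
import base64
import hashlib
import json
import os

RP_ID = "example.com"                    # assumed relying-party id
RP_ORIGIN = "https://login.example.com"  # assumed legitimate login origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(challenge: str, page_origin: str) -> bytes:
    """What the browser builds for navigator.credentials.get(). The origin is
    filled in by the browser from the page the user is really on; the page's
    own script cannot set it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}).encode()

def authenticator_data(rp_id: str) -> bytes:
    """First 32 bytes of authenticatorData are SHA-256(rpId); then the flags byte
    (0x01 = user present) and a 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"

def verify_assertion(issued_challenge: str, client_data_json: bytes, auth_data: bytes) -> str:
    """Relying-party checks that precede signature verification; returns 'ok' or a reason."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    if cd.get("challenge") != issued_challenge:
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    # Next the ECDSA signature over auth_data + SHA-256(client_data_json) is checked
    # with the public key registered at enrollment; that needs a crypto library and
    # is omitted here.
    return "ok"

def demo():
    challenge = b64url(os.urandom(32))
    auth = authenticator_data(RP_ID)
    genuine = verify_assertion(challenge, browser_client_data(challenge, RP_ORIGIN), auth)
    # A real-time relay page forwards the genuine challenge, but the victim's browser
    # records the constructed lookalike domain it is actually on.
    relayed = verify_assertion(challenge, browser_client_data(challenge, "https://login.example-com.net"), auth)
    return genuine, relayed
```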

Build an Offboarding Checklist That Gets Used Every Time

Create a documented process for employee departures that covers disabling accounts within 24 hours of their last day, revoking active sessions across all SaaS tools (not just email), removing them from shared password managers, rotating any credentials they had access to, and transferring ownership of things they created - shared inboxes, Drive folders, app integrations.

Then, quarterly, run an access review: which accounts exist, which haven't logged in for 60+ days, which API keys have no expiration date and no identified owner. Every orphaned credential that gets cleaned up is one less door an attacker can walk through.
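A quarterly review of the kind described here and in the service-credential section above, as an added example that is not the article's or Burgi's own tooling: a stdlib-only Python script over a constructed account and API-key inventory, cross-referenced against an assumed HR roster, that flags accounts whose owner has left, accounts idle for 60+ days, and keys with no owner, no expiry, or no recent use.

```python
from datetime import date

# Constructed sample inventory (not real data): the kind of export a quarterly
# review pulls from the identity provider, the password vault and SaaS admin consoles.
# "owner" is the person accountable for the account; for people it is themselves.
ACCOUNTS = [
    {"user": "maria@example.com", "owner": "maria@example.com", "last_login": "2026-04-20", "enabled": True},
    {"user": "jdoe@example.com", "owner": "jdoe@example.com", "last_login": "2026-01-05", "enabled": True},
    {"user": "svc-backup", "owner": "it@example.com", "last_login": "2026-04-22", "enabled": True},
    {"user": "intern@example.com", "owner": "intern@example.com", "last_login": "2025-12-30", "enabled": True},
    {"user": "svc-report", "owner": "jdoe@example.com", "last_login": "2026-04-23", "enabled": True},
]
API_KEYS = [
    {"name": "billing-connector", "owner": "finance@example.com", "expires": "2026-09-30", "last_used": "2026-04-21"},
    {"name": "crm-sync-legacy", "owner": None, "expires": None, "last_used": "2025-10-02"},
    {"name": "dms-export", "owner": "it@example.com", "expires": None, "last_used": "2026-04-19"},
]
HR_ROSTER = {"maria@example.com", "it@example.com", "intern@example.com", "finance@example.com"}  # current staff
AS_OF = date(2026, 4, 24)  # review date for the sample

def days_since(day_str, today):
    return (today - date.fromisoformat(day_str)).days

def review_access(accounts, api_keys, roster, today, stale_days=60, unused_days=90):
    """Return the findings a quarterly access review should surface, by category."""
    findings = {"owner_departed": [], "stale_accounts": [], "unowned_keys": [],
                "non_expiring_keys": [], "unused_keys": []}
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled; nothing left to revoke
        if a["owner"] not in roster:
            findings["owner_departed"].append(a["user"])  # person or their service account
        elif days_since(a["last_login"], today) >= stale_days:
            findings["stale_accounts"].append(a["user"])
    for k in api_keys:
        if k["owner"] is None:
            findings["unowned_keys"].append(k["name"])
        if k["expires"] is None:
            findings["non_expiring_keys"].append(k["name"])
        if days_since(k["last_used"], today) >= unused_days:
            findings["unused_keys"].append(k["name"])
    return findings

if __name__ == "__main__":
    for category, items in review_access(ACCOUNTS, API_KEYS, HR_ROSTER, AS_OF).items():
        print(f"{category}: {items or 'none'}")
```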

Know What Baseline Looks Like Before Something Changes

It's hard to spot anomalies if you don't know what normal looks like. Take 30 minutes to document what typical access patterns look like for your business - which accounts access which systems, what hours people normally work, which apps connect to which data. When something deviates significantly from that baseline, you want an alert.

This doesn't require sophisticated tooling. Microsoft 365 Defender and Google Workspace both surface this kind of activity in their admin consoles. The barrier is usually just not having looked at those consoles before something goes wrong.
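The checks this section and the monitoring section above describe (impossible travel, off-hours logins, bulk downloads), as an added example rather than anything from the article or from the Microsoft or Google consoles: stdlib-only Python run over a few constructed audit events against an assumed documented baseline of 07:00-19:00, Monday to Friday, with no single export larger than 200 files.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs), in the shape most identity
# providers export: who, when (local time), from which country, doing what.
EVENTS = [
    {"user": "maria", "ts": "2026-04-20T14:05:00", "country": "US", "action": "login"},
    {"user": "maria", "ts": "2026-04-20T14:40:00", "country": "NG", "action": "login"},
    {"user": "tom", "ts": "2026-04-19T03:10:00", "country": "US", "action": "login"},
    {"user": "tom", "ts": "2026-04-19T03:25:00", "country": "US", "action": "download", "files": 850},
    {"user": "ana", "ts": "2026-04-21T16:00:00", "country": "US", "action": "login"},
    {"user": "ana", "ts": "2026-04-21T16:30:00", "country": "US", "action": "download", "files": 12},
]

# The documented baseline (assumed values): normal hours 07:00-19:00, Monday to
# Friday (weekday() 0-4), and no single export larger than 200 files.
BASELINE = {"hours": (7, 19), "weekdays": {0, 1, 2, 3, 4}, "max_files": 200}

def find_anomalies(events, baseline, travel_window=timedelta(hours=1)):
    """Return (rule, user, timestamp) for every event that deviates from the baseline."""
    hits = []
    start, end = baseline["hours"]
    last_login = {}  # user -> most recent login event, for the impossible-travel check
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["action"] == "login":
            if t.weekday() not in baseline["weekdays"] or not start <= t.hour < end:
                hits.append(("off_hours_login", e["user"], e["ts"]))
            prev = last_login.get(e["user"])
            if prev and prev["country"] != e["country"] and \
                    t - datetime.fromisoformat(prev["ts"]) <= travel_window:
                hits.append(("impossible_travel", e["user"], e["ts"]))
            last_login[e["user"]] = e
        elif e["action"] == "download" and e.get("files", 0) > baseline["max_files"]:
            hits.append(("bulk_download", e["user"], e["ts"]))
    return hits

if __name__ == "__main__":
    for rule, user, ts in find_anomalies(EVENTS, BASELINE):
        print(f"{ts} {user}: {rule}")
```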

Test Your Incident Response Before You Actually Need It

Fewer than half of small businesses have a documented incident response plan. Most that do have never tested it. Run a tabletop exercise once a year - a 60-minute scenario where you walk through what you'd do if an employee's credentials were compromised tomorrow. Who gets notified first? What gets shut down? How do you communicate with customers if data was accessed? Who has authority to make decisions under time pressure?

Running through it once reveals gaps that are cheap to fix in advance. Finding them for the first time during an actual incident is substantially more expensive.

A Note for Regulated Industries

For businesses operating under compliance requirements - car dealerships under the FTC Safeguards Rule, healthcare practices under HIPAA, law firms and financial services under their applicable frameworks - identity security isn't optional. The FTC Safeguards Rule requires covered businesses to implement access controls, multi-factor authentication, and monitoring of authorized users' activity involving customer information. An identity breach that stems from weak credential management is also a compliance failure, which can layer regulatory exposure on top of recovery costs.

For dealerships running DMS software with staff that turns over regularly, the offboarding and access control problem is particularly acute. A former finance manager whose access to customer credit records was never revoked represents exactly the kind of exposure the Safeguards Rule is designed to prevent.

The Practical Takeaway

The IDC survey of 2,200 SMBs published this week found that 60% of small businesses plan to increase cybersecurity spending over the next year. That's a reasonable response to a real threat. But the same report flags that security responsibilities in most small businesses remain informal - reactive rather than proactive, with no defined ownership and no structured review cycles. Spending more on tools doesn't close the gaps that the Sophos data identified: no continuous monitoring, orphaned accounts, and training that hasn't kept up with current attacks.

The businesses most likely to avoid ending up in next year's 71% aren't necessarily the ones with the biggest security budgets. They're the ones that have structured their cybersecurity program around proactive monitoring, regular access reviews, and training that reflects how attacks actually work today.

If you're not sure where your organization stands - which accounts are active, whether your MFA can be bypassed, or how your team would respond to a credential compromise - we're happy to take a look. Burgi Technologies helps small and mid-sized businesses in Orange County build practical security programs that don't require enterprise headcount. Give us a call at (949) 381-1010 or reach out through our contact page.

Frequently Asked Questions

What is an identity breach, and how is it different from a regular data breach?

An identity breach specifically involves compromised credentials or account access - an attacker using valid login information rather than a technical exploit to get in. Most data breaches start this way. The Sophos 2026 report found that 67% of ransomware incidents were connected to a prior identity attack, so the two are closely related.

We already have multi-factor authentication. Are we protected?

Standard MFA - push notifications or six-digit codes - significantly reduces risk but has documented weaknesses. A real-time attacker can capture that code from a fake login page and replay it to the real site before it expires. Phishing-resistant MFA based on FIDO2 or passkeys eliminates this weakness because credentials are bound to the specific site and can't be relayed. For critical accounts, upgrading to passkeys or hardware keys is worth the effort.

How do I know if any of our accounts have already been compromised?

Common indicators include login alerts from unfamiliar countries or cities, password reset emails no one requested, accounts showing activity outside business hours, or users getting locked out of accounts they didn't try to access. Reviewing active sessions in your Microsoft 365 or Google Workspace admin console is a practical first step. You can also check whether your company email domain appears in breach databases via HaveIBeenPwned's domain search tool.

We're a small business. Do identity breaches really happen to companies our size?

Yes. The Sophos data found that organizations with 100 to 250 employees were nearly twice as likely to fail to detect an identity attack before it caused damage compared to larger organizations. Smaller businesses tend to have less monitoring in place and less defined security ownership - which is exactly what attackers count on. The targets aren't always chosen for their size; they're chosen because the door is open.

How often should we audit employee accounts and access permissions?

Quarterly is a reasonable starting point. Look for accounts belonging to former employees, service accounts with no clear owner, API keys with no expiration date, and integrations that haven't been used in months. The goal is to reduce the number of valid credentials in your environment at any given time. Every orphaned account you close off is one fewer entry point.
