Cyber round-up

by Mark Rowe

Identity has become the primary attack surface in cybersecurity, according to Sophos, which ran a vendor-agnostic survey of 5,000 IT and cybersecurity leaders across 17 countries. The survey found that 71 per cent of organizations suffered at least one identity-related breach in the past year, and on average organizations reported three separate incidents. Repeat victimization reached a notable level, with 5pc reporting six or more breaches. These attacks are driven in the main by human error (such as employees tricked into providing their credentials) or weak management of non-human identities (NHIs), says the firm. It points to how AI agents can autonomously spin up sub-agents, each generating new credentials.

Ross McKerchar, chief information security officer at Sophos, said: “The non-human identity problem is particularly urgent. AI agents are being granted privileges faster than security teams can track them, and organizations that fail to get ahead of this will find it an increasingly costly gap to close.”

Threat intelligence

Check Point Research, the Threat Intelligence arm of Check Point Software Technologies Ltd, released its Global Threat Intelligence report for April 2026. Severity of cyber attack is escalating, according to Mark Weir, regional director for the UK & Ireland at Check Point Software. He said: “Data from the National Cyber Security Centre (NCSC) showed that nationally significant attacks on the UK more than doubled in its last annual review, rising from 89 to 204 incidents in a single year. Across the continent, Europe accounted for 27 per cent of ransomware victims in April alone. As ransomware continues to scale and GenAI becomes embedded in everyday workflows, organisations must assume that cyber risk is continuous and focus on prevention, governance, and AI-driven security that can stop threats before impact.”

In April, the education sector once again ranked as the most targeted industry globally, followed by Government, and telecoms.

CISOs surveyed

A survey of 200 CISOs (chief information security officers) across the UK, Sweden, Germany and France, for the company MetaCompliance, found that most (81pc) say awareness programmes fail because they treat human cyber risk as a training issue rather than a wider risk management challenge. At the same time, most businesses (68pc) identify employees as their biggest security risk, even before the coming risk of AI-enabled social engineering, such as voices and faces generated by fraudsters.

As for outcomes from time and money spent on raising IT security awareness, a quarter (25pc) of those surveyed say they struggle to capture employee attention, while 24pc fail to embed secure behaviour into daily work, and a further 24pc struggle to align stakeholders across functions. MetaCompliance point to an outdated approach. While many CISOs believe their employers have moved beyond “tick-box” awareness – with some describing their approach as behaviour-led (33pc) or integrating human risk management (24pc) – this perceived progress is not translating into meaningful change, the company suggests.

James Mackay, Chief Executive Officer at MetaCompliance said: “Confidence is rising, but that doesn’t mean risk is falling. Many businesses mistake completed security training for real security, when the underlying human vulnerabilities haven’t changed. This creates a dangerous disconnect. Businesses feel more secure, yet employees remain the biggest source of risk. At the same time, threats are becoming more sophisticated, with AI accelerating the scale and precision of social engineering attacks. This is leaving organisations increasingly exposed if this gap isn’t addressed.”

“Human cyber risk needs to be treated like any other business risk – measurable, targeted, and continuously managed. That means moving beyond awareness to genuine behaviour change. Organisations need to flip the script on how they are managing cybersecurity, using real-time targeting and insight to reach the right people, with the right message, at the right moment. That’s how you reduce human cyber risk at scale.” Visit www.metacompliance.com.

Mythos

The emergence of autonomous AI models like Mythos has fundamentally shifted the cybersecurity landscape, according to cyber figures. Chris Wallis, CEO and founder of Intruder, said: “The security industry is seeing a major compression in the time between vulnerability discovery and exploitation.” Any unnecessarily exposed internet-facing asset (whether ports, services, databases or files) is carrying more risk, the firm warns. Some services and admin such as WordPress continue to persist on the public internet, despite being intended for internal networks, the firm adds. If a business grows, its attack surface risks and management challenges scale disproportionately, according to the firm.

MSPs surveyed

Cyber risk and economic pressure are now inseparable, it’s suggested. Managed Service Providers (MSPs) can no longer sell cybersecurity in isolation when rising costs dominate customer priorities, according to a cyber platform. A survey of MSPs for CyberSmart found that nearly half (46pc) of MSP customers are more concerned about operational challenges such as rising costs and inflation than cybersecurity risks, despite increasing threats. Meanwhile, the MSPs identified AI-driven threats as their top security concern for a second year. Most, 59pc of MSPs feel that their customers are more at risk in the past 12 months than they previously were.

Jamie Akhtar, CEO and Co-Founder of CyberSmart, said: “The real challenge has moved beyond the tech stack into liability, compliance and accountability. For SMEs, the key is embedding security into day-to-day operations and working with trusted partners to maintain resilience without adding unnecessary complexity or cost.” Three quarters of MSPs admitted to suffering at least one breach in the last 12 months, while a majority, 54pc, reported being breached two or more times and some 32pc of respondents admitted to having three or more breaches.
