67% of Breaches Start at Login. Is Your Board Paying Attention?
- Apr 1
- 5 min read

The Breach Didn't Start With Malware. It Started With a Password.
If you're a CISO preparing for your next board meeting, here's the number that should anchor your entire presentation: 67%. That's the share of all security incidents in 2026 that are rooted in identity-related attacks, according to Sophos' Active Adversary Report. Not zero-days. Not sophisticated exploit chains. Compromised credentials, weak MFA, and hijacked SSO sessions.
The board cares about business risk, not technical risk. So frame it this way: in two out of three incidents, attackers don't break in — they log in. And once they're authenticated, your expensive security stack treats them like a trusted user. Because, technically, they are one.
The Evidence Is Piling Up
March 2026 alone gave us a masterclass in what identity-first attacks look like at scale:
Crunchyroll (6.8M users exposed): Hackers compromised an Okta SSO account, planted malware, and exfiltrated personal data for nearly 7 million users. The entry point wasn't a software vulnerability — it was a single compromised identity.
Infinite Campus (11M student records): An attacker gained access to an employee's Salesforce account and used it to reach the K-12 student information system managing data for roughly 11 million students. Again: no exploit, just a compromised credential.
European Commission: The ShinyHunters group breached the Commission's AWS cloud environment hosting Europa.eu. ShinyHunters has targeted over 100 organizations using vishing and compromised SSO credentials as primary entry points.
FBI Director's email: The Handala Hack Team broke into the personal email of FBI Director Kash Patel and leaked photos and documents. If the FBI director's personal email can be compromised, so can your CEO's.
CareCloud (healthcare IT): Disclosed March 30, a breach exposed sensitive data and caused an 8-hour network disruption in healthcare infrastructure.
The pattern is unmistakable. Attackers are not breaking down doors. They're walking through the front entrance with stolen keys.
Why Boards Are Still Getting This Wrong
Per IDC, only 43% of CISOs in large enterprises have monthly board engagement — 48% engage only ad-hoc. That means in most organizations, cybersecurity gets discussed at the board level only when something has already gone wrong. And when it does come up, the conversation often centers on the wrong things: perimeter defenses, endpoint protection, patch management. Important, but not where the actual risk is concentrating.
Most boards still have a mental model of cybersecurity that looks like a castle: firewalls are the walls, antivirus is the guard, and the bad guys are outside trying to get in. That model died years ago, but budget allocation often hasn't caught up. When 67% of incidents start with identity compromise, your identity infrastructure isn't just an IT system — it's your primary attack surface.
Per Sophos, attackers exploit compromised credentials, weak or missing multifactor authentication, and poorly protected identity systems — often without needing to deploy new tools or techniques. The barrier to entry has collapsed. You don't need a zero-day when you can buy credentials on a Telegram channel for $10.
The Board Conversation You Need to Have
As a vCISO, here's how I'd frame identity risk for a board that's used to thinking in business terms:
1. Quantify the exposure
Don't say "our SSO could be compromised." Say: "We have 2,400 employees with SSO access to 47 SaaS applications. 340 of those employees have admin-level access to systems containing customer PII. If one admin credential is compromised — which is how Crunchyroll lost 6.8 million records — our estimated breach cost is $4.2M based on our data volume and regulatory exposure." Boards understand dollars. Give them dollars.
2. Show the gap between investment and risk
Most organizations spend heavily on perimeter and endpoint security but underinvest in identity. Per the 2026 Cyber Strategy Institute Ransomware Report, organizations that implemented phishing-resistant MFA across all privileged accounts saw a 78% reduction in successful credential-based attacks. If 67% of incidents are identity-driven but identity gets 15% of the security budget, that's a misalignment the board can see and act on.
3. Frame resilience, not prevention
Per SecurityWeek, 2026's mandate is resilience-first: shifting from trying to prevent every attack to ensuring the organization can take a hit, contain the damage, and recover quickly. For identity specifically, this means: assume a credential will be compromised. Then ask — what happens next? Can you detect the anomalous login? Can you contain the blast radius? Can you revoke access in minutes, not hours? If the answer to any of these is "no" or "we're not sure," that's your board ask.
The Regulatory Pressure Is Coming Either Way
Even if the breach statistics don't move your board, regulation will. In Europe, NIS2, DORA, and the EU AI Act are creating a compliance environment where identity governance isn't optional. Per IDC, governance, risk, and compliance (GRC) is now the top security technology priority for over 40% of large organizations, and liability for security failures is increasingly being assigned to senior management personally. Your board members have skin in this game whether they know it or not.
In the US, the SEC's cybersecurity disclosure rules require a material breach to be reported on Form 8-K within four business days of the company determining that it is material. A credential compromise that leads to data exfiltration is exactly the kind of incident that triggers this requirement, and the materiality clock starts while you are still scoping the intrusion. Boards that haven't prepared for rapid disclosure are setting themselves up for regulatory and reputational damage on top of the breach itself.
Five Things to Do This Quarter
Deploy phishing-resistant MFA on every privileged account. Not SMS codes, not TOTP apps, not push approvals: FIDO2 hardware keys or passkeys, which bind the credential to the legitimate login origin so a lookalike page or a phishing proxy cannot harvest it. Start with admin accounts for your identity provider (Okta, Entra ID, Google Workspace), cloud infrastructure, and any system containing PII. This is the single highest-ROI security investment you can make right now.
Audit your SSO token lifetimes and session policies. Many organizations set SSO sessions to "remember me" for 30 days. A stolen session token, whether lifted by an infostealer or captured by a phishing proxy, gives an attacker 30 days of authenticated access and never trips MFA, because the MFA check already happened when the session was created. Reduce session lifetimes for privileged accounts, require fresh authentication for sensitive actions such as enrolling a new MFA device or changing a role, and implement continuous access evaluation (CAE) policies that re-validate sessions when risk signals change.
Implement identity threat detection. Your SIEM watches network traffic and endpoint events. What watches your identity layer? Deploy ITDR (Identity Threat Detection and Response) that flags impossible travel, unusual application access patterns, OAuth token abuse, and privilege escalation within your identity provider.
Run a vishing tabletop exercise. ShinyHunters targeted 100+ organizations with voice phishing. Your help desk is a high-value target: one call to IT support with a convincing pretext can reset MFA, trigger a password change, or add a new authentication device. Write down what the help desk must verify before any of those actions (a call-back to the phone number already on file, manager approval, or a video check against a known identity), then test whether your team actually follows it under a targeted social engineering attempt.
Brief your board with the 67% number. Schedule a 15-minute slot at your next board meeting. Lead with the Sophos statistic, show the March breach examples, present your identity maturity assessment, and make a specific budget ask tied to measurable risk reduction. If you don't have a vCISO doing this for you, get one.
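Items two and three above describe checks you can actually run against your identity provider's sign-in log. The following is an added example, not code from the article or from any vendor's ITDR product: it runs an impossible-travel check and a session-age check over a handful of constructed Okta-style sign-in events. The event schema, the 900 km/h and 50 km thresholds, and the 8-hour/30-day session policy are assumptions chosen for illustration; in practice you would feed the functions from your IdP's exported log with IPs already resolved through a geo-IP database and substitute your own policy values.

```python
# Added example (not from the article): two identity-layer checks run over
# constructed Okta-style sign-in events. Thresholds and the event schema are
# assumptions for illustration; a real ITDR pipeline would read your IdP's
# sign-in log and resolve IPs with a geo-IP database.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime             # event time (UTC)
    ip: str
    lat: float               # geo-IP result for ip (assumed already resolved)
    lon: float
    app: str
    session_id: str
    session_start: datetime  # when this SSO session was first established
    privileged: bool         # admin on IdP, cloud or PII-bearing systems


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


# Assumed thresholds: nothing commercial flies faster than ~900 km/h, and
# moves under 50 km are one metro area (home, office, coffee shop).
MAX_PLAUSIBLE_KMH = 900.0
SAME_AREA_KM = 50.0


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Consecutive sign-ins by one user that would need travel faster than max_kmh.

    Returns a list of (user, from_ip, to_ip, implied_speed_kmh).
    """
    by_user: dict[str, list[SignIn]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.ip == cur.ip:
                continue
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < SAME_AREA_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Same-second sign-ins from two distant IPs are impossible as well.
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_kmh:
                findings.append((user, prev.ip, cur.ip, round(speed, 1)))
    return findings


# Assumed session policy: privileged sessions re-authenticate within 8 hours,
# standard users may keep a 30-day "remember me" session.
SESSION_MAX_AGE = {True: timedelta(hours=8), False: timedelta(days=30)}


def stale_sessions(events, policy=SESSION_MAX_AGE):
    """Events served by an SSO session older than the policy allows for that account class.

    Returns a list of (user, session_id, app).
    """
    return [
        (e.user, e.session_id, e.app)
        for e in events
        if e.ts - e.session_start > policy[e.privileged]
    ]


def _t(h: int, m: int, day: int = 12) -> datetime:
    return datetime(2026, 3, day, h, m, tzinfo=timezone.utc)


# Constructed sample log (not real data). alice: London, then Singapore 40 minutes
# later on the same session. bob: New York, then Boston, a normal day. carol: an
# admin session established three days earlier and still in use.
EVENTS = [
    SignIn("alice", _t(9, 0), "203.0.113.10", 51.5074, -0.1278, "aws-console", "s1", _t(8, 55), True),
    SignIn("alice", _t(9, 40), "198.51.100.7", 1.3521, 103.8198, "okta-admin", "s1", _t(8, 55), True),
    SignIn("bob", _t(10, 0), "192.0.2.5", 40.7128, -74.0060, "slack", "s2", _t(10, 0, day=3), False),
    SignIn("bob", _t(12, 30), "192.0.2.9", 42.3601, -71.0589, "slack", "s2", _t(10, 0, day=3), False),
    SignIn("carol", _t(11, 0), "203.0.113.55", 52.5200, 13.4050, "entra-admin", "s3", _t(11, 0, day=9), True),
]

if __name__ == "__main__":
    for f in impossible_travel(EVENTS):
        print("IMPOSSIBLE TRAVEL", f)
    for s in stale_sessions(EVENTS):
        print("STALE PRIVILEGED SESSION", s)
```

Run it and alice's London-to-Singapore hop in 40 minutes is flagged at roughly 16,000 km/h, while bob's New York-to-Boston move is not; carol's three-day-old admin session trips the privileged session policy even though every individual login looked normal. Before relying on the travel check, allowlist your corporate VPN and zero-trust proxy egress ranges, since those legitimately make users appear to jump continents between one request and the next.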