- Ransomware risk: What we saw and why it matters
- The “we have a plan” trap
- Why identity recovery risk should be on your first slide to the board
- Identity resilience: Improving security posture and recovery
- What to change for 2026: Board-ready moves
- How to put the ransomware research to work (this quarter)
- Keep it human—and measurable
- Resources to share with your leadership team
As a CISO, you’re likely bombarded with dire warnings about the next critical threat. And while you heed those warnings—and you know the consequences are real—you don’t need another breathless take on ransomware. You need information you can act on—and a plan your board will back.
Throughout the year, Semperis experts conduct cross-industry studies to understand and track global ransomware risk, threat preparedness, and crisis response. In those studies, you’ll find touchpoints and insights that can help you draft a pragmatic strategy for building not just defenses but also meaningful resilience against dynamic and sophisticated ransomware attacks.
Ransomware risk: What we saw in 2025 (and why it matters for 2026)
From this year’s research, one fact is unmistakable: The fastest way to turn a cyber incident into a business outage is through compromise of the identity infrastructure—especially Active Directory (AD) and Entra ID.
Our 2025 Ransomware Risk Report reveals that 83% of successful ransomware attacks compromised identity infrastructure; yet many organizations lack a tested AD recovery plan, and even more lack AD-specific backup capabilities.

Why is that a critical problem? Because recovering AD is complex, messy, and extremely time-consuming. 76% of ransomware victims needed far more than a day—and many as much as a month—to return to normal operations.

In addition, cyber attackers—always opportunistic—time their campaigns for moments when enterprises are distracted. In our 2025 Ransomware Holiday Risk Report, respondents reported that 52% of ransomware attacks hit on a weekend or holiday, and 60% followed material corporate events such as mergers and acquisitions.
Meanwhile, even though most respondents’ companies maintain a security operations center (SOC), 78% of them scale back SOC staffing by 50%+ during weekends and holidays—and 6% report no SOC coverage at all during those times.
That’s a coverage gap you can close.

For a CISO fighting ransomware in 2026, effective resilience requires not just robust defenses but also a crisis response plan that enables rapid recovery to a trusted state.
The “we have a plan” trap
Most enterprises can say, “We have a cyber crisis plan.” In our study of The State of Enterprise Cyber Crisis Readiness, 96% of organizations report they do.
Yet 71% still experienced at least one cyber incident that stopped critical business functions, and 90% activated crisis teams in the past 12 months.
The gap isn’t intent—it’s execution: 90% of teams reported serious blockers to effective cyber incident response.

The fix is centralization, orchestration—and lots of practice.
Your teams must be equipped with robust defensive and monitoring capabilities. And they must be confident in their identity recovery process. Having an out-of-band command center (such as the Ready1 platform) where your people, process, and technology are unified lets you not only plan your incident response but also train for it.
Without ongoing engagement with experienced incident response professionals, teams often build their plans around assumptions rather than real-world threats and trends. That gap becomes painfully obvious during an actual incident.
Jeff Wichman, Director of Incident Response, Semperis
Why identity recovery risk should be on your first slide to the board
Too often, organizations focus on data protection and backups to the exclusion of recovery planning. Defensive measures are essential—no question—and they can reduce the likelihood of a successful ransomware attack. But defense is only part of the equation. Identity is the first attack vector—and the first thing you must restore.
Let’s translate that into business terms. Every system in your business depends on the identity infrastructure, from applications to operations to people, systems, services, and corporate resources—in on-premises environments and in the cloud.
If the identity system falls, everything that depends on it fails. That means identity system loss is a high risk to the business, and identity system recovery must be prioritized in the enterprise crisis response plan.
Recovery with integrity—returning AD and Entra ID to a trustworthy state—is the precondition for restoring applications, access and revenue operations at speed.
The metric to carry into 2026: time to clean-state identity recovery and the associated reduction in downtime.
Identity resilience: Improving security posture and recovery
You’ve likely adopted identity threat detection and response (ITDR) in principle. But the execution gaps are where attackers live. Many organizations lack executable identity recovery plans and consistent remediation follow-through. Only:
- 66% report having an AD recovery plan
- 55% have an Entra ID recovery plan
- 63% automate identity system recovery
- 45% have procedures to remediate identity vulnerabilities
Those numbers are a gift to any adversary.
On the identity security posture side, this year’s Purple Knight Report community assessment shows why misconfigurations linger. The average initial security score reported in 2025 was 61 out of 100—a near failing grade. That’s not just cyber risk—that’s mission risk.
The good news: Teams that applied the tool’s remediation guidance improved an average of 21 points, with top improvements of 61 points—proof you can show measurable progress quarter over quarter.
What to change for 2026: Pragmatic, board-ready moves
You don’t need 30 priorities. You need the right five.
- Shrink your identity attack surface. Despite all the hype, most attackers use a small number of tried-and-true techniques to compromise identity systems, so closing off the known weaknesses those techniques rely on can significantly reduce your exposure. Establish a cadence to detect and remediate indicators of exposure and compromise (IOEs and IOCs) across hybrid AD using prioritized guidance. Purple Knight benchmarks show credible, reportable improvement that boards understand.
- Make clean-state identity recovery your RTO anchor. Document, automate, and test AD and Entra ID recovery to a trustworthy state—not just to an operational state. Track your recovery time objective (RTO) and recovery point objective (RPO) for identity as first-order business metrics; tie them directly to downtime avoided.
- Keep up your guard during times of distraction. Treat weekends, holidays, and material corporate events as peak risk windows. The data says attackers are already active during those least-covered times. Pre-authorize decision thresholds, define on-call rotations, and have out-of-band communications ready.
- Upgrade your tabletop exercises. Involve legal, finance, business continuity, and disaster recovery teams—because they’ll be critical when it’s real. Remember that crisis teams were activated at 90% of organizations last year. Practice like it’s a certainty, not a possibility.
- Transition from chaos to control. Plans fail under stress when communications fragment and tools multiply—hence the execution gap even among organizations that “have a plan.” Centralize crisis coordination and evidence capture. And establish clear roles and responsibilities.
How to put the ransomware research to work (this quarter)
If you want immediate traction with your leadership team:
- Share the executive visuals from the 2025 Ransomware Risk Report—especially the identity compromise and recovery time slides—and lock in identity RTO and RPO commitments.
- Use the Ransomware Holiday Risk Report to set temporary surge coverage for the next wave of weekends and holidays and to harden governance around M&A, IPOs, and layoffs.
- Commission a quick identity posture baseline with Purple Knight; show your current score and the improvement plan with dates and owners. It’s a simple, credible way to demonstrate momentum and ROI.
- Refresh your crisis drills to include the non-technical stakeholders who actually determine decision speed and regulatory confidence. Cross-team communication is a top blocker; start by identifying a comprehensive, out-of-band crisis management platform such as Ready1.
Keep it human—and measurable
Yes, we saw modest improvements in ransomware attack success this year. But the durable truths remain: Identity infrastructure compromise is the fastest route to material business impact, and recovery integrity is the bottleneck that decides your outage arc.
The pivot for 2026 isn’t more of everything; it’s a precision focus on identity resilience and on coverage for the moments that matter, where adversaries keep winning.
You already lead from the front. The teams you protect do their best work when the path is clear and the metrics are honest. In 2026, that looks like fewer surprise windows, fewer identity backdoors, faster clean-state recovery, and more confident communications when the pressure spikes.
That’s resilience your board will feel—and your business will bank.
Resources to share with your leadership team
- 2025 Ransomware Risk Report (global study of 1,500 IT/security leaders)
- 2025 Ransomware Holiday Risk Report (timing and staffing insights)
- Purple Knight Report 2025 (identity posture benchmarks and improvements)
- The State of Enterprise Cyber Crisis Readiness (why plans fail under stress—and how to fix it)
