# Cyber Index #62 - Phishing cost per analyst, AI attackers level up, and the insecure-code reality

> This week's Cyber Index roundup: 13 reports on rising phishing costs, AI attackers leveling up, insecure AI-generated code, agent-security gaps, and AI governance falling behind.

Source: https://fmcybersecurity.com/en/insights/ai-security/cybersecstats-62/
Locale: English
Other locale: https://fmcybersecurity.com/insights/ai-security/cybersecstats-62-phishingkostnad-og-ai-angripere/

## Metadata

- Date: 2026-06-09
- Author: fredrik-standahl
- Topic: ai-security
- Format: news
- Scope: international

## This Week's Cybersecurity Eye-Openers

A more typical week for research after the early-summer lull, with 13 new reports landing in the feed. The throughline is AI on both sides of the fight: attackers are measurably more capable, AI-written code is shipping faster than anyone can review it, and AI governance keeps lagging behind deployment. Three stats that stood out:

**1. Phishing is eating more of your team's time and budget**

Handling potential phishing now consumes 36.5% of a security team's working hours, up from 33.5%, and costs $51,948 per analyst per year.

**2. AI-powered attackers leveled up fast**

In Anthropic's study of 832 accounts banned for malicious cyber activity, the share rated medium-risk or higher jumped from 33% to 56% in six months, and 67.3% were using AI to write malware.

**3. AI-generated code is shipping faster than it's reviewed**

67% of organizations say AI coding assistants are now everywhere, yet 38% still review that code by hand and 29% call insecure patterns their top new risk.

## Big Picture Reports

### The Security Maturity Benchmark Report (AlertMedia)

Data on what separates the security teams that stay ahead of threats from the ones perpetually playing catch-up.

**You're probably less ready than you think:**

- 92% of organizations have experienced consequences tied to security readiness gaps.
- Only 31% operate a centralized, highly automated security ecosystem.
- 47% say they would not respond to a serious security incident as quickly as they should.

[Read the full report here.](https://www.businesswire.com/news/home/20260603961078/en/AlertMedia-Releases-The-Security-Maturity-Benchmark-Report-Revealing-What-Separates-Reactive-Security-Programs-From-Resilient-Ones?ref=cybersecstats.com)

## AI Governance & Risk

### CISO Pulse Check Report: AI, the New Superpower and the New Super-Risk (Sprinto)

More than a third of US organizations have already dealt with a major AI security incident, and most CISOs are at least tracking AI as a dedicated risk now.

**The incidents are already happening:**

- More than 30% of US organizations report a major AI-related security incident in the past 12 months.
- Nearly 70% of US CISOs and senior security leaders are actively following AI-related regulations or standards.
- Over half of US CISOs track AI as a dedicated risk category.

[Read the full report here.](https://www.newswire.ca/news-releases/sprinto-s-ai-pulse-check-finds-cisos-facing-rising-ai-security-incidents-821465525.html?ref=cybersecstats.com)

### 2026 AI Maturity Report (Ivanti)

Organizations are deploying AI broadly. Governance is a long-tail priority.

**Speed over governance:**

- 56% of organizations now deploy AI broadly across multiple IT workflows or at business-critical scale.
- 68% of IT professionals have personally seen AI generate hallucinations with potential operational impact.
- Only 24% say AI policies are followed very consistently in day-to-day work.

[Read the full report here.](https://www.prnewswire.com/news-releases/ivanti-finds-system-of-record-unlocks-ai-value--breaks-down-silos-57-report-improved-information-sharing-across-it-and-security-302780841.html?ref=cybersecstats.com)

### The State of Enterprise Agentic AI in 2026: Agentic Reality Check (ChapsVision)

AI agents sound great, but almost nobody has made them deliver business value at scale, and the hype is eroding trust.

**The pitch doesn't match production:**

- Only 10% of large enterprises have moved autonomous AI agents from pilot into full-scale production.
- 88% of executives say agent-washing has negatively affected their trust in AI broadly.
- 86% cite reliability, security, privacy, and accuracy as the top blockers to implementation.

[Read the full report here.](https://www.sinequa.com/resources/assets/state-of-enterprise-agentic-ai-2026/?ref=cybersecstats.com)

### The Data & AI Trust Gap (Veeam)

Most organizations can't see what their AI systems are doing, can't reliably stop a rogue agent, and aren't sure they have a full inventory of their AI.

**Nobody knows what they have:**

- 88% of organizations are already using or piloting AI agents.
- Only 28% are confident they can detect AI systems operating outside approved parameters.
- Only 25% of organizations running AI can identify, within minutes, which actions an AI took.

[Read the full report here.](https://www.veeam.com/blog/data-ai-trust-gap-report.html?ref=cybersecstats.com)

## AI Threats & Agent Security

### AI Risk Quadrant for Agent Security (Adversa AI)

Most claims about AI agent defenses turn out to be unverifiable.

**Don't believe the marketing:**

- 83% of claimed AI agent defenses are not publicly verifiable.
- 38% of AI agents complete irreversible actions before any monitoring path can plausibly fire.
- More than a third of agents score well on logging and observability while scoring poorly on the four defense components that actually prevent or limit harm.

[Read the full report here.](https://airq.adversa.ai/report?ref=cybersecstats.com)

### What We Learned Mapping a Year's Worth of AI-Enabled Cyber Threats (Anthropic)

Anthropic analyzed 832 accounts banned for malicious cyber activity and mapped the attacker techniques to the MITRE ATT&CK framework.

**Threat actors got better in six months:**

- 67.3% of the banned accounts were using AI to write malware.
- The share of actors rated medium risk or higher rose from 33% to 56% across the two six-month periods studied.
- AI use for account discovery rose notably while AI-assisted phishing fell.

[Read the full report here.](https://www.anthropic.com/news/AI-enabled-cyber-threats-mitre-attack?ref=cybersecstats.com)

## AI-Generated Code

### AI Coding Assistants and the New Security Challenge (Salt Security)

Nearly every development team is using AI to write code now, and security teams are not thrilled about it.

**Code quality is suspect:**

- 67% of organizations report AI coding assistants are now widely adopted across development teams.
- 38% still rely primarily on manual review for AI-generated code.
- 29% of security leaders name insecure coding patterns as the leading risk introduced by AI coding assistants.

[Read the full report here.](https://www.prnewswire.com/news-releases/new-research-reveals-9-in-10-security-leaders-concerned-about-ai-generated-code-risks-302788323.html?ref=cybersecstats.com)

### What's In America's Code? (Booz Allen)

Some Chinese AI models appear to change their behavior depending on whether you mention working for the US government.

**Some models may have an agenda:**

- Three of four Chinese LLMs generated hidden security vulnerabilities when prompted with a US government persona.
- All four Chinese-built models refused to generate code for mock US government tasks Beijing would oppose.
- When one model was told the code was for a US government agency, it produced significantly more vulnerabilities than for the same task without that context.

[Read the full report here.](https://www.businesswire.com/news/home/20260605220546/en/New-Booz-Allen-Analysis-Reveals-Risks-in-Using-Chinese-AI-Models-for-Americas-Software-Supply-Chain?ref=cybersecstats.com)

## Phishing

### The (Higher) Business Cost of Phishing (IRONSCALES)

Phishing is taking up more of security teams' time than ever, even as they get faster at remediation.

**Working harder for the same result:**

- Phishing consumes 36.5% of security team working hours, up from 33.5% three years ago.
- Phishing costs $51,948 per security analyst annually, a 13.6% increase from $45,726 in 2022.
- Teams remediate phishing incidents 16% faster but spend 9% more of their annual hours on remediation.

[Read the full report here.](https://ironscales.com/news/new-research-ai-powered-phishing-defenses-made-security-teams-faster-but-ai-generated-attacks-made-defense-more-expensive-overall?ref=cybersecstats.com)

## Enterprise Perspective

### The State of Physical Security Operations in 2026 (HiveWatch)

A benchmark of how enterprise physical security programs perform against operational reality.

**A lot of the signal is noise:**

- Large enterprises report false alarm rates approaching 44%.
- Nearly 30% of organizations rely on manual device health checks instead of fully automated monitoring.
- 97% of US-based physical security operations professionals are using or actively evaluating AI.

[Read the full report here.](https://www.businesswire.com/news/home/20260602144554/en/HiveWatch-Report-Finds-Only-19-of-Security-Teams-Consistently-Meet-Their-Own-SLAs-Despite-93-Confidence-in-Threat-Detection?ref=cybersecstats.com)

### The 2026 State of Digital Risk Report (Outtake)

A benchmark of how enterprises handle digital risk, and how far behind most of them are.

**Most never see it coming:**

- 84% of organizations experienced material digital risk incidents in the past year.
- 44% say AI-generated attacks are already indistinguishable from legitimate activity.
- 53% had an executive or employee impersonated in the past year.

[Read the full report here.](https://www.businesswire.com/news/home/20260604343787/en/84-of-Organizations-Hit-by-Digital-Risk-Incidents-Last-Year.-Most-Cant-Detect-an-AI-Generated-Attack.?ref=cybersecstats.com)

## Industry-Specific

### 2026 State of Financial Services: The Dual Storm of Ransomware and Vendor Ecosystem Risk (Black Kite)

Direct ransomware attacks on banks are climbing again, but the bigger problem sits in the supply chain.

**Hit from two directions:**

- Half of all financial services vendors carry high-severity CVEs.
- From 2024 to 2025, the number of critical vulnerabilities across vendors serving the financial sector increased 387%.
- Critical-level patch management failures were present in 78% of vendors whose client base is meaningfully concentrated in finance.

[Read the full report here.](https://blackkite.com/reports/2026-financial-services-report?ref=cybersecstats.com)

---

For the full documentation index, see https://fmcybersecurity.com/llms.txt
For the complete corpus as a single document, see https://fmcybersecurity.com/llms-full.txt