# Cyber Index #60 - $15k a minute downtime, benchmark your patch management maturity, DBIR stats

> This week's Cyber Index roundup: 10 fresh reports covering Verizon's DBIR, the real cost of downtime, patch management benchmarks, AI security, supply chain risk, and mobile app attacks.

Source: https://fmcybersecurity.com/en/insights/exposure/cybersecstats-60/

## Metadata

- Date: 2026-05-26
- Author: fredrik-standahl
- Topic: exposure
- Format: news
- Scope: international

## This Week's Cybersecurity Eye-Openers

Here are the three stats that jumped out at us this week.

**1. Patching is happening faster, but most organizations are still very worried about exposure**

Speed might not be the answer to your patch management problems. The share of organizations deploying patches within six days has nearly quadrupled since 2023, from 15% to 59%. Yet 56% of organizations remain concerned they are still exposed to known vulnerabilities that have not been remediated.

**2. Employees are doing business work on personal AI accounts**

AI is almost the inverse of typical corporate software misuse. 64.5% of activity on personal and free-tier AI accounts is business use, meaning most employees are doing work on accounts their employers cannot see.

**3. Nearly a third of breaches now start with software vulnerabilities**

Software vulnerabilities are probably the OG drivers of breaches, and they are still very much with us. Verizon's latest DBIR shows that 31% of security breaches involve exploiting a software vulnerability.

## Big Picture Reports

### 2026 Data Breach Investigations Report (Verizon)

Verizon's flagship DBIR, now in its 19th year, pulls together data from 31,000 real-world security incidents across 145 countries, with more than 22,000 confirmed as data breaches. This is probably the most comprehensive security report of the year, and you could easily fill several newsletters with it.

**Software vulnerability risk is growing:**

- 31% of breaches start with software vulnerabilities.
- Only 26% of critical vulnerabilities were fully remediated by organizations in 2025, down from 38% the previous year.
- The median time to full resolution increased to 43 days, almost 2 weeks longer than the previous year's 32 days.

[Read the full report here.](https://www.verizon.com/business/resources/reports/dbir/?ref=cybersecstats.com)

### The Hidden Costs of Downtime (Splunk)

What does downtime cost Global 2000 companies? The answer is quite shocking ($15k a minute).

**$600 billion annually and getting worse:**

- Aggregate unplanned downtime costs for Global 2000 companies total $600 billion annually, representing a 50% increase in two years.
- The average cost of downtime for organizations is $15,000 per minute.
- Downtime costs an organization $95 million in lost revenue annually, nearly double the 2024 level.

[Read the full report here.](https://www.splunk.com/en_us/form/the-hidden-costs-of-downtime.html?ref=cybersecstats.com)

### The State of Patch Management Report 2026 (Adaptiva)

How does your patch management program compare to your peers? This report covers trends, challenges, and opportunities based on a survey of 200+ IT and security professionals.

**Faster but still manual:**

- Since 2023, the share of organizations deploying patches within six days has nearly quadrupled, rising from 15% to 59%.
- More than 60% of organizations rely on manual processes in at least part of the patch lifecycle.
- 74% of organizations cite coordinating vulnerability prioritization and remediation as their biggest security issue.
- Only 8% of organizations report fully autonomous patching today, but 90% plan to expand automation in the next 12 months.

[Read the full report here.](https://adaptiva.com/resources/report/state-of-patch-management?ref=cybersecstats.com)

### 2026 State of Tech Talent Report (The Linux Foundation)

What's holding back AI adoption? Security, increasingly.

**The biggest blocker:**

- 48% of organizations report security concerns as the top barrier to AI adoption, up from 17% in 2024.
- 57% of organizations report a significant capacity gap in AI security and risk management.
- 40% of organizations report being understaffed in cybersecurity and compliance.

[Read the full report here.](https://www.linuxfoundation.org/research/state-of-tech-talent-2026?ref=cybersecstats.com)

### Cyber Threat Intelligence Report 2026 (Bridewell)

A wide-ranging report on how attackers are adapting their infrastructure, identity-led compromise, infostealers, fragmenting ransomware, evolving social engineering, abuse of trusted platforms, AI-amplified capability, and emerging 2026 risks like edge exploitation and state-aligned cybercrime.

**The attacker playbook:**

- In 2025, 27.89% of all adversary infrastructure tracked was hosted in the US, up from 23.63% in 2024.
- Cobalt Strike accounted for 38.4% of all OST output, maintaining its position as the primary adversary framework.
- Across 2025, 7,918 victim postings were observed on ransomware group data-leak sites across 129 distinct threat actors.

[Read the full report here.](https://www.bridewell.com/insights/white-papers/detail/cyber-threat-intelligence-report-2026?ref=cybersecstats.com)

## Supply Chain Security

### 2026 Supply Chain Vulnerability Report (Black Kite)

Over 48,000 CVEs were published last year. Very few of them actually mattered.

**Signal vs. noise:**

- Of the 48,000+ CVEs published in 2025, only 58 represented a genuine, discoverable, and exploitable threat to enterprise supply chains.
- Attackers exploited vulnerabilities an average of seven days before public disclosure in 2025.
- 2,130 AI-related vulnerabilities were reported in 2025, a more than 200% increase since 2023.

[Read the full report here.](https://blackkite.com/reports/supply-chain-vulnerability-report-2026?ref=cybersecstats.com)

### 2026 Software Supply Chain Security State of the Union (JFrog)

Where software supply chain security is improving, and where it is not.

**A gap between what orgs say and what they do:**

- Malicious npm packages surged 451% year-over-year.
- 97% of organizations claim they have certified model governance.
- 53% of organizations self-host models from sources where malicious payloads have been detected.

[Read the full report here.](https://jfrog.com/software-supply-chain-state-of-the-union/?ref=cybersecstats.com)

## Mobile Application Security

### 2026 Application Security Threat Report (Digital.ai)

App attacks have been climbing for five years straight, and two sectors are taking the worst of it.

**Up every single year:**

- Mobile application attack rates climbed 58% between 2022 and 2026, rising from 55% to 87%.
- Financial services applications faced a 91% attack rate in 2026, the highest recorded for any vertical.
- Automotive applications faced a 91% attack rate in 2026.

[Read the full report here.](https://digital.ai/resource-center/whitepapers/2026-application-security-threat-report/?ref=cybersecstats.com)

## AI Security

### From Agentic Risk to Human Win, Building a Culture of Security in the Era of Agentic AI (KnowBe4)

AI agents are doing real things in workflows, but too many organizations have no real handle on their AI use.

**Action outpacing oversight:**

- 58% of cybersecurity leaders report that AI agents are already taking actions within organizational workflows.
- 52% of organizations report their use of AI is unapproved or ungoverned.
- Only 19% of cybersecurity leaders report their organizations have an integrated, culture-embedded approach in place to manage human-related cybersecurity risk.

[Read the full report here.](https://www.knowbe4.com/press/knowbe4-report-reveals-success-in-the-era-of-agentic-ai-demands-a-cybersecurity-culture-first-approach?ref=cybersecstats.com)

### Enterprise AI Provisioned. So Why Is the Work in Personal Accounts? (Harmonic Security)

Employees are doing a lot of their AI work for the business on personal accounts the company has no visibility into.

**Paying for enterprise AI, using personal accounts:**

- 64.5% of activity on personal and free-tier AI accounts is business use rather than personal use.
- 45.6% of employees' personal AI activity flows through enterprise tools their company is paying for.
- 74.6% of all AI use at work has a clear business purpose.

[Read the full report here.](https://www.harmonic.security/blog-posts/genai-in-the-enterprise-its-getting-personal?ref=cybersecstats.com)

