CyberSecStats #42 - Share of security budgets that will go to AI, bot traffic and adware trends
CyberSecStats #42: 99% of orgs hit by AI attacks, 70% of CISOs budgeting 10%+ for AI, AI code 1.7x more issues, SMS toll fraud explodes 78%.
This Week’s Cybersecurity Eye-Openers
Three takeaways from this week’s data.
1. AI code contains approximately 1.7 times more issues than human-written code
Performance inefficiencies appear nearly 8 times more often.
2. 99% of security leaders at large US organizations plan to increase cybersecurity budgets
For spending plans over the next two to three years. 70% of leaders plan to dedicate more than 10% of their budgets to AI-related cyber initiatives.
3. 99% of organizations experienced at least one attack on their AI systems
In the past year, AI-related deployments have been universally targeted by prompt injections and specific AI-related attacks. Attempts to compromise AI-related APIs increased by 41%.
Big Picture Reports
2025 KPMG Cybersecurity Survey (KPMG)
US organizations plan large increases in cybersecurity budgets. AI initiatives could consume 10% or more of planned spending.
According to KPMG:
- 99% of security leaders at US organizations with at least $1 billion in revenue plan to increase cybersecurity budgets over the next two to three years.
- 54% are planning for sizable increases of 6% to 10% in their cybersecurity budgets.
- 70% are dedicating more than 10% of their budgets to AI-related cyber initiatives.
AI and Code Security
State of the AI vs. Human Code Generation Report (CodeRabbit)
AI coding tools boost productivity, but have a measurable impact on the security of code that makes it into production.
AI’s code quality gap:
- AI-generated code contains approximately 1.7 times more issues than human-written code.
- Performance inefficiencies, such as excessive I/O, appear nearly 8 times more often in AI-generated code.
- Security vulnerabilities in AI-generated code increase by 1.5 to 2 times, particularly in password handling and insecure object references.
Navigating Software Supply Chain Risk in a Rapid-Release World (Black Duck)
AI adoption in development outpaces security. Only a fraction of organizations using AI tools have comprehensive protection strategies.
Security lags productivity:
- 95% of surveyed organizations reported using AI tools in software development.
- Only 24% have adopted comprehensive strategies to secure AI-generated code.
- 76% of organizations check AI code for security risks.
Bots
Fastly Threat Insights Report (Fastly)
Bot traffic now accounts for almost a third of all web activity.
Bot traffic picture:
- Bots account for 29% of all web traffic, with approximately 25% classified as unwanted.
- 89% of headless bot traffic targeted transaction-heavy industries like financial services and commerce.
- Meta’s AI crawler and OpenAI’s ChatGPT fetcher accounted for 60% and 68% of their respective traffic categories.
Cloud Security
The State of Cloud Security Report 2025 (Palo Alto Networks)
Your cloud attack surface is growing, and it is likely to be attacked by some kind of AI agent threat in 2026.
Cloud threat picture:
- 99% of organizations experienced at least one attack on their AI systems in the past year.
- API attacks increased by 41% due to the rise of agentic AI relying heavily on APIs.
- 30% of teams take more than a full day to resolve an incident due to disjointed workflows.
Application Security
From Code to Production: How Modern AppSec Programs Yield 3x Better Business Outcomes (Fastly)
AppSec maturity has measurable upsides for the business.
AppSec upsides:
- Organizations classified as ‘Exceptional’ in AppSec maturity are 3.6 times more likely to report a 20% or greater improvement in application availability.
- Exceptional programs are 1.9 times less likely to experience a data breach than emerging programs.
- High Technology industry leads with 35.5% of organizations classified as ‘Exceptional’, followed by Travel and Hospitality at 18.3%.
Mobile Security
Android Mobile Adware Surges in Second Half of 2025 (Malwarebytes)
Android adware and unwanted programs nearly doubled in the second half of 2025.
Malwarebytes reports:
- The volume of Android adware detections nearly doubled from the December-May period to the June-November timeframe in 2025.
- Potentially Unwanted Programs (PUP) detections increased by nearly 75% in the June-November period.
- MobiDash (a particularly aggressive adware) detections increased by 77% from September through November 2025.
Small Business Security
The 2025 SMB Cybersecurity Survey (Guardz)
Nearly half of US small businesses were hit by cyberattacks. Most are primarily worried about employee negligence.
What SMBs are worried about:
- 43% of SMBs experienced a cyberattack in the past 5 years.
- 45% cite employee negligence as their biggest cybersecurity concern.
- Only 34% have a formal incident response or continuity plan developed with a cybersecurity professional.
Enterprise Perspective
The Enterprise Unification Gap (JumpCloud)
Tool sprawl is a big enough problem that 87% of enterprises are considering platform changes to cut it.
The unification imperative:
- 87% of US IT leaders from enterprise organizations are considering changing their current productivity suite for a more unified platform.
- US IT leaders manage an average of over nine different tools.
- Only 6% report that their current setup works perfectly.
Enterprises Under Attack: Quarterly Threat Actor Patterns
SMS toll fraud is exploding across sectors as attackers shift to larger, more targeted campaigns.
The fraud surge:
- SMS toll fraud now comprises 78% of all attacks on the gig economy, up from 48% a year prior.
- SMS toll fraud malicious traffic surged by 67% over Q2 2025, making it the fastest-growing attack type.
- In Q3, SMS toll fraud targeting the gaming sector increased by 125%, while fintech grew by 97%.
Industry Deep Dives
Action1 Cybersecurity in Education Report 2025-2026 (Action1)
Schools face AI-powered phishing threats. Most do not have dedicated cybersecurity specialists.
The education picture:
- 89% of schools experienced at least one cyber incident in the past year.
- 74% of schools lack a dedicated cybersecurity specialist.
- 92% of school IT leaders expect AI-powered phishing to be the most dangerous threat in the coming year.
Regional Spotlight
New Yorkers Demand Businesses Prioritize Security and Resilience of Data (Commvault)
New Yorkers are ready to punish companies for data breaches.
Consumer accountability:
- Over 85% of New Yorkers indicated they would or might stop using a company if it suffered a data breach.
- 38% reported they have already stopped using a service because they did not trust it to protect their data.
- 48% stated they have been the victim of a cyberattack at least once.