# CyberSecStats #48 - The AI speed tax, insider risk costs, healthcare email trends and annual threat reports

> CyberSecStats #48: 27-second eCrime breakout, AI-first firms recover 80 days slower, $150B in cyber VC, 32M phishing emails, insider risk cost hits $19.5M.

Source: https://fmcybersecurity.com/en/insights/strategy/cybersecstats-48/
Locale: English
Other locale: https://fmcybersecurity.com/insights/strategy/cybersecstats-48/

## Metadata

- Date: 2026-03-03
- Author: fredrik-standahl
- Topic: strategy
- Format: news
- Scope: international

## This Week's Cybersecurity Eye-Openers

Three stats worth thinking about this week.

**1. AI is the top budget driver and the first thing on the chopping block**

AI drives cybersecurity budget expansion for 44% of organizations, but 44% would also cut AI investment first if budgets tighten.

**2. Healthcare email security deteriorates**

41% of breached healthcare organizations fell into a high-risk category based on their email configuration, up from 31% in 2024, with over half having permissive or missing SPF records.

**3. Cybersecurity VC funding approaches $150B**

Total venture capital invested in 2025 approaches $150 billion. Seed investment volume surged 41%, with identity and access management capturing more than 15% of all deals.

## Big Picture Reports

### 2026 X-Force Threat Intelligence Index (IBM)

Nation-state actors are doubling down on what works.

**The targeting shift:**

- Manufacturing is the top targeted sector for the fifth consecutive year, accounting for 27.7% of incidents.
- North America became the most-attacked region for the first time in six years, accounting for 29% of total cases.
- Attacks that begin with exploitation of public-facing applications increased by 44%.

[Read the full report here.](https://www.ibm.com/reports/threat-intelligence?ref=cybersecstats.com)

### 2026 Global Threat Report (CrowdStrike)

Attackers are moving so fast that the traditional incident response playbook is effectively obsolete.

**The breakout acceleration:**

- The fastest observed eCrime breakout occurred in 27 seconds.
- In one intrusion, data exfiltration began within four minutes of initial access.
- AI-enabled adversaries increased their operations by 89% year over year.

[Read the full report here.](https://www.crowdstrike.com/en-us/global-threat-report/?ref=cybersecstats.com)

### Annual Threat Report 2026 (Darktrace)

Phishing attacks are evolving faster than email security controls. Attackers are bypassing the authentication standards meant to stop them.

**The phishing evolution:**

- 32 million phishing emails were detected globally in 2025.
- QR code-based phishing attacks increased 28%, rising from 940,000 in 2024 to over 1.2 million in 2025.
- More than 8.2 million phishing emails targeted VIPs in 2025, more than a quarter of all phishing activity.

[Read the full report here.](https://www.darktrace.com/resource/annual-threat-report-2026?ref=cybersecstats.com)

### High-Tech Crime Trends Report 2026 (Group-IB)

Cybercrime is becoming more professional and selective. High-value access deals are moving into private markets away from public forums.

**The targeting patterns:**

- Financial services (68.45%) was the top industry targeted by phishing attacks globally in 2025.
- Public IAB listings declined 27%, shifting high-value deals into private channels.
- Access is increasingly sold as tokens, SaaS admin, and integration footholds, not just VPN or RDP.

[Read the full report here.](https://www.group-ib.com/landing/high-tech-crime-trends-report-2026/?ref=cybersecstats.com)

### Thales 2026 Data Threat Report (Thales)

Basic data security hygiene remains elusive. Organizations struggle with fundamentals like knowing where data lives and whether it is encrypted.

**The data visibility crisis:**

- Only 34% of organizations know where all their data resides, regardless of criticality.
- 47% of sensitive cloud data remains unencrypted.
- Only 39% of organizations can fully classify all their data.

[Read the full report here.](https://cpl.thalesgroup.com/data-threat-report?ref=cybersecstats.com)

### ReliaQuest 2026 Annual Cyber Threat Report (ReliaQuest)

The speed war between attackers and defenders is accelerating beyond what humans can manage without automation.

**The speed crisis:**

- Threat actors using AI and automation tools can achieve lateral movement within an organization in as little as 4 minutes, 85% faster than the previous year.
- On average, lateral movement takes 34 minutes, 29% quicker than the 48 minutes recorded in 2024.
- The quickest data exfiltration attack in 2025 took just 6 minutes, compared with over 4 hours in 2024.

[Read the full report here.](https://reliaquest.com/campaigns/annual-threat-report-2026/executive-summary-2025-vs-2024-at-a-glance?ref=cybersecstats.com)

### The CISO Report (Splunk)

The CISO role has expanded far beyond traditional security into AI governance, legal liability, and organizational resilience.

**The CISO burden:**

- More than three-quarters of CISOs are now worried about personal liability for security incidents, a sharp jump from just over half last year.
- 92% of CISOs say improving threat detection and response is a top priority.
- 68% of CISOs prioritize investing in AI cybersecurity capabilities.

[Read the full report here.](https://www.splunk.com/en_us/campaigns/ciso-report.html?ref=cybersecstats.com)

### 2025 Cyber Risk Report (Resilience)

Ransomware operators have realized that stealing data is often more profitable and less risky than encrypting it.

**The ransomware pivot:**

- In the second half of 2025, more than two-thirds of ransomware attacks leveraged data theft instead of encryption.
- Extortion demands to suppress stolen data made up 49% of extortion claims in the first half of 2025 and 65% in the second half.
- Infostealers harvested more than 2 billion credentials.

[Read the full report here.](https://unlock.cyberresilience.com/2025-cyber-risk-report-gated?ref=cybersecstats.com)

## Email Security

### 2026 Healthcare Email Security Report (Paubox)

Healthcare organizations are being breached through email systems with basic misconfigurations that should have been caught years ago.

**The email security gap:**

- 41% of breached healthcare organizations fell into a high-risk category based on their email configuration, up from 31% in 2024.
- 53% of email-related healthcare breaches occurred on Microsoft 365.
- 56% of breached healthcare organizations had permissive or missing SPF records (9% missing, 46% soft fail).

[Read the full report here.](https://www.paubox.com/resources/the-2026-healthcare-email-security-report?utm_campaign=39343925-LGN.202602.CyberSecStats&utm_source=css&utm_content=emailsecurityreport)

## Cybersecurity Investment

### Q4 2025: Valuations Rising, AI Still Running the Show (DataTribe)

Investment dollars are flowing toward cybersecurity at historic levels. Identity and access management is attracting the largest share of deal activity.

**The market momentum:**

- Total venture capital invested in 2025 approaches $150 billion.
- Seed investment volume in Q4 2025 rose 41% compared with the post-pandemic lows in Q4 2024.
- Identity and access management accounted for more than 15% of deals in Q4 2025.

[Read the full report here.](https://datatribe.com/news/q4-2025-valuations-rising-ai-still-running-the-show-the-2026-outlook/?ref=cybersecstats.com)

## AI

### From Adoption to Accountability (Exabeam)

AI is simultaneously driving the biggest cybersecurity budget increases and becoming the first thing cut when money gets tight.

**The budget surge:**

- 95% of organizations are increasing cybersecurity budgets in 2026.
- AI and automation are the primary catalysts for cybersecurity budget expansion for 44% of organizations.
- 44% of organizations would cut AI investment first if cybersecurity budgets tightened.

[Read the full report here.](https://www.exabeam.com/hubs/from-adoption-to-accountability-the-new-economics-of-ai-in-cybersecurity/?ref=cybersecstats.com)

### The AI Speed Tax (Fastly)

Organizations that move fastest on AI adoption are also moving fastest toward longer, costlier security incidents.

**The AI recovery gap:**

- AI-first businesses take nearly seven months on average to fully recover from cybersecurity incidents, 80 days longer than non-AI-first businesses.
- The financial cost of a cybersecurity incident for AI-first businesses exceeds the cost for non-AI-first businesses by more than 135%.
- 44% of AI-first organizations report that AI was directly exploited in their most recent security incident, compared with 6% of non-AI-first organizations.

[Read the full report here.](https://learn.fastly.com/the-ai-speed-tax.html?ref=cybersecstats.com)

## Identity and Access Management

### AI, Automation, and Risk in 2026: Identity at a Breaking Point (Lumos)

Identity has replaced the network perimeter as the primary battleground.

**The identity crisis:**

- 96% of organizations have experienced identity-related security incidents.
- Over 54% of security leaders cite unchecked growth of permissions as their top hurdle.
- 48.1% of organizations have experienced MFA fatigue attacks.

[Read the full report here.](https://www.lumos.com/report/ai-automation-risk?ref=cybersecstats.com)

## Ransomware

### Total Ransomware Payments Stagnate While Attacks Escalate (Chainalysis)

More attacks are happening. Victims are paying less often. Ransomware economics are shifting.

**The payment paradox:**

- The median ransom payment grew 368% year over year to nearly $60,000.
- Data leak site-claimed ransomware incidents grew by 50% year over year to an all-time high.
- On-chain analysis indicates that spikes in IAB inflows typically precede increases in ransomware payments and victim leaks by roughly 30 days.

[Read the full report here.](https://www.chainalysis.com/blog/crypto-ransomware-2026/?ref=cybersecstats.com)

## Open Source Security

### 2026 Open Source Security and Risk Analysis Report (Black Duck)

Open-source software in production is a risk organizations know about but rarely fix fast enough.

**The open source picture:**

- 98% of codebases contain open source components.
- Mean vulnerabilities per codebase increased by 107% year over year.
- 24% of organizations perform comprehensive IP, license, security, and quality evaluations for AI-generated code.

[Read the full report here.](https://www.blackduck.com/resources/analyst-reports/open-source-security-risk-analysis.html?ref=cybersecstats.com)

## Software Security

### 2026 State of Software Security Report (Veracode)

Technical debt is becoming a critical security liability.

**The security debt crisis:**

- 82% of organizations now harbor security debt, an 11% increase from the prior year.
- High-risk vulnerabilities (flaws that are both severe and highly exploitable) increased 36% year over year.
- Third-party libraries and open-source dependencies account for 66% of the most dangerous, longest-lived vulnerabilities.

[Read the full report here.](https://www.veracode.com/resources/analyst-reports/state-of-software-security-2026/?ref=cybersecstats.com)

### State of DevSecOps (Datadog)

Teams know which vulnerabilities exist in their production systems. They are not patching them.

**The DevSecOps gap:**

- 87% of organizations have at least one known exploitable vulnerability in deployed services.
- 42% of services rely on libraries that are no longer actively maintained.
- The median software dependency is 278 days out of date, 63 days further behind than last year.

[Read the full report here.](https://www.datadoghq.com/state-of-devsecops/?ref=cybersecstats.com)

## Insider Risk

### Cost of Insider Risks Global Report (DTEX)

Generative AI has created new pathways for insider threats that most organizations cannot see.

**The insider picture:**

- The average annual cost of insider risk reached $19.5 million in 2025, up 20% over two years.
- Organizations experienced an average of 25 insider incidents in 2025.
- Negligence drove the highest losses, with costs reaching $10.3 million annually, a 17% year-over-year increase.

[Read the full report here.](https://ponemon.dtex.ai/?ref=cybersecstats.com)

## SMB Threat Landscape

### The 2026 SMB Threat Landscape Report (VikingCloud)

For the first time, small business owners say cyberattacks worry them more than inflation, recession, or economic downturns.

**The SMB shift:**

- Cyberattacks rank as the number one business concern for small and medium-sized businesses.
- 84% of business owners still self-manage their cybersecurity programs.
- 40% say an attack costing $100,000 or less could put them out of business.

[Read the full report here.](https://www.vikingcloud.com/resources/the-2026-smb-threat-landscape-report-the-year-cybersecurity-risks-surpass-economic-concerns?ref=cybersecstats.com)

### Cybersecurity in the Age of AI (N-able)

Small and mid-sized businesses are now facing the same AI-powered threats designed for enterprise targets.

**The AI threat to SMBs:**

- 46.4% of SMBs experienced 3 or more incidents in the past 12 months.
- 47.2% say alert fatigue is the key hurdle to resolving security vulnerabilities and incidents.
- Only about 25% of medium and low priority alerts are investigated by SMBs.

[Read the full report here.](https://www.n-able.com/resources/cybersecurity-in-the-age-of-ai?ref=cybersecstats.com)

## Vulnerability Trends

### 2026 VulnCheck Exploit Intelligence Report (VulnCheck)

The vast majority of published vulnerabilities never get exploited. Defenders still struggle to focus on the ones that matter.

**The exploitation reality:**

- Only 1% of vulnerabilities were confirmed to be exploited in the wild in 2025.
- 56.4% of 2025 ransomware CVEs were first identified through active zero-day exploitation.
- Roughly one-third of 2025 ransomware CVEs lacked public or commercial exploits as of January 2026.

[Read the full report here.](https://wwv.vulncheck.com/2026-vulncheck-exploit-intelligence-report?ref=cybersecstats.com)

## OT and Industrial Security

### Intelligence-Driven Active Defense Report 2026 (Palo Alto Networks)

Critical infrastructure operators are discovering just how many of their industrial control systems are visible and accessible from the public internet.

**The OT exposure crisis:**

- Unique internet-exposed OT devices and services increased 332%, with nearly 20 million OT-related devices now observable on the public internet.
- 82.8% of adversary activity occurs during an extended precursor phase, long before operational impact is realized, with an average dwell time of 185 days.
- The highest concentrations of exposed OT devices were in the United States, China, and Germany.

[Read the full report here.](https://www.paloaltonetworks.com/resources/whitepapers/securing-ot-environments?ref=cybersecstats.com)

## Enterprise Perspective

### The 2026 State of Agentic AI Cyber Risk Report (Apono)

Everyone wants to deploy agentic AI. Almost nobody feels ready to secure it.

**The agentic AI slowdown:**

- 98% of global enterprises say security and data concerns have already slowed deployments, added review steps, or reduced project scope for agentic AI and autonomous systems.
- 100% of global enterprises agree attacks targeting agentic AI workflows would be more damaging than traditional cyberattacks.
- Only 21% say they feel prepared to manage attacks involving agentic AI or autonomous workflows.

[Read the full report here.](https://lp.apono.io/the-2026-state-of-agentic-ai-cyber-risk-report?ref=cybersecstats.com)

