
CyberSecStats #48 - The AI speed tax, insider risk costs, healthcare email trends and annual threat reports

CyberSecStats #48: 27-second eCrime breakout, AI-first firms recover 80 days slower, $150B in cyber VC, 32M phishing emails, insider risk cost hits $19.5M.

This Week’s Cybersecurity Eye-Openers

Three stats worth thinking about this week.

1. AI is the top budget driver and the first thing on the chopping block

AI drives cybersecurity budget expansion for 44% of organizations, but 44% would also cut AI investment first if budgets tighten.

2. Healthcare email security deteriorates

41% of breached healthcare organizations fell into a high-risk category based on their email configuration, up from 31% in 2024, with over half having permissive or missing SPF records.

3. Cybersecurity VC funding approaches $150B

Total venture capital invested in 2025 approaches $150 billion. Seed investment volume surged 41%, with identity and access management capturing more than 15% of all deals.

Big Picture Reports

2026 X-Force Threat Intelligence Index (IBM)

Nation-state actors are doubling down on what works.

The targeting shift:

  • Manufacturing is the top targeted sector for the fifth consecutive year, accounting for 27.7% of incidents.
  • North America became the most-attacked region for the first time in six years, accounting for 29% of total cases.
  • Attacks that begin with exploitation of public-facing applications increased by 44%.

Read the full report here.

2026 Global Threat Report (CrowdStrike)

Attackers are moving so fast that the traditional incident response playbook is effectively obsolete.

The breakout acceleration:

  • The fastest observed eCrime breakout occurred in 27 seconds.
  • In one intrusion, data exfiltration began within four minutes of initial access.
  • AI-enabled adversaries increased their operations by 89% year over year.

Read the full report here.

Annual Threat Report 2026 (Darktrace)

Phishing attacks are evolving faster than email security controls. Attackers are bypassing the authentication standards meant to stop them.

The phishing evolution:

  • 32 million phishing emails were detected globally in 2025.
  • QR code-based phishing attacks increased 28%, rising from 940,000 in 2024 to over 1.2 million in 2025.
  • More than 8.2 million phishing emails targeted VIPs in 2025, more than a quarter of all phishing activity.

Read the full report here.

Cybercrime is becoming more professional and selective. High-value access deals are moving into private markets away from public forums.

The targeting patterns:

  • Financial services (68.45%) was the top industry targeted by phishing attacks globally in 2025.
  • Public IAB listings declined 27%, shifting high-value deals into private channels.
  • Access is increasingly sold as tokens, SaaS admin, and integration footholds, not just VPN or RDP.

Read the full report here.

Thales 2026 Data Threat Report (Thales)

Basic data security hygiene remains elusive. Organizations struggle with fundamentals like knowing where data lives and whether it is encrypted.

The data visibility crisis:

  • Only 34% of organizations know where all their data resides, regardless of criticality.
  • 47% of sensitive cloud data remains unencrypted.
  • Only 39% of organizations can fully classify all their data.

Read the full report here.

ReliaQuest 2026 Annual Cyber Threat Report (ReliaQuest)

The speed war between attackers and defenders is accelerating beyond what humans can manage without automation.

The speed crisis:

  • Threat actors using AI and automation tools can achieve lateral movement within an organization in as little as 4 minutes, 85% faster than the previous year.
  • On average, lateral movement takes 34 minutes, 29% quicker than the 48 minutes recorded in 2024.
  • The quickest data exfiltration attack in 2025 took just 6 minutes, compared with over 4 hours in 2024.

Read the full report here.

The CISO Report (Splunk)

The CISO role has expanded far beyond traditional security into AI governance, legal liability, and organizational resilience.

The CISO burden:

  • More than three-quarters of CISOs are now worried about personal liability for security incidents, a sharp jump from just over half last year.
  • 92% of CISOs say improving threat detection and response is a top priority.
  • 68% of CISOs prioritize investing in AI cybersecurity capabilities.

Read the full report here.

2025 Cyber Risk Report (Resilience)

Ransomware operators have realized that stealing data is often more profitable and less risky than encrypting it.

The ransomware pivot:

  • In the second half of 2025, more than two-thirds of ransomware attacks leveraged data theft instead of encryption.
  • Extortion demands to suppress stolen data made up 49% of extortion claims in the first half of 2025 and 65% in the second half.
  • Infostealers harvested more than 2 billion credentials.

Read the full report here.

Email Security

2026 Healthcare Email Security Report (Paubox)

Healthcare organizations are being breached through email systems with basic misconfigurations that should have been caught years ago.

The email security gap:

  • 41% of breached healthcare organizations fell into a high-risk category based on their email configuration, up from 31% in 2024.
  • 53% of email-related healthcare breaches occurred on Microsoft 365.
  • 56% of breached healthcare organizations had permissive or missing SPF records (9% missing, 46% soft fail).

Read the full report here.

Cybersecurity Investment

Q4 2025: Valuations Rising, AI Still Running the Show (DataTribe)

Investment dollars are flowing toward cybersecurity at historic levels. Identity and access management is attracting the largest share of deal activity.

The market momentum:

  • Total venture capital invested in 2025 approaches $150 billion.
  • Seed investment volume in Q4 2025 rose 41% compared with the post-pandemic lows in Q4 2024.
  • Identity and access management accounted for more than 15% of deals in Q4 2025.

Read the full report here.

AI

From Adoption to Accountability (Exabeam)

AI is simultaneously driving the biggest cybersecurity budget increases and becoming the first thing cut when money gets tight.

The budget surge:

  • 95% of organizations are increasing cybersecurity budgets in 2026.
  • AI and automation are the primary catalysts for cybersecurity budget expansion for 44% of organizations.
  • 44% of organizations would cut AI investment first if cybersecurity budgets tightened.

Read the full report here.

The AI Speed Tax (Fastly)

Organizations that move fastest on AI adoption are also moving fastest toward longer, costlier security incidents.

The AI recovery gap:

  • AI-first businesses take nearly seven months on average to fully recover from cybersecurity incidents, 80 days longer than non-AI-first businesses.
  • The financial cost of a cybersecurity incident for AI-first businesses exceeds the cost for non-AI-first businesses by more than 135%.
  • 44% of AI-first organizations report that AI was directly exploited in their most recent security incident, compared with 6% of non-AI-first organizations.

Read the full report here.

Identity and Access Management

AI, Automation, and Risk in 2026: Identity at a Breaking Point (Lumos)

Identity has replaced the network perimeter as the primary battleground.

The identity crisis:

  • 96% of organizations have experienced identity-related security incidents.
  • Over 54% of security leaders cite unchecked growth of permissions as their top hurdle.
  • 48.1% of organizations have experienced MFA fatigue attacks.

Read the full report here.

Ransomware

Total Ransomware Payments Stagnate While Attacks Escalate (Chainalysis)

More attacks are happening. Victims are paying less often. Ransomware economics are shifting.

The payment paradox:

  • The median ransom payment grew 368% year over year to nearly $60,000.
  • Data leak site-claimed ransomware incidents grew by 50% year over year to an all-time high.
  • On-chain analysis indicates that spikes in IAB inflows typically precede increases in ransomware payments and victim leaks by roughly 30 days.

Read the full report here.

Open Source Security

2026 Open Source Security and Risk Analysis Report (Black Duck)

Open-source software in production is a risk organizations know about but rarely fix fast enough.

The open source picture:

  • 98% of codebases contain open source components.
  • Mean vulnerabilities per codebase increased by 107% year over year.
  • 24% of organizations perform comprehensive IP, license, security, and quality evaluations for AI-generated code.

Read the full report here.

Software Security

2026 State of Software Security Report (Veracode)

Technical debt is becoming a critical security liability.

The security debt crisis:

  • 82% of organizations now harbor security debt, an 11% increase from the prior year.
  • High-risk vulnerabilities (flaws that are both severe and highly exploitable) increased 36% year over year.
  • Third-party libraries and open-source dependencies account for 66% of the most dangerous, longest-lived vulnerabilities.

Read the full report here.

State of DevSecOps (Datadog)

Teams know which vulnerabilities exist in their production systems. They are not patching them.

The DevSecOps gap:

  • 87% of organizations have at least one known exploitable vulnerability in deployed services.
  • 42% of services rely on libraries that are no longer actively maintained.
  • The median software dependency is 278 days out of date, 63 days further behind than last year.

Read the full report here.

Insider Risk

Cost of Insider Risks Global Report (DTEX)

Generative AI has created new pathways for insider threats that most organizations cannot see.

The insider picture:

  • The average annual cost of insider risk reached $19.5 million in 2025, up 20% over two years.
  • Organizations experienced an average of 25 insider incidents in 2025.
  • Negligence drove the highest losses, with costs reaching $10.3 million annually, a 17% year-over-year increase.

Read the full report here.

SMB Threat Landscape

The 2026 SMB Threat Landscape Report (VikingCloud)

For the first time, small business owners say cyberattacks worry them more than inflation, recession, or economic downturns.

The SMB shift:

  • Cyberattacks rank as the number one business concern for small and medium-sized businesses.
  • 84% of business owners still self-manage their cybersecurity programs.
  • 40% say an attack costing $100,000 or less could put them out of business.

Read the full report here.

Cybersecurity in the Age of AI (N-able)

Small and mid-sized businesses are now facing the same AI-powered threats designed for enterprise targets.

The AI threat to SMBs:

  • 46.4% of SMBs experienced 3 or more incidents in the past 12 months.
  • 47.2% say alert fatigue is the key hurdle to resolving security vulnerabilities and incidents.
  • Only about 25% of medium and low priority alerts are investigated by SMBs.

Read the full report here.

2026 VulnCheck Exploit Intelligence Report (VulnCheck)

The vast majority of published vulnerabilities never get exploited. Defenders still struggle to focus on the ones that matter.

The exploitation reality:

  • Only 1% of vulnerabilities were confirmed to be exploited in the wild in 2025.
  • 56.4% of 2025 ransomware CVEs were first identified through active zero-day exploitation.
  • Roughly one-third of 2025 ransomware CVEs lacked public or commercial exploits as of January 2026.

Read the full report here.

OT and Industrial Security

Intelligence-Driven Active Defense Report 2026 (Palo Alto Networks)

Critical infrastructure operators are discovering just how many of their industrial control systems are visible and accessible from the public internet.

The OT exposure crisis:

  • Unique internet-exposed OT devices and services increased 332%, with nearly 20 million OT-related devices now observable on the public internet.
  • 82.8% of adversary activity occurs during an extended precursor phase, long before operational impact is realized, with an average dwell time of 185 days.
  • The highest concentrations of exposed OT devices were in the United States, China, and Germany.

Read the full report here.

Enterprise Perspective

The 2026 State of Agentic AI Cyber Risk Report (Apono)

Everyone wants to deploy agentic AI. Almost nobody feels ready to secure it.

The agentic AI slowdown:

  • 98% of global enterprises say security and data concerns have already slowed deployments, added review steps, or reduced project scope for agentic AI and autonomous systems.
  • 100% of global enterprises agree attacks targeting agentic AI workflows would be more damaging than traditional cyberattacks.
  • Only 21% say they feel prepared to manage attacks involving agentic AI or autonomous workflows.

Read the full report here.
