CyberSecStats #49 - Life of a CISO in 2026, saying no to ransom demands, European cyber trends and third-party knock-on effects
CyberSecStats #49: 86% refuse ransom payments, 90 zero-days exploited in 2025, third-party breaches cascading to 5.28 victims per vendor, deepfake voice calls everywhere.
This Week’s Cybersecurity Eye-Openers
Three takeaways from this week’s data.
1. Most companies refused to pay ransoms
A record 86% of businesses refused to pay ransom demands in 2025, even as initial ransom demands surged 47% year over year.
2. 90 zero-days exploited in the wild
Google Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild in 2025. 48% targeted enterprise-grade technology, and operating systems accounted for 44% of all zero-days.
3. Third-party breaches keep cascading
The average number of downstream breach victims per vendor rose from 2.46 in 2021 to 5.28 in 2025, with 433 million people impacted by third-party breaches.
Big Picture Reports
The State of Human Risk 2026 (Mimecast)
Organizations almost universally acknowledge they cannot adequately protect against human-targeted attacks.
The human vulnerability:
- 96% of organizations admit they have incomplete protection against human risk.
- 69% see AI-driven attacks as inevitable within 12 months.
- 71% expect negative business impact from attacks via Slack, Teams, Zoom, and similar platforms in 2026.
2026 Cyber Claims Report (Coalition)
Businesses are calling ransomware operators’ bluff. Refusal rates hit record highs.
The ransom refusal:
- A record 86% of businesses refused to pay ransom demands.
- Initial ransom demands surged 47% year over year in 2025.
- Ransomware was the most costly type of cyber claim in 2025, with an average loss of $269,000.
Third-Party and Supply Chain Risk
2026 Third-Party Breach Report (Black Kite)
A single vendor breach now ripples through more than five downstream organizations on average.
The cascade effect:
- Average downstream breach victims per vendor rose from 2.46 in 2021 to 5.28 in 2025.
- 433 million people are publicly disclosed as impacted by third-party breaches.
- The average disclosure window worsened from 76 days in 2024 to 117 days in 2025.
Beyond the Black Box (Manifest)
Organizations are generating SBOMs, but most are not using them to manage security.
The SBOM gap:
- 60% of organizations generate SBOMs.
- More than half of organizations that generate SBOMs are not consuming or managing them in practice.
- 63% of organizations acknowledge that there is shadow AI within their organization.
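The gap the Manifest figures point at is between producing an SBOM and actually consuming it. The script below is an added example (it is not code from the Manifest report or any SBOM tool) of the consumption step: it parses a constructed CycloneDX 1.5 document, decodes each component's package URL (purl), checks the version against a constructed deny list, and flags components an automated pipeline could never match at all because they carry no purl or no version. The SBOM contents, component names and denied versions are all made up for illustration.

```python
"""Consume a CycloneDX SBOM instead of only generating one.

Parses component purls, checks them against a version policy, and reports
components that cannot be correlated with advisories. The SBOM and the deny
list are constructed for this example and do not describe real packages.
"""
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.5 document (not output of any real generator).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "patient-portal", "bom-ref": "app"}},
    "components": [
        {"type": "library", "bom-ref": "c1", "name": "example-http", "version": "2.4.0",
         "purl": "pkg:pypi/example-http@2.4.0"},
        {"type": "library", "bom-ref": "c2", "name": "example-yaml", "version": "5.3.1",
         "purl": "pkg:pypi/example-yaml@5.3.1"},
        # No purl: a scanner has nothing to correlate with an advisory feed.
        {"type": "library", "bom-ref": "c3", "name": "legacy-widget", "version": "0.9"},
        # purl without a version: cannot be matched against a version range.
        {"type": "library", "bom-ref": "c4", "name": "example-ui", "purl": "pkg:npm/%40acme/example-ui"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c3", "c4"]},
        {"ref": "c1", "dependsOn": ["c2"]},
    ],
})

# Constructed deny list: (purl type, namespace, name) -> versions that policy rejects.
DENIED_VERSIONS = {
    ("pypi", None, "example-yaml"): {"5.3.1"},
}


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts.

    Returns (type, namespace, name, version); namespace and version may be None.
    The '@' is only treated as the version separator when it follows the last
    '/', so an unencoded npm scope such as '@acme' is not mistaken for a version.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[4:].lstrip("/")
    rest = rest.split("#", 1)[0]   # drop subpath
    rest = rest.split("?", 1)[0]   # drop qualifiers
    version = None
    at = rest.rfind("@")
    if at > rest.rfind("/"):
        rest, version = rest[:at], unquote(rest[at + 1:])
    parts = rest.split("/")
    ptype = parts[0].lower()
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return ptype, namespace, name, version


def evaluate_sbom(sbom_json, denied=DENIED_VERSIONS):
    """Return policy findings for every component that is denied or unmatchable."""
    bom = json.loads(sbom_json)
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    # The root's dependsOn list tells us which components are direct dependencies.
    direct = set()
    for dep in bom.get("dependencies", []):
        if dep.get("ref") == root:
            direct.update(dep.get("dependsOn", []))

    findings = []
    for comp in bom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version', '?')}"
        reach = "direct" if comp.get("bom-ref") in direct else "transitive"
        purl = comp.get("purl")
        if not purl:
            findings.append({"component": label, "status": "unmatchable", "reach": reach,
                             "detail": "no purl; cannot be correlated with advisories"})
            continue
        ptype, namespace, name, version = parse_purl(purl)
        if version is None:
            findings.append({"component": label, "status": "unversioned", "reach": reach,
                             "detail": f"{purl} carries no version"})
            continue
        if version in denied.get((ptype, namespace, name), set()):
            findings.append({"component": label, "status": "denied", "reach": reach,
                             "detail": f"{purl} is on the deny list"})
    return findings


if __name__ == "__main__":
    for finding in evaluate_sbom(SAMPLE_SBOM_JSON):
        print(f"{finding['status']:<12} {finding['reach']:<10} {finding['component']}: {finding['detail']}")
```

In a real pipeline the deny list would be replaced by an advisory feed keyed on the same purl coordinates; the two "unmatchable" and "unversioned" findings are the ones that matter most, because they are exactly the components such a feed would silently skip.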
AI
AI-Augmented Cybersecurity Performance Data (Hack The Box)
AI augmentation is delivering measurable productivity gains for cybersecurity teams.
The AI advantage:
- AI-augmented teams improve the solve rate for cybersecurity challenges by 70% within the same time window.
- AI advantage peaks at 3.89x for mid-level operators on medium-difficulty cybersecurity tasks.
- AI-augmented teams achieve a 27% solve rate for cybersecurity challenges, versus 16% for top human-only teams.
Cybersecurity Workforce
2026 CISO-Board Engagement (IANS, Artico Search, and The CAP Group)
CISOs are getting more board time, but the quality of strategic dialogue remains inconsistent.
The engagement gap:
- 95% of CISOs provide regular updates to the board.
- Only 30% of boards describe their relationship with the CISO as strong and collaborative.
- 53% of boards indicate that reporting on the impact of evolving threats needs improvement.
The 2026 State of the Cybersecurity Workforce Report (Seemplicity)
Cybersecurity leaders are working what amounts to a sixth day every week as AI reshapes their role.
The burnout signal:
- 45% of U.S.-based cybersecurity leaders work 11 or more extra hours per week, and 20% work 16 or more extra hours weekly.
- 44% say their role feels emotionally exhausting more often than rewarding.
- Despite this, 94% would still choose cybersecurity as a career.
Pentester Profile Report (Cobalt)
Professional penetration testers prefer structured testing over bounty programs for finding serious vulnerabilities.
The testing model divide:
- 58% of professional pentesters rank PTaaS as the most effective model for uncovering complex vulnerabilities.
- Only 15% rank public bug bounties as the most effective way to uncover complex vulnerabilities.
- 30% of all bug bounty submissions are invalid or low-value noise.
Zero-Day Vulnerabilities
2025 Zero-Days in Review (Google Threat Intelligence)
Zero-day exploitation patterns are shifting toward enterprise-grade technology and operating systems.
The zero-day picture:
- Google Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild in 2025.
- 48% of 2025’s zero-days targeted enterprise-grade technology.
- Operating systems, both desktop and mobile, were the most exploited product category, accounting for 44% of all zero-days.
Industrial Security
The State of Industrial Remote Access 2026 (Secomea)
Industrial organizations are overconfident about their remote access security as vendor risks multiply.
The remote access blind spot:
- Only 43% of organizations in manufacturing and critical infrastructure report full audit trails of vendor sessions.
- Where IT/OT alignment weakens, vendor-related incident exposure nearly triples.
- Organizations managing 21 to 100 external vendors report the highest incident exposure levels.
2026 State of Industrial AI Report (Cisco)
Cybersecurity concerns are holding back AI adoption in industrial sectors, even as most organizations expect AI to improve their security posture.
The industrial AI paradox:
- 40% of organizations in industrial sectors cite cybersecurity concerns as a top obstacle to AI adoption.
- 48% identify security as their biggest networking challenge.
- 85% expect AI to improve their cybersecurity posture.
Consumer Scams and Fraud
State of the Call (Hiya)
Deepfake voice technology has moved from theoretical threat to everyday reality for Americans.
The deepfake voice picture:
- One in four Americans has received a deepfake voice call in the past 12 months.
- 24% of Americans are not sure they could tell the difference between a deepfake voice call and a real call.
- About 49% of Americans have either received an AI voice deepfake call or cannot distinguish one from a real call.
How E-Commerce Scams are Shaping Consumer Behavior (Clutch)
Online shopping scams have become so prevalent that they are changing how consumers make purchasing decisions.
The e-commerce scam picture:
- 71% of consumers have encountered a scam or attempted scam while shopping online.
- 92% of consumers say they are concerned about the influence online scams have on their purchasing decisions.
- 58% of consumers report seeing a fake ad impersonating a well-known brand.
Tax Scams Hit Nearly 1 in 4 Adults (McAfee)
Tax season is prime time for scammers targeting confused and anxious filers.
The tax scam surge:
- Nearly 1 in 4 Americans (23%) have fallen victim to a tax scam.
- Only 29% of Americans feel very confident they could recognize a tax scam.
- Nearly 1 in 5 Americans say they have lost money to a tax scam, with victims losing an average of $1,020.
Industry-Specific
2026 Healthcare Email Security Report (Paubox)
Healthcare organizations are being breached through email systems with basic misconfigurations that should have been caught years ago.
The email security gap:
- 56% of breached healthcare organizations had permissive or missing SPF records (9% published no SPF record at all, 46% used a soft-fail ~all policy that marks unauthorized senders but typically still lets their mail through).
- 41% of breached healthcare organizations fell into a high-risk category based on their email configuration, up from 31% in 2024.
- 53% of email-related healthcare breaches occurred on Microsoft 365.
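The SPF buckets in the Paubox figures (missing, soft fail, strict) are cheap to audit yourself. The script below is an added example (not the Paubox methodology or code) that classifies a domain's TXT records the same way: no `v=spf1` record is "missing", a `~all` terminator is "soft_fail", `-all` is "hard_fail", and it also catches the cases an auditor usually forgets, namely `+all`, a record with no `all` mechanism at all (RFC 7208 defaults to neutral), a `redirect=` that hands the policy to another domain, and two `v=spf1` records (a permanent error that leaves receivers with no usable policy). The domains and TXT values are constructed for the example; in practice you would feed in the result of a real TXT lookup.

```python
"""Classify published SPF records into the buckets a breach report would use.

Input is the list of TXT records a DNS lookup returned for a domain. The
sample records below are constructed for this example and are not real domains.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# RFC 7208: the record starts with the version token "v=spf1" (case-insensitive),
# followed by whitespace or end of string. "v=spf10" is not an SPF record.
SPF_VERSION_RE = re.compile(r"v=spf1(\s|$)", re.IGNORECASE)

# Meaning of the qualifier on the terminal "all" mechanism.
QUALIFIER_MEANING = {
    "+": "permissive",  # +all: every sender passes, SPF offers no protection
    "?": "neutral",     # ?all: no assertion, receivers treat it like no policy
    "~": "soft_fail",   # ~all: unauthorized senders are marked, usually still delivered
    "-": "hard_fail",   # -all: unauthorized senders fail SPF
}

# Statuses that leave the domain spoofable or that receivers cannot enforce.
WEAK_STATUSES = {"missing", "invalid", "permissive", "neutral", "soft_fail"}


@dataclass(frozen=True)
class SpfAssessment:
    domain: str
    status: str
    record: Optional[str]
    detail: str


def assess_spf(domain, txt_records):
    """Classify the SPF posture of one domain from its TXT records."""
    spf = [r.strip() for r in txt_records if SPF_VERSION_RE.match(r.strip())]
    if not spf:
        return SpfAssessment(domain, "missing", None, "no v=spf1 TXT record published")
    if len(spf) > 1:
        # RFC 7208 section 4.5: multiple records are a permerror, so no policy applies.
        return SpfAssessment(domain, "invalid", spf[0],
                             f"{len(spf)} v=spf1 records published (permerror)")
    record = spf[0]
    redirect = None
    for term in record.split()[1:]:          # skip the version token
        lowered = term.lower()
        if lowered.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if lowered[0] in QUALIFIER_MEANING:
            qualifier, mechanism = lowered[0], lowered[1:]
        else:
            qualifier, mechanism = "+", lowered   # default qualifier is "+"
        if mechanism == "all":
            # Mechanisms after "all" are never evaluated, so stop here.
            return SpfAssessment(domain, QUALIFIER_MEANING[qualifier], record,
                                 f"terminal mechanism {term}")
    if redirect:
        return SpfAssessment(domain, "redirect", record,
                             f"policy delegated to {redirect}; assess that domain instead")
    return SpfAssessment(domain, "neutral", record,
                         "no 'all' mechanism; RFC 7208 default result is neutral")


def assess_all(records_by_domain):
    return [assess_spf(d, txt) for d, txt in records_by_domain.items()]


def summarize(assessments):
    """Counts per status plus the share of domains in a weak bucket."""
    counts = Counter(a.status for a in assessments)
    total = len(assessments)
    weak = sum(counts[s] for s in WEAK_STATUSES)
    return {"total": total, "weak": weak,
            "weak_percent": round(100 * weak / total, 1) if total else 0.0,
            "counts": dict(counts)}


# Constructed TXT records for fictitious domains (RFC 2606 .example names).
SAMPLE_TXT_RECORDS = {
    "hospital-a.example": ["google-site-verification=abc123",
                           "v=spf1 include:spf.protection.outlook.com -all"],
    "clinic-b.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "lab-c.example": ["MS=ms12345678"],                       # TXT present, no SPF
    "practice-d.example": ["v=spf1 ip4:203.0.113.0/24 +all"],
    "group-e.example": ["v=spf1 include:_spf.google.com"],   # forgot the "all"
    "network-f.example": ["v=spf1 -all", "v=spf1 include:mail.example.net -all"],
    "portal-g.example": ["v=spf1 redirect=_spf.hospital-a.example"],
}

if __name__ == "__main__":
    results = assess_all(SAMPLE_TXT_RECORDS)
    for a in results:
        print(f"{a.domain:<22} {a.status:<11} {a.detail}")
    print(summarize(results))
```

To run it against real domains, replace `SAMPLE_TXT_RECORDS` with the TXT answers from your resolver; a "redirect" result means you must assess the target domain's record before counting the original as protected, and a "hard_fail" alone does not cover the DMARC side of the picture.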
Banking Trust and Technology Report (Integris)
Banks are preparing for sizable technology investments.
The banking security picture:
- 51% of banking executives report a sizable email-based breach in the past year.
- 50% report a mobile-related breach in the past year.
- 45% expect technology budgets to increase by 40% or more, with some projecting 50 to 80% growth.
Regional Spotlight
European Cyber Report 2026 (Link11)
DDoS attacks have become a near-constant threat, with organizations under attack most days of the year.
The relentless assault:
- The longest recorded DDoS attack lasted 12,388 minutes (over eight days).
- On average, 2.8 follow-up DDoS attacks occurred after an initial incident, an 80% increase compared to the previous year.
- The number of documented DDoS attacks in the Link11 network rose by 75% in 2025, after a 137% increase the previous year.