CyberSecStats #59 - 93% use AI agents for sensitive tasks, MySQL exposure, and when compliance cancels work
This week's CyberSecStats roundup: 30+ stats on AI agents accessing data beyond scope, ransomware recovery times, identity breaches, MySQL exposure, and the exception economy.
This Week’s Cybersecurity Eye-Openers
This week’s newsletter carries 30+ statistics. If you only have a minute to skim, here are three worth thinking about.
1. AI agents are already touching data they shouldn’t
67% of organizations using AI agents suspect those agents have already accessed data beyond their intended scope. Only 7% believe their controls would prevent a compromised agent from operating.
2. Most CISOs would consider paying the ransom
58% of cybersecurity leaders would consider paying cybercriminals to end a ransomware attack. Not a single CISO in the survey could recover from ransomware within a day.
3. Identity breaches hit most organizations
71% of organizations suffered at least one identity-related breach in the past year. Mean recovery cost reached $1.64 million, with a median of $750,000.
Big Picture Reports
Quarterly Threat Report, Q1 2026 (Beazley Security)
Q1 2026 saw double-digit growth in exploitation activity. Exploited vulnerabilities went up. Compromised credentials drove most ransomware intrusions.
Big jump in exploitation:
- Exploited vulnerabilities rose 43% in the first three months of 2026.
- Vulnerabilities added to CISA’s Known Exploited Vulnerabilities catalog increased 43% in Q1 2026 compared with Q4 2025.
- Compromised credentials accounted for 74% of ransomware intrusions observed by Beazley Security investigators in Q1 2026.
The Exception Economy Report (Replica Cyber)
Every organization grants security exceptions to keep the business moving. Some kill the project entirely when the security cost is too high.
Everyone makes exceptions:
- 100% of organizations grant security or compliance exceptions to allow high-risk digital work to proceed.
- 39% of organizations delay or cancel market expansion, product launches, M&A, or AI deployment because the work cannot be conducted securely.
- 20% of high-risk digital work is canceled outright due to exposure or compliance constraints.
2026 ASM Index (Intruder)
Databases and admin panels keep ending up on the public internet. Most of it by accident.
Databases exposed everywhere:
- 26% of organizations leave MySQL databases exposed to the internet.
- More than 1 in 7 organizations expose API documentation to the internet.
- 49% of organizations expose risky ports and services.
AI Security
2026 State of AI Agent Identity Security (Akeyless)
AI agents are running with more access than they should have, and most organizations cannot tell when one is compromised.
Already accessing unauthorized data:
- 67% of organizations using AI agents suspect those agents have already accessed data beyond their intended scope.
- It takes an average of 14 hours to detect a compromised AI agent.
- Only 7% of organizations believe their controls would prevent a compromised agent from operating.
Human Behavior, the AI Risk Surface GRC Can’t Ignore (Optro)
AI-enabled attacks are climbing. Most organizations cannot see, catalog, or block the AI tools their employees are using.
Can’t see it, can’t block it:
- 82% of IT, security, audit, and GRC professionals report an increase in AI-enabled attacks over the last 12 months.
- Only 34% of organizations maintain a formal AI model inventory.
- Only 18% of organizations automatically block unauthorized AI domains.
2026 Global AI Report, A Playbook for Private and Sovereign AI (NTT Data)
Most organizations call private and sovereign AI a priority. Few have moved past the slide deck.
Everyone says it matters, few are doing it:
- More than 95% of organizations say private and sovereign AI are important.
- Only 29% of organizations are prioritizing sovereign AI in a concrete, near-term way.
- More than half of organizations cite integration complexity as their top challenge.
The State of Identity Security in the AI Era (Semperis)
Organizations are handing AI agents the keys: password resets, VPN access, SSH and encryption keys on local machines. Very few are confident they could get the keys back.
Handing it over:
- 93% of organizations already use or plan to use AI agents for sensitive security tasks such as password resets and VPN access.
- Only 32% of organizations globally are very confident they could regain control if AI exposes admin credentials.
- 92% of organizations have AI installed on at least some local machines with access to SSH and encryption keys.
Ransomware
The Resilient CISO, the Ransomware Reality (Absolute Security)
Useful benchmark for ransomware readiness. The numbers also explain why so many leaders quietly say they would pay.
Nobody recovers in a day:
- 58% of cybersecurity leaders would consider paying cybercriminals to end a ransomware attack.
- 57% of CISOs report taking as long as six days to recover from a ransomware attack.
- No CISOs report the ability to recover from ransomware within a day.
Email Security
2026 Email Threats Report (Barracuda)
Email remains the dominant attack channel. Account takeover is no longer a rare event.
Email is still the front door:
- One in three email messages is malicious or unwanted spam.
- 48% of malicious email activity is phishing.
- 34% of companies experience at least one account takeover incident every month.
Identity Security
The State of Identity Security 2026 (Sophos)
Identity-related breaches now hit most organizations. They are also expensive to clean up.
Identity breaches are everywhere:
- 71% of organizations suffered at least one identity-related breach in the past year.
- 67% of ransomware victims confirmed their ransomware incident stemmed from an identity attack.
- Mean recovery cost for identity-related incidents reached $1.64 million, with a median of $750,000.
2026 Identity Security Landscape (Palo Alto Networks)
AI agents are now everywhere, and identity-related breaches are too. The correlation is not subtle.
Machine identities are the new perimeter:
- 99% of respondents say their organization already uses AI agents.
- 90% of organizations report a successful identity-related breach in the last 12 months, with 83% seeing it happen at least twice.
- Over the next 12 months, organizations expect AI agents to grow by 85% and machine identities by 77%, compared to 56% growth in human identities.
Consumer Scams
Scam Intelligence and Impacts Report 2026 (F-Secure)
Consumers are hit constantly. The share who lose money has doubled in a year.
Loss rates doubled:
- 56% of consumers encounter scam attempts at least monthly.
- 52% of scam victims lose money, more than twice the 2025 rate.
- Nearly 40 million U.S. consumers report being scam victims in the past year.
Fraud in America Has Diverged by Generation (Abrigo)
Younger Americans worry about deepfakes and peer-to-peer scams. Older Americans worry about impersonation. Both age groups are right.
Different generations, different threats:
- 1 in 5 Americans experienced bank fraud in the past 12 months.
- More than half of Americans under 35 are concerned about deepfake scams.
- Over 60% of Americans over 55 are concerned about impersonation scams.
Middle Market Security
US Middle Market Business Index Special Report, Cybersecurity 2026 (RSM)
Mid-market executives sound very confident, even though one in four was hit by ransomware this year. Cyber spending growth is also slowing.
Confidence high, governance lagging:
- 96% of middle-market executives express confidence in their cybersecurity posture.
- Nearly 1 in 4 middle-market organizations reported a ransomware attack or ransom demand in the past year.
- 81% of middle-market organizations plan to increase cybersecurity spending in the year ahead, down from 91% the previous year.
Industry-Specific
Operational Technology Faces Heightened Cyber Risk (NCC Group)
Hard data on what the industrial sector absorbed last year. Ransomware operators are not slowing down on capital goods and industrial targets.
Industrials under attack:
- Industrial organizations accounted for an average of 29.6% of all ransomware activity in the 12 months from March 2025.
- Industrial organizations experienced 2,073 ransomware attacks in that 12-month window.
- Capital goods organizations alone experienced 1,192 ransomware attacks in the same period.
2026 Financial Services Threat Landscape Report (CrowdStrike)
North Korean groups had a strong year stealing digital assets. Financial services saw a sharp rise in hands-on-keyboard intrusions over the past two years.
DPRK-nexus actors stole big:
- DPRK-nexus actors drove a 51% year-over-year increase in digital asset theft in 2025.
- 423 financial services organizations appeared on dedicated leak sites, a 27% year-over-year increase.
- Hands-on-keyboard intrusions against financial institutions spiked 43% globally and 48% in North America over the past two years.
Regional Spotlight
Cyber Security Sectoral Analysis 2026 (Department for Science, Innovation and Technology, UK)
The UK cyber sector keeps expanding: more firms, more revenue, more jobs.
UK sector growing:
- 2,603 firms are now active in UK cyber security, an increase of 438 firms (20%) from 2,165.
- Total annual revenue in the UK cyber security sector reached £14.7 billion, a nominal rise of about 11% on the previous year.
- Approximately 69,600 full-time equivalent employees work in cyber security roles across UK firms, an increase of about 2,300 jobs (3%) in the last 12 months.
