The mean time between the initial email wave of a help-desk scam and the phishing message was just 4 minutes, with another 4 minutes to establish command and control (C2).

The time between a vulnerability being discovered and its exploitation by attackers (time to exploitation) decreased by 62%, from 47 days in 2023 to just 18 days in 2024.

Phishing is on the rise globally, with 8.4 out of every 1,000 users (2.9 in 2023) clicking a phishing link per month, nearly triple last year’s average, with Microsoft 365 credentials being the top target.

Personal app use is rampant in the enterprise, with more than one out of every four users (26%) uploading, posting, or otherwise sending data to personal apps every month, with personal use of cloud storage, webmail, and genAI apps posing the most significant risks to organizations worldwide.

The most common type of data policy violation was for regulated data (60%), including personal, financial, or healthcare data being uploaded to personal apps.

Attack volumes increased quarter on quarter in 2024, with a 16% rise between Q1 and Q2 and a 20% escalation from Q2 to Q3.

Employees frequently send the wrong attachment (33%), misaddress emails to unintended recipients (32%), or misuse CC and BCC fields (20%). These mistakes are more likely to happen when employees are tight on time (54%), when they are stressed (40%), or when they feel overwhelmed by too many messages (40%).

Phishing attacks rose most significantly across the APAC region, with a 30.5% year-over-year increase in incidents.

Phishing attacks in Japan and Singapore spiked by 37%, while Australia and New Zealand experienced a 30% increase.

55% of employees in government say they frequently use IT policy workarounds to “get the job done” and save time or effort.

85% of employers in the UK admit to using online employee monitoring techniques.

46% of Brits say the prospect of their boss surveilling their online activity and communication causes them stress and anxiety.

38% of Brits are unaware that employers are legally allowed to monitor all employee communications for legitimate business purposes.

Only 11% of AI-powered APIs had robust security measures in place, leaving most endpoints vulnerable.

Modern APIs represent over 33% of exploited vulnerabilities in CISA KEV.

Malicious attacks, or “inbound” threats, are considered the biggest threat vector to email amongst IT leaders, with 47% stating that inbound threats are a bigger concern to them than outbound email security

Phishing continues to dominate as one of the most prevalent and sophisticated cyber threats, accounting for over 80% of reported security incidents in 2024

56% of IT leaders in Netherlands admit that employee mistakes in outbound emails result in more significant data loss than malicious inbound attacks.

62% of IT leaders in Belgium admit that employee mistakes in outbound emails result in more significant data loss than malicious inbound attacks.

68% of IT leaders in France agree that outbound email security doesn’t get as much attention beyond compliance, but it is the silent security killer