68% of respondents reported a rise in access-based attacks.

61% of organisations use five or more tools for data discovery, monitoring, or classification.

85% of organisations say at least 40% of their cloud data is sensitive.

Code vulnerability was the second most costly attack vector, with $235,783,844 stolen across 47 on-chain security incidents in Q2 2025.

Over half of cloud data is now classified as sensitive.

Only 66% of organisations have implemented multifactor authentication (MFA)

The average loss per on-chain security incident was $7,129,980 in H1 2025.

Phishing was the most costly attack vector, with $395,063,695 stolen across 52 on-chain security incidents in Q2 2025.

Losses on Ethereum amounted to $65,370,264 due to security incidents in Q2 2025.

Losses on Ethereum amounted to $1,634,891,832 in H1 2025.

A total of $801,315,669 was lost across 144 on-chain security incidents in Q2 2025. This represents an approximate 52.1% decrease in value lost compared to the previous quarter.

The median loss per on-chain security incident was $89,026 in H1 2025.

There were 59 fewer on-chain security incidents in Q2 2025 than the previous quarter.

80% of enterprise AI tools operate unmanaged.

ClickFix became the second most common attack method after phishing.

As a result of TPRM teams being understaffed, organisations are only managing about 40% of their vendor population.

Almost 40% of ransomware attacks in the US targeted the education sector

Nearly half (approximately 50%) of programmes cite departmental silos as a major barrier.

65% of TPRM programmes are exploring AI capabilities.

Fewer than 25% of TPRM programmes are "highly coordinated".