16% of 2025 security budgets are being reallocated to simulation exercises.

In 2024, downloads of malicious content from popular cloud apps occurred in 88% of organisations at least once per month.

73% of organisations block at least one GenAI app, with a steady rate of 2.4 GenAI apps blocked on average year over year.

Application security was the most significant vulnerability for 41% of federal contractors, with nearly half (46%) of the most impactful security issues originating from this area.

More than half (56%) of insurance companies had at least one compromised credential in the past two years.

Healthcare is the third-most-targeted industry by ransomware groups, behind manufacturing and professional services.

64% of CISOs said that lack of support led to a cyberattack.

67% of credential access techniques used in energy and utilities sector attacks were brute force.

66% of customer ransomware incidents in 2024 involved initial access likely purchased from an IAB.

The fastest time from initial access to data exfiltration was as little as 9 minutes.

73% of CISOs identified practical crisis simulations and incident response exercises involving both technical and non-technical teams as their top business priority for 2025.

The top phishing targets by links clicked are cloud services (27%), banking (17%), telecommunications (13%), social media (11%), and government (10%).

Only 24% of IT leaders believe their security spending is "very well aligned" with actual risks, while 53% think it is "quite well aligned," 20% feel it is "not particularly aligned," and 3% say it is "not at all aligned."

When asked about their primary email security focus for the next two to three years, 13% will focus more on inbound security solutions

When asked if they agree with the statement "My organization has blocked/is blocking access to one or several GenAI sites," 44% of organizations surveyed said they strongly agree, 42% said they agree, 6% said they neither agree nor disagree, 5% said they disagree, 2% said they strongly disagree.

The five most commonly exploited services in critical infrastructure sectors were File Transfer Protocol (FTP), Remote Desktop Protocol (RDP), Remote Procedure Call (RPC), Server Message Block (SMB), Internet Relay Chat (IRC).

43.6% of CISOs cited control mapping as a challenge in implementing new or updated compliance frameworks.

38.5% of CISOs said GRC tools are too expensive.

24% of IT leaders prioritize post-delivery protection for email security investment.

More than a third (36%) of employees across large organizations describe email security training as ineffective or a waste of time, and dissatisfaction increases to 54% among those who frequently make email mistakes