CyberSecStats #27 - Monthly statistics round-up (July/August 2025)
Hi there!
It’s the end of August, which means it's time for our monthly cybersecurity statistics roundup.
Over the past 30 days, we’ve added 700+ new statistics from 64 different cybersecurity reports to our internal database.
In this edition, we’ll highlight key insights from those reports, covering everything from the latest threat landscape to declining security budget growth rates to the state of quantum readiness.
We’ve organized the data into sections based on this month’s most common cybersecurity topics, complete with direct links to each source, a quick TL;DR for every section, and insights on emerging trends.
If you’ve recently signed up, welcome. I hope you find this report both useful and insightful.
Each month, over 500 security professionals read this roundup, and many have told us how valuable they find it, which is something we love to hear. Thank you for subscribing, and we hope you enjoy this edition.
Generally relevant data about the cybersecurity landscape
TL;DR: AI creates new attack vectors through unsecured employee usage, ransomware groups evolve sophisticated multi-pressure tactics, and organizations struggle with fundamental security basics like credential management and supply chain oversight.
Employee GenAI usage exposes organizations to significant risk
Generative AI dominates AI-related security breaches, accounting for 70% of all real-world AI security incidents. (Source)
The data exposure problem runs deeper than many organizations realize. When researchers examined submissions to 300 GenAI tools, they discovered that nearly a quarter of uploaded files contained sensitive information, along with over 4% of prompts revealing confidential data. (Source)
This risk is amplified by widespread employee behavior: more than two-thirds use free-tier AI tools through personal accounts, with 57% regularly inputting sensitive company data into these uncontrolled platforms. (Source)
This extends across all levels: 35% of C-suite executives said they have submitted proprietary company information so AI could complete a task for them. (Source)
Oh, and 49% of AI users at work keep their usage secret. (Source) Considering that one in five organizations reported a breach due to shadow AI, this is a problem - one that could probably be solved with an AI governance policy. 63% of breached organizations either don't have an AI governance policy or are still developing one. (Source) Though something to note: 37% of entry-level professionals admitted they wouldn't feel guilty for violating AI policy. (Source)
Your reminder not to trust AI when generating code
When given a choice between a secure and insecure method to write code, GenAI models chose the insecure option 45% of the time. (Source)
The riskiest language for AI code generation? Java. It has a security failure rate of over 70%. Other major languages, such as Python, C#, and JavaScript, presented significant risk, with failure rates between 38% and 45%. (Source)
Ransomware trends
In last month’s report, ransomware numbers were encouraging (based mostly on reports comparing 2025 to 2024). This month, that’s no longer the case (based mainly on comparisons of Q2 2025 with Q1 2025).
- Average ransom payment rocketed to $1.13 million in Q2 2025 (104% increase from Q1). (Source)
- Median payment reached $400,000 (100% increase from Q1). (Source)
- 69% of victimized companies paid ransoms. 38% paid multiple times, with 11% paying three or more times. (Source)
Would a ransom ban help? Unlikely. If a ransom payment ban were extended to the private sector (and not just the public sector, as currently planned), only 10% of UK business leaders said they would comply if they were attacked. (Source)
The number of ransomware groups has also grown. 41 new ransomware groups emerged in the past year, with 60+ active groups recorded for the first time. The top ten ransomware groups now account for only 50% of attacks, which is down from 69% previously. (Source)
Quadruple extortion is the new tactic
Moving beyond simple data encryption and theft, criminal organizations pioneered "quadruple extortion" tactics that create multiple pressure points on victims.
This approach builds on traditional double extortion by adding DDoS attacks to disrupt operations, harassment of third parties (customers, partners, and media), and regulatory blackmail threats (with 47% of companies across 10 countries threatened). (Source)
New development: In 40% of ransomware attacks, threat actors threatened to physically harm executives at organizations that declined to pay a ransom demand. (Source)
Identity and access: The weak link
Since the beginning of 2025, organizations have witnessed an almost incomprehensible surge in credential theft:
- An 800% increase in credential theft via info-stealing malware since the beginning of 2025. (Source)
- 1.8 billion credentials stolen in H1 2025 alone. (Source)
- Among organizations that experienced attacks, 38% of breaches stemmed from compromised employee credentials. (Source)
Authentication controls lag behind
Despite the clear evidence of credential-based attacks, organizations continue to struggle with implementing comprehensive authentication controls:
- Only 60% of organizations enforce MFA for all users.
- Just 40% conduct regular user access reviews.
- Only 27% enforce least privilege access models. (Source)
Worryingly, 40% of workers admit to using login credentials from previous jobs, and 15% actively use old work credentials. (Source)
There’s a disconnect between organizational confidence and actual security posture when it comes to identity management. 74% of organizations in one survey rated their identity posture as "Established" or "Advanced." Yet "Advanced" organizations follow only 4.7 out of 12 best practices.
Also: Less than 30% allocate 20%+ of their cybersecurity budget to identity security. (Source)
Breach costs
The global average breach cost fell to $4.44 million (the first decline in five years), and response times improved to 241 days.
However, this progress varies significantly by sector, with healthcare breaches still averaging $7.42 million and taking 279 days to resolve.
The economic impact of a breach extends beyond immediate costs, with nearly half of organizations planning to raise prices due to breach expenses, and one-third implementing increases of 15% or more. (Source)
Supply chain breaches become the norm
The share of breaches attributed to third parties doubled from the previous year.
There’s a fundamental flaw in how organizations approach vendor relationships. While nearly every organization (99%) conducts initial vendor risk assessments, this due diligence creates a false sense of security that dissolves over time.
The reality is that only one-third maintain ongoing monitoring of their third-party relationships, creating a dangerous blindness to evolving risks within their trusted vendor ecosystem. (Source)
Software vulnerabilities
The software supply chain presents particularly acute challenges, with attackers consistently outpacing traditional vulnerability management processes.
Criminal groups have developed sophisticated intelligence operations that identify and exploit vulnerabilities before organizations even know they exist:
- 246% increase in vulnerability disclosures since the start of 2025. (Source)
- 179% increase in publicly available exploits. (Source)
80% of edge device attacks precede CVE disclosure (up to 6 weeks early). (Source)
32.1% of Known Exploited Vulnerabilities (KEVs) had exploitation evidence on or before the day of their CVE disclosure, often indicating zero-day exploitation. This is an 8.5 percentage point increase in the share of KEVs exploited on or before disclosure, up from 23.6% in 2024. (Source)
The top five categories for KEVs in H1 2025 are:
- Content Management Systems (CMS): 86 KEVs, with a significant volume attributed to WordPress Plug-ins.
- Network Edge Devices: 77 KEVs.
- Server Software: 61 KEVs.
- Open Source Software: 55 KEVs.
- Operating Systems: 38 KEVs. (Source)
API security
APIs have also become prime targets for attackers seeking to exploit the gaps between systems:
- 20.8% of analyzed APIs are vulnerable. (Source)
- Only 37% have dedicated API security solutions. (Source)
- 400% spike in critical API vulnerabilities for tech/SaaS providers’ environments. (Source)
Social engineering
78% of security leaders now identify social engineering and phishing as their organization's top threat, and with good reason: 39% of initial access incidents used social engineering in H1 2025. (Source)
Things to watch out for:
- Malicious CAPTCHAs. There was a 1,450% jump in fake CAPTCHA social engineering attacks. (Source)
- Non-Business Email Compromise (BEC). BEC incidents rose by 214% between January 1st and May 31st, 2025. (Source)
- Voice phishing (vishing). On track to double last year’s volume by the end of 2025. (Source)
Quantum and Future-Proofing Challenges
TL;DR: Organizations are unprepared for both future quantum threats to encryption and current certificate management challenges.
Preparedness gap in quantum risk readiness
Despite widespread awareness of quantum computing's potential to break current encryption standards, organizational preparation remains inadequate across all sectors.
Nearly half of all organizations (48%) acknowledge they are not prepared for quantum computing challenges, with mid-sized organizations facing even greater vulnerabilities at 56% unpreparedness.
While 42% claim to be actively addressing quantum risk (Source), only 14% of organizations have conducted comprehensive assessments to identify quantum-vulnerable systems within their infrastructure (Source), meaning the vast majority are operating with incomplete knowledge of their exposure.
On a positive note, 90% have allocated budgets for post-quantum cryptography preparedness. (Source)
Certificate management crisis
The challenge extends beyond quantum preparation to immediate operational realities, particularly in certificate management, where organizations face imminent disruption.
The industry's move toward 47-day SSL/TLS certificate lifecycles has created widespread anxiety, with 96% of organizations expressing concern about this compressed renewal timeline.
This concern is well-founded given current operational capabilities:
- Only 19% feel adequately prepared for shorter renewal cycles.
- A mere 5% have achieved full automation of certificate management processes. The remaining 95% continue to at least partially rely on manual processes that will become increasingly unsustainable as renewal frequencies accelerate.
Perhaps most troubling, only 28% maintain complete inventories of their certificates, meaning the majority lack basic visibility into the assets they need to manage more frequently. (Source)
Investment and Market Dynamics
TL;DR: Security budgets are stagnating at their lowest growth rate in five years while staffing challenges intensify, with organizations underinvesting in critical application security and security services providers struggling to differentiate in an oversaturated compliance market despite widespread demand.
Budget trends
The average security budget growth dropped to just 4%, the lowest in five years (down from 8%).
Over half of CISOs now report flat or shrinking budgets, and only 10.9% of IT spend goes to security (down from 11.9%).
The result? Staffing challenges have intensified dramatically. Only 11% of CISOs report adequate staffing, and cybersecurity staffing growth has slowed to 7%, a four-year low that leaves teams increasingly stretched across expanding attack surfaces. (Source)
Application security spending modest despite growing risk
Nearly 90% of organizations allocate 11-20% of their security budgets to application security, while only 1% invest more than 20% of total security spending in this area.
The market response to this capability gap is evident in outsourcing trends, with 83% of organizations considering the external provision of application security functions. (Source)
Compliance boom meets differentiation crisis in the services market
The security services industry has experienced a massive shift toward compliance offerings, with 87% of providers now including these services in their portfolios.
This trend reflects growing regulatory complexity and the appeal of recurring revenue models. Managed compliance providers are seeing particular success, with 44% reporting that at least a quarter of their compliance revenue is recurring, compared to just 28% for traditional consulting-first security services firms.
However, 90% of security services providers say they face challenges differentiating themselves and standing out in a crowded market, and one in three struggles to consistently show value and ROI. Only one in four met their recurring revenue targets in 2024. (Source)
Industry-Specific Risk Profiles
TL;DR: Healthcare faces massive exposure with over a million connected medical devices and the longest breach response times, financial services endure 300 times more attacks than other sectors, manufacturing grapples with IT-OT convergence risks worth hundreds of billions, and the legal sector has lost confidence as phishing overtakes ransomware as their primary threat.
Healthcare
The healthcare sector presents a particularly vulnerable target, with over 1.2 million internet-connected medical devices exposed globally, 174,000 of which are located within the United States. (Source)
This massive attack surface has made healthcare organizations prime targets for cybercriminals, with 67% experiencing ransomware attacks. (Source)
Breaches across the healthcare sector take the longest to identify and contain at 279 days, which is more than 5 weeks longer than the global average of 241 days. (Source)
Perhaps most concerning, 98% of small healthcare organizations falsely believe they maintain HIPAA compliance, creating a dangerous gap between perceived and actual security posture that leaves patient data systematically vulnerable. (Source)
Financial services
Financial institutions experience up to 300 times more cyberattacks annually than organizations in other industries. This relentless targeting has intensified recently, with intrusion events increasing 25% year-over-year and targeted intrusions surging by 109%. (Source)
Compounding these external threats, 60% of finance workers admit to violating organizational AI usage rules, creating internal vulnerabilities for attackers to potentially exploit. (Source)
Manufacturing
Currently, 61% of manufacturers plan to adopt AI and machine learning for security within the next 12 months, while 30% rank cybersecurity as their second-highest external risk after inflation.
The convergence of IT and operational technology (OT) systems is seen by 48% of manufacturers as a crucial security priority. (Source) This concern is well-founded, with potential global financial risk from OT cyber incidents estimated at up to $329.5 billion. (Source)
Legal sector
50% of legal firms now cite phishing as their top security concern, a new category that has surpassed traditional ransomware fears.
Security confidence within the legal sector has declined significantly, with only 38% considering themselves "very secure" (down from 50% in 2023).
This erosion of confidence appears justified, as 23% now acknowledge known security gaps (up from 14%), while only 18% apply multi-factor authentication to production storage systems. (Source)
Want to feature your company’s report in CyberSecStats?
Contact us at laura@contentvisit.com.