Despite investments in training and AI-enabled defenses, The State of Human Risk 2025 report reveals email and collaboration security risks persist while GenAI opens new doors for bad actors

LEXINGTON, Mass., March 11, 2025 (GLOBE NEWSWIRE) -- Mimecast, a global cybersecurity leader transforming the way businesses manage and mitigate human risk, today published its ninth annual State of Human Risk report. Based on the findings of an in-depth global survey of 1,100 IT security and IT decision-makers, the report provides key insights into the human risk landscape and offers recommendations for organizations to improve their cybersecurity posture and optimize budgets.

While 96% of respondents say that the adoption of a formal cybersecurity strategy has improved their organization’s risk level, the report indicates that security leaders are still grappling with an increasingly complex threat landscape. Key findings from The State of Human Risk 2025 include:

AI is emerging as both a serious threat and a valuable opportunity. While 95% say that their organization is using AI to help defend against cybersecurity attacks and/or insider threats, 81% express concerns about the potential for sensitive data leaks via GenAI tools. More than half say they are not fully prepared with specific strategies for AI-driven threats (55%).

As the Head of IT at a retail company noted, when discussing the need for AI during the survey, “You can’t stand there trying to put your finger in the hole of a dam. You’ve got to embrace it.”

An IT Director at a utilities company also underscored the importance of embracing AI: “I think [it] will evolve quickly, and we’ll have to embrace it quickly as well. You've got to always keep one step ahead of the game, [and] we're looking to vendors to help us with that.”

Threats from inside the organization carry costly ramifications. While mitigating external risk is still a significant requirement for security leaders, they must be just as vigilant when it comes to insider risk, both intentional and unintentional. 43% of respondents have seen an increase in internal threats and 66% are concerned that data loss from insiders will increase at their organization in the next year. The State of Human Risk report also found that the average insider-driven data exposure, loss, leak or theft event costs an organization $13.9 million.

Cybersecurity budgets are growing, but not enough to meet demand. While 85% of respondents said their organization’s cybersecurity budget has increased in the last 12 months, it’s clear that budget allocation is still an issue. According to Verizon’s 2024 Data Breach Investigations Report, 68% of breaches involved a non-malicious human element, an indicator that organizations are not taking a human-centric approach to managing cyber risk. According to the respondents of The State of Human Risk, additional budget is required for cybersecurity staff and third-party services (57%), collaboration tool security (52%) and email security (47%).

Organizations fear human error despite regular training. While 87% of surveyed security decision-makers say their organization trains its employees to spot cyberattacks at least once a quarter, one-third of respondents fear mistakes and human error in handling email threats by employees, and 27% fear employee fatigue causes lapses in vigilance.

As one respondent, an insurance industry CIO, put it, “Accidental breaches occur when employees inadvertently compromise sensitive systems through misaddressed emails or failure to follow data disposal protocols. These errors, while unintentional, carry serious consequences.”

Collaboration tools continue to expand the attack surface. Collaboration tools are still a growing attack surface, with 44% reporting an increase in threats over the last 12 months. Most (61%) say that it is inevitable or likely that their organization will suffer a negative business impact from an attack linked to a collaboration tool in 2025, and nearly all (95%) expect to continue seeing email security challenges.

“With 80% of all security incidents caused by 8% of users, implementing a comprehensive human risk management approach has become a top priority for security professionals in 2025,” said Masha Sedova, VP, Human Risk Strategist at Mimecast. “Despite the complexity of challenges facing organizations – including increased insider risk, larger attack surfaces created by collaboration tools and sophisticated AI attacks – organizations are still too eager to simply throw point solutions at the problem. With short-staffed IT and security teams and an unrelenting threat landscape, organizations must shift to a human-centric platform approach that connects the dots between employees and technology to keep the business secure.”

