The State of Human Risk
As concern over human risk continues to grow, Mimecast’s State of Human Risk Report sheds light on how organizations can manage that risk
Key Points
- Human Risk Surpasses Technology Gaps: The report highlights that human risk is now the biggest cybersecurity challenge for organizations, overtaking technology vulnerabilities. Most security incidents are attributed to human errors, such as insider threats and credential misuse, leading to significant data breaches.
- Increased Threats from Collaboration Tools: There is a growing concern regarding security risks associated with collaboration tools. A significant portion of organizations reported an increase in attacks targeting these tools, with a noteworthy 61% believing that negative business impacts from such attacks are likely or inevitable in 2025.
- AI's Dual Role in Cybersecurity: While 95% of organizations utilize AI to bolster their cybersecurity efforts, there is a palpable concern regarding its misuse. Many respondents worry about sensitive data leaks and admit they are not fully prepared to handle AI-driven threats, indicating a pressing need for strategic advancements in AI security measures.
The continued need to address human risk inside today’s organizations is the overwhelming top priority for cybersecurity teams in 2025. It is also the main theme of Mimecast’s recently released ninth annual report on the state of the industry, this year aptly titled The State of Human Risk 2025.
Each year, Mimecast conducts a survey of CISOs and other cybersecurity professionals to gain an understanding of the problems they are facing and the issues that are their priority for the coming year. For 2025’s report, we surveyed 1,100 IT security and IT decision makers from the United States, United Kingdom, France, Germany, South Africa, and Australia. A range of private and public sectors were covered, including healthcare, retail, finance, manufacturing, and utilities.
Human Risk Remains the Biggest Concern
This year’s findings confirm that human risk has surpassed technology gaps as the biggest cybersecurity challenge for organizations around the globe. Our research found that although organizations have spent billions to strengthen their technology stacks, breaches continue unabated, mostly due to human error. In fact, insider threats, credential misuse, and human missteps now account for most security incidents.
In the movies, hackers sit at their laptops and, within a few keystrokes, boldly say, “I’m in.” In reality, they are spending more time planning their attacks and factoring in their best option for getting into systems: humans. They are leveraging AI-powered phishing, exploiting collaboration tools, and bypassing traditional authentication methods. The end result is costlier, bolder, larger data breaches that are not only harder to detect but, once detected, harder to contain.
The dangers of human risk are not necessarily new to security professionals. What has not been seen before is the rate at which human error is being exploited, the rate at which AI is being used to speed up detection and exploitation of potential threats as well as to craft phishing emails and other attack methods, and the rate at which the volume of attacks is growing. This is leading to an increased need for organizations to focus on human risk management by turning to a human risk management platform that combines leading-edge technology with effective human-risk-centric security awareness and training.
In the past, security professionals were able to set up a defensive perimeter and concentrate their efforts on external attacks, but based on this year’s survey results, there is also growing concern about threats from within. Yes, outside forces are working to compromise organizations, but now, with AI being used to trick users into clicking on bad links, downloading malicious documents, and handing over their credentials, the threats from within have never been greater.
Some Key Findings
Each year, we uncover some very insightful key findings through our survey. This year was no exception. The main theme we discovered is that not only is human risk the hot topic for 2025, but there is also a high level of risk of serious security mistakes across all activities – and this is increasing.
Other key findings include:
- 94% of surveyed organizations feel they face obstacles in ensuring employees adhere to compliance standards and consistently follow security protocols.
- Collaboration tools are still a growing attack surface, with 37% reporting an increase in 2024 and 44% reporting an increase in 2025.
- 96% of organizations say that the adoption of a formal cybersecurity strategy has improved their cybersecurity risk level, but 95% still expect to see email security challenges in 2025.
- 61% say that it is inevitable or likely that their organization will suffer a negative business impact from an attack linked to a collaboration tool in 2025.
In addition, when it comes to cybersecurity budgets, we uncovered that most organizations (85%) say their cybersecurity budget has increased in the last 12 months, but only 3% say no additional budget is needed across any cybersecurity areas. Over half of the organizations surveyed say additional budget is required for cybersecurity staffing (57%), third-party services (57%), and collaboration tool security (52%). Also, 47% say additional budget is still needed for email security.
When it comes to artificial intelligence, 95% of survey respondents say their organization is using AI to help defend against cybersecurity attacks and/or insider threats, but 81% are concerned about the potential for sensitive data leaks via GenAI tools, and 55% are NOT fully prepared with specific strategies for AI-driven threats.
Read the Full Report
In this year’s report, we provide key insights into:
- The arrival of the age of human risk management and what this means for securing organizations.
- The current state of market adoption of human risk management, including a look at why HRM platforms are so essential to securing today’s enterprise.
- Security budgets and how they are impacting security teams’ ability to effectively secure their environments, including what CISOs can do to mitigate budget impacts.
- Email and collaboration security and sophisticated business email compromise attacks.
- How data loss and insider risk can impact organizations and what they can do to limit their exposure.
- How both the good guys and the bad guys are using AI in their respective sides of the cybersecurity fight.
- The evolution of security awareness training into something more impactful for organizations, human risk management and the need for a human risk management platform.
- The key takeaways from this very important annual research and recommendations for the next steps in securing organizations.
Download the full report to learn more.