LevelBlue

67% of retail executives who reported high-profile breaches indicated that cybersecurity has become a higher priority on the C-suite agenda in 2025.

60% of retail executives indicated that their cybersecurity team is integrated with lines of business.

Only 25% of retailers reported being prepared for AI-powered threats, despite 45% expecting such threats to occur.

47% of retail executives reported having very low to moderate visibility into their software supply chain.

34% of retailers stated that their organization has suffered a breach in the past 12 months.

44% of retailers reported experiencing a significantly higher volume of attacks in 2025.

66% of retailers plan to invest significantly in application security to prepare for evolving threats.

65% of retailers intend to invest significantly in cyber-resilience processes across their business.

63% of retailers plan to invest significantly in generative AI for social engineering attacks.

63% of retailers aim to invest significantly in machine learning for pattern matching to enhance cybersecurity.

Globally, Europe is the most prepared region for AI-driven attacks with 66% saying they are prepared.

56% of organizations noted preparedness for business email compromise.

38% of organizations admit to being underprepared for AI-driven social engineering threats such as automated attacks, deepfake-based videos, and voice scams.

Just 32% of organizations have enlisted training and awareness experts to help educate their workforce on social engineering attacks over the past 12 months.

44% of organizations believe an AI-powered attack is likely to occur within the next 12 months.

Only 29% of organizations are prepared for an AI-powered attack.

Just 20% of organizations describe themselves as highly effective in defending against cyber adversaries using AI techniques.

44% of organizations are prepared for insider threats or account takeover.

57% of organizations are prepared for personal information exfiltration.

43% of organizations are prepared for smishing.

41% of organizations are prepared for quishing.

51% of organizations are prepared for phishing.

32% of organizations reported being prepared for deepfake and synthetic identity attacks.

Only 20% of organizations feel confident they are implementing a strategy to educate their workforce.

Only 13% of organizations are investing significantly in Zero Trust Architecture (ZTA).

41% of organizations report a significantly higher volume of cyberattacks compared to 12 months ago.

59% of organizations report an increasing difficulty for employees to discern real from not real.

Organizations are most likely to make significant investments in cyber resilience processes across the business (33%).

Organizations are likely to make significant investments in generative AI to defend against social engineering attacks (31%).

Approximately one-quarter (24%) of organizations say they are highly effective at implementing and using AI to enhance cybersecurity.

Fake CAPTCHA social engineering attacks, particularly ClickFix campaigns, jumped 1,450% from the second half of 2024 to the first half of 2025.

The average breakout time for attackers (how quickly they move laterally after initial access) is under 60 minutes, and in some cases, less than 15 minutes.

Social engineering attacks accounted for 39% of initial access incidents observed during the first half of 2025.

Non-Business Email Compromise (BEC) incidents rose by 214%.

The number of cybersecurity incidents observed between January 1 and May 31 2025 nearly tripled.

In Latin America, 50% say they are prepared for software supply chain attacks.

80% of organizations with low visibility of their software supply chain view critical factors like custom code, commercial off-the-shelf software, and API integrations as "very risky" or "somewhat risky".

About half (49%) of companies say they lack the visibility to fully understand – or even identify – software supply chain risks.

40% of CEOs believe that the biggest security risk the organization faces today is from the software supply chain, compared with 29% of CIOs and 27% of CTOs.

Despite high investment in enhanced software supply chain security, Europe ranks lowest at 23% in prioritizing engaging with software suppliers about security credentials

39% of CEOs say AI adoption presents a greater risk to the software supply chain.

57% of North American organizations say they are prepared for software supply chain attacks.

67% of European organizations are investing in enhanced software supply chain security, which is the highest of all regions.

In North America, the top three risks for organizations are third-party software distribution channels (49%), third-party risk management (48%), and unsupported software (48%).

80% of organizations that report very low visibility across the software supply chain have suffered a security breach in the past 12 months.

Only 25% of organizations plan to prioritize engaging with software suppliers about security credentials in the next 12 months.

Only 23% of organizations are confident that they have very high visibility of their software supply chain.

The 6% of organizations with "very high visibility" of their software supply chain are a stark contrast to the 80% with "very low visibility" who suffered a breach.

A total of 68% of organizations report that media attention has elevated cybersecurity on the C-suite agenda.

In Europe, 51% of organizations say they are prepared for software supply chain attacks.