Thales

49 STATS, 3 REPORTS

All Statistics

Nearly two-thirds (64%) of respondents ranked cloud security among their top five security priorities.

Cloud, Security priorities

17% of respondents identified cloud security as their number one priority.

Cloud, Security priorities

55% of respondents report cloud environments are more complex to secure than on-premises infrastructure. This represents a 4-percentage-point increase from last year.

Cloud

57% of organisations use five or more encryption key managers.

Cloud, Tools, Encryption

Enterprises now use an average of 85 SaaS applications, contributing to security tool sprawl.

Cloud, SaaS, Enterprise, Tools, Tool sprawl

Four of the top five most targeted assets in reported attacks are cloud-based.

Cloud

Over half (52%) of respondents are prioritising AI security investments over other security needs.

Cloud, AI, Investment

68% of respondents reported a rise in access-based attacks.

Cloud

61% of organisations use five or more tools for data discovery, monitoring, or classification.

Cloud, Tools

85% of organisations say at least 40% of their cloud data is sensitive.

Cloud, Cloud data, Sensitive data

Over half of cloud data is now classified as sensitive.

Cloud, Cloud data, Sensitive data

Only 66% of organisations have implemented multifactor authentication (MFA).

Cloud, MFA

The average number of public cloud providers per organisation has risen to 2.1.

Cloud

Of those prioritizing AI security, nearly half are turning to new or emerging startups.

AI, Security tools

Malware remains the top attack type, holding this position since 2021.

Malware

Of those prioritizing AI security, over two-thirds have acquired tools from their cloud providers.

AI, Security tools

Half (50%) of organizations are assessing their encryption strategies in response to quantum risks.

Quantum computing

Security for generative AI has quickly risen as a top spending priority, securing the second spot in ranked-choice voting, just behind cloud security.

AI, Gen AI, Budget, Investment

In 2021, 56% of surveyed enterprises reported experiencing a breach. That figure has dropped to 45% in 2025.

Breach

57% of organizations view lack of trustworthiness as a major concern regarding AI adoption.

AI

Only one-third of organizations are placing their trust in telecom or cloud providers to manage the transition to PQC.

Quantum computing

A third of respondents indicate that GenAI is either being integrated or is actively transforming their operations.

AI, Gen AI

61% identified key distribution vulnerabilities as a major quantum-related threat.

Quantum computing

73% of respondents report investing in AI-specific security tools, using either new budgets or reallocating existing resources.

AI, Security tools

Nearly 70% of organizations identify AI’s fast-moving ecosystem, particularly in generative AI, as the top GenAI-related security risk.

AI, Gen AI, Cyber risk

64% of organizations view lack of integrity as a major concern regarding AI adoption.

AI

Of those prioritizing AI security, three in five (60%) are leveraging established security vendors.

AI, Security tools

58% highlighted the “harvest now, decrypt later” (HNDL) threat as a major quantum-related threat.

Quantum computing

Nation-state actors are the second most concerning threat actors.

Threat group

60% identified future decryption of today’s data and future encryption compromise as major concerns among quantum computing security threats.

Quantum computing

Phishing has risen to second place among the most popular attack types.

Phishing

Human error, while still significant, has dropped to third place among the most concerning threat actors.

Human error

The top quantum-related threat, cited by 63% of respondents, is future encryption compromise (the risk that quantum computers could break current or future encryption).

Quantum computing

The percentage of respondents reporting a breach within the last 12 months has fallen from 23% in 2021 to just 14% in 2025.

Breach

Ransomware has dropped to third place among the most popular attack types.

Ransomware

When it comes to the most concerning threat actors, external sources dominate, with hacktivists holding the top spot.

Threat group

60% (three out of five) of organizations are actively prototyping or evaluating post-quantum cryptography (PQC) solutions or prototyping new ciphers.

Quantum computing

In the retail sector, bad bots made up 59% of traffic.

Bot, Automated traffic

Malicious bots now account for 37% of all internet traffic, a significant increase from 32% in 2023.

Malicious bots, Automated traffic

Financial services, healthcare, and e-commerce are the sectors most affected by sophisticated bot attacks targeting APIs.

API, Bot attack, Bot

Computing & IT accounted for 17% of all ATO incidents.

ATO

Telecoms and ISPs accounted for 18% of all ATO incidents.

ATO

In the travel sector, bad bots made up 41% of traffic in 2024. There was a decline in advanced bot attacks targeting the travel industry (41% in 2024, down from 61% in 2023) and a sharp increase in simple bot attacks (52% in 2024, up from 34% in 2023).

Bot, Automated traffic

The travel sector topped the list for bot attacks overall, accounting for 27% of all bot attacks in 2024, up from 21% in 2023.

Bot attack

44% of advanced bot traffic targeted APIs.

Bot, APIs

ByteSpider Bot was responsible for 54% of all AI-enabled attacks. Other significant contributors include AppleBot at 26%, ClaudeBot at 13%, and ChatGPT User Bot at 6%.

ByteSpider Bot, AI attack

The financial services sector was the most targeted industry for account takeover (ATO) attacks, accounting for 22% of all incidents.

ATO

In 2024, automated traffic surpassed human activity, accounting for 51% of all web traffic. This is the first time in a decade that automated traffic has exceeded human activity.

Automated traffic, Bot