90% of companies still unprepared
Security Boulevard reports that roughly 90% of organizations remain unprepared for current cyber threats despite rising security spend, a gap echoed by PKWARE’s roundup that highlights ransomware, AI‑enabled attacks and failed perimeter models. The research underscores a mismatch between investment and operational readiness—especially in patching, monitoring and incident response. (securityboulevard.com) (pkware.com)
A lot of companies are buying more security software and still leaving the front door open. Security Boulevard says about 90% of organizations are still unprepared for 2026-era threats, even after years of higher spending. (securityboulevard.com) The reason is simple: buying alarms is not the same as practicing a fire drill. PKWARE’s April 9, 2026 roundup says the pressure points this year are ransomware, artificial intelligence-assisted attacks, nation-state activity, and the collapse of old perimeter defenses. (pkware.com) Perimeter defense is the old idea that you can build one strong wall around the office network and keep attackers outside. That model breaks when employees use cloud apps, contractors log in remotely, and company data moves across laptops, phones, and software vendors all day. (pkware.com) That is why identity has become the softer target. IBM said in its 2025 X-Force Threat Intelligence Index that nearly half of the cyberattacks it observed led to stolen data or stolen credentials, and identity abuse was the preferred entry point. (newsroom.ibm.com) Artificial intelligence is making that identity problem cheaper to exploit at scale. PKWARE says attackers are using artificial intelligence tools to craft more convincing phishing messages and speed up reconnaissance, while defenders are using similar tools to monitor networks faster. (pkware.com) Ransomware also did not go away just because some headline numbers cooled. PKWARE says ransomware remains one of the leading 2026 threats, and IBM said attackers in 2024 shifted toward quieter credential theft and data theft even as enterprise ransomware incidents declined. (pkware.com) (newsroom.ibm.com) The ugliest gap is patching, which is the basic job of fixing known software flaws before someone uses them. Verizon’s 2025 Data Breach Investigations Report said vulnerability exploitation showed up in 20% of breaches, up 34% year over year, and only about 54% of edge-device vulnerabilities were fully remediated during the year. (verizon.com 1) (verizon.com 2) Monitoring is the next weak point. If attackers are stealing credentials and moving quietly, a company that only watches for loud malware can miss the break-in entirely, which is why IBM described a shift toward stealthier tactics and lower-profile credential theft. (newsroom.ibm.com) Incident response is the last missing piece, and it is the one companies usually discover they never rehearsed. The World Economic Forum’s Global Cybersecurity Outlook 2026 says artificial intelligence, geopolitical fragmentation, and widening cyber inequity are reshaping risk faster and more unevenly, which makes slow, ad hoc response plans even more brittle. (weforum.org) So the story inside that 90% number is not that companies ignored security. It is that many of them spent on tools while attackers kept targeting identities, unpatched internet-facing systems, and cloud-heavy environments that no single wall can protect anymore. (pkware.com) (verizon.com)
