Kaseya’s 2026 Cybersecurity Outlook Report shows that organizations worldwide are poorly prepared for cyberattacks. Human error, inadequate training, and limited AI adoption are the main vulnerabilities. Penetration testing is often not carried out because it is too expensive. How can we break this deadlock?
Human error remains the Achilles heel of cybersecurity. Kaseya’s report, based on a survey of more than 700 SMEs and 370 MSPs worldwide, shows that employees will be the most commonly used attack vector for the next 12 months. Poor user practices and inadequate training make organizations vulnerable.
Phishing remains dominant, which fits with employees who often click on dangerous hyperlinks. Fifty-six percent of organizations have been affected by phishing at some point, 49 percent of them in the past year alone. This is more than viruses and malware (32 percent) and business email compromise (27 percent).
The causes clearly lie with people and processes: 30 percent of incidents are due to poor user practices, 29 percent to lack of training, and 27 percent to limited cybersecurity expertise. We do wonder whether these issues sit on a single spectrum: at what point has misuse simply not been sufficiently trained away, and at what point is expertise sufficient to actually change practices?
Incident response plans are often lacking
Incident preparedness is a cause for concern regardless of how often attacks actually occur. Only 40 percent of the organizations surveyed have a formal incident response plan and test it regularly. While 27 percent do have a plan, they have never tested it. Experts consistently argue that this is effectively the same as having no plan, because the actual consequences of an incident are more unpredictable than a script can cover. Even more worrying: 24 percent have no formal plan at all and 10 percent do not know whether their organization has an IR plan.
This lack of preparation is risky, especially since 70 percent of organizations expect to be the victim of a phishing attack in the next 12 months. More than half anticipate a leak due to ransomware.
Penetration testing too expensive for many
Although 76 percent of organizations conduct annual penetration tests, nearly a quarter do so inconsistently or not at all. The biggest barrier is cost, cited by 47 percent of respondents.
For MSPs, however, pentesting appears to be profitable. Nearly 40 percent of MSPs report profit margins between 21 and 40 percent, especially when pentesting is part of bundled services. Strikingly, a third of MSPs do not offer the service at all, indicating an untapped market. Organizations mainly use penetration testing to validate controls (34 percent), estimate potential damage (20 percent), and prioritize investments (17 percent).
Although AI is growing in cybersecurity, trust remains an obstacle. 18 percent of companies do not yet use AI for security at all. Only 12 percent trust AI enough to act autonomously. For 81 percent, human supervision remains necessary. AI is currently used primarily for email security (49 percent), endpoint protection (34 percent), and threat detection (32 percent). For the future, organizations are primarily planning to expand into threat and vulnerability detection (32 percent) and automated response (30 percent).
The biggest concerns about AI are accuracy, including false positives and negatives (29 percent), data privacy (27 percent), and, yes, cost (19 percent).
Downtime and financial losses are increasing
The consequences of cyber incidents are severe. Approximately 40 percent of affected organizations report at least one day of downtime. Twenty-one percent avoided downtime, down from 27 percent in 2024. This is particularly concerning because downtime, rather than the mere existence of a breach, usually causes the most damage in an incident.
Financially, the losses are significant. Nearly 20 percent of companies lost $100,000 or more due to a security incident. The impact is also noticeable for MSPs, with 40 percent of MSPs reporting that customers experienced downtime due to a breach. 12 percent lost customers, mainly due to ransomware, account takeover, and BEC attacks.
Security budgets are growing steadily
Cybersecurity budgets are increasing, but growth remains modest. Most organizations spend between 10 and 50 percent of their IT budget on security. In the past year, 44 percent increased security spending.
For the next 12 months, 48 percent of respondents expect a budget increase, with 68 percent anticipating an increase of 5 to 25 percent. MSPs are anticipating this: 74 percent plan to expand their cybersecurity services.
The top investment priorities for the coming year are penetration testing (17 percent), cloud detection and response (17 percent), dark web monitoring (16 percent), and BCDR (15 percent). It is concerning that 14 percent are not planning any new security solutions at all.