May 19, 2026 · Last updated on June 16, 2026

What Human Risk Managers can learn from the latest Verizon DBIR 2026 report


The findings that should change how you work this year might not be the ones getting the most coverage

Maxime Cartier
The Verizon DBIR is probably the best cybersecurity report for understanding what cyber-attacks really look like today, as opposed to what is noise. This year the team dug into 31,000 real-world security incidents, of which more than 22,000 were confirmed data breaches, involving organizations in 145 countries (their biggest dataset ever).
Security awareness practitioners like us usually cite this report for one statistic, some version of "the human element is responsible for X% of breaches". That's a powerful stat, but there's more gold to find in the report. As Hoxhunt is an official contributor to the Verizon DBIR, I received an advance copy and spent my Monday reading its 121 pages.
There are findings that should impact how you plan your program, and how you talk about your work to leadership. Here's what I think matters most for security awareness practitioners, and how to actually use it.


The fundamentals are back. And culture is one of them.

The DBIR team gave this year's report an overarching theme: "keeping a strong foundation in the face of change". Or, as they put it more bluntly, refinement, not revolution. The threat landscape is moving fast (AI-augmented attacks, mobile-centric social engineering, help desk impersonation and so on), but the response is to double down on what works, not to throw out the playbook.
What jumped out at me is what made it into their list of fundamentals. Disciplined patch management, well-practiced response plans, sure. But then this: "a culture that supports and enables secure behavior."
That's the Verizon DBIR, not a vendor, putting security culture in the same sentence as patching and incident response. For anyone who's been making the case that culture is a foundational discipline rather than a soft "nice to have," that's a useful sentence to highlight the next time you're defending your budget.

The biggest finding this year isn't about humans (but that's still our problem)


Source: Verizon Data Breach Investigations Report 2026
Here's the headline finding from the 2026 DBIR that, on the surface, has nothing to do with us: exploitation of vulnerabilities is now the #1 initial access vector for breaches, at 31%, up from 20% last year.
Worse: only 26% of critical vulnerabilities in the CISA KEV catalog were fully remediated last year (down from 38% the year before), and the median time to fully patch one rose to 43 days!
So why am I including this in an article for security awareness practitioners? Because I've seen colleagues fail at communicating about their patching programs:
  • The "why" wasn't clear to the people doing the work, so it kept slipping behind feature delivery.
  • The communication from security to IT operations was technical, dense, and didn't help them prioritize.
  • Other times it didn't explain the how at all; it just said "Go patch, you figure out how".
  • And sometimes it was downright threatening: "If you don't patch your applications within 48 hours, we'll shut them down".

This is an area where we as security awareness practitioners can make a difference. Your IT operations team, your sysadmins, your developers, your patch management team: they're employees too. And the behaviors that drive patching outcomes are exactly the kind of thing we're trained to influence: motivation, clarity, friction, prioritization, communication, follow-through. When it comes to communication and behavior change, we can help our security and IT colleagues reach their goals, and significantly improve the company's risk posture by doing so. So talk to your vulnerability management lead. Offer to help. You might be surprised how welcome that conversation is.
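To turn the two DBIR patching metrics quoted above into something you can measure and communicate for your own estate, here is an added example in Python (it is not code from the DBIR or from Hoxhunt). It computes the share of CISA KEV entries that are fully remediated and the median days from KEV listing to the last affected asset being patched, and renders one plain-language status line for the IT operations channel. The KEV records and the remediation log are constructed: the field names follow the CISA KEV JSON feed (cveID, dateAdded, dueDate), but the CVE IDs and dates are fake, and the remediation-log format is an assumption about what your vulnerability management tooling exports.

```python
"""KEV patching metrics: share fully remediated and median days to patch.

Added example for this article, not code from Verizon or Hoxhunt.
The catalog and remediation log below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import Optional, Union

# Constructed KEV-style entries. Field names follow the CISA KEV JSON feed;
# the IDs and dates are fake and do not refer to real vulnerabilities.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2025-01-06", "dueDate": "2025-01-27"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2025-02-03", "dueDate": "2025-02-24"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2025-03-10", "dueDate": "2025-03-31"},
    {"cveID": "CVE-0000-0004", "dateAdded": "2025-04-14", "dueDate": "2025-05-05"},
    {"cveID": "CVE-0000-0005", "dateAdded": "2025-05-19", "dueDate": "2025-06-09"},
]

# Constructed internal remediation log (assumed export format): the date the
# LAST affected asset was patched. None means still open somewhere.
REMEDIATION_SAMPLE = {
    "CVE-0000-0001": "2025-01-20",  # 14 days after listing, before due date
    "CVE-0000-0002": "2025-04-01",  # 57 days, missed the due date
    "CVE-0000-0003": None,          # still open
    "CVE-0000-0004": "2025-06-23",  # 70 days
    "CVE-0000-0005": None,          # still open
}


@dataclass
class KevMetrics:
    total: int
    fully_remediated: int
    median_days_to_patch: Optional[float]  # over remediated entries only
    overdue_open: list = field(default_factory=list)  # open and past dueDate

    @property
    def remediated_share(self) -> float:
        return self.fully_remediated / self.total if self.total else 0.0


def kev_metrics(catalog, remediation, as_of: Union[str, date]) -> KevMetrics:
    """Share of KEV entries fully patched, median days from dateAdded to the
    last asset being patched, and open entries past CISA's due date, all as
    of a reporting date (ISO string or date)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    days, overdue, done = [], [], 0
    for entry in catalog:
        cve = entry["cveID"]
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        fixed = remediation.get(cve)
        fixed_on = date.fromisoformat(fixed) if fixed else None
        # A fix dated after the reporting date does not count yet, so the
        # numbers for a past reporting date stay reproducible.
        if fixed_on is None or fixed_on > as_of:
            if as_of > due:
                overdue.append(cve)
            continue
        done += 1
        days.append((fixed_on - added).days)
    return KevMetrics(
        total=len(catalog),
        fully_remediated=done,
        median_days_to_patch=median(days) if days else None,
        overdue_open=overdue,
    )


def summary_line(m: KevMetrics) -> str:
    """One plain-language sentence for the IT operations channel: what is
    done, how long it took, and what is past the deadline."""
    median_text = (
        f"median {m.median_days_to_patch:.0f} days to patch"
        if m.median_days_to_patch is not None
        else "no completed patches yet"
    )
    return (
        f"{m.fully_remediated} of {m.total} KEV vulnerabilities fully patched "
        f"({m.remediated_share:.0%}), {median_text}, "
        f"{len(m.overdue_open)} still open past the CISA due date"
    )


if __name__ == "__main__":
    metrics = kev_metrics(KEV_SAMPLE, REMEDIATION_SAMPLE, "2025-07-01")
    print(summary_line(metrics))
```

Two caveats worth keeping in mind when you report these numbers: the median is computed over remediated entries only, so on its own it says nothing about what is still open (which is why the overdue list is reported next to it), and "fully remediated" here means the last affected asset, not the first, which is the stricter reading and the one that matches how the DBIR phrases it.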

The "human element" is no longer just about phishing


Source: Verizon Data Breach Investigations Report 2026
62% of breaches involve the human element this year, up slightly from 60% last year. That's the headline. The exact figure (60, 62 or 67%) matters little; what matters is that it is the majority of all breaches. Security programs still tend to spend the overwhelming majority of their time and budget on technology, yet year after year the Verizon DBIR shows that investing in the human element is one of the best ways to reduce your overall risk.
Social engineering accounts for 16% of all breaches, and within that, email is still the top vector. But if there's one finding from the 2026 DBIR that should rearrange your roadmap, it's this: 41% of social engineering breaches now involve vectors other than email.
Attackers are reaching people through SMS, voice calls, Teams chat requests and, increasingly, mobile devices. In phishing simulations, the median click rate on email lures is 1.4%; the median click rate on non-email simulations (SMS, voice or Microsoft Teams messages) is around 2%, roughly 40% higher. And pretexting, where an attacker holds a back-and-forth conversation over email, chat or phone to manipulate someone, is on the rise as an initial access vector for ransomware.

Source: Verizon Data Breach Investigations Report 2026
The DBIR team made a comment I want to quote directly, because it's the most useful sentence in the report for our field:
"Training IT help desks and customer support agents to not be helpful and supportive in cases when a threat actor is trying to manipulate them is not as simple as 'check if the email is external, from a source you trust and if it uses proper language.'"
That's the DBIR validating something most practitioners I talk to already suspect: a single, generic, email-focused awareness program is no longer enough.
What this means for your program: map which roles in your organization are most likely to be targeted by pretexting attacks (help desks, customer support, finance, executive assistants) and design role-specific training and verification procedures for them. Run targeted, adaptive phishing simulations that are relevant to each individual in your organization rather than one-size-fits-none campaigns.
It's also worth checking whether your simulations still reflect modern attacker behavior: callback emails, external Teams chat requests, fake CAPTCHAs that ask users to paste a command into a terminal or the Run dialog (the "ClickFix" technique the DBIR covers in detail). These are out there, and some (most?) awareness programs haven't caught up yet. Hoxhunt and other vendors have invested heavily in SMS, Microsoft Teams and phone-call simulations over the past year, so that training keeps up with what really matters.
The DBIR makes the case for better, broader social engineering training programs clear.

Shadow AI is the new shadow IT, and it's growing fast

This one has accelerated dramatically in the past year. According to the 2026 DBIR, 45% of employees are now regular users of AI on corporate devices, up from 15% last year. More worrying: 67% of those users access AI through non-corporate accounts. Shadow AI is now the third most common non-malicious insider action in the DBIR's DLP dataset, a fourfold increase from last year.
This reinforces that training employees on safe AI use is a must in 2026. The behaviors worth influencing are practical: use sanctioned AI tools, don't paste confidential data into public LLMs, and know which types of information should never be shared with an external model.
One piece of advice: don't lead with a ban. Lead with making the right thing easy: sanctioned tools, clear guidance, and visibility. Bans rarely work; you'll just push behavior further into the shadows. You probably already know this from every other security topic you've worked on, but it bears repeating because the temptation to ban AI outright is strong.

Hey, there’s some good news too!

This 2026 report also contains genuinely good news:
  • Ransomware payments are declining. Ransomware was involved in 48% of breaches, but 69% of victims didn't pay (up from 65%), and the median ransom paid dropped to around $140,000.
  • AI is not (yet) breaking everything. Although 44% of AI-assisted attack techniques are used for phishing, phishing as a successful breach vector has not grown (yet); it has stayed stable.

How to actually use the report

For your program planning, use the report to validate or challenge what you're prioritizing. The 2026 data is essentially telling us to expand or focus on:
  • Role-specific pretexting training (for your service desk or HR, for example);
  • Non-email phishing simulations: via SMS, phone calls or Microsoft Teams;
  • Modern baiting lures such as ClickFix scenarios (instead of the classic credential-harvesting landing page after a simulated phishing click);
  • Shadow AI guidance.

For your budget and roadmap discussions, the report contains specific sentences worth quoting directly. The headline figure of 62% of all breaches involving a non-malicious human element, of course. The help desk training quote above is another, as is the roughly 40% higher click rate on non-email social engineering simulations. Bringing these to a budget conversation lets you tie your initiatives to an industry-respected source, rather than asking leadership to take your word for it.
That said, avoid using the DBIR as a scare slide. The report offers a very balanced view. This year it basically says "there are new things going on, but mostly you need to be strong on your fundamentals, such as vulnerability management, MFA and a secure culture". Leadership trusts practitioners more when they bring nuance rather than alarm, and when they need to make trade-offs, they'll remember the practitioner who showed them both sides.

Conclusion

The 2026 DBIR is full of data that, in the right hands, can move a program forward. The findings that should change how you work this year aren't necessarily the ones that get the most coverage. The 41% non-email social engineering stat, the help desk training quote, the Shadow AI explosion, the quiet "culture is a fundamental" message in the intro: those are the ones I'd be building my next quarter around.
If you had to pick one thing in your program to change because of this report, what would it be?

Source: Verizon Data Breach Investigations Report 2026 https://www.verizon.com/business/resources/reports/dbir/