Despite massive investments in sophisticated technical firewalls, the “human element” remains the weakest link in the digital defense chain. According to the newly released Threatcop People Security Report 2025, an overwhelming 95% of all cyber breaches are now linked to human error.

The report, released on December 19, 2025, highlights a sobering reality for modern enterprises: cyber attackers are leveraging Artificial Intelligence (AI) to craft phishing campaigns that are faster, more personalized, and more deceptive than ever before.

The Failure of Static Training

The study warns that traditional, “static” security awareness programs—often consisting of annual videos or infrequent seminars—show “negligible retention” against AI-generated attacks. These modern threats are designed to continuously adapt their tone and timing, making them nearly indistinguishable from legitimate corporate communications.

This shift in strategy has proven highly profitable for bad actors. The report notes that Business Email Compromise (BEC) alone resulted in a global loss of $3 billion in 2023, as attackers pivot away from software vulnerabilities to exploit human behavior and credential misuse.

The Shrinking ‘Golden Hour’

A critical concern raised by Chief Information Security Officers (CISOs) in the report is the “golden hour”—the narrow window between the initial compromise and the detection of a breach.

“AI-driven attacks enable threat actors to move faster during this window, while organizations struggle to recognise early behavioural indicators that signal breach activity,” the report states. In regulated sectors like finance, the pressure is even higher, with 95% of attacks on banks and insurers involving a human element.

A Call for AI-Led Defense

Threatcop suggests that the only way to counter AI-driven deception is to deploy AI within the enterprise itself. This includes moving toward adaptive testing and continuous feedback loops that simulate real-world attacks at scale.

Commenting on the findings, Pavan Kushwaha, CEO, Threatcop & Kratikal, said:

“AI has changed the economics of social engineering. Attackers can now test, refine and deploy deception at a scale that manual training methods were never designed for. Our findings show that organisations need to move from periodic awareness sessions to continuous, AI driven testing that reflects how real attacks unfold. Without that shift, the gap between compromise and detection will continue to widen.”

Looking Ahead to 2026

The report is currently being briefed to security leaders across India and international markets. As enterprises begin planning their 2026 budgets, the findings are expected to trigger a significant recalibration, shifting the focus from purely technical tools to “people-centric” security strategies.