Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

One of my first intentional “to-dos” this year has been spending time with the World Economic Forum’s Global Cybersecurity Outlook 2026, a report I was privileged to actively contribute to over the past year. For KnowBe4 customers, this report offers more than trend analysis. It provides a baseline of where organizations stand today, what separates resilient organizations from less resilient ones, and why the human factor is now central to cyber resilience.

With organizations collecting and storing massive amounts of personal data these days, much of which people share freely, we need to become better at protecting data on both the storing and sharing side of things. Organizations must have strong data protection measures in place and everyone should start being more digitally mindful when sharing their own personal data. Ultimately, being careful of what we put out there is the best way to reduce cyberattacks and data breaches.

Forty percent of employees have never received cybersecurity training, according to a new report from Yubico. That number rises to nearly sixty percent for employees working for small businesses. The report surveyed 18,000 employed adults from the US, the UK, Australia, India, Japan, France, Germany, Singapore, and Sweden. “Our research finds that 4 in 10 (40%) employees have never received training on cybersecurity in any form,” Yubico says.

Scammers are increasingly using visually stylized QR codes to deliver phishing links, Help Net Security reports. QR code phishing (quishing) is already more difficult to detect, since these codes deliver links without a visible URL. Attackers are now using QR codes with colors, shapes, and logos woven into the code’s pattern. “Fancy QR codes further complicate detection,” Help Net Security says. “Their layouts no longer resemble the familiar black and white grid.

KnowBe4 Threat Labs recently examined a sophisticated dual-vector campaign that demonstrates the real-world exploitation chain following credential compromise. This is not a traditional virus attack. Instead of deploying custom viruses, attackers are bypassing security perimeters by weaponizing the necessary IT tools that administrators trust. By stealing a “skeleton key” to the system, they turn legitimate Remote Monitoring and Management (RMM) software into a persistent backdoor.

For those of you who are like me, when I first heard about the new EU AI Act, I had flashbacks to the implementation of the General Data Protection Act (GDPR) back in 2018. There are certainly a lot of similarities with the EU leading the way in consumer protections that will likely lead to more, similar legislation across the globe. I’m also reminded of the iPhone when it was introduced in the consumer market and bled into the workplace (I for one held onto my Blackberry for as long as I could).

A widespread phishing campaign is targeting LinkedIn users by posting comments on users’ posts, BleepingComputer reports. Threat actors are using bots to post the comments, which impersonate LinkedIn itself and inform the user that their account has been restricted due to policy violations. The comments contain links to supposedly allow the user to appeal the restriction.

A survey by the World Economic Forum (WEF) found that 47% of organizations cite the advancement of adversarial capabilities as their top concern surrounding generative AI. These capabilities include phishing, malware development, and deepfakes, all of which are increasingly accessible due to AI tools. Additionally, 42% of organizations experienced a successful social engineering attack last year, and the researchers expect this number to rise as AI-assisted social engineering grows more advanced.

While organizations invest heavily in stopping threats from entering their networks, a critical vulnerability often goes underprotected: sensitive data leaving the organization through email. Every day, employees send thousands of emails containing confidential information - patient records, financial data, legal documents, and personally identifiable information (PII). And every day, some of those emails go to the wrong recipient.