81% of small firms hit by cyber incidents as AI fuels attacks

81% of small businesses experienced a cyber or data security incident over the past year, according to new research from the Identity Theft Resource Center.

The impact wasn’t abstract. 38% of affected firms raised prices to offset costs tied to breaches, downtime, and recovery.

The findings show a shift in who, or what, drives these incidents. External attackers now outrank malicious insiders as the most common root cause.

According to the report, AI-assisted social engineering explains much of that change, with more than 41% of victims pointing to it as a contributing factor.

Researchers link this pattern to the rapid spread of generative AI in cybercrime. The technology now supports phishing emails that read clean, deepfake audio and video that pass casual checks, and malware that adapts on the fly. What once required highly specialized skills no longer does.

The report argues that insiders traditionally held an edge because they understood internal workflows, tone, and hierarchy.

That familiarity let them bypass controls built on trust. AI gives external actors a way to copy that advantage, and do it repeatedly, across many targets, without deep organizational access.

As a result, familiar warning signs fade. Typos, awkward phrasing, and clumsy impersonation, once easy tells, often don’t show up anymore. According to Beinsure, users who rely on those cues risk missing modern attacks entirely.

Training, then, needs to shift. The ITRC says employee security programs should address AI-driven threats directly. Staff need to learn how to spot subtle visual artifacts in synthetic video, flattened emotional tone in cloned voices, or emails that feel oddly perfect.

The guidance pushes for skepticism as a default reaction, where employees feel comfortable pausing, questioning, and verifying unusual or urgent requests, Beinsure stated.

According to our data, this human layer keeps growing in importance as technical controls struggle to keep pace. AI-powered security awareness training already sits at the center of many corporate defenses, aimed at reducing exposure created by human decision-making.

Vendors like KnowBe4 report adoption across more than 70,000 organizations worldwide, as companies look for ways to counter social engineering that no longer looks sloppy or obvious.