Friday, December 12, 2025

GenAI risks and ransomware escalate ahead of 2026, says Check Point


AI-powered cyber attacks and ransomware top the cyber security challenges for 2026, warn cyber security firms.

In November 2025, global organisations faced an average of 2 003 cyber attacks per week, driven by ransomware expansion and GenAI-linked risks, representing a 3% increase from October and a 4% rise year-on-year.

This is according to cyber firm Check Point’s overview of activity, including its latest Global Threat Intelligence insights, which confirmed a 22% rise in ransomware. It also found that one in every 35 GenAI prompts posed a high risk of leakage, impacting 87% of organisations that use GenAI regularly.

Of the four African countries included in the report, Angola faced 4 251 attacks per organisation per week, followed by Nigeria at 3 374, Kenya at 2 384 and South Africa at 1 863 attacks per organisation per week.

Overall, attacks in Africa declined by 13% year-over-year (YOY). In terms of African industry sectors, government, financial services, and consumer goods and services were the most attacked in November.

With enterprise use of GenAI tools expanding rapidly, Check Point identified increasing exposure to sensitive data.

The research underscored how deeply AI has become embedded in daily workflows.

According to Check Point, an additional 22% of prompts contained potentially sensitive information, such as internal communications, customer data, proprietary code, or personal identifiers. While some usage occurs through managed tools, organisations still average 11 different GenAI tools per month, most of which are likely unsupervised and operating outside formal security governance.

Such misuse increases the likelihood of accidental data exposure, exposing organisations to a higher risk of malicious infiltration, ransomware and AI-powered cyber attacks, the cyber security firm added.

The education sector remained the most targeted globally, averaging 4 656 weekly attacks per organisation (+7% YOY). Government institutions followed with 2 716 weekly attacks (+2% YOY), while associations and non-profits saw a dramatic increase with 2 550 attacks per week, marking a 57% year-over-year surge.

According to Check Point research, ransomware remained one of the most damaging cyber threats, with 727 publicly reported incidents globally in November, marking a 22% YOY increase. North America accounted for 55% of all reported cases, followed by Europe at 18%. The United States alone represented 52% of global incidents, followed by the United Kingdom (4%) and Canada (3%).

By industry, industrial manufacturing (12%), business services (11%) and consumer goods and services (10%) were the most impacted sectors.

The leading ransomware groups in November were Qilin (15%), Clop (15%) and Akira (12%), collectively accounting for a substantial portion of victim disclosures.

Omer Dembinsky, data research manager at Check Point Research, said: “November’s data shows that along with the overall number of attacks continuing to rise, we see additional concern in the increasing sophistication behind these operations. The combination of ransomware growth and GenAI-related data exposure provides attackers with more tools and opportunities to execute damaging campaigns. The only effective approach is prevention-first, powered by real-time AI and proactive threat intelligence to block attacks before they cause harm.”

Cyber security firms flag AI-powered attacks

Cyber security firms share the common belief that AI will be used as part of a fresh wave of cyber attacks in the new year.

Mimecast Field CISO Beth Miller said for years, the cyber security industry has warned that threats are becoming ‘more sophisticated’, but in reality, attackers aren’t getting smarter, they’re simply leveraging new tech to exploit the same long-standing vulnerabilities that remain unpatched and overlooked. In 2026, those gaps will widen.

“AI-powered phishing will become nearly impossible to spot, driving 90% of breaches through hyper-personalisation. Employees are so overwhelmed they’re turning to unauthorised AI tools to keep up, inadvertently creating a whole new category of insider risk. And security analysts get buried deeper under a relentless flood of alerts, each one a potential threat, as they manually triage, investigate and close out false positives.”

Among the company’s predictions are that e-mail will account for 90% of cyber attacks, that shadow AI will supercharge insider threats, and that AI will take over triage (assessment and prioritisation of security alerts and incidents).

“As organisations cut headcount and raise productivity expectations, employees are stretched to breaking point. This is a breeding ground for mistakes. Layer on shadow AI, and the risk compounds. In search of shortcuts, employees are adopting unsanctioned AI tools, pasting proprietary data into consumer apps or even training personal models on company information they can take with them when they leave,” Miller added.

According to Mimecast, the attack surface is expanding faster than most teams can track. By mid-2026, organisations could see 10 times as many rogue AI agents as unauthorised cloud apps. Simultaneously, attackers are actively courting insiders and probing outsourced operations in lower-cost regions where controls may be weaker.

Cyber security company Integrity360 believes security leaders agree on one thing: cyber threats are accelerating faster than traditional defences can keep up with. It’s a technical shift and a business challenge that will impact financial performance and board-level risk from day one of the new year.

Richard Ford, group CTO of Integrity360, has identified the top five trends that will shape the security landscape in 2026:

  • Attackers are weaponising speed to outpace human defence.
  • Deepfakes are rendering standard phishing awareness obsolete.
  • The tiered SOC is being replaced by AI co-pilots.
  • Static assessments cannot track the expanding SaaS attack surface.
  • Regulation and quantum threats demand immediate architectural changes.

“Real-time exposure management will be critical. This includes monitoring SaaS configurations, and credential use. Static assessments will no longer be enough. Businesses must continuously assess what is exposed and how attractive those assets are to attackers. Access controls must be contextual, based on device health and behaviour. Frameworks like Zero Trust can help reduce standing privileges and prevent lateral movement. The perimeter is now a moving target; only dynamic, identity-aware models can keep pace,” said Ford.



Edited for Kayitsi.com

Author: Kayitsi.com
