In the rapidly advancing era of generative AI (GenAI), the traditional boundaries of cybersecurity are being redrawn. A new issue paper based on a 2026 global research study of 305 organizations reveals a stark reality: security and compliance have transcended their roles as "insurance policies" to become primary competitive differentiators. As organizations integrate complex AI-driven tools into their workplace collaboration and customer engagement platforms, the risk profile has shifted from manageable to volatile.
The paper begins by documenting a staggering 306.7% increase in attacks against collaboration platforms since 2021. This "seismic shift" in the threat landscape is no longer a theoretical concern but a daily operational hurdle. For the first time, data also quantifies the vulnerability of contact centers, with nearly 28% reporting incidents in the past year alone. Perhaps most concerning is the "operational drag" highlighted in the study: on average, it takes organizations over 26 hours to detect a breach and nearly 60 hours to resolve it. These windows of exposure provide ample time for data exfiltration, deepfake impersonations, and costly toll fraud.
While the statistics on attacks are sobering, the core of the report focuses on a distinct subset of organizations labeled the "Success Group." These are companies that have achieved above-average ROI and productivity gains by viewing security not as a gatekeeper to innovation, but as its foundation. The paper identifies five critical "imperatives" that separate these high performers from their peers. These range from the strategic integration of security leadership into the earliest phases of procurement to the adoption of centralized third-party platforms that manage security across multi-vendor environments like Microsoft Teams, Zoom, and Slack.
A significant portion of the paper is dedicated to the unique risks posed by GenAI, including prompt injection and poisoning attacks. The data suggests a widening gap between companies that have a formal GenAI security plan and those operating ad-hoc. Interestingly, the report highlights a specific policy adopted by the most successful firms: the "human in the loop" requirement. This mandate ensures that AI-generated output - whether code, customer communications, or internal summaries - is never published autonomously, thereby mitigating the risks of hallucinations and intellectual property leakage.
The paper concludes with a roadmap for IT and security leaders, emphasizing that "set it and forget it" security is a relic of the past. It advocates for a transition from a defensive posture to a proactive, strategic alignment between IT and compliance. However, the specific technical benchmarks for these audits, the detailed ROI correlations of third-party security overlays, and the full breakdown of common "shadow IT" vulnerabilities remain detailed within the full text. For leaders looking to secure their infrastructure without stifling the rapid deployment of high-value AI technologies, the full report offers the granular data and actionable recommendations necessary to turn security into a business enabler.
The paper begins by documenting a staggering 306.7% increase in attacks against collaboration platforms since 2021. This "seismic shift" in the threat landscape is no longer a theoretical concern but a daily operational hurdle. For the first time, data also quantifies the vulnerability of contact centers, with nearly 28% reporting incidents in the past year alone. Perhaps most concerning is the "operational drag" highlighted in the study: on average, it takes organizations over 26 hours to detect a breach and nearly 60 hours to resolve it. These windows of exposure provide ample time for data exfiltration, deepfake impersonations, and costly toll fraud.
While the statistics on attacks are sobering, the core of the report focuses on a distinct subset of organizations labeled the "Success Group." These are companies that have achieved above-average ROI and productivity gains by viewing security not as a gatekeeper to innovation, but as its foundation. The paper identifies five critical "imperatives" that separate these high performers from their peers. These range from the strategic integration of security leadership into the earliest phases of procurement to the adoption of centralized third-party platforms that manage security across multi-vendor environments like Microsoft Teams, Zoom, and Slack.
A significant portion of the paper is dedicated to the unique risks posed by GenAI, including prompt injection and poisoning attacks. The data suggests a widening gap between companies that have a formal GenAI security plan and those operating ad-hoc. Interestingly, the report highlights a specific policy adopted by the most successful firms: the "human in the loop" requirement. This mandate ensures that AI-generated output - whether code, customer communications, or internal summaries - is never published autonomously, thereby mitigating the risks of hallucinations and intellectual property leakage.
The paper concludes with a roadmap for IT and security leaders, emphasizing that "set it and forget it" security is a relic of the past. It advocates for a transition from a defensive posture to a proactive, strategic alignment between IT and compliance. However, the specific technical benchmarks for these audits, the detailed ROI correlations of third-party security overlays, and the full breakdown of common "shadow IT" vulnerabilities remain detailed within the full text. For leaders looking to secure their infrastructure without stifling the rapid deployment of high-value AI technologies, the full report offers the granular data and actionable recommendations necessary to turn security into a business enabler.
Table of Contents
- Introduction
- The State of the Threat: Companies Increasingly Under Attack
- Five Approaches of Successful Organizations
- Imperative #1: The CISO/CSO as a Strategic Partner
- Imperative #2: A Structured, Comprehensive Security Plan
- Imperative #3: Rigorous AI Compliance and Human Oversight
- Imperative #4: Investment in Third-Party Security and Compliance Platforms
- Imperative #5: Regular Auditing Cadence
- Conclusion and Recommendations
Companies Mentioned
- Microsoft
- Zoom
- Slack (owned by Salesforce)
- Webex (by Cisco)
- WhatsApp (owned by Meta)
- Signal
- The U.S. Securities and Exchange Commission (SEC)
