Consumers fear cyber threats but remain exposed; preparedness fails

Two new reports reveal a troubling dissonance between perceived security and actual preparedness. And when examined together, their findings draw a sobering conclusion: people are more aware of cyber threats, but they remain dangerously under protected, especially as AI empowers cybercriminals to innovate faster than defenses can adapt.

Iris’ consumer-focused Identity & Cybersecurity Concerns Survey underscores that while individuals recognize the dangers of identity theft, their behavioral response remains insufficient. Only 30 percent of respondents reported following all recommended cybersecurity practices, despite deep concerns about data breaches, compromised passwords, and fraud.

Particularly alarming is the concern surrounding AI. Ninety-one percent cited AI as a significant threat to personal information, an anxiety that is especially acute among women. Yet, this high level of awareness does not translate into meaningful action. Most respondents described themselves as feeling only “somewhat secure” while using their digital devices, a sense of unease that reflects the gap between what they know and what they do.

This unease is well founded. According to Delinea Labs’ Cybersecurity and the AI Threat Landscape report, AI is not just accelerating existing cyber threats, it is completely redefining them. AI-generated phishing, deepfake impersonations, and automated ransomware are rapidly becoming the norm. In 2024, phishing attempts increased by over 200 percent, and credential phishing surged by 703 percent. Deepfake attacks are now occurring every five minutes around the world.

One notorious case involved a finance employee of British engineering giant Arup transferring $25 million after being duped by a deepfake impersonation of the company’s CEO during a video call. Such events reveal how AI enables attackers to craft convincing social engineering schemes, tricking even the most security-conscious individuals into compromising their organizations.

Despite these realities, though, most consumers still turn to their banks or credit card companies rather than dedicated cybersecurity providers when confronted with a data breach. Iris’ survey revealed that 46 percent would contact their financial institution compared to just 19 percent who would reach out to a cybersecurity provider.

This behavior aligns with another key finding, which is 66 percent of consumers expressed interest in buying cyber protection directly from their bank or credit card issuer, which in turn suggests a significant opportunity for trusted institutions to embed digital protection into the platforms consumers already use, addressing both the accessibility gap and trust deficit.

This embedded approach also speaks to the broader challenge, which is the complexity of cybersecurity tools. Iris Chief Technology and Product Officer Erik Nienaber explained that consumers shouldn’t have to navigate a labyrinth of products to stay protected. Instead, the goal should be seamless, behind-the-scenes security that is integrated into daily workflows and built into the systems people already rely on.

“These findings only confirm what we’re doing at Iris. Our identity and cyber protection suite has been designed with this idea in mind, allowing our partners to seamlessly integrate proactive security into the systems their customers already use,” Nienaber said. “By embedding protection where consumers already are -whether through banks, credit card companies, or other trusted providers – we’re making it easier than ever for them to stay ahead of evolving cyber threats without having to navigate complex security solutions on their own.”

The Delinea report supports this approach. It highlights the growing attack surface of identity systems, particularly those involving Non-Human Identities (NHIs), digital accounts used by apps, APIs, and services. For every human identity, there are 46 NHIs, and over 70 percent are not rotated according to security best practices. Worse, 97 percent of organizations expose these NHIs to third parties, further compounding the risk.

Failures in identity protection aren’t just theoretical. The Snowflake breach in 2024 – one of the biggest breaches last year – exploited stolen credentials from an employee account lacking multi-factor authentication (MFA). This single vulnerability led to the exposure of data from multiple high-profile clients that affected hundreds of millions of consumers. Similarly, a breach of the Internet Archive was due to unsecured non-human identity tokens left accessible in a public repository for nearly two years.

These incidents serve as stark reminders of the cascading consequences when identity systems are not secured, especially as attackers grow more adept at exploiting them. Windows’ Active Directory, the backbone of access management for many enterprises, was the target of nine out of 10 ransomware attacks in 2024, according to Delinea. Attackers increasingly are using AI to probe weaknesses, bypass MFA through fraudulent push notifications, and exploit identity provider systems. MFA itself was implicated in nearly half of all incidents, often due to misconfiguration or user error.

Iris CEO Paige Schaffer emphasized that consumers shouldn’t be left to navigate these complex threats alone. Indeed, this is the core message echoed by both reports, which is that cybersecurity is no longer just a technical challenge – it’s a societal one. The stress of recovering from identity fraud is immense. Iris found that 93 percent of recent victims reported significant emotional distress, with over half describing the experience as more stressful than any previous event in their lives. Yet only 5 percent of these victims received help from an identity protection provider, revealing a striking underutilization of available support.

And this is where coordinated, proactive defenses become essential. Delinea’s report urges organizations to adopt identity-first security strategies and investing in advanced threat detection and continuous monitoring. It highlights the rapid growth in identity-related vulnerabilities, which rose by nearly 40 percent in 202.

As attackers leverage AI to automate phishing sites, impersonate executives, and target privileged accounts, the window for detection narrows. Human vigilance, while still important, is no longer enough. Instead, a layered defense strategy is necessary. One that integrates intelligent access controls, risk-based authentication, and real-time monitoring. Identity systems must be hardened against exploitation and consumer-facing platforms must evolve to offer embedded protection that meets users where they are. Institutions, whether financial or governmental, must lead by example in deploying AI to defend, not just attack.

In the final analysis, both the Iris and Delinea reports point to the same conclusion, which is the cybersecurity landscape is undergoing a fundamental transformation. The tools of attack have changed – fueled by AI, scale, and automation – yet the tools of defense remain fragmented and underutilized. Bridging this gap will require more than awareness and a rethinking of how cybersecurity is delivered, accessed, and experienced.

Article Topics

biometrics  |  consumer adoption  |  cybersecurity  |  deepfakes  |  Delinea  |  digital trust  |  generative AI  |  identity theft  |  iris