
Over one in three (35%) of enterprise PCs are not encrypted, despite standard security policies, amid millions of visits to generative AI platforms such as DeepSeek, often without formal approval or monitoring.
Without encryption, sensitive data on these devices is at greater risk of being exposed via these unsanctioned tools. This surge in Shadow AI activity heightens the risk of data leakage, governance failures, and serious compliance breaches for IT leaders.
The findings were revealed in Absolute Security’s Cyber Resilience Risk Index 2025, which analysed 15 million enterprise PCs for gaps in endpoint protection, device compliance and AI readiness. By assessing key metrics, the analysis pinpointed the primary barriers to achieving Extreme Resilience, meaning full visibility into the inherent risks in every layer of security architecture, and proposed actionable strategies to address these gaps.
Meanwhile, a survey of 500 U.S.-based CISOs from Absolute Security, via independent polling agency Censuswide, found that 44% of security leaders are not aware of how widely generative AI tools are in use across their organization, or what information users are uploading to them.
As a result, 44% have stopped using AI due to fears of a cyber breach.
Christy Wyatt, CEO of Absolute Security, commented: “The explosion of shadow AI use, combined with a third of devices lacking encryption, highlights a worrying gap between innovation and protection. As an industry, we spend so much time preparing for the next big attack, many enterprises are not meeting even basic security standards that can drastically boost resilience, like encryption, patch hygiene, visibility, and risk remediation. The stakes have never been higher. True cyber resilience means not just preventing breaches, but ensuring your digital operations can endure, adapt, and recover from any kind of cyberattack or incident.”
For the complete Cyber Resilience Risk Index 2025 report visit: https://www.absolute.com/resources/research-reports/resilience-risk-index-2025
Further findings from the Cyber Resilience Risk Index 2025:
- Enterprise Devices Are Missing Encryption: With 26% of devices being unaccounted for and 18% storing sensitive data, organizations are practically inviting data breaches, creating dangerous blind spots for CISOs and increasing the risk of data loss, theft, and compliance violations.
- Security Tools Aren’t Holding the Line: Even with Endpoint Protection Platforms (EPP) and network access controls in place, security tools fail to stay compliant 22% of the time, leaving critical systems exposed nearly a quarter of the time and heightening the risk of ransomware, breaches, and operational instability. This shows minimal improvement from last year’s resilience index report, where Endpoint Protection Platforms (EPP) and network access security applications on managed PCs failed to operate effectively 24% of the time.
- Patching Delays Create Extended Risk Windows: Vulnerabilities in Windows 10 and 11 take nearly two months to patch. This prolonged delay offers a predictable and exploitable window for threat actors — especially in industries that rely on outdated infrastructure or manual patching processes. This shows a slight improvement from last year’s findings, where sectors like Education and Government faced patching delays of 119 and 82 days. However, the current 56-day delay still presents a considerable vulnerability window that leaves systems open to attack. It remains critical for organizations to streamline patching processes, as even minor delays continue to expose systems to potential threats.



















