US businesses are reporting a greater number of data breaches than ever before, according to annual research from Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives. The company's 2025 survey reveals that 76 percent of organizations surveyed have self-disclosed a breach or potential breach to the appropriate authorities in the past year, up slightly from 72 percent in 2024.

Yet self-reporting does not imply incidents are under control. Apricorn's research found that two thirds of organizations surveyed (66 percent) admit their remote or mobile workers knowingly put corporate data at risk in the last year. Additionally, 69 percent believe their mobile workforce is likely to expose them to a future breach. These persistent concerns highlight a lack of confidence in user behavior and endpoint management, especially within decentralized and hybrid work environments.

In terms of the cause of data breaches, phishing and employee mistakes shared the top spot, both with 32 percent. While external threats continue to pose a risk, the data confirms that human behavior remains the leading cause of vulnerability, whether through error, negligence or malicious intent.

The majority (96 percent) of organizations surveyed have a mobile/remote working security policy in place, and 96 percent believe their workers understand and follow it. But this confidence is undermined by 73 percent of respondents who say their employees lack the technology or skills needed to properly secure data, even when they are willing to comply. This figure is comparable to last year (72 percent) and suggests that capability, not just awareness, is the missing link and needs greater ongoing attention.

Adding to the challenge is the continued reliance on employee-owned IT equipment. Showing similar year-over-year responses, 62 percent of organizations surveyed in both 2025 and 2024 allow staff to use personal devices to access corporate systems and data. Although most organizations use software to control access, these tools often lack the visibility and enforcement provided by corporate-issued devices.

Only 12 percent of respondents said their organization mandates the use of company-provisioned equipment with endpoint controls. This slight shift downward from 13% in 2024, is alarming and highlights how far most organizations still have to go in order to gain full control of the remote attack surface.

Kurt Markley, Managing Director, Americas, Apricorn, warned that businesses cannot afford to confuse policy with protection. "IT decision makers must go beyond policy creation and focus on equipping remote and mobile workers with the right tools and training to secure sensitive data. As always, human behavior remains the biggest vulnerability, and until organizations take control of endpoints and eliminate reliance on unsecured personal devices, their breach exposure will only grow."

The research also revealed deeper technical and operational issues. Almost forty percent (35%) of organizations say they cannot be certain that their data is adequately secured or they've lost visibility of where corporate data is stored, while 19 percent report that their current technology doesn't support secure mobile or remote working. Additionally, nearly 1 in 10 (7 percent) said they don't know which datasets within their organization need to be encrypted, pointing to a lack of basic data classification and risk assessment.

The mounting complexity of managing remote technologies is another key concern with more organizations struggling with this than has ever been recorded in the survey. Almost half (49 percent) of respondents reported that managing all of the technology that employees need and use for mobile/remote working is too complex. Unsurprisingly, 82% of respondents feel their office-based staff is more security conscious and savvy than those working remotely.

Markley concluded: "Self-reporting is a step in the right direction, but it also reveals how often breaches still occur. Policies mean little without execution. Organizations must equip remote teams with secure tools like hardware-encrypted drives, control how data moves, and build security into everyday habits. With many employees still working outside the office, raising their security know-how is not optional, it's essential."