The 2026 DBIR is out. Here's what the public sector needs to see
62% of all confirmed breaches involved the human element. Across more than 22,000 confirmed breaches in 145 countries, people remain the most consistent factor in how organizations get compromised.
The industry often interprets “human element” as a training problem. But the 2026 DBIR increasingly suggests it is also an exposure problem.
What the data shows about your sector
Public Administration recorded 3,634 incidents and 2,410 confirmed breaches in this year's dataset – among the highest of any vertical. The initial access picture is striking: vulnerability exploitation drove 40% of government breaches, followed by phishing at 20%. That makes the public sector significantly more exposed to exploitation-based attacks than the global average of 31%.
The actor breakdown is equally telling. Internal actors accounted for 44% of breaches. State-affiliated threat actors appeared in 35% of breaches – frequently acting with an espionage motive. And the data most commonly exposed? Personal data in 50% of breaches. The information citizens hand over – diagnoses, case files, identity records – is exactly what attackers are after.
The 2026 DBIR also highlights a growing shift in how social engineering works. Pretexting – building false trust to manipulate employees directly – has become a significant initial access vector for ransomware and extortion attacks.
In phishing simulations, mobile-based attacks show 40% higher success rates than traditional email phishing.
This matters because pretexting depends on psychological leverage, not technical sophistication. Attackers no longer need malware first. They need influence first. And influence becomes dramatically easier when an employee has something to hide.
The risk that doesn't appear in any breach report
The DBIR captures what gets discovered. It cannot measure what organizations never find.
There is a category of insider vulnerability that generates no alerts, appears in no logs, and operates entirely under legitimate credentials.
This creates what could be described as silent insider risk: a condition where an employee remains fully legitimate from a technical perspective while simultaneously becoming highly vulnerable from a human perspective.
No malware, privilege escalation or anomalous login behavior. Just a trusted person operating under pressure.
That exposure is not a private matter. When someone with access to sensitive systems can be threatened with professional or legal consequences, they cannot report it. They stay silent. And they become a reliable access point – not because they were targeted technically, but because they were targeted personally. The 2026 DBIR notes that state-affiliated actors represent over a third of breaches in public administration, often with espionage motives.
Increasingly, these actors optimize for access that already exists.
The cheapest persistence mechanism is not malware. It is a compromised employee who cannot safely report coercion.
For a closer look at how this plays out in practice – in healthcare, schools, and social services – read our previous piece on the threat no one wants to talk about.
The detection gap
Traditional insider risk programs are designed to detect malicious intent, policy violations, or unusual behavior.
But some forms of human compromise produce none of those signals.
Your SIEM tracks access patterns. Your behavioral analytics flag unusual logins. Neither detects the specific behavior that creates coercive leverage – because it involves no anomaly. It is a legitimate user, doing something private, on a device that trusts them completely.
The 2026 DBIR confirms what we already know: in the public sector, the human element is the primary risk surface, internal actors are a major factor, and personal data is the primary target.
Security teams have spent years improving visibility into devices, identities, cloud environments, and network traffic.
But the next detection gap may be human compromise that occurs before any technical compromise ever happens.
The question is whether your security program can see it.
Want to know how to close this gap? Talk to NetClean.
What changed from 2025 to 2026
- Human element: up – present in 62% of all breaches, compared to 60% the year before
- Vulnerability exploitation: the new #1 – now the most common initial access vector at 31%, up from 20%, a 55% increase in a single year
- Third-party breaches: surging – up 60% year-over-year, now present in 48% of all breaches
- Ransomware: still climbing – reached 48% of all breaches, up from 44%, though median ransom payments continue to fall as organizational resilience improves
- Pretexting: on the rise – direct manipulation of employees is increasingly the entry point for ransomware and extortion campaigns
- Shadow AI: a growing insider blind spot – employees regularly using AI tools on corporate devices jumped from 15% to 45% in a single year; unauthorized AI use is now the third most common non-malicious insider action in DLP data, with a fourfold increase from the year before
- Patching: falling further behind – only 26% of critical vulnerabilities fully remediated in 2025, down from 38%; median time to patch rose from 32 to 43 days
The fundamentals are holding. The pressure is increasing.