

Cybercrime today is driven by business models and automation rather than direct hacking and espionage. This represents a shift in the way cybercriminals attempt to gain entry, and organizations must adapt accordingly.
Over 50% of global cyberattacks in the last year were driven by ransomware and extortion, according to Microsoft’s latest Digital Defense Report.
Hackers are evolving, and so is the ecosystem that supports them. Ransomware-as-a-service and other black-hat third-party services make it easier for cybercriminals to simply purchase malware or leaked credentials off the shelf and then automate their attempts to gain access.
Organizations are far more vulnerable than they used to be because of their heavy reliance on cloud services and SaaS platforms, as well as the general increase in remote work.
Distributed teams and contractors mean that an organization has multiple devices connecting from anywhere.
Organizations face constant digital exposure, yet many are still trying to solve attacks using solutions from a different era.
Attackers operate like businesses now. An underground ecosystem exists where they can buy off-the-shelf ransomware kits and prebuilt exploit tools.
The barrier to entry has collapsed, allowing inexperienced hackers to operate at scale. Hackers no longer need to be technically sophisticated. They only need to know where to shop.
As a result, financially motivated cybercrime now dwarfs espionage-motivated attacks. In 2025, espionage-related attacks made up only 4% of all attacks, while 80% of all attacks were attempts to steal data.
Hackers treat their work like a business because it is one, complete with supporting services and instruction manuals.
Identity is the weakest link in modern cybersecurity, allowing hackers to simply walk in the front door. Identity-based attacks rose by 32% in 2025, while 97% of all identity attacks are password attacks.
The opportunities for finding the keys to the front door (i.e., a username and password) are immense. Browser-saved logins, which provide a false sense of security, are a goldmine. Credential theft via infostealers is up by a whopping 800%! That’s a total of 1.8 billion stolen credentials. Phishing sites, created in minutes using AI, allow hackers to intercept MFA credentials. As a result, 79% of initial access is now gained without any malware at all.
Then, once the hackers get in, they move fast.
“Breakout time” is defined as the time it takes for an attacker to move from the initially compromised host to a second target inside the same organization. The average breakout time in 2024 was a mere 48 minutes, with the fastest being 51 seconds.
Making matters worse is the overconfidence of security leaders. Eighty-six percent believe they’re ready for this new era of attacks. However, 85% of organizations were hit by ransomware in the previous year. Of those, 31% had between 6 and 10 attacks.
The gap between perception and reality exists because sector leaders are measuring the wrong things. They’re likely watching for break-ins while attackers are using the login page, or they’re focusing on perimeter defenses while attackers already have the credentials to get into the network.
For example, tracking malware attempts and firewall events will not detect attackers using valid credentials. Monitoring for unusual network traffic patterns misses legitimate-looking logins from compromised accounts. The focus remains on stopping intrusions rather than on detecting credential misuse.
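The measurement gap described above, as an added example that is not part of the original article: a Python sketch that checks successful sign-ins against each account's own history instead of looking for malware or blocked traffic. The event records, field layout, and two-hour threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data). Every one is a SUCCESSFUL
# login with a valid password, so malware and firewall telemetry show nothing.
EVENTS = [
    # (timestamp, user, source country, device id)
    ("2025-03-03T08:58:00", "alice", "US", "laptop-a1"),
    ("2025-03-04T09:02:00", "alice", "US", "laptop-a1"),
    ("2025-03-04T09:05:00", "bob",   "DE", "laptop-b7"),
    ("2025-03-04T09:40:00", "alice", "BR", "unknown-3f"),
    ("2025-03-05T09:01:00", "bob",   "DE", "phone-b2"),
]

TRAVEL_WINDOW = timedelta(hours=2)  # assumed threshold; tune per environment


def detect_credential_misuse(events, window=TRAVEL_WINDOW):
    """Return (user, timestamp, reasons) for successful logins that break the
    account's own history: unseen device, unseen country, or a country change
    faster than `window` allows."""
    seen_devices = defaultdict(set)
    seen_countries = defaultdict(set)
    last_login = {}  # user -> (time, country) of the last unflagged login
    alerts = []
    for ts, user, country, device in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        reasons = []
        if seen_devices[user] and device not in seen_devices[user]:
            reasons.append("new_device")
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append("new_country")
        prev = last_login.get(user)
        if prev and prev[1] != country and when - prev[0] < window:
            reasons.append("impossible_travel")
        if len(reasons) >= 2:
            # Two or more signals agree: alert, and do not learn from this login
            alerts.append((user, ts, reasons))
        else:
            # A lone signal (e.g. a new phone) stays quiet and updates the baseline
            seen_devices[user].add(device)
            seen_countries[user].add(country)
            last_login[user] = (when, country)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_misuse(EVENTS):
        print(alert)
```
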
AI and automation are transforming the threat landscape. Attackers use AI to automate phishing at scale, to create convincing deepfakes for voice scams, or to personalize social engineering.
Attackers can whip up a phishing site in minutes, regardless of their technical skill. The popular AI website generator Lovable has been used heavily by hackers to create phishing websites that intercept credentials, including SMS credentials.
Voice-phishing (vishing) attacks increased by a wild 442% in the second half of 2024 as hackers leverage new AI tools to create convincing voice deepfakes.
While 92% of organizations do believe that AI increases threat complexity, only 47% are using AI tools for defense.
What’s worse is that most defenders aren’t using AI at all. Smaller businesses, often lacking the financial and/or technical resources, can’t match automation with automation.
Unfortunately, the automation gap is widening. More attacks are occurring on smaller targets. The ease with which these attacks can be perpetrated means that hackers can now afford to go after “small fish.”
Every day, Microsoft processes more than 100 trillion security signals, blocks ~4.5 million new malware files, analyzes ~38 million identity risk detections, and screens ~5 billion emails for malware and phishing. That’s the monumental scale defenders are facing.
Organizations with limited resources are hit the hardest. Microsoft has confirmed that schools, local governments, and hospitals are being increasingly targeted because of their limited defense capabilities. Hackers also know that such organizations tend to pay quickly to restore critical operations.
Mid-market businesses have a similar problem. Their operational urgency, plus limited cybersecurity resources, makes them equally vulnerable.
Individuals are also hit personally. In total, 850 billion exposed assets now exist on the dark web, exposing all those credential holders to identity theft and other risks.
Security leaders must reframe their thinking to stay afloat in these new waters. Instead of defending against hackers breaking down the door, they should start focusing on defending against people walking in with stolen keys.
In actionable terms, that means minimally:
The principle is to defend where the actual risk is (identity) rather than where we hope it might be.
Cyberattacks are getting faster, cheaper, and more automated. The only way to prepare for this is to make cyber defense more efficient.
Attackers have industrialized and automated because it’s profitable. Defenders need to stop trying to match their volume and start making better decisions about where the actual risk is. You can’t out-spend or out-tool a scalable, automated threat.
Simplified, modern security approaches are the only approaches that work. They’re also cost-effective.
Efficiency and focus are now core to a strong security posture.
SolCyber provides this efficiency through fully managed cybersecurity centered on identity protection with 24/7 monitoring, human-led response, and integrated security tools. Our services include endpoint detection, email protection, and dedicated security analysts. Organizations receive transparent, continuous protection with per-user pricing and no hidden vendor complexity.
To learn more about SolCyber’s human-led managed security services, visit https://solcyber.com.






