
2025 Cyber Year in Review: Lessons Learned and 2026 Predictions

Mark Spaak, Director of Security Dec 18 2025

This is the time of year when we naturally stop to recognize the challenges we faced over the last twelve months. It is also a moment to celebrate the victories we won by turning those hurdles into opportunities for growth in both life and business. As we look back at the year in cybersecurity, the SMB space has encountered some notable trends. We have seen everything from credential theft, email and trusted-link abuse, identity-led cloud and SaaS compromises, and extortion-based ransomware attacks to AI-driven social engineering that blurs the lines of reality. Each of these shifts has challenged executive teams to ensure that cyber risk finally has a permanent seat at the management table.

Identity is the New Front Line

The security specialists here at Worksighted process millions of logged events and alerts every year. Looking at that data, one trend stands out above the rest: the end user identity is under constant attack. 

I recently attended a great cyber conference in Grand Rapids, Michigan, called GrrCON. One of the sessions I enjoyed was titled “Hackers Don’t Hack, They Log in,” presented by Dr. Louis DeWeaver III. While most of us still imagine a “hacker” as someone in a dark hoodie with unparalleled coding skills, Dr. DeWeaver presented some eye-opening statistics. Between stealer logs, access brokers, and simple password reuse, we are seeing an epidemic of identity compromise. Because harvested credentials are so easy to get, threat actors are spending less time looking for technical weaknesses. Instead, they are just using stolen or leaked passwords to infiltrate organizations.  

Hiding in Plain Sight: Living Off the Land

Throughout this year, we also noticed a rise in “living off the land” techniques: an attacker stays inside an organization by using trusted tools and services that are already there. Instead of installing obvious malware, they hide in plain sight by using built-in Microsoft tools like PowerShell to carry out their plans. This makes behavior-based tooling more critical than ever. We need systems that can flag when a user is doing something out of character and block attempts to abuse trusted services before a foothold is established. This is where Zero Trust comes in, layering controls that verify a user at every step of the authentication chain.
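The "out of character" check described above can be made concrete with a baseline-and-deviation rule. The following is an added example, not code from the original post or from Worksighted: it learns which processes each user normally runs from a baseline window of process-creation telemetry, then scores a later window, flagging trusted built-in tools (PowerShell and a few other assumed watchlist entries) that a user has never run before, that were launched by an Office application, or that carry an encoded command line. The event shape, the watchlist and the sample events are all constructed assumptions.

```python
"""Baseline-and-deviation check for living-off-the-land activity.

Added example, not code from the original post or from Worksighted. The
process-creation events below are constructed sample telemetry in a
simplified shape; the field names and the watchlist are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Built-in, trusted tools that are frequently abused because they are already
# present on the host. Assumed watchlist for illustration; tune per environment.
WATCHLIST = {"powershell.exe", "pwsh.exe", "wscript.exe", "certutil.exe"}
# Office applications should rarely be the parent of a scripting host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: str        # ISO-8601 timestamp
    user: str
    process: str   # image name of the new process
    parent: str    # image name of the parent process
    cmdline: str


# Constructed baseline window: what each user normally runs.
BASELINE = [
    ProcEvent("2025-11-03T09:01:00", "jsmith", "outlook.exe", "explorer.exe", "outlook.exe"),
    ProcEvent("2025-11-03T09:05:00", "jsmith", "excel.exe", "explorer.exe", "excel.exe budget.xlsx"),
    ProcEvent("2025-11-04T10:12:00", "jsmith", "chrome.exe", "explorer.exe", "chrome.exe"),
    ProcEvent("2025-11-03T08:30:00", "itadmin", "powershell.exe", "explorer.exe", "powershell.exe Get-Service"),
    ProcEvent("2025-11-05T08:45:00", "itadmin", "powershell.exe", "explorer.exe", "powershell.exe Get-Process"),
]

# Constructed live window to score against that baseline.
LIVE = [
    ProcEvent("2025-12-01T09:02:00", "jsmith", "outlook.exe", "explorer.exe", "outlook.exe"),
    ProcEvent("2025-12-01T09:40:00", "jsmith", "powershell.exe", "winword.exe",
              "powershell.exe -NoProfile -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="),
    ProcEvent("2025-12-01T08:35:00", "itadmin", "powershell.exe", "explorer.exe", "powershell.exe Get-Service"),
    ProcEvent("2025-12-02T11:00:00", "itadmin", "certutil.exe", "cmd.exe", "certutil.exe -hashfile report.pdf"),
]


def build_baseline(events):
    """Per-user set of process names observed during the baseline window."""
    seen = defaultdict(set)
    for e in events:
        seen[e.user].add(e.process.lower())
    return seen


def has_encoded_command(cmdline):
    """True if the command line carries -EncodedCommand or one of its accepted
    abbreviations (PowerShell accepts any unambiguous prefix such as -enc or -e)."""
    for tok in cmdline.lower().split():
        if len(tok) >= 2 and tok.startswith("-") and "-encodedcommand".startswith(tok):
            return True
    return False


def score_event(e, baseline):
    """Return the reasons an event deviates from normal; an empty list means benign."""
    proc = e.process.lower()
    reasons = []
    if proc not in WATCHLIST:
        return reasons
    if proc not in baseline.get(e.user, set()):
        reasons.append(f"{proc} is out of character for {e.user}")
    if e.parent.lower() in OFFICE_PARENTS:
        reasons.append(f"{proc} launched by Office application {e.parent}")
    if proc in {"powershell.exe", "pwsh.exe"} and has_encoded_command(e.cmdline):
        reasons.append("encoded PowerShell command line")
    return reasons


def detect(baseline_events, live_events):
    """Score every live event and return (user, process, reasons) for each deviation."""
    baseline = build_baseline(baseline_events)
    alerts = []
    for e in live_events:
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e.user, e.process, reasons))
    return alerts


if __name__ == "__main__":
    for user, proc, reasons in detect(BASELINE, LIVE):
        print(f"{user}: {proc} -> {'; '.join(reasons)}")
```

In the constructed data, the administrator's routine PowerShell use stays quiet because it matches their baseline, while the same tool launched from Word by a finance user with an encoded command line trips three reasons at once. A real deployment would build the baseline over weeks rather than a handful of events and would feed the reasons into the SOC's scoring rather than alerting on each one.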

The Human Element Under Fire

Security experts have been beating the war drum of end-user awareness training for a long time. Organizations spend a lot of money protecting their cloud services and remote users, yet the human element remains the primary target. With AI-powered phishing and the abuse of trusted links, our end users are truly under fire. These attacks compromise the human element, allowing threat actors a direct line into the organization, bypassing other security investments. 

After 25 years of various training programs, we must ask ourselves if we are truly making progress to improve the defenses of the end user. As the modern workforce refreshes and older generations head into retirement, new workers are arriving with much higher digital acumen. However, that digital prowess does not always translate into better identity protection.  

Users are still falling for well-crafted emails, URL link re-writing, and credential harvesting pages. AI has allowed threat actors to weaponize accuracy, quickly fixing errors to ensure their messages appear harmless. We also still see the dangerous habit of password reuse, which lets attackers “spray” leaked credentials across multiple sites with minimal effort and investment. Between session token theft and MFA bypass attacks, staying secure has never been more challenging for the average user.
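The password "spray" mentioned above has a distinctive shape in sign-in logs: one source tries one or two passwords against many accounts, so per-account failure counts stay low while the number of distinct accounts failing from that source climbs. The following is an added example, not code from the original post or from Worksighted, that turns that shape into a sliding-window rule and reports any account that later succeeds from the same source. The sign-in events, field names and thresholds are constructed assumptions.

```python
"""Password-spray detection over sign-in logs.

Added example, not code from the original post or from Worksighted. The
sign-in events are constructed; the field names and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    outcome: str  # "success" or "failure"


@dataclass
class SprayAlert:
    src_ip: str
    targeted_users: list  # accounts that saw failures from this source
    successes: list       # accounts that succeeded from the same source


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample: one spraying source, one brute-force source, one normal user.
SAMPLE_SIGNINS = [
    SignIn(_t("2025-12-01T10:00:00"), "amartin", "198.51.100.7", "failure"),
    SignIn(_t("2025-12-01T10:01:00"), "bchen", "198.51.100.7", "failure"),
    SignIn(_t("2025-12-01T10:02:00"), "cpatel", "198.51.100.7", "failure"),
    SignIn(_t("2025-12-01T10:03:00"), "dkim", "198.51.100.7", "failure"),
    SignIn(_t("2025-12-01T10:04:00"), "ewilson", "198.51.100.7", "failure"),
    SignIn(_t("2025-12-01T10:05:00"), "fgarcia", "198.51.100.7", "failure"),
    SignIn(_t("2025-12-01T10:06:00"), "ewilson", "198.51.100.7", "success"),
    # Brute force against a single account: many failures, one user.
    *[SignIn(_t(f"2025-12-01T11:{m:02d}:00"), "admin", "203.0.113.9", "failure") for m in range(8)],
    # Normal user: one mistyped password, then success.
    SignIn(_t("2025-12-01T12:00:00"), "jsmith", "192.0.2.10", "failure"),
    SignIn(_t("2025-12-01T12:00:30"), "jsmith", "192.0.2.10", "success"),
]


def detect_password_spray(events, window=timedelta(minutes=60), min_users=5, max_per_user=2):
    """Flag source IPs that fail against at least `min_users` distinct accounts
    inside `window` while never exceeding `max_per_user` failures per account."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e.outcome == "failure"]
        per_user = Counter()  # failure counts inside the current window
        start = 0
        flagged = False
        for e in failures:
            per_user[e.user] += 1
            # Slide the window start forward until it spans at most `window`.
            while e.ts - failures[start].ts > window:
                old = failures[start].user
                per_user[old] -= 1
                if per_user[old] == 0:
                    del per_user[old]
                start += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged = True
                break
        if flagged:
            alerts.append(SprayAlert(
                src_ip=ip,
                targeted_users=sorted({e.user for e in failures}),
                successes=sorted({e.user for e in evs if e.outcome == "success"}),
            ))
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_SIGNINS):
        print(f"spray from {a.src_ip}: {len(a.targeted_users)} accounts, successes={a.successes}")
```

The brute-force source is deliberately not flagged: eight failures against one account is a different pattern and belongs to a separate lockout or brute-force rule. The main caveat is that keying on a single source IP misses sprays spread across rotating proxies; an organization-wide ratio of distinct failing accounts to total failures per window catches that case.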

The Reality of Business Email Compromise

The compromise of a user identity frequently leads to a common attack approach known as Business Email Compromise (BEC). Just as a lamprey attaches to a host, threat actors latch on to a mailbox, exfiltrating data and monitoring communications while they wait for the right moment to intercept and redirect payment instructions, committing ACH and wire fraud.

We often see cases where a hacker gains access to a mailbox and immediately deploys a forwarding rule to an outside organization. Even if the session is terminated and the user changes their password, that forwarding rule continues sending potentially sensitive information, intellectual property, or trade secrets to the attacker. 
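Because the forwarding rule survives a password reset, the rule itself is what responders need to hunt for. The following is an added example, not code from the original post or from Worksighted: it walks mailbox audit records, flattens the rule parameters, and reports any inbox rule or mailbox-level forwarding setting whose destination lies outside the organization's own domains, noting when the rule also deletes the original message. The records use a simplified form of the Exchange admin audit shape (Operation, UserId, Parameters as name/value pairs); the sample records and the organization's domain list are constructed assumptions.

```python
"""Hunt for mailbox forwarding rules that send mail outside the organization.

Added example, not code from the original post or from Worksighted. The audit
records are constructed and use a simplified form of the Exchange admin audit
record shape; the organization's domain list is an assumption.
"""
import json
import re

# Domains the organization owns (assumption). Anything else counts as external.
ORG_DOMAINS = {"example.com"}

# Rule and mailbox parameters that send a copy of mail somewhere else.
FORWARD_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   # inbox-rule parameters
    "ForwardingSmtpAddress", "ForwardingAddress",          # mailbox-level forwarding
}
AUDITED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample audit log, one JSON record per line.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"CreationTime": "2025-12-01T13:02:11", "Operation": "New-InboxRule",
                "UserId": "alice@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "[SMTP:collect@mail-drop.example.net]"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-12-01T14:20:05", "Operation": "New-InboxRule",
                "UserId": "bob@example.com",
                "Parameters": [{"Name": "Name", "Value": "Escalations to lead"},
                               {"Name": "ForwardTo", "Value": "[SMTP:teamlead@example.com]"}]}),
    json.dumps({"CreationTime": "2025-12-02T08:44:39", "Operation": "Set-Mailbox",
                "UserId": "alice@example.com",
                "Parameters": [{"Name": "Identity", "Value": "alice@example.com"},
                               {"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:archive@outside.example.org"}]}),
    json.dumps({"CreationTime": "2025-12-02T09:00:00", "Operation": "MailItemsAccessed",
                "UserId": "alice@example.com", "Parameters": []}),
])


def parse_records(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def parameters(record):
    """Flatten the Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_addresses(value):
    """Return the e-mail addresses in a parameter value whose domain is not ours."""
    found = set()
    for addr in EMAIL_RE.findall(str(value)):
        domain = addr.rsplit("@", 1)[1].lower()
        if domain not in ORG_DOMAINS and not any(domain.endswith("." + d) for d in ORG_DOMAINS):
            found.add(addr.lower())
    return found


def find_external_forwarding(audit_text):
    """Return one finding per audited operation that forwards mail externally."""
    findings = []
    for rec in parse_records(audit_text):
        if rec.get("Operation") not in AUDITED_OPS:
            continue
        params = parameters(rec)
        targets = set()
        for name in FORWARD_PARAMS:
            if name in params:
                targets |= external_addresses(params[name])
        if not targets:
            continue
        reasons = ["forwards mail to an external address"]
        if str(params.get("DeleteMessage", "")).lower() == "true":
            reasons.append("deletes the original, hiding the forwarding from the mailbox owner")
        if "Name" in params and len(str(params["Name"]).strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                         "operation": rec["Operation"], "targets": sorted(targets),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_AUDIT_LOG):
        print(f"{f['time']} {f['user']} {f['operation']} -> {f['targets']}: {'; '.join(f['reasons'])}")
```

The rule forwarding to a colleague inside the organization is left alone, which keeps the signal usable for legitimate delegation, while both of the external destinations surface together with the reason that makes them worth a phone call. Running this over the audit log at the start of every mailbox incident, and again after credentials are reset, closes the gap the paragraph above describes.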

Wire fraud is usually more of an attack on internal procedures than a failure of security tools. It tests whether a finance team can spot a tiny discrepancy in a payment request before they follow through with a large transaction. 

Age of Deception: The Continued Rise of AI

The advancements in AI throughout 2025 have been staggering compared to what we saw just a year ago. Organizations are currently wrestling with how to use AI without putting themselves at risk. Many companies do not have a formal AI policy yet, even though employees are likely adopting tools like ChatGPT, Gemini, or Grok on corporate assets. This creates a real risk of corporate data leaking into public models, which can violate NDAs or compliance regulations. 

Beyond data leaks, AI has ushered in an age of deception through deepfakes and vishing (voice phishing). These are now generated with incredible accuracy. A threat actor only needs three seconds of a recorded voice from a YouTube video or a voicemail greeting to create a full fraud campaign. They can use these voice clones to target key departments like Finance or HR with startling success. 

Ransomware Evolution: Faster Turnarounds

Extortion-based ransomware is still on the rise, and the timeline from initial breach to actual impact keeps shrinking. With Ransomware-as-a-Service and AI automation, threat actors move more rapidly across an organization using purpose-built remote tooling that adjusts on the fly to evade security controls and defensive tools.

If an organization manages to weather the storm and refuses to pay, they are now more likely to face a secondary threat where their data is sold to the highest bidder. The call for organizations to shift left and focus on proactive planning, risk management, security controls, and policy enforcement puts organizations in the best position to be a target not worth pursuing. 

Looking Ahead: Cybersecurity Trends for 2026

Our observations mirror the latest Microsoft Digital Defense Report, which shows identity attacks surged 32% in early 2025 as AI fueled new social engineering tactics. Despite these sophisticated shifts, Microsoft confirms that modern multifactor authentication still blocks over 99% of identity compromises. It is a striking reminder that while tools evolve, more than 97% of attacks still rely on simple methods like password spraying and brute force cracking. 

While those statistics give us a snapshot of the cybercrime economy, they also reveal a familiar theme: we are all being called to focus on basic cyber hygiene. 

As we look toward 2026, let’s explore the cyber themes that will likely dominate the landscape:

  • Phishing-resistant MFA is the gold standard. We will see a shift toward physical tokens like YubiKeys, especially for accounts with high levels of access.
  • High-value targets remain a priority. End users in finance, healthcare, and research will be targeted for their intellectual property.
  • Social engineering will still top the list. It currently accounts for about 28% of reported breaches. Organizations must adapt their training to keep up with these evolving trends.
  • Financial motivation is the primary driver. Over half of all attacks are about the payout, with only 4% motivated by espionage.
  • Data exfiltration is now the rule. If a hacker gains access, you should assume your data has been moved offsite. Detecting this requires a focused effort on monitoring for anomalous data transport.
  • Workload identities are the next frontier. As we harden user accounts, attackers will pivot to application and service identities that often have high privileges but fewer protections.
  • Destructive cloud attacks are rising. As more companies move to Azure, attackers are pivoting to delete resources or deploy ransomware in the cloud. Proactive assessments using CIS baselines are critical.
  • AI is a force multiplier for the enemy. Threat groups are using AI to “self-heal” their attack code and discover vulnerabilities at a rapid pace.
  • Quantum computing is on the horizon. With Google’s recent demonstration of “quantum advantage” using the Willow chip, we must start watching encryption standards. This technology will eventually have the power to decrypt data at an incredibly fast speed.

As we wrap up 2025, our mission remains clear: we must return to the basics. CISA’s recent Cybersecurity Awareness Month emphasized the same foundational concepts we have covered here, reminding us that resilience is built on the fundamentals.

We need to keep teaching our teams to spot phishing, enforcing strong passwords, and requiring phishing-resistant MFA. We must stay disciplined with software updates, system logging, data backups, and encryption. Each of these steps hardens your organization against attack and limits the damage threat actors can do. Think of these as a New Year’s resolution for your security posture; you won’t see results until you get into the gym and work on the basics. Let’s get to work today.


Mark Spaak, Director of Security

Mark is a seasoned cybersecurity expert with over 25 years in the IT industry. As the Director of Security at Worksighted, he leads our team in protecting client data and serves as a Virtual Chief Information Officer (vCISO). A Certified Information Systems Security Professional (CISSP), Mark offers tailored solutions across various industries. Outside of work, he enjoys camping, jet skiing, and volunteering with local charities like Kids Food Basket.