Our Fraud, Cyber and Security Smarts series invites industry experts to share timely insights into current security challenges and opportunities. In recognition of Cybersecurity Awareness Month, we’re launching a special series dedicated to helping businesses and individuals strengthen their defenses with practical knowledge and actionable tips.

This first installment takes a close look at the current cybersecurity landscape while highlighting the trends, risks and strategies leaders need to know to stay one step ahead.

Q.          What are the most pressing cyber threats businesses are facing right now?

Businesses are currently facing a wide range of cyber threats impacting their overall financial health as well as their reputation.

The top five attack vectors are:

1. Ransomware Attacks

Ransomware remains the dominant threat, with a surge in operations targeting sectors such as healthcare, finance and infrastructure. Attackers are using double-extortion tactics, encrypting data and threatening leaks. Companies are not only hurt by the high costs of the ransomware attacks but also by reputational damage and lower stock prices.

2. Phishing and Social Engineering

Attackers are becoming more sophisticated with their use of artificial intelligence (AI) in phishing attacks, resulting in more personalization and fewer spelling errors so they’re harder to identify.

Social engineering exploits human weaknesses and could include posing as a trusted figure in the organization. For example, an attacker could pretend to be an IT help desk employee and extract passwords or send a fake login page to steal credentials.

3. Zero-Day Attacks and Unpatched Systems

Bad actors are continuously seeking vulnerabilities that are not yet known and software updates not yet applied. Companies often lag in patching and updating software libraries.

4. Third-Party Risk and Supply Chain Attacks

Attacks on vendors (via compromised software updates) can impact businesses as seen in recent events affecting thousands of companies. For example, the Cybersecurity and Infrastructure Security Agency (CISA) recently warned about a widespread supply chain compromise involving the JavaScript registry, npmjs.com. A self-replicating worm, known as “Shai Hulud,” has compromised over 500 packages.

Companies remain increasingly dependent on the security of their third-party vendors, which proves problematic since 98% of organizations have integrations with at least one third-party vendor that has experienced a cyberattack in the last two years.

5. Cloud Misconfigurations and Vulnerabilities

Since 94% of businesses use cloud services, exposed storage buckets like Amazon Web Services (AWS) or Azure and weak access controls are rampant, enabling data exfiltration via employees using unvetted software and apps. Hybrid environments heighten risks with attackers exploiting unpatched Application Programming Interfaces (APIs) and shadow IT.

Additionally, callback phishing attacks, where attackers use a phone number instead of a link, are on the rise as a separate but related tactic.

Q.          How have cybercriminal tactics evolved in the past year, and what should business owners be watching closely?

In 2025 and beyond, cybercriminals will continue to use generative AI to launch large-scale phishing and ransomware attacks. Companies should also watch closely for a resurgence in “low-tech” attacks that elude traditional email security detection.

These types of phishing attacks simply include the attacker’s phone number and require a user to inquire about a charge or other issue. The attacker will then press for credentials and other critical information, or they may suggest downloading a tool that could be a remote administration tool (RAT). This tool will then steal and upload data from the victim’s device.

Q.          Are there particular industries or company sizes that are being targeted more heavily, and why?

Sectors such as healthcare, financial services, technology companies and manufacturing are targeted more heavily. Bad actors value the high volume of customer data especially the sensitive personally identifiable information (PII) data.

Q.        How prepared are most businesses for today’s cyber threats?

Most businesses, especially small to medium-sized businesses (SMBs), are ill-prepared for the growing threat of cyberattacks due to a lack of designated cybersecurity professionals in their organization.

According to the World Economic Forum, there is a global shortage of approximately four million cybersecurity professionals. In the U.S. alone, approximately 700,000 cybersecurity roles remain vacant. The outlook is especially bleak when it comes to high-demand skills, such as AI security.

Q.          What common mistakes tend to leave businesses most vulnerable? Do you have any recommendations for remaining cybersafe?

These four common mistakes can leave businesses vulnerable to cyberattacks:

1. Neglecting Cybersecurity Awareness Training: Employees are often soft targets that bad actors try to exploit through phishing attempts. Untrained employees can lead to ransomware attacks that can ultimately lead to SMBs going bankrupt.

Recommendations: Implement a cybersecurity awareness program, such as KnowBe4 or Mimecast training. If these programs are cost-prohibitive, look for ways to create your own home-grown cybersecurity awareness training program that involves phishing training and/or phishing simulations to test your employees.

2. Failing to Implement Multifactor Authentication (MFA): According to CrowdStrike, weak or stolen credentials account for 80% of data breaches.

Recommendations: MFA requires users to provide two or more verification factors to gain access to a system, such as a password or Personal Identification Number (PIN) plus something they physically have, like a phone or authentication app. There are many misconceptions about MFA being costly or difficult to implement. Since the average breach is over $4.5 million, not implementing MFA can end up being disastrous.

3. Ignoring Cloud Misconfigurations: Misconfigured cloud settings, such as open cloud storage containers called “buckets,” can lead to bad actors exfiltrating and stealing important customer data. Also, weak Identity and Access Management (IAM) policies and exposed APIs can lead to data breaches.

Recommendations: Hire at least one cybersecurity professional or an outside consultant to secure your websites, login portals, APIs and implement MFA on all login portals. Also, make sure you have strong IAM policies and all critical storage buckets are not publicly exposed.

4. Poor Patch Management and Legacy System Maintenance: Frequently, companies do not update their legacy systems, and they do not regularly patch or update their software. This can lead to data breaches.

Recommendations: Make sure you have a regular patching cadence and a plan to replace or upgrade legacy systems.

As cyber threats continue to evolve, awareness and preparedness remain the strongest lines of defense. By understanding the current landscape and taking proactive steps, businesses of all sizes can reduce risks and strengthen cybersecurity resilience. This is just the beginning of our Fraud, Cyber & Security Smarts subseries for Cybersecurity Awareness Month, so be sure to stay tuned for more expert insights, practical tips and strategies to help you stay safe and secure.

Looking to stay ahead of fraud and move from risk to readiness? Check out our on-demand webinar here!

^{Disclaimer: The information provided herein is for general informational purposes only and is not intended to be legal, investment or tax advice. It is not a substitute for professional legal, investment or tax advice, and you should not rely on it as such. No attorney-client or accountant-client relationship or any other kind of relationship is formed by any use of this information. The effective date of various provisions, amendments, and regulatory guidance may impact eligibility. The accuracy, completeness, correctness or adequacy of the information is not guaranteed, and isolved assumes no responsibility or liability for any errors or omissions in the content. You should consult with an attorney, investment professional or tax professional for advice regarding your specific situation.} 

Print