The 2025 Threat Report: Three Key Takeaways for SMBs

8 Apr, 2026

Think your business might fly under cybercriminals’ radars? Think again. Ransomware accounted for 70% of Sophos Incident Response cases for small business customers in 2024 — and over 90% for midsized organizations. As fraudulent apps, scams, and social engineering tactics attack organizations’ lines of defense, teams across the business must take precautions, not just IT.

As cyberattacks grow in sophistication and frequency, posing serious risks to organizations of all sizes, it’s important to be aware of their playbook. We’re breaking down some of the big shifts we’ve seen impacting SMBs from this year’s report — The Sophos Annual Threat Report: Cybercrime on Main Street 2025:

1. Rise of Remote Ransomware

Ransomware continues to be the biggest threat for small and medium-sized businesses. This is partially driven by the increase in remote ransomware. As companies increasingly deploy endpoint protection on their systems, attackers are focusing on new ways to successfully deploy ransomware. Hackers use unmanaged machines connected remotely to the network to quietly access files over the network and encrypt them, without ever triggering antivirus or endpoint protection. Because the ransomware is run from an unprotected system, it can fly under the radar of traditional security tools.

2. Risk at the edge

Attackers have become more skillful at exploiting parts of the network that security defenders aren’t watching. In other words, they’re zeroing in on edge devices, including firewalls and VPNs, as a way to breach corporate networks. In 2024, at least a quarter of initial compromises occurred “at the edge.” Because these devices sit at the perimeter, and attackers know they are often overlooked when it comes to updates and patching, they’ve become a highly effective way to breach networks.

3. Modernized social engineering

Phishing continues to be one of the most effective ways to steal credentials and log into corporate systems. However, now attackers have the benefit of upgraded tools and techniques.

Cybercriminals are now using AI and Large Language Models (LLMs) to create highly convincing phishing emails that are grammatically correct and personalized, making them harder for spam filters to catch. In addition, they’re taking advantage of tactics like vishing (malicious phone calls), email bombing (thousands of emails sent in a short period of time), and quishing (malicious QR codes) to trick employees into handing over their login information.

The road ahead

From exploiting unpatched systems to deploying remote ransomware and bypassing MFA with social engineering, cybercriminals adapt faster than ever. Here’s what organizations should do to stay secure:

  • Migrate from passwords to passkeys for account credentials. Passkeys are stored digital keys assigned to specific devices and can’t be intercepted by adversary-in-the-middle phishing kits.
  • For accounts that can’t be secured with passkeys, use multifactor authentication (MFA), and migrate to passkey protection when possible.
  • Prioritize patching edge devices such as firewalls and VPN devices and following through on all required steps for patching (including device resets).
  • Ensure endpoint security software is deployed across all your assets so that unmanaged devices can’t be abused by attackers.
  • Enlist outside help to audit and monitor your external attack surfaces regularly to ensure you don’t have exploitable entry points.
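
To make the remote ransomware point concrete, the sketch below is an added example (not code from Sophos or the report) showing a server-side check: it lists hosts touching file shares that are missing from the managed inventory, and flags any host that modifies many distinct files within a short window. The event format, host names, and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

# Constructed sample data (not from the report): file-server audit events as
# (epoch_seconds, source_host, action, path). Format and names are assumptions.
MANAGED_HOSTS = {"ws-accounts-01", "ws-sales-02"}  # hosts with endpoint protection

def build_sample_events():
    events = []
    # Normal activity from a managed workstation: a few saves, minutes apart.
    for i in range(5):
        events.append((1000 + i * 90, "ws-accounts-01", "write", f"/finance/q{i}.xlsx"))
    # Unmanaged device rewriting and renaming many files within seconds.
    for i in range(40):
        t = 2000 + i
        events.append((t, "byod-laptop-7", "write", f"/shared/doc{i}.docx"))
        events.append((t, "byod-laptop-7", "rename", f"/shared/doc{i}.docx"))
    # Unmanaged device with light activity: an inventory gap, but no burst.
    events.append((2500, "printer-scan", "write", "/scans/a.pdf"))
    return sorted(events)

def find_suspects(events, managed, window=30, min_files=20):
    """Flag hosts that modify >= min_files distinct files within `window` seconds.

    Returns {host: {"peak_files": int, "managed": bool}} for flagged hosts.
    """
    recent = defaultdict(deque)  # host -> (time, path) entries inside the window
    peak = defaultdict(int)      # host -> most distinct files seen in any window
    for ts, host, action, path in events:
        if action not in ("write", "rename"):
            continue
        q = recent[host]
        q.append((ts, path))
        while q and q[0][0] <= ts - window:  # drop entries older than the window
            q.popleft()
        peak[host] = max(peak[host], len({p for _, p in q}))
    return {h: {"peak_files": n, "managed": h in managed}
            for h, n in peak.items() if n >= min_files}

def unmanaged_sources(events, managed):
    """Hosts that touch file shares but are missing from the managed inventory."""
    return sorted({host for _, host, _, _ in events} - set(managed))

if __name__ == "__main__":
    sample = build_sample_events()
    print("burst suspects:", find_suspects(sample, MANAGED_HOSTS))
    print("unmanaged hosts on shares:", unmanaged_sources(sample, MANAGED_HOSTS))
```

The burst check runs on the file server's own records, so it still works when the encrypting process lives on a machine with no endpoint agent.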

Check out the full 2025 Threat Report to learn more and follow us here for more cybersecurity insights.