Three major cybersecurity reports were released in early 2026: from CrowdStrike, Flashpoint, and CyberProof. They each analyze the threat landscape of 2025. The conclusion is the same, regardless of the source. The traditional lock on the door has become obsolete. Attackers already have the key.
What has changed
In 2025, cybercrime shifted from breaking in to logging in. Not through complex malware or zero-days, but through stolen passwords, session tokens, and cloud access that are simply for sale on the dark web.
Flashpoint recorded more than 3.3 billion compromised credentials in 2025. CrowdStrike measured an average attack time of 29 minutes from initial access to full infiltration. Ransomware increased by 53%, but in a new form: no more encryption, just pure extortion using stolen identities.
And agentic AI is accelerating all of this to a speed no human can keep up with.
What this means for an SME
You should not dismiss this as a problem for large companies. Attackers deliberately target SMEs because they are low-hanging fruit: limited IT capacity, incomplete basic security, and valuable data.
But the good news is: the defense is neither expensive nor complex. Most of the tools are already included in your Microsoft 365 subscription. They are just not being used.
What you should do
- Priority 1: Identity is the new perimeter. Enable MFA for every employee. Today. No exceptions for the business owner, the accountant, or field staff. Use Microsoft Authenticator, included in every M365 subscription. Then activate Security Defaults in Entra ID: three clicks, zero cost, and a dramatically lower attack risk.
- Priority 2: Review your security score. Go to security.microsoft.com and open Secure Score. You will get a list of concrete actions, ranked by impact. Most of them cost nothing extra. Many SMEs score below 40% on features they are already paying for.
- Priority 3: Secure your email domain. Properly configure DMARC, DKIM, and SPF. This prevents criminals from sending emails as if they were you—a technique widely used in CEO fraud and supplier fraud.
- Priority 4: Test your backups. A backup you have never tested is not a backup. Schedule this quarterly. Also check whether OneDrive Version History is enabled. It is not a full backup, but it is a first safety net.
- Priority 5: Make awareness a habit, not a yearly training. One short monthly tip to your team. A clear procedure: “What do I do when I see a suspicious email?” No punishment for reporting, reward those who stay alert.
The core
Attackers are investing in AI to operate faster and cheaper. You do not need to become a security expert. You need to get the basics right, because anyone with MFA, tested backups, and aware employees is already better protected than 80% of SMEs.
Technology will not solve this. Discipline will.
