The New Cyber Reality: Same Threats, Faster Attacks, Higher Stakes
by Erik Linask
Cybersecurity is entering a new phase of sorts, though perhaps not the one you might expect. The industry is not dealing with a reinvention of risks, which remain mostly the same, but with an acceleration of familiar problems. Ransomware, phishing, third-party exposure, and litigation are still defining the cybersecurity landscape. What’s changed is the speed, complexity, and downstream business impact of security events.
Looking at BakerHostetler’s 2026 Data Security Incident Response Report, it’s clear security teams are being squeezed from two directions. On one side, attackers are moving faster and using new AI-assisted methods. On the other, regulators, litigators, and customers are bringing increased expectations around preparedness, notification, governance, and vendor oversight.
The basic threat landscape is familiar. Phishing (30%) was still the leading root cause of incidents, while device theft and unpatched vulnerabilities came in at a distant 10% (19% of root causes were unidentified). As far as incident types go, network intrusions (47%) and BEC (32%) headed up the list – nothing else was even close.
When it comes to post-compromise activity, the focus seems to be direct access to accounts, data, and systems and, to a lesser degree, ransomware.
1. 48% of incidents led to theft or exfiltration of data,
2. 36% of incidents involved email account access, and
3. 27% of incidents resulted in ransomware deployment.
In short, attackers continue to succeed through identity, access, and human weakness as much as through code.
Ransomware data shows how expensive the cybersecurity reality has become. Average ransom demands rose to roughly $4.24 million in 2025 (up sharply from about $2.5 million), while the average payment climbed to $682,702 (up from $501,338).
There’s a notable shift in what motivates ransomware payments, though. Previously, more breach victims paid to decrypt data than to prevent data publication, but that has flipped, with 43% of ransomware victims paying to prevent release of their data, while 31% paid to decrypt data. That points to a parallel shift in threat actor mentality. Specifically, they are relying less on data encryption for extortion than in the past and more on the threat of releasing corporate data.
BakerHostetler suggests this changes what businesses must prioritize and that recovery is no longer only about restoring systems, but increasingly about limiting data exposure, reputational harm, and legal fallout.
Here’s the thing: The strategic shift from threat actors could be driven by better backup and restoration capabilities. If businesses have good backups in place, encrypting data serves less of a purpose than it once did, so why go through the exercise? Why not jump straight to exposing the data?
The legal fallout is becoming harder to ignore. Of the 482 incidents that led to notification in 2025, 68 resulted in one or more lawsuits – up from 51 the year before. Importantly, litigation risk is no longer reserved for only the largest disclosure events. While larger events (those impacting more people) naturally carry the greatest exposure, even incidents affecting fewer than 1,000 individuals resulted in lawsuits, especially when the impacted organization had substantial revenue or brand visibility. The implication is that breach response is no longer just a technical and compliance function, but has become tightly connected to legal strategy, communications, insurance posture, and board-level risk management.
Why MSPs Should Pay Particular Attention
For MSPs, beyond the ransomware stats, there’s another data point that warrants consideration – 25% of incidents in 2025 involved a vendor. That should resonate because MSPs are built on managing layered stacks of security, cloud, SaaS, infrastructure, and now AI-enabled tools on behalf of clients. As such, third-party risk should be viewed as a primary variable, not a secondary issue.
When an incident occurs in a provider’s environment, or in a downstream platform the provider relies upon, the operational damage can spread quickly across multiple client organizations. What makes the scenario even more challenging is that vendors can lengthen notification timelines, which, in turn, compounds regulatory and contractual pressure. In practice, that means MSPs need stronger internal controls and better client-facing governance around subcontractors, platforms, incident reporting workflows, and evidence of due diligence to protect both themselves and their clients.
When looking at the data from a sector perspective, that risk is reinforced. Business and professional services – which include managed services – accounted for 15% of incidents last year. That trailed only healthcare (27%) and finance and insurance (18%). It serves as a reminder that MSPs are not adjacent to cyber risk; they are part of the target set.
The AI angle adds another layer of complexity and risk. Last year saw something of a tipping point where AI moved beyond simply enhancing phishing campaigns to supporting more sophisticated social engineering, automated reconnaissance, credential harvesting, and even AI-orchestrated espionage activity. There’s also a growing concern around Shadow AI and the need to govern not only a company’s own AI use, but also its vendors’ use. For MSPs, the risk is obvious: Faster attacks, more convincing fraud, and more opaque vendor chains. At the same time, there’s opportunity in clients needing more help with AI governance, identity-centric security, incident response readiness, and vendor risk management, which can all be built into a comprehensive service offering.
The bottom line is that, while faster investigations have improved median time to notification, the broader cyber risk environment has also been sped up – lawsuits are filed earlier, regulators are broadening scrutiny, and attackers are reducing dwell time and monetizing stolen data in new ways. While new threat vectors are always important to understand, MSPs need to lean into operationalizing the basics across security, legal readiness, vendor governance, and response discipline to minimize the impact of threats.
https://www.msptoday.com/topics/msp-today/articles/463416-new-cyber-reality-same-threats-faster-attacks-higher.htm