Every year, security researchers, insurance underwriters, and incident response teams compile the data on what actually happened. 2025 was a year of escalation across nearly every threat category — and a year where several theoretical risks that cybersecurity professionals had warned about for years moved into the mainstream. Understanding what changed is the first step toward ensuring your organization is prepared for 2026.
Ransomware: Record Payments, Shifting Targets
Ransomware continued its upward trajectory in 2025, with average ransom payments reaching new highs. Healthcare organizations remained the most heavily targeted sector — the combination of life-critical systems, sensitive data, and historically underfunded IT security creates an environment that ransomware operators exploit systematically. But municipalities, school districts, and small businesses saw significant increases in targeting as well, as criminal groups recognized these sectors often lack the security infrastructure of large enterprises while still holding valuable data and operational dependencies.
Critically, the entry point for the vast majority of ransomware incidents in 2025 was not a zero-day vulnerability or sophisticated technical exploit. It was a phishing email that an employee clicked, or a stolen credential used to authenticate into a VPN without MFA. The technical sophistication of the ransomware itself has increased dramatically — but the initial access vector remains stubbornly human.
Business Email Compromise: The Quieter Threat
While ransomware generates headlines, BEC fraud continued to quietly accumulate losses that dwarf ransomware payments. The FBI reported $2.9 billion in BEC losses in its most recent annual report, with the actual figure believed to be significantly higher due to underreporting. Unlike ransomware, BEC attacks leave no encrypted files — just a wire transfer that cannot be reversed. The average loss per incident exceeds $100,000, and healthcare, local government, and professional services firms are consistently among the most impacted sectors.
AI-Assisted Attacks: The Accelerant
2025 was the year that AI-assisted phishing moved from research papers into widespread deployment. Generative AI tools dramatically reduced the time and skill required to produce convincing phishing emails at scale. The tell-tale grammatical errors and awkward phrasing that historically helped employees identify phishing attempts have largely disappeared from sophisticated attacks. AI-generated spear phishing emails — personalized to the recipient's role, recent activity, and relationships — are now being produced at volumes that would have required large criminal organizations to generate manually just three years ago.
The defensive implication is significant: training that teaches employees to spot phishing by looking for grammatical errors is now insufficient. Modern phishing awareness training must focus on the structural elements of attacks — urgency, unexpected requests, verification procedures — rather than surface-level text quality.
Supply Chain: The Attack That Hits Many Targets at Once
Supply chain attacks remained a persistent threat category throughout 2025, with multiple incidents where a single vendor compromise cascaded into breaches at dozens or hundreds of downstream organizations. For any organization that relies on third-party software, IT management tools, or managed service providers, the security posture of those vendors is now a direct extension of their own attack surface. Vendor risk management has moved from a compliance checkbox to a genuine operational necessity.
What Must Change Heading Into 2026
The data from 2025 points to three concrete organizational priorities. First, security awareness training must be updated to reflect current attack techniques — including AI-assisted phishing and BEC patterns. Training built on 2020 threat scenarios does not prepare employees for 2026 attacks. Second, verification procedures for financial transactions must be established and enforced as standard operating procedure, not optional best practice. Third, organizations must conduct honest assessments of their vendor ecosystem and establish minimum security requirements for any third party with network or data access.
The organizations that emerged from 2025 incidents relatively unscathed shared a common trait: their employees had been trained to pause, verify, and report — and their processes made it easy to do so. That is achievable for organizations of every size, with the right training investment.
Security awareness training
Start 2026 with training that matches current threats
EncryptedTechnology's curriculum is built around 2025–2026 threat patterns including AI-assisted phishing, BEC, and supply chain awareness.
