The time between an initial breach and the handoff to a ransomware group has fallen from more than eight hours to just 22 seconds, according to Mandiant, a threat intelligence unit of Google Cloud. That leaves companies with far less time to react and raises questions about whether many incident response plans are still fit for purpose.
The same message comes through in several recent industry studies. They look at different risks, from software flaws to fraud and supply chains, but point in a similar direction. Cyber attackers are becoming more organised and efficient, while many organisations are still catching up.
The change is already showing up in how attacks are carried out in practice. As organisations strengthened defences against malicious emails, attackers turned to methods that rely on persuasion rather than code. Voice-based social engineering — in which criminals call help desks and impersonate employees to gain access — was the second most common entry point last year, accounting for 11% of intrusions.
Ransomware groups are exploiting a different weakness. Mandiant’s M-Trends 2026 report shows that 30% of cases in 2025 began with access attackers had already gained in earlier breaches, double the share a year earlier. Instead of searching for new entry points, attackers are returning to systems where issues were never fully resolved.
Research from HPE Threat Labs highlights the same problem. In more than 1,100 attack campaigns studied in 2025, attackers repeatedly exploited vulnerabilities disclosed years earlier, including some dating back to 2014. In each case, fixes existed but were not implemented.
This points to a basic gap. Companies are being exposed through weaknesses they already know about. The challenge is less about new threats and more about whether known issues are properly addressed.
See also: Double-clicking on why AI agents are harder to secure
Some attackers are taking a different approach by staying hidden for as long as possible. Mandiant identifies intrusions targeting network edge devices such as routers and virtual private network systems, which tend to receive less attention than laptops or servers. Once inside, attackers can observe data flows without being noticed. In these cases, they remained undetected for nearly 400 days on average.
Additionally, many organisations retain records of network activity for only about 90 days. So, by the time a breach is discovered, the trail of how it started may already be gone.
Fraud risks are evolving on a separate front. LexisNexis Risk Solutions, which processes more than 100 billion transactions annually, found that one of the fastest-growing threats involves synthetic identities. These are constructed from pieces of real personal data and can be used to operate for months without raising alarms. The cybersecurity firm estimates that such cases grew eightfold in 2025 and now account for roughly one in nine fraud incidents worldwide.
See also: Bain and IBM to offer post-quantum cryptography assessments to private equity and corporate clients
A further complication comes from automated software agents, or AI agents. LexisNexis Risk Solutions says traffic from these agents rose 450% last year across payments, gaming and e-commerce platforms.
Cybercriminals are exploiting that environment by deploying bots that are sophisticated enough to mimic how a human moves a cursor across a screen. This level of realism makes them harder to detect and has contributed to a 59% rise in malicious bot attacks.
Supply chain risks remain another area of concern, particularly in Asia Pacific. A survey by Kaspersky found that between 30% and 61% of organisations in the region have vendor contracts without any security requirements. When a supplier is compromised, companies often have little leverage to demand notification or corrective action.
The impact is already being felt. One in three organisations globally experienced a supply chain attack last year. In Singapore, only 14% of respondents said they were confident in their ability to defend against such incidents.
Even as investment rises, results remain uneven. Research by International Data Corporation, commissioned by Ping Identity, shows that organisations which continuously verify user identity across transactions report lower fraud losses and higher customer onboarding rates. Still, only 9% had reached that level, despite more than half believing they had.
How companies approach the issue also differs. Those with stronger results tend to treat identity security as a business-wide responsibility. Others leave it within IT, where it is often viewed as a cost rather than something that supports trust and growth.
