Sophos has released its Annual Threat Report 2025: Cybercrime on Main Street, which sheds light on the biggest security threats small and medium-sized businesses faced in 2024. According to the report, the number one way attackers infiltrated networks was through network edge devices like firewalls, routers, and VPNs, accounting for the initial compromise in nearly 30% of cases.
“Over the past several years, attackers have aggressively targeted edge devices,” said Sean Gallagher, principal threat researcher at Sophos. “Compounding the issue is the increasing number of end-of-life (EOL) devices found in the wild – a problem Sophos calls digital detritus. Because these devices are exposed to the internet and often low on the patching priority list, they are a highly effective method for infiltrating networks.”
The report found that VPNs were the most frequent compromise point, accounting for over 25% of all incidents and 25% of ransomware and data exfiltration events. “Attackers don’t have to deploy custom malware anymore,” Gallagher explained. “Instead, they can exploit businesses’ own systems, increasing their agility and hiding in the places security leaders aren’t looking.”
Other key findings from the Sophos report include:
- Ransomware still the biggest threat: Ransomware accounted for over 90% of incident response cases involving midsized organizations, and 70% of cases involving small businesses.
- MFA is no longer enough: Attackers are bypassing multi-factor authentication through adversary-in-the-middle authentication token capture, using phishing platforms to mimic the authentication process and steal credentials.
- Attackers favor commercial Remote access tools: The most frequently abused legitimate, trusted tools were commercial remote access tools, involved in 34% of incident response and managed detection and response cases.
- Attackers are evolving their social engineering tactics: Attackers are turning to the abuse of QR codes (quishing) and phone messages (vishing) to compromise businesses, as well as email bombing – sending thousands of spam emails in as little as one or two hours.
