It may come as no surprise that ransomware is among the top cybersecurity threats today for IT departments. We’ve seen ransomware impact both massive organizations—think Colonial Pipeline or Change Healthcare. But threat actors are also targeting small and medium-sized firms, which poses a major business risk given that 60% of small businesses permanently close within six months of an attack.

In fact, ransomware has major implications for all parts of the business. Not only can a ransomware attack jeopardize sensitive and personal data, opening the doors for reputational damage, compliance concerns, and more, but it can also slam the brakes on daily operations. The average cost per minute of business downtime due to a cyberattack is $1,467—and mid-sized businesses end up paying over $250,000 to recover from a cyberattack.

As we found in our Huntress 2025 Cyber Threat Report, ransomware groups are also switching up their strategies, which is putting an added burden on IT teams. For example, attackers are no longer just encrypting data and demanding that victims pay a ransom. They’re also stealing data and threatening to publicly leak it as an extra means of putting pressure on victims to pay.

Threat actors continue to rely on tried-and-true techniques. Phishing is a good example. It’s still a primary means of initial access for threat actors because it works. In this type of attack, threat actors send messages to the employees in a targeted company—typically via email—and trick them into either downloading a malicious file or handing over their credentials on a fake attacker-owned webpage. 

Threat actors use different types of social engineering tactics that play on trusted relationships or sound urgent. For instance, in the 2025 Cyber Threat Report, Huntress found that threat actors often impersonate popular brands in their phishing attacks in order to build trust with their targets, including Microsoft, Docusign, and Dropbox. 

In some cases, attackers are also tweaking their phishing attacks to try to make them harder for traditional email security methods to detect. Some threat actors have turned to QR code phishing, for example, where they send users an email with an embedded QR that redirects to a malicious site.

While many threat actors are opportunistic and cast a wide net with their cyberattacks, advanced persistent threats (APTs) are much more targeted. The threat actors behind these threats, who are often well-resourced, sophisticated, and state-sponsored, aim to stay hidden on victim networks for as long as possible. By staying stealthy, these actors can exfiltrate data over a prolonged period of time to support espionage efforts.

The hack of the US Treasury Department in late 2024 is a good example of an APT attack. Chinese state-sponsored threat actors were able to access Treasury workstations and steal unclassified documents. APT attacks can hit various targets, including nuclear think tanks, journalists, human rights defenders, and more.  

While businesses face many external threats (threat actors trying to get in), insider threats are another pain point that IT departments need to manage and right within their own environments. The 2024 Verizon Data Breach Investigations Report found that internal actors are tied to 35% of breaches.  

In recent years, IT departments have been working to keep up with the security impacts caused by two sweeping changes across their workforces: the rise of both remote work and cloud-based services.

Remote work surged after the COVID-19 pandemic, and this rapid shift has made security teams’ jobs of making people and data secure more difficult. Companies that rely on remote and hybrid work environments deal with various device management challenges, external Wi-Fi networks, and more.

More businesses are also relying on cloud-based services and applications, dramatically expanding the potential attack surface for attackers—and threat groups like Scattered Spider are taking full advantage by targeting organizations’ cloud environments to steal data, hijack accounts, and more. There are several types of cloud-based attack vectors that threat actors use. They might target cloud-based storage buckets and databases that are misconfigured, use weak access controls to their advantage, or go through unsecured application programming interfaces (APIs).

Newer types of threats have also emerged over the past few years that IT teams must take into account when they’re assessing the security of their environments. 

Technologies like generative AI pose various cybersecurity risks for businesses. As more employees use generative AI in the workplace, IT teams are trying to navigate the best ways to prepare for potential cybersecurity risks that could come out of that, like inadvertent data leakage. Meanwhile, threat actors are also experimenting with ways to use generative AI in attacks, including through research to support reconnaissance, creating content for phishing emails, and troubleshooting code.

Threat actors are trying to get the biggest bang for their buck, and in doing so, they’ve looked at ways to hit the most companies with one attack. One way threat actors have done this is through the software supply chain. In these attacks, threat actors infiltrate a software company’s networks and compromise the software with malicious code before it’s sent out to customers, so that once that code is sent out, customer systems are compromised. We’ve seen this many times in recent years, in supply chain attacks against Kaseya, 3CX, and, of course, the infamous SolarWinds attack. 

IT teams are also dealing with various regulatory changes that are linked to cybersecurity, which put pressure on businesses for compliance. Regulations that have emerged over the last year include the EU AI Act, which touches on AI governance and data privacy, and the EU Digital Operational Resilience Act (DORA), which addresses threats across the financial sector (and the information and communications technology suppliers to this industry) and will require companies to assess their policies and controls.

IT department leaders can take several measures to either prevent or contain these types of attacks:

• Patch vulnerable software: Threat actors like to target software that’s not up-to-date and that contains vulnerabilities, so enabling auto-update mechanisms where possible and having a vulnerability management program in place can help you prioritize and address the flaws across your environment.

• Perform backups and test them regularly. Keep offline, encrypted backups for critical data and test them in disaster recovery scenarios. This can help mitigate the impacts of a ransomware attack.

• Multi-factor authentication (MFA): The security industry has a password problem—passwords are often weak, reused, or easily guessed by threat actors. MFA is a solid way to prevent account compromise by introducing multiple forms of authentication. Make sure MFA is mandated for users (and regularly look for non-compliant accounts to remediate them). In particular, make sure that system administrator accounts—valuable targets for threat actors—use MFA.  

While IT departments face a variety of threats today, Huntress offers fully managed endpoint detection and response (EDR), so you've got 24/7 support from security experts ready to respond to threats.