Cybercriminals are now more likely to use stolen login details than to exploit system flaws to gain access to networks, a new report by global cybersecurity company Sophos has revealed.
The 2025 Sophos Active Adversary Report found that 56 per cent of network breaches in 2024 were linked to compromised credentials, especially through remote access systems such as VPNs and firewalls. This marks the second consecutive year in which stolen login details were the most common way attackers accessed systems, surpassing both system vulnerabilities and brute-force attempts.
Small businesses most exposed
This growing trend presents a rising concern for small and medium-sized enterprises (SMEs), which typically operate with limited cybersecurity resources. Many SMEs depend on remote access tools to stay productive, making them a key target.
“Basic security is no longer enough,” said John Shier, Field CISO at Sophos. “Small businesses must actively monitor their networks and respond quickly to threats. The faster the detection, the better the outcome.”
Speed of attack is increasing
The report also showed that cyberattacks are becoming faster. On average, it took attackers just over three days to access sensitive data after breaching a network. In some instances, they took control of systems like Active Directory in as little as 11 hours.
This short window makes it difficult for smaller firms without full-time IT teams to respond effectively. The risk includes potential data loss, ransomware incidents, or full operational shutdown.
Ransomware attacks remain a threat
Ransomware remains a key method used by attackers. According to the report, some of the most active ransomware groups in 2024 were Akira, Fog, and LockBit. LockBit continues to pose a risk, despite global efforts to shut it down.
Notably, 83 per cent of ransomware attacks occurred outside regular working hours. This timing often catches businesses unprepared and slows down their ability to detect and respond to the threat.
Recommendations for businesses
To lower the risk of breaches, Sophos recommends several preventive steps:
- Blocking public access to Remote Desktop Protocol (RDP) ports
- Using strong authentication tools
- Keeping systems updated and patched
- Investing in 24/7 monitoring or Managed Detection and Response (MDR) services
The need for proactive measures
The findings highlight the need for businesses, especially SMEs, to prioritise cybersecurity. As attack methods evolve and become faster, waiting for a breach before acting can lead to costly consequences.
For many small businesses, even a short period of downtime or data compromise can result in financial loss or reputational damage. The report calls for a shift from reactive to proactive strategies to secure digital operations and prevent future incidents.