Cybercriminals seize any opportunity to extort sensitive information from organisations, and for the fifth year in a row, attackers mostly used exploits to obtain sensitive data, a new report found.
In 2024, exploits were the most frequently observed initial infection vector; 33% of cyberattacks began with exploitation of a vulnerability, a decline from 38% in 2023, according to the M-Trends 2025 Report from Mandiant, a Google Cloud-affiliated cybersecurity consultancy.
The most frequently exploited weaknesses were security devices with injection vulnerabilities, the report said. Stolen credentials (16%) and email phishing (14%) were also commonly used to break through cybersecurity defences.
Email phishing (17%) was more frequent than stolen credential breaches (10%) in 2023. Phishing ploys dropped slightly, as adversaries can now acquire credentials through purchasing leaked or stolen credentials on underground forums, mining large data leaks, and infecting users with malware.
While technological advancements risk exposing weaknesses for attackers to exploit, digital transformation is also enhancing security teams’ defences. Intrusions that were discovered in one week or less increased from 43.3% in 2023 to 45.1% in 2024, the report said. Overall, dwell time (how long a cyberthreat remains undetected) in 2014 was 205 days, compared with 11 days in 2024.
Digital transformation has made some industries more vulnerable than others, according to the report. The financial sector (17.4%), business and professional services sector (11.1%), and high-tech sector (10.6%) were the most targeted by cybercriminals last year, consistent with previous years.
For the financial sector, “this confluence of [technology] adoption and consistent threat actor activity has highlighted the need for additional scrutiny as organisations seek to protect their users, data, and digital assets,” the report said.
The report examined data collected from more than 450,000 hours of incident response engagements globally. The metrics are based on investigations conducted by Mandiant in 2024.
Cloud migration brings more complex risks
Hosting sensitive information on cloud platforms requires more advanced controls, as potential complexities in cloud infrastructure can increase visibility challenges for security teams.
“Cloud environments scale more broadly and require an in-depth understanding of a variety of logging options,” the report said. “Attackers are exploiting the gaps and risks introduced as organisations continue their migrations to the cloud.”
Attackers commonly compromised cloud assets through email phishing (39%), stolen credentials (35%), SIM swapping (6%), and voice phishing (6%). Mandiant’s research found that the majority of those attacks were used to steal data (66%) for the purpose of financial extortion (38%).
Updates to risk management frameworks straggle behind a large increase in cloud computing adoption, the report said. “While security fundamentals stayed relatively the same, many of the traditional security controls that were once effective in detection and mitigation of data theft started to fall behind.”
Managing the demands of business should not come at the expense of risk mitigation, as some companies continue to prioritise the operational value of cloud platforms without the security posture to use those applications safely, according to the report.
Steps for cybersecurity optimisation
Improving security posture requires companies to ensure governance frameworks transform with technology. The report recommends that companies:
Audit data repositories: Pinpoint where sensitive data resides, routinely audit data repositories, and remove data no longer needed for business purposes.
Minimise exposure and increase security protocols: “Ensure users have only the minimum accesses to data necessary to perform their jobs”, encrypt data being stored and transferred, and enforce multifactor authentication for accessing data stored in single-sign-on resources.
Upskill employees: Educate employees on data security best practice, how to identify and protect sensitive data, and the consequences of data breaches.
Implement a zero-trust model: Zero trust-based authentication restricts connectivity to a resource even when valid credentials are obtained. Organisations can also implement data loss prevention solutions to prevent sensitive data being leaked through email attachments and file transfers.
Utilise dynamic secret management systems (DSMS): DSMS can limit the impact of credential misuse by “automatically rotating the credential and expiring active sessions.” Integrating continuous delivery and deployment pipelines with DSMS can also “rotate credentials as infrastructure and assets move from development to production.”
Regularly scan for vulnerabilities: “Recurrent and regular security assessments help determine the impact and overall exploitability of any identified credentials” and assess the effectiveness of current security processes and procedures.
— To comment on this article or to suggest an idea for another article, contact Steph Brown at Stephanie.Brown@aicpa-cima.com.
LEARNING RESOURCES
Course
AICPA and CIMA’s Transformative Skills Pack can help finance professionals to strengthen soft skills, interpersonal behaviours, and digital competencies to drive and lead change in their organisations.
Webcast
A webcast on 19 May, “Navigating the AI Landscape,” offers an introduction into generative AI for finance professionals.
MEMBER RESOURCES
Articles
“How Finance Business Partners Can Optimise ‘Democratised’ Data”, FM magazine, 23 April 2025
“Cyberattack Hack: The Case for Targeting Prevention Over Detection”, FM magazine, 28 March 2025
“Cybersecurity: Considerations for Business”, FM magazine, 16 January 2025
Podcast
“AI’s Future: Figuring Out What It Means for Finance Teams”, FM magazine, 22 January 2025
