Cybercriminals are increasingly relying on stolen login credentials rather than system vulnerabilities to breach networks, according to Sophos’s newly released 2025 Active Adversary Report. The cybersecurity firm revealed that in 2024, 56 percent of network intrusions were carried out using compromised credentials, particularly via remote access tools such as VPNs and firewalls.
This marks the second consecutive year that stolen logins have been the top method of cyberattack, surpassing traditional tactics like exploiting unpatched systems or using brute-force techniques. The shift has heightened concerns for small and medium-sized enterprises (SMEs), which often operate on lean cybersecurity budgets while depending heavily on remote tools to remain competitive.
“Basic security is no longer enough,” said Sophos’s Field Chief Information Security Officer. “Small businesses must actively monitor their networks and respond quickly to threats. The faster the detection, the better the outcome.”
The report also highlighted the speed at which modern cyberattacks unfold. On average, attackers accessed sensitive data within just over three days of the initial breach. In some incidents, they took control of core systems like Active Directory in as little as 11 hours, posing serious risks for businesses without dedicated IT teams.
Ransomware remains a dominant threat, with groups like Akira, Fog, and LockBit responsible for a majority of attacks. Despite crackdowns on LockBit, the group continues to be active. Notably, 83 percent of ransomware attacks in 2024 occurred outside regular business hours, leaving many SMEs caught off-guard.
For small businesses already grappling with limited cybersecurity infrastructure, the consequences of a successful breach, ranging from data loss to full operational shutdown, can be devastating.
Sophos advises firms to take practical steps to secure their networks, including blocking public access to Remote Desktop Protocol (RDP) ports, using strong multi-factor authentication, keeping systems regularly patched, and investing in round-the-clock monitoring or Managed Detection and Response (MDR) services.
As cyberattacks grow more sophisticated and fast-moving, the report reinforces the urgent need for SMEs to shift from reactive to proactive cybersecurity measures in order to protect their operations, data, and customers.