TL;DR
- 67% of all cyberattacks now start with compromised credentials, not technical hacks
- Attackers reach Active Directory within hours of stealing a password
- Median dwell time dropped to 3 days — but ransomware deployment happens in minutes once inside
- 59% of breached organizations had no MFA enabled on compromised accounts
- Attackers work outside business hours (nights and weekends) to avoid detection
The Attack Pattern Has Changed
For years, businesses worried about sophisticated software exploits and zero-day vulnerabilities. According to Sophos's 2026 Active Adversary Report, that worry is misplaced. The real threat is far simpler: stolen passwords [1].
Sophos Incident Response and Managed Detection and Response teams investigated hundreds of real-world breaches in 2025. This shift from exploiting vulnerabilities to exploiting logins changes everything about how businesses should protect themselves.
What Happens After They Steal a Password
The speed of modern attacks is alarming. Once an attacker has valid credentials, they don't wait. Sophos researchers observed that attackers reach Active Directory — the central authentication database for most corporate networks — within hours of initial access [1].
Active Directory is the crown jewels. Once an attacker controls it, they can create their own accounts, access any file, and deploy ransomware everywhere at once.
The timeline typically looks like this:
- Initial access: Credential theft via phishing, password spraying, or buying stolen passwords on the dark web
- Lateral movement: Scanning the network from inside, using legitimate access to hop between systems
- Privilege escalation: Exploiting misconfigurations to gain administrator rights
- Data exfiltration: Copying sensitive files to external servers
- Ransomware deployment: Encrypting everything to force payment
Sophos found that while the median dwell time — the time attackers spend inside a network before detection — has dropped to 3 days (down from 8 days in previous years), the damage is done long before detection [1].
Why Dwell Time Decreased (And Why That's Not Good News)
You might think faster detection is good news. It is — but attackers have adapted by moving faster too.
The report shows that attackers now prioritize speed over stealth. Rather than spending weeks quietly exploring, they rush to critical systems immediately [1]. This works because of another finding: 59% of compromised organizations lacked MFA on the breached accounts [1].
Without multi-factor authentication, a stolen password is an all-access pass. Attackers don't need to hack their way past defenses — they simply walk through the front door using legitimate credentials.
The After-Hours Advantage
One of the report's most telling findings: ransomware deployment and data theft predominantly occur outside business hours — nights, weekends, holidays [1].
This is deliberate. Attackers know that:
- Monitoring teams are smaller or non-existent
- Response times are slower
- Decision-makers are harder to reach
- Backups might be running, creating opportunities to encrypt them too
A Friday evening breach means attackers have all weekend to work uninterrupted before anyone notices on Monday morning.
The Ransomware Brand Explosion
Sophos tracked 51 different ransomware brands across investigated incidents — 27 returning from previous years and 24 completely new [1].
The most active was Akira (associated with the GOLD SAHARA threat group), appearing in 22% of cases. Second was Qilin (GOLD FEATHER) [1].
Only four brands or techniques have persisted continuously since 2020: LockBit, MedusaLocker, Phobos, and abuse of BitLocker (Windows' built-in encryption tool) [1]. This constant churn shows how the ransomware ecosystem adapts. When one operation is disrupted, others fill the vacuum.
The AI Reality Check
Despite widespread hype about AI-powered cyberattacks, Sophos found no evidence of a major AI-driven transformation in attacker behavior [1].
Generative AI has made phishing emails more polished and social engineering more convincing, but attackers still rely on the same fundamental techniques: stolen credentials, brute force, and exploiting weak authentication. The tools are incrementally better; the playbook hasn't changed [1].
This is actually good news. It means the defences that work today — MFA, least privilege access, monitoring — will still work tomorrow.
The 5-Step Defence Checklist
Based on the Sophos report's findings, here's what every business should do now:
1. Deploy Phishing-Resistant MFA Everywhere
Not all MFA is equal. SMS codes and authenticator-app codes can be intercepted or phished in real time. FIDO2/WebAuthn hardware keys — where you physically tap a security key to log in — are the gold standard [1].
If you can't deploy hardware keys yet, use time-based one-time passwords (TOTP) from an authenticator app. But treat SMS as a last resort, not a default.
Validate your MFA configuration. Sophos found cases where MFA was technically enabled but misconfigured, allowing bypass [1].
2. Reduce Identity Infrastructure Exposure
Ask yourself: does every employee need access to the VPN from anywhere? Does that admin account really need remote access enabled?
Attackers find exposed login portals by scanning the internet. The fewer you have, the smaller your attack surface [1].
Specific actions:
- Disable unused remote access services
- Require VPN for all administrative access
- Use just-in-time access that expires automatically
- Implement geofencing for remote logins
3. Patch Edge Devices Immediately
While identity attacks dominate, exploited vulnerabilities are still the third most common initial access vector [1]. Edge devices — firewalls, VPN concentrators, remote access tools — are prime targets because they're directly internet-facing.
When a critical vulnerability is announced, attackers weaponize exploits within days. You have a narrow window to patch before automated probes begin.
4. Implement 24/7 Monitoring or Managed Detection
If attackers work nights and weekends, your defence needs to be awake when you're not [1].
For small businesses, 24/7 in-house monitoring is unrealistic. Managed Detection and Response (MDR) services provide continuous monitoring at a fraction of the cost of a full security team.
At minimum, ensure that critical alerts (failed admin logins, unusual access patterns, MFA bypass attempts) generate immediate notifications regardless of time.
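What "critical alerts regardless of time" looks like in practice, for this step and for the after-hours findings earlier on the page (and the plain-English "Get Help Watching While You Sleep" step later), as an added example rather than code from Sophos or lilMONSTER: a small detector that reads JSON-lines authentication events and fires on the three conditions named above, a burst of failed logins to an admin account, a successful privileged login with no MFA factor recorded, and a privileged login outside business hours. The account names, thresholds, business-hours definition and the sample log are all constructed for this example; the timestamps are chosen so the burst lands on a Friday evening, the window the article describes.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy values for this example; tune them to your own environment.
PRIVILEGED_ACCOUNTS = {"admin.jsmith", "svc.backup"}
FAIL_THRESHOLD = 5                       # failures per privileged account ...
FAIL_WINDOW = timedelta(minutes=10)      # ... inside this sliding window
BUSINESS_HOURS = range(8, 18)            # 08:00-17:59 local time, Monday to Friday

# Constructed sample log (one JSON authentication event per line). Not real data;
# 203.0.113.0/24 is a documentation address range. 2026-03-13 is a Friday.
SAMPLE_LOG = """\
{"ts": "2026-03-13T22:10:05", "user": "admin.jsmith", "result": "failure", "mfa": false, "src": "203.0.113.7"}
{"ts": "2026-03-13T22:11:12", "user": "admin.jsmith", "result": "failure", "mfa": false, "src": "203.0.113.7"}
{"ts": "2026-03-13T22:12:30", "user": "admin.jsmith", "result": "failure", "mfa": false, "src": "203.0.113.7"}
{"ts": "2026-03-13T22:13:41", "user": "admin.jsmith", "result": "failure", "mfa": false, "src": "203.0.113.7"}
{"ts": "2026-03-13T22:14:02", "user": "admin.jsmith", "result": "failure", "mfa": false, "src": "203.0.113.7"}
{"ts": "2026-03-13T22:15:19", "user": "admin.jsmith", "result": "success", "mfa": false, "src": "203.0.113.7"}
{"ts": "2026-03-15T03:02:44", "user": "svc.backup", "result": "success", "mfa": true, "src": "10.0.0.12"}
{"ts": "2026-03-16T09:01:10", "user": "jdoe", "result": "success", "mfa": true, "src": "10.0.0.40"}
"""


def parse_event(line: str) -> dict:
    """Decode one JSON event and turn its ISO-8601 timestamp into a datetime."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def outside_business_hours(ts: datetime) -> bool:
    """Weekend, or a weekday hour outside BUSINESS_HOURS."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def make_alert(rule: str, event: dict, detail: str) -> dict:
    return {"rule": rule, "user": event["user"], "ts": event["ts"].isoformat(),
            "src": event.get("src", "?"), "detail": detail}


def detect(lines) -> list:
    """Run the three rules over events in order and return the alerts they raise."""
    alerts = []
    recent_failures = defaultdict(deque)      # per-account timestamps of failures inside FAIL_WINDOW
    for raw in lines:
        if not raw.strip():
            continue
        event = parse_event(raw)
        user, ts = event["user"], event["ts"]
        if user not in PRIVILEGED_ACCOUNTS:
            continue                          # these rules are scoped to admin/service accounts
        if event["result"] == "failure":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()              # drop failures that have aged out of the window
            if len(window) == FAIL_THRESHOLD: # fire once, when the threshold is first crossed
                alerts.append(make_alert("failed_admin_logins", event,
                                         f"{len(window)} failures within {FAIL_WINDOW}"))
        elif event["result"] == "success":
            if not event.get("mfa", False):
                alerts.append(make_alert("privileged_login_without_mfa", event,
                                         "successful login with no MFA factor recorded"))
            if outside_business_hours(ts):
                alerts.append(make_alert("after_hours_privileged_login", event,
                                         ts.strftime("%A %H:%M")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the detector raises four alerts: the fifth failure at 22:14 on Friday, then both the no-MFA and the after-hours rule for the successful login a minute later, and an after-hours alert for the backup service account on Sunday morning; the Monday 09:01 login by an ordinary user raises nothing. Whatever sends these on (pager, SMS, chat webhook) should be the same regardless of the hour, and the events should be read from the central log store described in the next step rather than from the host that may already be compromised.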
5. Preserve Logs for Investigation
Sophos found that inadequate log retention and missing telemetry significantly weakened detection and response [1]. If you don't log it, you can't investigate it.
Retention targets:
- Authentication logs: 6-12 months
- Firewall and network logs: 3-6 months
- Application logs: 90 days minimum
- Admin activity logs: 1 year
Store logs centrally where attackers can't delete them to cover their tracks.
The Cost of Inaction
The Sophos report is based on real incidents — businesses that thought it wouldn't happen to them, right up until it did.
Identity attacks don't require advanced technical skills. They're about finding the weakest link: one user with a reused password, one admin account without MFA, one exposed login portal.
The good news is that these are fixable problems. MFA, least privilege access, and monitoring aren't bleeding-edge technologies. They're foundational security practices that stop the majority of attacks when implemented correctly.
The question isn't whether you can afford to secure identity. It's whether you can afford not to.
FAQ
Attackers follow the path of least resistance. Stealing or buying a password is easier than finding and exploiting a software vulnerability. As organizations improve perimeter security, criminals shift to authentication bypass. Additionally, more services are cloud-based, meaning password theft grants access without any network intrusion [1].
Common methods include phishing emails that mimic legitimate login pages, credential stuffing (trying passwords leaked from other breaches), brute force attacks against weak passwords, and purchasing stolen credentials on dark web marketplaces. Information-stealer malware running on infected computers also bulk-extracts saved passwords from browsers [1].
Dwell time is the total duration an attacker remains undetected in a network from initial access to containment. Detection time is how long it takes to discover the breach. Sophos reports the median dwell time is now 3 days, meaning attackers typically have a 72-hour window to move through systems, escalate privileges, and deploy ransomware before anyone notices [1].
Biometrics are a form of MFA, but most implementations still require a fallback password or PIN. The security benefit comes from requiring multiple factors — something you know (password), something you have (security key or phone), and something you are (biometric). Biometrics alone are convenient but not inherently more secure than phishing-resistant hardware keys when properly implemented.
Active Directory is Microsoft's implementation, but the concept applies to any centralized identity system: Google Workspace, Okta, Azure AD, even password managers. If your organization has a single source of truth for user accounts and permissions, that's your identity infrastructure — and attackers will target it. The specific platform matters less than the principle: centralize authentication, protect it with MFA, and monitor for suspicious access [1].
References
[1] Sophos, "Active Adversary Report 2026," Sophos, 2026. [Online]. Available: https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report
[2] Verizon, "2025 Data Breach Investigations Report," Verizon, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[3] CISA, "Identity and Access Management Security," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/resources-tools/resources/identity-and-access-management
[4] NIST, "Digital Identity Guidelines (SP 800-63B)," National Institute of Standards and Technology, 2023. [Online]. Available: https://pages.nist.gov/800-63-3/sp800-63b.html
[5] Microsoft Security Blog, "Defending Against Active Directory Attacks," Microsoft, 2025. [Online]. Available: https://www.microsoft.com/en-us/security/blog/
[6] OWASP, "Authentication Cheat Sheet," Open Web Application Security Project, 2024. [Online]. Available: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[8] Australian Cyber Security Centre, "Essential Eight Maturity Model," ACSC, 2024. [Online]. Available: https://www.cyber.gov.au/sites/default/files/2024-06/ESSENTIAL-EIGHT-IMPLEMENTATION-GUIDE.pdf
[9] SANS Institute, "How to Detect and Respond to Active Directory Attacks," SANS, 2025. [Online]. Available: https://www.sans.org/white-papers/
[10] Rapid7, "Attacker Behavior in 2025: The Identity Shift," Rapid7 Blog, 2025. [Online]. Available: https://blog.rapid7.com/
Your business doesn't need to be the next statistic. lilMONSTER provides practical, privacy-first cybersecurity defence for organisations that care about protecting what they've built. Book a free consultation to secure your identity infrastructure before attackers find it first.
TL;DR
- Two-thirds of hackers steal passwords instead of breaking into computers
- Once they have a password, they can reach your most important files in just a few hours
- Multi-factor authentication (MFA) stops most of these attacks cold
- You can fix this with 5 simple steps that cost nothing but time
The Real Problem: Your Keys, Not Your Locks
Imagine you come home and find your front door unlocked. You didn't leave it that way — someone used your keys. The lock worked fine. The problem was that someone had your key.
That's what's happening to businesses right now.
A new report from Sophos, a company that fights hackers, found that 67 out of every 100 cyberattacks start with a stolen password [1]. Hackers aren't breaking down doors. They're walking right in using keys they stole, bought, or tricked people into giving them.
This matters because stealing a password is much easier than hacking a computer system.
What Happens After They Steal a Password
Here's what typically happens:
- They get a password: This might be from tricking someone with a fake email, buying stolen passwords online, or guessing weak passwords
- They log in normally: No alarms go off because they're using a real password
- They look around: They check what files they can access, what computers are connected, and who has admin rights
- They move deeper: They try to get into more important accounts, often within just a few hours
- They strike: They steal your files or lock everything with ransomware
The scariest part? Sophos found that hackers can reach the most important parts of a business computer system within hours of getting in [1].
Why They Work Nights and Weekends
Think about when your office is empty. Nights. Weekends. Holidays.
Hackers know this too. The Sophos report found that most ransomware attacks happen when businesses are closed [1].
Why?
- Fewer people watching for problems
- Slower response times
- More time to work without getting caught
If a hacker gets in on Friday evening, they have all weekend to cause damage before anyone notices on Monday morning.
The Missing Protection: MFA
Remember that 67% of attacks start with stolen passwords. Here's the thing that would stop most of them: Multi-Factor Authentication (MFA).
MFA means needing two things to log in:
- Something you know (your password)
- Something you have (your phone or a security key) or something you are (your fingerprint)
Sophos found that 59 out of 100 businesses that got hacked didn't have MFA turned on [1].
Without MFA, stealing a password is like having a key to your house. With MFA, it's like having a key AND needing your fingerprint to open the door. Even if a hacker has your password, they can't get in without the second thing.
The 5 Things You Should Do Right Now
You don't need to be a computer expert to protect your business. Here are five practical steps:
1. Turn on MFA Everywhere
Every account that offers MFA should have it turned on. Email, banking, cloud storage — everything.
The best option: Use a security key (a small USB device you tap to log in). A hacker on the other side of the world can't fake physical possession of it.
Good option: Use an authenticator app on your phone (like Google Authenticator or Microsoft Authenticator). These generate codes that change every 30 seconds.
Okay option: SMS codes to your phone. Better than nothing, but hackers can sometimes intercept these.
2. Check Who Has Access
Not everyone needs access to everything. This is called "least privilege."
Ask yourself:
- Does every employee need access from anywhere?
- Do you really have 5 admins, or could you have just 1 or 2?
- Can you turn off access you're not using?
The fewer doors into your business, the fewer chances for hackers.
3. Update Your Edge Devices
"Edge devices" are the things that connect your business to the outside world: your router, your firewall, your VPN.
These are front-door locks. When the companies that make them find problems, they release updates. Hackers are very quick to attack businesses that don't update.
Make a rule: Update critical security devices within one week of a security update being released.
4. Get Help Watching While You Sleep
If hackers work nights and weekends, you need someone watching then too.
For most small businesses, hiring a 24/7 security team isn't realistic. But you can hire a Managed Detection and Response (MDR) service. They watch your systems around the clock and alert you immediately if something looks wrong.
Think of it like a security monitoring service for your business.
5. Keep Records
You can't stop an attack you don't know about.
Sophos found that many businesses weren't keeping logs — records of who logged in, when, and from where [1]. Without logs, you can't see what happened after an attack.
What to keep:
- Login records for at least 6-12 months
- Firewall logs for 3-6 months
- Any changes to user accounts or permissions
Store these somewhere secure. If a hacker gets in, they'll try to delete these logs to hide their tracks.
Why This Matters Now
The Sophos report isn't theory. It's based on investigating hundreds of real businesses that got hacked in 2025 [1].
These businesses thought it wouldn't happen to them. They were wrong.
The good news is that protecting your business doesn't require expensive tools or security experts. It requires:
- MFA turned on
- Careful access control
- Regular updates
- Someone watching for problems
- Good record-keeping
These are practical steps you can take this week.
A Simple Analogy: Your House vs. Your Business
Imagine your house has:
- One front door with a deadbolt
- Windows that lock
- Maybe a back door
- Keys that only a few trusted people have
Your business computer system is similar, but with one big difference: hackers can try your front door from anywhere in the world, thousands of times per second, without you ever seeing them.
That's why MFA is so important. It's like having a lock that needs your key AND your fingerprint. Even if someone copies your key, they can't get in.
What This Costs
The five steps above:
- MFA: Free (most services include it)
- Access review: Free (just your time)
- Updates: Free (just your time)
- Monitoring service: $100-500/month for most small businesses
- Log storage: Free to low cost depending on your setup
Compare that to the cost of a ransomware attack: an average of $4.88 million globally in 2025 [7].
The question isn't whether you can afford to protect your business. It's whether you can afford not to.
FAQ
MFA does add a few seconds to every login. But compare that to the days or weeks of downtime from a ransomware attack. Frame it as protecting their jobs and the business they depend on. Modern MFA options (like phone apps or security keys) are much faster than they used to be. Many people find that after a week, they don't even notice it anymore.
They can try, but it's much harder. Some advanced attacks can bypass SMS codes, but phishing-resistant MFA (like security keys) is extremely difficult to defeat. The goal isn't perfection — it's making attacks so difficult that hackers move on to easier targets. Most criminals, like most burglars, look for unlocked doors, not unpickable locks.
If your business has employees working remotely, you almost certainly have edge devices. These include: VPN servers (for remote access), routers (the devices that direct internet traffic), firewalls (security gateways), and remote access tools like TeamViewer or Splashtop. Check the manufacturer's website for security updates, or ask your IT provider to do this for you.
Not every business needs continuous monitoring. At minimum, ensure that critical alerts (failed admin logins, new user accounts created, access from unusual locations) send you an immediate notification, day or night. For many small businesses, this middle ground provides significant protection without the cost of full MDR services.
Use this analogy: "We're spending money on locks, but leaving keys under the mat. Hackers aren't picking locks — they're finding the keys we left out. MFA is like requiring both a key and a fingerprint. It's simple, it's cheap, and it stops most break-ins before they start." Focus on the business risk (downtime, lost revenue, reputational damage) rather than technical details.
References
[1] Sophos, "Active Adversary Report 2026," Sophos, 2026. [Online]. Available: https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report
[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[8] Australian Cyber Security Centre, "Essential Eight Maturity Model," ACSC, 2024. [Online]. Available: https://www.cyber.gov.au/sites/default/files/2024-06/ESSENTIAL-EIGHT-IMPLEMENTATION-GUIDE.pdf
[11] National Cyber Security Centre, "Password Guidance for Organisations," NCSC, 2024. [Online]. Available: https://www.ncsc.gov.uk/collection/passwords/password-guidance-for-organisations
[12] CISA, "Multi-Factor Authentication," Cybersecurity and Infrastructure Security Agency, 2024. [Online]. Available: https://www.cisa.gov/news-events/news/secure-our-world/multi-factor-authentication
[13] Google, "Security Keys: The Strongest Form of 2FA," Google, 2024. [Online]. Available: https://landing.google.com/advancedprotection/
Identity security doesn't have to be complicated or expensive. lilMONSTER helps small businesses protect what they've built with practical, jargon-free cybersecurity. Get in touch for a free consultation — we'll explain everything in plain English.