Six Security Threats Every IT Team Should Track (Updated Annually)
The threat landscape changes, but the categories stay remarkably stable. Here are the six we tell every customer to track, and what they look like in 2024.

When we first wrote about the top security threats facing mid-market IT teams, ransomware was a growing concern, phishing was the most common breach vector, and "nation-state actor" was something most CFOs had never heard said out loud in a board meeting. Much has changed. Quite a bit hasn't.
The specific malware families shift every few months. The attack surface expands with every new SaaS product and remote worker. But the categories of threat have been surprisingly stable for a decade, and the defensive muscles you need to build against them are the same ones you needed five years ago — they just need to be more developed now. Here is the list we give every customer, updated for what the landscape actually looks like in 2024.
1. Credential compromise and identity attacks
This is still the number one way people get into your environment. It used to be "phishing." Today it is a portfolio of attacks against your identity provider — credential stuffing, MFA fatigue bombing, adversary-in-the-middle phishing kits that defeat push MFA, OAuth consent phishing, and session token theft through info-stealer malware.
The scariest development in the last two years is how good the AitM phishing kits have become. Tools like EvilGinx and its commercial successors let a moderately skilled attacker run a convincing Microsoft 365 login page that captures the session cookie after the user has completed MFA. From the defender's perspective, the victim did everything right — the phish was convincing enough that they clicked, and the session cookie bypassed the MFA step entirely.
The defense in 2024 is phishing-resistant MFA. That means FIDO2 security keys, Windows Hello for Business, or platform authenticators — not SMS, not push notifications, not TOTP. Combine that with Conditional Access policies that require a compliant device, and you shut down the majority of the current credential-theft tradecraft. If you haven't moved your admin accounts to phishing-resistant MFA yet, stop reading and go do that this week.
2. Ransomware — now mostly double-extortion
Ransomware is still the threat that takes down organizations. The economics have shifted, though. Pure encryption-only ransomware is on the decline because too many victims have decent backups. Modern ransomware operators now exfiltrate data before encrypting, and threaten to publish or sell it regardless of whether you pay for decryption.
This changes the defensive calculus meaningfully. Backups still matter — immutable, air-gapped, tested backups are table stakes — but they no longer eliminate the business risk. The attacker can still leak your customer data, your employee records, your intellectual property, and your internal email even if you restore everything in 48 hours. The real prevention strategy is network segmentation to limit lateral movement, aggressive privilege management so stolen credentials can't reach every file share, and active detection on the behaviors that precede encryption — things like mass enumeration, shadow copy deletion, and unusual outbound transfer volumes.
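The pre-encryption behaviors named above can be caught with fairly simple correlation. This is an added example, not code from the original post: it runs two precursor checks (shadow-copy deletion or recovery tampering in process-creation events, and a per-host egress spike) over constructed sample telemetry and ranks hosts that trip both. The thresholds and event shapes are assumptions.

```python
"""Flag ransomware precursors in constructed sample telemetry (added example)."""
import re

# Constructed sample process-creation events: host, user, command line.
PROCESS_EVENTS = [
    {"host": "fs01", "user": "svc_backup", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws17", "user": "jdoe", "cmd": "wmic shadowcopy delete"},
    {"host": "ws22", "user": "asmith", "cmd": "notepad.exe C:\\notes.txt"},
    {"host": "fs01", "user": "svc_backup", "cmd": "bcdedit /set {default} recoveryenabled no"},
]

# Constructed per-host outbound bytes: 24 hourly baseline samples plus the current hour.
OUTBOUND_BYTES = {
    "fs01": {"baseline": [5e8] * 24, "current": 4.1e10},
    "ws22": {"baseline": [1e8] * 24, "current": 1.2e8},
}

# Command-line patterns that commonly precede encryption (shadow-copy deletion,
# recovery disabled). Case-insensitive; extend with your own EDR telemetry.
PRECURSOR_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(r"bcdedit.*recoveryenabled\s+no", re.I),
}

def flag_precursor_commands(events):
    """Return (host, user, rule) for every command matching a precursor pattern."""
    hits = []
    for ev in events:
        for rule, pat in PRECURSOR_PATTERNS.items():
            if pat.search(ev["cmd"]):
                hits.append((ev["host"], ev["user"], rule))
    return hits

def flag_outbound_spikes(per_host, factor=10.0):
    """Return hosts whose current-hour egress exceeds factor x the baseline mean.
    The factor of 10 is an illustrative assumption, not a vendor threshold."""
    spikes = []
    for host, d in per_host.items():
        mean = sum(d["baseline"]) / len(d["baseline"])
        if mean > 0 and d["current"] > factor * mean:
            spikes.append(host)
    return spikes

def correlate(events, per_host):
    """Hosts showing both a precursor command and an egress spike: triage these first."""
    cmd_hosts = {h for h, _, _ in flag_precursor_commands(events)}
    return sorted(cmd_hosts & set(flag_outbound_spikes(per_host)))
```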
The organizations that survive ransomware events best are the ones that drilled for it. Tabletop exercises with real decision-makers in the room are cheap insurance. Do them yearly.
3. Third-party and supply-chain compromise
This category didn't really exist in the original version of this post. It does now. The SolarWinds compromise, the Kaseya VSA incident, the MOVEit vulnerability, and the 3CX supply-chain attack all taught the industry the same lesson: your security perimeter extends to every software update you install and every SaaS vendor you depend on.
The defensive posture for this is fundamentally different from the other categories on this list. You can't patch your way out of it. You have to assume that one of your vendors will get compromised, and you have to have detection and response capabilities that would catch the blast radius of that compromise inside your environment.
Concretely, this means: network segmentation so that a compromised management agent can't reach your crown-jewel data stores, EDR coverage on every host (including ones your MSP manages), audit logging on privileged actions from every vendor-provided integration, and a real process for reviewing and approving new SaaS tools before they touch company data.
4. Cloud misconfiguration and exposed data
When organizations ran everything on-prem, firewall rules were the control plane. Today, a misconfigured S3 bucket, a too-permissive SAS token, a storage account with public blob access, or a poorly scoped IAM role is the equivalent of leaving the file server on the public internet with anonymous read access.
The attacks against cloud misconfiguration are largely automated. Cloud infrastructure gets scanned continuously by both researchers and criminals. A bucket that becomes publicly readable on Tuesday afternoon will be indexed by a dozen tools before Wednesday morning.
Defense here is about posture management. Cloud Security Posture Management (CSPM) tools — Microsoft Defender for Cloud, Wiz, Orca, Lacework, or an open-source equivalent like CloudSploit — are no longer optional for any organization with a meaningful cloud footprint. Neither is a process for reviewing and approving identity and access changes. The pattern of breaches we see is almost never "the attacker found a zero-day." It is "the engineer made a change two months ago and nobody caught it."
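The "publicly readable bucket" case is the kind of check a CSPM tool runs continuously. As an added example (not from the original post, and not any vendor's rule), here is the core of that check over S3 bucket-policy JSON: an Allow statement with a wildcard principal, an object-read action, and no Condition. Both sample policies are constructed; treating any Condition as a scoping control is a simplification, since some conditions do not restrict who can read.

```python
"""Flag S3 bucket-policy statements that grant unconditional anonymous read (added example)."""
import json

# Constructed: exposes every object in the bucket to the internet.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed: same read grant, scoped to one IAM role (account ID is made up).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReportingRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Actions that let a principal read object contents.
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}

def _as_list(v):
    """Normalize the string / dict / list shapes IAM policy JSON allows."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]

def _is_anonymous(principal):
    """True when Principal is the wildcard in either of its JSON shapes."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def public_read_statements(policy_json):
    """Return the Sid (or index as a string) of each offending Allow statement."""
    doc = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        if actions & READ_ACTIONS and not st.get("Condition"):
            findings.append(st.get("Sid", str(i)))
    return findings
```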
5. Business email compromise and invoice fraud
BEC is not technically sophisticated. It is socially sophisticated. An attacker phishes their way into a single mailbox, reads months of correspondence, identifies an in-flight payment to a vendor, and inserts themselves into the email thread at exactly the right moment with updated wire instructions. The CFO approves the payment and wires hundreds of thousands of dollars to an attacker-controlled account.
BEC is consistently one of the top two or three cyber loss categories by dollar value. The FBI's IC3 report has it in the billions annually. It is also one of the hardest threats to stop with technology alone, because by the time the fraudulent email arrives, it is arriving from a legitimate account that belongs to a legitimate vendor whose mailbox has been compromised.
The defenses are a mix of technical and procedural. DMARC, DKIM, and SPF properly configured prevent some of the spoofing variants. Mail flow rules that flag messages with modified reply-to headers or newly registered domains help more. But the real stopper is a financial process that requires an out-of-band verbal confirmation for any wire instruction change, no exceptions. Make it a rule with no wiggle room, and drill it.
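The mail-flow checks mentioned above (reply-to mismatch, sender not among known vendors, failed DMARC, payment-change language) are straightforward to express. This is an added example rather than code from the original post; the raw message and the known-vendor domain list are constructed. It also illustrates the limit the text describes: a message sent from a genuinely compromised vendor mailbox would trip only the last indicator, which is why the verbal confirmation rule is the real control.

```python
"""Flag BEC indicators in a message's headers (added example, constructed input)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains finance has on file for vendors it pays.
KNOWN_VENDOR_DOMAINS = {"northwind-supply.com"}

# Constructed sample: From looks right, Reply-To points elsewhere, DMARC failed.
SAMPLE_MESSAGE = """\
From: Accounts Payable <ap@northwind-supply.com>
Reply-To: ap@northwind-supply-billing.com
To: cfo@example.com
Subject: Updated wire instructions for invoice 4471
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=northwind-supply-billing.com; dkim=none; dmarc=fail header.from=northwind-supply.com

Please use the new bank details below for all future payments.
"""

def _domain(addr_header):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def _auth_results(msg):
    """Parse spf=/dkim=/dmarc= verdicts out of the Authentication-Results header."""
    verdicts = {}
    for part in (msg.get("Authentication-Results") or "").split(";"):
        token = part.strip().split()[0] if part.strip() else ""
        if "=" in token:
            k, v = token.split("=", 1)
            verdicts[k.lower()] = v.lower()
    return verdicts

def bec_indicators(raw):
    """Return the indicator names found in the message; an empty list means none."""
    msg = message_from_string(raw)
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    auth = _auth_results(msg)
    found = []
    if reply_dom and reply_dom != from_dom:
        found.append("reply_to_domain_mismatch")
    if reply_dom and from_dom in KNOWN_VENDOR_DOMAINS and reply_dom not in KNOWN_VENDOR_DOMAINS:
        found.append("reply_to_not_known_vendor")
    if auth.get("dmarc") != "pass":
        found.append("dmarc_not_pass")
    subject = (msg["Subject"] or "").lower()
    if "wire" in subject or "bank" in subject:
        found.append("payment_change_language")
    return found
```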
6. Insider threats and departing employees
Not every insider threat is malicious. Most aren't. The category covers everything from an administrator who holds onto credentials after leaving, to an employee who exports the customer list "just in case," to a contractor whose personal machine is compromised and is now a foothold inside your environment.
The 2024 version of this problem is complicated by remote work. Your "insider" may be working from a personal laptop, over a home network, through a VPN that you configured two years ago and haven't audited since. Access reviews — who has access to what, and do they still need it — are the single most effective control. The frequency needs to be quarterly at minimum, monthly for privileged roles.
Offboarding discipline is the other lever. Every departing employee should trigger the same checklist: disable account, revoke MFA tokens, rotate any shared credentials they knew, recover the device, and audit their access logs for the last 30 days for anything unusual.
Three takeaways
- The categories are stable. The tradecraft inside them isn't. Track the six above, and tune your defenses against what attackers are actually doing this year.
- Identity is now the primary perimeter. Phishing-resistant MFA, Conditional Access, and aggressive privilege management are the biggest controls you can deploy, and they reduce risk across most of this list at once.
- Procedures beat products for the human-centric threats. BEC and insider threats are stopped by process discipline, not by the next tool on the exhibit floor.
Talk with us about your infrastructure
Schedule a consultation with a solutions architect.