M-Trends 2026 Report: What Small Businesses Need to Know

Reza

Every March, Google's Mandiant team releases their M-Trends report - a comprehensive look at what actually happened in cybersecurity over the past year. The 2026 edition dropped last week, and if you run a small or mid-sized business, there are some findings you need to know about.

This isn't theoretical security research. Mandiant analyzed over 500,000 hours of real incident investigations from 2025. Real breaches, real victims, real attack methods that worked. Let's break down what matters for businesses like yours.

The Speed Problem: From Hours to Seconds

Here's the most eye-opening stat from the report: in 2022, when hackers gained initial access to a network, they typically waited over 8 hours before handing off that access to ransomware gangs or data thieves.

In 2025? That window collapsed to 22 seconds.

Think about that. Twenty-two seconds from "we're in" to "ransomware is deploying." Your monitoring tools won't catch it. Your security team won't have time to respond. By the time most detection systems send an alert, the damage is already done.

Why the change? Attackers have industrialized. Initial access specialists now pre-stage the ransomware operator's tools during the first infection. The moment the ransomware crew logs in, they're ready to execute. No setup time, no reconnaissance phase - just straight to encryption or data theft.

What This Means for You

Traditional "detect and respond" security isn't fast enough anymore. If your security strategy relies on catching attackers after they're already inside your network, you're fighting last decade's battle.

You need layered prevention that stops threats before they get in: properly configured firewalls, endpoint protection on every device, email filtering that actually works, and most importantly - staff who can spot phishing attempts before they click.

Voice Phishing Is Exploding

Email phishing dropped to just 6% of successful attacks in 2025. Know what replaced it? Voice phishing (vishing) jumped to 11%, making it the second-most common way attackers break in.

Here's how it works: an attacker calls your help desk or IT support line, pretending to be an employee who's locked out of their account. They sound stressed, they have some basic info about the company (pulled from LinkedIn or your website), and they're very convincing.

Your well-meaning IT person resets the "employee's" password or sends a multi-factor authentication (MFA) bypass code. Boom - the attacker's in.

Mandiant specifically called out groups targeting SaaS platforms like Microsoft 365, Salesforce, and other cloud services. Once inside these systems, attackers steal OAuth tokens and session cookies that let them stay logged in even after you change passwords.

How to Defend Against This

First, train your help desk and IT support staff to verify identity through multiple channels. If someone calls asking for a password reset, call them back at their known number before helping.

Second, implement proper MFA everywhere - but understand that SMS codes and phone calls aren't enough anymore. Use app-based authentication (like Microsoft Authenticator or Google Authenticator) or hardware security keys.

Third, set up monitoring for unusual authentication patterns. If someone's logging in from California at 2 AM when they normally work 9-5 in New York, that should trigger an alert.
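An added illustration of the kind of rule described above, written for this post and not taken from the M-Trends report or from any vendor product: each user gets a baseline of usual sign-in region and local working hours, and sign-ins outside either are flagged. The log format, user names, fixed UTC offsets and baselines are all constructed for the example.

```python
"""Flag sign-ins that fall outside a user's usual region or working hours.

Added example; the log format and per-user baselines are constructed.
Fixed UTC offsets are assumed instead of full time-zone rules for brevity.
"""
from datetime import datetime, timedelta, timezone

# Constructed baseline: UTC offset of the user's home office, the local hours
# they normally work, and the regions they normally sign in from.
BASELINES = {
    "alice": {"utc_offset": -4, "hours": (9, 17), "regions": {"NY"}},
    "bob":   {"utc_offset": -7, "hours": (8, 18), "regions": {"CA"}},
}

# Constructed sign-in records: UTC timestamp, user, region of the source IP.
SIGN_INS = [
    "2025-06-10T14:30:00Z alice NY",   # 10:30 in New York, usual region
    "2025-06-11T06:05:00Z alice CA",   # 02:05 in New York, and from California
    "2025-06-11T16:00:00Z bob CA",     # 09:00 Pacific, usual region
    "2025-06-11T23:45:00Z bob NY",     # 16:45 Pacific, but from New York
]

def parse(line):
    ts, user, region = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, region

def check_sign_in(line):
    """Return the reasons a sign-in looks unusual (empty list if it looks normal)."""
    when, user, region = parse(line)
    base = BASELINES.get(user)
    if base is None:
        return ["unknown user"]
    local_hour = when.astimezone(timezone(timedelta(hours=base["utc_offset"]))).hour
    start, end = base["hours"]
    reasons = []
    if not (start <= local_hour < end):
        reasons.append(f"outside usual hours (local hour {local_hour:02d})")
    if region not in base["regions"]:
        reasons.append(f"unusual region {region}")
    return reasons

def find_anomalies(lines):
    """Map each anomalous sign-in line to its reasons; normal lines are omitted."""
    return {line: r for line in lines if (r := check_sign_in(line))}

if __name__ == "__main__":
    for line, reasons in find_anomalies(SIGN_INS).items():
        print("ALERT", line, "->", "; ".join(reasons))
```

In practice the baselines would be learned from a few weeks of sign-in history rather than hand-written, and the alert would feed your ticketing or SIEM rather than print.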

We help clients configure these controls through our managed cybersecurity services - it's not complicated once you know what to watch for.

Ransomware Groups Are Targeting Your Backups

This one should concern every business owner: ransomware operators aren't just encrypting your data anymore. They're actively hunting down and destroying your backups first.

The M-Trends report documented multiple ransomware families (including Akira and Qilin) specifically targeting:

  • Backup servers and storage
  • Active Directory and identity services
  • VMware hypervisors and virtualization management
  • Cloud backup repositories

Why? Because if they destroy your ability to recover, you're far more likely to pay the ransom. No backups means no choice - pay up or lose everything.

Attackers are exploiting misconfigurations in Active Directory Certificate Services to create admin accounts that survive password changes. They're deleting backup objects from cloud storage. They're encrypting the hypervisor storage layer itself, which simultaneously crashes every virtual machine running on it.

Protecting Your Recovery Capability

Your backup strategy needs to assume attackers will target it. That means:

Air-gapped or immutable backups: Keep at least one copy of your backups completely disconnected from your network, or use immutable storage that can't be deleted even with admin credentials.

Test your recovery regularly: A backup you can't actually restore isn't a backup. We see this all the time - companies think they're protected until they need to recover and discover the backups are corrupted or incomplete.

Separate backup credentials: Don't use your domain admin account to manage backups. If attackers compromise your main admin account, they shouldn't automatically get access to backup systems too.

Monitor backup health: Set up alerts for failed backups, deleted backup jobs, or unusual access to backup infrastructure.
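An added example of the backup health check in the last point, written for this post and not from the M-Trends report or any backup product: it reads backup job events and raises an alert for any job that failed, was deleted, has never succeeded, or has gone longer than its allowed interval without a successful run. The event format, job names and thresholds are constructed.

```python
"""Raise alerts for failed, deleted, missing or stale backup jobs.

Added example; the event log format, job names and thresholds are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed: every job we expect to run and the maximum allowed hours
# between successful runs. A job that exceeds this is "stale".
EXPECTED_JOBS = {"fileserver": 24, "sqldb": 24, "hypervisor": 24}

# Constructed backup job events: UTC timestamp, job name, outcome.
EVENTS = [
    "2025-06-01T02:00:00Z fileserver success",
    "2025-06-01T02:10:00Z sqldb success",
    "2025-06-02T02:00:00Z fileserver success",
    "2025-06-02T02:10:00Z sqldb failure",
    "2025-06-03T02:00:00Z fileserver success",
    "2025-06-03T02:30:00Z sqldb job_deleted",   # nothing for hypervisor at all
]

def parse_event(line):
    ts, job, outcome = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), job, outcome

def backup_health(events, expected=EXPECTED_JOBS, now=None):
    """Return {job: [alert, ...]} for every expected job that has a problem."""
    now = now or datetime.now(timezone.utc)
    last_ok = {}
    alerts = {job: [] for job in expected}
    for line in events:
        when, job, outcome = parse_event(line)
        if job not in expected:
            continue
        if outcome == "success":
            last_ok[job] = max(last_ok.get(job, when), when)
        elif outcome == "failure":
            alerts[job].append(f"failed at {when.isoformat()}")
        elif outcome == "job_deleted":
            alerts[job].append(f"job deleted at {when.isoformat()}")
    for job, max_gap in expected.items():
        if job not in last_ok:
            alerts[job].append("no successful backup on record")
        elif now - last_ok[job] > timedelta(hours=max_gap):
            age = (now - last_ok[job]).total_seconds() / 3600
            alerts[job].append(f"stale: last success {age:.0f}h ago")
    return {job: found for job, found in alerts.items() if found}

if __name__ == "__main__":
    for job, found in backup_health(EVENTS).items():
        print(f"ALERT {job}: " + "; ".join(found))
```

A deleted job is listed as its own alert on purpose: a job quietly disappearing from the schedule is exactly the pattern the report describes, and it would otherwise only show up as "stale" a day later.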

Our backup and disaster recovery service includes all of this, plus quarterly recovery tests to make sure everything actually works when you need it.

Attackers Are Living in Your Network Longer

The median dwell time - how long attackers hide in networks before being discovered - increased from 11 days to 14 days in 2025.

But that's the median. For sophisticated espionage attacks and certain targeted campaigns, dwell times exceeded 120 days. Some attackers maintained access for over 400 days.

How do they stay hidden that long? They're compromising edge devices that most companies don't monitor properly:

  • VPN appliances
  • Routers and switches
  • Firewalls
  • Virtual private network concentrators

These devices typically don't support endpoint detection and response (EDR) tools. They have minimal logging. They're often managed by separate teams or vendors. Perfect hiding spots.

Once an attacker compromises these devices, they can intercept traffic flowing through them - including credentials, emails, and sensitive data - without ever touching a workstation or server where your security tools could catch them.

Closing the Visibility Gap

Most small businesses don't have the expertise or tools to properly monitor network infrastructure. That's a problem, because attackers know it.

At minimum, you need:

  • Centralized logging from all network devices (not just servers and workstations)
  • Regular firmware updates for all edge equipment
  • Network segmentation so a compromised firewall doesn't give access to everything
  • Monitoring for configuration changes on critical devices

This is where a managed IT service provider adds real value. We monitor this infrastructure 24/7 because we see these attacks happening to other clients. When a new vulnerability gets exploited in the wild, we're patching it across all client networks within hours, not waiting for your internal team to read about it on the news.

They're Exploiting Vulnerabilities Before Patches Exist

Here's a statistic that sounds impossible: the mean time to exploit vulnerabilities dropped to -7 days.

Negative seven days. Attackers are exploiting security holes before vendors even release patches for them. These are called zero-day vulnerabilities, and their use is accelerating.

Mandiant documented multiple cases where threat actors exploited vulnerabilities in enterprise software and network devices within hours of discovery - sometimes even before the vendor knew the vulnerability existed.

You can't patch what doesn't have a patch yet. So how do you defend against this?

Defense Without Patches

When patches aren't available, you need compensating controls:

Network segmentation: Limit what an attacker can reach even if they exploit an unpatched vulnerability. If they compromise your VPN appliance, they shouldn't automatically get access to financial systems or customer data.

Principle of least privilege: Every account, service, and application should have only the minimum permissions needed to function. This limits damage when something gets compromised.

Behavioral monitoring: Instead of just looking for known threats, monitor for unusual behavior - like a VPN appliance suddenly connecting to internal databases it has no business accessing.

Vendor security monitoring: Subscribe to security advisories from every vendor whose products you use. When a zero-day gets discovered, you'll know immediately and can implement workarounds while waiting for a patch.
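An added example of the behavioral monitoring control above, written for this post and not from the M-Trends report or any vendor tool: each edge device gets a short list of destinations it legitimately talks to, and any flow from that device to anything else is alerted, with a higher severity when the destination is a database, file-sharing or remote-desktop port. The device inventory, allowed destinations and flow records are constructed.

```python
"""Flag edge devices reaching internal systems they have no business accessing.

Added example; the inventory, allowed destinations and flow records are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed inventory: each edge device and the (network, port) pairs it may
# legitimately connect to. Anything else from that device is unexpected.
EDGE_DEVICES = {
    "10.0.0.5": {"name": "vpn-appliance",
                 "allowed": [("10.0.1.10/32", 1812), ("10.0.1.10/32", 636),
                             ("10.0.1.0/24", 53)]},
    "10.0.0.9": {"name": "edge-firewall",
                 "allowed": [("10.0.1.0/24", 53), ("10.0.1.40/32", 514)]},
}

# Services an edge device should essentially never initiate connections to.
SENSITIVE_PORTS = {445: "SMB", 1433: "MSSQL", 3306: "MySQL",
                   3389: "RDP", 5432: "PostgreSQL"}

# Constructed flow records from the core switch: source, destination, dest port.
FLOWS = [
    "10.0.0.5 10.0.1.10 1812",   # VPN appliance -> RADIUS: expected
    "10.0.0.5 10.0.1.53 53",     # VPN appliance -> DNS: expected
    "10.0.0.5 10.0.2.20 1433",   # VPN appliance -> SQL Server: not expected
    "10.0.0.9 10.0.1.40 514",    # firewall -> syslog collector: expected
    "10.0.0.9 10.0.2.30 445",    # firewall -> file server over SMB: not expected
    "10.0.3.7 10.0.2.20 1433",   # a workstation, not an edge device: out of scope
]

def check_flow(line):
    """Return (severity, message) for an unexpected flow, or None if it is allowed."""
    src, dst, port = line.split()
    port = int(port)
    device = EDGE_DEVICES.get(src)
    if device is None:
        return None                      # only edge devices are in scope here
    for net, allowed_port in device["allowed"]:
        if ip_address(dst) in ip_network(net) and port == allowed_port:
            return None
    severity = "high" if port in SENSITIVE_PORTS else "medium"
    service = SENSITIVE_PORTS.get(port, f"port {port}")
    return severity, f"{device['name']} ({src}) -> {dst} {service}"

def find_unexpected(flows):
    """Return all (severity, message) alerts for a batch of flow records."""
    return [alert for line in flows if (alert := check_flow(line))]

if __name__ == "__main__":
    for severity, message in find_unexpected(FLOWS):
        print(f"[{severity}] {message}")
```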

Our vulnerability management service includes all of this - we track your entire technology stack and monitor for emerging threats that could affect you.

The AI Question

The report addresses AI-powered attacks, but here's the reality: AI isn't fundamentally changing the threat landscape yet.

Yes, attackers are experimenting with AI. Mandiant documented malware that queries large language models to evade detection, and they've seen credential stealers that use AI to search for config files. But these are enhancements to existing attack methods, not revolutionary new threats.

The bigger AI risk right now is complacency. Companies get distracted worrying about futuristic AI threats while ignoring the basics: unpatched systems, weak passwords, missing backups, untrained staff.

Focus on fundamentals first. Once you've mastered those, then worry about AI-powered attacks.

What Good Looks Like: The Positive Trend

There is one encouraging finding in the M-Trends report: 52% of breaches in 2025 were detected by the victim organization's own security tools, up from 43% in 2024.

This means companies are getting better at seeing what's happening in their own environments. More organizations are investing in proper security monitoring and actually acting on alerts.

But it also means 48% of breaches were still discovered by someone else - usually law enforcement, industry partners, or customers reporting suspicious activity. You don't want to be in that 48%.

Where to Start

If these findings feel overwhelming, focus on three priorities:

1. Protect your backups: Make sure you can actually recover from a ransomware attack. Test it quarterly, not just when disaster strikes.

2. Train your people: Voice phishing only works because employees don't know what to watch for. Regular security awareness training makes a measurable difference.

3. Get visibility: You can't protect what you can't see. Implement proper logging and monitoring for all systems, not just the obvious ones.

These aren't expensive, complicated projects. They're foundational security practices that every business should have in place.

What We're Doing About It

At Burgi Technologies, we're already implementing defensive measures based on the M-Trends findings across our client base:

  • Enhanced monitoring for voice phishing attempts targeting help desks
  • Backup infrastructure audits to ensure recovery capabilities survive attacks
  • Accelerated patching cycles for edge devices and network infrastructure
  • Expanded behavioral monitoring to catch threats that bypass signature-based detection

If you're handling this stuff internally, make sure your team has seen the full report. It's freely available on Google Cloud's website.

If you'd rather have someone else handle the technical side while you focus on running your business, we're happy to help. Give us a call at (949) 381-1010 or reach out here.

Frequently Asked Questions

How much does it cost to implement the security controls mentioned in this article?

It varies based on your company size and existing infrastructure. For most small businesses (10-50 employees), a comprehensive security package including monitoring, backup protection, and regular training runs $3,000-$8,000 per month. That's typically less than the cost of one security incident. We offer free security assessments to give you an accurate quote for your specific situation.

Can't I just rely on my existing antivirus to catch these threats?

Traditional antivirus catches known malware, but the M-Trends report shows attackers are using custom tools and exploiting vulnerabilities before patches exist. You need layered security: endpoint protection plus network monitoring, proper backup strategies, user training, and regular vulnerability assessments. Antivirus is one layer, not a complete solution.

We're a small company. Why would attackers target us?

Small businesses are specifically targeted because attackers know you have weaker defenses than enterprises but still process payments, store customer data, and maintain valuable business information. The M-Trends report shows attackers don't discriminate by company size - they target whoever's easiest to compromise. Small businesses are often the easiest.

How long does it take to implement proper backup protection?

For a small to mid-sized business, implementing immutable backups with proper testing typically takes 2-4 weeks. This includes assessing current backup infrastructure, configuring immutable storage or air-gapped systems, setting up monitoring, and running a full recovery test. The timeline extends if you need to migrate to new backup platforms.

What's the difference between regular backups and immutable backups?

Regular backups can be deleted or encrypted by anyone with admin access - including attackers who compromise your admin accounts. Immutable backups use special storage that prevents deletion or modification for a set period (like 30 or 90 days), even if an attacker has full admin credentials. This ensures you can recover even if ransomware destroys everything else.
