The 2026 Independence Annual Brief


Each year, cybersecurity organizations release reports on metrics and activity observed in the previous year. We have reviewed and consolidated key findings from the IBM X-Force report, Mandiant M-Trends, the CrowdStrike Global Threat Report, the World Economic Forum Global Cybersecurity Outlook, and the FBI IC3 Report. As you can see, many of these reports come from vendors, which can introduce bias into both the data they provide and the takeaways they recommend. However, reading them side by side reveals broader trends that are incredibly useful for preparing for the year ahead. This report aims to gather those insights to arm you with the facts.

It is easy to get lost in the noise, but the numbers from this past year reveal a broader story. We noted a massive divide in how attackers operate. On one hand, they are moving faster than ever. The CrowdStrike Global Threat Report shows that the average breakout time, which is the window between an attacker hitting one machine and moving to the next, has dropped to just 29 minutes. That represents a 65 percent increase in speed over the previous year. In one extreme case, an attacker was through the door and moving across the network in just 27 seconds. This increase in speed supports the reality that future attacks will happen at machine speed. Human response will simply not be quick enough to stop them, so defense will need to be automated at machine speed to counter these attacks.
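Breakout time as defined above can be measured from your own authentication telemetry rather than taken only from a vendor's average. As an added illustration that is not part of the original brief or any of the reports it cites, the script below reads a constructed sample of logon events, computes per account the minutes between the first foothold on one host and the first authentication to a different host, and flags anything at or under the 29-minute figure quoted above. The log format and host names are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample events for this example (not taken from any report).
# Format: <UTC timestamp> <account> <source_host> <destination_host> <event>
SAMPLE_LOG = """\
2025-03-04T09:00:00Z jdoe WS-101 WS-101 interactive_logon
2025-03-04T09:12:30Z jdoe WS-101 WS-101 process_create
2025-03-04T09:21:05Z jdoe WS-101 FS-02 network_logon
2025-03-04T09:22:40Z jdoe FS-02 DC-01 network_logon
2025-03-04T10:00:00Z asmith WS-205 WS-205 interactive_logon
2025-03-04T12:15:00Z asmith WS-205 PRINT-01 network_logon
"""

# Average breakout time reported by CrowdStrike for the year, in minutes.
BREAKOUT_THRESHOLD_MIN = 29.0


def parse_events(text):
    """Parse the whitespace-separated sample format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, kind = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "src": src, "dst": dst, "event": kind,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def breakout_minutes(events):
    """Map each account to the minutes between its first foothold host and
    its first authentication to any other host (accounts that never move
    laterally are omitted)."""
    first_seen = {}  # account -> (timestamp, foothold host)
    result = {}
    for e in events:
        acct = e["account"]
        if acct not in first_seen:
            first_seen[acct] = (e["ts"], e["dst"])
            continue
        t0, host0 = first_seen[acct]
        if acct not in result and e["dst"] != host0:
            result[acct] = (e["ts"] - t0).total_seconds() / 60.0
    return result


def fast_breakouts(events, threshold_min=BREAKOUT_THRESHOLD_MIN):
    """Accounts whose breakout time is at or under the threshold, for triage."""
    return sorted(a for a, m in breakout_minutes(events).items() if m <= threshold_min)
```

Run against real SIEM exports, the same logic gives a per-incident breakout time to compare with the vendor average, and the threshold list is a natural trigger for automated containment.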

On the other side of the spectrum is a second group of attackers playing the long game. According to Mandiant’s M-Trends Report, the global median time an intruder stays hidden in a network is about 14 days. However, for state-sponsored espionage, that number jumps to 122 days. The discovery of North Korean IT workers was a significant driver for this metric. You can read more about them here.

There are other adversarial groups interested in long-term persistence in your environment. One common thread in how they stay hidden for months is that they have shifted their focus toward blind spots. They target edge devices like firewalls and VPNs because these systems often lack the sophisticated monitoring we put on our laptops and servers, which allows attackers to camp out undisturbed. Zero Trust principles need to apply to infrastructure: you cannot trust your firewall or VPN implicitly. If it is not already in place, forward their logs to your SIEM and add network-based detection around them.

The data from the reports should shift how we look at financial risk. Ransomware is often talked about as the biggest security threat, but the FBI IC3 Report for 2025 tells a different story about where the money is actually going. Total reported losses hit a record $20.8 billion. However, investment fraud accounted for $8.6 billion of that total, and Business Email Compromise took another $3 billion. Ransomware accounted for a much smaller fraction of the direct losses reported to the Bureau by comparison.

The takeaway here is that it is often more profitable for a criminal to trick a person than it is to fight a technical security control. As we discussed in our recent article on how AI is changing the landscape in 2026, generative AI has made social engineering attacks nearly impossible to spot with the naked eye. Deepfakes and perfectly written emails are becoming the new normal. Securing the human layer with training and processes is more important than ever.

Adversaries can’t pull off $20 billion of crime without a getaway vehicle. Cryptocurrency remains the lifeblood of modern cybercrime. Complaints involving cryptocurrency accounted for $11.36 billion in losses in 2025, representing more than half of the total losses reported to the FBI. One attack alone saw a threat actor compromise a cryptocurrency wallet service’s development environment to alter a smart contract, successfully redirecting $1.46 billion in a single transaction. If your business is leveraging crypto, it is a target.

When attackers do decide to use ransomware, their goal has shifted from simple encryption to recovery denial. Adversaries know most companies have better backups now. To counter this, IBM X-Force found a 44 percent increase in attacks targeting public-facing applications and the systems that manage them. Hypervisors, backup servers, and the identity providers that manage access and passwords need to be considered crown jewels. Even strong security controls may not be enough to prevent severe disruption if any of those are compromised. Recovery becomes slow, costly, and in the worst case, impossible. This is exactly what ransomware operators want.

Lastly, we have to address the ever-growing problem of the supply chain. The World Economic Forum notes that 65 percent of large organizations see third-party and supply chain vulnerabilities as their greatest challenge. You can have a strong security program, but you are still at the mercy of the software and services you buy. This is exactly why we focus so much on vendor optimization at Independence Cyber. Owning more tools usually just means having more access to give away and more trusted identities to manage. Both provide an easy avenue in for an attacker. Third-party risk is not going away, and organizations need to evaluate each relationship for more than just ROI.

What is the Action Plan for 2026?

The numbers suggest a few clear steps to take to harden your organization against the threats that are likely in 2026.

First, review edge infrastructure such as firewalls, routers, and VPN appliances. These systems must be rigorously patched, continuously monitored, and tightly controlled. Their administrative interfaces and configurations should receive security attention comparable to other critical systems.

Second, ensure recovery systems are treated as tier 0, crown jewel assets. Isolate management interfaces through network segmentation, dedicated administrative accounts, and privileged access controls. Where appropriate, minimize dependencies on the primary Active Directory environment, and protect them with independent recovery authentication paths, immutable backups, and just-in-time privileged access.

Third, understand vendor risk. Audit your solutions for redundancy, privilege overlap, and integration sprawl. Reducing unnecessary vendors can simplify operations and reduce the attack surface. Any consolidation needs to be balanced against the risk of creating single points of failure and excessive dependency on a single provider.

Finally, financial losses increasingly stem from social engineering attacks that bypass technical defenses and target human decision-making. High-value transactions and sensitive changes should require strong, out-of-band verification and multi-person authorization using pre-validated channels and dedicated approval systems. Traditional assumptions such as trusting phone calls or email-based confirmations are no longer sufficient, especially as attackers leverage AI to create highly convincing impersonation and phishing attempts. Security must extend “never trust, always verify” to human workflows through structured, resistant approval processes rather than informal checks.

We trust that this comprehensive consolidation of the year’s top threat reports will be of value. At Independence Cyber, we actively choose to remain vendor agnostic. We appreciate the immense amount of work these organizations put into tracking and reporting this intelligence. Security as a field is fundamentally stronger when we share information. Our annual brief will always strive to find and highlight data that is accurate and relevant to your operations. If you want to move toward a more resilient strategy this year, we are always here to help you turn these trends into a practical plan for your business. Drop us a note if you think there are other intelligence reports out there that deserve to be included in our future annual briefs. Thank you for reading.
