Emerging cybersecurity needs: What the market is telling us
The landscape of cybersecurity has undergone a dramatic transformation, moving far beyond the days of nuisance malware like the “Love Bug” or “Blaster Virus.” Cybercrime has evolved into a sophisticated, profit-driven enterprise worth billions.
According to a study in Cyber Risk and Cybersecurity: A Systematic Review (2021), global cybercrime cost nearly $1 trillion in 2020. The World Bank projects that number will rise to $10.5 trillion for 2025. This exponential growth highlights a massive gap between the financial toll of attacks and existing defense capabilities.
Early cyber threats were often driven by ideology. But once attackers discovered the profitability of cybercrime, monetization methods evolved—spam, botnets, crypto mining, and now ransomware-as-a-service. Today, organizations face a constant barrage of increasingly sophisticated threats, demanding a complete rethinking of security strategies.
For any Chief Information Security Officer (CISO), head of IT security, or Managed Service Provider (MSP) beginning a new role, the top priorities within the first 100 days are clear: stop as many cyberattacks as possible, make cybercriminals’ lives difficult, and do it without alienating the IT team. That’s only achievable through a proactive, prevention-first approach.
Proactive prevention through application and behavior control
A significant portion of cyberattacks, estimated at 70% to 90%, involves Office macros. Disabling them is a quick win that rarely disrupts workflows. Macros are often used to download executables or install remote access tools (RATs), which attackers use to gain persistence.
Instead of attempting to detect every malicious file, Application Allowlisting blocks all software by default and allows only explicitly approved programs. This automatically blocks malware, ransomware, and even legitimate tools like TeamViewer or GoToAssist that attackers often abuse.
Organizations also need to control what allowed applications can do. Ringfencing prevents apps like Microsoft Word from launching other programs such as PowerShell. This helps neutralize exploits like Follina that can execute malicious code without user interaction.
Network and endpoint control
Several low-effort changes can significantly reduce attack surfaces:
Disable SMBv1. This obsolete protocol was exploited in the WannaCry ransomware attack and is rarely needed today.
Control RDP and SMB ports. According to CyberSecurity Asia, which references Sophos data, remote encryption methods were involved in approximately 70% of ransomware attacks in 2024. Restrict access to trusted sources only.
Remove VPNs unless essential. VPNs have been leveraged in ransomware attacks due to unpatched firewalls and poor configurations. If required, restrict traffic by source and destination.
Block most outbound internet access from servers. In many cases, servers don’t need to reach the internet. Blocking outbound access prevents payload downloads, as seen in the SolarWinds and Exchange attacks.
Even seemingly internal devices can be exposed if users open ports to access work systems from home. This highlights the need for default-deny firewall and routing policies.
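The macro, SMBv1 and firewall controls from the two sections above can be checked on a host in one pass. This is an added audit script, not code from the article: it reads policy and firewall state and only prints remediation commands in comments. It assumes Windows 10/11 or Server 2016+ with the SmbShare and NetSecurity modules and an elevated session; the admin subnet is a placeholder.

```powershell
# Audit-only posture check: Office macro policy, SMBv1, default-deny inbound,
# and whether RDP/SMB allow rules are scoped or open to any source.
$TrustedAdminSubnet = '10.10.0.0/24'   # placeholder, replace with your management subnet
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Control, $Pass, $Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Pass = [bool]$Pass; Detail = $Detail })
}

# 1. Macros: VBAWarnings=4 disables all macros silently;
#    blockcontentexecutionfrominternet=1 blocks macros in Mark-of-the-Web files.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $ok = ($p.VBAWarnings -eq 4) -or ($p.blockcontentexecutionfrominternet -eq 1)
    Add-Finding "Macros blocked ($app)" $ok "VBAWarnings=$($p.VBAWarnings) blockFromInternet=$($p.blockcontentexecutionfrominternet)"
}
# Remediate: Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord

# 2. SMBv1 must be off at both the Windows feature and the SMB server level.
$smb1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
$smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
Add-Finding 'SMBv1 disabled' (($smb1Feature -ne 'Enabled') -and (-not $smb1Server)) "feature=$smb1Feature server=$smb1Server"
# Remediate: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 3. Every firewall profile enabled with inbound default-deny.
foreach ($prof in Get-NetFirewallProfile) {
    $ok = ($prof.Enabled -eq 'True') -and ($prof.DefaultInboundAction -eq 'Block')
    Add-Finding "Inbound default-deny ($($prof.Name))" $ok "enabled=$($prof.Enabled) inbound=$($prof.DefaultInboundAction)"
}

# 4. No enabled inbound allow rule for RDP (3389) or SMB (445) may accept
#    connections from 'Any' remote address; scope such rules to the admin subnet.
foreach ($port in 3389, 445) {
    $rules = Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $port } |
        Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $wideOpen = $rules | Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    Add-Finding "TCP/$port not open to Any" (-not $wideOpen) "$(@($rules).Count) allow rule(s), $(@($wideOpen).Count) unscoped"
}
# Remediate: New-NetFirewallRule -DisplayName "RDP from $TrustedAdminSubnet" -Direction Inbound `
#            -Protocol TCP -LocalPort 3389 -RemoteAddress $TrustedAdminSubnet -Action Allow

$findings | Format-Table -AutoSize
```

Run it before and after a change window; any row with Pass = False maps directly to one of the quick wins listed above.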
Identity and access management
Multi-factor authentication (MFA) is critical for all remote accounts, including Microsoft 365, Google Workspace, domain registrars, and remote access tools. Even if a password is compromised, MFA can block unauthorized access.
Removing local administrator rights also limits what attackers can do. While attackers don’t need admin rights to run ransomware, removing these privileges can prevent them from disabling security tools. Privileged access should be granted per application using elevation tools, not assigned to users broadly.
Data protection and access visibility
BitLocker or similar full-disk encryption should be enabled on all devices that support it. It helps prevent boot-level tampering and safeguards virtual hard disks from being mounted or copied.
Granular file access controls reduce risk by ensuring users and programs only access the files they truly need. For example, SSH clients like PuTTY should be restricted to log and text files. The CFO may need access to the company’s financial data, but someone in marketing probably doesn’t. This helps prevent data exfiltration and mass encryption attempts.
USB drives should be blocked by default. These devices can be used to introduce malware or steal sensitive information. Exceptions can be granted for encrypted, approved drives on a case-by-case basis.
Comprehensive file activity auditing—tracking reads, writes, deletes, and moves—across endpoints, cloud storage such as OneDrive, and removable media offers crucial insight during both incident response and proactive monitoring.
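What that auditing buys you in practice: a mass-encryption attempt shows up as one user and host touching many files in a short window, usually renaming them to a single new extension. The detector below is an added example, not the article's or any product's code; the record format (time,user,host,action,path,newpath) and the log lines are constructed for it.

```powershell
# Flag user+host pairs that touch an unusual number of distinct files in one
# fixed time window, and report the dominant new extension among renames.
function Find-EncryptionBursts {
    param($Records, [int]$WindowSeconds = 60, [int]$Threshold = 20)
    $Records |
        Where-Object { $_.action -in 'write', 'rename', 'delete' } |
        ForEach-Object {
            # bucket each modifying event into a fixed window (epoch seconds / window)
            $t = [datetime]$_.time
            $b = [math]::Floor(($t - [datetime]'1970-01-01').TotalSeconds / $WindowSeconds)
            $_ | Add-Member -NotePropertyName bucket -NotePropertyValue $b -PassThru
        } |
        Group-Object user, host, bucket |
        ForEach-Object {
            $g = $_.Group
            $files = @($g.path | Sort-Object -Unique).Count
            if ($files -lt $Threshold) { return }   # below threshold: normal activity
            # a single new extension across many renames is the classic ransomware marker
            $ext = $g | Where-Object { $_.action -eq 'rename' -and $_.newpath } |
                ForEach-Object { [IO.Path]::GetExtension($_.newpath) } |
                Group-Object | Sort-Object Count -Descending | Select-Object -First 1
            [pscustomobject]@{
                User    = $g[0].user
                Host    = $g[0].host
                Start   = ($g.time | Sort-Object)[0]
                Files   = $files
                Renames = @($g | Where-Object { $_.action -eq 'rename' }).Count
                NewExt  = $ext.Name
            }
        }
}

# Constructed sample log: a few ordinary writes by alice, then a 30-file
# rename burst by bob in which every file gains a ".locked" extension.
$header = 'time,user,host,action,path,newpath'
$benign = @(
    '2025-03-03T09:00:05,alice,WS01,write,\\fs01\finance\q1.xlsx,'
    '2025-03-03T09:02:10,alice,WS01,write,\\fs01\finance\notes.docx,'
    '2025-03-03T09:02:11,alice,WS01,read,\\fs01\finance\budget.xlsx,'
)
$burst = 0..29 | ForEach-Object {
    '2025-03-03T10:15:{0:D2},bob,WS07,rename,\\fs01\finance\doc{1}.docx,\\fs01\finance\doc{1}.docx.locked' -f $_, $_
}
$records = @($header) + $benign + $burst | ConvertFrom-Csv
Find-EncryptionBursts -Records $records | Format-Table -AutoSize
```

On the sample data only bob/WS07 is reported (30 files, 30 renames, NewExt ".locked"); the same grouping works over OneDrive or removable-media audit exports once the column names are mapped.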
Vulnerability management and runtime visibility
Patching remains one of the most effective but inconsistently executed cyber hygiene practices. Many attacks succeed by exploiting vulnerabilities that have had patches available for months or years. Organizations should automate patching for operating systems and third-party applications, including portable software.
Legacy systems remain common, even years after official support ends. Security solutions must account for modern infrastructure as well as older platforms like Windows XP that still exist in production environments.
Security teams also need real-time visibility into what’s running, not just what’s installed. Unmonitored browser extensions, unsigned executables in the Downloads folder, or tools with encryption capabilities can all pose serious risks.
Web content filtering should extend beyond malicious domains to block unapproved cloud tools and file-sharing platforms. Shadow IT remains a leading source of data governance issues.
Managed detection and response
Endpoint Detection and Response (EDR) tools are only effective if someone is watching the alerts. A 24/7 Security Operations Center (SOC) or Managed Detection and Response (MDR) provider is essential to contain attacks in real time. Rapid isolation of infected machines or user accounts can prevent mass compromise.
The cybersecurity market is moving toward a model that emphasizes prevention by default, granular control over applications and identities, and real-time managed detection and response. With clear policies, continuous monitoring, and automated enforcement, organizations can eliminate entire categories of risk before attackers even get a foothold.