Cybersecurity company ThreatDown has reported that 2025 marked a record year for ransomware attacks, with incidents increasing by eight percent compared to the previous year, affecting organizations across 135 countries. The landscape of cyber threats has evolved, with factories now being targeted by nation-states, rampant identity theft, and the vulnerabilities introduced by cloud computing and artificial intelligence heightening the risks for businesses.
Gavin Millard, VP of Intelligence at exposure management firm Tenable and a former ethical hacker, highlights the need for companies to reassess their approach to evolving vulnerabilities within the enterprise attack surface. Millard suggests that this reassessment may require companies to adopt a mindset of “active inertia,” focusing on immediate vulnerabilities rather than simply complying with regulatory mandates.
Millard noted that regulated industries typically demonstrate a stronger cybersecurity posture due to compliance requirements. He states, “Regulated industries have to comply with mandates for a certain level of cybersecurity to remediate vulnerabilities in certain timeframes, whereas non-regulated organizations have to want to do that.” This compliance-driven approach does not guarantee security; however, it encourages regulated firms to invest more in cybersecurity, driven by higher risk profiles and lower appetites for risk.
In discussions with a chief information security officer (CISO) in the insurance sector, Millard noted the financial implications of ransomware attacks for firms that provide cyber insurance. While some organizations may not prioritize reputational damage, Millard emphasized that an entity’s risk profile and appetite for risk significantly influence its cybersecurity investments.
The nature of ransomware has shifted. Millard explains that ransomware groups are increasingly targeting large organizations, demanding higher payouts to justify the economic risks associated with breaking in. “Ransomware groups target large organizations and the payouts have to be larger to justify the economics of breaking in,” he said. The impact of these attacks extends beyond financial loss; for instance, targeting hospitals poses a risk to lives if ransoms are not paid.
Millard advocates for ransom payments only in extreme cases where human life is at risk, cautioning that paying ransoms without necessity merely fuels future attacks. “When companies pay when they don’t need to, this funds the next attack,” he argues. He also countered the notion that paying a ransom expedites business operations recovery, citing that organizations often lack robust cyber resilience and incident response plans. “It is better to spend a proactive penny than a reactive pound,” he stated, asserting that a well-prepared incident response framework should minimize operational downtimes to a matter of days rather than months.
Adding to the complexity of ransomware threats is the rise of AI-enabled attacks. Millard expressed concern about the growing scale and automation of these attacks, which capitalize on known vulnerabilities. “Ransomware groups are making money hand over fist and this is fueling more attacks,” he said. The rapid increase in attacks is less about innovative tactics and more about leveraging existing vulnerabilities, exacerbated by AI tools that allow for greater scale.
To defend against these evolving threats, Millard suggests a shift in strategy, rooted in the concept of “active inertia” proposed by Don Sull. Rather than adhering to rigid compliance timelines, he advocates prioritizing the resolution of key vulnerabilities swiftly. “Instead of patching thousands of vulnerabilities within 90 days, how do you find the 10 most important vulnerabilities and patch them in hours?” he asked, emphasizing the importance of proactive measures to mitigate automated attacks.
Millard argues for a programmatic change in vulnerability management, suggesting that organizations should define service-level agreements (SLAs) based on desired security outcomes rather than on conventional timelines. “Ransomware vulnerabilities need to be corrected within minutes,” he stated, urging organizations to focus on the critical vulnerabilities that ransomware groups actually exploit.
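One way to put the outcome-based SLA idea from the last two paragraphs into practice, as an added illustration that is not Tenable's or Millard's code: rank findings by evidence of ransomware use and exposure rather than by CVSS alone, attach an hours-scale deadline to the top tier, and keep the flat 90-day window only for the long tail. The tier thresholds, the `ransomware_exploited` feed flag, the inventory and the CVE identifiers are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Finding:
    asset: str
    cve: str                    # constructed placeholder ids, not real CVEs
    cvss: float
    ransomware_exploited: bool  # assumed flag from a threat-intel feed
    internet_facing: bool
    first_seen: datetime

# Outcome-based SLA per tier, in hours (assumed values). The 90-day window
# survives only for the long tail; flaws used by ransomware get hours.
SLA_HOURS = {"ransomware": 4, "exposed-critical": 24, "critical": 72, "standard": 90 * 24}
TIER_ORDER = list(SLA_HOURS)

def tier(f: Finding) -> str:
    """Assign a remediation tier; ransomware use outranks raw CVSS."""
    if f.ransomware_exploited:
        return "ransomware"
    if f.internet_facing and f.cvss >= 9.0:
        return "exposed-critical"
    if f.cvss >= 9.0:
        return "critical"
    return "standard"

def prioritize(findings, now: datetime, top_n: int = 10):
    """Return the top_n findings with tier, SLA deadline and overdue status."""
    ranked = sorted(findings, key=lambda f: (TIER_ORDER.index(tier(f)), -f.cvss, f.first_seen))
    rows = []
    for f in ranked[:top_n]:
        t = tier(f)
        deadline = f.first_seen + timedelta(hours=SLA_HOURS[t])
        rows.append({"asset": f.asset, "cve": f.cve, "tier": t,
                     "deadline": deadline, "overdue": now > deadline})
    return rows

NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time
SAMPLE = [  # constructed inventory: a low-CVSS VPN flaw used by ransomware outranks a 9.8
    Finding("vpn-gw-01", "CVE-0000-0001", 7.8, True, True, NOW - timedelta(hours=6)),
    Finding("web-01", "CVE-0000-0002", 9.8, False, True, NOW - timedelta(hours=2)),
    Finding("db-02", "CVE-0000-0003", 9.1, False, False, NOW - timedelta(days=1)),
    Finding("laptop-17", "CVE-0000-0004", 5.3, False, False, NOW - timedelta(days=100)),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE, NOW):
        print(row)
```

Running it shows the ransomware-used VPN flaw already overdue after six hours, while the 9.8-rated web flaw still has most of a day on its clock.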
He also raised questions about the role of regulators in addressing ransomware threats, suggesting that current compliance frameworks could be counterproductive. “A 90-day SLA is the problem,” Millard remarked, advocating for regulations that incentivize timely action rather than punitive measures for breaches.
In his parting remarks, Millard cautioned against blaming employees for security breaches, likening it to blaming chickens for the fox getting into the henhouse. “If an employee clicks on malware, that is a programmatic security failure,” he stated, insisting that organizations need robust controls in place, such as multi-factor authentication, to limit the damage from such incidents.
Millard’s insights underscore a pragmatic approach to cybersecurity that emphasizes effectiveness over compliance. His advice to prioritize investment in incident response and disaster recovery is a call to action for executive boards and shareholder committees as they navigate the increasingly perilous landscape of ransomware threats.