
teissTalk: Shielding sensitive data from ransomware – staying ahead of evolving threats

On 20 November 2025, teissTalk host Thom Langford was joined by Edward Starkie, Director, GRC | Cyber Risk, Thomas Murray; Cameron Brown, Head of Cyber Threat and Risk Analytics, Ariel Re; and Jesus Cordero, Director, Solution Architects AppSec, NetSec & XDR, EMEA, Barracuda.


Views on news

 

Ransomware surged in Q3 2025, with just three groups accounting for the majority of cases (65%), and initial access most commonly achieved via compromised VPN credentials, according to Beazley Security. As in Q2, the use of valid credentials to access VPNs was the most common method of initial access, accounting for half (48%) of breaches – up from 38% the prior quarter. External service exploits were the second most popular technique, comprising 23% of cases.

While VPNs are a great technology that has been used extensively for the past 20 years, they have become outdated – unless you have highly skilled tech experts behind them and the tools to detect anomalies in the network. One answer to the problem is ZTNA – which, in fact, stands for Zero Trust Network Architecture, where the perimeter of the network isn’t clearly defined. As a result, the perimeter is now the individual connecting to the network. When the connection is made via ZTNA, the user has access to only one application and, therefore, can’t compromise the entire system, which can happen through a VPN link.


Why security should be more proactive


Ransomware is a technique that can be enabled with various tools, now including the latest AI-driven solutions as well. Ever longer stretches of the ransomware workflow are expected to be taken over by AI – at first it just automates the job of access brokers, but it may take over the negotiation process too at a later point. Currently, security professionals must fight with a blunt knife against genuine weapons – unethical agentic AIs know no boundaries, and they can be particularly dangerous in the hands of technologically unskilled individuals, while the good guys must wait for legislation and licences before they can raise their game. Businesses’ security posture is further weakened by shadow IT and employees injecting proprietary data into gen AI systems.


The prevalence and frequency of recent outages may suggest that they weren’t purely accidental. The security industry should think ahead and find ways of becoming more proactive, so that the question it asks itself when the worst happens is whether it is ALREADY on top of the particular problem. To accelerate the transition, businesses should do more active threat hunting and make greater use of threat intelligence. They should aim for full visibility through continuous monitoring, micro-segmentation and vulnerability scanning to see what’s going on in every asset 24/7.


The tools for full automation are available. What stands in the way is the fragmented nature of the defence ecosystem, which relies on a multitude of different tools. Lessons could be learnt from recent attacks by examining to what extent AI was involved in them. The AI that attackers use is based on LLMs and, therefore, makes mistakes that researchers should look out for to see how it has been fooled into breaking protocols. You must patch systems against privilege escalation, because attackers will look to escalate their privileges, as well as against lateral movement. AI can also be used to roll the system back to the point where the attack happened, wipe everything from that point onwards and get the system up and running in a matter of minutes.

While insurance can provide you with coverage, you can’t get full protection against every risk. You must also ensure that the money you put aside can help you manage the residual risks that you aren’t covered for. Email security has become key in fending off attacks too.


The panel’s advice

  • Don’t try to boil the ocean. Do what you can with what you’ve got.
  • The questions you should consider for business continuity are: who is responsible when an incident happens (CISO or risk function?), can you prevent criminals accessing your IP or patents while the CISO is busy getting the organisation back on its feet, and do you have a solid relationship with partners to build on when responding to an attack?
  • Micro-segmentation and particularly MFA are now table stakes in cyber defence – although there have been some attacks recently that bypassed it.
  • Make the threat posed by ransomware attacks tangible through real-world examples.
  • Replace manual workflows with a platform that combines all of them – surveillance, vulnerability scanning, remediation – into one unified ecosystem.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543