PwC Annual Threat Dynamics 2026: Identity, AI, and Ransomware Reshape the Threat Picture for Houston Businesses
Annual Threat Intelligence Report Outlines Practical Cybersecurity Priorities – Manufacturing, Construction, And Legal Sectors See Largest Ransomware Increases
A 7,635-victim ransomware year, AI-powered attack chains, and identity-first intrusions - what PwC's latest threat report means for Houston businesses.
PwC just released its Annual Threat Dynamics 2026 report - 95 pages built from direct incident response work, managed security operations, and threat intelligence collected across 136 countries. The picture it paints for 2026 should concern every business owner, regardless of size. The threat model has shifted and the core message is blunt: attackers don't bother exploiting systems when they can simply log in with stolen credentials.
For Houston-area businesses running between 10 and 200 employees, this report carries specific implications. Manufacturing, construction, professional services, legal, and healthcare - all industries with a heavy presence across the Katy and Sugar Land corridors - saw significant jumps in ransomware targeting. We're breaking down what matters most for small and mid-sized businesses running real operations with real constraints.
PwC frames identity as sitting in "pole position" as the primary threat vector. The math is straightforward for criminals: one compromised account can unlock an organization's most critical systems. That single credential delivers maximum return with minimum effort. 18% of executives PwC surveyed now rank identity and access management as a top-three cybersecurity budget priority.
Throughout 2025, attackers clustered around four identity-based entry points. Human-focused attacks used credential harvesting through impersonation, phishing, and social engineering - often exploiting password reuse and weak MFA. Configuration weaknesses let attackers turn misconfigured authentication policies into access. Device-level exploitation targeted unmanaged endpoints to capture authentication tokens through infostealer malware. And token and session abuse manipulated cloud trust through malicious OAuth applications and adversary-in-the-middle proxy techniques.
One case study stood out. A threat actor called Luna Moth (tracked by PwC as White Dev 203) targeted US law firms, healthcare, and insurance organizations by simply calling employees and impersonating IT support. Using legitimate remote access tools like AnyDesk and Splashtop, they gained access and stole data without deploying any malware. No ransomware either - they just threatened to release the data unless paid. By April 2025, the number of legal sector victims on Luna Moth's leak site had nearly doubled from the end of 2024.
Russia-based actors abused Microsoft authentication workflows throughout 2025, using device code phishing and OAuth abuse to trick victims into generating access tokens. These operations targeted government, defense, education, and NGO entities, but the techniques transfer directly to any business running Microsoft 365. Generative AI made all of this worse - powering more convincing phishing messages, realistic voice impersonation for IT help desk calls, and faster credential-stuffing operations.
PwC's report dedicates an entire section to what it calls "slipstream spread" - attackers riding trusted third-party connections into organizations. About one-third of executives surveyed ranked cloud and connected product attacks in their top three least-prepared-for threats. That tracks with what we see in Cypress and West Houston businesses running 15 to 20 different SaaS applications with varying levels of access control.
The Salesloft Drift attack from August 2025 illustrated the risk perfectly. An attacker compromised Salesloft's GitHub repository, stole OAuth tokens from the Drift application, then used those tokens to pull data from the Salesforce instances of dozens of downstream companies - including major technology and cybersecurity firms. One vendor compromise cascaded into data exposure for an entire customer base.
A separate supply chain attack called Shai-Hulud hit over 600 NPM packages and 40 developer accounts in September 2025. It harvested credentials for GitHub, AWS, Azure, Google Cloud, Atlassian, and Datadog during routine software installation. A second wave appeared two months later. This is the kind of thing that hits engineering firms and technology shops running custom development environments without dependency scanning.
PwC's recommendation: treat trust as a dynamic surface, not a fixed assumption. Map where your OAuth apps, connectors, and identity dependencies concentrate risk. Then continuously validate those trust relationships.
The numbers are hard to ignore. PwC tracked 7,635 ransomware leak site victims across 135 distinct ransomware operations in 2025, up from 4,837 victims across 92 operations in 2024. Monthly victim counts peaked at 858 in March 2025 - a 176% increase over the same month the year before. The number of active ransomware groups more than doubled.
Some good news mixed in: PwC notes a general decline in both the percentage of victims paying ransoms and the average payment value. Law enforcement takedowns have fragmented major operations and exposed that many ransomware groups don't actually delete stolen data even after receiving payment.
But that fragmentation created something PwC calls a "death by a thousand cuts" dynamic. Individually, smaller groups cause limited damage. Together, they produce persistent, system-level risk across every sector. New operations like "The Gentlemen" emerged offering affiliates 90% profit sharing to attract experienced operators from a crowded criminal market. LockBit, Qilin, and DragonForce reportedly formed a "coalition cartel" to formalize cooperation.
"When ransomware groups start forming cartels and offering 90/10 affiliate splits, that tells you the criminal market has matured to the point where it operates like any competitive industry. Houston businesses between 20 and 200 employees sit right in the crosshairs of these operators." - Shane Stevens, CEO of CinchOps
Data theft-only attacks gained ground in 2025, particularly in healthcare where data sensitivity alone provided enough extortion pressure. One group called CodeFinger took things further by exploiting AWS cloud storage - using AWS server-side encryption with customer-provided keys to lock organizations out of their own S3 buckets. That approach defeats traditional backup strategies because recovery is impossible without the attacker's decryption key.
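As a defensive counterpart to the CodeFinger tactic above, here is an added example (not from the PwC report or the original post) of an S3 bucket policy that denies any object upload using server-side encryption with customer-provided keys (SSE-C), so objects cannot be rewritten under a key the bucket owner never held; the bucket name `example-bucket` is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySSECUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "false"
        }
      }
    }
  ]
}
```

The `Null: false` test matches only requests that carry the SSE-C algorithm header, so normal SSE-S3 and SSE-KMS uploads are unaffected; pairing this with S3 Versioning keeps a prior object version recoverable even if an overwrite does get through.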
| Sector | 2024 Victims | 2025 Victims | % Increase | Houston Relevance |
|---|---|---|---|---|
| Manufacturing | 711 | 943 | 33% | Katy/West Houston industrial corridor |
| Professional Services | 552 | 788 | 43% | CPA, consulting, engineering firms |
| Construction | 452 | 691 | 53% | Heavy presence across Houston metro |
| Technology | 381 | 549 | 44% | Energy Corridor tech companies |
| Healthcare | 370 | 488 | 32% | Texas Medical Center ecosystem |
| Legal | 210 | 405 | 93% | Downtown Houston legal sector |
| Hospitality & Leisure | 124 | 272 | 119% | Houston hotel/restaurant operations |
| Logistics | 143 | 240 | 68% | Port of Houston supply chain |
The geographic concentration is telling too. 78% of all ransomware victims in 2025 came from just 10 countries, with the United States holding the largest share by a wide margin. Manufacturing, professional services, and construction led the victim count - three sectors with massive footprints across the Houston metro.
PwC calls edge devices and infrastructure the "blind corners" of the modern attack surface. VPNs, load balancers, email gateways, firewalls, and identity proxies became favored entry points for both nation-state and criminal operations throughout 2025. Only 6% of organizations surveyed felt "very capable" of withstanding attacks across all known vulnerabilities.
The report catalogs a steady stream of critical vulnerabilities that were actively exploited in the wild. Ivanti Connect Secure VPNs were hit in January 2025. Palo Alto PAN-OS suffered a critical authentication bypass in February. CrushFTP had a major flaw exploited by March. SAP NetWeaver was targeted by Chinese state actors in May. A critical Cisco email gateway zero-day appeared in October. Fortinet FortiWeb got hit in November.
For a 50-person oil and gas company in Katy running a Fortinet firewall and an Ivanti VPN, these aren't abstract threats. They're specific product vulnerabilities that threat actors scanned for and exploited within days - sometimes hours - of public disclosure. PwC found that attack chains are shortening because adversaries now integrate proof-of-concept exploit code, reverse-engineer patches, and automate post-compromise tooling faster than ever.
Reconnaissance itself has become industrialized. Iran-based threat actors used custom mass-scanning tools to enumerate over 1,000 subdomains across 22 organizations, focusing on perimeter technologies like smart devices, audiovisual systems, automation platforms, and email tooling. The scale of vulnerability discovery - 45,988 new CVEs in a single year - makes prioritized patch management not just a best practice but a survival requirement for any business with internet-facing infrastructure.
AI was the number one cyber investment priority for security leaders PwC surveyed, and the most frequently raised forward-looking concern from incident response clients. That concern is justified. PwC reports the gap between when an AI company releases a new capability and when threat actors weaponize it shrank dramatically in 2025.
The practical impacts showed up across multiple categories. Criminals rapidly adopted tools like WormGPT, SpamGPT, and FraudGPT for generating convincing, linguistically accurate phishing content across languages. Deepfake technologies matured to the point where executive fraud, vishing scams, and identity manipulation cost a fraction of what they did two years ago. PwC notes that voice accent converters designed for call centers are being repurposed by attackers to make their social engineering calls sound more legitimate.
On the malware side, AI-generated code fragments appeared in the Lumma Stealer malware family in early 2025. A first-of-its-kind AI-written ransomware called PromptLock emerged - capable of dynamically generating scripts based on embedded prompts. Ransomware group DragonForce released an AI-powered data analysis service that lets affiliates generate risk reports on their victims using 300-400 GB of stolen data, helping them tailor extortion demands to each target's specific vulnerabilities.
North Korea-based operatives used AI to create fake personas, fabricated work histories, and deepfake videos convincing enough to pass job interviews at technology companies worldwide. PwC tracks this group as "Black Ara" and estimates tens of thousands of illicit remote workers are active globally, generating revenue for the North Korean regime while also positioning themselves for espionage and extortion.
The most concerning development: autonomous AI agents that can conduct entire attack sequences without human intervention. In November 2025, a China-based threat actor reportedly used Anthropic's AI toolchain to launch a campaign against 30 global organizations, with 80-90% of the operation executed autonomously within pre-set parameters.
PwC documents a concerning pattern: theft, fraud, and insider compromise have merged into a single threat category. Adversaries blend social engineering, deepfake impersonation, third-party compromises, and embedded insider access - sometimes simultaneously in the same campaign.
Multi-stage executive impersonation fraud has moved well beyond traditional business email compromise. What starts as a casual text message impersonating an executive escalates to polished follow-up emails, then to AI-generated deepfake video calls where attackers simulate executives with enough precision to authorize fund transfers. Each stage builds trust incrementally until the victim feels the transaction is legitimate.
North Korean crypto theft operations stole over $2 billion in 2025. The Bybit heist alone accounted for $1.4 billion - and it wasn't a direct attack on the exchange. Attackers compromised a developer at Safe{Wallet}, a third-party software provider, injected malicious code into the frontend interface, then waited for Bybit executives to approve what appeared to be a routine transfer. The code displayed the correct recipient address to users while silently redirecting funds to an attacker-controlled wallet. By mid-July, over 79% of the stolen assets had been successfully laundered and were considered untraceable.
PwC also flags growing physical security risks tied to digital exposure. A large-scale data leak in mid-2025 known as "The CEO Database" exposed detailed profiles of more than 1,000 corporate executives. Domestic extremist groups are increasingly publishing personally identifiable information about executives with the explicit intent of enabling harassment, stalking, or physical harm.
For wealth management firms, CPA practices, and energy companies across Houston, these converging threats require shared visibility across IT, finance, HR, and legal teams - not just the security team working in isolation.
CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.
Every major finding in PwC's report maps directly to services CinchOps delivers for businesses across The Woodlands, Richmond, Fulshear, and the greater Houston area:
- Identity and Access Management - We deploy and manage phishing-resistant MFA, conditional access policies, and identity governance across your Microsoft 365 and cloud environments. We harden IT help desk processes against the social engineering attacks PwC flagged as a top concern.
- Continuous Patch and Vulnerability Management - With 45,988 new CVEs published in 2025, prioritized patching is critical. We monitor, test, and deploy patches across your endpoints, servers, and edge devices on an accelerated timeline matching the speed at which attackers weaponize new flaws.
- Ransomware Prevention and Recovery - Isolated backup strategies, endpoint detection and response, network segmentation, and tested disaster recovery plans that account for both on-premises and cloud-based encryption attacks like the CodeFinger S3 tactic PwC documented.
- Third-Party Risk and SaaS Security - We audit OAuth permissions, monitor connected applications, and help you map where vendor trust concentrates risk - exactly the kind of visibility PwC says organizations need to counter supply chain attacks.
- Security Awareness Training - AI-powered phishing and deepfake impersonation demand updated training programs. We run ongoing simulations that reflect the actual techniques PwC observed in 2025, including ClickFix-style social engineering and executive impersonation scenarios.
- Edge Device and Network Hardening - Firewall configuration audits, VPN security reviews, and monitoring for the specific vulnerability classes PwC identified as top targets for nation-state and criminal operations.
PwC's report makes one thing clear: the organizations that will fare best in 2026 are the ones treating security as an agile, continuously tuned system rather than a set-it-and-forget-it checklist. That's exactly how we operate at CinchOps. If your business runs between 10 and 200 employees anywhere in the Houston metro - from Katy to The Woodlands - we'd welcome the chance to show you where your gaps are before an attacker finds them first.
Self-Assessment: Is Your Business Ready for 2026 Threats?
- Do all employees use phishing-resistant MFA (not just SMS codes) for email and cloud applications?
- Can you identify and revoke every third-party OAuth application connected to your Microsoft 365 or Google Workspace environment?
- Are your backups stored in a location isolated from both your primary network and cloud accounts, and have you tested restoration within the past 90 days?
- Do you have a process to patch critical edge device vulnerabilities (firewalls, VPNs, email gateways) within 48 hours of disclosure?
- Has your team received training on AI-generated phishing, deepfake impersonation, and social engineering techniques used in 2025?
FAQ
What does PwC's Annual Threat Dynamics 2026 report reveal about identity-based attacks?
PwC identifies identity compromise as the primary attack vector for both criminal and nation-state actors. Attackers prefer stealing credentials and exploiting authentication workflows like SSO and OAuth over traditional exploits. 18% of executives now rank identity and access management as a top-three cybersecurity budget priority.
How much did ransomware increase in 2025 according to PwC's threat report?
PwC tracked 7,635 ransomware leak site victims in 2025, a 58% increase over 2024's 4,837 victims. Active ransomware operations grew from 92 to 135. Manufacturing, professional services, and construction saw the highest victim counts, while the legal sector jumped 93% year-over-year.
How is artificial intelligence changing cybersecurity threats for small businesses?
AI now powers every stage of attack operations - from multilingual phishing via tools like WormGPT and FraudGPT, to deepfake executive impersonation and AI-generated malware. The first AI-written ransomware, called PromptLock, emerged in 2025, and autonomous AI agents demonstrated the ability to run full attack sequences without human oversight.
What industries face the highest cybersecurity risk in Houston?
Manufacturing (943 victims), professional services (788), and construction (691) led globally in 2025 - all with major Houston metro footprints. Healthcare, legal, and energy services also saw substantial targeting increases relevant to the Katy, Sugar Land, and Energy Corridor business community.
What steps should Houston businesses take to protect against 2026 cyber threats?
PwC's findings point to deploying phishing-resistant MFA, hardening help desk processes against social engineering, patching edge devices within 48 hours of disclosure, auditing third-party SaaS integrations, maintaining isolated and tested backups, and training employees on AI-powered phishing and deepfake techniques.