
What the Latest Global Cybersecurity Data Tells Business Owners – And What To Do About It
Every year, one of the world’s leading cybersecurity companies publishes a detailed analysis of everything that went wrong: the attacks that succeeded, the techniques that worked, the sectors and geographies that were hardest hit, and the trends that will define the year ahead.
The Acronis Cyberthreats Report H2 2025, produced by the Acronis Threat Research Unit from data gathered across more than one million endpoints worldwide, is that report. It is 84 pages of detailed, evidence-based threat intelligence aimed primarily at IT professionals and managed service providers.
We have read it carefully. And we want to share the four findings that matter most to business owners, translated out of technical language and into the terms that actually affect decisions: risk, cost, and what to do about it.
We are also making the full report available to download at the end of this post. No form to fill in. No email required. Read our interpretation, then read the original. If anything does not add up, we want to know. That is what transparency looks like.
1. The UAE is Not Immune — It Is Just Different

The Acronis report contains specific data on the UAE, and it tells a more nuanced story than most cybersecurity coverage of the region.
The UAE does not experience the same relentless, sustained malware pressure as Germany, the United States, or India, the three most affected markets in the Acronis dataset. Instead, the UAE’s threat profile is characterized by short, sharp campaign bursts. Attackers hit hard for a concentrated period, using phishing emails disguised as invoices, payment requests, and logistics notifications, then move on as their infrastructure gets blocked and their lures lose effectiveness.
| Period | % Clients Affected | What it means |
| --- | --- | --- |
| March 2025 | 9.9% | Peak month — business-themed phishing and invoice lures. Highest malware execution rate of the year. |
| April – June 2025 | 5.7–8.2% | Sustained elevated exposure. URL-based threats remain high even as endpoint infections begin to decline. |
| July – August 2025 | 6.6–7.2% | Campaign fatigue sets in. Infrastructure blocked and lures lose effectiveness. |
| September – November 2025 | 3.5–5.2% | Significant improvement. Defenses catching attacks earlier in the chain before malware executes. |
| December 2025 | 3.9% | Low but not zero. URL-based threats remain consistently present; exposure continues even as infection rate drops. |
The data also shows something encouraging: by the second half of 2025, UAE defenses were improving. Attacks were being stopped earlier in the chain, before malware reached and executed on endpoints. URL-based threats (phishing links, malicious redirects, fake login pages) remained consistently present throughout the year, but fewer of those encounters translated into actual infections.
The practical implication for UAE businesses: the threat is not constant background noise; it comes in waves. But those waves can hit fast and hard. The businesses that were protected in early 2025 were the ones that already had defenses in place before the campaign started, not the ones that responded after the first incident.
The report also shows that the UAE’s threat profile aligns with what Candor sees across its client base: business-themed social engineering delivered by email, targeting employees who handle invoices, payments, and supplier communications. This is not a technical problem. It is a process and awareness problem, and it is one that can be meaningfully reduced with the right combination of technical controls and staff training.
2. Phishing is Now 83% of All Email Threats and It Has Nothing To Do With Technology
83% of all email threats globally in H2 2025 were phishing attacks, up from 77% in H1 2025 and 74% in H2 2024.
The trend is consistent and accelerating.
That single statistic contains a significant insight that most cybersecurity conversations miss entirely.
Phishing is not a technology problem. It is a human problem. No firewall blocks a convincing email that appears to come from your CEO asking the finance team to process an urgent payment. No endpoint protection software prevents an employee from clicking a link in what looks like a Teams notification from IT support. These attacks succeed because they are designed to exploit the way people behave under time pressure, with incomplete information, and in environments where they are trained to be helpful and responsive.
| Threat type | Share | Context | What it means for your business |
| --- | --- | --- | --- |
| Phishing | 83% | Of all email threats globally in H2 2025 | Deceptive messages designed to trick people into revealing credentials or clicking malicious links. Increasingly convincing, often indistinguishable from legitimate internal communications. |
| Social engineering / BEC | 11% | Of all email threats globally in H2 2025 | Targeted impersonation attacks. An attacker pretends to be your CEO, your finance director, or a trusted supplier to authorize a payment or share sensitive data. No malware required. |
| Collaboration platform attacks | 31% | Of threats on platforms like Microsoft Teams in H2 2025 | The sharpest growth area in 2025. Attackers are now using Teams, Slack, and similar tools to impersonate IT support and pressure employees into giving access. Your inbox filters do not protect you here. |
| Malware | 5% | Of email threats globally in H2 2025 | Traditional malicious software delivered via email. A declining proportion because attackers have found more effective methods that do not require the victim to download anything. |
- Phishing (83% of all global email threats in H2 2025): Deceptive emails remain the dominant threat, using highly convincing fake communications to steal credentials or trigger malicious actions.
- Social engineering / BEC (11% of all global email threats in H2 2025): Executive impersonation and supplier fraud are increasingly used to manipulate staff into transferring funds or disclosing sensitive information.
- Collaboration platform attacks (31% of threats targeting Teams, Slack, and similar platforms in H2 2025): Attackers increasingly exploit workplace collaboration tools where traditional email security controls offer little protection.
- Malware (5% of global email threats in H2 2025): Traditional malware remains present but is declining as attackers shift toward credential theft and manipulation techniques.
The most significant development in the Acronis data is not the volume of phishing; it is where phishing is now happening. Collaboration platforms (Microsoft Teams, Slack, Google Workspace) experienced a dramatic increase in advanced attacks in 2025, rising from 12% of platform threats in H2 2024 to 31% in H2 2025. These attacks are not mass-volume campaigns. They are targeted, sophisticated, and designed to exploit the implicit trust people place in their internal communication tools.
The Acronis report documents a specific pattern that appeared repeatedly in 2025: an attacker contacts an employee through Teams, impersonates IT support or a helpdesk technician, and walks them through a process that ends with the attacker gaining remote access to the employee’s machine or credentials. The entire interaction happens inside a platform that feels internal, trusted, and legitimate.
The business owner question this raises: your email security filters phishing from external email. Does it also cover your Teams channel? Your SharePoint notifications? Your Slack workspace? If the answer is no, or not sure, that is the gap attackers are currently targeting most aggressively.
The report also introduces a technique called ClickFix, a social engineering approach where attackers convince users to execute what appears to be a routine troubleshooting step. The user believes they are fixing a problem. They are actually giving the attacker access. This technique bypasses technical security controls entirely because the user is executing the action voluntarily. The only defense is training, awareness, and clearly documented procedures for what IT will and will not ask employees to do.
3. Ransomware Hit 7,677 Businesses Publicly in 2025 and the Real Number Is Much Higher

7,677 organizations were publicly named as ransomware victims between January and December 2025. The Acronis Threat Research Unit notes the real number is significantly higher — most incidents are never publicly disclosed.
The sectors targeted most heavily in 2025 tell a consistent story about what makes a business an attractive ransomware target.
| Sector | Share of victims | Why attackers target this sector |
| --- | --- | --- |
| Manufacturing | 21% | High operational pressure to restore availability quickly, making ransom payment more tempting. |
| Technology | 20% | Broad supplier connectivity and heterogeneous patching maturity across distributed sites. |
| Healthcare | 12% | Critical data and high disruption sensitivity. Regulatory consequences of a breach are severe. |
| Financial services | 9% | High-value data and strong ransom leverage. Regulatory notification requirements increase attacker pressure. |
| Business services | 10% | Includes IT service providers and MSPs — high value targets because one compromise reaches many clients. |
| Construction, logistics, education | 20% | Increasingly targeted as defenses in primary sectors improve and attackers seek softer paths. |
The common thread across every targeted sector is the same: high operational pressure to restore availability quickly. Businesses that cannot function without their IT systems are businesses that are more likely to pay a ransom, or that face catastrophic losses if they cannot recover quickly. Attackers understand this better than most business owners do.
The report also documents an important strategic shift in how ransomware groups operate.
Encryption (locking systems and demanding payment to restore them) is increasingly being supplemented or replaced by data theft and extortion. Attackers steal data first, then use the threat of public disclosure, regulatory notification, or sale to competitors as the primary lever. This means having good backups is necessary but no longer sufficient. Even if you restore your systems in hours, the attacker may still hold your client data, your financial records, or your staff information, and be in a position to cause significant harm by releasing it.
The Acronis report identifies the three defining characteristics of the 2025 ransomware landscape: scalability (attacks that can be replicated at volume rather than bespoke intrusions); fragmentation (nearly 100 active ransomware groups, making law enforcement disruption less effective); and extortion primacy (data theft increasingly driving outcomes rather than encryption). All three point in the same direction: resilience, not just backup, is the right frame.
For context on what a real ransomware recovery looks like, and the gap between having a backup and having a genuinely tested recovery capability, see our post on business continuity and geo-redundancy.
4. Your IT Partner Is Now a Target and That Makes You One Too
This is the finding in the Acronis report that we think deserves the most attention from business owners, and the one that connects most directly to a question we raise with our own clients.
The report documents 143 managed service provider and telecommunications provider victims in 2025: IT companies and partners that were compromised specifically because of the access they had to their clients’ systems. Phishing was the initial attack vector in 52% of MSP incidents. In 27% of cases, the entry point was an unpatched vulnerability in the tools the IT partner used to manage their clients’ environments.
MSP ransomware victims in 2025 were attacked via Akira, a ransomware group specifically known for targeting IT service providers to gain access to their managed client environments downstream.
The mechanism matters. When an IT service provider is compromised, the attacker does not stop at that provider’s own systems. They use the provider’s legitimate access (the remote monitoring tools, the administrative credentials, the trusted connections into client environments) to move into every business that provider serves. The Acronis report describes this as ‘one-to-many propagation’: one compromise of the management plane becomes a compromise of every managed endpoint.
The report describes a specific documented case in 2025 where attackers used a compromised IT provider’s remote management software to simultaneously deploy ransomware across multiple client environments. The clients had strong perimeter controls. Those controls were bypassed entirely because the attacker was using the trusted IT partner’s own tools, which were whitelisted by design.
This is a question we ask on behalf of our own clients, and we ask it about ourselves. If Candor’s systems were compromised, what protections exist to prevent that compromise from cascading into your environment? We maintain documented answers to that question and share them with clients who ask. We believe every IT partner should be able to do the same. If yours cannot, or has never raised the question, that is worth a conversation.
The practical questions this raises for any business with an IT partner:
- Does your IT partner maintain immutable, isolated backups of your environment that are not accessible from the same systems used for day-to-day management?
- Are your credentials and access controls separated from your IT partner’s, so that their compromise does not automatically mean your compromise?
- Has your IT partner ever walked you through what would happen to your environment if their systems were breached?
- Can your IT partner demonstrate that their own security posture, not just their advice to you, is regularly tested?
These questions are not adversarial. A good IT partner welcomes them because they demonstrate exactly the kind of accountability that builds a genuine long-term relationship. If the questions make your current IT partner defensive or evasive, that is itself an important data point.
For a deeper look at the six questions every business owner should be asking their IT team, see our previous post in this series.
5. AI Is Now Being Used Against Businesses — Not Just by Them
The Acronis report dedicates a significant section to documented cases of artificial intelligence being embedded into criminal operations in 2025. This is not a prediction. These are verified incidents.
A ransomware group called GLOBAL GROUP deployed an AI-driven chatbot to manage victim negotiations. Rather than human negotiators handling ransom conversations, the AI system responded immediately, maintained psychological pressure, and guided victims toward payment, with human operators only intervening for high-value targets or stalled negotiations. The operational effect was the ability to run more concurrent extortion campaigns with fewer people.
A separate documented case involved a criminal group using AI tools, including coding assistants, to generate attack scripts, assist with credential harvesting, rapidly analyze stolen data to identify the most sensitive and valuable material, and tailor extortion demands to each specific victim. AI did not replace the attacker. It made a small team capable of operating at a scale that would previously have required a much larger operation.
The Acronis report’s conclusion on AI is measured and important: AI is not replacing attackers; it is changing the balance between effort and impact. Smaller teams can now operate at greater scale and speed. The response timeline for defenders is compressing. Decisions that used to be made over hours are being forced into minutes. That is a business operations problem as much as it is a technology problem.
For business owners the practical implication is not that AI is inherently threatening. It is that the people trying to attack your business are now using AI systematically, and the gap between attacker capability and defender readiness is wider for businesses that have not kept pace with both the threats and the defenses.
The most immediate AI-related risk for most businesses is not a sophisticated ransomware operation. It is a phishing email convincing enough to fool a trained employee, or a Teams message impersonating IT support that comes with just enough internal detail to seem credible. AI lowers the cost and effort of producing convincing social engineering content at scale. The volume of attempts is increasing. The quality is improving. The human judgement required to detect it is becoming harder to apply reliably under time pressure.
A Note on Transparency — Read the Data Yourself
We have paraphrased and contextualized five key findings from an 84-page technical report. In doing so, we have made editorial choices about what matters most for a business owner audience and what is better left to IT professionals to interpret.
Those choices reflect our genuine view of where the most commercially relevant signals are in the data. But they are our interpretation, not Acronis’s.
The full report is available to download below. It contains the complete data, the methodology, the country-level breakdowns, the malware family analysis, the vulnerability landscape, and the 2026 predictions in their full technical detail. We have not cherry-picked statistics to support a predetermined conclusion, but you should be able to verify that for yourself.

Download the full report — read the data for yourself
Download the Acronis Cyberthreats Report H2 2025
What This Data Means in Practice
Global cybersecurity intelligence is only useful if it translates into decisions. Here is what the Acronis data argues for in practical terms.
- Test your recovery capability, not just your backup. The data shows attackers are now targeting backups specifically. Knowing data exists somewhere is not the same as knowing you can recover from it under real incident conditions.
- Extend your security awareness beyond email. Phishing has moved into collaboration platforms. If your staff training covers email but not Teams or Slack, you have a gap that attackers are already exploiting.
- Ask your IT partner the hard questions. The data is explicit: IT partners are being targeted specifically to gain access to their clients. A good partner has considered this and has answers. A concerning partner will not have raised the question at all.
- Quantify what a failure would cost. The report documents the real cost of incidents: not just the technical recovery but the revenue loss, client attrition, regulatory consequences, and reputational damage. Most businesses have never done this calculation. Most businesses that have done it invest in resilience more seriously as a result.
- Do not wait for a campaign to hit. The UAE data shows that attacks come in fast, concentrated waves. The businesses that were protected were the ones ready before the wave arrived.
The most important line in the Acronis report for a business owner is not a statistic. It is this: ‘organizational maturity ultimately determined impact.’ The businesses that experienced the worst outcomes were not necessarily the ones that were most targeted. They were the ones that were least prepared. That is entirely within your control.

Find out where your business actually stands — Free Infrastructure Resilience Assessment
The data in this report describes a threat environment that is real, active, and relevant to businesses of every size, in every sector, in every geography. Reading it is the first step. Understanding what it means for your specific infrastructure is the next one.
The Candor team offers a complimentary 30-minute Infrastructure Resilience Assessment — an honest, plain-language conversation about where your business stands across resilience, security, compliance, and vendor dependency. No sales pitch. No obligation.
We work with businesses globally. Wherever you are, if the conversation makes sense, we are interested.
Further reading — the Candor cybersecurity and IT resilience series:
→ The Six Questions Every Business Owner Should Be Asking Their IT Team
→ Business Continuity & Geo-Redundancy — a real UAE client story
→ Cloud Migration — what most businesses get wrong before they move
→ Building an Incident Response Plan
→ Vulnerability Assessment & Penetration Testing — finding your gaps
Data source
All statistics and findings in this post are drawn from the Acronis Cyberthreats Report H2 2025, produced by the Acronis Threat Research Unit. The report covers data gathered from January to December 2025 across more than one million unique endpoints distributed globally. All figures are those reported by Acronis and have been paraphrased in context — no statistics have been altered or misrepresented. The full report is available to download from Acronis Cyberthreats Report H2 2025 PDF.
Candor is a full-service IT and digital agency headquartered in Dubai. We work with businesses globally — helping leaders build IT infrastructure that is genuinely resilient, compliant, and built to support growth.