Given the recent spate of high-profile cyber breaches, such as the attack on Jaguar Land Rover that halted production and required a government bailout, Microsoft’s 2025 Digital security report is urging IT departments to ensure cyber risk is managed at boardroom level.
Microsoft recommended that IT leaders treat cyber security as a business risk on par with financial or legal challenges. “It is important that corporate boards and CEOs understand the security weaknesses of their organisation,” it said in the report.
The company urged IT leaders to track and report metrics such as multi-factor authentication coverage, patch latency, incident counts and incident response time to develop a comprehensive understanding of both the organisation’s potential vulnerabilities and its preparedness in the event of a cyber security incident.
Other recommendations include enforcing phishing-resistant multi-factor authentication across all accounts, including administrative accounts, and auditing the perimeter accesses granted to trusted partners.
Over the past year, Microsoft reported that it has continued to see actors intensify their development of new and novel techniques to challenge the defences organisations are implementing to detect and prevent them. It noted that the daily threats organisations face largely remain the same, and that attacks tend to be opportunistic, with threat actors targeting known security gaps.
“While users globally are at risk, we’ve observed most attacks in the last six months focused on the United States, the United Kingdom, Israel and Germany,” Microsoft said.
The report found that governments and the public sector suffered the most cyber attacks. Microsoft warned that many local governments operate on legacy systems that are difficult to patch and secure, and budget constraints and small IT teams often mean delayed updates, minimal threat monitoring, and limited incident response capabilities. This makes them high-value targets for both nation-state actors and financially motivated cyber criminals.
The Microsoft study found that the main attack vectors for hackers were perimeter web-facing assets (18%) and external remote services (12%), as well as – to a lesser degree – supply chains (3%).
Nevertheless, Microsoft said it has continued to observe threat actors targeting the trusted relationships with upstream managed service providers, remote access services such as virtual private network or virtual private server systems, remote monitoring and management tools, cloud backups, continuous integration and continuous delivery pipelines, and third-party deployment software providers to gain access through trusted or commonly deployed IT systems.
Microsoft warned that these intrusions generally compromise privileged supplier accounts, exploit unpatched software, or insert malicious code into legitimate components. The report’s authors recommended that organisations audit access privileges, validate software bills of materials, maintain dependency hygiene and perform runtime integrity checks.
In a blog post discussing the findings, Amy Hogan-Burney, corporate vice-president of customer security and trust at Microsoft, said: “Organisational leaders must treat cyber security as a core strategic priority – not just an IT issue – and build resilience into their technology and operations from the ground up.”
She also warned that the use of artificial intelligence is accelerating malware development and creating more realistic synthetic content, enhancing the efficiency of activities such as phishing and ransomware attacks. “Opportunistic malicious actors now target everyone – big or small – making cyber crime a universal, ever-present threat that spills into our daily lives,” said Hogan-Burney.
