Quick Summary:
- SoSafe’s 2025 Cybercrime Trends Report pulls back the curtain: cybercriminals have shifted their focus, weaponizing third-party dependencies and personal devices in almost every company surveyed. Forget “enterprise perimeters”—they’re dead, and the attackers know it.
- 93% of organizations now rely on third-party services, exposing gaping holes in digital supply chains. It’s not just your crown jewels at risk—it’s every vendor and, by extension, every vendor’s vendor. Blind spots run deep.
- 83% of security professionals have dealt with security breaches originating on employees’ personal devices, and 95% have seen multi-channel attacks—including AI-powered deepfakes—rise dramatically. If it’s connected, it’s a viable threat vector.
- Action: Organizations must get ruthless about vetting third parties, eliminate BYOD naïveté, and train users for a world where any channel—email, WhatsApp, voice—can be ground zero. Security teams must own the expanded attack surface, not just patch it.
The Dam Has Burst: Attackers Ignore Your Perimeter, So Should You
If your security strategy still revolves around “locking down the network,” you’ve already lost. The findings from SoSafe’s 2025 Cybercrime Trends Report (surveying 500 security professionals across nine countries) paint an unambiguous picture: attackers aren’t battering the gates—they’re quietly walking in through the tradesmen’s entrance and the staff exit. 93% of organizations now depend on third-party services to deliver their value, and every SaaS tool, API hookup, or payment provider is a liability. It’s not just about keeping your own environment patched and monitored—every external dependency is a risk multiplier, particularly when those vendors themselves are several degrees less mature than your team.
Andrew Rose, CSO at SoSafe, hammers it home: “Attackers are increasingly targeting software and service supply chains to amplify the scale and impact of their attacks—knowing these often lack the robust defenses and resources of larger organizations.” It’s an old playbook, but one the industry keeps failing to learn from. The concentration risk is enormous: one exposed piece in your digital ecosystem can crater not just your security but your uptime and the trust your customers have in you. And let’s not discuss fourth-party risk—the vendors of your vendors. Most security teams can’t even map this web, let alone control it.
Read this twice: the average security team still has only partial visibility into their supply chain dependencies, and even less leverage to force better practices. Doubt it? Just scan recent headlines of catastrophic supply chain attacks and see how easy it is to fall victim because you trusted the wrong link.
BYOD, Brought to You by Breach: When Personal Devices Mean Professional Disaster
Here’s the reality: 83% of organizations reported security breaches linked to employee personal devices. It’s not just about careless texting or the odd dodgy app—cybercriminals have realized that blurred lines between work and home are a goldmine. Niklas Hellemann, SoSafe CEO, puts it bluntly: “While employees may be protected by their organization’s technical controls, their personal devices and accounts are often left vulnerable. They have become prime targets for attackers looking to gain access to corporate information.”
Bring your own device (BYOD) sounded innovative a decade ago. In today’s threat landscape, it’s morphed into a gaping liability, and most organizations pretend that an MDM or EDR agent can paper over the cracks. But employees save passwords, open company files, and receive phishing emails on unprotected devices all the time—and it only takes one slip for an attacker to get a toe in the door.
And before you think, “But we have MFA, right?”—remember, attackers now combine phishing, social engineering, and even AI-powered deepfakes to bypass second factors. The smartphone isn’t secure by default, and multi-factor fatigue is all too real. If your response is just another policy document, you’re bringing a rubber knife to a gunfight.
The kicker: 95% of organizations have witnessed a rise in multi-channel attacks. These aren’t your mother’s phish. Modern campaigns sequence touchpoints—WhatsApp to grab trust, Microsoft Teams for the look of legitimacy, and finally, a deepfaked phone call that seals the trick. Case in point: in 2024, attackers used AI-driven voice cloning to impersonate the CEO of WPP, stringing staff along via coordinated messaging and ultimately wrangling out sensitive info and even money. These “3D phishing” attacks are nightmare fuel: you aren’t just defending an inbox, you’re defending every digital conversation your staff has, anywhere, any time.
What Needs to Change: Own Every Inch of Your Expanded Attack Surface
Let’s stop pretending that piecemeal security awareness campaigns or checkbox vendor questionnaires are enough. The modern attack surface isn’t just your SOC dashboard—it’s every SaaS app, contractor, smartphone, and the invisible connections tying them together. If 94% of organizations are seeing a rise in multi-channel attack strategies (as SoSafe’s report makes blindingly clear), the only workable stance is persistent skepticism and aggressive ownership. Here’s what must happen—now:
- Get uncompromising about supply chain vetting. Stop rubber-stamping vendor security reviews. Implement continuous, automated assessment tools—not annual self-attestations. Demand transparency about their fourth-party dependencies. If a vendor balks, walk away. Better to lose a feature than gain a breach. For further detail, check out these practical tips to prevent third-party data breaches.
- Re-engineer BYOD from the ground up. Assume compromise on every unmanaged device. Mandate containerization, zero-trust network access, and endpoint monitoring. Make “personal” devices really personal: no business data leaves your protected bubble—period.
- Breed a paranoid, threat-aware culture. Regular, scenario-based training isn’t a nice-to-have; it’s your last line of defense—and it needs to reflect current attacks, not last year’s. Simulate multi-channel, AI-enhanced phishing. Reward those who spot the needles; retrain those who hand over the haystacks.
- Break the illusion of delegated responsibility. Every leader, not just the CISO, owns third-party and BYOD risk. Bake it into procurement, HR, vendor onboarding, and incident response. If it touches your data or your people, it’s your problem. No more “IT will sort it.”
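The supply-chain point above (most teams cannot map fourth-party dependencies, and a single shared provider is a concentration risk) and the first action item (continuous assessment rather than annual self-attestations) both come down to a data problem: you need the transitive dependency graph and the age of each assessment. The following Python is an added illustration, not SoSafe’s code or tooling; the vendor names, dependency edges and assessment dates are a constructed inventory, and `transitive_dependencies`, `concentration_points` and `stale_assessments` are hypothetical helper names.

```python
"""Map third- and fourth-party dependencies and flag where a vetting
programme should look first.  Added example; the inventory is constructed
and the vendor names are hypothetical."""
from collections import deque
from datetime import date

# Constructed inventory.  Each vendor lists the providers it in turn relies on
# (your fourth parties) and the date of its last security assessment.
VENDORS = {
    "crm-saas":        {"depends_on": ["cloud-host", "email-relay"], "last_assessed": date(2024, 2, 1)},
    "payments-api":    {"depends_on": ["cloud-host", "kyc-provider"], "last_assessed": date(2025, 1, 15)},
    "email-relay":     {"depends_on": ["cloud-host"],                 "last_assessed": date(2023, 6, 30)},
    "cloud-host":      {"depends_on": [],                             "last_assessed": date(2025, 3, 1)},
    "kyc-provider":    {"depends_on": ["identity-broker"],            "last_assessed": date(2024, 11, 5)},
    "identity-broker": {"depends_on": [],                             "last_assessed": None},  # never assessed
}
DIRECT = ["crm-saas", "payments-api"]   # the vendors the organisation itself contracts with
AS_OF = date(2025, 4, 1)                # reference date for the staleness check (constructed)


def transitive_dependencies(inventory, roots):
    """Breadth-first walk from the direct vendors.  Returns {vendor: depth},
    where depth 1 is a third party and depth 2+ is a fourth party or beyond."""
    seen = {}
    queue = deque((root, 1) for root in roots)
    while queue:
        name, depth = queue.popleft()
        if name in seen:
            continue                      # already reached by a shorter path
        seen[name] = depth
        for dep in inventory.get(name, {}).get("depends_on", []):
            queue.append((dep, depth + 1))
    return seen


def concentration_points(inventory, roots):
    """Count how many direct vendors ultimately reach each downstream provider.
    A provider reached from every direct vendor is a single point of failure."""
    counts = {}
    for root in roots:
        for dep in transitive_dependencies(inventory, [root]):
            if dep != root:
                counts[dep] = counts.get(dep, 0) + 1
    return counts


def stale_assessments(inventory, today, max_age_days=365):
    """Vendors whose last assessment is missing or older than max_age_days."""
    stale = []
    for name, info in inventory.items():
        last = info["last_assessed"]
        if last is None or (today - last).days > max_age_days:
            stale.append(name)
    return sorted(stale)


if __name__ == "__main__":
    depths = transitive_dependencies(VENDORS, DIRECT)
    print("Reachable vendors by depth:")
    for name, depth in sorted(depths.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"  depth {depth}: {name}")
    print("Concentration (direct vendors relying on each provider):")
    for name, n in sorted(concentration_points(VENDORS, DIRECT).items(), key=lambda kv: -kv[1]):
        print(f"  {name}: {n} of {len(DIRECT)}")
    print("Stale or missing assessments:", stale_assessments(VENDORS, AS_OF))
```

Run against the constructed inventory, the walk surfaces a fourth party (identity-broker) that has never been assessed, shows that both direct vendors bottom out on the same hosting provider, and lists the vendors whose last review is older than a year. Swapping the dict for an export from your vendor-management system and running the script on a schedule is the difference between an annual questionnaire and the continuous view the report argues for.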
If you only remember one thing, let it be this: The expanded attack surface isn’t something you can cordon off, delegate, or insure away. SoSafe, WPP, and every breached company they cite prove it: ignoring the cracks in your extended enterprise is what gets you gutted—quietly, efficiently, and before most defenses are even activated. In 2024 and beyond, CISOs and risk leaders who thrive will be those who assume that “out of sight” isn’t “out of threat.” Tear down the blinders, own every inch, and force third parties and staff to meet your paranoia—anything less is just waiting for your name in the next report.