Adapting to the New Age of AI-Powered Cyber Threats
When you log in to your computer on a Monday morning and see that ransomware screen demanding payment, you should realize that the attack didn’t start that weekend. As Net at Work CISO Michael Powell explains, “To stage an attack, it’s not uncommon for a threat actor to have been in the environment up to 90 days.”
For weeks or months, threat actors may have been cataloging your data and exfiltrating files. With U.S. ransomware attacks up 149% year-over-year as of early 2025, understanding how these attacks work has never been more critical.
Most attacks follow predictable patterns. Once you understand the playbook, you can build defenses that work.
In this article you will learn:
- Why even well-funded cybersecurity efforts struggle to keep pace with evolving threats
- How the “double extortion” ransomware model puts organizations at risk even with backups
- Why AI has made business email compromise nearly impossible to detect
- Simple defensive strategies that dramatically improve security posture
- How to evaluate readiness and find the right security partners
Why This Keeps Happening
“Why is it hard? Why are we still trying to solve this problem?” Powell asks. His answer: “We’re effectively in an arms race.”
Organizations invest heavily and close vulnerabilities. Yet as one gap closes, attackers adapt. Cyber attacks per organization increased 47% in Q1 2025, reaching 1,925 weekly attacks on average.
The real challenge is asymmetry. Powell explains, “There could be more people trying to attack your organization than you have to play defense.”
The Ransomware Reality
During the 30-90 day reconnaissance phase, attackers aren’t randomly grabbing files. “They pull a file listing and then based on the file names and the file structures, they go for the information that they think is pertinent,” Powell explains. They systematically identify personally identifiable information, financial records, and commercially sensitive data, then slowly exfiltrate copies.
When attackers are ready to strike, timing matters. “We often see spikes around weekends, around evenings, around holidays,” Powell notes. “This is because reconnaissance and encryption take time.” They choose moments when you’re least likely to respond quickly.
The Double Threat
Even with robust backups, you face what Powell calls the “double extortion threat.”
“Your data is encrypted, and you need to decrypt it to continue to do business,” he explains. “But the threat actor knows these days people put reasonable technology controls in place. They’re betting you have backups, so they add a second pressure point: pay up, or we leak everything.”
The consequences go beyond embarrassment. Depending on your location and the data involved, you may face legal obligations to notify affected individuals. The average ransom demand in 2024 was $4.32 million, but legal costs and reputational damage can dwarf that figure.
Nearly one in five small businesses that suffered a cyberattack filed for bankruptcy or closed. This isn’t an IT problem; it’s a serious business survival issue.
How AI Changed Business Email Compromise
While ransomware grabs headlines, business email compromise (BEC) operates quietly and is equally devastating. BEC was the second-costliest cybercrime in 2023, with nearly $3 billion in losses.
AI has fundamentally transformed the threat. Attackers compromise an email account and download sent items. Previously, analyzing that information manually took time. Now? “You download that information, you throw it into AI, and then you can ask it questions,” Powell explains.
The AI builds a complete profile and generates emails that perfectly mimic executives’ communication. “Where we used to be able to spot those emails with relative ease,” Powell says, “AI helps the threat actor be a lot more convincing with very little additional work.”
With 73% of reported cyber incidents in 2024 being BEC attacks, and organizations with 1,000+ employees facing a 70% weekly probability of at least one BEC attack, this demands constant vigilance.
Your People: Vulnerability and Solution
“Most of the compromises we see occur because a person takes an action,” Powell says. “But they’re rarely doing it with malicious intent.”
Most breaches happen because employees respond to what appears urgent. “Pretty much every phishing test I have ever been a part of, at least one person has clicked the email, and you only need one.”
The solution lies in changing the culture around reporting threats rather than carrying out punishments. “People shouldn’t feel that if they raise a security threat, the IT team is going to pounce on them,” Powell emphasizes.
“Every person is a sensor,” Powell explains. Train people to recognize what normal looks like, then empower them to speak up. Modern training uses gamification: “You click something, and then there’s just-in-time training that shows you why that was good, or why that was bad.”
Building Defenses That Work
Effective defense requires layered approaches that create multiple “tripwires.”
“The more visibility you have, the more chances you’ve got of spotting an anomaly,” Powell explains. Each layer, including endpoint detection, email security, patching, backups, and network segmentation, increases the likelihood you’ll catch attacks before they succeed.
But technology alone isn’t enough. Organizations need clear procedures. Powell shares an example of a company with excellent technology but no response plan: “Person A looks at person B, they don’t know who’s responsible. Can we turn the system off? We don’t know who approves that.”
His advice: “If you don’t know who to inform in case of a breach, find out.” Conduct tabletop exercises that reveal gaps. “Have people sit around a table and practice what they would do if a ransomware email came in.”
Where to Start
Powell offers a straightforward evaluation framework:
- Evaluate what you have. “There are so many times I’ve gone into an organization where they’re paying for something, but they’re using less than 10% of it.” Understand current capabilities before buying new solutions.
- Define risk tolerance. What’s acceptable downtime for different systems? Document thresholds in advance.
- Conduct regular audits. Most insurance carriers require annual assessments and often help with scanning.
- Leverage available expertise. Your insurance company often provides guidance. If working with technology providers, understand what expertise they have that they could bring to bear in the event of an incident.
- Consider cybersecurity as a service. For many businesses, working with a managed security service provider offers specialized skills without building an in-house team. “What they’re effectively doing is delivering the speed, delivering the skills and reducing the cost,” Powell explains.
When evaluating providers, Powell emphasizes fit over features: “Look for the one that suits your business and your processes.” And be sure to verify responsiveness: “There’s nothing worse than receiving a ransomware attempt on a Friday night and then realizing that the partner says they’ll deal with it Monday morning.”
And be sure to check references. “Try to find an organization they’ve worked with and talk to that organization. When you’re buying into cybersecurity as a service, you’re buying into trust.”
Moving Forward with Confidence
Understanding that attacks follow patterns, that defenses can be layered effectively, and that preparation dramatically improves outcomes will put you in a stronger position. With 86% of cyber incidents involving business disruption, the question isn’t whether to invest in security, but how to invest wisely.
Take the Next Step
Net at Work helps organizations build resilient security strategies that balance protection with practical business needs.
For a limited time, we’re offering complimentary assessments:
- IT Infrastructure Assessment: Comprehensive evaluation identifying vulnerabilities and opportunities
- Email Security Assessment: In-depth analysis of your email security posture—the primary attack vector for both ransomware and BEC
Don’t wait for a breach to discover where your defenses fall short. Contact Net at Work today to schedule your assessment and start building security that protects your business without compromising operations.
Ready to strengthen your security? Contact Net at Work to claim your complimentary assessments and speak with experts who understand your challenges.
Key Takeaways
- Understand the timeline: Ransomware attacks involve 30-90 days of reconnaissance before encryption. Early detection is everything.
- Prepare for double extortion: Even with backups, data leaks trigger legal obligations and reputational damage.
- Take AI seriously: BEC attacks now use AI to perfectly mimic writing styles, making traditional detection nearly impossible.
- Build culture, not just controls: Encourage reporting without punishment. Every employee is a sensor who can spot anomalies.
- Layer your defenses: Multiple security controls create “tripwires” that increase chances of catching attacks early.
- Rehearse your response: Tabletop exercises reveal gaps and build muscle memory for critical decisions.
- Leverage external expertise: Insurance carriers and managed security providers offer skills and resources that would be prohibitively expensive to build in-house.
Sources
- TechTarget, “Ransomware trends, statistics and facts,” 2025.
- Check Point Research, “Q1 2025 Global Cyber Attack Report,” May 2025.
- Spacelift, “50+ Ransomware Statistics for 2025,” July 2025.
- Fortinet, “Ransomware Statistics 2025,” 2025.
- The SSL Store, “Business Email Compromise Statistics,” March 2024.
- Hoxhunt, “Business Email Compromise Statistics 2025,” March 2025.
- LastPass, “Protect against business email compromise in 2025,” May 2025.
- Palo Alto Networks Unit 42, “Extortion and Ransomware Trends,” April 2025.


