Cybersecurity
Why attackers don’t need to “break in” anymore: key lessons from Annual Threat Dynamics 2026
Cyber threats are becoming faster, more adaptive, and more interconnected — and that is changing what effective cyber leadership looks like. In this LinkedIn Live, PwC cyber security experts Matt Carey and Ulrika Fejne will be discussing the key themes from PwC’s Annual Threat Dynamics 2026 report and what they mean for business leaders, security teams, and boards trying to navigate a more complex risk environment.
This year’s report highlights several major shifts in the threat landscape: the growing importance of identity-based attacks, the accelerating role of AI in cyber operations, the expanding risk created by SaaS platforms and digital supply chains, continued exploitation of edge infrastructure, the evolution of ransomware and extortion tactics, and the increasing overlap between cyber risk, geopolitics, and executive exposure.
Rather than focusing only on individual threats or headlines, this conversation will look at the broader patterns emerging across the report: why attackers are increasingly targeting identity and trust relationships, how AI is compressing the speed of attack, why third-party ecosystems have become such important sources of exposure, and what organisations should be doing now to strengthen resilience.
▶ Explore the new report:
Annual Threat Dynamics 2026: Cyber threats in motion
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/annual-threat-dynamics.html
Ulrika Fejne: Hi everyone, and a warm welcome to this LinkedIn Live. My name is Ulrika Fejne, I work in PwC's cyber security team here in Sweden, and I will moderate this session today. Today we're tackling a topic that is very close to CISOs' and CIOs' hearts: why do hackers nowadays log in and not hack? And what does this mean for business leaders, and how do we manage cyber risk? We'll be drawing on the findings from PwC's Annual Threat Dynamics Report from 2026, and I'm very happy to have my colleague Matt Carey with me here today. Can you please introduce yourself?

Matt Carey: Thanks, Ulrika. Hello everyone, my name is Matt Carey. I'm PwC's threat intelligence lead for Europe, the Middle East and Africa, and I'm based here in Sweden.

Ulrika Fejne: Great. During these 20 minutes or so we'll cover four different themes from the report: why identity has become the new front line, how AI is changing both attack and defense, the growing risk from SaaS platforms, digital supply chains and edge infrastructure, as well as what is happening with ransomware and geopolitics. But if we start off with the title of this session, why attackers don't need to break in anymore, can you unpack a bit more what this is about?

Matt Carey: Yes. I think if we look back 10-15 years ago, many organizations were on premise, so there wasn't a huge number of organizations in the cloud, and therefore a lot of the data was sitting on servers somewhere in the organization. Hackers would therefore aim to find vulnerabilities in those servers, or in the applications that were there, to then be able to get into the network, find the sensitive data they wanted to steal, and take it. These days a lot more organizations have digitalized. They're not all completely on the cloud, but a lot of them have moved most of their sensitive data to the cloud, and a hacker can't just hack into the cloud and hope to find the data they're looking for in the way that they used to on premise. So they literally have to go in via a legitimate identity or a legitimate authenticated session to be able to have access to the network and find the things that they want. So in terms of not breaking in, they're basically using authenticated identities or authenticated sessions to get into the network; they're literally using something that's already been put in place to get into the network in the first place and have access.

Ulrika Fejne: Yeah, and in the report we cover this as well, but what do you see as the main ways of exploiting identities nowadays?

Matt Carey: Yeah, so I think the key thing is that there's a lot of phishing that goes on out there, obviously, and there's a lot of vishing: ringing up people and pretending to be from the IT help desk, or pretending to be a legitimate employee ringing the IT help desk to get passwords changed, to then hijack a legitimate identity. And then also the use of man-in-the-middle type attacks, where they will essentially ring up the person and say, "We're from the IT help desk, there's something wrong with your account, can you log in? I'll push the link to the web page to you." It will look like a legitimate web page for the organization, but it will actually be the hacker's web page that the person is logging into. Once the person is in there, they're logging in thinking they're on their legitimate organization's website; they put in all their details, and then the hacker takes that information and puts it into the real website, and then they'll get them to use their SMS code or whatever other thing they need for the multi-factor authentication. Once they've got that, they can then log in as the person. So it is effectively a way of using the person, or tricking the person fraudulently, into giving them access to the account. That's one way, and there are a variety of other ways, including OAuth hijacks and other types of session hijacks, that can do something very similar.

Ulrika Fejne: Yeah. This is quite common nowadays, but what are the normal consequences of these types of attacks, if we think financially but also operationally? What consequences can this have on companies?

Matt Carey: So the first thing is, if an attacker has legitimate access to the whole environment, then they inherit the person's roles as well, which means they can get into anything that that person can get into. And then there's a point at which they will try to escalate their access somehow, so they may even be able to create new identities within the organization using the person's access, depending upon who they are. So obviously people on the IT help desk side of things, or administrators, are key targets, because they've got a lot of access to a lot of the network. So once that happens, it means that basically your whole network is exposed to anything that a hacker potentially wants and can then do something with, because there are a lot of trust relationships that exist inside the network. On the outside of the network there's a lot of protection preventing someone from trying to get in, and trying to detect whether there's an unwanted, unauthorized intruder coming in. But once you're inside the network, because of the way that SaaS applications are set up and the cloud works, the access is basically trusted access once you're inside, so the other person can do whatever they want. So the consequences are that they'll have full access to whatever the person has, they can steal whatever they want, and they can create other identities. And if the intrusion is discovered, or it's a ransomware attack and you finally realize you've got a ransomware actor in there, it's extremely expensive to try to fix that from an incident response perspective. It costs a lot of money and a lot of time, and then there are a lot of regulatory implications that happen after that. So a lot of the implications are effectively very similar to what they would be for a non-identity intrusion, except for the fact that you've got the identity angle and the fact of having to deal with the cloud and try to root the intruder out, which from a cloud platform can be quite difficult.

Ulrika Fejne: Interesting. Many companies are struggling with this area, so if there's a CISO or CIO who is thinking that this is our weak spot, what should they focus on for the next six to twelve months to get better in this area, to be a bit more practical?

Matt Carey: Yeah, absolutely. I think the first thing is to understand that identity is one of the primary planes that they need to control on the network, and they need to have a lot of monitoring around the identity side of it. There are obviously tools out there, both from cloud providers and from on-premise, security-focused vendors, that do that for you, but you should absolutely have something in place. The second thing is to be monitoring what kind of roles exist in the network and to make sure that people don't have excessive permissions, because if people have permissions to access things that they shouldn't, then an attacker who compromises that person gets those same permissions, and that can lead to a cascading effect. And I think the third thing, which is really important, is also to focus on: so we know that identity could be a problem, but where is it actually a problem on the network? It may be that you have a whole bunch of third-party providers that have some kind of privileged access to the network because they maintain the network for you, or they're a provider of managed file transfer type applications, etc. So monitoring those key points where a third-party supplier might have access, and you don't necessarily know what their cybersecurity is like, is another point for CISOs and security professionals to focus on, I think.

Ulrika Fejne: Very good tips, and it sounds like identity and access management is quite a hot topic currently. But another one is AI, and one of the strong themes of the report is also AI and how that is both helping and maybe creating problems. How are you seeing threat actors currently using AI to their strength?

Matt Carey: Yeah, so threat actors are ultimately using AI in much the way that we do: to scale their operations better and be more effective at what they do. So we see it in them creating very legitimate-looking phishing emails that look like they come from the organization, replicating documents that are used by the organization so it looks like a legitimate document even if it happens to be a phishing lure. We also see them using it to make corrections to their malware and develop malware, so that they can use it to exploit vulnerabilities in systems more effectively and have fewer coding problems. We also see it in terms of creating fake websites and fake personalities in order to lure, for example, somebody who thinks they're going for a job interview, but it's actually a lure by a threat actor. There'll be a proper, professional-looking website with AI personalities that have been created behind it, and they may even do a job interview with, basically, threat actors having AI creations or deepfakes of people within the organization that they might use as well. And then the last one, and actually I think it's a really important, overlooked one, is that they're able to take information in bulk. Obviously they have been able to do that in the past, but now they can use AI to work out: what is the most important stuff in this huge hoard of information that I've just stolen, what is the easiest to exploit, what is its value on the market, and therefore how much should I sell it for? So it's actually giving them a bigger business advantage, from the criminal perspective, than they ever had in the past, and they're able to do it much, much faster and more effectively than they ever did before. So those are the key things, noting that they've also got access to their own AI LLM tools, dark web versions of them, that have specialized prompts to enable them to do this better, and that lowers the barrier to entry for anybody wanting to use them as well. It makes hacking much easier, basically, even for a very low-skilled person or a complete novice.

Ulrika Fejne: Yeah. Does it affect the scale of their attacks as well, and the speed of them, or is it more their background work that is getting better?

Matt Carey: Yes, so the scale and speed are increased by the fact that they can automate a lot of what they're doing, like phishing emails, etc. They may turn them into different languages and send them to huge numbers of potential victims at the same time, so they get a much bigger spread of potential victims as a result of sending it out. And they also end up with the ability to exploit, or potentially identify, exploits in more software and applications. So we heard this week about, for example, a version of Claude that exists now or is coming which can find zero-day vulnerabilities in all sorts of different software and applications. Obviously that's useful for defenders to be able to defend themselves, but it's also useful for an attacker. So that gives an extra advantage for them to scale and do more of what they're actually trying to do in the first place via AI means.

Ulrika Fejne: Interesting. And if we think a bit more on the defense side, what are some smart ways organizations could use AI to defend themselves and build up their defense in a better way?

Matt Carey: It's a great question everyone's thinking about. Obviously part of the solution to defeating AI attackers is to be able to use AI to defend, and there are a lot of the standard security offerings out there that are building in AI to make defenders better at spotting vulnerabilities on the network and then automatically patching them quite quickly, especially for clouds. So that's actually a great thing, but it won't fix some of the basic security controls around identity and other things. So if you haven't done good basic security in the first place, AI is not going to help you. But it will definitely accelerate and improve your ability to respond, because of all the things that it offers, including extra knowledge about things that you might be uncertain of, and the ability to scan large amounts of the network and then offer up ways of fixing things that are obviously clear vulnerabilities or problems in the first place. The other thing I would say, though, is it's a vulnerability in itself, because obviously employees are pushing a lot of sensitive information into AI tools in order to do their normal work, as a normal productivity tool. Here in PwC I'm sure that we all use it every day. So if you get an attacker that manages to compromise that AI tool and sit in between, where the information is going between the user and the AI tool, then that's obviously a very sweet spot for the attacker to steal loads of sensitive information. Here in PwC it could be contracts, it could be tax audits, it could be all sorts of things. So it's super important that we treat AI tools as a crown jewel application that needs to be very heavily monitored and secured as part of the network.

Ulrika Fejne: Makes sense, very much. In the report we also talk a bit about the SaaS ecosystems and digital supply chains, which we're kind of covering now as well, and it's described as high-speed trust networks. For a business leader who maybe isn't that deep into cyber, what does this really mean, if you describe it in practical terms?

Matt Carey: Yeah, in practical, very basic terms, it means that all your applications are often now in the cloud. The only authorization that you need to access most of them is the initial access, when you actually log in to the cloud in the first place, and then you've got access to loads and loads of different secure applications inside it. So it means that once you've got that first login, then you've got the login to everything else, whereas in the past we might have had separate logins for every single application that we were going to use: separate passwords, separate multi-factor authentication. So that's why it's a high-speed trust network. And I think the other thing about it is, again, some of the applications that we use these days, like managed file transfer services, are already trusted and have a trusted intersection with the cloud, which means that it's easy for data from those applications to be shifted out, or to end up in places where you're not even thinking about it. So I'm trying to defend my network, I think I know where all my data is and I've got controls around it, but guess what, a lot of your customer data or other things is actually sitting in a managed file transfer service in a company somewhere up the road that you've got a contract with. And this is what's happened here in Sweden a little bit with the Miljödata breach, with the Kraftnät breach, etc. There are a lot of cases where our customer data is involved and is at risk.

Ulrika Fejne: Yeah, and third parties, that's quite a hard area to work around. But what do you see as the most problematic exposures in this third-party exposure and integrations?

Matt Carey: The key kind of exposure, in my experience, is where you haven't done your criticalities work in the first place to understand where a supplier has data that's actually critical to your business functions and the operation of your business. So you end up crippled by the fact that a hacker has hacked an organization that has some of your data, or has hacked a supplier that you're very dependent on, that you never realized was going to be so critical to your business operations in the first place, and then you end up being a victim as a result of that. So it's about really understanding where your data is, mapping that back to critical business functions, and making sure you've got controls in place and good relationships with those suppliers, so that you understand that they've got the right controls in place to protect your data as well. And in particular, government is not as good as it should be at doing this sometimes, so we end up with a lot of cases of government organizations losing client data or their own data because a supplier has been hacked, and the supplier has failed to basically provide the protections that are necessary for that personal information to be protected on the internet.

Ulrika Fejne: Interesting. The report also highlights edge infrastructure, and that it is a favored entry point for hackers. Why are these systems so attractive for attackers?

Matt Carey: So my honest opinion is that a lot of the coding around some of these edge devices, like VPNs etc., isn't as good as it should be. So it's not so much a matter of the threat actors being geniuses at finding zero-days in a lot of this; it's actually that they're just bothering to look, in some cases. And we see with some vendors there's continuously, every second month, another zero-day that's focused on a specific brand of VPN or edge device, etc. They are the parts of the network that connect other networks together, so often it's the connection between the IT and the OT network, for example, but it's also the lead into different segmented parts of the network. So it's a place that attackers obviously focus on, it's also a place that attackers focus on for finding zero-days, and it's a place that therefore often gets exploited with those zero-day exploits, increasing by hundreds and thousands per year now. And especially with AI it's going to get even more significant. The way that that's going to be affected, I think, is hopefully by the Cyber Resilience Act here in Europe, when that comes in, where vendors will be forced to be very much more compliant with good software coding practices before they actually put their product out for people to use in the EU, and also with the AI tools that will find these zero-days. So hopefully vendors will use those tools in order to find these kinds of potential vulnerabilities before they even hit the market in the first place, and we'll get more secure tools going out into the environment as a result.

Ulrika Fejne: That's very good. And if you were going to give two or three concrete things that organizations should be getting better at, if we think of both the SaaS suppliers and supply chain and edge, what do you see as the key points?

Matt Carey: Protect your identities, so we've already spoken about that, that's the first key point. The second key point is to understand where your key trusted relationships are in your network and make sure that they're secure as well, particularly privileged access that needs to be managed, and also who's got roles to access your most important data or potentially disrupt it, and really monitor those sorts of accounts. The third thing is exercise, exercise, exercise, and I'm talking about AI as well. Make sure that you've got those incident response plans and disaster recovery plans in place, and that you've involved the board in exercising those things, so that when something happens they know what their role is and what they're supposed to do. I think those are my top three.

Ulrika Fejne: Good. We are talking quite a lot about ransomware in the report as well, and it's obviously not something new, but the report suggests that there's a new ecosystem around it and new tactics, and that it's shifting, and it's more on cloud, etc. What does the evolution look like from your point of view?

Matt Carey: Yeah, so AI is obviously going to lower the barrier for a lot of these groups to be able to do what they do. At the moment they rely on a load of different specialists to complete different parts of the ransomware attack, from encryption through to the extortion bit to the malware development, but they're going to be able to use AI to do a lot of those things without having to rely on so many others within the ecosystem, and they're not going to need as much skill. It's a very safe form of crime, so it's not like selling guns or trying to sell drugs or anything like that; you can do it without being picked up by the authorities very easily if you're in Russia and other places. So there is an incentive for criminals to invest in this, because the payouts can be huge, because criminals using AI also have the ability to understand how much an organization, or how long an organization, can go before they really start to hit their profit margins, and will charge a ransom accordingly to get that. And there's huge money in that if it's manufacturing, for example, or other organizations that are critically dependent on access to their operations in order not to lose a lot of their profit.

Ulrika Fejne: Interesting. And you mentioned that it can be done globally, etc. How are geopolitics affecting the overlap of cyber risk and geopolitics, and what's happening in the world right now?

Matt Carey: So what you see in the report is that wherever there is a geopolitically sensitive operation that's erupted, whether we talk about the war in Ukraine or whether we're talking about the Middle East, there is cyber activity that accompanies that. Some of that is state-sponsored activity where states are going against states, using that as an augmentation to their military campaigns, for example, or in order to cause some kind of destructive activity that puts pressure politically on the local government, or the government that's being attacked. And then we've got the other side of it, which is basically pro-whichever-side-you're-talking-about hacktivists, so pro-Russia hacktivists, pro-Iranian hacktivists, etc., who are then following some kind of pattern of targeting organizations that are in Israel or in Ukraine, or supporting Ukraine, etc., and going after them with DDoS or some other kind of tools that might not be really sophisticated, but they can cause disruption or destruction as a way of supporting the cause. And so this is a pattern that we're seeing continuously happening, and of course with the Iran situation we saw a medical technology provider in the US attacked the other week. They only need to attack one particular victim in a sector to make the whole sector very, very frightened and basically start to panic. So it's like, shoot one pigeon and all the other pigeons fly around and get worried. So there's that effect as well that they can have as part of it, and of course it feeds disinformation campaigns, where they steal information and then put it out with a different slant on it in order to basically win the political argument by those means as well.

Ulrika Fejne: Interesting, very interesting. And with all these topics that we have covered, I assume that boards etc. start to ask questions regarding this. What kind of questions do you get when talking with senior leadership nowadays?

Matt Carey: I think senior leaders are starting to see cyber risk in the same way that they see other cross-organisational risks, like finance risks or safety risks, etc. So they're taking it as a whole-of-organization risk that needs to be addressed, which I think is correct. And so they're much more interested now, I think, in: are we following a good cyber standard, what is our progression in terms of the maturity of the organization, where do we go next, and what sort of budget and finances do I need to invest in order to prevent that happening? Most boards are really worried about where this is going to hit my bottom line in terms of profits, and am I investing enough in order to manage that risk and make that happen. So that's always a bit of an existential question, and often one that's quite difficult for CISOs to answer, and one that they need to think about quite seriously.

Ulrika Fejne: Yeah. And if you would advise a CEO or a board chair who wants to become better prepared for the cyber risk that exists, what are the essential capabilities that should exist within the organization, and what can they do to improve in this area?

Matt Carey: So often the most important things actually aren't technical. The technical interventions are obviously very clearly important; however, educating the staff more than anything else, to ensure that they understand what a cyber attack looks like, what the potential consequences could be, what it looks like when someone's trying to phish someone, how do I react if I think I've been compromised, who do I report to, that's actually the first line and the most important line of defense. The other thing, I think, is focusing more on it as an organizational risk: where does this sit in terms of responsibility, in terms of budgeting and other things, how do I invest in this in the right way to take this seriously? Because if you don't give the security team enough budget or enough airtime on the board to actually manage the risk, then it doesn't really matter what technologies you've got; you're going to fail at that level before you even fail at the technology level. But of course there's a lot of technology out there, a lot of vendors out there that are providing solutions to every kind of attack at every level of the kill chain, so it's obviously good to make sure that you've got all of that covered as well, and CISOs are in a good place to understand what that market looks like and what they need.

Ulrika Fejne: Interesting, very good tips. I think we've covered quite a lot during this short time that we've had here, but to make it very, very practical and to summarize it, what would be the top five practical things to go and do going forward?

Matt Carey: Yeah, identity and access, we've spoken about it, definitely. Exercising, and making sure that you can recover from an attack and that you're going to be resilient to one, so that you know what will happen on the day and that you're quick to react. The third thing would be following a proper cyber security standard and making sure that you're covering all the key areas. The fifth thing is making sure that you've got enough resources invested in your cyber security effort, and that means people as well as tools, because if there's no one to answer the alerts it doesn't matter how many tools you've got, you'll still get finished off. And the other thing is to take a look at the regulatory picture and understand what your obligations are at the regulatory level, to stay within the law and also stay within whatever your specific critical infrastructure requirements are; if you're a critical infrastructure organization, what you need to answer to, especially those national-level ones like NIS2 and other regulations, DORA, that we all need to follow at the moment. Make sure that they're in the right place as well.

Ulrika Fejne: Very good. Thank you very much, Matt.

Matt Carey: You're welcome.

Ulrika Fejne: And thanks to all of you who have been listening and joining us here. If you would like to dive a bit deeper into this topic, you can download PwC's Annual Threat Dynamics 2026 report and reach out to us directly here on LinkedIn. Have a great rest of the day, thank you.