TL;DR

  • Attackers now move from initial access to data exfiltration in as little as 72 minutes — four times faster than the year before — according to Palo Alto Networks' 2026 Unit 42 Global Incident Response Report, which analysed 750+ major cyber incidents [1].
  • Identity weaknesses played a role in nearly 90% of investigated breaches — most attackers aren't breaking in, they're logging in with stolen credentials [1].
  • 23% of incidents involved attackers exploiting third-party SaaS applications and trusted integrations to bypass traditional defences [1].
  • 87% of intrusions involved activity across multiple attack surfaces simultaneously — endpoints, networks, cloud, SaaS, and identity [1].
  • The most effective controls are also the most accessible: strong MFA, reviewed access permissions, and continuous monitoring are the difference between a contained incident and a business-disrupting breach [1][2].

The 72-Minute Clock Is Running

The 2026 Unit 42 Global Incident Response Report — published by Palo Alto Networks on February 17, 2026, drawing on analysis of over 750 major cyber incidents across 50+ countries — documents a fundamental shift in how quickly cyberattacks unfold [1]. In the fastest cases investigated, attackers moved from initial access to complete data exfiltration in just 72 minutes. That is four times faster than the previous year [1].

This acceleration is not abstract. It means that by the time a security alert is reviewed, escalated to a human analyst, and investigated, an attacker may already have copied the data they came for and exited the network. The traditional model of "detect, investigate, respond" — built around human decision-making timescales — is under extreme pressure.

A major driver of this speed increase, according to Unit 42, is AI. The team observed AI being used in reconnaissance (identifying targets and vulnerabilities), phishing (crafting convincing messages at scale), scripting (automating exploitation steps), and operational execution (coordinating lateral movement across networks) [1]. AI enables "machine-like speed at scale": an attacker with AI assistance can execute a multi-stage intrusion in the time it takes a human to drink a coffee [1].

For small and medium businesses, the implication is not that the situation is hopeless. It is that the controls you put in place before an incident — access management, monitoring, incident response planning — matter far more than reactive measures applied after the fact.


The Real Attack Vector: Your Passwords, Not Your Firewall

The most striking finding in the Unit 42 report is this: identity weaknesses played a material role in nearly 90% of cyber investigations [1]. In most cases, attackers are not penetrating sophisticated technical defences. They are logging in with stolen credentials.

Credentials are stolen through a variety of means: phishing emails that trick users into entering passwords on fake websites, credential stuffing attacks that test billions of username-password combinations (harvested from previous breaches) against new services, infostealer malware that captures credentials from browsers and password managers, and social engineering attacks that manipulate users or IT staff into revealing access information.

Once attackers have valid credentials, they look legitimate to most security systems. They use the same login portals, the same tools, and generate the same activity patterns as real employees, right up until they escalate privileges, access sensitive data, or deploy ransomware [1]. Recent ransomware incidents follow the same script: in the February 2026 ransomware attack on Washington Hotel in Japan, compromised credentials enabled lateral movement that bypassed standard perimeter controls [9]. Without controls that detect anomalous behaviour after authentication, credential compromise can go undetected for weeks.

According to the 2026 Cybersecurity Insiders Outlook, business email compromise (BEC) — which typically involves compromising an email account and using it to conduct fraud, redirect payments, or launch further attacks — "quietly inflicts greater financial damage" than ransomware for many organisations, precisely because it leverages legitimate identity rather than obvious technical intrusion [2].

The FBI's Internet Crime Complaint Center (IC3) has consistently reported BEC as one of the highest-loss cybercrime categories. Its 2024 Internet Crime Report recorded more than $2.7 billion in BEC losses in the United States alone [3].


How Attackers Move Through Your Business: The Multi-Surface Attack

A key finding of the Unit 42 report is that modern attacks rarely stay contained to a single system. In 87% of intrusions investigated, activity was detected across multiple attack surfaces: endpoints, network infrastructure, cloud environments, SaaS applications, and identity systems simultaneously [1].

This matters for how you think about security. Organisations often have strong controls in one area — a well-configured firewall, for example — while having significant gaps in adjacent areas like cloud configuration, SaaS permissions, or privileged access management. Attackers are systematic about finding and exploiting these gaps.

The report identifies three specific patterns worth understanding:

Third-party SaaS exploitation: In 23% of incidents, attackers leveraged third-party SaaS applications — exploiting trusted integrations, vendor tools, and application dependencies to bypass traditional security perimeters and expand impact beyond the initially compromised system [1]. The 2024 Ticketmaster breach, in which attackers used credentials stolen from a contractor to log into the company's Snowflake cloud data warehouse account (which was not protected by MFA) and exposed data tied to over 500 million customer accounts, is a large-scale example of this pattern [2].

Browser-based entry: Close to half of incidents (48%) in the Unit 42 analysis included browser-based activity [1]. Modern attacks increasingly intersect with routine user workflows — email, web browsing, and SaaS application use — turning normal behaviour into an attack vector. Phishing links, malicious extensions, and session token theft all operate through the browser.

Privilege escalation via excessive trust: In many investigations, a single compromised account expanded into broad network access because of overly permissive roles and unmanaged access tokens [1]. The principle of least privilege — giving each account only the access it actually needs — is a critical control that is consistently underimplemented.

In over 90% of investigated incidents, "misconfigurations or gaps in security coverage materially enabled the attack" [1]. Most breaches are not failures of cutting-edge defences — they are failures to implement basic controls consistently.


Why 50+ Security Tools Is Not the Same as Security

Unit 42 notes that many organisations run 50 or more security products, making it "extremely difficult to deploy controls consistently or clearly understand what their data is telling them" [1]. This tool sprawl creates a counterintuitive problem: more security products, worse visibility.

Each additional tool creates integration complexity, alert fatigue (too many notifications, many of them low-quality), and accountability gaps (who owns the output from each tool?). The 2026 Cybersecurity Insiders Outlook identifies this directly, noting that 2026 will favour organisations that "simplify without sacrificing control, consolidating tools, workflows, and reporting in ways that reduce noise and strengthen accountability" [2].

For small and medium businesses, this is actually an advantage. You are not starting from a position of 50 overlapping security tools. You can build a lean, coherent security stack from the ground up — and the most impactful controls are the least complex.


Your Identity Security Action Plan

Unit 42's three recommendations from 750+ incident investigations distil to clear actions for businesses of any size [1]:

1. Reduce Exposure

Audit every internet-facing system, SaaS application, and third-party integration your business uses. Ask: does this need to be public? Does this vendor have access to our sensitive data? Is this integration actually in use? Unused integrations, forgotten SaaS subscriptions, and shadow IT (applications employees use without IT knowledge) are common footholds for attackers.

The 2026 Cybersecurity Insiders report found 77% of IT infrastructure services were outsourced as of 2024, and that most organisations use outdated methods — annual questionnaires, static risk scores — to evaluate vendor security [2]. Continuous monitoring of what your vendors actually have access to is increasingly the standard for responsible risk management.

2. Lock Down Identity

Multi-factor authentication (MFA) is the single most impactful identity control available, and it is free or very low cost to implement across most platforms. According to Microsoft, MFA blocks more than 99.9% of automated credential attacks [4]. If you are not running MFA on every business account (email, banking, cloud services, remote access), do that today, before anything else. One caveat: that figure covers automated attacks such as password spraying and credential stuffing. SMS codes and push prompts can still be phished or worn down by repeated prompts, so where a platform supports passkeys or hardware security keys, prefer them, starting with admin and finance accounts.

Beyond MFA: review every user account's permissions. The question is not "what might this person need someday?" but "what does this person actually need right now?" Remove admin rights from everyday user accounts. Audit service accounts (automated accounts used by applications) for excessive permissions. Review and revoke stale third-party integrations.

Password managers deserve mention here. Reused and weak passwords remain one of the most common entry points for credential stuffing attacks [1]. A business-grade password manager — Bitwarden Business, 1Password Teams, or similar — eliminates password reuse across the business and generates strong unique credentials for every service.
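As an added example (not code from the Unit 42 report or from lil.business), the review described in this step can be scripted once you have an export from your identity provider. The script below runs the checks over a constructed inventory of user, service and integration accounts: admins without MFA, non-human identities holding admin roles, stale accounts, and stale accounts that still hold broad access. The field names, the 90-day staleness threshold and the role and scope names are illustrative assumptions; swap in the ones from your own tenant's export.

```python
"""Identity access review over a constructed account inventory.

Added example, not code from the Unit 42 report or lil.business. Field
names, role/scope names and thresholds are assumptions; in practice the
inventory comes from your identity provider's user, service-principal and
OAuth-grant exports.
"""
from dataclasses import dataclass
from datetime import date

TODAY = date(2026, 2, 20)   # fixed reference date so the output is deterministic
STALE_DAYS = 90             # assumption: no sign-in or token use for 90 days = stale

ADMIN_ROLES = {"global-admin"}
BROAD_SCOPES = {"global-admin", "files.readwrite.all", "files.read.all", "mail.readwrite.all"}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str           # "user", "service" (automation account) or "integration" (OAuth app grant)
    roles: frozenset    # directory roles or delegated scopes held
    mfa: bool           # MFA enforced on interactive sign-in (only meaningful for users)
    last_used: date     # last successful sign-in or token use


# Constructed inventory for the example; none of these are real accounts.
INVENTORY = [
    Account("alice@example.com", "user", frozenset({"user", "global-admin"}), True, date(2026, 2, 19)),
    Account("bob@example.com", "user", frozenset({"user", "global-admin"}), False, date(2026, 2, 18)),
    Account("reception@example.com", "user", frozenset({"user"}), True, date(2026, 2, 19)),
    Account("former-contractor@example.com", "user", frozenset({"user"}), True, date(2025, 10, 15)),
    Account("svc-backup", "service", frozenset({"global-admin"}), False, date(2026, 2, 19)),
    Account("svc-legacy-crm", "service", frozenset({"files.readwrite.all"}), False, date(2025, 9, 1)),
    Account("oauth:old-scheduler", "integration", frozenset({"mail.read", "files.read.all"}), False, date(2025, 6, 30)),
    Account("oauth:accounting-sync", "integration", frozenset({"mail.read"}), False, date(2026, 2, 17)),
]


def review(inventory, today=TODAY, stale_days=STALE_DAYS):
    """Apply the lock-down-identity checks; return (severity, account, finding) tuples."""
    findings = []
    for acct in inventory:
        idle_days = (today - acct.last_used).days
        is_admin = bool(acct.roles & ADMIN_ROLES)
        is_broad = bool(acct.roles & BROAD_SCOPES)
        stale = idle_days > stale_days

        # Human accounts: MFA is non-negotiable, and an everyday mailbox should not be an admin.
        if acct.kind == "user":
            if is_admin and not acct.mfa:
                findings.append(("CRITICAL", acct.name, "admin account signs in without MFA"))
            elif not acct.mfa:
                findings.append(("HIGH", acct.name, "user account without MFA"))
            elif is_admin:
                findings.append(("MEDIUM", acct.name,
                                 "standing admin role; confirm this is a dedicated admin identity, not a daily-use mailbox"))

        # Non-human identities should never hold a standing admin role.
        if acct.kind in ("service", "integration") and is_admin:
            findings.append(("HIGH", acct.name, "non-human identity holds an admin role; scope it down"))

        # Anything unused is a foothold; unused plus broad access is an open door.
        if stale and is_broad:
            findings.append(("HIGH", acct.name,
                             f"unused for {idle_days} days but still holds broad access; revoke"))
        elif stale:
            findings.append(("MEDIUM", acct.name, f"unused for {idle_days} days; disable or remove"))

    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for severity, name, text in review(INVENTORY):
        print(f"{severity:8} {name:32} {text}")
```

The ordering is deliberate: the one finding that lets an attacker log in as an administrator with a single stolen password sits at the top, and the stale integration that still holds a broad files scope outranks a stale account with nothing behind it. A real export would also carry when MFA was last satisfied and which conditional-access policies apply; add those columns before trusting the MEDIUM tier.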

3. Build Response Speed

The 72-minute attack window means that detection and response processes need to be fast and, where possible, automated [1]. This does not mean every business needs a 24/7 Security Operations Centre. It does mean:

  • Centralised log collection: Ensure logs from key systems (email, identity provider, cloud services, remote access tools) flow into a single place you can actually review.
  • Baseline alerting: Configure alerts for obvious anomalies — logins from unusual locations or times, bulk data downloads, new admin account creation — even if it is just an email to the business owner.
  • An incident response plan: A one-page document that answers "if we think we've been breached, who calls who, what gets disconnected, and who is our outside help?" Written before an incident, not during.
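The "baseline alerting" bullet is the one most SMBs skip because it sounds like it needs a SIEM. It does not. The added example below (not code from the report or from lil.business) applies the rules just listed, plus an impossible-travel check, to a constructed sign-in and file-activity log in JSON-lines form, which most identity providers and cloud services can export. The baseline country, business hours, thresholds, field names and the sample events themselves are assumptions for the example; the IP addresses are from the reserved documentation ranges.

```python
"""Baseline alerting over a constructed sign-in and file-activity log.

Added example, not code from the Unit 42 report or lil.business. The log
format (one JSON object per line), the field names, the baseline country,
business hours and thresholds are assumptions for the example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASELINE_COUNTRIES = {"AU"}            # assumption: staff normally sign in from Australia
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59; timestamps are assumed to be local time
ADMIN_ROLES = {"global-admin"}
BULK_DOWNLOAD_COUNT = 50               # assumption: 50+ downloads inside the window is abnormal here
BULK_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(minutes=60)  # two countries inside an hour is not a plane trip

# Constructed sample log (documentation IP ranges, fictitious users).
SAMPLE_LOG = "\n".join(
    [
        '{"ts":"2026-02-18T09:02:11","user":"alice@example.com","event":"login_success","country":"AU","ip":"203.0.113.5"}',
        '{"ts":"2026-02-18T09:41:30","user":"alice@example.com","event":"login_success","country":"NL","ip":"198.51.100.77"}',
        '{"ts":"2026-02-18T09:50:00","user":"alice@example.com","event":"role_assigned","target":"svc-backup","role":"global-admin"}',
        '{"ts":"2026-02-18T10:05:00","user":"reception@example.com","event":"login_success","country":"AU","ip":"203.0.113.12"}',
        '{"ts":"2026-02-18T23:15:00","user":"bob@example.com","event":"login_success","country":"AU","ip":"203.0.113.9"}',
    ]
    + [  # 60 downloads by alice, one every five seconds from 09:43:00
        json.dumps({"ts": (datetime(2026, 2, 18, 9, 43) + timedelta(seconds=5 * i)).isoformat(),
                    "user": "alice@example.com", "event": "file_download", "file": f"contracts/{i:03}.pdf"})
        for i in range(60)
    ]
)


def parse(text):
    """Parse JSON lines into event dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Run the baseline rules; return (severity, ts, user, message) in time order."""
    alerts = []
    last_login = {}                  # user -> (ts, country) of the previous successful sign-in
    downloads = defaultdict(deque)   # user -> timestamps of downloads inside BULK_WINDOW
    bulk_reported = set()            # one bulk alert per user, not one per file

    for e in events:
        user, ts, kind = e["user"], e["ts"], e["event"]
        if kind == "login_success":
            if e["country"] not in BASELINE_COUNTRIES:
                alerts.append(("HIGH", ts, user, f"sign-in from unusual country {e['country']} ({e['ip']})"))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("MEDIUM", ts, user, f"sign-in outside business hours at {ts:%H:%M}"))
            prev = last_login.get(user)
            if prev and prev[1] != e["country"] and ts - prev[0] <= TRAVEL_WINDOW:
                minutes = int((ts - prev[0]).total_seconds() // 60)
                alerts.append(("CRITICAL", ts, user,
                               f"impossible travel: {prev[1]} then {e['country']} within {minutes} min"))
            last_login[user] = (ts, e["country"])
        elif kind == "file_download":
            window = downloads[user]
            window.append(ts)
            while ts - window[0] > BULK_WINDOW:   # drop downloads older than the window
                window.popleft()
            if len(window) >= BULK_DOWNLOAD_COUNT and user not in bulk_reported:
                bulk_reported.add(user)
                alerts.append(("HIGH", ts, user,
                               f"bulk download: {len(window)} files in {BULK_WINDOW.seconds // 60} min"))
        elif kind == "role_assigned" and e["role"] in ADMIN_ROLES:
            alerts.append(("HIGH", ts, user, f"granted {e['role']} to {e['target']}"))
    return alerts


if __name__ == "__main__":
    for severity, ts, user, message in detect(parse(SAMPLE_LOG)):
        print(f"{ts:%H:%M:%S} {severity:8} {user:24} {message}")
```

Run against the sample, the script fires five alerts in order: the Dutch sign-in, the impossible travel 39 minutes after an Australian sign-in on the same account, the bulk download once the fiftieth file goes out, the new admin role granted to a service account, and the late-night sign-in. The first four are one account telling the whole 72-minute story; a single email to the owner at the first of them would have been enough to act on. Whatever you pipe the output into, keep the rules this simple until you have a quarter of real logs to tune them against.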

Managed Detection and Response (MDR) services provide 24/7 monitoring and response for a monthly fee — many are accessible for SMBs at a cost comparable to a single day of downtime.


The Supply Chain Risk Is Real and Growing

The Unit 42 finding that 23% of incidents involved third-party SaaS exploitation [1] aligns with a broader trend that the 2026 Cybersecurity Insiders Outlook describes as "third-party risk taking centre stage" [2]. When your business uses external software, cloud services, and vendor tools, your security posture is partially defined by theirs.

The 2024 Ticketmaster incident, where credentials stolen from a contractor were used to log into the company's Snowflake cloud data warehouse and expose records on more than 500 million customers, was one of a series of compromises that year affecting organisations that all relied on the same cloud platform, and it demonstrates the cascading impact of supply chain compromise [2]. More recently, the BeyondTrust CVE-2026-1731 vulnerability (CVSS 9.9, actively exploited as of February 2026 and added to CISA's Known Exploited Vulnerabilities catalog) demonstrated that even tools designed to provide secure access can become the breach vector when unpatched [5][10].

For businesses relying on managed service providers, cloud platforms, or specialist SaaS tools for core operations, supply chain security hygiene means: asking vendors about their security certifications and patch cadence, reviewing what data and access you grant to third-party services, and ensuring contractual obligations around security incident notification are in place.

Related: How to Assess Your Vendor's Cybersecurity Posture Before It's Your Problem


FAQ

What is identity security, and why does it matter?

Identity security is the set of controls that govern who can access your business systems, what they can do once inside, and how you detect when legitimate credentials are being misused. According to the 2026 Unit 42 Global Incident Response Report, identity weaknesses played a material role in nearly 90% of investigated cyber incidents [1]. In most breaches, attackers do not break in — they log in using stolen or compromised credentials. Identity security controls like MFA, least-privilege access, and anomalous login detection are the most direct defences against this pattern.

How do attackers steal credentials?

The most common methods include phishing emails (fake login pages that capture credentials), credential stuffing (using billions of credentials stolen from other breaches to try against your services), infostealer malware (software that silently captures passwords from browsers and applications), and social engineering (convincing employees or IT staff to share access). A password manager enforcing unique, strong passwords for every service — combined with MFA — addresses the majority of these vectors.

What is a multi-surface attack?

A multi-surface attack is one where the attacker simultaneously targets or moves across multiple parts of an organisation's IT environment — endpoints (computers), networks, cloud services, SaaS applications, and identity systems. The 2026 Unit 42 report found that 87% of investigated intrusions involved multi-surface activity [1]. This makes attacks harder to detect and contain, because activity across disconnected systems may not trigger any single alarm threshold.

Are AI-powered cyberattacks real?

Yes, but not in the way the term might imply. AI-powered attacks do not look like science fiction. They look like faster, more convincing phishing emails, more efficient credential stuffing campaigns, and automated reconnaissance that finds your exposed systems before you know about them. The 2026 Unit 42 report noted AI being used across all phases of the attack lifecycle to achieve machine-like speed and scale [1]. The good news: the defences that work against AI-assisted attacks are the same as those that work against all attacks — MFA, access control, patching, and monitoring.

How quickly should we act if we suspect a breach?

Immediately. The 72-minute time to exfiltration in the fastest Unit 42 cases means that hesitation is expensive [1]. If you suspect a breach: isolate affected systems (disconnect from the network if unsure), preserve logs (do not delete, even if they show bad news), reset the password and revoke active sessions and tokens for any account you believe is compromised (a password change alone does not end a session the attacker already holds), notify your cybersecurity contact or provider, and begin your incident response plan. Do not attempt to "clean" systems yourself before engaging professional help, because forensic evidence is fragile.


References

[1] Palo Alto Networks Unit 42, "2026 Unit 42 Global Incident Response Report — Attacks Now 4x Faster," Palo Alto Networks Blog, Feb. 17, 2026. [Online]. Available: https://www.paloaltonetworks.com/blog/2026/02/unit-42-global-ir-report/

[2] Cybersecurity Insiders, "2026 Cybersecurity Outlook: A Maturity Reckoning," Cybersecurity Insiders, Feb. 19, 2026. [Online]. Available: https://www.cybersecurity-insiders.com/2026-cybersecurity-outlook-a-maturity-reckoning/

[3] FBI Internet Crime Complaint Center (IC3), "2024 Internet Crime Report," Federal Bureau of Investigation, 2025. [Online]. Available: https://www.ic3.gov/Media/PDF/AnnualReport/2024_IC3Report.pdf

[4] Microsoft, "Your Pa$$word doesn't matter," Microsoft Security Blog, Jul. 2019. [Online]. Available: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/your-pa-word-doesn-t-matter/ba-p/731984

[5] BleepingComputer, "CISA gives feds 3 days to patch actively exploited BeyondTrust flaw," BleepingComputer, Feb. 17, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-beyondtrust-flaw-within-three-days/

[6] Radware, "2026 Global Threat Analysis Report," GlobeNewswire, Feb. 19, 2026. [Online]. Available: https://www.globenewswire.com/news-release/2026/02/19/3240861/8980/en/Radware-2026-Global-Threat-Report-Shows-DDoS-Attacks-Jump-168-as-Cyber-Threats-Escalate-Across-Networks-and-Applications.html

[7] Deloitte, "Global Outsourcing Survey 2024," Deloitte, 2024. [Online]. Available: https://www.deloitte.com/content/dam/assets-zone3/us/en/docs/services/consulting/2024/us-global-outsourcing-survey-2024-report.pdf

[8] NIST, "NIST SP 800-207: Zero Trust Architecture," National Institute of Standards and Technology, Aug. 2020. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-207/final

[9] Rescana, "Washington Hotel Japan Ransomware Attack: Impact, Response, and Cybersecurity Lessons for the Hospitality Sector," Rescana Blog, Feb. 17, 2026. [Online]. Available: https://www.rescana.com/post/washington-hotel-japan-ransomware-attack-impact-response-and-cybersecurity-lessons-for-the-hospit

[10] CISA, "CISA Adds One Known Exploited Vulnerability to Catalog (CVE-2026-1731)," CISA, Feb. 13, 2026. [Online]. Available: https://www.cisa.gov/news-events/alerts/2026/02/13/cisa-adds-one-known-exploited-vulnerability-catalog


Is your business running on strong identity hygiene — or banking on luck? lil.business provides identity security audits, MFA implementation, access control reviews, and incident response planning for Australian SMBs. Book a free consultation and find out where your access controls stand.

ELI10: Hackers Are Logging In, Not Breaking In

Explained Like You're 10 — by lilMONSTER at lil.business


Imagine your business office has a special entry card system. Every employee gets a card that unlocks the door. It's secure — or so you think.

Now imagine a stranger finds a copy of one of your employee's entry cards. They walk right through the front door. They look like a normal person. They walk to the filing cabinet. They copy everything. And they're gone in an hour.

That is how nearly 90% of the major cyberattacks investigated in the 2026 report worked: a weakness around identity, most often a stolen password, let the attacker in.

Not Hollywood hacking — just someone with your employee's password, walking right in.


The Speed Problem

A new security report released this week — by a company called Palo Alto Networks, which investigated over 750 major cyberattacks around the world — found something alarming: attackers now move from "got in" to "stole everything" in as little as 72 minutes.

That's four times faster than the year before.

The reason? AI tools. Attackers are using AI to automatically find weaknesses, craft convincing messages, and move through computer systems faster than any human could on their own.

By the time most businesses even realise something is wrong, the attacker is already done.


How Do Attackers Get Your Passwords?

You don't have to do anything obviously wrong. Here's how it happens all the time:

  • Fake login page. An employee gets an email that looks like it's from Microsoft, Google, or their bank. They click the link and type in their password — but the page is fake. Password stolen.
  • Old breach. Your employee uses the same password on five different services. One of those services got hacked years ago. Attackers try that password on your systems. It works.
  • Sneaky software. Someone downloads something dodgy. It quietly records every password they type and sends it to the attacker.

None of this requires the attacker to be a genius. AI tools and ready-made attack kits mean that someone with limited technical skill can run these attacks automatically at massive scale.


The Fix: A Second Lock on the Door

The single most effective thing your business can do right now costs almost nothing: turn on MFA (Multi-Factor Authentication).

MFA is like adding a second lock to your door. Even if someone has your password (the key), they also need your phone (the second lock) to get in. Microsoft found that MFA blocks 99.9% of automated password attacks.

Turn it on for:

  • Business email (Gmail, Outlook)
  • Cloud storage (Google Drive, Dropbox, OneDrive)
  • Banking and finance apps
  • Any remote access tools
  • Social media accounts

Most apps have a "Security" or "Two-Factor Authentication" setting. Enable it everywhere. Use an authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) rather than SMS codes, which can be intercepted if a criminal takes over your phone number. If a service offers passkeys or a physical security key, that is better still, because a fake login page cannot capture them.


The Second Fix: Give People Only What They Need

The report found that once attackers get in, they often roam freely because employees have more access than they actually need.

Ask your IT person: does every staff member only have access to the things they need for their job? Your junior receptionist probably doesn't need admin access to the server. Your salesperson probably doesn't need access to payroll files.

This is called the "principle of least privilege" — and it limits how far an attacker can go even if they do get in.


The Third Fix: Have a Plan

The attackers are fast. You need to be faster — and that means thinking about it before something goes wrong.

Three questions to answer today:

  1. If someone's email account gets hacked, who do we call?
  2. What do we disconnect first to stop the damage spreading?
  3. Do we have backups of our important data, and are they recent?

Written answers to these questions — even on a single piece of paper — are worth more than any expensive software if the moment comes.


The Big Picture

You don't need to build a fortress. You need a few strong, smart habits. MFA + reviewed permissions + a response plan covers the majority of what the world's biggest security firms see failing again and again in real attacks.

lil.business helps Australian small businesses get these basics right — quickly and without the jargon. Book a free 30-minute consult and walk away with a clear list of what to do first.
