7 Security Actions to Take in 2026 to Exponentially Reduce Your Risk
Based on insights from At-Bay’s 2025 Threat Intelligence Report
At-Bay Security observed dramatic shifts in the threat landscape during 2025, with a surge of ransomware cases in Q3 focused on the exploitation of edge devices and an increase in actors focusing on data theft over encryption by the end of the year.
As we head into 2026, threat actors are aggressive, organized, and opportunistic. However, most attacks follow predictable patterns. We spoke to At-Bay’s Director of Threat Intelligence, Laurie Iacono, to understand what concrete steps organizations can take right now to close the gaps threat actors are exploiting.
We’ve organized these seven actions, detailed below, into three strategic categories that address different stages of the attack lifecycle: stopping threats before they start, detecting anomalies in real time, and preventing data loss when attackers get in.
Pre-Breach Visibility
Pre-breach visibility means identifying threats, vulnerabilities, and compromised credentials before attackers can exploit them to breach your network. “The best defense is knowing about threats before they reach your network,” says Iacono.
1. Monitor for Leaked Credentials
Why it matters: 53% of breaches in 2025 started with purchased credentials¹. Your credentials are likely already for sale on the dark web, and the average time from credential theft to network compromise is just 3-14 days.
What to do:
- Use dark web monitoring services to detect when employee credentials appear in breach databases
- Check critical accounts against Have I Been Pwned (HIBP)
- Implement automated password resets when credentials are detected
- Require immediate password changes for affected accounts
At-Bay Stance™ Managed Detection and Response (MDR) for Identity includes continuous leaked credential monitoring and automated alerting, helping you act before threat actors do.
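The HIBP check above can be automated without ever sending a password or its full hash off-host, using the Pwned Passwords k-anonymity range API: only the first five hex characters of the SHA-1 are sent, and the response lists every matching suffix with its breach count. The code below is an added example, not part of this article or At-Bay's tooling; the range response it parses offline is a constructed sample (only the suffix for "password" is real), and the `Add-Padding` header is the documented HIBP option that pads responses with count-0 entries.

```python
import hashlib
from urllib.request import Request, urlopen

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # k-anonymity endpoint


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent to HIBP
    and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse '<suffix>:<count>' lines into {suffix: count}; tolerates CRLF/blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup; padded responses hide the true number of real matches from observers."""
    req = Request(HIBP_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=None) -> int:
    """Return how many times the password appears in HIBP (0 if absent).
    `fetch(prefix)` returns the range body; defaults to the live HTTPS lookup."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = (fetch or fetch_range)(prefix)
    return parse_range_response(body).get(suffix, 0)


# Constructed offline sample of a range response for prefix 5BAA6 (the prefix of
# SHA-1("password")). The other suffixes and all counts are made up.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "0" * 32 + "AAA" + ":3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10000000",
    "0" * 32 + "BBB" + ":0",  # padding entry (count 0) added by Add-Padding
])


def offline_fetch(prefix: str) -> str:
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch=offline_fetch)
        print(f"{pw!r}: {'EXPOSED' if n else 'not in sample'} ({n} hits)")
```

Run it against a list of service-account or shared passwords as part of the monthly review; anything with a non-zero count should trigger the reset workflow described above.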
2. Patch VPN Infrastructure (and Consider Moving to SASE/Zero Trust)
Why it matters: In H2 2025, approximately 80% of Akira cases investigated by At-Bay Security’s Response & Recovery team were associated with SonicWall VPN for initial entry. Threat actors are actively scanning for known vulnerabilities in edge devices, and traditional perimeter-based VPNs present an attractive attack surface.
What to do:
- Apply all critical patches to VPN appliances immediately
- Set up automated patch notifications from your vendor
- If you’re running end-of-life VPN hardware, prioritize replacement or migration
- Evaluate moving to SASE (Secure Access Service Edge) or Zero Trust architectures that reduce your attack surface entirely
In Q3, when the Akira SonicWall campaign peaked in activity, At-Bay Security observed that 28% of organizations impacted had patched to the most recent version, but 72% remained vulnerable to known exploits. Don’t assume you’re current — verify it.
3. Inventory and Control Remote Access Tools
Why it matters: Threat actors routinely use legitimate remote access and file-transfer tools (AnyDesk, TeamViewer, RClone) to maintain persistence and exfiltrate data. If you don’t know what remote access software exists in your environment, you can’t detect anomalies.
What to do:
- Use software inventory management tools to catalog all remote access and administration software
- Turn on built-in inventory capabilities in Windows via Settings > Apps or PowerShell commands
- Check for more comprehensive visibility through third-party solutions (like Microsoft Intune, Jamf, or specialized asset management tools)
- Create an approved list and block or alert on unapproved tools
- Remove unnecessary remote access software from endpoints
“When threat actors deploy tools your organization doesn’t normally use, they should ‘stick out like a sore thumb’ to monitoring systems, but only if you know what’s normal first,” says Iacono.
Context & Correlation
Even with strong pre-breach visibility, attackers will find ways in. The following actions can help you detect and respond to threats in real time by correlating behavior patterns and anomalies.
4. Enforce MFA Everywhere
Why it matters: “Multi-factor authentication (MFA) is your first line of defense against stolen credentials being used to access your systems,” says Iacono. Valid username and password combinations look legitimate to most security tools, but MFA adds the critical second verification layer.
What to do:
- Enforce MFA on VPNs, RDP, and all cloud admin consoles — not just email
- Use authentication apps or hardware tokens (avoid SMS when possible)
- Review exception lists monthly and eliminate unnecessary bypasses
- Pay special attention to service accounts and privileged access
Most organizations already have MFA capability in their tools; they just haven’t enforced it everywhere. “At a minimum, organizations should enforce MFA for VPN and admin accounts,” says Iacono. “Many tools and applications have MFA as an option, but it’s not always the default, so administrators should periodically review configurations to ensure that when MFA is available, it’s turned on.”
5. Enhance VPN Logging
Why it matters: When an incident occurs, insufficient logging makes forensic analysis difficult or impossible. You need to capture enough detail to understand what happened, when it happened, and what the threat actor accessed.
What to do:
- Enable comprehensive VPN access logs (user, timestamp, source IP, destination, duration)
- Configure log retention for at least 90 days (longer if possible)
- Forward logs to a SIEM or centralized logging system
- Test your ability to query and analyze these logs before you need them
This is typically a configuration change, not a purchase, making it one of the most cost-effective improvements you can make.
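"Test your ability to query and analyze these logs before you need them" is easiest to satisfy with a small script you can run against a day's export. The example below is added here and is not from the article; it parses a constructed VPN access log in a generic key=value layout carrying the fields listed above (real appliance formats differ, so `LINE_RE` is an assumption to adapt) and runs two detections: one user authenticating from two different source IPs within a short window, a common sign of a stolen credential in use alongside the real employee, and successful logins outside business hours.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: generic key=value format, times in UTC).
SAMPLE_LOG = """\
2025-09-03T08:02:11Z user=alice src=203.0.113.10 dst=vpn-gw1 duration=3600 result=success
2025-09-03T08:05:40Z user=bob src=198.51.100.7 dst=vpn-gw1 duration=7200 result=success
2025-09-03T08:20:05Z user=alice src=192.0.2.77 dst=vpn-gw1 duration=900 result=success
2025-09-03T23:41:52Z user=svc-backup src=198.51.100.9 dst=vpn-gw2 duration=60 result=success
2025-09-03T23:42:30Z user=svc-backup src=198.51.100.9 dst=vpn-gw2 duration=0 result=failure
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"duration=(?P<dur>\d+) result=(?P<result>\S+)$")


def parse_log(text):
    """Turn log lines into dicts; non-matching lines are skipped (count them in production)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dur"] = int(e["dur"])
        events.append(e)
    return events


def find_concurrent_sources(events, window=timedelta(minutes=30)):
    """Flag (user, earlier_src, later_src, time) when one user succeeds from two
    different source IPs within `window`."""
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] != "success":
            continue
        for prev in by_user[e["user"]]:
            if prev["src"] != e["src"] and e["ts"] - prev["ts"] <= window:
                findings.append((e["user"], prev["src"], e["src"], e["ts"]))
        by_user[e["user"]].append(e)
    return findings


def find_off_hours(events, start_hour=7, end_hour=20):
    """Flag successful logins outside [start_hour, end_hour) UTC; adjust per site."""
    return [(e["user"], e["src"], e["ts"]) for e in events
            if e["result"] == "success" and not start_hour <= e["ts"].hour < end_hour]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_concurrent_sources(evs):
        print("concurrent-source:", f)
    for f in find_off_hours(evs):
        print("off-hours:", f)
```

If this script cannot be run because a field is missing from your export, that is the logging gap to fix now, while it is only a configuration change.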
6. Deploy Managed Detection and Response (MDR)
Why it matters: 57% of organizations that fell victim to Akira ransomware attacks in 2025 had Endpoint Detection and Response (EDR) deployed². “Detection alone isn’t enough,” says Iacono. “You need active threat hunting, behavioral analysis, and 24/7 response capability to correlate suspicious activity and stop attacks before they escalate.”
What to do:
- Evaluate MDR providers that offer endpoint, identity, and network visibility
- Look for services that include active threat hunting, not just automated alerts
- Ensure your MDR service can respond to threats in real time, not just notify you
- Consider packages that cover both endpoints and identity (many attacks now bypass endpoints entirely)
The two organizations in our data set that weren’t encrypted by Akira had one thing in common: active 24/7 managed response with threat hunting, not just detection tools.
Data Movement Detection
The final layer of defense focuses on detecting and preventing data exfiltration. Iacono cautions that, with the rise of pure extortion attacks that skip encryption entirely, preventing data loss is now just as critical as preventing ransomware.
7. Implement Data Loss Prevention (DLP) and Egress Controls
Why it matters: Pure extortion groups like PEAR Team are exfiltrating up to 1.2TB of data per victim without ever encrypting anything. Once your data is out, backups don’t help you — the damage is done.
What to do:
- Deploy DLP solutions that monitor data movement to cloud storage, external drives, and email
- Configure alerts for unusual egress patterns (large data transfers, especially to personal cloud accounts or unfamiliar destinations)
- Block or restrict access to common exfiltration tools (Mega, Dropbox, personal file transfer services) unless business-justified
- Monitor for legitimate tools being used maliciously (RClone is a common example for data exfiltration)
- Establish baseline data transfer patterns so anomalies are easier to spot
Traditional ransomware focused on encryption. Pure extortion groups skip encryption entirely, making data loss prevention your primary defense against this growing threat.
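Two of the controls above, baselining data transfer patterns and alerting on egress to personal cloud services, can be expressed as simple logic over daily per-host egress totals rolled up from proxy or firewall logs. The example below is added here and is not the article's or any vendor's code; the records and the `PERSONAL_CLOUD` list are constructed assumptions, and the thresholds (a day more than 10x the host's median and at least 1 GB) are starting points to tune.

```python
import statistics
from collections import defaultdict

# Constructed daily egress summaries: (day, host, destination domain, bytes out).
SAMPLE_EGRESS = [
    ("2025-11-01", "ws-042", "sharepoint.example.com", 210_000_000),
    ("2025-11-02", "ws-042", "sharepoint.example.com", 180_000_000),
    ("2025-11-03", "ws-042", "sharepoint.example.com", 240_000_000),
    ("2025-11-04", "ws-042", "sharepoint.example.com", 200_000_000),
    ("2025-11-05", "ws-042", "sharepoint.example.com", 195_000_000),
    ("2025-11-06", "ws-042", "sharepoint.example.com", 190_000_000),
    ("2025-11-07", "ws-042", "sharepoint.example.com", 205_000_000),
    ("2025-11-07", "ws-042", "mega.nz", 1_200_000_000_000),  # ~1.2 TB to a personal cloud
    ("2025-11-01", "srv-db1", "backup.example.com", 50_000_000_000),
    ("2025-11-02", "srv-db1", "backup.example.com", 52_000_000_000),
    ("2025-11-03", "srv-db1", "backup.example.com", 49_000_000_000),
    ("2025-11-04", "srv-db1", "backup.example.com", 51_000_000_000),
]
# Assumption: destinations with no business justification in this organization.
PERSONAL_CLOUD = {"mega.nz", "dropbox.com", "wetransfer.com"}


def daily_totals(records):
    """Sum bytes per (host, day) so the baseline covers the host's whole daily egress."""
    totals = defaultdict(int)
    for day, host, _dst, nbytes in records:
        totals[(host, day)] += nbytes
    return totals


def egress_alerts(records, min_history=5, factor=10, min_bytes=1_000_000_000):
    """Return (host, day, reason) alerts. A day is volume-anomalous when its total is
    at least `min_bytes` and more than `factor` x the median of the host's earlier
    days (once `min_history` days exist); any bytes to PERSONAL_CLOUD also alert."""
    alerts = []
    totals = daily_totals(records)
    history = defaultdict(list)
    for host, day in sorted(totals):  # ISO dates sort chronologically within a host
        total = totals[(host, day)]
        past = history[host]
        if len(past) >= min_history and total >= min_bytes:
            median = statistics.median(past)
            if total > factor * median:
                alerts.append((host, day, f"volume {total / 1e9:.1f} GB vs median {median / 1e9:.1f} GB"))
        past.append(total)
    for day, host, dst, nbytes in records:
        if dst in PERSONAL_CLOUD and nbytes > 0:
            alerts.append((host, day, f"{nbytes / 1e9:.1f} GB to personal cloud {dst}"))
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(SAMPLE_EGRESS):
        print(*alert)
```

The backup server's large but steady transfers never alert, which is the point of baselining per host rather than using one global threshold.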
The Implementation Reality
Here’s what we learned from analyzing hundreds of incidents in 2025: organizations that were compromised often had many security controls in place. The problem wasn’t missing tools; it was inconsistent implementation.
Common gaps we observed:
- MFA was enabled, but not enforced on VPNs
- Patches were applied, but months after release
- EDR was deployed, but no one was actively monitoring alerts
- Password policies existed, but “password” was still the shared IT team credential
“Security is not a checklist,” says Iacono. “Having the right tools matters, but implementing them correctly and maintaining them consistently across all three defense layers — pre-breach visibility, context and correlation, and data movement detection — is what actually stops attacks.”
Start Where You Are
You don’t need to tackle all seven actions simultaneously. We’ve organized them strategically so you can:
- Start with Pre-Breach Visibility (Actions 1-3): These help you identify and close vulnerabilities before attackers exploit them.
- Build Context & Correlation Capabilities (Actions 4-6): These detect and respond to threats that make it past your perimeter.
- Layer in Data Movement Detection (Action 7): This catches threats that evade your other defenses and prevents the damage from pure extortion attacks.
Each layer reinforces the others, creating defense in depth that makes it exponentially harder for threat actors to succeed.
Not sure where your biggest gaps are? At-Bay policyholders with Embedded Security can schedule a complimentary security assessment with one of our Cyber Advisors to identify the highest-priority actions for your business in 2026.
¹ Source: At-Bay Response & Recovery Q3 2025 Threat Intelligence Insights
² Source: At-Bay Security Response & Recovery