3 min reading

Cybersecurity: Why It Must Become a Business Strategic Priority

Published on

13/11/25

“Business leaders must consider cybersecurity a key strategic priority.” says Amy Hogan-Burney, Corporate Vice President of Microsoft's Customer Security & Trust division.

This statement following the publication of the last Microsoft Digital Defense Report 2025, released on October 16, 2025, represents a clear and urgent warning for all organizations.

‍

‍

A Rapidly Evolving Context

Cyber threats are taking on an increasingly central role in geopolitical conflicts and criminal activities, generating systemic damage that jeopardizes the very survival of companies. According to the Microsoft report, the period between July 2024 and June 2025 saw an unprecedented evolution of attacks, characterized by:

Ransomware and Revengeware: malware motivated by blackmail and revenge;
Artificial Intelligence: used to increase the number, effectiveness and sophistication of digital assaults;
Deepfake: employed to damage reputation and increase psychological pressure on victims.

The 52% of the accidents is linked to data theft for the purpose of extortion, while only the 4% It is attributable to operations of espionage. Critical sectors such as healthcare, public administration and education have become privileged targets, with a direct impact on people's lives.

‍

The Call to Action: Mobilizing Boards

The report highlights the need to raise cybersecurity to an operational risk and a priority in corporate governance. This is no longer a technical issue that can be delegated to the IT department alone, but a strategic imperative that requires:

Investments targeted in advanced technologies, such as the integration of AI tools into defense systems;
Integrated resilience, right from the design of the infrastructure, to anticipate, resist and recover from attacks;
Information sharing between organizations to create collective deterrence.

‍

‍

What does it mean for an Italian SME?

For Italian small and medium-sized businesses, often with limited resources to dedicate to security, the Microsoft report offers concrete and alarming ideas:

They don't enter, they log in. Today, opponents 'don't hack systems, they access them': The theft of credentials (passwords, tokens) through malware”Infostealer“is the new main front door. This means that even an SME can be the victim of a serious attack not because it has insecure systems, but because an employee's credentials have ended up on the dark web. Companies that are infected with Infostealer are at high risk of future breaches.
The 'ClickFix' tactic is growing. This is a social engineering technique that deceives users into executing malicious code themselves, bypassing traditional anti-phishing protections. It's a reminder that employee cybersecurity awareness training is essential.
The recommendations: identity and preparation. Microsoft recommends protecting identities as a top priority, enforcing multi-factor authentication (MFA) for all accounts. It also stresses that an accident is a matter of 'when', not 'if'. For an SME, this means having to have a tested incident response plan, including specific scenarios for ransomware attacks, and isolated, restorable backups.
Safety is a shared responsibility. The report closes by highlighting how security is a shared responsibility between governments, industry and end users, based on transparency and collaboration. For an SME, participating in information circuits and comparison with other companies or trade associations can be a fundamental defense multiplier.

Conclusions: Innovation, Resilience and Partnership

As Hogan-Burney recalls, it is time to act: combining innovation, resilience and partnership is the only way to combat increasingly complex threats. Cyber security shall enter the corporate DNA, becoming an integral part of every decision-making and operational process. Only then can organizations protect not only their data, but their very existence.