E64 - A Billion Accounts Without MFA

By FIR Risk Advisory | Cybersecurity Fraud Intelligence

Weekly Risk Intelligence Brief  

Source: Trend Micro — 2025 Cyber Risk Report (February–December 2024 data)

The 30-Second Brief  

Trend Micro’s 2025 Cyber Risk Report quantifies what many organizations feel but can’t measure: the gap between knowing your risks and actually fixing them. The average Cyber Risk Index sits at 38.4 out of 100 (medium risk). Over 1 billion accounts lack MFA or password expiration. All ten of the riskiest CVEs in 2024 were patchable — yet remained widely unpatched.

The data tells a clear story: most organizations know what to fix. The problem is speed of execution.

The Risk Landscape  

Cyber Risk Index: 38.4 (Medium)  

Trend Micro’s CRI scores organizations on a 0–100 scale. The global average of 38.4 places most organizations in medium risk territory. But averages hide the outliers:

• High-risk industries: Education, Construction, Agriculture, Insurance
• Most improved region: Europe — driven by regulatory compliance pressure
• Takeaway: Regulation works. Industries without compliance mandates are falling behind.

INTEL [TREND]: Trend Micro’s Cyber Risk Index averages 38.4 (medium risk) globally, but high-risk industries — education, construction, agriculture, insurance — cluster significantly higher. Europe’s improvement confirms that regulatory pressure drives measurable risk reduction. Industries without compliance mandates should benchmark against CRI data proactively.

A Billion Accounts Without MFA  

Over 1 billion accounts lack MFA or password expiration protocols. 10+ security settings are regularly left unoptimized across endpoints. These aren’t sophisticated attack surfaces — they’re open doors.

INTEL [VULNERABILITY]: Over 1 billion accounts lack MFA or password expiration controls. This isn’t a technology gap — it’s a governance gap. Identity hygiene at this scale represents the single largest addressable risk surface in most organizations. Automate stale account retirement and enforce MFA universally.

Patch Times Tell the Story  

Mean time to patch critical vulnerabilities by region:

All ten of the riskiest CVEs in 2024 were patchable — yet remained widely unpatched. Larger organizations patch slower, not faster.

INTEL [SECTOR ALERT]: Large enterprises (>10K employees) take 41.3 days on average to patch critical vulnerabilities — nearly double Europe’s 23.5-day average. Every riskiest CVE of 2024 had patches available. This is a governance and process problem, not a technical one. Automate patching workflows and escalate unpatched critical CVEs to leadership.

Email Threats Surging  

57 million high-risk emails blocked — a 27% year-over-year increase. Email remains the #1 delivery mechanism for initial access, and volume is accelerating.

INTEL [ATTACK TECHNIQUE]: High-risk email volume increased 27% YoY to 57 million blocked. AI is making phishing more convincing and harder to detect. Email security must evolve beyond signature-based filtering to behavioral analysis and real-time link detonation.

Top 5 Enterprise Risks for 2025  

1. Risky cloud application access — most frequently detected risk event
2. Stale and weak account credentials — the identity hygiene crisis
3. Email-based threats — primary surge area at +27%
4. Endpoint misconfiguration — 10+ settings regularly unoptimized
5. Cloud infrastructure misconfigurations — AWS, Azure, GCP policy drift

Ransomware: Still Industrialized  

Active groups in 2024: LockBit, RansomHub, Black Basta

Primary targets: Retail, Technology, Industrial, Transportation

The intrusion pattern is consistent: endpoint compromise through unpatched vulnerabilities, then lateral movement through identity weaknesses. The same hygiene gaps that appear in the CRI data are the same ones ransomware operators exploit.

INTEL [GLOBAL RECOMMENDATION]: LockBit, RansomHub, and Black Basta continue to dominate ransomware activity. Their playbook is consistent: exploit unpatched endpoints, move laterally through weak identity controls. Closing the hygiene gaps in patching and identity governance directly reduces ransomware exposure.

What Leaders Should Do Now  

1. Operationalize Cyber Risk Index as a board metric — CRI gives executives a single number to track. Report it quarterly alongside financial risk metrics.

2. Automate patching workflows — 41.3-day patch times for large organizations are unacceptable. Automate critical CVE patching with SLA escalation.

3. Enforce universal MFA — 1 billion accounts without MFA is a governance failure. Automate stale account retirement and mandate MFA for all active accounts.

4. Invest in AI-powered SOC tools — Analyst fatigue is real. AI-driven triage and automated response playbooks reduce mean time to respond.

5. Extend identity governance to inactive accounts — Stale credentials are the #2 enterprise risk. Automate discovery and deprovisioning.

6. Establish cyber hygiene as a cultural priority — The top 5 risks are all addressable with basic hygiene. Make it a leadership accountability metric, not just an IT metric.

The Bottom Line  

Cybersecurity is no longer about stopping breaches. It’s about staying ahead. Trend Micro’s data shows most organizations know their risks — the gap is execution speed. A billion accounts without MFA. 41-day patch cycles. 57 million high-risk emails. The risks are quantified. The patches exist. The question is whether leadership will treat cybersecurity as a business resilience imperative or continue managing it as a technical function.

Find all editions on FIR Risk Tuesday | GitHub