Maturing Your Cyber Defense Strategy
An interview with a cybersecurity expert.
Amir Atzmon, VP Consulting Cyber Services at Matrix 2BSecure, sums up 2025: the year of phishing and ransomware, which saw a rise in AI as both an attack and defense tool, and the biggest missed insight: failing to understand that cybersecurity is business risk management. Plus: the critical challenges ahead for 2026.
The Most Common Attack in 2025: Phishing – Often Combined with Ransomware
What was the most common type of attack in 2025?
The most common attack in 2025 was phishing. These attacks attempt to gain access to sensitive information via email, SMS, WhatsApp, and similar channels, usually by including a malicious link. This can happen directly – by asking the target to enter a password or credit card details – or indirectly, by tricking them into clicking a link that installs malware on their computer or mobile device. This malware allows attackers to collect information from the compromised device, or use the device as a proxy to access additional devices and organizational systems.
It’s important to remember that phishing itself is rarely the end goal. It’s just a way for the attacker to obtain information that will allow him to advance the attack to the next level, for example, to take over organizational systems in order to cause substantial damage, and/or demand a ransom. This is where ransomware comes in – another major attack type in 2025 – the ultimate goal of which is to extort money from the victim. Like I said, ransomware may start with phishing, but it can also exploit vulnerabilities in network components, or in the external supply chain, or the download of infected files. The attack may involve encrypting servers, endpoints, or databases, and/or stealing data and threatening to publish it.
Cybersecurity Is Not Just a Problem for IT and Cyber Professionals to Handle – It’s an Integral Part of Business Risk Management
What do you think is the most important thing the market still hasn’t fully understood about cyber defense?
In my view, many organizations still fail to grasp that cybersecurity is not a purely technical issue for IT or security teams; rather, it’s a core business risk management issue for the organization. Cyber risks must form an integral part of the organization’s overall business risk matrix, and be embedded in organizational education programs.
Organizations need to internalize that when analyzing business risks, cyber is an integral part of the picture. The organization’s cyber strategy must support the protection of its core business processes, and go hand in hand with its overall business strategy.
One of the important processes that an organization needs to carry out is to build a business continuity plan based on the mapping of core business processes, and the ability to maintain functional continuity, even during a crisis or cyber incident.
The Evolving Cyber Professional: Equipped with AI Tools to Counter AI Threats, and a Risk-Management Mindset
How has the role of the cybersecurity professional changed in the past year?
There are a number of processes happening today which are expected to continue to develop in the coming years. These require cyber professionals to acquire new knowledge and adapt to the changing reality. I will mention only some of them. First and foremost is, of course, AI, which has an impact on several levels.
First, organizations are themselves increasingly using AI tools in their daily operations. This can streamline processes, but it also exposes them to new information security threats, such as data leaks and overreliance on AI tools that sometimes generate misleading results (the “hallucination” phenomenon). Second, attackers can now easily create many more, and increasingly sophisticated, attacks, for example, more complex phishing, malicious code written by AI, and more. As a result, organizations and cyber experts are starting to think about how to implement information security solutions, some of which are AI-based, in order to deal with the challenges of the era.
Another issue is automation. Today, there are more and more tools and systems (some using AI) that enable automation of information security processes, such as monitoring, responding to supplier questionnaires, threat hunting, and more. This enables organizations to improve the level of their information security, and free up their experts to focus on other things.
At the same time, expanding and changing standards and regulations, both in Israel and around the world, require information security professionals to have more than purely technical skills. They are required to understand and operate in a complex regulatory environment, where standards demand concrete evidence of performance, structured reporting on organizational processes, metrics, and compliance with requirements – not just generic questionnaires. Overall, information security professionals today are required to operate much more as risk managers, alongside their technical and technological management roles.
Key Challenges: Protecting the Organization in the Age of AI, and the Vulnerability Space Created in the Supply Chain
What do you think will be the main cyber challenges in 2026, and how should organizations prepare?
There are quite a few challenges that organizations will need to deal with in the coming year, but I will focus on two main ones: AI, and the supply chain.
As I mentioned above, the field of AI continues to gain momentum both in terms of attack capabilities, organizational uses, and recently also in terms of information security products that use AI as part of their defense capabilities. Given the increasing level of sophistication of attacks, organizations are required to strengthen the whole area of user and identity management, ensure the separation of capabilities and permissions, and generally advance to a Zero Trust approach. At the same time, it is important to implement detection capabilities as early as possible in existing defense systems (for example, in EDR) and to integrate detection and response automation (integrating SOAR into the existing SIEM system).
In parallel, many organizations want to use AI today, but do not really know or understand what or how. Only after they have carried out a clear process of what organizational use they intend to make of AI will it be possible to develop a strategy/processes to protect the systems accordingly.
Another important issue is the supply chain, which is currently considered one of the weakest links in an organization’s information security system. Organizations sometimes work with dozens, hundreds, or even thousands of external suppliers (software, hardware, external service providers, etc.), who have access, one way or another, to the organization’s network. In many cases, at least some of these suppliers are relatively small entities for whom information security is not necessarily high on their priority list. These suppliers significantly expand the organization’s vulnerability, and increase the risk of a cyberattack.
As a starting point, it is very important to anchor into supplier agreements their information security responsibilities, and the organization’s right to inspect it at any time. Here too, one of the most important issues is to take a Zero Trust approach to identity management and the separation of permissions between the various suppliers.
Another key point is to conduct in-depth checks of key suppliers. Don’t just settle for a basic questionnaire sent to the supplier, but perform risk surveys and penetration tests on the supplier’s infrastructure. Of course, this isn’t feasible for the likes of Google or Microsoft, but for smaller suppliers that are critical to the organization, this is an essential step.
Best Part of the Workday: Conversations with People
Tell us about your role, what your day tends to look like, and what you enjoy most.
I currently serve as VP of Consulting at Matrix 2BSecure, leading a team of around 50 expert consultants who provide advisory services in information security fields such as penetration testing, risk assessments, GRC, incident response, secure development, cloud security, and more.
My days are very diverse, and include conversations and meetings with employees and clients, working on projects with our consultants, and continuous thinking about how to improve our existing services and identify new services our customers need today, or will need in the near future.
Besides the obvious joy of going home to my family, I really enjoy most of what I do. The most important key to my success is the people I work with, so the best part of my day is time spent meeting and talking with our staff and clients.
Major Accomplishment: Building a Multi-Year Cyber Strategy for a Key Israeli Organization
Tell us about a particularly meaningful project or initiative that you have worked on this year.
In the last quarter of 2024, we began building a multi-year cybersecurity strategy for a major Israeli organization. The project involved deep analysis of the client’s business processes, the core services they provide, their operations, and long-term business strategy. Together with the client, we mapped their threat landscape, and by combining all the information we’d collected in the previous stages, we prepared a strategic cyber plan for the coming years.
The project involved many professionals from both Matrix 2BSecure and the client organization, and lasted about six months. Strategic planning is one of my favorite types of work, and this project was especially meaningful given the organization’s importance to Israel.
