From MFA fatigue to cyber fragility: 5 cyber risks we tend to underestimate

Published: 15/04/2026 - 10 minutes read

In 2025, the Centre for Cyber Security Belgium (CCB) registered 556 cyberattacks, an increase of nearly 58% compared to the previous year.

According to Inetum’s LiveSOC Threat Landscape 2025 Report, Belgium also ranks among the top ten targets worldwide for AI-driven ransomware and DDoS attacks. While the number of cyber threats continues to rise, many companies keep stumbling over the same - often basic - pitfalls. Peter Vandeput, Business Unit Lead Cybersecurity at Inetum Belgium, outlines the five most common risks and explains how organizations can avoid them.

1. MFA fatigue: when security becomes routine

More and more organizations are protecting their systems with multi-factor authentication (MFA). While this significantly improves security, it also introduces a new risk. Employees receive multiple verification prompts every day and increasingly click “approve” automatically, without stopping to consider whether the request is legitimate or whether they initiated it themselves.

This habituation makes life much easier for cybercriminals. MFA only works if users remain alert and use it consciously. Organizations should actively raise employee awareness of suspicious signals - such as login attempts from abroad or at unusual times - and teach them to question anything that seems off. Companies may also opt for biometric authentication or physical security keys, which require a more deliberate user action.
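The suspicious signals described above can also be checked on the monitoring side. The following Python sketch is an added example, not code from Inetum or the CCB: it reviews MFA push events and flags approvals that follow a burst of denied or unanswered prompts, come from an unusual country, or happen at unusual times. The event format, thresholds, working hours and country baseline are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back window for a burst of prompts (assumed)
BURST = 3                       # denied/unanswered prompts that count as a burst (assumed)
WORK_HOURS = range(7, 20)       # assumed normal sign-in hours, local time
HOME = {"BE"}                   # assumed usual sign-in countries for all users

# Constructed sample events: (timestamp, user, country, result)
EVENTS = [
    ("2026-03-02T09:01:00", "alice", "BE", "approved"),
    ("2026-03-03T02:10:00", "bob", "US", "denied"),
    ("2026-03-03T02:11:00", "bob", "US", "denied"),
    ("2026-03-03T02:12:00", "bob", "US", "timeout"),
    ("2026-03-03T02:13:00", "bob", "US", "approved"),
    ("2026-03-03T14:00:00", "carol", "BE", "denied"),
    ("2026-03-03T14:30:00", "carol", "BE", "approved"),
    ("2026-03-04T23:30:00", "dave", "BE", "approved"),
]

def review_approvals(events):
    """Return (timestamp, user, reasons) for approvals that deserve a second look."""
    recent = defaultdict(deque)  # user -> times of recent denied/unanswered prompts
    findings = []
    for ts, user, country, result in sorted(events):
        t = datetime.fromisoformat(ts)
        q = recent[user]
        while q and t - q[0] > WINDOW:  # forget prompts older than the window
            q.popleft()
        if result != "approved":
            q.append(t)
            continue
        reasons = []
        if len(q) >= BURST:             # approval right after repeated prompts
            reasons.append("prompt_burst")
        if country not in HOME:         # login attempt from abroad
            reasons.append("unusual_country")
        if t.hour not in WORK_HOURS:    # login attempt at an unusual time
            reasons.append("off_hours")
        if reasons:
            findings.append((ts, user, reasons))
        q.clear()                       # an approval ends the current sequence
    return findings

if __name__ == "__main__":
    for finding in review_approvals(EVENTS):
        print(finding)
```

An approval flagged for several reasons at once, such as a prompt burst from abroad at night, is the strongest candidate for a call to the user and a session revocation.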

2. Email fraud: the classic attack that still works

Phishing and email fraud remain among the most widely used attack techniques. In 2025 alone, the CCB registered 9,929,354 suspicious phishing emails. Some of these messages contain malicious links or attachments that install malware, often leading to ransomware infections. That same year, Inetum’s LiveSOC team detected 8,054 ransomware attacks—almost double the number recorded in 2023 (4,143).

The strength of these attacks lies in their simplicity. A compromised mailbox—or even an email address that merely resembles that of a company’s CFO—can be enough to send convincing messages to partners or employees, such as requests to change a bank account number. With generative AI making it easier than ever to write persuasive emails, distinguishing between genuine and fraudulent messages is becoming increasingly difficult.

This is why the key does not lie in technology alone, but in critical thinking. Organizations need people who dare to slow down and ask: Does this make sense? Would this really happen this way? One alert link in the chain can make the difference between a minor incident and a major disaster.

3. Cyber fragility: when robustness is the only goal

Due to their growing dependence on complex digital ecosystems, many organizations today are cyber fragile. This means that a single incident can quickly escalate into significant damage.

For many organizations, “robustness” is the ultimate objective: systems that can absorb shocks without immediately breaking down. But in a world of unpredictable, AI-driven threats, this is no longer sufficient. By evolving from robustness to cyber antifragility, organizations can become stronger by learning from both successful and thwarted cyberattacks. Rather than stopping at securing systems, a cyber-antifragile environment turns each attack into improved security. Much as training stress strengthens endurance athletes, small stresses ultimately make systems stronger. By exposing systems to stress and failure deliberately and in a controlled way, organizations build resilience and reduce the likelihood of major incidents.

Cyber-antifragile systems deliberately build in reserves—for example, through multiple geographically separated backups or by using different cloud providers. They are also best designed in a modular way. If one component fails, others take over, or the impact is limited to a single part of the network. Such systems require an adaptive approach. Companies that, after a phishing incident, not only reset passwords but also rethink their processes and architecture to prevent future attacks—through a Zero Trust approach, for example—will be better prepared for the next incident.

4. Too few stress tests: reacting only when it’s too late

Many organizations, especially small and medium-sized enterprises, barely test their cybersecurity measures in practice. Yet this is precisely where a major blind spot lies. Without realistic testing, it remains unclear where the real vulnerabilities are.

By regularly conducting phishing simulations and ethical hacking exercises—such as penetration tests or red and blue teaming—organizations gain a much clearer picture of their resilience. External experts attempt to break into systems in a controlled manner, revealing weaknesses before they escalate into major incidents. This approach exposes small errors early, while there is still time to address them.

 

5. The supply chain: the weakest link may lie outside your organization

Companies rightly focus on their own security, but often pay insufficient attention to their digital supply chain, which includes external vendors, partners, and service providers. Attackers deliberately seek out these weaker links. There is little point in having perfectly secured internal systems if a single partner does not meet adequate security standards.

As a result, supply chain attacks are also on the rise. Organizations must therefore look beyond their own perimeter. This means imposing clear security requirements on partners, critically assessing new tools, and raising awareness among employees about the risks of uncontrolled software or AI applications. Cybersecurity does not stop at the company boundary.

 
