Here are my top 10 cyber security challenges for 2025. It would have been just as easy to write a top 20 or a top 50. The threats we have aren’t going away and the new threats which are emerging aren’t new, just becoming more common. This article isn’t about educating you to the risk, many column inches have been spent on them, I simply aim to provoke the question: “What is your plan?”.
1. AI-Powered – The light and the dark.
Cybercriminals are increasingly using AI to create sophisticated phishing, malware, and deepfake attacks, making them harder to detect and more effective. The dark web is hosting enabler LLMs such as WormGPT, removing the need for time, resources and expertise to launch attacks.
Defenders are accelerating their use of AI to augment human responses, improving the speed, accuracy and efficacy of response. The race is on, and it’s one the dark side is currently winning. They are less risk averse and unconcerned by failure. As defenders we need to accelerate adoption, focus on resilience and make a potentially very powerful tool work for us.
2. Quantum Computing Threats.
As quantum computing advances, it will pose a threat to current encryption methods, necessitating the development of quantum-resistant algorithms. Actually these already exist, but how many have a plan to migrate?
The UN has declared 2025 the International Year of Quantum Science and Technology, which will draw boards’ attention to the issue. With cyber security funding already being diverted to AI projects, this is another potential hurdle for overworked security teams to navigate.
Depending on your point of view we are either 5 years away from sustainable Quantum computing or the Chinese have already cracked it…the truth, inevitably, will be somewhere in the middle. So what’s your plan?
3. Supply Chain Attacks.
Targeting third-party vendors and suppliers will become more common, exploiting vulnerabilities to infiltrate your security from an otherwise trusted source. When you look at the major data breaches in 2024, there’s a common theme. It’s easy to see how your supply chain is very often your weakest link. Many of the affected companies are now facing lawsuits and regulatory actions from these data breaches. The danger is thinking that it’s your supplier’s problem to secure their estates, but when their poor posture lowers yours, if there’s a breach of your data as a result; well you get the picture.
How do you determine if your third-party vendors have implemented appropriate security controls? Many of the risks these vendors pose can be addressed with an appropriate and robust supply chain and third-party risk management (TPRM) program. It’s not complex and it doesn’t have to be expensive, but the action does sit with you.
Those are my top three, and in the interest of not boring you I’ll cover the rest in summary:
- Zero-Day Vulnerabilities: Exploiting unknown software vulnerabilities will remain a significant threat, allowing attackers to bypass security measures before patches are available. Actually that isn’t really the issue; the issue is the length of time it takes to patch once a fix is available. Many companies have a 14-day policy which they hit most of the time, but really, 14 days feels like an eternity in today’s world. Time is a precious commodity none of us has enough of, but fighting a patching battle on timeframes measured in weeks and months is something we are doomed to fail at. 57% of breaches could have been prevented by a patch that was already available – integrating patching into everyday life and integrating your systems helps to bring this under control.
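As an added illustration of the point above (my own example, not something from the original article), here is a small patch-latency check against a 14-day policy. The records, the advisory identifiers and the `as_of` date are all constructed sample data; an asset with no `applied` date is counted as still exposed up to `as_of`.

```python
"""Patch-latency check against a 14-day policy (constructed sample data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

SLA_DAYS = 14  # the "14-day policy" discussed above


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    advisory: str            # placeholder identifier, not a real advisory
    fix_available: date      # day the vendor fix became available
    applied: Optional[date]  # None = still unpatched


def days_exposed(rec: PatchRecord, as_of: date) -> int:
    """Days between the fix being available and it being applied (or as_of if still open)."""
    end = rec.applied if rec.applied is not None else as_of
    return max(0, (end - rec.fix_available).days)


def sla_report(records, as_of: date, sla_days: int = SLA_DAYS) -> dict:
    """Share of exposures closed within the SLA, plus every exposure already past it."""
    within, overdue = 0, []
    for rec in records:
        exposed = days_exposed(rec, as_of)
        closed = rec.applied is not None
        if closed and exposed <= sla_days:
            within += 1
        elif exposed > sla_days:  # late patch, or still open and already overdue
            overdue.append((rec.asset, rec.advisory, exposed, closed))
    return {
        "total": len(records),
        "within_sla_pct": round(100 * within / len(records), 1) if records else 0.0,
        "overdue": sorted(overdue, key=lambda t: -t[2]),  # worst exposure first
    }


# Constructed sample inventory; ADV-000x are placeholders, not real advisories.
SAMPLE = [
    PatchRecord("web-01", "ADV-0001", date(2025, 1, 2), date(2025, 1, 9)),
    PatchRecord("web-02", "ADV-0001", date(2025, 1, 2), date(2025, 1, 30)),
    PatchRecord("db-01", "ADV-0002", date(2025, 1, 10), None),
    PatchRecord("vpn-01", "ADV-0003", date(2025, 1, 20), date(2025, 1, 25)),
]
AS_OF = date(2025, 2, 1)  # constructed reporting date

if __name__ == "__main__":
    print(sla_report(SAMPLE, as_of=AS_OF))
```

Run over a real inventory export, the `overdue` list is the daily worklist and `within_sla_pct` is the number worth putting in front of the board.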
- Ransomware Evolution: Ransomware attacks will become more advanced, leveraging AI to automate and tailor attacks, increasing their speed and impact. This is linked to number 3 above and number 6 below. The human factor, whether in your supply chain or your own company, the risk of ‘clicking on something you shouldn’t’, is still the number one attack vector for threat actors. Awareness training which is engaging and ever-present is the key.
- Insider Threats: Both malicious and accidental insider threats will increase, driven by complex IT environments and human error. We covered the accidental above. The deliberate is just as hard to mitigate. Good DLP (data loss prevention) policies, processes and tooling are essential to prevent data escaping to where it shouldn’t be, and the use of AI in the workplace, where data is shared with undiscerning LLMs, is a new and accelerating threat.
- Cloud Misconfigurations: Misconfigured cloud services will continue to be a major security risk, exposing sensitive data and systems to potential breaches. AI has somewhat shifted focus away from some of the challenges we had before its rapid growth in popularity, and cloud security is one of those areas. The crossover between data privacy, cloud security, threat detection and response, and managing trust in cloud environments is still a real and present challenge to organisations. Add to that the infrastructure-as-code paradigm and you have a complex and rapidly changing attack surface that needs to be secured against misconfiguration, supply chain and insider threats. Check Point predict that in 2025, 90% of enterprises will operate in multi-cloud environments; we must balance business flexibility with security.
- OT/IoT/IIoT Vulnerabilities: The proliferation of non-IP devices and the connection of poorly protected OT estates has expanded the attack surface exponentially, with many devices lacking robust security measures and almost no routine monitoring. We’ve ignored this threat long enough; 2025 is the year we need to act.
- Regulatory Compliance: Stricter regulations will require organisations to enhance their cyber security practices, with significant penalties for non-compliance. DORA, TSA, NIS2, CAF, DSP; there are many more. UK and European governments in particular, along with the rest of the world, are publishing new regulation and controls in response to an ever-evolving threat.
- Geopolitical Cyber Warfare: State-sponsored cyber attacks are escalating, targeting critical infrastructure and leveraging advanced technologies for espionage and disruption. These actors are intent on disruption. With the exception of North Korea, whose main aim seems to be obtaining cash to function despite economic sanctions, the aim of the main actors is to disrupt society. Iran, Russia and China have all been highly active in 2024 and show no signs of slowing down. This isn’t just about power grids and healthcare. This is about food distribution, bus schedules, financial access, manufacturing, even farming; anything which has an impact on daily lives and therefore government stability.
So there are my top 10, and I’ve only mentioned in passing jailbroken LLMs, cryptocurrency vulnerabilities, the risk from SDN/NFV-based 5G architecture, deepfakes and a host of other things. The challenges facing security teams are considerable, from deployment of AI augmentation to “never trust, always verify” approaches. The lack of skilled expertise and the availability of funding, let alone spending that funding well, are not new to security teams; they are ever present.
There is one final threat I’d like to highlight though, which cuts across too many categories to be missed out, and that’s Technology Obsolescence. According to specialist insurer Beazley, 27% of global business leaders feel exposed to tech obsolescence challenges, ranking it as their top risk. There are twin threats here: ageing technology which requires increasing levels of attention to maintain security, and the purchase of tooling which is no longer effective or whose effectiveness has reduced due to a lack of expertise. Technologies purchased 2-3 years ago are often already outdated and may provide a false sense of security. Companies risk sleepwalking into a breach if they don’t listen to the ever-changing threat.
Technology obsolescence isn’t just opening up new attack vectors, it’s starving new initiatives of funding and oxygen.
The cyber security landscape in 2025 will be marked by increased sophistication and complexity; nothing new there. Companies must adopt advanced security measures, stay vigilant, and continuously update their defences to protect against emerging threats. That message has been consistent for 10 years or more. What’s new is the need to utilise your resources better, move to a resilience rather than protective posture, accept that attacks are coming and focus on minimising impact rather than prevention.
Zero trust is a mindset shift, one which many organisations are struggling with. My advice: the walls will never be high enough, so we must shift to a mindset of resilience first and reduce our exposure.