As One Cybersecurity Year Ends, Another Begins

As 2024 comes to a close, we look at the year ahead and some of the industry discussion about how technology, threats, regulation and changes in usage may shape the cybersecurity landscape in 2025.

As this article is being written, NORAD’s Santa Tracker countdown timer says 12 days, 12 hours, 6 minutes and 15 seconds to go. Which can mean only one thing: it is time to look ahead to the coming year and the cybersecurity trends and issues that will take center stage.

First, let us address the obvious ones in a few sentences, because most cybersecurity professionals will already be thinking of them. Artificial Intelligence/Machine Learning (AI/ML) became massive in 2024 and will continue to be a major consideration in 2025 – the technology arms race will continue as AI in cyber defense tries to keep pace with (or surpass) the use of AI by bad actors. Supply chain security will continue to be a massive risk, but that is nothing new because it has been a major issue for quite some time now. The market for cyber defense products will continue to grow at a substantial pace. Ransomware will continue to sit at the top of every organization’s cyber risk league table.

On we go, then, to some less conventional predictions that perhaps don’t appear in every “2025 cyber predictions” blog and article on the internet.

Regulation

First, for any European cyber professionals, we have DORA – the Digital Operational Resilience Act – which comes into effect on 17 January 2025. DORA is not a pure-play cyber law but an IT resilience law. Cybersecurity teams will be tasked with large portions of the work required for DORA compliance. This is because DORA has significant requirements around risk assessment and management, and IT risk tends to land with the cybersecurity team (after all, cybersecurity is all about risk management) rather than the core IT team.

Next, access management – particularly privileged access management. This will likely see significant migration into the security team during 2025 … though things will not yet go as far as a fundamental reshuffle of reporting lines in IT and cybersecurity. Given that segregation of duties is a key element of security management, separating the management of privileged access from those who use it is logical. Non-privileged access management will be increasingly automated. We will hopefully see new and reasonably priced tools arrive on the market to help make this happen.

Pressure on CISOs

Moving on, the responsibility for security breaches will continue to rest with the CISO, even when the issue sits outside of IT and cybersecurity teams. Generally speaking, it is not the cybersecurity team that fails to do patching properly (especially in an increasingly cloud-centric world), or to disable deprecated versions of encryption algorithms or security code libraries, but this is often overlooked when something bad happens.

The average cost of a cyber attack will continue not to be $2.574 million. That’s just a random number, because most reports will have significantly different numbers upwards of a million dollars. The true cost is somewhere between zero and something approaching infinity, as a data breach will impact companies in significantly different ways, while most of the ‘cost of a breach’ data that is in the public domain comes predominantly from surveys of large incidents in big companies. Documenting the cost of data breaches for smaller organizations that are the core of the economy is far harder, but it’s much easier to say with confidence that these smaller companies will inevitably find it far harder to recover both technologically and reputationally from a breach, regardless of the final cash figure associated with it.

Education

Predictions for the year ahead should include people: the staff across our organizations will continue to become increasingly knowledgeable in the areas of cybersecurity that affect them. Aside from training at work, there is such an enormous amount of cyber-related information constantly flowing to everyone – on TV, in newspapers, all over the internet, at dinner parties with friends, in the local bar – that the only possible outcome is a better general understanding among the public and hence the workforce. There is no question that cybersecurity will continue to be a mainstream subject in the year ahead.

Cyber product vendors will merge. Just as, for example, Cisco acquired Splunk or Palo Alto acquired IBM’s QRadar security area, more consolidation will happen in the industry.

Quantum Computing (QC) in cybersecurity will become much more relevant in 2025 than anyone expected. A couple of years ago, predictions of when QC would become a reality were on the order of 10-15 years. Now they are more like 5-10 years. Prepare for the predicted dates to become even more imminent and start reading up on QC.

From Supply Chain to AI - Again

Let us close with three final industry predictions.

First, supply chain. The focus in 2025 will grow farther upstream: fourth, fifth, sixth parties and so on. Many supply chain threats are not with the third parties we deal with, but somewhere up the chain that they do business with. If you are an upstream supplier, expect to be asked far more searching questions than before by the customers of the people you supply. Expect to see supplier threat information brokers become popular – agencies that obtain and store cyber risk information about companies and then respond on behalf of those companies, so the latter are not constantly fielding cyber risk questionnaires.

Second, and we have covered this before, ransomware will encrypt less and exfiltrate more. Data theft is easier to do than encrypting files, and unlike with file-encrypting ransomware, there is no after-the-fact mitigating activity the victim can take other than paying up.

The final word goes to AI. As we said earlier, a significant reason AI is used by bad actors is that it can perform attacks faster and with much higher quality than manual approaches or traditional automation such as scripting. This will continue, but for an additional reason: aside from the sheer speed and quality AI brings, attackers will focus more on the unpredictability of AI – that is, the fact that the whole point of using AI is that for a given set of inputs, it is difficult to predict the output. A new entry on the risk registers of organizations introducing AI will be that the benefits are usually tangible, but one of the costs, risk-wise, is that in a system like this it is difficult or impossible to distinguish between a valid output and one that has been adulterated by a bad actor.