Cybersecurity trends 2025: AI, supply chains, resilience
Experts from cybersecurity company Semperis have provided insights into anticipated trends for the industry in the coming year.
Dan Lattimer, Area Vice President at Semperis, highlighted the continued attention surrounding Artificial Intelligence (AI) in 2025.
He noted, "Artificial Intelligence (AI) will keep being talked about in 2025. However, a lot of it is buzzword bingo as the technology is not necessarily being used in a meaningful way - yet. While we are seeing cybercriminals increasingly trying to harness AI, many of those attacks will still be basic and clunky. And sadly, with everyone talking about AI, there is a risk that some of its really exciting applications will get lost in the general noise."
The focus on supply chain security is expected to intensify as organisations recognise vulnerabilities. Lattimer explained, "We will see more due diligence happening when it comes to securing the supply chain. Organisations have realised this is the soft underbelly that can leave them vulnerable to cyberattacks and as a consequence, there is now more scrutiny on the supply chain, meaning suppliers will have to drastically clean up their operations and tighten defences. DORA will apply as of January 2025 and I am hoping it will have some teeth to it; potentially resulting in fines for those that haven't adequately prepared or aren't even aware that DORA applies to them."
Amidst financial constraints, Lattimer urged security teams to focus on fundamental security measures.
"Finally, with budgets being looked at more stringently, security teams will need to put a renewed focus on getting the basics right rather than investing in shiny new tools. Fundamental security steps such as managing endpoints, immediate patching, enforcing strict access management policies and employee training may seem boring but they can be hugely effective."
"After all, the fanciest new technology won't make a difference if you don't pay attention to basic cyber hygiene measures," he stated.
Simon Hodgkinson, a Strategic Advisor at Semperis, pointed to a reduction in cybersecurity spending relative to organisational revenue as a continuing trend.
He said, "Cybersecurity spend will continue to reduce as a percentage of an organisation's revenue. While this is not a new trend, for security teams, it means even more pressure to do more with less. In addition, people are becoming desensitised to data breaches; this is a troubling phenomenon that you can see all the way down to the end consumer. As cyber incidents have become inevitable, boards are increasingly informed to accept an appropriate degree of risk – with cyber just being one of many business risks – and there are trade-offs to be made."
"We may see this shift in attitude have an impact on the ransomware market, potentially with a ramp-up in destructive extortion attempts."
Hodgkinson also indicated a shift towards operational resilience. "In 2025, the focus will move from cyber resilience to operational resilience overall. Improving their resilience will demand ongoing attention from organisations - not just to be compliant, although regulators will continue to have a big hand in driving the security agenda. There needs to be a focus not only on having the right defences in place, but on people, too: The talent shortage and high levels of stress and burnout amongst security professionals, including CISOs, means support mechanisms will be critical to building a resilient workforce," he observed.
Sean Deuby, Principal Technologist, North America at Semperis, warned of evolving ransomware threats. He remarked, "If you assume the threat actors' goals are to make as much money as quickly as possible, we will start to see the inclusion of physical coercion of the victim's organisation - in other words, threats or intimidation of the victim company's management. How do you decrease the amount of time to payment while also reducing the likelihood of decreasing the ransom? You threaten the other party. Ransomware payments have run into the billions in 2024 and record numbers of companies paid ransoms this year, yet there will be no end to attempts by threat actors to extract even more money in the year ahead."
Guido Grillenmeier, another Principal Technologist at Semperis, noted enhancements to Microsoft's Active Directory in the latest Windows Server release.
He commented, "With Windows Server 2025, generally available since 1 November 2024, Microsoft has provided various security updates to Active Directory (AD).
This marks the first relevant AD security improvements since Windows Server 2016 and is a welcome step, as securing this business-critical identity service continues to be a huge headache for organisations. It's incredibly common for threat actors to go after AD, using it as a tool to elevate privileges and move laterally through their victim's network. While it's good to see that Microsoft has not given up on AD, it remains to be seen if this update will make a significant difference to organisations' overall identity security."