Information Security Buzz

Cybersecurity Awareness Month 2025: Stay Safe Online

By Kirsten Doyle. October 17, 2025. Updated: October 17, 2025. 11 Mins Read

The internet cannot be separated from modern life. It’s a shared utility that connects, informs, and empowers us. But the more we rely on it, the greater the risks become. Every click, login, or search leaves a trail, and each device, app, or interaction can open the door (sometimes obvious, often unseen) to data breaches, identity theft, or other digital threats. 

“Stay Safe Online” has become a survival skill. 

This year, Cybersecurity Awareness Month is at a turning point. The tools that once protected us (antivirus, passwords, firewalls) now have to share space with generative AI, autonomous agents, and a digital underground where nation-state actors target our most proprietary secrets, and teenagers can cripple multinational entities.  

Awareness is no longer enough. What’s needed is resilience: technological, social, and human.

The New Frontline of Cyber Awareness 

If 2024 was the year AI hit the mainstream, 2025 is the year it became a security problem. 

As Chloé Messdaghi, Founder & Principal Advisor at Thornbridge Advisory, warns: “As AI gets more involved in writing code, we can’t keep leaning on old security strategies. AI doesn’t just speed things up, it changes the game. It brings risks like prompt injection, hidden vulnerabilities, and unexpected behaviors that we’re only beginning to understand.” 

The numbers are bleak. Nearly half of all AI-generated code carries a flaw. Bad actors, meanwhile, are using those same tools to scale exploits faster than defenders can respond. 

“We need to stop thinking in terms of patches and start thinking in terms of resilience, building systems that can adapt, withstand, and respond to new kinds of threats as they emerge. A critical part of that is investing in upskilling security teams, and fostering a collaborative environment that breaks down silos so everyone is working together to ensure safety and security,” she adds.  

AI is both the problem and, increasingly, the solution, a dual-use technology that challenges every assumption about risk, speed, and control. 

The Human Equation: Awareness, Training, and Youth Risk 

Cybersecurity has always been as much about people as technology, and in 2025, that human factor is under new strain. 

Ian Thornton-Trump, CISO at Inversion6, argues that the conversation around awareness has missed a critical dimension: youth recruitment into cybercrime. 

“So cybersecurity awareness wants, well my goodness, we’re certainly aware of all the data breaches. But increasingly my mind turns to the difficulty we’re having coming to grips with the next generation of bad guys. We now live in a world where a couple of 20-year-olds and a couple of teenagers can do 1.5 billion in damages to a company like Jaguar Land Rover. It’s unprecedented.” 

He traces this wave of youthful cybercrime to a “perfect storm” of post-pandemic disaffection, economic hardship, and online criminal recruitment networks. 

“We need to understand that youth are getting recruited into all sorts of criminality: violence-as-a-service, child exploitation, and cybercrime as the root of the poisonous tree. We’ve got to change the game. We need mental health support, afterschool programmes, positive role models, and mentorship. My cybersecurity awareness this month is: it’s time to be aware of the problem of youth cyber criminals.” 

Awareness, then, begins long before a phishing email lands in an inbox. It starts with education, empathy, and opportunity. 

At the organizational level, Tyler Reguly, Associate Director of R&D at Fortra, reinforces that culture-building is the real foundation of defense: “When it comes to raising awareness to cybersecurity threats within an organization, Security Awareness Training (SAT) is the obvious answer. The important thing to remember is that training needs to be fun and engaging. Outdated material may do more harm than good.” 

He advocates creating open forums for discussion: “Providing a place where employees can post and discuss cyber topics encourages them to take ownership of the information. Then, having your security team provide context and clarity provides insight that the media may have missed.” 

From classrooms to corporate corridors, awareness begins with conversation. 

AI, Automation, and the Arms Race of Adaptation 

AI has transformed cybersecurity, both as a weapon and a shield. But its velocity is forcing defenders to rethink what “awareness” even means. 

Javvad Malik, Lead CISO Advisor at KnowBe4, points out that AI has effectively become a new attack surface: “AI tools are quickly becoming part of everyday work. But with convenience comes risk, and it is often humans, not machines, who make the biggest difference between safe use and a security incident. If a system takes inputs, it can be exploited, sometimes through something as simple as a cleverly worded prompt.” 

He stresses the need for Human Risk Management (HRM), not just technical controls, but behavioral guidance: “Employees need clear policies, training, and the confidence to know what’s acceptable when using AI, so they don’t inadvertently put sensitive data at risk. Involve your security department early when experimenting with AI tools. They can help balance productivity with protection.” 

As Benjamin Harris, CEO & Founder of watchTowr, says, the speed of modern cyberattacks has outpaced traditional defense cycles. 

“Attackers are moving faster than ever. The time from disclosure to in-the-wild exploitation is now measured in hours. That speed gives adversaries a huge advantage: they can slip in, drop backdoors, and establish persistence before security teams have even finished testing and rolling out a patch.” 

This is why resilience, not patching, is the new metric of readiness. 

“Fixing the lock doesn’t help if the intruder already has a copy of the key. Cyber resilience means reacting rapidly, detecting, containing, and neutralizing compromise before it’s too late.” 

By engaging with risk, rather than shutting it down, CISOs become enablers of safe innovation. 

Resilience Over Reaction 

If awareness is the first step, resilience is the ultimate goal. 

Andy Lunsford, CEO of BreachRx, warns that most organizations are still relying on static incident response plans that crumble in a real crisis. “Decades of cybersecurity tradition have fed a dangerous delusion: thinking static incident response plans, buried in digital drawers, can protect organizations. The truth is, that paper plan is dead weight when a compromise occurs and executives need answers fast.” 

He calls for living playbooks: systems of transparency, accountability, and practice. “Ditch the old playbook and build systems that truly prepare people for the moments that count. This is more than technical insurance; it’s reputation management, operational survival, and the defining test of modern leadership.”

“Every function (from IT and legal to HR and communications) needs clear ownership and a culture built on practice. Document every move. Measure what matters: how fast teams detect, respond, and communicate.” 

Kevin Greene, Chief Cybersecurity Technologist at BeyondTrust, ties resilience directly to software and identity: “Two national security challenges demand urgent attention this Cybersecurity Awareness Month: software security and identity security. We’re at a crossroads. To stay ahead of threat actors, resilience must be coded into every layer. It’s time to move beyond ‘secure by design’ to ‘resilient by design’.” 

Identity, he adds, is the new battleground. 

“Compromised credentials are the skeleton key for nation-state espionage, ransomware, and consumer fraud. Without resilient software and robust identity protections, we’re leaving the door wide open for the next cyber crisis.” 

For Mike Walters, Co-founder of Action1, resilience is also about execution: “Awareness alone is not enough. Organizations need action to stay protected. With today’s surge in exploited vulnerabilities, even a temporary expansion of automated patching capacity can make a lasting difference.” 

Cybersecurity is a race, and most teams are still running uphill. 

Culture, Collaboration, and the New Definition of Trust 

If resilience is built through practice, it’s sustained through trust. 

“The greatest innovation in cybersecurity today is not a tool or a technology,” says Elyse Gunn, CISO at Nasuni. “It’s a cultural shift – a deliberate move to harness risk rather than avoid it. That means saying, ‘Let’s see how we can make this work, safely and with the right controls,’ instead of defaulting to no. Saying no does not eliminate risk; it simply drives it underground.” 

She adds that this mindset does more than reduce risk — it builds trust and collaboration across teams.  

“When teams know they can bring ideas to the CISO and be met with an open mind, it builds trust and unlocks collaboration. Security becomes a partner in innovation and progress. The alternative? Shadow IT, insecure workflows, and risks that surface only after damage is done. Saying no does not eliminate risk; it simply drives it underground.” 

That spirit of openness is echoed by Darren Guccione, CEO of Keeper Security, who draws a direct line between corporate security and national defense.

“Cybersecurity is national security. Nation-state adversaries and organized cybercriminals are launching more frequent and sophisticated attacks than ever before. Public-private collaboration is no longer optional – it is essential,” he says. 

Meanwhile, Ellen Boehm, SVP of IoT & AI Identity Innovation at Keyfactor, warns that trust itself is under threat from AI autonomy: “With agentic AI now moving into production, autonomous systems can make decisions and execute tasks without human oversight. Without strong identity and trust controls, these agents can quickly become shadow AI, spoofing identities or initiating fraud at machine speed.” 

Her solution? Identity-first defense. 

“Certificate-based machine identity management allows organizations to verify every agent, enforce policies, and revoke trust instantly if compromise occurs.” 

Trust, in this new world, must be continuously proven, not assumed. 

Data, Devices, and the Expanding Attack Surface 

The AI boom has unleashed an equally explosive growth in data, and exposure. 

Anthony Woodward, CEO of RecordPoint, adds: “Data governance is the core of both cybersecurity and AI governance. The same foundation that secures data also makes AI trustworthy and governed. Your risk, cost, and AI outcomes are all results of how you manage data. Good data management — clear inventory, classification, lineage, least-privilege access, and defensible retention — shrinks your attack surface for security and supplies trustworthy, traceable inputs for AI. One foundation, two domains, three outcomes: lower risk, lower cost, and higher trust.” 

He says today’s businesses face two intertwined challenges: protecting data from threats and using it responsibly in AI. “Both cybersecurity and AI governance succeed or fail based on the same principle: disciplined data management. Cybersecurity is only as strong as the data practices behind it. This applies equally to AI governance.”  

Elizabeth Nammour, CEO of Teleskope, agrees that visibility is the linchpin: “Organizations now store petabytes of data across hundreds of fragmented systems, with limited visibility into what exists, where it resides, or how it’s being used. Many tools stop at visibility without offering any solution behind the countless threats security teams face each day.” 

As data sprawls, so do devices. Daniel Dos Santos, Head of Research at Forescout, points to two emerging priorities: “Over 20% of newly-exploited vulnerabilities affect internet-exposed edge devices such as routers and VPNs. They’re critical because they’re often easy to exploit and can’t run security agents. At the same time, we’re seeing migration toward post-quantum cryptography, especially in finance and government.” 

Dr Adam Everspaugh, Cryptography Advisor at Keeper Security, agrees: “Quantum computers won’t just change technology, they will upend the digital world. Cybercriminals are already capturing encrypted traffic now, with the intent to decrypt it later when quantum machines are commonplace. This ‘harvest now, decrypt later’ strategy can be better described as a ‘time-capsule attack.’” In other words, organizations must act now.

Preparation means inventorying cryptographic systems and adopting “crypto-agility.” 

“Tomorrow’s resilience,” says Everspaugh, “is built on today’s response.” 

Everyday Awareness: From the Office to the Pocket 

For all the advanced threats on the horizon, awareness still begins with small, everyday actions. 

Tim Ward, CEO of Redflags, champions the basics: “Security awareness starts with recognising the everyday risks we all face online and taking small actions that add up to powerful protection. By learning to spot red flags such as unusual sender addresses, urgent requests, or suspicious links, everyone can help keep themselves and their organisation secure.” 

He adds practical, actionable tips (from multi-factor authentication to questioning AI-generated content) and warns that AI-powered phishing, deepfakes, and supply chain attacks are growing rapidly. 

“Keeping staff aware of these emerging threats and building healthy habits like questioning unusual requests is more critical than ever.” 

Lucy Finlay, Director for Security Behaviour and Analytics at Redflags, reminds us that the biggest risks often sit in our pockets. “Our phones have our whole lives on them – photos, contacts, bank accounts, personal documents, yet often no more protection than a four-digit PIN. With phone theft on the rise, it pays to protect them more.” 

Her advice is simple: limit exposure, use multiple devices for sensitive accounts, shorten screen timeouts, and enable anti-theft settings. 

Awareness doesn’t always mean complex systems. Sometimes, it’s just locking your screen. 

Staying Safe Online 

Cybersecurity Awareness Month is a mirror that reflects how far we’ve come, and how far we still have to go.  

The digital world is evolving faster than any awareness campaign can keep up with. But as every expert here reminds us, awareness isn’t passive. It’s an action, a mindset, and increasingly, a shared responsibility. 

Staying safe online is about participation. It’s about resilient systems, informed users, ethical innovation, and a collective commitment to safeguarding the space we all now live, work, and dream in. 

Kirsten Doyle
Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
