As the world steps into 2025, the cybersecurity landscape is set to evolve at an unprecedented pace, driven by the convergence of emerging technologies, sophisticated threats, and tightening regulations. The fourth edition of this report delves into the critical trends shaping the industry, offering key insights to help organizations navigate the challenges ahead.
From the rising threat of insider attacks and the vulnerabilities within global supply chains to the disruptive potential of quantum computing and the transformative role of artificial intelligence, the stakes have never been higher. At the same time, regulatory frameworks worldwide are becoming more stringent, urging businesses to adopt proactive and transparent approaches to risk management.
This fourth edition takes a look at what the experts say about these dynamics, and the opportunities and risks that will define cybersecurity strategies in the coming year. Whether grappling with quantum resilience, enhancing AI governance, or fortifying against evolving threats, entities must stay ahead of the curve to secure their future.
Ross Moore, Cyber Security Support Analyst III at Passageways
“One of the largest risks comes through the use of third parties. With the burgeoning AI industry and the increased use of third parties, there will be demand for better vendor management processes.”
There is widespread integration of AI, at times without knowing what all is entailed in that integration. And that leads to fear. This requires more contractual agreements and oversight regarding data usage, both corporate and customer. Due care and due diligence have to be increased as third-, fourth-, etc. parties are engaged.
Criminals know full well that, with all the hosted infrastructure, a valid attack path is the hosts and vendors themselves. Threat actors have an extra way in to a company – via its outsourced resources. Outsourcing is a great tool, but it’s always an increased attack surface.
MOVEit, TicketMaster, AT&T, Okta – these and other major players were breached in 2024, and some of those vulnerabilities are still out there. 2025 will bring at least a few major third-party breaches. Crime has always happened and always will, and it’s not a name-and-shame show but rather a call to be prepared. Companies need to be ready with an incident response plan and a well-thought-out public notice.
Curtis Dukes, Executive Vice President and General Manager of Security Best Practices at the Center for Internet Security
“Third-party risk management, supply chain management, and increased regulatory requirements will drive the need for companies to focus on and mature their governance, risk, and compliance programs.”
There are potential regulatory or compliance changes impacting the industry. Eighteen States currently have data or health privacy laws on the books. Organizations will need to invest in data discovery, classification, and protection tools to ensure compliance with the subtle differences in State privacy laws as well as at the national level (Europe and China).
Europe recently enacted the Cyber Resiliency Act (CRA) to safeguard consumers and businesses buying or using products with a digital component. China’s cybersecurity laws tend to be more focused on government oversight and control, potentially requiring companies to submit more detailed information about their product vulnerabilities. It’s clear that global cyber regulations are becoming stricter. Much of the legislation focuses on geopolitics and national security interests. Showing compliance with varying national regulations comes at an additional cost to the industry.
Randy Rose, Vice President of Security Operations and Intelligence at the Center for Internet Security
“In 2025, expect to see the application of quantum computing outside of the university research lab. Advances in quantum are expected to challenge current cybersecurity measures by potentially breaking common cryptographic algorithms.”
In response, there will be a surge in the adoption of quantum-resistant algorithms (aka post-quantum cryptography) to protect sensitive data across all industries. Additionally, quantum computing will enhance threat detection and predictive analytics; it will be marketed as a means to enable a shift from being reactive to being proactive. In software development, quantum computing will drive innovation in algorithm design, improving efficiencies in code execution and problem-solving capabilities. Expect well-resourced early adopters to start implementing soon and less-resourced followers to face technical and financial challenges in updating systems to keep up the pace.
Also, Generative Artificial Intelligence (GenAI) has all but eliminated the traditional markers for identifying social engineering attempts, such as typos, formatting mistakes, and misuse of British versus American English in text-based scams. Open access to GenAI platforms combined with the development of Large Language Models (LLMs) for nefarious purposes and significant advancements in voice and video deepfakes has created an environment where bad actors are now well equipped with tools that make their attacks nearly impossible to rapidly decipher from legitimate traffic. One of the attack vectors where I expect to see the biggest impact is Business Email Compromise (BEC), given GenAI’s ability to mimic the style of text inputs. An actor can feed the LLM examples of legitimate emails and have it pump out new emails used to manipulate victims into taking actions on the threat actor’s behalf. In this sense, humans remain the weakest link in the cybersecurity chain… they just have more weapons to defend against.
Jon Miller, CEO & Co-founder of Halcyon
“In the past, the most prominent ransomware threat actors were identified by the number of targets, price of the ransom demand, or the sophistication of their techniques. In 2025, we will likely see a major shift. The threat actors targeting the most vulnerable sectors like healthcare or other critical infrastructures will likely be seen as the most dangerous players because of the threat they impose on human lives, regardless of what tactics and techniques they use.”
While critical infrastructure like healthcare, manufacturing, and education will remain the primary targets of ransomware attacks and large sources of ransom payments, one industry that we may see more highly targeted is legal. Law firms and legal departments often hold the keys to very sensitive information and data. While they have been a target in the past, they are often kept hush because of the privacy of the information they are dealing with. In 2025, this may come to a head with more ransomware groups targeting legal information.
Tomas Gustavsson, Chief PKI Officer at Keyfactor
“Organizations will prioritize agility in their 2025 encryption strategies, leveraging emerging post-quantum cryptographic (PQC) standards to prepare for the shortened transition timeline set by NIST.”
The finalization of the first suite of post-quantum cryptographic algorithms has set the stage for a transformative shift in encryption practices, and 2025 will see organizations taking significant strides toward post-quantum cryptography (PQC) adoption. With additional algorithms expected to be released this year by NIST, companies must act decisively to assess the maturity of their PQC postures and the security hygiene of their public key infrastructure (PKI). Waiting to transition is no longer an option, as NIST’s proposed migration deadline of 2035 – in which RSA, ECDSA, EdDSA, DH, and ECDH will be officially disallowed – leaves little room for delay, mirroring past decade-long cryptographic transitions as we saw with the transition from SHA-1 to SHA-2.
Industries such as IoT, with diverse use cases and unique security demands, will increasingly adopt tailored quantum-safe solutions to address evolving threats. The once-static cryptographic landscape will be disrupted by continuous innovation, creating “gotcha” moments that challenge established security norms. Organizations that embrace agility, iterative improvements, and proactive integration of PQC will be best positioned to meet regulatory expectations and safeguard their ecosystems.
As we move further into 2025, companies that delay their PQC transition risk falling behind in compliance and resilience, making this year a critical turning point for the adoption of quantum-safe standards.
Chris Wysopal, Chief Security Evangelist & Founder at Veracode
“Developers will learn less about secure coding because they’ll rely more on generative AI to remediate flaws automatically. This progression is analogous to the task of calling someone on the phone.”
While a few decades ago, we all needed to remember someone’s number to reach them, today, all we need to do is tap a contact on our phone. For developers, the equivalent will be to produce secure code without learning how to code securely from scratch. Instead, they will adopt processes to find, test, and fix vulnerabilities automatically, meaning it won’t be as important to know about secure coding—or even to know if generative AI has learned how to write secure code.
Also, as AI-fueled code velocity increases, the number of vulnerabilities and level of critical security debt will also grow. With more code created at a rapid pace, developers will become inundated with compliance risks, security alerts, and quality issues. Identifying a solution to help will be key. As security debt grows, so too will the demand for automated security remediation; however, using GenAI to write code is still two years ahead of using the same technology for security hardening and remediation. This is why, in 2025, we can expect a rapid increase in the adoption of AI-powered remediation to fix vulnerabilities faster and materially reduce security debt.
Paul Underwood, VP of Security at Neovera
“Although Zero Trust has been a hot commodity for some time now, 2025 will bring the revolution and evolution of Zero Trust Network Access (ZTNA).”
Wider adoption of ZTNA will enable fine-grained access control, granting permissions based on real-time user context and device security posture. In the upcoming year, we’ll also see more organizations invest in advanced biometric authentication, including facial recognition, voice analysis, and behavioral biometrics, which will become key components of Zero Trust Architecture (ZTA).
Organizations will start to prioritize implementing centralized IAM systems to manage user identities and access privileges across all systems and applications. These small but meaningful steps will strengthen identity and access management protocols, putting organizations into a better position to thwart attacks and secure their ecosystems.
Panagiotis Soulos, IS GRC Senior Manager | Deputy CISO at STEELMET
“AI and Machine Learning technologies will enhance threat detection and response, enabling quicker analysis of data to identify cyber threats. Techniques such as behavioral analytics will be employed to detect anomalies in user behavior, while automated incident response systems will streamline the process of addressing security breaches. However, attackers will also use AI to develop more sophisticated attacks.”
As implicit trust becomes obsolete, organizations will adopt zero-trust models that require continuous verification of user identities and devices; also, ransomware attacks will grow in complexity, often involving double extortion tactics. Robust backup strategies and employee training will be essential. Next, with the shift to cloud services, securing cloud environments will be critical as attackers exploit vulnerabilities in these architectures.
The rise of IoT devices will create security challenges due to their often weak protections, necessitating enhanced security measures, and as quantum computing advances, organizations will need to adopt quantum-resistant encryption to protect data. Insiders are another problem, as both malicious and unintentional insider threats are increasing, prompting the need for better monitoring and training.
The demand for cyber insurance will rise as organizations seek protection against financial losses from breaches, and stricter compliance requirements will emerge as data breaches become more common, requiring businesses to adapt quickly. Especially in the EU, the NIS 2 Directive, DORA, CRA, and AI Act will keep organizations busy, which may also lead to regulatory fatigue. Finally, the cybersecurity skills gap will persist, making it vital for organizations to invest in training, talent acquisition, and maintaining their cybersecurity workforce.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.