Ten Cybersecurity Predictions for 2025 That You Need to Prepare For

Attackers Have Evolved – But Most Companies Have Not

The greatest gift a cyber attacker gets during the holiday season is another year of largely unfettered access to company data.

While we ring in 2025 with the renewed sense of promise a new year brings, threat actors are also celebrating – because while they’ve been honing their techniques to be as successful as possible, most companies still haven’t addressed existing security issues from 2024 (or earlier).

For that reason, my cybersecurity predictions for 2025 all fall under the umbrella of “address your security issues” – and address them correctly. You can expect the same repertoire of attack tactics that we saw in 2024, but with greater severity and slightly different execution.

Ten Cybersecurity Predictions for 2025

The top ten cybersecurity predictions I’m making for 2025 fall under three broader trends:

  1. Attacker techniques have become better, faster, and stronger than ever before, while the security solutions meant to stop them have not kept pace.
  2. GenAI both boosts cybersecurity resilience and widens your attack surface, a tension that can be hard to reconcile.
  3. Companies are still struggling with how to afford and staff the implementation of proper security measures.

When attackers get savvier, your company should too, and the most important takeaway for this post is to revisit your security posture. Attackers often find it far too easy to break in and steal your company and customer data right out from under you.

Here are my expectations for security threats in the new year:

1. Vendor Compression of Security Solutions

Big vendors like Fortinet and Cisco often acquire other security companies to strengthen their existing solutions, but these add-ons can create greater security risks for customers. For example, according to Top10VPN, 133 security vulnerabilities in VPN products were reported in 2023, a 47% increase over the average of the previous two years. In 2023, vulnerabilities were identified in Palo Alto Networks, Fortinet, Check Point, Ivanti, Cisco, and Citrix products. Several were exploited in the wild before or within hours of public disclosure, leaving customers no safe window and requiring immediate patching.

Other risks include:

  • A lack of customization, as these more standardized vendor solutions may not adequately address your specific security needs.
  • A slow or nonexistent response to new threats.
  • A greater potential for misconfigurations that can lead to system vulnerabilities.

While solution acquisition is not a new trend among vendors, the concurrent strengthening of cyber attacks is only highlighting the vulnerabilities in these solutions. Many vendors are struggling to protect their products and keep their customers safe.

If you’re one of those customers, don’t wait until a vulnerability is discovered to assess your security solutions.

What can you do?

  • Use your vulnerability management program and conduct external posture assessments to identify unpatched, internet-facing systems, and monitor for MFA abuse such as push-fatigue and bypass attempts. If you don’t have a vulnerability management program, you need one.
  • Prevent abuse by regularly patching your firewall and VPN solutions.
  • Check your configurations and adjust poor or default settings that would allow attackers to get into your network and move around easily.

2. Attackers are Getting Faster, Better, and Stronger

We talked about compression in the cybersecurity vendor world that’s causing some problems, but there is also a compression of cyber attack tactics that’s making those problems worse.

Threat actors are compressing their techniques to become faster, better, and stronger, largely through their own investments in AI and with the goal of fighting back against law enforcement’s efforts to break apart cyber criminal networks (more on this below).  

Improved attack strategies have compressed the average time from initial access to full control of a domain environment to less than two hours. And while a couple of years ago it would take a few days for attackers to deploy ransomware, it’s now being detonated in under a day and even in as few as six hours.

Attackers are optimizing their techniques and going after the biggest payout potential – and with such short timeframes between the attack and the exfiltration of data, companies are simply not prepared.

What can you do?

  • Invest in or reevaluate MFA for your company, especially if it is required by your insurance provider as part of a cyber insurance policy.
  • Move to an annual password change. One long, strong password kept for a year is more effective than frequently changed simple passwords, which are easier to guess or reuse and are often forgotten, forcing a recovery process that attackers can also abuse.
  • Adopt phishing-resistant authentication methods, and back them with employee security training and phishing simulation exercises.
  • Have your SOC monitored 24/7.

3. Attackers Have a “Gloves Off” Approach

There was a time when attackers would choose not to breach industries like healthcare, utilities, and critical infrastructure because of the direct impact on people’s lives. But as mentioned above, law enforcement’s efforts in 2024 to stop cyber criminal activity have caused attackers to adopt a retaliatory “gloves off” approach that puts every industry in jeopardy.

Operation Endgame, a coordinated multinational effort by Europol, the FBI, and law enforcement agencies in multiple countries to disrupt malware botnets and dismantle cyber criminal networks, led to multiple raids, the issuance of significant warrants, and arrests of top-level threat group leaders.

Attackers have responded by going after those industries they previously left alone. American Water Works, the largest supplier of drinking water and wastewater services in the U.S., was hit by attackers in October. While the breach was quickly identified and mitigated, it’s a clear example of what’s at stake.

Similar attacks on hospitals and other healthcare facilities interrupt essential workers’ ability to do their jobs – at best – and at worst lead to potential loss of life.

What can you do?

  • Any critical industry whose operations are essential to people’s livelihood should improve its security posture now and align personnel on a response plan before an attack happens.
  • Healthcare is especially exposed to extortion because bad actors know they can get a big payout by stealing patient data and threatening to disclose it.

4. Data Exfiltration & Extortion

We now know that the ransomware threat actors who execute headline-worthy damage on companies are getting even better and faster at what they do.

Ransomware used to be the endgame – the way attackers would get their payout. Now, they’re using ransomware as a means to an end, deploying it only after they’ve exfiltrated company data as a “calling card” to show they were there. Companies in highly-regulated industries like healthcare know they have to disclose the breach if their data is released, so attackers are able to get paid by exfiltrating data and leveraging it for extortion.

What can you do?

  • Evaluate dedicated anti-ransomware technologies such as Halcyon, and make sure your SOC can monitor and manage that platform for you.

5. AI for Good

AI is helping cut through the noise and highlight the alerts you need to pay attention to, which minimizes the repetitiveness of security analyst roles.

It also normalizes vendor terminology for the same vulnerability. For example, you track an issue by its CVE identifier, but three of your vendors each give it their own name and only reference the CVE number in passing. AI can correlate those as the same vulnerability for analysis, review, and prioritization, creating consistency across tools so you can move more freely from one technology to another.

However, any time you implement a new solution or tool, you’re widening your attack surface, and because AI services collect, control, and use your data, that data is at greater risk of being leaked to or stolen by attackers or third parties.

These risks have led to efforts in Europe to apply and extend the General Data Protection Regulation (GDPR) so that AI providers are held accountable for how they use the data fed into their models.

What can you do?

  • Consider creating a department in your company focused on AI. If you’re going to invest in AI to accelerate your communications, you need your own support for that environment to limit and monitor what’s being sent out.

“Data discovery and data visibility is becoming extremely blurred because of AI licensing and the use of AI broadly across the world at this point.”

6. AI for Bad

In 2025, companies will have to reconcile the benefits of AI with its many risks.

While AI is helping organizations monitor security threats more effectively, threat actors are using AI just as efficiently, to the point where any AI-themed employee training you may have conducted is already outdated. The red flags employees were taught to look for, like grammatical errors, misspelled words, non-regional speech or writing, and a lack of context about your organization, have largely disappeared because attackers use AI to polish their lures.

GenAI and deepfakes are taking phishing scams to new heights, and even savvy, well-trained employees can fall for a phone request from a deepfake asking for a password reset.

What can you do?

  • AI is being integrated into the new releases of operating systems across phones, tablets, and computers, but you can manually turn off this feature.
  • Microsoft is creating a sandbox in Azure where you can direct and then monitor all queries for better control over data going out.
  • Update employee training with recent information (nothing more than a year old). Use quarterly content or relevant updates from your training provider.

7. MFA Is No Longer a Magic Bullet

Attackers are finding ways around MFA, which has forced companies to rethink how it’s deployed and used. We discourage supporting SMS text messages to deliver one-time passwords or codes: when SMS is the second factor, the only barrier to account compromise is how well your cell phone carrier trains its retail employees to resist SIM-swap requests. Any MFA method that relies on text messages should not be considered secure.

Phishing and business email compromise remain the two most common ways attackers gain access to an organization. Once they’re in, default MFA settings, such as letting users register weak fallback methods like SMS, only make it easier for them to take over admin accounts and steal critical data.

What can you do?

  • Stop supporting SMS authentication for all users as part of MFA. Invest in FIDO2 security keys (such as YubiKey), passkeys, or other passwordless solutions to verify your users with far less risk.
  • Ensure your SOC is monitoring and notifying when any changes are made to user settings.

8. Cloud Environments are Increasingly at Risk

Companies are moving to the cloud from traditional on-premises solutions, and this shift has created two big challenges.

First, they’re finding it more difficult to maintain visibility into their cloud environments. Most organizations have more than one cloud solution, and because Azure’s cloud suite is different from AWS, for example, security within each of those environments is also very different.

Consolidating visibility into those cloud environments requires a cloud posture assessment and continual cloud security monitoring, which can be expensive – giving rise to the second challenge: attackers are taking advantage of companies that don’t invest.

CrowdStrike reported a 75% increase in cloud intrusions in 2023 compared to 2022, and we’re seeing adversaries directly attack unsecured containers and Kerberos deployments, as well as routinely target identities in Google Workspace and in Microsoft 365 through Entra ID (formerly Azure Active Directory).

Once an attacker gains access to an account, they connect a backup or cloud-storage tool such as Veeam or Wasabi and begin copying the user’s content out of the tenant. Often, threat actors reach admin services such as the Azure Portal because the default settings allow any user to sign in to them from anywhere.

The irony of these attacks is that companies moved to the cloud thinking it would reduce their costs, but between security protections for cloud and on-prem data, it can double or even triple the cost of just keeping everything under your control.

What can you do?

  • Turn off permissive default settings and user rights in Microsoft 365 and Google Workspace (such as letting any user consent to third-party apps), and monitor for newly registered apps.
  • Use conditional access policies to restrict access based on IP addresses, geographical location, and approved devices to ensure only authorized users can access critical services.
  • Establish a “break glass” alert process for privileged access and monitor for changes to the conditional access policy.
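The monitoring points in sections 7 and 8 (alert on changes to user authentication settings, watch for newly registered or consented apps, and alert on conditional access policy changes and break-glass use) come down to a small set of Entra ID audit-log activities. The following is an added example, not code from the original post or a DirectDefense product, showing that triage logic in Python. It assumes audit events exported in the JSON shape of the Microsoft Graph directoryAudits endpoint (activityDisplayName, initiatedBy, targetResources); the sample events, user names, IP addresses and the approved-automation app ID are constructed for illustration, and the activityDisplayName strings should be confirmed against your own tenant’s logs.

```python
import json

# activityDisplayName values Entra ID emits for the operations the post says to
# watch; confirm the exact strings against your own tenant's audit log.
HIGH_RISK_ACTIVITIES = {
    "Add conditional access policy": "conditional-access",
    "Update conditional access policy": "conditional-access",
    "Delete conditional access policy": "conditional-access",
    "Consent to application": "app-consent",
    "Add service principal": "app-registration",
    "Add service principal credentials": "app-credentials",
    "Add app role assignment to service principal": "app-permissions",
    "Add member to role": "privileged-role",
    "User registered security info": "mfa-method",
}
# Assumed tenant specifics (hypothetical values): a change-management pipeline whose
# routine CA edits are expected, and emergency-access accounts whose use is always paged.
APPROVED_AUTOMATION_APP_IDS = {"11111111-2222-3333-4444-555555555555"}
BREAK_GLASS_UPNS = {"breakglass1@example.com", "breakglass2@example.com"}

def initiator(event):
    """Return (kind, identifier, ip) for the principal that performed the action."""
    by = event.get("initiatedBy") or {}
    if by.get("user"):
        user = by["user"]
        return "user", user.get("userPrincipalName", "?"), user.get("ipAddress", "?")
    if by.get("app"):
        app = by["app"]
        return "app", app.get("appId") or app.get("displayName", "?"), "n/a"
    return "unknown", "?", "?"

def ca_policy_disabled(event):
    """True if an update set a CA policy's state to 'disabled'. Attackers usually
    disable a policy rather than delete it, so add/delete counts miss the common case."""
    for res in event.get("targetResources", []):
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") != "ConditionalAccessPolicy":
                continue
            try:
                new_value = json.loads(prop.get("newValue") or "null")
            except json.JSONDecodeError:
                continue
            if isinstance(new_value, dict) and new_value.get("state") == "disabled":
                return True
    return False

def classify(event):
    """Return an alert dict for a high-risk event, or None if it is not one."""
    activity = event.get("activityDisplayName", "")
    category = HIGH_RISK_ACTIVITIES.get(activity)
    if category is None:
        return None
    kind, actor, ip = initiator(event)
    destructive = category == "conditional-access" and (
        activity.startswith("Delete") or ca_policy_disabled(event))
    # Routine, non-destructive CA edits by the approved pipeline are expected noise.
    if kind == "app" and actor in APPROVED_AUTOMATION_APP_IDS and category == "conditional-access" and not destructive:
        return None
    severity, reasons = "high", [category]
    if destructive:
        severity, reasons = "critical", reasons + ["policy removed or disabled"]
    if actor in BREAK_GLASS_UPNS:
        severity, reasons = "critical", reasons + ["break-glass account used"]
    targets = [r.get("displayName", "?") for r in event.get("targetResources", [])]
    return {"time": event.get("activityDateTime"), "activity": activity, "actor": actor,
            "ip": ip, "targets": targets, "severity": severity, "reasons": reasons}

def triage(events):
    """Classify a batch of events and return the alerts, critical first."""
    rank = {"critical": 0, "high": 1}
    alerts = [a for a in (classify(e) for e in events) if a]
    alerts.sort(key=lambda a: rank[a["severity"]])
    return alerts

# Constructed sample batch (names and addresses made up): a policy switched to
# disabled, a third-party app consent, a pipeline policy edit, a privileged-role grant.
SAMPLE_EVENTS = [
    {"activityDateTime": "2025-01-06T02:14:09Z", "activityDisplayName": "Update conditional access policy",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.com", "ipAddress": "203.0.113.7"}},
     "targetResources": [{"displayName": "Require MFA for all users", "type": "Policy", "modifiedProperties": [
         {"displayName": "ConditionalAccessPolicy", "oldValue": json.dumps({"state": "enabled"}),
          "newValue": json.dumps({"displayName": "Require MFA for all users", "state": "disabled"})}]}]},
    {"activityDateTime": "2025-01-06T02:20:41Z", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "asmith@example.com", "ipAddress": "198.51.100.23"}},
     "targetResources": [{"displayName": "Mailbox Backup Sync", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-01-06T03:05:00Z", "activityDisplayName": "Update conditional access policy",
     "initiatedBy": {"app": {"appId": "11111111-2222-3333-4444-555555555555", "displayName": "CA Pipeline"}},
     "targetResources": [{"displayName": "Block legacy auth", "type": "Policy", "modifiedProperties": []}]},
    {"activityDateTime": "2025-01-06T03:09:33Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.com", "ipAddress": "203.0.113.7"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"}]},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['activity']} by {a['actor']} from {a['ip']} "
              f"-> {', '.join(a['targets'])} ({'; '.join(a['reasons'])})")
```

The design point worth noting is the handling of policy state: a policy flipped to “disabled” looks like an ordinary update in a raw event count, so the check parses the modified property rather than trusting the activity name, and the approved-pipeline exemption deliberately does not apply to destructive changes. The same approach works for the third-party-app consent and role-grant events, which is why they share one rule set.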

9. Remote Working Remains a Vulnerability

As we exited the pandemic, an unprecedented number of U.S. workers also exited their jobs – and many took sensitive company data with them. Employees were able to commit intellectual property theft or steal company and customer information by copying files to their local USB devices such as flash drives or at-home NAS systems, with minimal visibility from corporate security solutions.

If you invested during the pandemic in an MSP to manage your IT systems, or directly in remote monitoring and management (RMM) platforms to oversee your environment, you are now at risk in a different way. Threat actors have learned to attack these RMM solutions directly by compromising your Single Sign-On (SSO) solution or targeting your IT provider.

According to a recent CrowdStrike report, there has been a 70% increase in RMM tools used in endpoint attacks as threat actors hijack the tools through compromised providers or leftover installations.

There also remains the issue of how to control remote employee activity, and unfortunately, like with many of my other predictions for 2025, gaining proper visibility is cost prohibitive for most companies. BYOD became popular years ago in an effort to cut costs and remains popular today. But because of privacy concerns and the dual-use nature of personal devices, all you can do is ask an employee to install an MDM agent; if they say “No”, what is your recourse?

What you can do:

  • Make sure the native audit logging and visibility features built into Microsoft 365 and Google Workspace are turned on and retained (they weren’t a default setting on M365 until after April 2017).
  • Monitor or block unapproved RMM tools and remove any unauthorized remote admin application immediately.
  • Ensure your MSP and MSSP monitor and report on their own access to RMM tools.

10. Third Parties Can Carry Big Risks

Third parties have provided attackers with gateways to corporate data for years, and it remains a problem despite all the red flags.

From the Target breach in late 2013, where attackers got in using credentials stolen from the retailer’s HVAC vendor, to the RMM attacks described above that leverage third-party IT providers, it’s clear these attack vectors remain popular, and successful.

How do you know what your vendor is using in their products? You should not only be aware of the access rights you’re giving to your third-party, but the solutions they’re leveraging and implementing inside your environment.

What you can do:

  • Create a vendor management process that requires vendors to provide information about the solutions they’re using inside your environment and how they’re monitoring access to those solutions.
  • Find out if their solutions are mature, and if they create enough audit artifacts to ensure you can conduct a thorough assessment if there are any security incidents. If you’re not happy with the answers, find another vendor.

Start 2025 on a Secure Footing

Now that we’ve reviewed my 10 cybersecurity predictions for 2025, I do have a shorter list of the top three things you should do right away to give your company’s security a boost in the new year.

  1. Get a penetration test or vulnerability assessment to find your weaknesses before an attacker does.
  2. Make sure you have 24/7 security visibility and monitoring – and if you can’t commit to that schedule, find software that can do it for you.
  3. Know where your data is and what the data is. Following an attack, you don’t want to be stuck manually indexing what may have been located on a compromised file server.

The best way to check off these items and deal with what’s coming in 2025 is by investing in an MSSP. An MSSP provides 24/7 network monitoring so you won’t miss a thing, and incident response planning and deployment to help you respond quickly and properly to get your organization back to business as soon as possible following a breach.

The biggest trend each year is companies being unprepared for security attacks. Break the cycle in 2025.

With decades in the business and a personalized service delivery model tailored to your business’s needs, DirectDefense can help prepare you for what’s already here, and what’s to come.

Contact us today to get started.
