2025 Predictions from Dan Lattimer, Area VP, Semperis:
AI buzzword bingo
Artificial Intelligence (AI) will keep being talked about in 2025. However, a lot of it is buzzword bingo as the technology is not necessarily being used in a meaningful way - yet. While we are seeing cybercriminals increasingly trying to harness AI, many of those attacks will still be basic and clunky. And sadly, with everyone talking about AI, there is a risk that some of its really exciting applications will get lost in the general noise.
More eyes on the supply chain
We will see more due diligence happening when it comes to securing the supply chain. Organisations have realised this is the soft underbelly that can leave them vulnerable to cyberattacks and, as a consequence, there is now more scrutiny on the supply chain, meaning suppliers will have to drastically clean up their operations and tighten defences. DORA will apply as of January 2025 and I am hoping it will have some teeth to it; potentially resulting in fines for those that haven’t adequately prepared or aren’t even aware that DORA applies to them.
Back to basics – once again
Finally, with budgets being looked at more stringently, security teams will need to put a renewed focus on getting the basics right rather than investing in shiny new tools. Fundamental security steps such as managing endpoints, immediate patching, enforcing strict access management policies and employee training may seem boring but they can be hugely effective. After all, the fanciest new technology won’t make a difference if you don’t pay attention to basic cyber hygiene measures.
2025 Predictions from Simon Hodgkinson, Strategic Advisor, Semperis:
Increasing acceptance of cyber risks
Cybersecurity spend will continue to reduce as a percentage of an organisation’s revenue. While this is not a new trend, for security teams, it means even more pressure to do more with less. In addition, people are becoming desensitised to data breaches; this is a troubling phenomenon that you can see all the way down to the end consumer. As cyber incidents have become inevitable, boards are increasingly informed to accept an appropriate degree of risk – with cyber just being one of many business risks – and there are trade-offs to be made. We may see this shift in attitude have an impact on the ransomware market, potentially with a ramp-up in destructive extortion attempts.
Resilience in focus
In 2025, the focus will move from cyber resilience to operational resilience overall. Improving their resilience will demand ongoing attention from organisations – not just to be compliant, although regulators will continue to have a big hand in driving the security agenda. There needs to be a focus not only on having the right defences in place, but on people, too: the talent shortage and high levels of stress and burnout amongst security professionals, including CISOs, mean support mechanisms will be critical to building a resilient workforce.
2025 Predictions from Guido Grillenmeier, Principal Technologist, Semperis:
Security-focused enhancements to Active Directory
With Windows Server 2025, generally available since 1 November 2024, Microsoft has provided various security updates to Active Directory (AD). These are the first relevant AD security improvements since Windows Server 2016 and a welcome step, as securing this business-critical identity service continues to be a huge headache for organisations. It’s incredibly common for threat actors to go after AD, using it as a tool to elevate privileges and move laterally through their victim’s network. While it’s good to see that Microsoft has not given up on AD, it remains to be seen if this update will make a significant difference to organisations’ overall identity security.