IT For CEOs & CFOs
Cybersecurity under spotlight in 2025, says Semperis

As we begin the New Year, we ask Dan Lattimer, Area Vice President, and Simon Hodgkinson, Strategic Advisor, Semperis, what organizations can expect on the cybersecurity front in 2025.
“AI continues to be buzzword bingo,” says Lattimer. “Artificial Intelligence (AI) will keep being talked about in 2025. However, a lot of it is buzzword bingo as the technology is not necessarily being used in a meaningful way – yet. While we are seeing cybercriminals increasingly trying to harness AI, many of those attacks will still be basic and clunky. Sadly, with everyone talking about AI, there is a risk that some of its really exciting applications will get lost in the general noise.”
“All eyes will be on the supply chain”, continues Lattimer. “We will see more due diligence happening when it comes to securing the supply chain. Organizations have realized this is the soft underbelly that can leave them vulnerable to cyberattacks and as a consequence, there is now more scrutiny on the supply chain, meaning suppliers will have to drastically clean up their operations and tighten defences. DORA will apply as of January 2025, and I am hoping it will have some teeth to it; potentially resulting in fines for those that haven’t adequately prepared or aren’t even aware that DORA applies to them.”
With budgets being looked at more stringently, security teams will need to put a renewed focus on getting the basics right rather than investing in shiny new tools. “Fundamental security steps such as managing endpoints, immediate patching, enforcing strict access management policies and employee training may seem boring but they can be hugely effective,” says Lattimer. “After all, the fanciest new technology won’t make a difference if you don’t pay attention to basic cyber hygiene measures.”
“Cybersecurity spend will continue to reduce as a percentage of an organization’s revenue,” adds Hodgkinson. “While this is not a new trend, for security teams, it means even more pressure to do more with less. In addition, people are becoming desensitized to data breaches; this is a troubling phenomenon that you can see all the way down to the end consumer. As cyber incidents have become inevitable, boards are increasingly informed to accept an appropriate degree of risk – with cyber just being one of many business risks – and there are trade-offs to be made. We may see this shift in attitude have an impact on the ransomware market, potentially with a ramp-up in destructive extortion attempts.”
In 2025, the focus will move from cyber resilience to operational resilience overall. “Improving their resilience will demand ongoing attention from organizations – not just to be compliant, although regulators will continue to have a big hand in driving the security agenda. There needs to be a focus not only on having the right defences in place, but on people, too: the talent shortage and high levels of stress and burnout amongst security professionals, including CISOs, mean support mechanisms will be critical to building a resilient workforce,” comments Hodgkinson.