While it may seem straightforward to anticipate the security threats of the coming year, these risks have been simmering for some time – and they’re not going away. Leading global security experts share their insights on where organisations should focus their efforts, but caution to stay vigilant and avoid tunnel vision. After all, the threats not on your radar are already brewing and could arise when least expected.
Derek Manky, Chief Security Strategist & Global VP Threat Intelligence, FortiGuard Labs
While threat actors continue to rely on many ‘classic’ tactics that have existed for decades, our threat predictions for the coming year largely focus on cybercriminals embracing bigger, bolder, and – from their perspectives – better attacks. From Cybercrime-as-a-Service (CaaS) groups becoming more specialised to adversaries using sophisticated playbooks that combine both digital and physical threats, cybercriminals are upping the ante to execute more targeted and harmful attacks.
- More attack chain expertise emerges: Cybercriminals have been spending more time ‘left of boom’ on the reconnaissance and weaponisation phases of the cyber kill chain. As a result, threat actors can carry out targeted attacks quickly and more precisely. We’ve observed many CaaS providers serving as jacks of all trades – offering buyers everything needed to execute an attack, from phishing kits to payloads. However, we expect that CaaS groups will increasingly embrace specialisation, with many groups focusing on providing offerings that home in on just one segment of the attack chain.
- It’s cloud(y) with a chance of cyberattacks: While targets like Edge devices will continue to capture the attention of threat actors, there’s another part of the attack surface that defenders must pay close attention to over the next few years: their cloud environments. Although cloud isn’t new, it’s increasingly piquing the interest of cybercriminals. Given that most organisations rely on multiple cloud providers, it’s not surprising that we’re observing more cloud-specific vulnerabilities being leveraged by attackers, and we anticipate that this trend will grow in the future.
- Automated hacking tools make their way to the Dark Web marketplace: A seemingly endless number of attack vectors and associated code are now available through the CaaS market, such as phishing kits, Ransomware-as-a-Service, DDoS-as-a-Service and more. While we’re already seeing some cybercrime groups rely on AI to power CaaS offerings, we expect this trend to flourish. We anticipate that attackers will use the automated output from LLMs to power CaaS offerings and grow the market, such as taking social media reconnaissance and automating that intelligence into neatly packaged phishing kits.
- Playbooks grow to include real-life threats: Cybercriminals continually advance their playbooks, with attacks becoming more aggressive and destructive. We predict that adversaries will expand their playbooks to combine cyberattacks with physical, real-life threats. We’re already seeing some cybercrime groups physically threaten an organisation’s executives and employees in some instances and anticipate that this will become a regular part of many playbooks. We also anticipate that transnational crime – such as drug trafficking, smuggling people or goods and more – will become a regular component of more sophisticated playbooks, with cybercrime groups and transnational crime organisations working together.
- Anti-adversary frameworks will expand: As attackers continually evolve their strategies, the cybersecurity community at large can do the same in response. Pursuing global collaborations, creating public-private partnerships and developing frameworks to combat threats are all vital to enhancing our collective resilience. Many related efforts – like the World Economic Forum Cybercrime Atlas initiative, of which Fortinet is a founding member – are already underway, and we anticipate that more collaborative initiatives will emerge to meaningfully disrupt cybercrime.
Ravi Bindra, CISO, SoftwareOne
Cyberattacks remained a serious threat in 2024. Aided by the proliferation of AI technologies, cyberthreats grew in scale and severity, as malicious actors leveraged smarter, more technically advanced tools as part of their approach. In 2025, CISO strategies need to keep pace – and this starts by investing in AI technologies to bolster cybersecurity practices.
As the use of AI grows, threat actors too are increasingly leveraging it to cause harm to businesses. With worldwide cybercrime costs expected to rise to nearly US$24 trillion by 2027, organisations can’t afford to sit still. In fact, Gartner predicts that by 2028, 25% of enterprise breaches will be traced back to AI agent abuse from both external and malicious internal actors.
To stay one step ahead, businesses must fight fire with fire and arm their defences with AI tools to protect against malicious attacks. AI does this by using advanced algorithms which detect, predict and tackle threats in real-time at much greater speed than traditional methods. As attacks on enterprises continue to grow in prevalence and sophistication, investing in AI to improve security processes, operations and defence is essential to any CISO strategy.
Today, technology is evolving faster than data governance frameworks and security protocols. With employees increasingly experimenting with AI in the workplace, secure AI integration demands a structured approach that encompasses security protocols baked into all processes and clear direction on accepted AI use. To achieve this, a CISO strategy must prioritise an effective training plan for staff, so employees understand their key role in keeping organisational data secure.
Finally, CISO strategies for the new year need to branch beyond 2025. CISOs need to be implementing technologies and processes today that their business will be thankful for in the years to come. A great example of this comes from the expected rise in Quantum Computing. Current cryptography methodology will inevitably be ‘debunked’ as quantum becomes available at scale, and ‘quantum-capable’ threats will start to rise as the technology becomes more accessible.
We are already seeing evidence of threat actors adopting ‘store it now, crack it later’ strategies, gathering encrypted data passed across the Internet to be decrypted once quantum technology becomes viable in the next five to 10 years. So, although Quantum Computing sounds like a problem for the future, it needs to be a security concern now. As such, CISOs must work closely with cloud providers, looking into their post-quantum services offerings, future-proofing data today that will be difficult to crack in five years.
Lincoln Goldsmith, Director of Channels & Alliances APJ, Semperis
Firstly, Active Directory will become a prominent target for cybercriminals. Hackers will increasingly target Active Directory (AD) in 2025. AD is the most widely used authentication and authorisation solution in enterprise IT networks globally, and also a blind spot for many security teams.
For most organisations, Active Directory is at the heart of their operational resilience because it manages access to nearly all users, groups, applications and resources, which also makes it a top target for attackers. Yet, only one quarter (27%) of the companies surveyed globally by Semperis said that they maintain dedicated, Active Directory-specific backups, which hackers have recognised and are increasingly taking advantage of. The Australian Signals Directorate and Five Eyes Alliance have recently warned Australian businesses of an uptick in attacks on AD, demonstrating that this will be a key priority area for 2025.
The number of attacks on critical infrastructure will also increase, as will their sophistication. While hospitals, government agencies, electricity operators and the like are regularly targeted by cybercriminals, we will see a further increase in the number of attacks on Australian critical infrastructure in 2025 for a few reasons. Firstly, critical infrastructure networks often rely heavily on legacy software, which is only growing older and more insecure as the years go by. A large amount of this legacy software is no longer supported by the vendors who originally made it, meaning they are full of security vulnerabilities and frequently unable to be patched.
Furthermore, critical services such as hospitals and water treatment facilities operate on a 24/7 basis with zero room for downtime – which has unfortunately made them more likely to pay the ransom to get their systems back up and running, as opposed to a non-critical service which can wait. To add fuel to the fire, growing geopolitical instability has increased the likelihood of nation-state-sponsored hackers targeting the critical infrastructure of opposing countries.