Three Key Cybersecurity Predictions For 2025 (And What You Need To Do)


John Bruggeman, CISSP, is consulting CISO for CBTS and OnX, both MSPs and MSSPs.

As the new year approaches, it’s time for me to peer into the future and do my best to anticipate the top threats that will challenge CISOs and CIOs in 2025. Although I have my own insights, I’ve cross-referenced them with the predictions of industry giants like Gartner, Palo Alto Networks and Check Point.

Based on industry trends and my experiences this past year talking with CIOs, IT directors and CISOs, I believe these cybersecurity risks will demand the most attention in 2025:

1. Artificial Intelligence: How will businesses protect their newly deployed AI tools from cybercriminal attacks? When using AI tools with third-party suppliers and vendors, how can data privacy be secured?

2. Quantum Computer Cryptography: As new projects begin to get funding in 2025, what security concerns will arise? How do we prevent them?

3. Supply Chain And Third-Party Cybersecurity: Suppliers and third-party vendors will face increased risk in 2025. How can we prepare to prevent security breaches?

Artificial intelligence is unstoppable.

It’s been the topic of the year for the past two years, and I don’t see that trend stopping in 2025. The risks presented by AI and generative AI tools like ChatGPT, Copilot and Claude are essentially the same as they were in 2024. I covered these risks in a Forbes Technology Council article in mid-2024.

Gartner and Check Point researchers agree and have listed AI as a top concern for 2025. It’s nice to see that we, as thought leaders, are in agreement on the risks AI poses to unprepared organizations and companies.

A key point to remember is that the risk of a poorly designed or developed AI project is significant. Most cybersecurity professionals focus on the attacker and the risk they pose to an organization, which makes sense for the team tasked with defending the company. But an AI project that’s poorly designed and deployed exposes the organization to an equal risk. It’s easy to imagine an AI tool built by an organization for one purpose that ends up costing more than originally budgeted, or increasing the organization’s risk more than planned, because the information security team wasn’t involved early in the development process.

The rewards from AI and generative tools are significant, and it’s understandable why companies are in a rush to deploy their own AI tool to help accelerate growth or improve customer service with a chatbot. But the risk to an organization from quickly deploying a tool is that it may waste time and money because the goal of the project wasn’t clear. Gartner analysts even estimate that 30% of generative AI projects will be abandoned in 2025 after the proof-of-concept stage.

What the CIO and CISO should do before starting an AI project is seek agreement on the goals and the risks before investing any real resources into the project. In other words, have the goal in mind before you begin your journey.

Quantum computers are inevitable.

Quantum computers are coming. I’ve been talking about them since July 2022, when NIST announced its first four quantum-resistant post-quantum cryptography (PQC) algorithms, and I’ve been writing about them here on Forbes since December 2023.

The major players—like Gartner and Palo Alto Networks—also agree that PQC is a top concern for 2025. Although quantum computers aren’t a dominant threat at this point, organizations must start planning for how they’ll implement quantum-resistant encryption algorithms.

CIOs need to think about quantum computers as an emerging threat that must be addressed holistically. Upgrading your cryptography and encryption algorithms is a major project along the lines of the Y2K projects of some 25 to 30 years ago. The main reason leaders need to treat this threat as a project is that quantum-resistant cryptography isn’t easy to implement.

There’s no “drop-in” replacement that takes you from current encryption ciphers to quantum-resistant ciphers. NIST noted in a whitepaper that “there are multiple candidate classes for post-quantum cryptography. Unfortunately, each class has at least one requirement for secure implementation that makes drop-in replacement unsuitable.”

When I talk with my customers, they want to know where to start. The answer is straightforward: Find out where your data is and inventory what you use to encrypt it. Develop an inventory and then start the process of identifying how you can upgrade the encryption that’s in use.
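As an added example (not code from the article, CBTS or OnX), here is a small Python triage of a cryptographic inventory: it sorts entries by whether a quantum computer breaks the algorithm outright (Shor's algorithm against RSA, DH and elliptic-curve keys), only weakens it (Grover's algorithm against symmetric keys and hashes), or leaves it alone, which turns the inventory step above into a prioritized upgrade list. The system names and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass

# Public-key algorithms whose hardness assumption falls to Shor's algorithm.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# NIST-standardised PQC algorithms (FIPS 203, 204, 205).
PQC_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric ciphers and hashes: Grover roughly halves the effective security
# level, so 128-bit keys or outputs should move to 256-bit.
SYMMETRIC = {"AES", "CHACHA20", "SHA-256", "SHA-384", "SHA-512", "SHA3-256"}

@dataclass(frozen=True)
class Asset:
    system: str     # where the cryptography is used
    purpose: str    # what it protects, e.g. "data at rest"
    algorithm: str  # as recorded in the inventory
    bits: int       # key size or hash output length

def classify(asset: Asset) -> str:
    """Verdict for one inventory entry; the prefix before ':' is the action."""
    alg = asset.algorithm.upper()
    if alg in PQC_SAFE:
        return "quantum-safe"
    if alg in SHOR_BROKEN:
        return "replace: public-key algorithm broken by Shor"
    if alg in SYMMETRIC:
        if asset.bits >= 256:
            return "ok: symmetric strength adequate"
        return "upgrade: Grover halves effective key or hash strength"
    return "unknown: review manually"

# Lower number = more urgent; Shor-broken public keys need replacement first.
PRIORITY = {"replace": 1, "upgrade": 2, "unknown": 3, "ok": 4, "quantum-safe": 4}

def triage(inventory):
    """Return (priority, system, verdict) tuples, most urgent first."""
    rows = []
    for asset in inventory:
        verdict = classify(asset)
        rows.append((PRIORITY[verdict.split(":")[0]], asset.system, verdict))
    return sorted(rows)

# Constructed sample inventory; the systems and algorithm choices are invented.
SAMPLE = [
    Asset("web-frontend", "TLS key exchange", "ECDH", 256),
    Asset("backup-vault", "data at rest", "AES", 128),
    Asset("ci-signing", "code signatures", "RSA", 2048),
    Asset("site-to-site VPN", "key exchange", "ML-KEM", 768),
    Asset("file-server", "data at rest", "AES", 256),
    Asset("legacy-portal", "password hashing", "bcrypt", 0),
]
```

Running `triage(SAMPLE)` puts the two Shor-broken public-key uses at the top, the 128-bit AES store next, and the unrecognised algorithm before the entries that need no action.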

Rising risks are unavoidable.

Supply chain and third-party risks will continue to grow for all organizations. When you look at the major data breaches in 2024—exposing millions of customer records—it’s easy to see how your supply chain is very often your weakest link. Many of the affected companies are now facing lawsuits and regulatory actions from these data breaches.

How do you, as a company or organization, determine if your third-party vendors have implemented appropriate security controls? Many of the risks these vendors pose can be addressed with an appropriate and robust supply chain and third-party risk management (TPRM) program. A great Forbes Technology Council article outlines how to assess and address third-party cybersecurity risk.

I hope these three things help you focus on what you need to do in 2025 to stay secure. I look forward to another year of tackling cybersecurity challenges with you!


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
