Date: 2 January 2025
Abstract: As 2025 unfolds, cyber security remains a battleground for innovation and exploitation. For those who approach technology with caution—or a healthy dose of scepticism—the year’s biggest threats require not just vigilance but thoughtful strategies.
This guide examines the major risks on the horizon, drawing on the insights of experts and credible sources.
AI has surged in growth in recent years, with 2024 marking a pivotal year for the technology. According to TechRadar, AI’s capabilities have expanded rapidly, particularly with advancements like GPT-4 (released in March 2024), capable of producing human-like text and even creating complex code TechRadar2024. By 2025, AI-driven threats are expected to dominate the cyber security landscape. The same source predicts that AI will be increasingly used by cyber criminals to automate phishing campaigns, impersonate individuals, and create malicious code TechRadar2024. As we saw with the rise of generative models, the next frontier will likely involve AI creating tailored attacks that make it difficult for traditional security systems to differentiate between genuine and malicious activity.
The late Ross Anderson reminds us that in the arms race between attackers and defenders, both sides are leveraging AI. He states that as AI becomes more sophisticated, attackers will find ways to exploit it, while defenders will use AI to bolster defences (Anderson, 2020). However, the real challenge comes in human oversight: no matter how advanced the tools, if AI-generated attacks are not recognised by human operators, they can slip under the radar. In 2025, this dual-use nature of AI will likely blur the line between human ingenuity and machine-driven threats.
Practical advice: Using machine learning to enhance your defences is encouraged if properly implemented, but don’t let it replace human judgement. I expect in 2025 we will see a huge uptick in "Super awesome AI powered 50-in-1" products which will aim to replace valuable skilled teams of humans.
Invest in proper human-to-human training for staff to recognise AI-generated threats, which often mirror legitimate communications. Moreover, be prepared for AI-driven attacks to become more targeted and convincing, demanding sophisticated defences.
The rapid expansion of IoT devices in 2024 set the stage for a dramatic increase in the attack surface in 2025. With Gartner predicting that 25 billion IoT devices will be connected by the end of 2025, the potential for breaches is skyrocketing (Gartner, 2024). Vulnerabilities in IoT devices are already a prime target for attackers, as seen with the Mirai botnet that caused widespread outages in 2016 (Kolias, 2017). Since then, devices have become more integrated into both personal and professional lives, yet security often remains an afterthought.
Anderson has pointed out that "IoT devices frequently suffer from weak security and poor patching practices," a concern that continues to plague the sector (Anderson, 2020). In 2024, vulnerabilities in IoT devices were responsible for over 60% of all data breaches in critical infrastructure sectors, according to a 2024 report by the IoT Security Foundation (IoTSF, 2024).
Practical advice: Treat IOT devices like they are already hacked (because they probably are). Change default passwords, disable unnecessary connectivity, and separate IoT devices on isolated networks. If a device doesn’t absolutely need to connect to the internet, unplug it. Be vigilant about firmware updates and patch vulnerabilities regularly to prevent exploits.
Phishing remains one of the most effective methods of cyber attack. In fact, Verizon’s 2023 Data Breach Investigations Report highlighted that phishing was involved in 36% of all data breaches (Verizon, 2023). With AI’s rapid development, phishing attacks are expected to become increasingly sophisticated by 2025. As noted in the TechRadar 2024 report, AI-powered phishing attacks are likely to be personalised at a scale never seen before, mimicking individuals' writing styles or generating fake voices through deepfakes (TechRadar, 2024).
Anderson points out the central role of social engineering in cyber crime, arguing that while technology improves, human vulnerability remains a constant target (Anderson, 2020). AI will enable attackers to carry out highly personalised social engineering attacks, making them harder to detect.
Practical advice: The rise of deepfake-based social engineering highlights the critical need for robust operational security and the application of critical thinking skills to ensure the continuation of operations. To learn more about how to protect your organisation, visit Boudica Cybersecurity for practical operational security strategies.
Some good mitigations can include: implementing regular training to teach users how to spot phishing attempts, multi-factor authentication and behavioural email filtering can act as secondary safeguards. AI-powered detection systems can also be used as a secondary defence where appropriate but should not be relied upon.
Quantum computing is moving out of the research phase and into the realm of early-stage prototypes. In 2024, IBM unveiled its 1,121-qubit quantum computer, setting the stage for major breakthroughs in computational power (IBM, 2024). While this is still a long way from practical large-scale use, the potential implications for cryptography are profound. As Shor’s algorithm is capable of breaking current encryption methods, organisations must begin preparing for a post-quantum world.
In response, the National Institute of Standards and Technology (NIST) has accelerated efforts to standardise post-quantum cryptography, with candidates for quantum-resistant algorithms being evaluated in 2024 (NIST, 2024). This is a critical development as organisations prepare for the day when quantum computers could potentially break the encryption protocols that protect everything from personal data to financial transactions.
Practical advice: Begin testing post-quantum algorithms in non-critical systems. Stay updated on developments in quantum-resistant encryption to avoid being caught unprepared. In 2025, expect a gradual transition to these new standards in key industries like finance, healthcare, and government. The following algorithms, that are still widely used in production environments, should be phased out as a matter of urgency:
Ransomware continues to plague organisations, and 2024 saw a surge in ransomware-as-a-service platforms, enabling even low-skill cyber criminals to launch sophisticated attacks (Europol, 2024). The trend towards double-extortion attacks, where hackers not only encrypt data but also threaten to release it publicly, shows no signs of slowing down.
According to the latest Verizon Data Breach Investigations Report (2023), ransomware now accounts for nearly 50% of all attacks in certain sectors, including healthcare and finance (Verizon, 2023). Europol's 2024 report emphasised the growing sophistication of these attacks, predicting that the rise of AI will only make these extortion campaigns more efficient (Europol, 2024).
Practical advice: Regularly test and update backups, ensuring at least one copy is offline or immutable. Network segmentation can also limit an attack’s ability to spread. Finally, ensure that people are trained to recognise early warning signs of ransomware attacks, as fast response is crucial.
Social engineering remains one of the most successful attack vectors. In fact, Canfield et al. (2016) found that social engineering attacks are successful in over 70% of targeted organisations (Canfield, 2016). In 2024, we saw a surge in these tactics, with attackers using AI to craft messages that are eerily convincing, mimicking the tone and style of familiar contacts.
Anderson highlights that no matter how sophisticated technology becomes, social engineering attacks will always rely on human trust (Anderson, 2020). By 2025, attackers are likely to deploy deepfake technologies to manipulate video and audio, further blurring the lines between real and fabricated communications.
Practical advice: Foster a culture of scepticism, where people are encouraged to question requests for sensitive information. Conduct simulated phishing and social engineering exercises to help people recognise red flags before they become breaches.
As technology evolves, so too do the threats we face. Anderson reminds us that effective security is about managing risk, not striving for perfection (Anderson, 2020). Meanwhile, sources like Europol and NIST highlight the importance of staying proactive and informed in an increasingly complex digital world.
For the critically minded, 2025 is not a year to fear technology but to understand and navigate its risks with confidence. Stay sceptical, stay prepared, and above all, remember that the best defence often involves simple, actionable steps—like not trusting that email from a long-lost prince.