Top 5 trends in cybersecurity in 2025
"Turbulent times, unforeseen effects" was the title of the Cybersecurity Report Netherlands 2024, and it was not without reason. The past year has shown how vulnerable our digital world can be. A faulty software update led to the cancellation of over 4,200 flights worldwide, public transport came to a halt, and hospitals had to temporarily close their doors. Until that day, most people had never heard of CrowdStrike. Yet a small mistake in this software had a huge impact.
Fortunately, progress has also been made in strengthening cyber resilience: from improved collaboration between public and private sectors to innovations in AI-driven security. A lot is bound to happen in the world of cybersecurity in 2025 as well. In this blog, I share my vision of the key trends that will shape cybersecurity in 2025.

1. The impact of AI on cybersecurity
The developments in Generative AI open doors for innovations within cybersecurity, while also introducing new threats. For instance, Generative AI offers new ways to detect anomalies in data, enabling quicker detection of cyberattacks. Additionally, it provides significant opportunities for creating engaging content for awareness campaigns, helping organizations boost cybersecurity awareness more effectively.
At the same time, these advancements also enable the offensive side. Attackers can use Generative AI to more rapidly identify attractive targets and exploit vulnerabilities. Moreover, Generative AI is being utilized to make phishing emails even more realistic, and these can now be produced on a much larger scale.
2. The need for cybersecurity for AI
A growing number of organizations are using AI systems, which introduces new risks. Employees, for instance, could inadvertently share confidential information with public large language models like ChatGPT. AI systems can also be manipulated, potentially leading to incorrect results or even sabotage. Furthermore, capturing the audit trail of AI systems is complex, making it difficult to trace how a particular result was reached. Additionally, AI systems pose a significant cybersecurity challenge due to their adaptive nature: an AI system might be assessed as secure before going live but become insecure while in use. Continuous monitoring for vulnerabilities is therefore essential throughout its use.
3. Navigating New Cyber Laws Ahead
In 2025, new laws will be introduced in the field of cybersecurity. The NIS2 Directive has been established by the European Union and is expected to be translated into the Cyberbeveiligingswet for the Netherlands in 2025. This new law will impact a wide range of organizations, meaning many organizations will need to focus on improving their information security levels. For the public sector, the Baseline Informatiebeveiliging Overheid (BIO) will be revised, resulting in the BIO2. The BIO2 will define the duty of care stemming from NIS2 for government organizations. Additionally, financial institutions have until January 17th to comply with the Digital Operational Resilience Act (DORA) regulation. Thus, many organizations will have to comply with new regulations.
4. Focus on Third Party Risk Management
As organizations mature in the field of information security and new legislation is introduced, customers will impose stricter requirements on their suppliers in 2025. Most organizations first focus on their own information security before addressing supplier risk management. In many sectors, organizations are maturing in terms of information security, which inevitably means they will pay more attention to the information security of their suppliers. This shift is also driven by the NIS2 and DORA regulations, which make supplier management a major focus. In other words, any organization not yet actively working on cybersecurity will certainly be doing so in 2025.
5. Leveraging Behavioral Science for Better Cybersecurity
There will be a shift from an awareness strategy to a behavior change strategy. Many organizations structure their awareness campaigns by having experts tell employees what they need to do to ensure good cybersecurity. Employees are then expected to act on this advice. However, two major changes are slowly emerging in this approach. First, an awareness strategy is being developed based on a well-founded risk analysis, rather than just gut feeling, allowing a focus on the most high-risk behaviors that people may exhibit. Second, there is an increasing use of behavioral science theories, such as the COM-B model, to encourage desired behaviors among employees.
As we look to 2025, it's clear that cybersecurity will remain a critical focus for businesses across all industries. The trends we've outlined demand proactive strategies and constant vigilance. As cyber threats evolve, so too must our defenses.
Would you like to learn more about these trends and developments? Or could you use some help getting started? Feel free to reach out to Veroniek.Binkhorst@highberg.com.
