The 7 Biggest Cybersecurity Threats for 2025, According to The Experts

Sentinel Guild

We asked 21 cybersecurity experts, from VPs of Security to CISOs, to predict the biggest cybersecurity threats for 2025.

Interestingly, while there was definitely some overlap in their answers, they largely covered different ground. 

This is proof of just how challenging the role of a cybersecurity leader is in today’s landscape: so many significant threats, so little clarity on where exactly to focus, and inevitably not enough resources to do everything with.

So if you’re also unsure on what to focus on in the year ahead, start here: the seven biggest cybersecurity threats right now, according to our experts.

1. Shadow IT 

“I believe you'll see a heavy emergence of "shadow IT" really surface again in 2024 going into 2025 as IT, Security, and Privacy teams struggle to understand AI technologies, update policies, and practically apply risk management. Users adopt free tools and cheap tools to increase productivity on their own, and may succeed in doing so, but the terms and data protections in place for these tiers are often not in alignment with company policies. This adds fear, some warranted and some not warranted, and the application of control that slows velocities and has users going outside of processes for what they want. But leaking your customer's data into a third-party AI tool, if even not the "riskiest" thing in the world, has implications on those customer relationships.” —Anonymous, VP Security 

Shadow IT covers employees' use of software, services, and devices without the approval of the organization’s security department. It’s nothing new. But it’s a fast-growing issue as we move into 2025, with AI tools emerging faster than security departments can vet them. Our meetings are being transcribed, our contracts scanned, and our data summarized. Keen to optimize their productivity and stay one step ahead of competitors, teams are rushing to test the latest tools—but the security risks are a concern. Approximately 101,000 users were impacted by a ChatGPT hacking incident in May 2023 alone. 

2. AI-enhanced phishing and malicious attacks

“Malicious actors will learn to use AI more effectively in their operations. We are already seeing this in crafting more effective phishing attacks. While we have not seen the same in effectively automating malicious software and exploit development, we will likely start to see increases in this activity in the near future.”—Brandon Wu, Founder and Principal Consultant

Phishing and pretexting attacks are already reportedly responsible for some 73% of all security breaches. And Generative AI has—to borrow one of its favorite words—“supercharged” these attacks. They’re significantly more convincing: free of the usual tell-tale poor grammar and spelling, and even adopting the tone and writing style of the person they’re imitating (with frankly terrifying accuracy). It doesn’t stop in the written form, either; deepfake videos have already had devastating consequences, both within companies and outside of them. Perhaps the most famous case is that of the finance worker who mistakenly transferred $25 million to hackers after a call with deepfake recreations of his colleagues. But we’re seeing this happen on a more widespread and less elaborate basis, too. Deepfakes of trusted UK finance expert Martin Lewis have been used to create social media ads and scam regular people out of their money. They’re crude, but convincing enough to an audience that’s green in AI.

3. Attacks from governments or nation-state actors

The distribution of cyberattacks by major industries (Source)

Cyberattacks within the transportation industry currently account for a relatively low share of the total at just 4.3%. We predict this share to increase in 2025, and for there to be more high-profile attacks within this space. In September 2024, a cybersecurity attack on Transport for London—which is responsible for running almost all public transport across the city—compromised the bank details of 5,000 customers, and reportedly came close to bringing the city “to a standstill”. Just a few weeks earlier, Seattle-Tacoma International Airport grappled with the impact of widespread system outages following a cybersecurity attack, all in the run-up to their busiest Labor Day weekend on record. These targeted infrastructure attacks are often attributed to nation-state actors looking to cause widespread disruption. It’s no surprise that the increased need for cybersecurity is tipped to dictate investments within the airport industry in the years ahead. 

4. Zero-day vulnerabilities

In 2023, exploited zero-day vulnerabilities accounted for over half of the total exploited for the first time in recent years. This was a big deal—particularly given they were dubbed ‘more rare and expensive than ever’ way back in 2017, after the number of zero-day vulnerabilities fell for the third consecutive year. Today, posts selling zero-day vulnerabilities account for 51% of all posts on the dark web, with one of the most expensive being a Microsoft Outlook vulnerability priced at $2 million. With this amount of money up for grabs—significantly more than earned by bug bounty hunters—it’s no surprise our experts are concerned about this rise moving into 2025.

5. Pace and carelessness

“A new generation of developers blindly using open-sourced code in cloud environments without proper vetting or understanding introducing risks to applications.”—Anonymous, Exec Director

As cybersecurity experts, we know that the threat landscape is expanding from all sides; more attackers, more threat avenues, and more sophisticated attempts. But try telling that to the startup founder who wants to launch next week. Or to the product manager who wants that shiny new feature by this afternoon. Or to the developer fighting bug reports arriving from all sides. Pressured, inexperienced, unsupervised or simply unaware teams don’t build secure products. And while this might save time and costs in the early stages, as Phillip Miller explains, it catches up with them sooner or later: “Businesses continue to iterate fast and the new ideas and solutions arrive before commodity-based protection is available. As cybersecurity teams attempt to lower the residual risk, they add layers of solutions (often with immature processes) which add to the complexity and cost. This, in turn, stifles innovation in companies that cannot afford to take large financial risks.” —Phillip Miller, CISO

6. IoT exploitation

“Exploitation of IoT and Critical Infrastructure: The increasing number of connected devices and smart infrastructure opens up new vulnerabilities. AI can be used to launch large-scale, coordinated attacks on critical infrastructure such as energy grids, healthcare systems, and financial institutions.” —Frank Offei, Cybersecurity Analyst EME

While security teams have their eyes firmly on the company website, their next breach could come from somewhere altogether more unexpected: a smart coffee machine, an IP camera, or a digital watch, for example. IoT attacks are nothing new; perhaps most terrifying was the high-profile hacking of pacemakers way back in 2017. But with the number of IoT devices set to grow by 18% between 2024 and 2025, it’s a threat that’s looking nearly a fifth more problematic going into the next year—and that’s before you even take malicious actor behavior and trends into account.

7. Shrinking budgets  

“Frequency and types of attacks will increase... If we do not have comprehensive self-learning ID proofing techniques, I see a magnitude of deepfakes being prevalent everywhere emulating users’ identity…” —Guatam Dev, CEO

We asked 21 cybersecurity experts for their biggest threat predictions going into 2025, and we received a wide range of answers. Experts are not united in what will cause them the most issues in the year ahead. One thing’s for sure, though: arming against each of these threats, and the many more that exist, requires resources. It requires buy-in and budget. Tools and time. People on the ground. And that’s something leaders tell us will be an issue for the year ahead. They tell us they should be automating more, but their staff are too busy doing the things that need automating to work out how to automate them. They tell us prioritization has never been more important, but they don’t know what to prioritize. Shrinking budgets lead to frazzled teams, cut corners, missed weaknesses, and playing catch-up against competitors. It lowers the barrier for any of the threats covered above, increasing the likelihood of them becoming a costly issue for companies. 

An evolving threat landscape requires an agile, specialized team

Sentinel Guild helps businesses secure their environments by connecting them with highly skilled, on-demand cybersecurity professionals. Imagine having access to top-tier experts exactly when you need them—without the cost or complexity of hiring full-time.
