2025 was a wild ride for cyber security. The landscape is shifting faster than ever, and several themes stand out when I think about the most important cyber security lessons from the year.
Nation-state risk remains constant. In June, US authorities urgently warned companies to prepare for Iranian cyber attacks. This is just one example of the environment we’re in. Security teams must be ready to defend at a moment’s notice. Threats will mix disinformation and low-level disruption with more sophisticated tradecraft, and the combination can have destructive consequences.
Human vulnerability is a favourite target of attackers. We continue to see this point proved by the cyber criminal group Scattered Spider, who focused on the insurance sector last June, using classic social engineering techniques to prove that humans are oftentimes the weakest link. If you’re relying only on technology, you’re missing the mark: attackers will always find a way in through people.
AI’s rise pressures us to modernise, but introduces new gaps. Enterprise adoption of generative AI surged in 2025. Traffic to generative AI sites jumped by 50%, while 68% of employees used free-tier…