CISO's guide for defending against the top 8 cyber threats in 2025

As we move further into 2025, the cyber threat landscape changes continuously and alarmingly. This isn’t anything new for those of us who've been around a while. Adversaries evolve and push the envelope using cutting-edge technologies, exploiting new, unpatched, and unmitigated vulnerabilities. They find creative ways to bypass traditional defenses. For busy security leaders, staying ahead means not just understanding emerging threats but also taking actionable steps to fortify defenses before an attack occurs.

Below, we highlight some of the most pressing threats that my CISO colleagues and I are learning about from our peers and the practical strategies that your security teams can use to help mitigate risk and enhance resilience.

1. AI-powered cyber attacks: The rise of autonomous threats

Artificial intelligence (AI) has revolutionized cybersecurity—but it’s also empowering attackers. To date, I think we are seeing more AI-enabled attackers versus seeing AI itself doing the attacking. This isn’t to say that we’re not expecting to see fully autonomous threats in the days ahead, just don’t hear about them today (the start of Q2 2025).

2025 is being defined by:

• AI-driven phishing campaigns that generate highly convincing, real-time spear-phishing messages based on a target’s digital footprint. We’re also seeing whale-phishing ‌attacks targeting executives like CFOs and other non-technical leaders.
• Autonomous malware that adapts its behavior in response to security controls, looking to avoid detection by traditional and even adaptive endpoint security solutions. Attackers are using the same tools that the good guys are using, such as VirusTotal, to upload malware and confirm that their new malware strains are not being detected before they inflict it upon the ‘net.
• Deepfake social engineering that convincingly mimics executives and other trusted individuals to execute fraudulent transactions or manipulate employees. You may already have heard of or even been targeted with whale-phishing, smishing, and deepfakes purporting to be an executive where you work. Thankfully, attackers aren’t always brilliant or change their tactics, and having a deepfake of a CEO of a multi-billion-dollar company asking for gift cards or postage stamps to be purchased is still a dead giveaway that these are not legitimate. Let’s hope attackers continue to give themselves away with these behaviors.

How to respond to AI-powered cyber attacks

• Invest in AI-driven detection tools: Use AI against AI by deploying behavioral analytics and anomaly detection tools that can spot AI-generated attacks. To fight AI-assisted attackers, we need AI-assisted defenders.
• Strengthen phishing training: Traditional phishing training is becoming outdated. Implement advanced simulations that incorporate AI-driven attack methods. Continue to teach the fundamentals while helping people to use intuition (Malcolm Gladwell’s book, Blink is a good recommendation). If something just doesn’t feel right, don’t click or process it!
• Enhance authentication mechanisms: Use MFA with phishing-resistant options like hardware security keys. If identity is going to be the new perimeter, then we need to make certain we’re doing everything we can to make it as strong and secure as possible. Using hardware tokens can be a way to make a user’s workflow better as it can reduce the number of authentication requests too!

2. Supply chain attacks: Exploiting vendor weaknesses

In 2013, we saw Target get breached via an HVAC vendor. In 2020, a SolarWinds breach  allowed attackers to infiltrate hundreds (thousands?) of companies. Attackers are increasingly targeting third-party vendors and suppliers to compromise organizations indirectly. And with more businesses relying on cloud services, SaaS platforms, and third-party software providers, the attack surface continues to expand.

From a marketing perspective, listing your partners and customers on your website makes sense. From a reconnaissance perspective, attackers know which companies could be used to stage an attack on a larger organization.

How to respond to supply chain attacks:

• Implement continuous vendor risk assessments: Move beyond point-in-time evaluations and establish continuous monitoring of third-party security posture. And implement a fourth-party review process, too! Friends of your friends need to be assessed as risky partners.
• Require SBOMs (Software Bill of Materials): Mandate that vendors provide SBOMs to gain visibility into dependencies and potential vulnerabilities. Understand what open-source tools or libraries are being used and what dependencies exist. Track this in a risk register or GRC (governance, risk, compliance) solution.
• Zero trust for third-party access: Apply least-privilege principles and network segmentation for third-party integrations. Don’t extend your network. Don’t allow traditional VPN clients that connect to unknown, unmanaged, and unprotected devices to connect to your network. Connect identities to resources.

3. Quantum computing and the encryption crisis

While practical quantum computing isn’t widespread yet, adversaries are stockpiling encrypted data today (“harvest now, decrypt later”) in anticipation of future quantum breakthroughs. For instance, in 2025, the OPM breach (Office of Personnel Management) saw data loss covering 21 million individuals. This data is a treasure trove and, if it truly was encrypted, when it can be accessed could lead to a lot of identity theft or targeted attacks against those impacted or their loved ones with the nature of the data that was included.

This risk is especially high for organizations handling sensitive financial, government, or intellectual property data, particularly hospitals or healthcare-related businesses.

How to respond to the quantum encryption crisis:

• Start transitioning to quantum-resistant encryption: Follow NIST’s post-quantum cryptography standards and begin migrating critical systems. Day may be expected around 2030, yet advancements in technology could see it arriving much sooner. Don’t delay.
• Implement crypto agility: Design systems with the flexibility to swap encryption algorithms as standards evolve. Like the previous recommendation, don’t wait and don’t rely on “industry best standards” as we know that that is the minimum standard, not the best standard.
• Identify and classify sensitive data: Know what needs protection the most and prioritize protective controls and efforts (such as encryption) accordingly.

4. API attacks: Exploiting the backbone of digital business

APIs are the foundation of modern digital services, yet many remain unprotected or poorly secured. Attackers are increasingly targeting APIs for data exfiltration, account takeovers, and service disruptions. These are connections which, by design, have deep access to data or systems yet can be accessible externally. Unfortunately, many organizations which enable an API for a PoV (proof of value) or development purposes will forget to disable said API which leads to unintended exposures.

How to respond to API attacks:

• Conduct API security assessments: Regularly scan for exposed APIs and misconfigurations. Be curious, stay curious.
• Implement strong authentication and authorization: Use OAuth, OpenID Connect, and Zero Trust principles to secure APIs. When new capabilities are released, determine if they are appropriate.
• Adopt API threat monitoring: Deploy tools that detect and block anomalous API activity in real-time. Feed this into your operations team and integrate (if possible) into your SIEM.

5. Insider threats: The human factor in cybersecurity

With the rise of remote and hybrid work, insider threats—whether malicious or well-meaning/accidental—remain a significant concern. Employees, contractors, and even AI assistants with too much access can become a risk. Accidental exposure of confidential data is a real possibility, especially with public LLMs. Elsewhere, issues can spawn when an outgoing employee, for instance, takes with them a populated version of a template they’ve created rather than an innocuous blank copy (without getting into IF they should take a blank template or not).

How to respond to insider threats:

• Enhance user behavior analytics: Use machine learning to detect unusual activity patterns that may indicate insider threats and review anything suspicious. At some point, automate and allow auto-blocking.
• Implement just-in-time (JiT) access: Restrict access based on necessity rather than providing broad, long-term permissions. We’re huge advocates of JiT access. This is even better than separate accounts for normal usage versus administrative usage. With JiT access, even if the administrative account is compromised, the blast radius is still reduced.
• Foster a strong security culture: Educate employees on insider threat risks and encourage reporting of suspicious activity, even if it’s a roommate/flatmate that they suspect may have had access to their device when they forgot to lock the screen when at home and they left the device unattended.

6. Cloud jacking & identity-based attacks

As businesses migrate more workloads to the cloud, attackers are shifting their focus to identity-based attacks—targeting IAM (Identity and Access Management) misconfigurations, stolen credentials, and session hijacking. This, we believe, is an indicator that attackers are willing to adjust their methods to attack quickly than we (the defenders) are.

How to respond to cloud-jacking & identity-based attacks:

• Adopt Identity Threat Detection and Response (ITDR) - even if the acronym isn’t our favorite as it’s not got anything to do with disaster recovery): Actively monitor identity-related threats beyond traditional SIEM solutions.
• Enforce least privilege and continuous verification: Apply zero trust principles to identity management and require step-up authentication for high-risk activities, or, you know, back to using different accounts for administrative activities.
• Monitor cloud configuration drift: Continuously scan for misconfigurations in cloud environments to prevent security gaps. Use tools like Wiz and Orca to support the monitoring AND integrate into your SOC and ticketing systems (e.g., ServiceNow).

7.  Ransomware 3.0: Double, triple, and AI-powered extortion

Ransomware attacks have evolved beyond simple encryption. In 2025, we’re seeing double extortion, which means encrypting and exfiltrating data before demanding a ransom). More diabolic is triple extortion, which is when adversaries add threats to customers, partners, regulators, or even employees OR perform other attacks such as a DDoS to force a decision or faster payment). Here too, AI can theoretically create ransomware that autonomously spreads, adapts, and avoids detection, but thankfully no cases of it have come up.

How to respond to ransomware 3.0:

• Implement robust backup and recovery strategies: Ensure backups are immutable and regularly tested for effectiveness. Don’t ignore the second half; test it! Know where your backups are, how quickly you can get them back, and if you have the equipment to restore them. If you have tapes in a secure location, yet you don’t have a way to restore them, then you don’t have a backup.
• Enhance ransomware detection: Deploy AI-driven security tools that can detect abnormal file encryption activity. Feed this into your SOC / SIEM.
• Leverage deception technology: Use honeypots and decoy data to detect ransomware activities before they escalate. Zscaler has a tool for that :). This is where the term negative trust comes in. If an attacker gets access to your network and they are browsing around and seeing a juicy target, we want them to have to think “is that real? Is this too good to be true? Should I attack that or would that give away my presence?”

8. Emerging nation-state threats & cyber warfare

Geopolitical tensions are driving more sophisticated nation-state cyber operations. Critical infrastructure, financial systems, and healthcare networks are primary targets. As much as we tell people to not ONLY focus on nation-state actors as one needs to be able to stop the standard cybercriminals, they also do need to be able to detect, deflect, and deter nation-state actors.

How to respond to nation-state threats and cyber warfare:

• Strengthen critical infrastructure defenses: Follow CISA, NIST, and industry-specific guidelines to protect essential services. Having tools is wonderful. Having and executing ‌a plan is foundational to the success of any program.
• Participate in threat intelligence sharing: Join ISACs (Information Sharing and Analysis Centers) to stay informed on emerging threats. We’re all better together. Use your network. Share more than you consume! STIX & TAXII for the win.
• Develop an incident response plan for cyber warfare: Be prepared to operate in a degraded environment during a cyber conflict. Practice. Refine. Do it again.

Final thoughts: Ensure cyber resilience in 2025

The threats we face today are sophisticated, AI-driven, and faster-moving than ever before.Your security team must embrace proactive defense, zero trust principles, and continuous adaptation to stay ahead (or at the very least tread water).

Cyber resilience isn’t just about preventing attacks—it’s about detecting, responding to, and recovering from incidents quickly and effectively, not just efficiently.

By staying informed, leveraging cutting-edge security technologies, and instilling and fostering a security-first culture, cyber leaders can build stronger, more resilient organizations in 2025 and beyond.