Cybersecurity 2025: Six Critical Trends for CISOs to Monitor


This year’s Infosecurity Europe 2025 gathered industry experts to discuss the latest trends, challenges, and successes in the cybersecurity domain. The following six key trends emerged from conversations across the expo floor, emphasizing the imperative for security leaders to reassess their strategies and focus on foundational areas, including human behaviors and identity controls.

The nature of social engineering is evolving. Threat actors are increasingly using phone calls, either alone or in combination with emails, to initiate attacks aimed at gathering credentials for initial access into target networks. Notably, Erhan Temurkan, Technology & Security Director at Fleet Mortgages, expressed concern over scams where fraudsters impersonate IT departments to prompt employees into resetting their passwords. These attacks have been further complicated by advancements in deepfake technology, enabling impersonators to sound convincingly like trusted colleagues. Unlike traditional email phishing attacks, these malicious phone calls present a significant challenge as organizations struggle to implement preventive measures without inadvertently blocking legitimate communications.

Research indicates that credential compromise remains the primary method for attackers to infiltrate organizations. Data from Rapid7 reveals that 56% of all compromises in Q1 2025 arose from the theft of valid account credentials, often occurring without multi-factor authentication (MFA) in place. To preempt these attacks, organizations must ensure robust MFA protocols are deployed. Temurkan highlighted the growing threat of SIM-swapping attacks, which can undermine SMS-based two-factor authentication (2FA). As such, adopting phishing-resistant MFA technologies utilizing Fast IDentity Online (FIDO) protocols—including biometric measures and physical security keys—has become essential.
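The paragraph above recommends FIDO-based, phishing-resistant MFA without saying what makes it resistant. The property comes from origin binding: the browser, not the web page, records which origin it is on, and the authenticator signs over a hash of the relying party's ID, so a response captured on a look-alike domain fails the relying party's checks. The following Python is an added illustration written for this page, not code from Infosecurity Europe, Rapid7, or any FIDO vendor. The relying-party ID `bank.example`, the origins, key and counters are constructed, and the authenticator's ECDSA signature is stood in for by an HMAC over the real WebAuthn signing input (`authenticatorData || SHA-256(clientDataJSON)`); a production relying party verifies a public-key signature instead, but the origin, RP-ID hash, challenge and counter checks are the ones shown.

```python
"""Relying-party (RP) checks that give FIDO2/WebAuthn its phishing resistance.

Added illustration, not the page's or any vendor's code. The signature step
uses an HMAC stand-in over the genuine WebAuthn signing input; everything else
mirrors the RP-side verification of an assertion (navigator.credentials.get()).
"""
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "bank.example"               # constructed relying-party ID
RP_ORIGIN = "https://bank.example"   # the only origin this RP accepts
FLAG_UP = 0x01                       # authenticatorData flag: user present
FLAG_UV = 0x04                       # authenticatorData flag: user verified


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_authenticator_data(rp_id: str, counter: int, flags: int = FLAG_UP | FLAG_UV) -> bytes:
    """authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def authenticator_sign(key: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    """Stand-in for the authenticator's signature (HMAC instead of ECDSA/EdDSA).
    The signing input is exactly what a real authenticator signs."""
    signing_input = auth_data + hashlib.sha256(client_data).digest()
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_assertion(key: bytes, rp_id: str, origin: str, challenge: bytes, counter: int) -> dict:
    """Simulate browser + authenticator answering a get() request.
    Note that the *browser* writes the origin it is actually on; the page cannot lie."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode()
    auth_data = build_authenticator_data(rp_id, counter)
    return {
        "clientDataJSON": client_data,
        "authenticatorData": auth_data,
        "signature": authenticator_sign(key, auth_data, client_data),
    }


def verify_assertion(assertion: dict, key: bytes, expected_challenge: bytes, last_counter: int):
    """Return (ok, reason). Order follows the RP verification steps that matter for phishing."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge must match the one this RP issued for this session: blocks replay.
    if not hmac.compare_digest(cd.get("challenge", "").encode(), b64url(expected_challenge).encode()):
        return False, "challenge mismatch (replay)"
    # Origin binding: a response produced on a look-alike domain carries that domain here.
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    ad = assertion["authenticatorData"]
    if len(ad) < 37:
        return False, "authenticatorData too short"
    # The authenticator itself hashed the RP ID it was asked for; it must be ours.
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = ad[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    counter = struct.unpack(">I", ad[33:37])[0]
    # A non-increasing counter suggests a cloned authenticator (spec: check when either is non-zero).
    if (counter or last_counter) and counter <= last_counter:
        return False, "signature counter did not increase"
    expected_sig = authenticator_sign(key, ad, assertion["clientDataJSON"])
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Legitimate login versus the same challenge relayed through a look-alike site."""
    key = b"\x11" * 32                     # constructed per-credential key
    challenge = b"\x42" * 32               # constructed RP-issued challenge
    legit = make_assertion(key, RP_ID, RP_ORIGIN, challenge, counter=7)
    # A proxy phishing kit can relay the RP's challenge to the victim, but the
    # victim's browser records the phishing origin (in practice it would not even
    # offer a credential scoped to bank.example on another registrable domain).
    phished = make_assertion(key, RP_ID, "https://bank-example.com", challenge, counter=7)
    return {
        "legit": verify_assertion(legit, key, challenge, last_counter=6),
        "phished": verify_assertion(phished, key, challenge, last_counter=6),
        "replayed": verify_assertion(legit, key, b"\x99" * 32, last_counter=6),
        "stale_counter": verify_assertion(legit, key, challenge, last_counter=7),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Compare this with SMS codes: a one-time code has no notion of origin or challenge, so a victim who types it into a look-alike page, or whose number has been SIM-swapped, hands the attacker everything needed; here the relying party rejects the relayed response at the origin check before the signature is even examined.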

Another vital consideration is ensuring cybersecurity measures do not create unnecessary friction for employees, as increased complexity can lead to non-compliance with security best practices. Langford noted that the challenge lies in balancing security solutions with user experience. Therefore, security leaders should prioritize passwordless authentication methods and tools that enhance usability without compromising security.

The proliferation of AI technology has introduced new security risks to organizations, particularly as attackers exploit AI to increase the speed and scalability of their operations. As AI tools become more prominent, defenders must integrate their own AI solutions for effective threat mitigation. Additionally, organizations must remain vigilant regarding the AI capabilities of third-party suppliers, ensuring their practices align with secure deployment standards to mitigate potential risks from automated systems.

In response to advanced social engineering tactics, mere awareness training is insufficient. Experts advocate for real-time interventions—nudges—to discourage risky behaviors among employees. Cultivating a culture that encourages open communication regarding security errors is crucial, fostering a ‘Just Culture’ model where mistakes are treated as organizational issues rather than individual failings.

Lastly, vulnerability exploitation is expected to surge, especially concerning edge devices, as tools like AI enable swift vulnerability discovery and exploitation. Organizations must enhance their patch management programs and advocate for ‘security by design’ practices from their software providers, ensuring they are equipped to address the increasing array of cyber threats effectively.