teissTalk: The emerging 2025 threat landscape

On 5 December 2024, Teiss Talk host Thom Langford was joined by Richard Absalom, Principal Research Analyst, Information Security Forum (ISF); Michael Covington, Vice President, Portfolio Strategy, Jamf; and Tom O’Driscoll, Head of Security Strategy and Intelligence, National Highways.

Views on news 

Richard Horne, the head of GCHQ’s National Cyber Security Centre, will cite a trebling of “severe” incidents amid Russian “aggression and recklessness” and China’s “highly sophisticated” digital operations. One expert described the comments as a “klaxon” call to companies and public sector organisations to wake up to the scale of the cyber-threat facing the UK. There seems to be a shift as state actors are increasingly hitting business and individuals too. Also, because of the close interconnectedness of businesses, it’s no longer only large companies that fall victim to attacks, which may have no security processes in place at all.

Another concern is the rapid growth of the attack surface thanks to IoT and the proliferation of end points. As national infrastructure is now often run by private companies, they are in charge of protecting critical infrastructure too. However, some state actors may only be after money and not interested in warfare. In addition to highly complex supply chains, software supply chains involving patching and updates compound the cyber risk situation further. 

How is discourse about cyber security expected to change?

Rather than making cyber security a taboo topic, we should pull everyone into the conversation to create a security culture. Cyber security should be embraced at the top too and be incorporated into the company’s strategy. Cyber incidents, if they happen, can give momentum to implementing new controls and changing the culture. Security professionals must know their place in the pecking order and shout about security when it really matters for the business.

They should also search different business functions to find opportunities to work collaboratively on improvements. 2024 can be regarded as the year of mercenary spyware and its impact on mobiles, a trend that raised the awareness of mobile’s vulnerabilities. A completely new angle is also emerging with the rise of deep fakes and fake employees. 

In 2024, many companies have set up review boards to control the permission to deploy any new AI tools, which may create bottlenecks in the adoption of AI. This policy may even lead to withholding security patches just because there is an AI feature involved. AI can further enable attackers in 2025 to up their game by offering them the capability to scale up quickly and at little extra cost. With IT becoming one of the most polluting industries, another emerging threat for the next few years may be green hacktivism. 

The panel’s advice

• There are excellent frameworks, but the real challenge is implementing them.  
• Cyber should become an integral part of operational excellence, which is a top board priority.  
• Businesses must find the sweet spot between AI avoidance and rapid adoption.
• Make your people stop and think a bit before they click on or respond to anything.
• Never see the cyber security problem as insurmountable. Start with implementing the basics.