While 2024 hinted at growing digital fragility, 2025 removed any remaining doubt. Cyber-security moved decisively from a technical concern to a core business risk, capable of disrupting revenue, operations and trust at speed. Ransomware attacks became more damaging, supply-chain exposures deepened and artificial intelligence reshaped how both attackers and defenders operate.
Rather than being defined by a single catastrophic event, the year was marked by a constant flow of incidents. Each breach reinforced the same message: modern organisations are deeply interconnected, and that interdependence has become a source of systemic vulnerability.
Ransomware remained the most visible and financially damaging threat throughout 2025. Even as more organisations improved resilience and refused to pay ransoms, attackers adapted quickly.
Double- and triple-extortion tactics became routine, with criminal groups threatening to leak sensitive data, disrupt customers or target suppliers and partners. Industry reporting indicates that ransomware featured in close to half of all major breaches during the year, continuing a steady upward trend.
High-profile incidents pushed ransomware firmly into everyday boardroom discussions. In the UK, Marks & Spencer suffered an attack that disrupted digital services and internal systems, underlining how cyber-incidents can directly affect revenue and brand reputation.
In the US, the University of Phoenix disclosed a breach affecting millions of individuals after attackers exploited a zero-day vulnerability in Oracle software. The incident highlighted a broader shift towards more technically sophisticated intrusion methods, rather than reliance on basic phishing alone.
Ransomware was only part of the picture. 2025 also exposed how tightly cyber-risk is bound to modern supply chains. As organisations relied more heavily on software-as-a-service platforms, managed service providers and complex third-party ecosystems, attackers increasingly targeted those dependencies. In several cases, compromising a single vendor provided access to dozens, or even hundreds, of downstream organisations.
Cyber-security risks also became more closely entwined with global politics. Sustained campaigns against Taiwan’s infrastructure drew attention to the role of cyber-operations in geopolitical competition. Healthcare systems, financial services and government platforms were among the targets, raising concerns that civilian infrastructure is now firmly within scope during periods of international tension.
At the same time, data breaches continued to rise across all sectors. Healthcare and education were particularly exposed, often due to ageing systems and chronic underinvestment in security. Millions of records were confirmed compromised over the course of the year, while many more incidents are likely to have gone undetected or unreported, creating long-term risks for organisations and individuals alike.
The lesson from 2025 is not simply that cyber-attacks are becoming more frequent or more sophisticated, but that cyber-security can no longer be treated as a standalone technology issue. Boards are being forced to confront cyber-risk in the same way they assess financial exposure, regulatory compliance and operational resilience.
That means clearer accountability, better visibility of third-party risk and a stronger focus on how cyber-incidents translate into real-world business impact. As organisations enter 2026, the question for leadership is no longer whether a serious cyber-incident will occur, but how prepared the business is to absorb disruption, respond decisively and maintain trust when it does.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.