A new webinar added to the ISC2 Knowledge Vault, Top Five Cybersecurity Predictions for 2025, suggests that artificial intelligence (AI) is giving company security teams and vendors the upper hand – for now (this could change). It also predicts that the first verifiable human casualty resulting from a cyber-attack will occur within the next three years. ISC2 is a global association for cybersecurity professionals.
In reviewing 2024 figures, Steve Piper, founder and CEO of research and consulting firm CyberEdge Group, says successful ransomware attacks have declined from a high of around 86 per cent of companies targeted during the pandemic to 64 per cent of surveyed organizations being successfully compromised by ransomware in 2024. Sentiment among security personnel, too, has shifted: during the pandemic, 75 per cent felt a successful attack was more likely than not; this is also down, to 67 per cent in 2024. “More than 80 per cent of organizations were successfully attacked and more than 60 per cent of organizations were victimized. We’re trending in the right direction, but it’s still bad,” he says.
Security budgets are rising among 89 per cent of the organizations surveyed, reporting an average yearly increase of 5.7 per cent. (Piper’s data is based on a survey of 1,200 security professionals from 17 countries, across 19 industries.)
As for whether or not companies got their data back after paying a ransom (ransom payments themselves have dropped, thanks to a number of legislative efforts around the world which prohibit their payment), he says this actually happened only 57 per cent of the time, down from 73 per cent of ransom payers who got their data back in previous years. “It’s almost like flipping a coin to see if you’re going to get your data back,” Piper points out.
Low security awareness
Meanwhile, he says, what stands in the way of success against such attacks is low security awareness among employees and a shortage of IT security talent.
Piper’s top five predictions for 2025 include the following:
- Artificial intelligence (AI) will give IT security teams the upper hand – for now. (The webinar discusses sentiment among IT security professionals; 50 per cent said AI benefits security teams more than threat actors, again, for the time being.)
- Vendors and threat actors will experiment with autonomous AI agents. In 2024 the first autonomous self-learning AI agents were developed for security operations, while a University of Illinois team developed an autonomous AI agent using ChatGPT 4.0 to scan for and exploit known vulnerabilities.
- Fewer organizations will make ransomware payments. This is in part thanks to legislative mandates around the world and also thanks to some cyber insurance providers which are starting to refuse ransomware payments as part of their policies.
- Passwordless authentication will become the new normal in 2025. Although 14 per cent of companies said they had no plans along these lines, Piper points out that there is a wide range of vendors and options to examine. Although there is no universal solution appropriate for every case, he urges those without passwordless plans to reconsider.
- Within the next three years, Piper predicts there will be the first undisputed human casualty caused by cyber-attack.
“We’ve already had one death where if the cyber-attack didn’t occur, that person would still be alive. And we’ve had some close calls,” he says, discussing attacks on hospital medical systems around the world. “It’s not just ransomware, there could be attacks on power grids. We’ve had lots of reports,” he adds. “There’s just so many potential avenues where cyber-attacks could result in human death. My prediction, unfortunately, is I think we’re going to see our first undisputed human casualty within the next three years.”
Looking at his “honourable mentions,” those which don’t make the top five in 2025 but which still bear watching, Piper goes on to discuss quantum computing by companies and threat actors (currently the costs and the dearth of operating skills are a barrier for both, but it should be on the radar, he says). He also looks at managed detection and response services, saying these could be a solution for companies short on talent for threat hunting.
More boards are expected to include cybersecurity specialists in the future, and deepfakes are also expected to be included more often in cybersecurity training for employees.
No silver bullet
Piper wraps up by suggesting companies use advanced cybersecurity training as a recruitment and retention tool. “There is no silver bullet, security tool doing world-class security awareness training,” he says. “We need to invest in our human firewalls because it makes a very big difference and deepfakes are only going to make the problem worse.”
Among his concluding remarks, Piper says organizations and the security industry need to do better in the realm of employee training. “Roughly half of organizations are not doing any security awareness training during onboarding. That has to stop,” he says. “Scare the hell out of your new hires. Security is everyone’s responsibility.”