SecurityScorecard 2025 Cyber Predictions
December 2024 by SecurityScorecard
All the 2025 cybersecurity predictions from SecurityScorecard, the cyber risk and monitoring platform, which discuss cyber regulation, AI, breaches, defence and critical infrastructure.
Dr. Aleksandr Yampolskiy, Co-Founder and CEO of SecurityScorecard
Regulatory pressures will intensify, with potential software bans on the horizon.
Governments worldwide will create strict security regulations in 2025, requiring both organizations and their suppliers to follow enhanced safety standards. Some software, including open-source programs with known security flaws, may face outright bans. These regulations will make organizations responsible for thoroughly evaluating their software selections and supplier partnerships as governments take steps to protect critical infrastructure and reduce system vulnerabilities.
Nation-state espionage will lurk beneath the surface of U.S. infrastructure.
In 2025, the Trump administration’s national security priorities will lead to direct action against Chinese cyber operations. China will target more U.S. infrastructure systems through hidden network access points, particularly in compromised routers. Rather than launching immediate attacks, these concealed entry points serve as strategic assets for potential future conflicts. This approach of establishing quiet network access, combined with rising international tensions, will underscore the urgent need for vigilant monitoring of infrastructure vulnerabilities — vulnerabilities that could be activated when tensions reach their breaking point.
Third-party breaches will reach critical mass, threatening entire supply chains.
As attackers zero in on the weakest links in supply chains, third-party breaches are set to shatter previous records. Vulnerable, smaller partners — often less equipped to fend off sophisticated attacks — are becoming backdoors to infiltrate larger organizations. This trend will force companies to rethink their risk management strategies entirely.
In 2025, annual security reviews alone will no longer suffice as organizations adopt continuous monitoring of their supplier networks. This real-time approach to risk detection will become essential. Companies that rely on traditional security methods face two major threats: costly business disruptions and lasting reputation damage. As attacks spread through interconnected systems, even a single gap in supplier security could expose entire business networks.
Steve Cobb, CISO
Mounting pressure on CISOs will turn the position into a revolving door
In 2025, the pressure on security leaders will intensify as companies continue to hold CISOs personally liable for breaches, using them as convenient scapegoats to deflect blame from organizational failings. These high stakes will lead to a sharp decline in interest from seasoned security professionals.
But here’s the catch: as breaches become more frequent and public scrutiny heightens, CISOs are often hindered by organizational structures that limit their direct access to the C-suite and boards. This lack of support and communication undermines their ability to drive meaningful change. Companies that fail to adapt by empowering their CISOs with greater authority and resources will find themselves scrambling to replace key leaders and more vulnerable to critical cyber threats.
AI-driven recruitment scams will move from LinkedIn to Zoom as threat actors get bolder
In 2024, AI impersonation on LinkedIn took a startling turn, with threat actors posing as recruiters to target developers and engineering talent. These attackers used AI-generated personas to reach out under the guise of recruiting tests, tricking victims into downloading malicious files. What was once an email scam is now a fully immersive recruitment scam, underscoring the accelerated pace at which threat actors are maturing their use of AI.
AI-generated social engineering attacks will evolve far beyond LinkedIn scams in 2025. As threat actors leverage more sophisticated AI, expect to see realistic AI-generated Zoom meetings used to deceive and exploit targets. These immersive attacks will bypass traditional security controls, creating a new wave of trust-based breaches. Companies relying on outdated defenses will be caught off guard as AI moves into more interactive environments, fostering deception on an unprecedented scale.
Jeff Le, VP of Global Government Affairs and Public Policy
With a new administration, relentless cyber threats from nation-states will test U.S. defenses
The next U.S. presidential administration will face a surge in cyber aggression, with China, Iran, Russia and North Korea expected to ramp up their attacks. China may escalate operations against U.S. critical infrastructure as Taiwan tensions rise. Russia, exploiting Western divisions, is likely to deploy disinformation and DDoS assaults to destabilize NATO-aligned regions. North Korea, relying on cybercrime, will continue using ransomware and crypto theft to sustain its regime.
With adversaries embracing AI-driven disinformation and sophisticated tactics, U.S. defenses must adapt swiftly. A pivot toward offensive cyber tactics and reduced international cooperation may strain intelligence-sharing networks when they’re needed most. The administration will need to balance aggressive deterrence with strong public-private partnerships to protect critical assets, maintain stability, and preserve the country’s current research and economic advantage.
State-Level AI legislation will ignite a new wave of AI legislation and test American AI leadership
California and Texas are poised to lead a transformative era of AI regulation, setting the pace for other states with legislation addressing urgent challenges like ransomware, LLM safety and oversight, and ethical AI use. However, state-specific rules may create friction with federal policies and complicate compliance for businesses operating across state lines, increasing costs, compliance burdens, and operational hurdles as businesses navigate a patchwork of state legislation.
The lessons of past state privacy legislation and federal inaction may be a comparable experience. As the patchwork of state laws grows, pressure on the federal government to act will intensify. A unified approach will be critical to minimize economic impacts and ensure innovation is not stifled. An outstanding question is whether the new Republican-controlled Congress can prioritize with the Trump Administration on rules of the road in a manner that can keep the United States ahead of its AI race with the Government of China. Concerns over Chinese AI advancements may create bipartisan cooperation, and establish potentially unlikely alliances, but the question is how quickly Congress can legislate when it is likely that the Trump Administration will revoke the current Biden White House AI Executive Order, which has worked in parallel with the Senate’s AI process, led by Senator Schumer (D-NY) and Senator Rounds (R-SD). While these federal regulations could create compliance challenges, they may also offer new opportunities by fostering a safer, more ethical AI landscape if it can satisfy fears of losing pace with Chinese innovation.
Governments will steer towards a new era of global regulatory harmonization
The year 2025 will mark a turning point in global governance as nations grapple with the complexities of regulating cyberspace. The sheer volume of disparate cybersecurity and data privacy laws has created a compliance nightmare for businesses operating across borders.
The urgency for harmonization has reached a tipping point. In response to these mounting challenges, there will be a growing push for greater regulatory harmonization in 2025. Governments, international organizations, and industry bodies will unite to create consistent standards and frameworks that can be adopted globally, particularly among the United States, Canada, Australia, the United Kingdom, and throughout many Asian nations. It remains to be seen whether there can be closer coordination and regulatory reconciliation with the European Union. While progress may be slow due to political and economic factors, streamlining regulatory requirements will be essential for businesses to operate effectively and mitigate risks.