tl;dr Google Cloud Security Cybersecurity Forecast 2025

28. January 2025

For this year’s “Cybersecurity Forecast 2025” [1], Google Cloud Security gathered insights from its security leaders, alongside analysts, researchers, responders, reverse engineers, and other experts working on the front lines of major cyberattacks.

Here’s a quick tl;dr summary:

Artificial Intelligence (AI)

Unsurprisingly, Artificial Intelligence remains a top influence in cybersecurity. Attackers are leveraging AI, particularly large language models (LLMs) and deepfakes, to elevate phishing, social engineering, and identity theft to unprecedented levels. At the same time, they are experimenting with these technologies to identify vulnerabilities, develop code, and enhance reconnaissance efforts. As AI tools become increasingly accessible, organizations will find it even more challenging to defend against more frequent and sophisticated threats.

In information operations, AI is proving to be a powerful weapon. Generative models enable threat actors to produce large volumes of content, create fake personas, and build seemingly legitimate websites. These technologies amplify disinformation and obscure its origins, making detection more difficult.

On the defensive side, security practitioners are integrating AI into their processes to automate repetitive tasks, prioritize risks, and triage alerts more efficiently. Fully autonomous security systems remain a future goal; 2025 will instead mark the rise of semi-autonomous operations, in which AI takes over the routine work and human teams achieve much more with it.

The Big Four

Geopolitical tensions will continue to drive cyber activity around the globe, with Russia, China, Iran, and North Korea leveraging cyber capabilities to pursue strategic, political, and economic objectives.

Russia will likely prioritize cyber operations in 2025 tied to the Ukraine conflict, conducting cyber espionage, disruptive attacks, and information campaigns while continuing to target governments, politicians, and organizations in Europe and NATO. China is expected to drive high-volume attacks using advanced tactics to exploit vulnerabilities and target network edge devices. Iran’s cyber operations will likely center on the Israel-Hamas conflict, emphasizing espionage, disruptive attacks, and monitoring of dissidents. North Korea will continue espionage, supply chain compromises, and cryptocurrency theft for revenue generation, targeting South Korea, the U.S., and other countries.

Global Forecasts

Ransomware and multifaceted extortion continue to dominate as the most disruptive cybercrimes. Their high frequency and devastating impact mean the damage extends well beyond the initial victims, as the 2024 incidents affecting healthcare systems, patient care, and critical services showed. For more on the impact of ransomware in healthcare, check out our detailed blog post. With over 100 countries and all industries impacted in 2024, along with a doubling of data leak sites and new ransomware-as-a-service (RaaS) offerings, the ransomware threat landscape shows no signs of slowing down.

Infostealer malware is becoming more sophisticated and more impactful, and it now serves as a primary source of the stolen credentials behind high-impact intrusions. In 2024, these tools facilitated widespread breaches at major organizations, and the credentials they harvest are easily obtainable, even by low-skilled attackers. This trend is expected to persist into 2025, particularly in environments without two-factor authentication, leaving organizations exposed to significant data breaches.

As hybrid architectures combine on-premises and multi-cloud systems, the risk from compromised identities is escalating. Organizations must shift from traditional password-based, single-factor authentication to stronger, phishing-resistant multifactor authentication (MFA) and device verification. Shorter session durations, regular identity risk assessments, and continuous validation are critical to protecting sensitive resources.
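To show how the identity controls above play out against the infostealer scenario from the previous paragraph, here is an added example that is not part of the Forecast or of this summary. The two policy profiles, the session fields, the device fingerprints and the sample sessions are constructed assumptions; the rules illustrate the controls and are not any vendor’s implementation.

```python
"""Session and sign-in policy check: weak versus hardened identity settings.

Added illustration (not code from the Forecast or from Google). Policy fields,
session fields and the sample sessions below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Authenticators treated here as phishing-resistant (FIDO2/WebAuthn, incl. passkeys).
# Passwords, TOTP codes, SMS codes and push approvals can all be relayed through an
# adversary-in-the-middle phishing kit, so they do not count.
PHISHING_RESISTANT = {"fido2", "passkey"}


@dataclass(frozen=True)
class Policy:
    require_phishing_resistant_mfa: bool
    require_managed_device: bool
    bind_session_to_device: bool
    max_session_age: timedelta


# Assumed "before" and "after" settings for the same tenant.
WEAK = Policy(False, False, False, timedelta(days=30))
HARDENED = Policy(True, True, True, timedelta(hours=12))


@dataclass(frozen=True)
class Session:
    user: str
    auth_methods: frozenset      # factors used when the session was issued
    device_managed: bool
    issued_at: datetime
    issued_to_device: str        # device fingerprint recorded at issuance
    presented_from_device: str   # device fingerprint presenting the cookie now


def evaluate(session: Session, policy: Policy, now: datetime):
    """Return (allowed, reason); the first failing control decides."""
    if policy.require_phishing_resistant_mfa and not (session.auth_methods & PHISHING_RESISTANT):
        return False, "reauth: phishing-resistant MFA required"
    if policy.require_managed_device and not session.device_managed:
        return False, "deny: unmanaged device"
    if now - session.issued_at > policy.max_session_age:
        return False, "reauth: session older than policy maximum"
    if policy.bind_session_to_device and session.issued_to_device != session.presented_from_device:
        return False, "deny: session cookie presented from a different device"
    return True, "allow"


NOW = datetime(2025, 1, 28, 12, 0, tzinfo=timezone.utc)

# Constructed scenario: cookie issued three days ago after a password+TOTP login on a
# managed laptop, later stolen by an infostealer and replayed from another host.
STOLEN_COOKIE = Session(
    user="alice@example.com",
    auth_methods=frozenset({"password", "totp"}),
    device_managed=True,
    issued_at=NOW - timedelta(days=3),
    issued_to_device="laptop-7f3a",
    presented_from_device="attacker-vps-01",
)

# Constructed scenario: same theft, but the session came from a passkey login. Strong
# MFA alone does not help once the cookie is out; device binding and short lifetimes do.
STOLEN_PASSKEY_COOKIE = Session(
    user="alice@example.com",
    auth_methods=frozenset({"passkey"}),
    device_managed=True,
    issued_at=NOW - timedelta(hours=2),
    issued_to_device="laptop-7f3a",
    presented_from_device="attacker-vps-01",
)

# Constructed scenario: a fresh passkey login used from the same managed device.
FRESH_LOGIN = Session(
    user="alice@example.com",
    auth_methods=frozenset({"passkey"}),
    device_managed=True,
    issued_at=NOW - timedelta(hours=1),
    issued_to_device="laptop-7f3a",
    presented_from_device="laptop-7f3a",
)


def compare(session: Session, now: datetime = NOW):
    """Evaluate one session under both policy profiles."""
    return {"weak": evaluate(session, WEAK, now), "hardened": evaluate(session, HARDENED, now)}


if __name__ == "__main__":
    for label, s in (("stolen cookie", STOLEN_COOKIE),
                     ("stolen passkey cookie", STOLEN_PASSKEY_COOKIE),
                     ("fresh passkey login", FRESH_LOGIN)):
        print(label, compare(s))
```

Under the weak profile the stolen cookie is accepted for up to 30 days; under the hardened profile it is rejected at the first control, and even a cookie minted after a passkey login is refused because it is presented from a device other than the one it was issued to.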

In 2025, the proliferation of cyber capabilities will lower entry barriers for less-skilled and new threat actors. Advanced tools, phishing kits, and “as-a-service” offerings will enable them to execute more efficient and sophisticated attacks, such as web skimming and MFA bypass. The professionalism of these resources will expand the pool of cybercriminals, increasing the pressure on defenders.

Cloud-native security information and event management (SIEM) solutions will see widespread adoption due to their scalability and cost-effectiveness. SIEM will become the central hub of security operations, integrating cloud logs and endpoint data. Security orchestration, automation, and response (SOAR) will evolve to handle complex tasks like automated malware analysis, phishing takedowns, and proactive vulnerability patching. Purpose-built tools and strategies will better address cloud-specific risks, including IAM misconfigurations, serverless vulnerabilities, and container escapes, enhancing overall cloud security.
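As an added example (not from the Forecast or from Google) of the kind of IAM misconfiguration check such tooling runs: it reads a project policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints and flags public principals, basic roles and service-account impersonation rights. The sample policy, the role sets and the severity rules are constructed assumptions.

```python
"""Audit a GCP-style IAM policy document for common misconfigurations.

Added illustration, not code from the Forecast or from Google. The sample policy,
the role sets and the severity rules are constructed assumptions.
"""
import json
from typing import NamedTuple

# Constructed sample (not a real project), in the shape of `gcloud projects get-iam-policy`.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXsampleEtag=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci-runner@demo-proj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/editor", "members": ["group:devs@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:bob@example.com"]},
        {"role": "roles/logging.viewer", "members": ["group:sec@example.com"]},
    ],
})

# Basic roles bundle thousands of permissions; they are never least privilege.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Principals that make a resource reachable by anyone (or any Google account).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles that let the holder obtain credentials for service accounts (escalation paths).
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountUser",
}


class Finding(NamedTuple):
    severity: str
    role: str
    member: str
    reason: str


def audit_policy(policy_json: str):
    """Return findings for one policy document, highest severity first."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind = member.split(":", 1)[0]   # user / group / serviceAccount / domain / allUsers
            if member in PUBLIC_MEMBERS:
                findings.append(Finding("HIGH", role, member, "public principal"))
            if role in BASIC_ROLES and kind == "serviceAccount":
                # A non-human identity with owner/editor is the classic lateral-movement prize.
                findings.append(Finding("HIGH", role, member, "basic role on a service account"))
            elif role in BASIC_ROLES:
                findings.append(Finding("MEDIUM", role, member,
                                        "basic role; use a least-privilege predefined or custom role"))
            if role in IMPERSONATION_ROLES:
                findings.append(Finding("MEDIUM", role, member, "can mint service-account credentials"))
    order = {"HIGH": 0, "MEDIUM": 1}
    return sorted(findings, key=lambda f: (order[f.severity], f.role, f.member))


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f.severity:6} {f.role:45} {f.member:60} {f.reason}")
```

The same loop works over every project exported by an org-wide sweep; feeding its output into the SIEM as a periodic finding is what turns a one-off audit into continuous detection.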

As critical infrastructure increasingly relies on hyperscale cloud services, regulators will shift their focus directly to cloud providers rather than solely targeting their customers. In 2025, cloud providers will face more regulations and heightened expectations to ensure control and resilience.

As Web3 and cryptocurrency organizations continue to grow, attackers will increasingly exploit smart contract vulnerabilities and steal private keys to carry out heists. With over $12 billion in digital assets stolen since 2020, these organizations remain high-value targets. Democratic People’s Republic of Korea (DPRK) threat actors are expected to continue using social engineering and supply chain attacks to infiltrate systems.

Faster Exploitation and More Vendors Targeted: The time-to-exploit (TTE) for vulnerabilities is expected to remain rapid, with the average having dropped to just five days in 2023, down from 32 days in prior years. Both n-day and zero-day vulnerabilities remain lucrative for attackers, and faster exploitation timelines are becoming the norm. The number of vendors targeted has also grown significantly, reaching an all-time high of 56 in 2023, more than double the 25 recorded in 2018.

Organizations will begin transitioning to the post-quantum cryptography standards finalized by NIST in 2024 to counter potential quantum computing threats. While widespread quantum attacks are unlikely in 2025, businesses must assess their cryptographic usage, plan for quantum-resistant solutions, rotate encryption keys, and stay updated on quantum developments through threat intelligence.
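As an added example of the assessment step above, not from the Forecast or from NIST: a small inventory triage that classifies each asset’s key exchange, signature and symmetric strength and ranks what to migrate first. The asset records, the "+" notation for hybrid key exchange, the 3-year migration and 10-year horizon parameters, and the harvest-now-decrypt-later urgency rule (data shelf life plus migration time exceeding the horizon) are constructed assumptions used for illustration; the rule generalizes the page’s advice into a planning heuristic rather than restating it.

```python
"""Cryptographic inventory triage for post-quantum migration planning.

Added illustration, not code from the Forecast or from NIST. Asset records, the
horizon/migration parameters and the "urgent" rule are constructed assumptions.
"""
from dataclasses import dataclass

# Public-key algorithms broken by Shor's algorithm on a cryptographically relevant
# quantum computer (CRQC).
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDHE", "ECDSA", "EdDSA", "X25519", "Ed25519"}
# The NIST standards finalised in 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA).
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass(frozen=True)
class Asset:
    name: str
    key_exchange: str           # components joined by "+", e.g. "X25519+ML-KEM" (hybrid); "-" if none
    signature: str
    symmetric_bits: int
    data_shelf_life_years: int  # how long the protected data must remain confidential


def _components(spec: str):
    """Split an algorithm spec such as 'X25519+ML-KEM' into its parts; '-' means none."""
    return {c for c in spec.split("+") if c and c != "-"}


def classify(asset: Asset, migration_years: int, horizon_years: int):
    """Return a list of (area, algorithm, action) issues for one asset."""
    issues = []
    ke = _components(asset.key_exchange)
    # A hybrid exchange is acceptable as long as one component is post-quantum.
    if ke & QUANTUM_VULNERABLE and not ke & POST_QUANTUM:
        # Harvest-now-decrypt-later: traffic recorded today can be decrypted once a CRQC
        # exists, so the exchange is urgent when the data must outlive the assumed horizon
        # (assumed rule: shelf life + migration time > quantum horizon).
        urgent = asset.data_shelf_life_years + migration_years > horizon_years
        issues.append(("key_exchange", asset.key_exchange, "HNDL-urgent" if urgent else "plan"))
    sig = _components(asset.signature)
    if sig & QUANTUM_VULNERABLE and not sig & POST_QUANTUM:
        # Forgery needs a live CRQC; nothing recorded today becomes forgeable retroactively.
        issues.append(("signature", asset.signature, "plan"))
    if asset.symmetric_bits < 256:
        # Conservative rule assumed here: move symmetric keys to 256 bits to offset Grover's algorithm.
        issues.append(("symmetric", f"{asset.symmetric_bits}-bit", "upgrade-to-256"))
    return issues


def prioritize(assets, migration_years=3, horizon_years=10):
    """Rank assets: HNDL-urgent first, then anything that needs a plan, then clean ones."""
    def rank(item):
        name, issues = item
        if any(action == "HNDL-urgent" for _, _, action in issues):
            return (0, name)
        return (1 if issues else 2, name)
    return sorted(((a.name, classify(a, migration_years, horizon_years)) for a in assets), key=rank)


# Constructed inventory (not real systems).
INVENTORY = [
    Asset("vpn-gateway", "ECDHE", "RSA", 256, 10),
    Asset("public-web", "X25519+ML-KEM", "ECDSA", 128, 1),
    Asset("internal-api", "RSA", "RSA", 256, 2),
    Asset("firmware-signing", "-", "ML-DSA", 256, 15),
]

if __name__ == "__main__":
    for name, issues in prioritize(INVENTORY):
        print(name, issues or "clean")
```

The ranking puts the VPN gateway first: its traffic protects data that must stay confidential for ten years, so recordings made today are the harvest-now-decrypt-later risk, whereas the internal API with a two-year shelf life can follow a normal migration plan and the hybrid public web endpoint already has a post-quantum key exchange.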

EMEA Forecasts

The updated Network and Information Security Directive (NIS2) will fundamentally transform cybersecurity practices across EMEA in 2025. By introducing stricter requirements and expanding its scope to cover more sectors and organizations, it compels businesses to implement robust security measures, conduct risk assessments, and report incidents promptly.

Additionally, cloud security will remain a top priority for EMEA organizations as rapid cloud adoption accelerates. Key challenges in the region include misconfigurations, inadequate monitoring, credential reuse, and weak security practices in unmanaged cloud environments. To safeguard sensitive data and maintain customer trust, organizations must strengthen cloud security strategies, enforce stricter access controls, and enhance monitoring capabilities.

JAPAC Forecasts

The JAPAC region is expected to face an escalation in cyber threats in 2025, driven by diverse and evolving challenges. North Korean threat actors are increasingly targeting cryptocurrency exchanges, capitalizing on the region’s high adoption and growth rates of cryptocurrency.

In parallel, Chinese-controlled campaigns using fake “local news” outlets continue to disseminate pro-Beijing narratives. These networks of inauthentic websites and social media assets aim to influence global audiences, posing risks of unintentional amplification by legitimate media. Despite limited success in altering global perceptions, these campaigns are expected to persist, underscoring the need for vigilance.

Additionally, cybercriminals in Southeast Asia are innovating rapidly, incorporating technologies like generative AI, deepfakes, and advanced malware into their operations. They are also developing new underground markets and cryptocurrency-based money laundering solutions. Governments and enterprises must collaborate on intelligence-sharing to uncover these tactics and link them to illicit financial activities.

The tl;dr Series for IAM

The tl;dr series for IAM (too long; didn’t read) offers concise summaries of important and interesting articles related to Identity and Access Management. It aims to provide quick insights into key topics and trends. Feedback and recommendations for noteworthy articles are always welcome.

References

[1] Cybersecurity Forecast 2025, Google Cloud Security, 2025. https://cloud.google.com/security/resources/cybersecurity-forecast