Next year is upon us, and we want to face it well prepared. Last month, a group of our Fortra experts met to discuss the trends and forces that would come to bear in 2025, and four salient topics rose to the surface:
Every year the threat landscape is formidable, but this year’s technological and cybercriminal developments make it especially noteworthy as organizations plan their next twelve months. Global supply chains continue to grow, making small security details even harder to track. Service providers continue to face immense competition from — well, each other, making strong security an increasingly competitive advantage. Threat actors finally know what to (really) do with all that personal data floating around, and AI just finds a way to make it all more complex.
Needless to say, all industries are in for an eventful 2025 unless they study the trends on the horizon and plan their defensive maneuvers now.
Prediction #1: Targeting Vulnerabilities in Information Supply Chains
Supply chains are the universal railroads by which goods and services, technology, and code can reach all over the world. However, just like in old Westerns, sometimes bad guys jump on the train and steal the goods en route — or poison them. Today’s supply chain-targeting threat actors are no different. But now, we’re seeing more and more attackers go after software and small companies in order to get to the “big game” upstream.
Speaking of software, John Wilson, Senior Fellow of Fortra Threat Research, notes,
“As we look to the future, I see scenarios where little bits of software that are used by thousands of companies will intentionally be hacked and have bad code inserted...That way, cybercriminals can have the equivalent of a back door in a thousand different products just by updating one little Python library that these folks are using.”
He notes that not just small bits of code, but small companies, are increasingly going to feel the heat of these supply chain attacks.
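The scenario Wilson describes, a trusted library quietly replaced by a tampered update, is exactly what hash-pinned dependency installs are meant to catch. The following is an added example (not code from Fortra or from the article) that implements the core of that check in Python: it parses a pip-style lockfile whose entries carry `--hash=sha256:` pins, computes the digest of each downloaded artifact, and refuses anything that does not match or is not in the lockfile. The package names, file contents and lockfile are constructed for the demonstration; in practice `pip install --require-hashes -r requirements.txt` performs this verification itself.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# pip's requirement-pin and --hash syntax (real format; values below are constructed).
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")


def parse_lockfile(text):
    """Return {name: {"version": v, "hashes": {(algo, digest), ...}}}.

    Joins pip's backslash line continuations and rejects any requirement
    that is not pinned to an exact version with at least one --hash.
    """
    logical_lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical_lines.append(buf + line)
        buf = ""
    if buf:
        logical_lines.append(buf)

    pins = {}
    for line in logical_lines:
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        hashes = {(h.group("algo"), h.group("digest")) for h in HASH_RE.finditer(line)}
        if not hashes:
            raise ValueError(f"requirement without --hash: {m.group('name')}")
        pins[m.group("name").lower()] = {"version": m.group("version"), "hashes": hashes}
    return pins


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(pins, artifacts):
    """Compare downloaded artifacts ({name: path}) against the lockfile.

    Returns a list of (name, status) tuples. Anything not 'ok' should block
    the install: a changed hash means the artifact is not the one reviewed
    when the lockfile was written, whatever the reason.
    """
    findings = []
    for name, pin in pins.items():
        path = artifacts.get(name)
        if path is None:
            findings.append((name, "missing artifact"))
            continue
        if ("sha256", sha256_of(path)) in pin["hashes"]:
            findings.append((name, "ok"))
        else:
            findings.append((name, "HASH MISMATCH: refuse to install"))
    for name in artifacts:
        if name not in pins:
            findings.append((name, "not in lockfile: refuse to install"))
    return findings


def demo():
    """Constructed scenario: one artifact matches its pin, one was altered after pinning."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "tinylib-1.0.0-py3-none-any.whl"
        good.write_bytes(b"constructed wheel contents v1.0.0")
        tampered = Path(tmp) / "helperlib-2.1.0-py3-none-any.whl"
        tampered.write_bytes(b"constructed wheel contents with an unexpected change")
        # The lockfile pins helperlib to the digest of the contents that were reviewed,
        # which differ from what was actually downloaded.
        reviewed_helperlib = hashlib.sha256(b"constructed wheel contents v2.1.0").hexdigest()
        lock = (
            f"tinylib==1.0.0 \\\n    --hash=sha256:{sha256_of(good)}\n"
            f"helperlib==2.1.0 \\\n    --hash=sha256:{reviewed_helperlib}\n"
        )
        return verify_artifacts(parse_lockfile(lock), {"tinylib": str(good), "helperlib": str(tampered)})


if __name__ == "__main__":
    for name, status in demo():
        print(f"{name}: {status}")
```

The point of the check is that the lockfile, not the package index, is the source of truth: an upstream update that changes a file's bytes fails the install until someone reviews it and re-pins.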
This brings up the issue of customers asking for software bills of materials (SBOMs), which, as Bob Erdman, Associate VP of Fortra’s Research and Development, points out, is now happening earlier in the engagement. Says Theo Zafirakos, Cyber Risk and Information Security Expert at Fortra, “Organizations are starting to ask supply-chain questions early on in the process now, not after they engage [with a vendor]. They want to understand what’s being done, especially with open-source code and software, and making sure it’s resilient and that the service provider is mitigating attacks. They’re asking those questions, what is the business impact if your system gets compromised or if the data gets compromised?”
As supply chain attacks continue to make the news, this trend of more cyber-educated (and concerned) customers will likely continue — especially where shared-risk partnerships are involved.
Prediction #2: Increased Security Scrutiny on Service Providers
This trend was alluded to in the previous section, with customers taking intense interest in the supply-chain security of their future partners, but that is only the beginning.
The market is saturated with service providers, making it a buyer’s market for digital customers of all sizes. The days of having point-in-time vendor security assessments are soon going to be a thing of the past as companies start to look towards continuous assessment.
John Wilson explains the problem with perfunctory vendor security validations: “This cannot be a simple checkbox item that you do once a year. That’s because they can be absolutely, perfectly clean when they fill out the form and then three weeks later somebody makes a slight update, and suddenly one of the things they said on your SIG [Standard Information Gathering] is no longer true.” Instead, Wilson suggests moving to continuous assessment when asking questions like:
Does your company do phishing simulation training?
If you’re going to be our vendor, we require that you do this.
Do you do DAC (Discretionary Access Control)?
Do you do SPF? DKIM? Things of that nature?
Keep in mind that while the answer might be yes today, that could change on a dime. Point-in-time questionnaires are out; continuous forms of security monitoring need to be on their way in.
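Some of the questionnaire answers above, SPF, DKIM and DMARC in particular, are publicly observable, so they can be re-checked on a schedule rather than trusted from a once-a-year form. The following is an added example (not code from Fortra or from the article) of such a drift check in Python: it takes a vendor's questionnaire claims and the TXT records currently published for its domain, and reports every claim the DNS no longer supports. The domain, records and claims are constructed; a live version would replace the `DNS_TXT` dictionary with lookups via dnspython's `dns.resolver.resolve(name, "TXT")` and run from a scheduler.

```python
import re

# Constructed DNS TXT answers for a hypothetical vendor domain (example data, not real records).
DNS_TXT = {
    "vendor.example": [
        "v=spf1 include:_spf.mailhost.example ~all",
        "site-verification=constructed-token",
    ],
    "_dmarc.vendor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@vendor.example"],
    "mail._domainkey.vendor.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...constructed..."],
}

# What the vendor claimed on the questionnaire (constructed).
QUESTIONNAIRE = {
    "spf": True,
    "spf_hard_fail": True,        # "our SPF record ends in -all"
    "dkim_selectors": ["mail"],   # selectors they said they sign with
    "dmarc_policy": "reject",
}


def spf_record(txt_records):
    """Return the domain's single SPF record, or None.

    Zero records means no SPF; more than one is a permanent error for
    receivers, so both cases count as 'not published'.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_policy(record):
    """Return the qualifier on the 'all' mechanism: '-', '~', '?', or '+'; None if absent."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not m:
        return None
    return m.group(1) or "+"


def dmarc_policy(txt_records):
    """Return the published DMARC p= policy (lower-cased), or None."""
    for r in txt_records:
        if r.upper().startswith("V=DMARC1"):
            m = re.search(r"\bp=(\w+)", r)
            return m.group(1).lower() if m else None
    return None


def assess(domain, dns, claims):
    """Compare questionnaire claims with what is currently published; return a list of findings."""
    findings = []

    spf = spf_record(dns.get(domain, []))
    if claims.get("spf") and spf is None:
        findings.append("SPF claimed but no single valid v=spf1 record is published")
    elif spf is not None and claims.get("spf_hard_fail") and spf_policy(spf) != "-":
        findings.append(f"SPF hard fail claimed but record ends with '{spf_policy(spf)}all'")

    for sel in claims.get("dkim_selectors", []):
        recs = dns.get(f"{sel}._domainkey.{domain}", [])
        if not any(r.lower().startswith("v=dkim1") for r in recs):
            findings.append(f"DKIM selector '{sel}' claimed but no v=DKIM1 record found")

    want = claims.get("dmarc_policy")
    got = dmarc_policy(dns.get(f"_dmarc.{domain}", []))
    if want and got != want:
        findings.append(f"DMARC p={want} claimed but published policy is p={got}")

    return findings


if __name__ == "__main__":
    for finding in assess("vendor.example", DNS_TXT, QUESTIONNAIRE):
        print("DRIFT:", finding)
```

On the constructed data the check reports two discrepancies: the SPF record soft-fails rather than hard-fails, and DMARC is at p=none rather than the claimed p=reject. Either is the kind of "slight update" Wilson describes that silently invalidates a questionnaire answer, and neither would surface until the next annual form without a recurring check.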
And as customers start to drill deep into the cybersecurity practices of the third parties they contract with, we might also start to see an increased focus on “practical security” rather than on-paper compliance. Chris Reffkin, Chief Security and Risk Officer at Fortra, elaborates when he says, “As I learned at a security conference I spoke at many years ago, compliance folks don’t like to hear that compliance doesn’t equal security. So, the challenge is to get your lawyers to understand, well here’s the risk, and here’s what we really need.” He explains, “I don’t care if they have the certification, but if they can meet these 10 essential requirements, that’s a lot easier to negotiate on than some nebulous compliance with industry-leading standards that you’re not sure can actually do it.”
As service providers face increased scrutiny, it would benefit them to prove a continuous cybersecurity stance and show what everyone in cybersecurity is looking for these days — that they have the skills to get the job done, regardless of certifications.
Prediction #3: The Evolving Impact of AI On the Current and Future Threat Landscape
The advancement of AI (and generative AI, more specifically) is turning every criminal into a smooth criminal — at least where phishing is concerned. One of the dead giveaways of phishing used to be the awkward, non-native phrasing that suggested the attacker was likely from a different country (and not “Linda from Microsoft”). However, GenAI is not only removing that tell but widening the scope, so attackers sound fluent in nearly any language.
Speaking to that point, John Wilson notes, “Well, there still are scammers out there who use kind of clumsy phrases, but in the last year or so we’ve seen fewer of those and a lot more where it comes across much more naturally.” He adds that the even bigger news is that “We’re not seeing it just in English. We’re seeing it in a huge variety of languages, and it’s not just simply copy-pasted into Google Translate where you take what you get out and send it.”
And if AI making the written word more convincing is bad, AI making voice and video more convincing is worse. With these alterations of reality, Theo Zafirakos says, “People are more susceptible to responding to an audio or a video compared to a text message or an email because human reaction tends to be 95% intuition and 5% analysis. So, these deepfakes are going to make us act much, much quicker than we have in the past.”
That’s a problem as deepfake tools are increasingly being leveraged to spread misinformation, undermine democratic processes, and defraud individuals. Adds Zafirakos, “This could also generate general skepticism about legitimate content, even if it’s real.” How can we stay safe?
The answer is to stay sharp and apply the same rules at home and out of the office as we do at work. It’s easy to get lax, but as more and more devices connect directly to a corporate network and more mobile apps act as inroads into an enterprise environment, staying savvy everywhere really is key. As Reffkin points out, “I’m sure a span of 10,000 spam messages goes out in a second and it only costs a nickel to send that. That’s all it takes, right? And when it’s something plausible for the general population, say an email from ‘Netflix’ or something, people will start forgetting what they learned at work and clicking on things at home.”
As AI makes phishing an even more commonplace trend, the fight in the coming year will be to not get so used to the ploys that we don’t see them anymore.
Prediction #4: Leveraging Widely Available Breach Data to Launch Blackmail-type Extortion Attacks
Speaking of playing on the human psyche, threat actors are stepping it up when it comes to bully-type tactics. No more luring us with honey — these cybercriminals are resorting to vinegar. On top of word-perfect English (and the ability to create convincing media in any language), threat actors are now leveraging our personal information against us in ways that seem very much like blackmail.
John Wilson shares his observations from the field, explaining that
“The big change that we saw in September was attackers saying something like, ‘It’d be a real shame if I showed up at your doorstep at XYZ Main Street, in such-and-such a town,’ and then including a Google Street View picture of the person’s house.” Where are they getting the information from? Wilson continues, “This is obviously just combining all that breach data, but making it far more personalized. I have to think that the response rate of those is probably much higher because the person now has that sort of feeling like, ‘Gee, they actually know who I am.’ Well, I see that going to the Nth degree and just getting far worse in the future.”
Once they trick the person into complying, the attacker will ask for something like the org chart of the company they work for, or sensitive information that the employee has access to. When sophisticated, enterprise-level cybersecurity solutions are too hard to breach, attackers pick off individuals and try to infiltrate that way.
Another way they can infiltrate doesn’t include old breach data, but new; this is data gleaned from hacking smart devices and connected IoT. Think about it: “Your fridge knows what you eat, and your oven knows when dinnertime is, and your TV knows when you’re watching and when you’re not. What happens if somebody remotes in and gets access to that data?” asks Wilson.
Attackers can then analyze our patterns of behavior and target our houses when we’re not home. Says Wilson, “It can get pretty crazy pretty fast.”
Conclusion
The ubiquity of information as we round out the end of this year is staggering and can be used for a myriad of purposes. The same could be said of evolving technologies and tactics. As we can expect that cybercriminals will use it to no good end, we as users, employees, and organizations need to ensure that we are constantly educating ourselves as to how these threat actors will attack next.
View the Full 2025 Cybersecurity Predictions Webinar