As technology continues to evolve, so too does the threat landscape in the cybersecurity sector. In recent years, we’ve witnessed an increasing variety of attacks targeting organizations, individuals, and infrastructure. While the overall number of cybersecurity incidents in 2024 remained comparable to the previous year’s record-breaking levels, the number of individuals affected surged dramatically, reaching 1.3 billion victim notifications, a staggering 211% increase.
When building cyber resilience, organizations must consider a range of factors: business processes, operational scale, level of digitalization, and the degree of decentralization, among others. However, no matter the size or sector, every CISO should keep a close eye on the following concerns.
1. AI-Assisted Cybercrime
In 2024, the UK engineering firm Arup reportedly lost $25 million in a single AI-powered scam, highlighting how cybercriminals are weaponizing the same technology behind viral deepfake videos like the Tom Cruise impersonations on TikTok. These tools can convincingly mimic voices and faces, making scams far more difficult to detect.
According to a Deloitte survey, 51.6% of companies reported an increase in deepfake-related attacks, including extortion attempts. Moreover, 25.9% of executives said their organizations experienced at least one deepfake incident in the past 12 months. As generative AI becomes more accessible and sophisticated, attackers are increasingly using it to impersonate executives, manipulate employees, and automate fraud at scale.
Arup’s Chief Information Officer, Rob Greig, underscored the shift in tactics, stating:
“What happened at Arup – I would call it technology-enhanced social engineering. It wasn’t even a cyberattack in the purest sense. None of our systems were compromised and there was no data affected.”
This highlights a key concern: attacks are evolving beyond traditional hacking. Instead of breaching networks, attackers are manipulating people using AI-generated personas and scenarios, effectively bypassing even the strongest technical defenses.
As generative AI becomes more accessible and sophisticated, it enables scalable, believable impersonation, posing serious risks to organizations globally. CISOs must counter this by prioritizing employee training, implementing verification protocols for high-risk communications, and adopting a zero-trust mindset across all internal processes.
2. People Remain the Weakest Link
Despite advances in security tools and technologies, human error remains one of the primary factors in breaches. The recent attack on Australian airline Qantas, which exposed data from over a million customers, is suspected to be linked to the hacker group known as Scattered Spider (also identified as UNC3944). This group specializes in social engineering tactics that are disturbingly effective.
Their methods include impersonating employees to trick IT help desks into resetting passwords or granting unauthorized access. Such attacks don’t rely on technical exploits; instead they exploit trust, habits, and a lack of awareness. The group has been associated with attacks on UK retailers such as Marks & Spencer (M&S), Co-op, and Harrods, and has also reportedly targeted airlines and insurance firms.
This underscores the ongoing need for robust security awareness programs, clear protocols, and tighter identity verification for internal processes. CISOs should ensure that staff at all levels, especially customer service and IT support, receive continuous training on recognizing manipulation tactics and responding appropriately.
3. Rising Interdependencies in Supply Chains
According to the World Economic Forum, 54% of large organizations cite supply chain complexity as their biggest obstacle to achieving cyber resilience. In our hyperconnected economy, third-party risks are multiplying. The more vendors, platforms, and external partners an organization relies on, the wider its potential attack surface.
What’s more, ensuring third-party compliance with internal security standards remains a significant challenge. Many organizations lack visibility into their suppliers’ security postures, particularly in less regulated industries. While some sectors (like finance or healthcare) are making progress on third-party oversight due to regulatory pressure, others remain vulnerable, creating weak links in the broader ecosystem.
CISOs must treat third-party risk management as a strategic priority. This includes conducting regular audits, integrating cybersecurity clauses into vendor contracts, and investing in tools that provide continuous monitoring of supplier risk.
How Can You Prepare?
As highlighted in the World Economic Forum’s 2025 Global Cybersecurity Outlook, ransomware continues to top the list of cyber threats to organizations. Close behind are cyber-enabled fraud and supply chain disruptions. Identity theft is also on the rise, now ranking as both a personal and organizational cyber risk.
Facing a rapidly evolving threat landscape, CISOs must move beyond reactive security and adopt a proactive, strategic approach. Here are several key steps organizations can take to prepare for the challenges ahead:
1. Invest in Continuous Security Awareness Training
With social engineering attacks on the rise, especially those involving deepfakes and impersonation, regular staff training is no longer optional. Educate employees at all levels on how to identify suspicious behaviour, verify unusual requests, and escalate incidents. Tailor training to specific roles, especially those in IT support, finance, and executive assistance.
2. Strengthen Identity and Access Controls
Implement multi-factor authentication (MFA) across all critical systems, enforce least-privilege access, and regularly audit user permissions. Behavioural biometrics, step-up authentication, and AI-driven access controls can also help mitigate identity-based threats.
3. Assess and Monitor Third-Party Risks
Establish a formal third-party risk management framework. Require suppliers and partners to meet minimum security standards and conduct ongoing monitoring rather than one-time assessments. Supply chain visibility tools and shared risk registries can improve oversight and accountability.
4. Test Your Response Plans
A robust incident response plan is crucial, but it’s only as good as your team’s ability to execute it. Conduct regular tabletop exercises and red team simulations to identify gaps, clarify roles, and ensure coordination under pressure. Involve key business units beyond IT, including legal, communications, and executive leadership.
5. Build a Culture of Cyber Resilience
Cybersecurity is not just an IT concern; it is a business imperative. Promote security as a shared responsibility, integrate risk discussions into strategic planning, and empower all departments to contribute to resilience efforts. Board-level engagement and cross-functional collaboration will be essential in 2025 and beyond.
These interconnected challenges highlight the need for a multi-layered, proactive security posture. As the lines blur between digital, human, and organizational vulnerabilities, CISOs must think beyond firewalls and anti-virus software. Success in 2025 will depend on strategic planning, cross-functional collaboration, and the ability to adapt to rapidly evolving threats. AI-generated deception, social engineering attacks, and interconnected supply chains demand a holistic approach to cybersecurity.
While no defence is perfect, awareness, preparedness, and continuous adaptation will be key to staying ahead of threat actors. By staying vigilant and addressing these three critical concerns, organizations can build the resilience needed to withstand what’s coming next.
About Us: Human Risks
Human Risks is a leading end-to-end security risk management platform built to enable teams to make faster, smarter decisions – including around complex issues such as economic uncertainty. Designed with the modern security team in mind, Human Risks integrates eight core modules, integrations with leading intel providers and tailored industry solutions to streamline workflows across both local and global asset footprints.
Interested in learning more? Connect with the team to see how organisations are already using Human Risks to improve the way they manage security and drive robust organisational resilience.