Major cyber security risks and trends in 2025

Author: ICAEW Insights

Published: 07 Oct 2024

Cyber Security Awareness Month: Organisations need to address risks through processes, protocols and procedures and not just buy that latest shiny technology.

In recent years, cyber attacks have been consistently lucrative for criminals. This is primarily because efforts by businesses and authorities to counter these threats haven’t been effective.

James Bore, cyber-security expert and Managing Director of Bores Ltd, says: “We’ve not made a significant difference to the current criminal threats, so there’s no reason for criminals to change their tactics. We’ll be looking at more instances of ransomware and of it becoming more sophisticated. Criminals will just continue developing and deploying these threats because they keep on making money.” 

Ransomware as a service – a commercial offering available to criminals – is a growing phenomenon. Cyber fraud also remains a huge threat, ranging from invoice fraud, where someone sells something they don’t have, to CEO fraud, where someone pretends to be the CEO either via email or deepfake audio or video calls.

“Those are the most common ones. They’re not going to go away and there’s unlikely to be anything really transformative because if you look at the criminal side as a marketplace, they’ve got a very solid market. There’s no reason for them to change tactics,” says Bore, who is author of cyber-security anthology The Cyber Circuit.

Four-fifths of reported fraud is cyber-enabled, according to the National Fraud Intelligence Bureau. With only about 1% of police funding going into countering fraud, it’s clear why businesses need to take steps to protect themselves.

“We’ve got some protections in place, but frankly companies don’t invest as much effort into security. It’s not about the money. Companies tend to buy products rather than actually looking at their processes, procedures and training. Organisations are very heavy on security technology, but the technology doesn’t help protect them against certain threats because criminals just adapt to the technology,” Bore says.

As seen in high-profile attacks such as the recent Harvey Nichols breach, once criminals get into a system, they often take customer data and use that for further cyber attacks. So the impact of these attacks can be wider than the immediate damage caused.

People are still your weakest link

It’s not so much about shiny new cyber technology to counter threats, but rather about better staff training and better authentication. “It’s about the very basics of cyber security and information security, which get overlooked. It’s about the baseline security hygiene,” Bore says.

Organisations and individuals need to consider not just their security technology, but the physical vulnerabilities, too. Penetration testing, where experts assess the physical security of buildings and staff, is an area that companies need to think about on an equal footing with their technology.

“People will click on the hyperlinks that allow malware in or let unknown people in the front door. It’s widely accepted now that as part of a security regime you need to understand how your network is vulnerable to physical threats,” says Rick Mounfield, Director of Optimal Risk.

Organisations need to assess and monitor the vulnerabilities in their security officers, reception desk, delivery bay and office floors, too.

“People will break into buildings by social engineering to steal equipment. Corporate espionage and hostile state actors will use all means to break into your business premises because it’s easier to plug something in or access server rooms inside buildings that are not aware of that physical risk, although they might be very aware of cyber risk. The converged approach to security is tying together the same vulnerabilities,” Mounfield says.

Insider threat is another consideration; people might obtain employment with the sole aim of stealing your intellectual property. Generally, these kinds of insiders tend to have vulnerabilities, such as gambling addictions and other financial debts, that a third party can exploit through manipulation or blackmail to coerce them into committing crimes on its behalf.

Create a security culture

Company chiefs need to take security culture as seriously as health and safety. They must have a clear and accessible policy on security culture that is regularly reviewed, monitored and updated as well as offering staff continuous training.

“If a CEO were to sign off the security policy, not just for the digital assets, but for behaviours of access, control and challenging people in the workplace, then you’re going to deter criminals because criminals risk assess the likelihood of being caught, too,” Mounfield says.

Creating a work environment where everybody feels empowered or obligated to challenge unusual activity is vital for tighter security.

Managers should also avoid a culture of punishing staff for accidental breaches. If an employee accidentally clicks on a hyperlink and they worry they might be punished, they’re less likely to report it. Encourage immediate reporting without any kind of shame attached to it. 

Thanks to AI tools, phishing emails are now so sophisticated that they contain few spelling mistakes, unlike in the past. The sooner security staff know about such incidents, the quicker they can deal with them.

“Organisations need to sit down and take a good hard look at what they're doing and what they understand about security,” Bore says. “One of the problems is that there is a lot of bad advice out there which focuses on these sophisticated, advanced threats, which are not where the problem lies.”
