From regulatory developments and the changing nature of hackers’ strategies to the evolving role of artificial intelligence (AI), the 2025 Financial Times Cyber Resilience Summit gave attendees much to consider in several important areas. These are the key cyber security trends that are setting the tone for next year.
AI is both a target and risk factor
One emerging tactic for hackers is to infect a target organisation’s AI models with malicious prompts or code, which could then ‘poison’ the system’s database and make it obey the hackers’ instructions. The National Cyber Security Centre (NCSC) has published an explainer on prompt injections.
Meanwhile, there is a risk that LinkedIn and similar professional portals could be used as blueprints for creating AI deepfake clones of senior corporate figures to deceive employees. However, that is unlikely to diminish the status of those resources as popular business tools.
Quantum computing is a looming threat
Lest AI hog the spotlight, a talk on emerging tech focused on quantum computers – revolutionary devices with immense, ultra-fast processing power.
Right now, the world is on the path towards ‘Q Day’: the point at which quantum computers will easily be able to overcome current encryption protocols. As such, large organisations with the resources to do so are preparing their systems for a ‘post-quantum’ environment with a deadline of 2035 – while countries such as Switzerland and the Netherlands are offering their citizens basic training on quantum computing.
The NCSC has published relevant guidance. In parallel, the National Institute of Standards and Technology (NIST) in the US has issued guidance on post-quantum cryptography.
Cyber insurance is essential
Having cyber insurance is important. The event also highlighted an unintended consequence of cyber coverage: that hackers will deliberately strike a covered organisation to trigger a payout that they can subsequently tap into. As such, attendees were advised not to share any details of their cyber insurance policies.
They also heard that cyber insurance products have matured, offering greater choice and compatibility.
New legislation may strengthen defences
In November, the Cyber Security and Resilience (Network and Information Systems) Bill was introduced in Parliament. It aims to strengthen cyber defences for key public services, such as healthcare, water, transport and energy.
A few months earlier, the government outlined plans to ban public sector bodies and operators of critical national infrastructure from paying cash demands if struck by ransomware.
Public and private sectors need to share knowledge
Public and private sector organisations are taking different approaches to cyber. While the government-backed Cyber Essentials certification is the main cyber requirement for public bodies, companies with multinational links are having to adopt a whole range of jurisdictional protocols to underpin their security.
Encouragingly, according to the World Economic Forum’s Global Cybersecurity Outlook 2025 report, 78% of UK organisations agree that current domestic regulations provide a good security baseline.
However, the public and private sectors must be more closely aligned on regulatory requirements and knowledge sharing in the fight against cybercrime. For reputational reasons, corporates are keeping many details on their cyber posture to themselves – but more openness would work for everyone’s benefit.
‘Offensive cyber’ is here to stay
On 21 February this year, Lazarus Group, thought to be backed by North Korea, carried out the largest-ever crypto heist, stealing $1.5bn of digital tokens from the Bybit exchange and swiftly converting $300m of them into unrecoverable funds. It demonstrated that businesses have practically no shelter from state-sponsored hacks.
While full details are confidential, attendees heard that the UK is Europe’s leading nation for using an offensive cyber approach for national defence. For example, the tactic could be used to launch a cyber attack against a hacking group to retrieve data it has stolen – as in the case where the UK led an operation to disrupt Russia-based organisation LockBit.
The professionalisation of cyber security
Cyber is widely regarded as a very technical domain, which tends to deter people from joining the profession. However, the UK Cyber Security Council, the body responsible for overseeing competence in the field, offers a development pathway for both cyber professionals and managers within small businesses.
Amid concerns that AI is taking over skills and jobs, there is still a need to encourage young talent to get involved – even as roles are evolving as a result of new and emerging technology.
ICAEW Data Analytics and Tech Manager Bani Lamba, who attended the 2025 Cyber Resilience Summit, says: “Recent high-profile cyber incidents on well-known brands such as M&S, Co-op and JLR have rightly drawn attention to cyber security across nations, regulatory bodies and among the public. But cyber attacks aren’t limited to big names – in fact, SMEs may be at higher risk.”
She adds: “Cybercriminals continue to exploit weak links through familiar tactics like phishing, poor password practices, and missing multifactor authentication (MFA). Basic cyber practices remain essential, and we must keep reinforcing this message.”
Resources highlighted at the event:
- Fighting Cyber-Enabled Fraud: A Systemic Defence Approach – whitepaper from the World Economic Forum
- The FAIR Institute – insights and guides on cyber risk management
Action on cyber security can boost growth
As part of ICAEW's campaign on backing business-led growth, we have outlined three key recommendations for government on cyber security:
- Establish a national cyber resilience fund for SMEs
- Enhance cyber security education and awareness
- Incentivise cyber insurance uptake
Cyber security awareness
Each year ICAEW marks global Cyber Security Awareness month with a series of resources and a podcast addressing the latest issues and how to protect your business.