This year’s Infosecurity Europe 2025 saw industry experts come together to discuss the latest trends, challenges and successes in the field.
Here are six key trends from the show that Infosecurity Magazine found most prominent from conversations with experts on the expo floor.
Amid significant technological advancements, a big theme was the continued need to focus on the basics, such as human behaviors and identity controls.
Security leaders should be aware of these trends, and ensure they consider whether their strategies are prioritizing these areas sufficiently.

Attackers Using Phone Calls to Launch Attacks
The nature of social engineering is continuing to evolve, with threat actors shifting to using phone calls either alone or in combination with emails to initiate attacks.
These are designed to obtain victims’ credentials to gain initial access into a target organization’s network.
Erhan Temurkan, Technology & Security Director at Fleet Mortgages, told Infosecurity that he is particularly concerned about phone calls impersonating IT departments, requesting employees reset their passwords.
These scams have been exacerbated by improving deepfake technology, making the fraudster sound exactly like someone they know in their team.
Such malicious phone calls are difficult to stop coming in, compared to traditional email phishing messages.
“We can put an email gateway to stop these phishing attacks coming in, but there’s not much you can do to block a phone call because you don’t want to block legitimate customers,” Temurkan explained.
It’s important that organizations implement additional layers of defense to mitigate these email-based scams, essentially their own multi-factor authentication (MFA).
Temurkan noted this could include pre-agreed phrases or passcodes with individuals in the business.

Identity Continues to be an Important Battleground
Research has shown that credential compromise continues to be the primary way for attackers to infiltrate organizations.
Rapid7 research published during Infosecurity Europe found that 56% of all compromises in Q1 2025 resulted from the theft of valid account credentials with no multi-factor authentication (MFA) in place.
Thom Langford, CTO for the EMEA region at Rapid7, noted: “It always comes down to the basics. Initial access is usually through username and password attacks. They quite simply trick people into giving it to them.”
This is an especially common technique in the cloud. Dr Beverly McCann, Director of Product at Darktrace, explained: “A good entry into an organization is compromising SaaS accounts and escalating privileges to get to admin role which then allows you to access sensitive data.”
In this environment, it’s not only important to deploy MFA, but also to ensure it’s the right type of MFA.
Temurkan said he is concerned about a rise of SIM-swapping attacks, in which attackers are able to use stolen data to intercept SMS-based two-factor authentication (2FA) codes.
“That only increases the driver for organizations to get off SMS 2FA. It’s better than nothing at all, but with SIM swapping on the rise, that is a real gap,” Temurkan commented.
The strongest phishing-resistant MFA technologies use Fast IDentity Online (FIDO) standard protocols. These options include biometrics and physical security keys, which have become more accessible and easier to integrate in recent years.

The Need to Make Cybersecurity Frictionless
For cybersecurity measures to be truly impactful, they need to ensure they don’t negatively impact employees’ work. Otherwise, practices are unlikely to be adhered to.
Langford commented: “The biggest challenge I think we have in security is that every protective measure we put in increases employee friction – that’s problematic.”
User experience should therefore be a key consideration for security leaders in their decision making.
There are opportunities for this, particularly in the identity space with passwordless authentication methods such as biometrics and single sign-on.
“If you want to keep introducing additional controls, we as a security industry need to continue to make it easy for striking that balance between security and usability,” said Temurkan.

Defending Against Rising AI Risks
AI security risks to organizations are growing as the technology continues to advance.
This firstly relates to attacker use of AI. McCann said there has been a notable growth in the scale and speed of attacks as a result of AI.
“They’re starting to use more automated tools, more AI tools and leverage those,” she told Infosecurity.
This includes using AI tools to search for vulnerabilities, seeking exploitation before fixes are applied.
“Instead of targeting one organization you target 100 organizations and see what sticks,” added McCann.
Defenders must be able to keep pace, which is likely to require applying their own AI security tools.
Another concern is the growing embrace of AI tools in businesses, including agentic AI. These agents operate with a high degree of autonomy. An agentic system could choose the AI model it uses, pass data or results to another AI tool, or even take a decision without human approval.
Without adequate controls and oversight, these autonomous tools can magnify AI data security challenges such as prompt injection, poisoning, bias and inaccuracies.
With AI evolving at such a rapid pace, it is incumbent on industry and governments to promote responsible and secure use of AI ahead of deployment. In April, European standards organization ETSI released a new set of technical specifications designed to serve as an “international benchmark” for securing AI models and systems.
AI risks aren’t just an internal issue. Organizations also need to be mindful of the potential AI data risks across their third-party suppliers.
“What about the vendors we’ve been using for 10, 15 years, do they have AI on their backend that we don’t know about?” Temurkan noted.
He emphasized the need to uncover any new AI deployments during supplier assurance processes, and whether these third parties are adopting secure practices, such as tackling issues highlighted in the Open Worldwide Application Security Project (OWASP) Top 10 list for large language models (LLMs).

Moving Beyond Awareness Training to Improve Behaviors
Given the advanced social engineering tactics being employed, experts told Infosecurity that awareness training alone is not sufficient to ensure employees are empowered to protect themselves.
Organizations should consider options like nudges, ensuring employees are reminded in real time to avoid risky behaviors, such as inputting sensitive data into AI models. Such intelligence-led interventions are known as human risk management.
In addition, a culture of security needs to be established whereby employees can be trusted to always undertake recommended actions, outside of training.
Andrew Rose, CSO at SoSafe, advocated for a ‘Just Culture’ model, in which employees are encouraged to report security mistakes without fear of punishment. Instead, this approach should focus on treating an error as an organizational problem rather than an individual error, and take action for improvement in the future, such as new training or processes.
This could include accidentally clicking on a phishing link.
“Learning lessons from near misses, and having a culture of when we learn something, we fix it,” Rose commented.

Vulnerability Exploitation to Continue Exploding
Experts emphasized that surging vulnerability exploits, particularly of edge devices, will only continue for the foreseeable future.
Tools like AI are helping threat actors discover and exploit vulnerabilities quickly, lowering barriers to this attack vector.
“There’s going to be a lot of new vulnerabilities, the criminals are now storing zero days just as much as the nation states are,” Langford noted.
Organizations must focus on maturing their patch management programs in line with business needs, and in the long term, demand security by design practices from their software suppliers.