From AI risks to quantum computing, explore the key cybersecurity developments that will shape the industry’s landscape in 2025.
In cybersecurity, we know planning is everything. We know that to be forewarned is to be forearmed. At Dubai’s GITEX Global 2024 in October, we heard familiar warnings of escalating threats. Several ransomware groups, including Lockbit 3.0 and Rhysida, had been found aggressively targeting the region.
Meanwhile, AI is, in many respects, a boon to businesses, but in the wrong hands, it has also been feared to be a bane. As we shall see, however, much of this fear has been unfounded. As the years progress, industry experts also continue to fret over the implications of quantum computing. So, as in previous festive celebrations, CISOs and their teams enter the new year on a knife-edge, looking to protect environments that are more vulnerable from a more sophisticated attack landscape. Let’s delve into nine developments shaping the security industry in 2025.
CISOs enjoy a tentative “phew” moment over the AI threat
Some industries have undoubtedly benefited from AI. However, outside of these specific use cases, even the benefits of the GenAI technologies that made such headlines in the previous two years are now being seen in some quarters as overblown. In 2025, expect businesses to return to more proven narrow-AI use cases to restore predictability to the ROI of AI projects. Automation and the upskilling of business functions are likely to be among the most common implementations. In parallel, we can expect threat actors to return to using narrow AI to soften entry barriers in an attempt to minimize their costs. Therefore, the fear of generative AI catalyzing a volume explosion in targeted, bespoke attacks is unfounded.
Also Read: Fragmenting Tech Giants: A Self-Inflicted Wound for US Innovation?
Quantum creep
Previous estimates suggest that where a digital machine would take 300 trillion years to crack 2-megabit RSA encryption, a 4,099-qubit quantum computer would only need 10 seconds. This post-quantum reality could be with us by the early 2030s, so we will probably continue to see individuals and organizations urge action on this critical future problem because of its implications for societies. We could see critical-infrastructure organizations, such as regional banks, telcos, and government agencies, form exploratory committees to examine NIST’s post-quantum encryption standards. These will be important first steps on the long road to adoption — a road that will likely be signposted with many new regulatory standards built around post-quantum cryptography.
Farewell Windows 10
October 2025 will see end-of-life (EOL) announcements for Microsoft Windows 10. Only the most recent machines — those with Secure Boot and TPM (trusted platform module) will be eligible for Windows 11 upgrades, meaning everyone else will lose access to updates, including security patches. If this sounds like a recipe for vulnerability, that is because it is. Expect a fire sale of obsolete PCs in the second half of 2025. The forced obsolescence will be good news for the hardware market, especially ARM, which will likely see a volume shift to its mobile-friendly processors. Alternative OSes like Linux and Ubuntu will also benefit from organizations trying to minimize replacement costs.
Digital cloning
Breach data repurposed to create fake online personas. It is a new approach to identity theft called “reverse identity theft”, in which an identity is linked to another without the knowledge of the legitimate party. Campaigns are underway to merge fictitious data with legitimate data, especially where names are common. We can expect this to escalate in 2025.
Nation vs nation: the critical infrastructure problem
As regions like the GCC build their national infrastructures in line with economic diversification “Vision” programs, critical infrastructure sectors like healthcare and finance will be shiny objects for threat actors, especially those backed by nation states. Critical infrastructure is the first target in cyberwarfare, and legacy systems are the most tempting. In 2025, government funding for cybersecurity will concentrate on boosting the cyber-maturity of critical-infrastructure organizations as they continue to merge their OT and IT environments.
Also Read: Responsible AI, Not AI-First: Why the White House’s Executive Order Needs Guardrails
Chancing in the moonlight
With its large expat populations, the GCC may experience overemployment, with residents taking on multiple remote jobs. While many regional employment contracts explicitly prohibit it, the workers who operate this way will be tempted to outsource some of their workload to AI. This will likely occur under the employer’s radar and may include creating fake employees. Such moonlighting will give rise to more shadow IT, all the security implications it implies, and legal issues surrounding content creation that failed to observe risks, such as plagiarism.
Guarding the Paths to Privilege
As identity compromises increase in frequency, 2025 will be the year CISOs begin to consider the Paths to Privilege™ that allow lateral movement — the insidious practice of gaining increasingly greater access rights. Privilege escalation is an issue that must be addressed through rigorous examination of trust relationships, configurations, and the processes by which entitlements are granted. Attackers are adept at manipulating cloud permissions, roles, and entitlements. Their attacks are preventable through a thorough re-evaluation of hygiene.
Too many tools
Cybersecurity investments will continue to favor multiple point solutions that do not play well together. This will lead to detrimental effects on reporting and visibility, and security teams will bear the brunt — more gaps, vectors, and paths to privilege.
Cyber-insurance — some changes
The way cyber-insurance providers calculate risk will see some changes in 2025 to factor in AI and quantum computing. Expect to see more “acceptable use” clauses regarding these technologies and prepare for a long hunt for policies without such restrictions or exclusions for incidents where either AI or quantum computing is involved in a breach.
Also Read: How Digital Twins and VR Are Revolutionizing Network Operations
Prepare for a bumpy ride
Threat actors are not waiting. They are not trend-watching. They are creating the trends. Defenders must create some trends of their own or invite disaster. They should make cyber hygiene their New Year’s resolution.
