Projections: Cybersecurity In 2025

12–30–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, December 30, 2024, and it would seem like we’re all ready to bring the year to a close. Instead of looking back at the year that was, I thought we’d spend a couple of minutes looking at the year ahead, with a few projections about cybersecurity in 2025.

Before we jump in, just a quick note that our friends at BlueYonder have not updated their incident page for more than 2 weeks - and they’re now approaching six weeks with this open incident. I don’t raise this to wag my finger at them, but to remind all of us of the actual impact these events have, including a much longer duration than you plan for in your tabletop.

Projections: Cybersecurity In 2025

While I’m a bit hesitant to do predictions - and am plenty happy to leave that to Scott Galloway and others - I do think some projections about the year ahead can be helpful, particularly for those who are in charge of cyber efforts at their organizations.

I’ll cover three big ones here and am happy to chat through any of them on LinkedIn or directly.

  1. Ransomware Remains a Reality

    While we would all love to put this behind us, the reality is that ransomware isn’t going anywhere. And - in many ways - it is likely to continue to intensify and grow in its impact.

    Despite, in the closing weeks of 2024, seeing an arrest in Israel of an alleged LockBit team leader, we’re also seeing new groups (Play, Fog) emerge and old groups come back using new zero-day vulnerabilities (Clop with 60+ new victims using the Cleo zero-day).

    So from a projections standpoint, the things that you need to do to reduce your exposure to ransomware remain relevant for the year ahead - perhaps even more so.

  2. Getting The Reps In Matters Most

    Building on that previous point around reducing your ransomware risk, the real way forward here is getting the reps in. As folks are busy making New Year’s resolutions around fitness and health, many of those same analogies apply in the cyber world.

    What do I mean by reps? It’s things like having an accurate asset inventory, regularly scanning for vulnerabilities, and being able to patch your machines in a reasonably short amount of time. Newly discovered vulnerabilities aren’t going to stop in 2025 (and, in fact, are likely to increase) - being able to quickly update your infrastructure and endpoints is going to be very important. You need those tools, processes, people, communications templates, and other things in place ahead of the “big one” - which means getting the reps in.

    It means enrolling devices into Intune, or ensuring MFA is everywhere for everyone every time, that your backups are actually backing up and that you know how to restore from them, etc. These reps, like reps in the gym, aren’t glamorous in and of themselves, and doing it once won’t make you anything but sore, but getting them in regularly, over time, will make a difference.

  3. Regulations Aren’t Coming, Won’t Save You

    Given what we’re seeing from the incoming administration here in the US, it seems unlikely to me that we’re going to get new Federal legislation that has cyber implications in the next year. What does that mean for you? Well - if you’re in a regulated industry, carry on but with the knowledge that maybe enforcement efforts won’t be quite as stringent in 2025. If you’re not regulated yet? Probably won’t happen in 2025.

    That can be both a good thing and a bad thing from a cyber perspective. On the “good” side - it means that you won’t have to scramble to meet those compliance requirements you’ve been putting off. On the “bad” side, it means you won’t have those regulatory obligations to use to drive change, increase budget or headcount, etc.

The overall theme, looking towards 2025, seems to be clear that you’re really on your own out there, and you need to develop a sense of self-sufficiency in terms of managing cyber risk. It’s up to you, in the end, to run the defensive playbook for your organization, for better or worse.

I know that’s not a particularly positive position to take as the year ends, but I’m of the mind that we should be practical and realistic about these things. It’s going to be hard. Knowing that ahead of time gives you a chance to prepare accordingly.

That said - we’ll keep covering the things that matter in 2025 and beyond, and defenders are in this together - so stay tuned and stay vigilant.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and with that - I hope you all have a Happy New Year, and we’ll see you next year for another edition of the Intentional Brief.

Links

https://blueyonder.com/customer-update

https://www.securityweek.com/lockbit-ransomware-developer-arrested-in-israel-at-request-of-us/

https://www.securityweek.com/cl0p-ransomware-group-to-name-over-60-victims-of-cleo-attack/

https://www.csoonline.com/article/3627361/a-new-ransomware-regime-is-now-targeting-critical-systems-with-weaker-networks.html
