Todd Moore | Vice President, Data Security Products, Thales
More About This Author >
Todd Moore | Vice President, Data Security Products, Thales
More About This Author >
Cybersecurity is a remarkably dynamic industry. New trends, technologies, and techniques reshape the landscape at an extraordinary pace, meaning keeping up can be challenging. Protecting data, the driving force of modern businesses, will continue to be the primary focus of organizations throughout 2025. So, as we race into the new year, and as technology and risks evolve, efforts will be focused on varying frontiers. Here are our predictions for data security in 2025.
Data Privacy Regulations Take Center Stage
The United Nations Trade and Development (UNCTAD) states that 80% of countries now have or are working on data protection and privacy legislation. These regulations mandate that data will be stored and processed within specific jurisdictions to address risks associated with international law enforcement.
These requirements have a profound impact. Cloud providers and businesses must comply with local data sovereignty laws. Organizations must embed privacy-by-design principles in new systems and applications. Privacy-enhancing technologies will be the leading technical measures implemented to mitigate these risks.
The U.S. has traditionally struggled to implement federal regulations concerning data privacy, often leaving this issue to be addressed state-by-state. Some states, like California, have introduced their own unique data privacy laws. However, in 2024, the U.S. Federal American Privacy Rights Act (APRA) was proposed but it is still pending approval. This act marks a significant step toward establishing federal data privacy regulations.
Although the future of APRA remains uncertain, it is reasonable to expect that APRA and data privacy will continue to be vital discussion topics in the upcoming year.
Companies Proactively Embrace Compliance
With the acceleration of cyberattacks, companies are taking steps to better regulate their digital space. They are adapting compliance frameworks to harmonize and enforce the responsibilities over their digital assets (workload, data, identities) while maintaining business continuity and resilience.
In response to these developments, the cybersecurity landscape in 2025 will see a shift from reactive to proactive measures. Continuous monitoring and getting ahead of potential threats will become standard practice, along with more robust authentication measures. Compliance with new regulations, such as NIS2, DORA, PCI DSS 4.0, the UK Cyber Resilience Act, and the EU AI Act, will be crucial. As a result, some organizations will move more data on-premises, necessitating the same or more stringent security postures as cloud environments.
Organizations Shift to a Risk-Focused Approach
As AI increases the frequency and scale of cyberattacks, organizations will face resource and staffing constraints in 2025. Relying solely on reactive measures to keep data secure will be unsustainable. Consequently, businesses will explore ways to prioritize risk effectively, focusing resources and efforts where they will have the most significant impact.
In 2025, organizations must transition from a purely compliance-focused approach to a more proactive risk-focused strategy. This requires a clear understanding of risks across key dimensions, including organizational, asset, and regulatory risks. Risk visibility must be prioritized according to its potential impact on the business. By leveraging key data risk indicators across the entire data estate, organizations can create an actionable view that empowers them to make informed and effective decisions to strengthen their data security.
As part of risk management, deploying a Zero Trust architecture will continue to be essential for most companies. Companies will adopt comprehensive security measures to protect data from the edge to the core of their IT systems.
AI Tools Support, Not Replace, Security Roles
AI and ML will play an increasingly central role in cybersecurity. They will enhance threat detection and response, improve threat hunting, and combine security posture management with behavioral analytics to help monitor and secure large datasets in real-time, spotting risks such as data exfiltration attempts or unusual data access patterns.
Cybersecurity vendors are increasingly integrating AI-assisted Copilots to enhance their services for customers. These tools are great for helping to fill talent shortage gaps, which ISC2 currently estimates at 4.8 million worldwide, but aren’t a replacement for internal teams. In the year ahead, it will be less about adopting these tools and more about how security teams leverage AI tools' capabilities. Those looking to remain agile will likely utilize these tools to bring their threat investigation abilities to the next level.
Gen AI-Powered Breaches Skyrocket
Adopting AI technologies is also a reality for cyber threats, with hackers leveraging AI to amplify their attacks and lower the skills bar through the development of automated scripts.
With enterprises being targeted by an influx of advanced phishing attacks, the likelihood that someone within their organization falls victim to an attack is at an all-time high, and we expect to see a steady rise in these across 2025. Once credentials are compromised, an enterprise’s entire network security crumbles, and with generative AI rapidly advancing social engineering methods, typical defense measures for credential compromise won’t be able to keep pace.
Critical Infrastructure Attacks Increase
Attacks targeting critical infrastructure have grown exponentially over the last few years. The overwhelming majority of these attacks start within the internal IT infrastructure. Given that critical infrastructure will always be a prime target for cybercriminals due to its potential for widespread impact, the disconnect between IT, OT, and geopolitical issues creates the perfect storm for insider threats to thrive in 2025. Addressing this gap will be crucial to safeguarding critical infrastructure in the year ahead.
Data Fortification and Supply Chain Resilience Intensify
In 2025, securing the software supply chain will be a top priority. Organizations will conduct more profound security assessments on their third-party vendors, including cloud providers, to ensure their software and services are secure. Protecting data from being compromised through uncontrolled third-party applications or services will become even more critical, with organizations needing more visibility into the services they rely on.
With the proliferation of data via collaboration platforms, companies will need to focus on data activity monitoring and data watermarking to protect sensitive information. Supply chain security will also be a significant concern, as vulnerabilities in the supply chain can lead to widespread security breaches. User generation of personal data through various apps and services will increase the risk of data exposure, necessitating stronger data protection measures.
Post-Quantum Cryptography Spotlights Crypto Agility
Earlier this year, NIST released its first set of post-quantum computing encryption algorithms, along with guidance to be prepared for a potential quantum computing attack as early as 2030. This timeframe drives the need to start planning for and building quantum safe networks now. Even though some protocols, like TLS and SSH, have already been updated to meet NIST's new standards, NIST is already working on its next set of algorithms, meaning that the algorithms implemented in protocols today may be different by the time a production quantum computer arrives.
This highlights the importance of crypto agility in adapting to these evolving security recommendations. Enterprises must place agility at the center of their quantum readiness strategy, making sure that crypto-agile solutions can keep up with the emerging quantum-resistant cryptographic standards. In 2025, Companies will need to invest time and resources to identify their exposure and take inventory of their assets. This will manifest in a steady rise of cryptographic centers of excellence among major enterprises.