- How global threat actors are weaponizing AI now, according to OpenAI
- The viral Air Purifier Table is my smart home's MVP (and it's on sale for $179)
- Grab the Galaxy S25 Edge for $170 off and get a free Amazon gift card - but act fast
- How I learned to stop worrying and love my health tracker
- I found a free iPhone 16 deal that doesn't require a trade-in (and applies to Pro models, too)
#Infosec2025: Top Six Cyber Trends CISOs Need to Know
This year’s Infosecurity Europe 2025 saw industry experts come to together to discuss the latest trends, challenges and successes in the field.
Here are six key trends from the show that Infosecurity Magazine found most prominent from conversations with experts on the expo floor.
Amid significant technological advancements, a big theme was the continued need to focus on the basics, such as human behaviors and identity controls.
Security leaders should be aware of these trends, and ensure they consider whether their strategies are prioritizing these areas sufficiently.
Attackers Using Phone Calls to Launch Attacks
The nature of social engineering is continuing to evolve, with threat actors shifting to using phone calls either alone or in combination with emails to initiate the attacks.
These are designed to gain victims’ credentials to gain initial access into a target organization’s network.
Erhan Temurkan, Technology & Security Director at Fleet Mortgages, told Infosecurity that he is particularly concerned about phone calls impersonating IT departments, requesting employees reset their passwords.
These scams have been exacerbated by improving deepfake technology, making the fraudster sound exactly like someone they know in their team.
Such malicious phone calls are difficult to stop coming in, compared to traditional email phishing messages.
“We can put an email gateway to stop those phishing attacks coming in, but there’s not much you can do to block a phone call because you don’t want to block legitimate customers,” Temurkan explained.
It is vital that organizations implement additional layers of defense to mitigate these email-based scams, essentially their own multi-factor authentication (MFA).
Temurkan noted this could include pre-agreed phrases or passcodes with individuals in the business.
Identity Continues to be an Important Battleground
Research has shown that credential compromise continues to be the primary way for attackers to infiltrate organizations.
Rapid7 research published during Infosecurity Europe found that 56% of all compromises in Q1 2025 resulted from the theft of valid account credentials with no multi-factor authentication (MFA) in place.
Thom Langford, CTO for the EMEA region, at Rapid7, noted: “It always comes down to the basics. Initial access is often through username and password attacks. They quite simply trick people into giving it to them.”
This is an especially common approach in the cloud. McCann explained: “A really good entry into an organization is compromising SaaS accounts and escalating privileges to get to admin role which then allows you to access sensitive data.”
In this environment, it is not only important to deploy MFA, but also ensure it is the right type of MFA.
Temurkan said he is concerned about a rise of SIM-swapping attacks, in which attackers are able to utilize stolen information intercept SMS-based two-factor authentication (2FA) codes.
“That only increases the driver for organizations to get off SMS 2FA. It’s better than nothing at all, but with SIM swapping on the rise, that is a real gap,” Temurkan commented.
The strongest phishing-resistant MFA technologies use Fast IDentity Online (FIDO) standard protocols. These options include biometrics and physical security keys, which have become more accessible and easier to integrate in recent years.
The Need to Make Cybersecurity Frictionless
For cybersecurity measures to be truly impactful, they need to ensure they do not negatively impact employees’ work. Otherwise, practices are unlikely to be adhered to.
Langford commented: “The biggest challenge I think we have in security is that every protective measure we put in increases employee friction – that’s problematic.”
User experience should therefore be a key consideration for security leaders in their decision making.
There are opportunities for this, particularly in the identity space with passwordless authentication methods such as biometrics and single sign on.
“If you want to keep introducing additional controls, we as a security industry need to continue to make it easy for striking that balance between security and usability,” said Temurkan.
Defending Against Growing AI Risks
AI security risks to organizations are growing as the technology continues to advance.
This firstly relates to attacker use of AI. Dr Beverly McCann, Director of Product at Darktrace, said there has been a notable growth in the scale and speed of attacks as a result of AI.
“They are starting to use more automated tools, more AI tools and leverage those,” she told Infosecurity.
This includes using AI tools to search for vulnerabilities, seeking exploitation before fixes are applied.
“Instead of targeting one organization you target 100 organizations and see what sticks,” added McCann.
Defenders must be able to keep pace, which is likely to require applying their own AI security tools.
Another issue is the growing embrace of AI tools in businesses, including agentic AI. These agents operate with a high degree of autonomy. An agentic system might choose the AI model it uses, pass data or results to another AI tool, or even take a decision without human approval.
Without sufficient controls and oversight, these autonomous tools can magnify AI data security challenges such as prompt injection, poisoning, bias and inaccuracies.
With AI evolving at such a rapid pace, it is incumbent on industry and governments to promote responsible and secure use of AI ahead of deployment. In April, European standards organization ETSI released a new set of technical specifications designed to serve as an “international benchmark” for securing AI models and systems.
AI risks are not just an internal concern. Organizations also need to be mindful of the potential AI data risks across their third-party suppliers.
“What about the vendors we’ve been using for 10, 15 years, do they have AI on their backend that we don’t know about?” Temurkan noted.
He emphasized the need to discover any new AI deployments during supplier assurance processes, and whether these third parties are adopting secure practices, such as tackling issues highlighted in the Open Worldwide Application Security Project (OWASP) Top 10 list for large language models (LLMs).
Moving Beyond Awareness Training to Improve Behaviors
Given the advanced social engineering tactics being employed, experts told Infosecurity that awareness training alone is not sufficient to ensure employees are empowered to protect themselves.
Organizations should consider options like nudges, ensuring employees are reminded in real time to avoid risky behaviors, such as inputting sensitive data into AI models. Such intelligence led interventions are known as human risk management.
In addition, a culture of security needs to be established whereby employees are always can be trusted to always undertake recommended actions, outside of training.
Andrew Rose, CSO at SoSafe, advocated for a ‘Just Culture’ model, in which employees are encouraged to report security errors without fear of punishment. Instead, this approach should focus on treating an error as an organizational problem rather than an individual error, and take action for improvement in the future, such as new training or processes.
This could include accidently clicking on a phishing link.
“Learning lessons from near misses, and having a culture of when we learn something, we fix it,” Rose commented.
Vulnerability Exploitation to Continue Exploding
Experts emphasized that surging vulnerability exploits, particularly of edge devices, will only continue for the foreseeable future.
Tools like AI are helping threat actors discover and exploit vulnerabilities quickly, lowering barriers to this attack vector.
“There’s going to be lots of new vulnerabilities, the criminals are now storing zero days just as much as the nation states are,” Langford noted.
Organizations must focus on maturing their patch management programs according to business needs, and in the longer term, demand security by design practices from their software suppliers.
