Key Cybersecurity Considerations for 2025

As we usher in a new year, it’s crucial to focus on key areas in cybersecurity that demand our attention. While there’s undoubtedly a long list of issues that all companies are dealing with, these are three topics – mitigating risks from vendors, navigating the complexities of AI, and combating phishing – that should be at the top of the list while planning for a successful 2025.
Mitigating risks from vendors. Relationships with vendors are constantly evolving as are the threats. Before the advent of cloud computing and SaaS there was a layer of separation between the vendor and customer. The vendor would have an update that could then be tested in-house to make sure it worked as intended before it was deployed, but with cloud computing, and more so with SaaS, there is no layer of separation now. If a vendor has an incident – cyber or otherwise – that incident is quickly and immediately passed on to the customer.
This also adds another layer of risk, as now hackers can go after a company by going after its vendors. This can cause collateral damage to companies that may not have been the intended targets. We’re now seeing third-, fourth- and even fifth-party risk getting a lot more complicated. The best way to combat this new threat is by using a tried-and-true tactic – trust.
Part of building trust includes thorough evaluation of your vendor’s environments by various means – questionnaires, audits, security ratings. These evaluations must assess both security and operational posture, and be repeated periodically to make sure they’re up-to-date. Trust can also be built through contractual agreements that transfer and/or assign liability to the right party through data agreements and service letter agreements.
All that said, no matter what level of trust is built, you still need a robust incident response plan and business continuity plan that account for potential disruptions and security incidents caused by a vendor.
Navigating the challenges of AI: The first thing to remember with AI is that the risk is still the underlying data. An AI system is a tool that exposes the underlying data to a potentially different type of risk, or exacerbates existing risk. In short, secure AI starts with secure data.
The combination of AI and cloud creates potential for unauthorized and unintended disclosure of data. Without appropriate data agreements, any data entered into an AI could potentially be used to train the system, thus compromising the confidentiality of the data.
Another area of concern when it comes to AI is the potential for misuse. Whether it’s the use of deepfakes to spread misinformation, crafting better phishing emails, or lowering the technological threshold for hacking – AI can be a very powerful tool that has the potential to work against your organization.
The area of AI regulation can also be challenging at times as it is still in its infancy, but is growing fast. Staying on top of upcoming regulations and ensuring we all meet said regulations will be a moving goalpost for some time.
At Brown-Forman we are focusing on data governance and enhanced data security first. Understanding who owns what data, and minimizing visibility to an as-needed basis helps us build AI systems that will only access the right data and present it to the right people.
Because of this, we are very focused on education and awareness. This spans the opportunities presented by AI, how to use AI, and the risks of AI. The more our employees understand and learn how to use AI safely, the better we can make use of the opportunities provided by AI while minimizing the risks.
Combating Phishing. Phishing has evolved over the years from mass emails – send 1,000 or more and hope someone “bites” – to spear phishing – more targeted emails that require research. Today, the targeting has continued to get better and generative AI has added another layer. We used to tell people to look for spelling and grammar errors, but with generative AI there are no such errors. Phishing emails look very, very similar to real emails.
Recognizing phishing emails for scams requires muscle memory. It’s not necessarily difficult to spot a phish, but you need to be vigilant about repeated training so you remember to check on a regular basis. You also need to be realistic and accept that people will fall for phishing one time or another. It is important to have layers of protection in place for when that does happen. Quick reporting helps activate those layers faster, and should be a focus of education and awareness efforts.
In 2025 we will continue to focus on “role-based training” for phishing, because the level of risk faced by and posed by different roles is different. For example, a salesperson who consistently receives external email that may or may not include attachments is more vulnerable, whereas an HR person likely has access to information that’s more valuable and faces more risk. We’re working with each team to see how we can better help them craft processes that minimize the risk and impact of being phished.
As technology advances, so must our strategies for improving security. Sometimes the solutions are as simple as trust and training, and other times it’s a matter of implementing new governance, technology and strategies. In 2025 focus on the security issues that pose the largest threats and find the right solutions for your organization to be successful.
About the Author
Sailaja Kotra-Turner is the Chief Information Security Officer at Brown-Forman. Sailaja has been with Brown‑Forman since September 2020 as Chief Information Security Officer. She has been instrumental in shaping Brown‑Forman’s security posture and controls to date. Prior to joining Brown‑Forman, Sailaja’s leadership focused on IT Security teams in the areas of security engineering, operations and strategy, security awareness, and identity management. Sailaja holds a Bachelor of Technology in computer science and systems engineering from Andhra University and a master of business administration from Southern Methodist University. Our company website is https://www.brown-forman.com/