Check out some of the core cyber security trends and threats for the new year
Cyber security remains essential to protecting charity operations. Without effective cyber security in place, everything is at stake. TwentyFour IT services share the arresting impacts, noting that around one-quarter of charities have experienced an attack in 2023. From a small business perspective, intrusions are costly. Each successful penetration costs around £21,000.
Over the past year, we’ve covered how artificial intelligence (AI) and machine learning may be applied to security. But the focus here is on emerging cyber security trends.
Zero-trust network access (ZTNA) is based on the premise that nobody is trusted – even if they are already within the network. CrowdStrike sums it up: “Zero Trust is a security framework requiring all users, whether in or outside the organisation’s network, to be authenticated, authorised, and continuously validated.”
ZTNA diverges from the ‘moat-and-castle’ security arrangements where the moat acts as a security guard. Under the traditional structure, once a hacker has gained access they can roam the entire premises.
ZTNA focuses on trusting no one. Access is granted on a need-to-know basis, and individual areas stay protected even from users who are already inside the system.
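The contrast between the two models, as an added example that is not part of the original article: a perimeter check that trusts network location, beside a zero-trust check that authenticates, authorises and re-validates every request. The address range, role map, 15-minute re-validation window and sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All values below are constructed assumptions for illustration.
INTERNAL_NET = ip_network("10.0.0.0/8")   # office / VPN address range
REVALIDATE_AFTER = 15 * 60                # seconds before identity is re-checked
NEED_TO_KNOW = {                          # role -> resources that role needs
    "fundraising": {"donor-crm"},
    "finance": {"donor-crm", "payroll"},
}

@dataclass
class Request:
    role: str
    source_ip: str
    resource: str
    mfa_passed: bool
    last_verified: int                    # epoch seconds of last identity check

def perimeter_decision(req: Request) -> bool:
    """Moat-and-castle: being on the internal network is the only test."""
    return ip_address(req.source_ip) in INTERNAL_NET

def zero_trust_decision(req: Request, now: int) -> tuple[bool, str]:
    """Evaluate every request on its own; network location earns no trust."""
    if not req.mfa_passed:
        return False, "not authenticated"
    if req.resource not in NEED_TO_KNOW.get(req.role, set()):
        return False, "not authorised: no need to know"
    if now - req.last_verified > REVALIDATE_AFTER:
        return False, "validation expired: re-authenticate"
    return True, "allowed"

NOW = 1_700_000_000                       # fixed clock so results are repeatable
SAMPLES = {
    "insider, wrong role": Request("fundraising", "10.2.3.4", "payroll", True, NOW - 60),
    "insider, stale session": Request("finance", "10.2.3.5", "payroll", True, NOW - 3600),
    "remote, fully verified": Request("finance", "203.0.113.9", "payroll", True, NOW - 60),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:24} perimeter={perimeter_decision(req)!s:5} "
              f"zero-trust={zero_trust_decision(req, NOW)}")
```

The perimeter model admits both inside requests and turns away the verified remote user; the zero-trust check reverses all three outcomes.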
On implementation, Cisco outlines a few key areas to consider:
Top tip: When designing architecture, cybersecurity technologies should be combined.
Phishing threats are those that typically come in through communication channels. They look, sound, and feel authoritative so that charity staff give away sensitive information. According to the Information Commissioner’s Office (ICO), 91% of companies have already experienced attacks. At Charity Digital we expect these to be even more pervasive.
Advanced phishing makes use of social media and legitimate websites to fool the recipient into revealing information. ESET describes the common techniques that perpetrators deploy: spearphishing, whaling, smishing, pharming, and deceptive phishing.
Each of these phishing techniques is more advanced than the generic, typo-filled email of a previous generation. Cyber criminals typically do their research on targets. Because they harvest names, emails, and telephone numbers from social media and websites, their information requests appear to be from real people. Some prey on mid-level employees and trick them by impersonating authority figures.
When considering cyber security, preventing phishing requires a great deal of staff training. Educate everyone on what phishing looks like and use examples to illustrate how threats may appear. Remain suspicious when extraordinary information is being asked for.
Top tip: Review our guide on phishing and fraud.
On average, a single internet user has 168 passwords for personal use, reports Yahoo Finance.
The trend towards having many passwords, too many to remember, is affecting how cybersecurity measures are developing.
The UK Government has acted. Devices and tech that come with hackable passwords like “admin” and “1234” will be banned. New passwords must be of a certain sophistication. Essentially: “manufacturers of phones, TVs, and smart doorbells, among others, are now legally required to protect internet-connected devices against access by cybercriminals,” reports the Guardian.
The trend continues with sophisticated password protectors. Bitwarden, 1Password, Keeper Security, and others address that threat. These systems are expanding beyond individual use and into business.
1Password aggregates access to apps, sites, and anything that requires a sign-on. The app creates a randomised password for each log-on. 1Password is accessible by a single master password. From a business perspective, it means many of the work-related systems are protected from intrusions. Going forward, we expect more of these platforms to be deployed.
Top tip: Check out how to review password security and how to know whether it’s been compromised.
Multi-factor authentication (MFA) still reigns supreme. Under this arrangement, systems require a demonstration of two elements, as described by the National Cyber Security Centre. A known, correct secret password needs to be validated in addition to users being present at the network.
In practice, users need something more than just their usual password. Typical secondary MFA requirements are token-based codes, fingerprints, and facial recognition, and they may be linked to other channels (e.g. email, text, etc.).
The prevalence of MFA is connected to how businesses are operating. MFA typically is part of reaching a VPN or cloud-based network, which is a core component of hybrid working accessibility.
Top tip: Combine both MFA and password protection to increase security.