Cyber security trends for 2025

Here is a collection of cyber security trends and predictions for 2025 from various sources:

Dark web discussions reveal: this is what is in store for 2025
The discussions reveal next year's threat scenarios.
https://www.is.fi/digitoday/tietoturva/art-2000010908617.html

VPN provider NordVPN has partnered with researchers at NordStellar to predict the cyber threats of 2025. The companies analyzed the largest dark web forums to identify the most talked about and trending topics. These include:
Advanced disinformation services
Stolen digital identities
AI-based social engineering
Smart home vulnerabilities
The state of connected homes is already fragile, NordVPN warns.

The most important cybersecurity and AI trends for 2025
https://www.uusiteknologia.fi/2024/11/20/kyberturvallisuuden-ja-tekoalyn-tarkeimmat-trendit-2025/

Security firm Palo Alto Networks has released a comprehensive list of emerging threats and of the impact that advances in artificial intelligence (AI) will have in the coming year. The new AI capabilities carry risks of their own, and they also hand malicious actors new tools to exploit.

Cyber infrastructure consolidates onto one unified security platform
Large volumes of data give incumbents an advantage over new entrants
Businesses are increasingly adopting secure enterprise browsers
In 2025, more attention will be paid to the energy impacts of artificial intelligence
The realities of quantum technology will become clearer in 2025
Security and marketing directors work more closely together

Cyber attacks are broader, bolder and more damaging than ever.
https://www.verkkouutiset.fi/?p=694453#9c1dc2d3

Cybersecurity company Fortinet has published a cyber threat forecast for 2025. According to it, threat actors will continue to rely on many traditional tactics that have been used for decades.
According to the report, the following cyber threats will be increasingly seen around the world starting next year.

Cybercriminals specialize in certain stages of the attack chain
Attacks on cloud environments are becoming more common
Automated hacking tools on dark web sales platforms
Real-world threats become part of attackers' tactics
Groups combating attacks expand their cooperation

A grim forecast for 2025
Security company warns of new-age cyberattacks.
https://www.iltalehti.fi/digiuutiset/a/3ba5142e-f0ee-43fe-8bd2-4468a9d2d5bd

According to security company Fortinet, many cybercriminals are mounting more effective attacks than before, and old protection methods may no longer be enough as criminals find new ways to attack.
The company's FortiGuard Labs team has compiled an updated threat forecast report for 2025, which underlines that cyberattacks are becoming more targeted and harmful, for example as turnkey cyberattack services become more common.

1 Specialization
2 Cloud and artificial intelligence as themes
3 Real-world threats become part of the tactics

Fortinet reminds us that the responsibility for ensuring information security lies with everyone, not just corporate security and IT teams.
– No single organization or security team can prevent cybercrime on its own, it underlines.

Guidance to survive 2025:

Product Security Bad Practices
https://www.cisa.gov/resources-tools/resources/product-security-bad-practices

MITRE shares 2024's top 25 most dangerous software weaknesses
https://www.bleepingcomputer.com/news/security/mitre-shares-2024s-top-25-most-dangerous-software-weaknesses/

Six password takeaways from the updated NIST cybersecurity framework
https://www.bleepingcomputer.com/news/security/six-password-takeaways-from-the-updated-nist-cybersecurity-framework/

84 Comments

  1. Tomi Engdahl says:

    Why CISOs Must Think Clearly Amid Regulatory Chaos
    Even as the rule book changes, the profession of the CISO remains unchanged: protecting the organization in a world of constant, continually evolving threats.
    https://www.darkreading.com/cybersecurity-operations/cisos-must-think-clearly-amid-regulatory-chaos

    Reply
  2. Tomi Engdahl says:

    Cybersecurity is tough: 4 steps leaders can take now to reduce team burnout
    https://www.csoonline.com/article/3631614/cybersecurity-is-tough-4-steps-leaders-can-take-now-to-reduce-team-burnout.html

    A happy team makes for a happy CISO, which reduces burnout and staff turnover at all levels. Here are some low-budget approaches top professionals have taken to ease the stress.

    Reply
  3. Tomi Engdahl says:

    How to Build a Real-Time Intrusion Detection System with Python and Open-Source Libraries
    https://www.freecodecamp.org/news/build-a-real-time-intrusion-detection-system-with-python/

    Reply
  4. Tomi Engdahl says:

    Stratoshark: Wireshark for the cloud – now available!
    Stratoshark is an innovative open-source tool that brings Wireshark’s detailed network visibility to the cloud, providing users with a standardized approach to cloud observability.
    https://www.helpnetsecurity.com/2025/01/22/stratoshark-wireshark-cloud/

    Reply
  5. Tomi Engdahl says:

    How to recognise a bot
    https://etn.fi/index.php/13-news/17075-naein-tunnistat-botin

    Nearly half of internet traffic is machine-generated, and malicious bots make up almost a third of all traffic. Social media bots are especially common, and as many as 65 percent of these bots are malicious, according to a recent study.

    Experts from the AI development tool AIPRM have shared tips for recognising a social media bot. AIPRM founder Christoph C. Cemper also warns about possible scams run by bots.

    Bots can be recognised by several characteristic features. These signs help you judge whether an account is automated rather than human:

    Bots often use generic or random usernames, low-quality pictures or stock photos taken from the internet, and their profile details are incomplete.
    Bot communication is often clumsy, with many grammatical errors, awkward translations and oddly structured sentences.
    Bots often reply to messages instantly and post content at unusual times of day. In addition, no typing indicator appears for messages sent by bots, because bots do not type but send messages directly.
    Bots often publish a lot of content in a short time, which differs from human behaviour. Bot accounts' engagement rates can also be abnormal, because their followers are often other bots or passive accounts.
    Malicious bots often share similar or identical content across different accounts and platforms. This repetition stands out from the natural content production of humans.

    If you suspect you have encountered a bot, you can use bot detection tools available online.

    As technology advances, bots raise more and more questions about privacy and security. Malicious bots can collect large amounts of data, and it is often unknown how the data is stored or used. Bots are also a significant vehicle for spreading misinformation and harmful content.

    Your Cheat Code for AI
    https://www.aiprm.com/

    Reply
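The signals listed in the comment above, turned into a scoring function that runs over account records. This is an added example, not code from the article or from AIPRM; the account records, the field names, the regular expression for generic usernames and every threshold are constructed assumptions to be tuned against real data. The cross-account check is the one signal that needs more than a single account, so the scorer first collects texts that appear under several usernames.

```python
"""Heuristic bot scoring over social-media account records.

Added example: this is not code from the article or from AIPRM. The
signals are the ones listed in the article; the account records,
thresholds and field names are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    username: str
    bio: str                 # "" means the profile is incomplete
    stock_avatar: bool       # avatar recognised as a stock/low-quality image
    followers: int
    avg_likes_per_post: float
    posts: list = field(default_factory=list)   # [(datetime, text), ...]


# Assumed thresholds, tune against real data.
GENERIC_NAME = re.compile(r"^[a-z]+\d{5,}$")    # e.g. "user83921047"
BURST_POSTS_PER_HOUR = 20
NIGHT_HOURS = range(1, 5)                       # 01:00-04:59 local time
MIN_ENGAGEMENT = 0.001                          # likes per post, per follower


def posts_per_hour(posts):
    """Posting rate over the span between the first and last post."""
    if len(posts) < 2:
        return 0.0
    times = sorted(t for t, _ in posts)
    span_h = (times[-1] - times[0]).total_seconds() / 3600
    return len(posts) / max(span_h, 1 / 60)     # floor the span at one minute


def cross_account_texts(accounts):
    """Post texts that appear under more than one account."""
    owners = {}
    for acc in accounts:
        for _, text in acc.posts:
            owners.setdefault(text.strip().lower(), set()).add(acc.username)
    return {text for text, who in owners.items() if len(who) > 1}


def bot_score(acc, shared_texts):
    """Return (score, reasons); each signal from the article adds one point."""
    reasons = []
    if GENERIC_NAME.match(acc.username) or acc.stock_avatar or not acc.bio:
        reasons.append("generic username, stock avatar or incomplete profile")
    if posts_per_hour(acc.posts) > BURST_POSTS_PER_HOUR:
        reasons.append("burst of posts in a short time")
    if acc.posts and sum(t.hour in NIGHT_HOURS for t, _ in acc.posts) / len(acc.posts) > 0.5:
        reasons.append("posts mostly at unusual hours")
    if acc.followers and acc.avg_likes_per_post / acc.followers < MIN_ENGAGEMENT:
        reasons.append("abnormally low engagement for follower count")
    if any(text.strip().lower() in shared_texts for _, text in acc.posts):
        reasons.append("identical content also posted by other accounts")
    return len(reasons), reasons


def score_all(accounts):
    """Map username -> score for a batch of accounts (shared texts computed once)."""
    shared = cross_account_texts(accounts)
    return {acc.username: bot_score(acc, shared)[0] for acc in accounts}


def _burst(start, n, minutes, text):
    """n copies of `text` spread evenly over `minutes` starting at `start`."""
    return [(start + timedelta(minutes=i * minutes / n), text) for i in range(n)]


# Constructed sample data: one plausible human, two accounts pushing the same spam.
SPAM = "Claim your free crypto now!!! Link in bio"
SAMPLE_ACCOUNTS = [
    Account("anna_k", "Photographer in Oulu", False, 420, 15.0, [
        (datetime(2025, 1, 20, 10, 5), "Morning light over the river today"),
        (datetime(2025, 1, 20, 18, 40), "Edited the shoot from last weekend"),
        (datetime(2025, 1, 22, 14, 15), "New prints in the shop"),
    ]),
    Account("user83921047", "", True, 2000, 1.0,
            _burst(datetime(2025, 1, 21, 2, 0), 25, 30, SPAM)),
    Account("news91204571", "", True, 1500, 0.0,
            _burst(datetime(2025, 1, 21, 3, 10), 25, 20, SPAM)),
]

if __name__ == "__main__":
    shared = cross_account_texts(SAMPLE_ACCOUNTS)
    for acc in SAMPLE_ACCOUNTS:
        score, reasons = bot_score(acc, shared)
        print(f"{acc.username:15} score={score} {reasons}")
```

Each signal counts one point, so a score of three or more on these thresholds marks an account as suspicious; in practice the weights and cut-offs come from labelled data, and a single signal (a night-owl human, a new account with an empty bio) should never be treated as proof on its own.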
  6. Tomi Engdahl says:

    Cyber Insights 2025: Cybersecurity Regulatory Mayhem

    Cybersecurity regulations are facing a tipping point. There are too many and they are too complex to manage – and it’s getting worse.

    https://www.securityweek.com/cyber-insights-2025-cybersecurity-regulatory-mayhem/

    Reply
  7. Tomi Engdahl says:

    Endor Labs and Allies Launch Opengrep, Reviving True OSS for SAST

    Opengrep is a new consortium-backed fork of Semgrep, intended to be and remain a true genuine OSS SAST tool.

    https://www.securityweek.com/endor-labs-and-allies-launch-opengrep-reviving-true-oss-for-sast/

    Reply
  8. Tomi Engdahl says:

    A big change to the use of Mobiilivarmenne
    Mobiilivarmenne (the Finnish mobile certificate) will also be offered as an app, which makes it possible to use a fingerprint or face for authentication.
    https://www.iltalehti.fi/digiuutiset/a/11c53dd3-a5b2-4478-a297-2c1284d6f569

    Elisa and DNA are launching the Mobiilivarmenne app during early 2025. With the app, you can also authenticate to digital services using the phone's fingerprint or face recognition.

    Before the app launches, the Mobiilivarmenne authentication view gets a visual redesign. Its phased rollout started on 14 January, and many services already use the new authentication view.

    Free for Telia customers

    Mobiilivarmenne is a digital authentication tool tied to the phone's SIM card, whose popularity has grown rapidly over the past couple of years. It can be used to authenticate to more than 20,000 Finnish digital services, and it is available to Elisa, DNA and Telia customers.

    For Telia customers the service is free, while DNA and Elisa charge a couple of euros per month.

    – The explosive popularity of Mobiilivarmenne is the security phenomenon of 2024 and the biggest change in Finns' security attitudes in decades. The growth in awareness is a positive thing for the security of supply of society as a whole too, Elisa's chief information security officer Teemu Mäkelä enthused in a press release at the turn of the year.

    Authorities and banks recommend using Mobiilivarmenne instead of online banking credentials. Mobiilivarmenne keeps banking credentials safer, because when using it you do not end up revealing your banking credentials while verifying your identity if you happen to be on a scam site.

    With Mobiilivarmenne, you authenticate to services using your phone number and a PIN code of your choice.

    Reply
  9. Tomi Engdahl says:

    Cyber Insights 2025: Artificial Intelligence

    Artificial intelligence is upending cybersecurity. It is used by adversaries in their attacks, and by defenders in their defense.

    https://www.securityweek.com/cyber-insights-2025-artificial-intelligence/

    Reply
  10. Tomi Engdahl says:

    10 Best Vulnerability Assessment and Penetration Testing (VAPT) Tools in 2025
    https://cybersecuritynews.com/best-vapt-tools/

    Vulnerability Assessment and Penetration Testing (VAPT) tools are an integral part of any cybersecurity toolkit, playing a critical role in identifying, analyzing, and remediating security vulnerabilities in computer systems, networks, applications, and IT infrastructure.

    These tools enable organizations to proactively assess and strengthen their security posture by uncovering weaknesses and potential attack vectors before malicious actors can exploit them.

    By leveraging VAPT tools, businesses can stay one step ahead of cyber threats, ensuring the safety of their sensitive data and systems.

    Reply
  11. Tomi Engdahl says:

    Finnish university launches security technology programme
    The University of Jyväskylä is introducing a degree programme in security technology next year, marking a first for Finland.
    https://yle.fi/a/74-20139363

    Reply
  12. Tomi Engdahl says:

    BloodyAD: Open-source Active Directory privilege escalation framework
    BloodyAD is an open-source Active Directory privilege escalation framework that uses specialized LDAP calls to interact with domain controllers. It enables various privilege escalation techniques within Active Directory environments.
    https://www.helpnetsecurity.com/2025/01/28/bloodyad-active-directory-privilege-escalation/

    Reply
  13. Tomi Engdahl says:

    https://forum.eset.com/topic/1816-safe-software-download-sites-%E2%80%93-beware-of-deceptive-download-links-pups/

    So we then come to the question – which are the safe software download sites. Well today, if I have to download freeware, I usually prefer to download it from the developers website. This ensures that I get the latest version too.

    But if I have to visit a download sites, I prefer and trust the following:

    Majorgeeks.com

    Softpedia.com

    TechSpot.com

    Filehippo.com

    SnapFiles.com

    fileforum.betanews.com

    downloadcrew.com

    I am sure that there maybe a few more clean download sites. If you know of any other safe software download sites, please do share them with us in the comments, for the benefit of others. I am open to updating this list of safe software download sites.

    Reply
  14. Tomi Engdahl says:

    Security pros more confident about fending off ransomware, despite being battered by attacks
    Data leak, shmata leak. It will all work out, right?
    https://www.theregister.com/2025/01/28/research_security_pros_gain_ransomware/

    Reply
  15. Tomi Engdahl says:

    Trump Administration Faces Security Balancing Act in Borderless Cyber Landscape

    What challenges will the new administration face and what might President Trump’s record on cybersecurity indicate about the likely approach in 2025 and beyond?

    https://www.securityweek.com/trump-administration-faces-security-balancing-act-in-borderless-cyber-landscape/

    Reply
  16. Tomi Engdahl says:

    Over half a billion users stuck in the Windows 10 trap
    https://etn.fi/index.php/13-news/17101-yli-puoli-miljardia-kaeyttaejaeae-windows-10-loukussa

    Windows 10 users face a significant change, as Microsoft's official support ends on 14 October 2025. After that, the operating system will no longer receive security updates unless the user pays for a separate extended update service. Microsoft offers the option to extend security support by paying an additional 30 dollars, which gives one extra year of security fixes. This option may be useful especially for those whose devices do not meet Windows 11's hardware requirements.

    For many users the best solution is to upgrade to Windows 11, which is still possible for free if the device's technical specifications allow it. Microsoft has, however, hinted that this free upgrade option may end in the future, so the window for upgrading may be limited. At the same time the company is marketing new Copilot AI-optimised Windows 11 machines as the solution for those who want to upgrade both software and hardware at once.

    Not all Windows 10 users can move to the new operating system without difficulty, however. Many devices do not meet Windows 11's strict requirements, such as the TPM 2.0 security chip or modern processor technologies. Although there are unofficial ways to install Windows 11 on devices that do not officially meet the requirements, Microsoft does not recommend this and does not guarantee the system's security or stable operation.

    In January 2025, Windows 10's usage share fell for the first time in a long while, as about 40 million users upgraded to Windows 11. Despite this, more than 500 million users are still stuck on the old operating system. This may become a major security risk as October 2025 approaches and official updates end.

    Reply
  17. Tomi Engdahl says:

    Ransomware growth continues: new groups raise the severity of the threat
    https://etn.fi/index.php/13-news/17103-ransomwaren-kasvu-jatkuu-uudet-ryhmaet-lisaeaevaet-uhan-vakavuutta

    Cybercriminal activity shows no sign of fading: during 2024 the number of ransomware attack victims grew by as much as 26 percent. According to Cybernews' Ransomlooker tool, nearly 5,300 new ransomware victims were reported last year, despite extensive action by authorities to curb the operations of criminal groups.

    Geographically, the United States was by far the most targeted country for ransomware attacks. According to Ransomlooker's data, more than 1,700 US organisations fell victim, many times the number in other countries. Next on the list were Canada and the United Kingdom, where the number of victims was ten times smaller than in the United States.

    Although authorities strive to combat ransomware activity, the constant rise of new groups and the fragmentation of operations make it a hard threat to control. Industry experts stress that companies and organisations must step up their cybersecurity measures, as ransomware attack growth continues in 2025.

    Reply
  18. Tomi Engdahl says:

    Security Needs to Start Saying ‘No’ Again
    The rush to say “yes” allows cybersecurity teams to avoid hard conversations with business stakeholders but also risks losing their ability to effectively protect organizations.
    https://www.darkreading.com/cyber-risk/security-needs-start-saying-no-again

    Reply
  19. Tomi Engdahl says:

    Cyber Insights 2025: Quantum and the Threat to Encryption

    2025 is an important year – it is probably our last chance to start our migration to post quantum cryptography before we are all undone by cryptographically relevant quantum computers.

    https://www.securityweek.com/cyber-insights-2025-quantum-and-the-threat-to-encryption/

    SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Quantum computing and the threat to encryption.

    We (probably) will not get a cryptographically relevant quantum computer (CRQC) in 2025. Public key encryption (PKE) will (probably) remain safe through 2025. But… Well, there are issues. It is those issues we wish to explore here.

    Quantum decryption is getting perilously close. This article is a call to arms. We need to arm ourselves with quantum safe encryption – and crypto-agility – in 2025.

    Quantum’s relevance to cybersecurity

    It is a given that a sufficiently powerful quantum computer will be able to decrypt current PKE (such as RSA 2048) in or within 24 hours using Shor’s quantum algorithm or a derivative or improvement. That will upend cybersecurity as we know it today. All encrypted data that has been stolen and stored (harvest now, decrypt later) will be accessible to the group that stole it. Ongoing trust in and on the internet – its communications, its digital signatures, its transactions – would all be destroyed.

    This will happen if / when PKE is broken, regardless of how it is broken. The only generally accepted certainty is that it will be broken by a sufficiently powerful quantum computer. This is why NIST has been instrumental in developing new, stronger encryption algorithms based on mathematical problems that are thought to be resistant to quantum computers. This is NIST’s post quantum cryptography (PQC).

    Cybersecurity must migrate from using PKE to using PQC. But the urgency is still not fully understood by everyone, because the quantum threat is not fully understood by almost anyone. We’re going to shine some light on this and its progress through 2025.

    (Quick warning: quantum computers and encryption involve more acronyms than the three-letter agencies.)

    The timeline toward CRQC

    For CRQC, Martin Charbonneau, head of quantum safe networks at Nokia, suggests, “A good estimation of this timeline was constructed in the Global Risk Institute’s Quantum threat timeline report. In 2024, it estimated that by 2034, there was between a 17% and 34% chance that a cryptographically relevant quantum computer (CRQC) would exist capable of breaking RSA 2048 in 24 hours. The probability increases to 79% by 2044.”

    An alternative approach to timeline estimation could come from federal agency requirements. “The National Security Memorandum 10 (NSM-10) sets a clear deadline for the full migration to PQC by 2035. By this date, all cryptographic systems used by federal agencies must be quantum-resistant to ensure the security of sensitive information,” comments Carlos Aguilar Melchor, chief scientist, cybersecurity at SandboxAQ.

    He adds that specific agencies have tighter deadlines. “The Department of Homeland Security describes on its website a shorter transition that ends by 2030. Finally, the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), required for National Security Systems, has set PQC as preferred as soon as 2025 and as mandatory by 2030 to 2033 (depending on the application).”

    These dates range from now until 2035. The implication is that government is expecting CRQC any time after ten years from now.

    Meanwhile, on December 9, 2024, Hartmut Neven, founder and lead at Google Quantum AI, announced the Google Willow chip with two claims. First, it is super-fast: “Willow performed a standard benchmark computation in under five minutes that would take one of today’s fastest supercomputers 10 septillion years – a number that vastly exceeds the age of the Universe.”

    Second: “Willow can reduce errors exponentially as we scale up using more qubits. This cracks a key challenge in quantum error correction that the field has pursued for almost 30 years.”

    Does this affect already vague timelines, or have the already vague timelines already anticipated such events already? Frankly, we don’t know. Melchor comments, “This year theoretical advances have divided the number of required qubits by three and reduced the theoretical stability needed by a factor 10. Quantum computers steadily progress and sudden reductions on the target brought by theoretical advances can suddenly change the estimations, and strongly increase the urgency.”

    For cybersecurity defenders the standard adage remains true – you may hope for the best, but you should expect and prepare for the worst. CRQCs are getting closer at an unknown rate.

    The problem with qubits

    The reason it is difficult to predict a date for CRQC’s arrival is the nature of the quantum computer’s fundamental unit of calculation: the qubit. A qubit uses the unique quantum properties of superposition and entanglement to allow a greater number of possible states than the classical bit’s two-states. And the more qubits you have doing this, the greater the processing potential of the computer. That potential is almost unimaginable to anyone brought up on the limited two-state binary digit driven capability of classical computing.

    But qubits are not stable.

    This will surprise no-one who has looked at quantum mechanics – but it is this instability that causes the biggest problem in creating a usable quantum computer. Put simply, the stability of qubits is negatively affected by everything around them, from physical jolts to atmospheric noise. This leads to the phenomenon known as decoherence (basically, the loss of the quantum state) which introduces errors into computations involving qubits. These errors must be ‘corrected’ before the computational output can be trusted. And that is very, very difficult.

    One approach is to use error correcting software – but this is incredibly complex and requires a huge number of additional qubits to correct the errors in just one qubit. In loose terms, a large number of additional physical qubits are necessary for every logical (useful) qubit. A second approach is more mechanical – to develop and use qubits that are naturally more stable and resistant to decoherence.

    We can expect further progress, like Willow, on both fronts during 2025 – progress but probably no timeline-altering breakthrough. The engineering problem of having enough logical qubits operating together and able to practically unleash the full theoretical potential of quantum will be measured in years – we just don’t know how many or how few.

    As Jason Soroko, senior fellow at Sectigo, explains: “Not all qubits are created equal… consider the following attributes of those qubits: Coherence Time (the duration a qubit can maintain its quantum state); Gate Fidelity (the accuracy in quantum gate operations); Error Rates (the frequency of errors during qubit operations); and Scalability (the ability to maintain qubit quality as the system scales up).”

    Gate fidelity is important. “Shor’s algorithm requires gated qubits to complete its task, using a Quantum Fourier Transform which is part of what does the factorization work necessary to break RSA-2048,” says Soroko.

    “2024 saw significant quantum advances, including Quantinuum’s achievement of 99.9% 2-qubit gate fidelity in a production environment – an industry first,” says Duncan Jones, head of cyber at Quantinuum. “In 2025, we expect to build on these successes and make additional improvements in hardware, software, quantum tokens, cybersecurity, and other areas.”

    Adding AI to the development mix

    While declining to make any predictions (“There is no single roadmap that we have seen which will absolutely determine when a CRQC will emerge”), Skip Sanzeri – co-founder and COO at QuSecure, adds, “With AI developing so quickly we are seeing ways in which AI will speed time to a CRQC. For example, AI can help design more efficient algorithms and machine learning can simulate large numbers of quantum states enabling faster and more optimal quantum circuits.”

    AI, he adds, “will also play a role in hardware development (noise reduction and more stable qubits), optimization (quantum experiments, qubit manipulation), and quantum simulation of complex systems.” AI’s benefit to quantum technology could begin to be realized in 2025.

    It is worth noting this synergy between contemporary technology’s biggest innovations – quantum and AI. Quantum computers benefitting AI may well precede CRQC, but probably not this year. Neven, who named the Google lab he founded ‘Quantum AI’, has explained, “Both will prove to be the most transformational technologies of our time, but advanced AI will significantly benefit from access to quantum computing.”

    Sanzeri adds, “In our opinion, consensus of when a CRQC will be available will most likely be overestimated since we cannot determine the effect technologies like AI will have on the timeline. As such we believe a CRQC will be here in less than 5 years.”

    Karl Holmqvist, founder and CEO at Lastwall, is also wary of the combination of quantum and AI. “The combination of quantum and AI will produce cryptographically relevant results faster than either alone,” he suggests. It is entirely possible – although for cybersecurity we still hope unlikely – that CRQC will be achieved within just a few years.

    Cryptography’s own uncertainty principle

    NIST’s quantum proof encryption competition has focused on developing new algorithms to replace the current PKE that will fall to quantum computers. The focus is on algorithms that can serve the same purpose but be based on mathematical problems that are thought to be resistant to quantum computers. This is conceptually similar to current PKE, which is based on the mathematical difficulty of factoring very large numbers with just a classical computer.

    But there are two assumptions here: that PKE has not already quietly been broken by an adversary using classical computers and AI; and that the same or another adversary has not already secretly achieved CRQC. We believe that neither has happened – but we still need to ask the question.

    Sanzeri does not believe breaking PKE without quantum power is possible. “Breaking PKE will require an exponentially powerful computer, and our existing CMOS structures, even with AI optimized, cannot become exponentially powerful. The subatomic properties of superposition and entanglement enable quantum computers to reach exponential power.”

    But he also adds, “Cryptography has a long history of unexpected breakthroughs – algorithms once thought secure for decades have fallen to novel attacks. While other approaches like advanced classical algorithms haven’t demonstrated feasibility for breaking PKE yet, we can never be completely certain.”

    It is this lack of absolute certainty over any encryption algorithm that is the concern.

    He believes that any secret adversarial ability to break PKE will more likely come from a quantum computer than from a classical computer. But therein lies our second unprovable assumption – that despite the billions of dollars being spent on quantum development, no adversarial nation has yet, secretly, developed CRQC. We don’t believe it, but we cannot prove it. “As with all things security: assume the breach has already happened, and act accordingly,” says Roer.

    Holmqvist agrees that there is some uncertainty over adversarial capabilities. “The prize for breaking encryption is very high, and we know nation-state level entities are engaged in research on quantum computational systems. This means that if there were any significant breakthroughs in 2025 that might enable a system to be developed – it is possible – we might not know about them.”

    Thomas Matheus, CTO at Cystel Limited, believes the bigger threat comes not from the algorithms but from their implementation. “It is more likely to happen that organizations implement post-quantum cryptographic solutions or other quantum products (such as quantum key distribution or quantum VPN) and do not configure these solutions or products correctly.”

    But that assumes that the PQC algorithms are sufficiently strong, and that is yet one more uncertainty. Are NIST’s PQC algorithms themselves secure? After all, the SIKE candidate was broken with a classical computer and AI.

    Agility is key

    While cryptography’s uncertainty principle means that we cannot know for certain, however fervently we believe it, that PKE has not already been broken by a well-resourced adversary, we are similarly uncertain that NIST’s PQC algorithms are genuinely safe. Put simply, we may believe that NIST’s PQC algorithms are quantum safe (probably safe against quantum decryption), but we cannot prove they are quantum secure (provably secure against quantum decryption). In short, PQC algorithms up the ante in ongoing encryption, but do not provably solve the problem.

    In compensation, a second approach to the use of encryption systems has been quietly bubbling in the background: crypto-agility. This is not a new idea, dating from around the turn of this century. Cryptographic systems fall to attackers – that’s a fact proven by history. So, it makes sense to have an alternative encryption system ready, waiting, and easily usable. That is the concept known as crypto-agility.

    What is different today is that we know our current PKE encryption is going to fall with quantum computers. We are getting ready for this event by migrating wholesale to new algorithms. But although tested and scrutinized in laboratories, these algorithms are not yet proven in the battlefield. So, if anything, the need for crypto-agility is greater than ever – something NIST recognized from the beginning.

    Chen defines crypto-agility as, “the ability for machines to select their security algorithms in real time and based on their combined security functions; the ability to add new cryptographic features or algorithms to existing hardware or software, resulting in new, stronger security features; and the ability to gracefully retire cryptographic systems that have become either vulnerable or obsolete.” In short, it is “the flexibility to implement, update, and replace cryptographic components within IT-systems, without affecting its functionality.”

    Jones puts this into context. “NIST’s PQC algorithms have undergone rigorous evaluation against both quantum and classical attacks. However, no algorithm is entirely immune to unforeseen vulnerabilities.” (The breaking of SIKE during the competition proves this.)

    “This reinforces why crypto-agility is critical,” he adds. “Organizations must be able to adapt their infrastructure as algorithms evolve. Focus should be on building agile systems that can integrate new standards and algorithms when needed.”

    Summary – the encryption threat in 2025

    It is ironic that the arrival of CRQC loosely suffers from quantum uncertainty. If we focus on powerful quantum computers, we do not know when we will get them. If we focus on a point in time, we do not know what we will have at that point. All we do know is that at some time within the next fifteen years, and possibly the next five years, classical PKE will fall to quantum decryption – and if we are not prepared, that could be disastrous.

    Progress toward CRQC in 2025 will not be loud, but will be punctuated by occasional claims – like a new type of qubit that is more stable (such as neutral atoms), or new error correction capabilities (like Willow), or more qubits per processor (IBM is expected to introduce its ‘Kookaburra’ processor with more than 4,000 qubits).

    There is now a possibility that CRQC could arrive in as little as five years. There is an equal possibility that a full migration to PQC will take some companies longer than five years. In 2025, as Kevin Bocek, chief innovation officer at Venafi points out, for those who haven’t yet started their PQC migration, “Given this uncertainty, the journey to becoming quantum-proof must start now.”

    We have delved into the problems and potential solutions involved in quantum computer manufacture not because we expect any dramatic CRQC announcement during 2025, but to show how that date is getting closer. 2025 is an important year – it is probably our last chance to start our migration to PQC before we are all undone by CRQC.

    Postscript: It won’t stop there. Shor’s quantum algorithm will break our current asymmetric encryption (PKE). Grover’s algorithm can attack symmetric keys (such as AES 256). But Grover ‘merely’ increases the speed of decryption – effectively halving the key length and reducing AES 256 to AES 128.

    That’s a key still considered long enough – for now – and explains why NIST has concentrated on asymmetric algorithms. But that key length won’t be long enough to withstand quantum computers powerful enough to run Shor’s algorithm and with additional help from artificial intelligence, searching for methods to attack AES.

    We may have some wiggle room if we can increase the AES key length beyond 256 bits. Technically this should be possible since AES’ underlying cipher is Rijndael, and Rijndael will support a wider range of key and block sizes.

    Nevertheless, this whole process may need to be repeated at some point in the future, courtesy of the power of quantum computers.

    Reply
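As an added illustration of the crypto-agility the quoted piece describes (Chen's "add new algorithms" and "gracefully retire" abilities), here is a small Python example. It is not code from NIST, SecurityWeek or anyone quoted above. The algorithm identifier travels inside every protected envelope, so a new algorithm can be registered, and the old one deprecated and then retired, without touching the message format or the code that handles it. HMAC stands in for whatever primitive is actually being rolled (the same pattern applies to a KEM or signature being swapped for a PQC one); the registry, the envelope layout, the algorithm names and the demo key are assumptions made for the example.

```python
"""Crypto-agile message authentication: algorithm id carried in the envelope.
Added example, not code from NIST or anyone quoted on the page. Envelope
layout, algorithm names and demo key are assumptions for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Tuple


class Status(Enum):
    ACTIVE = "active"          # used to protect new messages; accepted on verify
    DEPRECATED = "deprecated"  # accepted on verify only, so stored data survives migration
    RETIRED = "retired"        # rejected on verify, even with a correct tag


@dataclass
class Algorithm:
    digest: Callable[..., object]  # hashlib constructor, e.g. hashlib.sha256
    status: Status


# The registry is the one place an operator edits to roll algorithms.
REGISTRY: Dict[str, Algorithm] = {
    "hmac-sha1": Algorithm(hashlib.sha1, Status.RETIRED),
    "hmac-sha256": Algorithm(hashlib.sha256, Status.ACTIVE),
}
PREFERRED = "hmac-sha256"  # algorithm used for new messages


def register(name: str, digest: Callable[..., object], status: Status = Status.ACTIVE) -> None:
    REGISTRY[name] = Algorithm(digest, status)


def set_status(name: str, status: Status) -> None:
    REGISTRY[name].status = status


def _tag(key: bytes, name: bytes, message: bytes, digest: Callable[..., object]) -> str:
    # The algorithm id is part of the MACed data, so an envelope cannot be
    # relabelled to a different algorithm without invalidating its tag.
    return hmac.new(key, name + b"\x00" + message, digest).hexdigest()


def protect(key: bytes, message: bytes) -> bytes:
    alg = REGISTRY[PREFERRED]
    if alg.status is not Status.ACTIVE:
        raise RuntimeError(f"{PREFERRED} may not be used for new messages")
    name = PREFERRED.encode("ascii")
    # Envelope layout (assumed): <alg-id>.<hex tag>.<message>
    return name + b"." + _tag(key, name, message, alg.digest).encode("ascii") + b"." + message


def verify(key: bytes, envelope: bytes) -> Tuple[bool, str]:
    try:
        name, tag_hex, message = envelope.split(b".", 2)
    except ValueError:
        return False, "malformed envelope"
    alg = REGISTRY.get(name.decode("ascii", "replace"))
    if alg is None or alg.status is Status.RETIRED:
        return False, f"algorithm {name!r} is unknown or retired"
    expected = _tag(key, name, message, alg.digest)
    if not hmac.compare_digest(expected, tag_hex.decode("ascii", "replace")):
        return False, "tag mismatch"
    if alg.status is Status.DEPRECATED:
        return True, f"valid, but {name!r} is deprecated; re-protect with {PREFERRED}"
    return True, "ok"


def migration_demo(key: bytes = b"demo key, not for production") -> Dict[str, object]:
    """Walk through add -> deprecate -> retire and record what verify() says at each step."""
    global PREFERRED
    results: Dict[str, object] = {}
    old = protect(key, b"reading=42")
    results["old_verifies"] = verify(key, old)[0]

    # 1. Add the replacement and make it preferred; existing envelopes are untouched.
    register("hmac-sha3-256", hashlib.sha3_256)
    PREFERRED = "hmac-sha3-256"
    new = protect(key, b"reading=43")
    results["new_verifies"] = verify(key, new)[0]

    # 2. Deprecate the old algorithm: stored messages still verify, with a warning.
    set_status("hmac-sha256", Status.DEPRECATED)
    ok, note = verify(key, old)
    results["old_after_deprecation"] = (ok, "deprecated" in note)

    # 3. Retire it: the very same envelope is now rejected outright.
    set_status("hmac-sha256", Status.RETIRED)
    results["old_after_retirement"] = verify(key, old)[0]

    # A correct tag under an already-retired algorithm is rejected too.
    sha1_env = b"hmac-sha1." + _tag(key, b"hmac-sha1", b"reading=1", hashlib.sha1).encode() + b".reading=1"
    results["retired_sha1_rejected"] = verify(key, sha1_env)[0]

    # Tampering with the message body invalidates the tag.
    results["tampered_rejected"] = verify(key, new[:-2] + b"99")[0]
    return results


if __name__ == "__main__":
    for step, outcome in migration_demo().items():
        print(f"{step}: {outcome}")
```

The two design points worth keeping when this is done for real: the algorithm identifier must be covered by the MAC or signature (otherwise an attacker can relabel an envelope), and deprecation and retirement must be separate states, because in practice the verify side has to keep accepting old material for as long as the migration of stored data takes. Negotiated formats such as TLS cipher suites or the JOSE/COSE "alg" header follow the same principle.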
  20. Tomi Engdahl says:

    Cyber Insights 2025: The CISO Outlook

    There has never been a single job description for the CISO – the role depends upon each company, its maturity, its size and resources, and the risk tolerance of boards.

    https://www.securityweek.com/cyber-insights-2025-the-ciso-outlook/

    The role of the CISO in 2025

    There has never been a single job description for the CISO – the role depends upon each company, its maturity, its size and resources, and the risk tolerance of individual boards. Nevertheless, the primary function of the CISO has continuously expanded from the original technical defense of IT systems to the wider purpose of managing business risk and ensuring business profitability in the face of cyberattacks.

    The CISO is no longer just a technical expert but a jack of all trades who must also understand business management, business finance, the legal implications of regulations, the concept of personal privacy, the psychology of company employees, the impact of geopolitics, the potential of artificial intelligence… and the list keeps growing.

    Sometimes, the CISO has actual responsibility – for example, for privacy and regulations, and increasingly for artificial intelligence – but always now with a consultative responsibility championing security to other company leaders. So, in addition to this expanding role, the CISO must be an expert communicator able to speak business to other leaders and tech to the security and IT teams. Nevertheless, the CISO often has responsibility without authority, but with liability.

    In 2025, only the details are likely to change.

    Reply
  21. Tomi Engdahl says:

    Exploitation of Over 700 Vulnerabilities Came to Light in 2024

    The number of vulnerabilities first reported as exploited surged last year amid a decrease in zero-day reports.

    https://www.securityweek.com/exploitation-of-over-700-vulnerabilities-came-to-light-in-2024/

    Reply
  22. Tomi Engdahl says:

    CISO Forum Webinar: Defenders on the Frontline – Incident Response and Threat Intel Under the Microscope

    Join this panel of CISOs and threat-intel professionals for a deep-dive on aligning incident response and threat intelligence with broader business objectives.

    https://www.securityweek.com/ciso-forum-webinar-defenders-on-the-frontline-incident-response-and-threat-intel-under-the-microscope/

    Reply
  23. Tomi Engdahl says:

    Texas Governor Orders Ban on DeepSeek, RedNote for Government Devices

    “Texas will not allow the Chinese Communist Party to infiltrate our state’s critical infrastructure through data-harvesting AI and social media apps,” Abbott said.

    https://www.securityweek.com/texas-governor-orders-ban-on-deepseek-rednote-for-government-devices/

    Texas Republican Gov. Greg Abbott issued a ban on Chinese artificial intelligence company DeepSeek for government-issued devices, becoming the first state to restrict the popular chatbot in such a manner. The upstart AI platform has sent shockwaves throughout the AI community after gaining popularity amongst American users in recent weeks.

    Reply
  24. Tomi Engdahl says:

    Trump Administration Faces Security Balancing Act in Borderless Cyber Landscape

    What challenges will the new administration face and what might President Trump’s record on cybersecurity indicate about the likely approach in 2025 and beyond?

    https://www.securityweek.com/trump-administration-faces-security-balancing-act-in-borderless-cyber-landscape/

    Reply
  25. Tomi Engdahl says:

In the end, security will become self-healing
https://etn.fi/index.php/13-news/17115-lopulta-tietoturvasta-tulee-itseaeaen-korjaava

Cybersecurity is moving toward fully autonomous systems in which artificial intelligence monitors, anticipates and repels attacks on its own. Check Point's vision is to create self-healing security that does not merely react to threats but prevents them before they emerge, the company's head of research Nataly Kremer said at the CPX2025 event in Vienna.

At the center of Check Point's roadmap is a hybrid mesh architecture that securely combines cloud services and on-premises systems. "Not all data belongs in the cloud. That is why we believe in an open platform that lets different products, including other vendors' solutions, work together," a Check Point representative says.

Security development rests on Check Point's Infinity platform, whose core consists of three key principles: a unified product, centralized management and seamless cooperation between different security solutions. Check Point's gateways do not just block malicious traffic; they also notify other vendors' security products of threats, and all of this happens automatically.

"This is what we mean by a platform: the ability to connect and automate security management so that threats are blocked cooperatively across different systems without manual intervention," Kremer clarifies.

Artificial intelligence is an increasingly important part of security. Last year Check Point launched AI Copilot, which helps analyze threats and speeds up response. Today's AI is still reactive, however; the next step is proactive protection.

"AI can already detect whether a router has a leak, or whether security policies are outdated. Some customers even have rules more than ten years old that have never been updated. AI not only monitors these rules but also updates them automatically in line with new threats," Kremer says.

    Reply
  26. Tomi Engdahl says:

According to consulting firm BearingPoint, only one in three Europeans believes they would use a digital euro in the future if one were available as a means of payment. Finland is the only country studied where the share of cash has continued to grow compared to last year.

    https://www.uusiteknologia.fi/2025/02/05/kuluttajista-vasta-kolmannes-on-kiinnostunut-digieuroista/

    Reply
  27. Tomi Engdahl says:

    Cyber Insights 2025: OT Security
    Just as OT technology differs from IT technology, the threats, likely adversaries, and potential harm also differ.
    https://www.securityweek.com/cyber-insights-2025-ot-security/

    SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with operational technology (OT) cybersecurity.

    OT risk is more extreme than IT risk. It could lead to social chaos, harm to individuals, damage to the national economy, and threats to national security. Welcome to OT security.

    By operational technology, we mean the hardware and software that is used to operate physical devices, typically in industrial settings. This includes the full range of ICS and SCADA systems and their components, the IoT devices that collect data from, and deliver instructions to the factory floor; programmable logic controllers, and the Human-Machine Interface (HMI) devices that allow human operators to monitor and control the rest of the OT systems.

    The nature of these systems means they are heavily concentrated within the critical infrastructure sectors. And just as OT technology differs from IT technology, so the threats, likely adversaries, and potential harm also differs. This is what we mean by OT security.

    OT security in 2025 – an overview

    All cybersecurity is a constant battle between adversaries and defenders. All battles ebb and flow. It will be the same for OT in 2025: there will be wins for the defenders and wins for the adversaries. David Redekop, founder and CEO at ADAMnetworks, describes 2025 as a ‘mixed bag’ for OT.

“As older equipment reaches end-of-life and is replaced, the new defaults will eliminate the criminals’ low-hanging fruit of easy-to-compromise credentials,” he explains. “On the flipside, attacker tools will continue to advance; so, the moment an attacker succeeds with a network implant, the discovery of exploitable hosts and services is more efficient than ever, leading to shorter dwell times and faster attacks.”

    John Gallagher, VP at Viakoo fears that OT is still viewed as the poor relative of IT. “OT often lacks the protections of traditional IT systems and is often configured and managed by non-IT people (making it more likely to be exploitable). That’s why IoT devices often use default passwords, are not on segmented networks, and are behind on firmware patches.”

    He is particularly concerned that already compromised systems – especially IoT devices – will be leveraged in 2025. “OT systems are often used for launching DDoS attacks, and these devices have botnet armies already in position and waiting to be activated. In 2025 these botnets will likely be capable of more sophisticated attacks, and will be harder to detect because of methods like polymorphic encoding.”

    Joe Saunders, founder & CEO at RunSafe Security, is clear on his view of the threats. “We can be certain that nation-states, adversaries, and APTs will target OT devices, the software supply chain, and critical infrastructure itself to potentially disrupt it,” he warns.

But don’t forget that the AI effect is a new threat to OT. “In 2025,” says Vivek Ponnada, SVP Growth & Strategy at Frenos, “it is likely more sophisticated attacks will leverage AI for increased accuracy – rather than using the technology to create malicious code – with the aim of making attacks harder to detect and defend against.”

    John Terrill, CSO at Phosphorus Cybersecurity, worries about new OT-focused malware. “Over the next year, I’m anticipating we will see more sophisticated OT malware.” It has been evolving over the last ten years with more support for different devices and protocols that until recently were thought to be obscure and difficult to manipulate.

    Regulations

    Where there are threats, so there are regulations. OT is automatically subject to most IT regulations, but there are additional regulations for specific critical industries, and some for specific OT devices.

    “As the threat landscape for OT systems expands, regulatory bodies around the world are introducing stricter compliance requirements for OT cybersecurity,” says Carlos Buenano, CTO for OT at Armis. He cites the continuing evolution of NERC CIP in the US and the NIS2 and CER directives in the EU as examples.

    The latest CIP-003 version 9 has an effective date of April 1, 2026. NIS2 (Network and Information Systems) expands its remit to include OT-heavy critical industry sectors such as energy, transport, healthcare, manufacturing and water. CER (the Critical Entities Resilience Directive), closely linked to NIS2, became active on October 18, 2024. (NIS2 came into effect on October 17, 2024 – although since it is a Directive rather than Regulation, actual implementation (that is, when it becomes active) can vary in detail and date between the different EU member nations).

    “In 2025, organizations must not only implement these protections but also demonstrate compliance through audits and continuous risk assessments,” adds Buenano.

    Secure-by-design is an implicit rather than explicit requirement for both hardware and software. “It will be a huge focus for manufacturers of OT products in 2025,” says Trevor Dearing, director of critical infrastructure at Illumio. “Manufacturers will be expected to address vulnerabilities, provide auto-updates, and contain potential threats, while ensuring that these practices don’t negatively impact the performance of such devices.”

    While ‘secure-by-design’ is not specifically required by law (difficult when there are no measurable objective metrics that can be applied), it is nevertheless urged and encouraged. CISA, for example, published a Secure by Design Pledge on May 8, 2024, “a voluntary pledge focused on enterprise software products and services…” It states, “Physical products such as IoT devices and consumer products are not scoped in the pledge, though companies who wish to demonstrate progress in those areas are welcome to do so.”

    There are signs that some regulatory progress is being made, but doubts over whether they can enforce more secure OT hardware continue. “Although there has been some good progress on the manufacturing side of things – with the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act and the US proposed Cyber Trust Mark for IoT devices – they are only a first small step and almost entirely focused on smart consumer IoT products and not on mission-critical OT cyber-physical systems like PLCs, HMIs, RTUs, and SCADA systems,” says John Vecchi, security strategist at Phosphorus Cybersecurity.

“Laws like the UK’s forcing organizations to not ship with default passwords are a start,” adds Gallagher, “but there is a very long way to go. Even if manufacturers improve the inherent device security, users are often not IT people and are not natives when it comes to staying on top of password changes, firmware updates, and using certificates.”

    This will be a problem for both suppliers and users of OT in 2025. Regulations implicitly require security but offer little advice on how to achieve it.

    IoT/IIoT

    IoT devices, often referred to as IIoT (Industrial Internet of Things) for devices in industrial settings, and their inherent issues (lost and forgotten but still connected, insecure and frequently with default passwords) play an important role in business transformation and the elevation of OT. But they will be a particular pain point for OT in 2025. “The explosion of IoT devices will expand the attack surface significantly,” warns Ihab Shraim, CTO at CSC.

    “Securing interconnected systems, particularly in critical infrastructure, will be a top priority for the private and public sectors.” He offers smart cities as an example: “Cybercriminals will exploit weaknesses in municipal IoT infrastructure, targeting traffic systems, public utilities, and surveillance networks.”

    The principle will apply across all OT domains, from factory floors to critical services – IoT is widely considered the low-hanging fruit of OT.

    Paul Savill, global network and edge computing practice leader at Kyndryl, quantifies the growth of IoT. “The global deployment of IoT devices is forecast to climb to more than 25.4 billion in 2030, almost triple from 8.74 billion devices in 2020.”

    But he adds the concomitant rise of private 5G networks for communication with and from IoT devices to the problem. “The proliferation of private 5G networks will create a double-edged sword,” he says. “While they offer untapped potential to accelerate digital transformation, the automation enabled by private 5G networks also allows hackers to run autonomous searches for exposed networks.”

    Furthermore, “As organizations continue to leverage private 5G networks in an effort to build more reliable connections compared to legacy network technology, its vulnerabilities can have a ripple effect across the entire connected infrastructure. A single software or equipment hack can take down all mission-critical assets across an organization.”

    Geopolitics and OT

    We cannot ignore the effect of geopolitics on security in general, but OT in particular. “The current geopolitical landscape is having a serious impact on the security of industrial organizations. This will continue in 2025,” warns David Neeson, senior SOC analyst at Barrier Networks.

    “A big threat in relation to this comes down to the work Russia is currently conducting to harm countries that ally with Ukraine. We can expect to see Russian state sponsored actors increase their sights on NATO member targets, with the aim of taking out critical supplies, such as water, gas and electricity,” he continued.

    He believes that attacks will likely target the traditional IT networks and then pivot to OT through the routes opened by business transformation. “These attacks will be dangerous and, if industrial organizations are not prepared, they could seriously harm the target country and its citizens.”

    But it’s not just Russia that should concern us. “Whether it is war between Ukraine and Russia, Chinese efforts to have backdoors and compromised devices around the world under their control, North Korean activities, Israeli offensive cyber capabilities, and others, it is clear that the battlefield has been growing into cyberspace,” warns Gallagher.

    “The cost and effort to root out already compromised ICS/OT/IoT devices is extraordinary; therefore, the issue is in who controls them (and for what intent), and whether there are effective mitigations in place (if not remediations).”

    He expects to see a growth in OT focused, geopolitically motivated nation state activity in 2025. “The trend seen from the Russia / Ukraine conflict can be a good learning example,” he suggests. “Initially, cyberattacks were data focused, then moved to using OT devices to gather intelligence, and are now becoming more physical – as demonstrated by the ‘skyscraper-high’ plume of sewage sprayed over Moscow (assumed to be from a Ukrainian cyberattack, as reported by The Register).”

    Russia has also been active, both within and around Ukraine. “During 2024, Russia-affiliated threat actors executed a campaign of physical sabotage throughout the European Union (EU) targeting critical infrastructure, the defense industry, and other elements of EU society,” notes John Sheehy, SVP Research & Strategy, IOActive.

    Destructive cybercrime

    Since OT involves cyber-physical devices, the potential for destructive cyber damage to become destructive physical damage is obvious – and in times of both hot and cold international warfare, the potential of nation state aggression for nation state purposes is equally obvious. But the potential for criminal activity against OT is also high.

    Before business transformation, OT was separated, often air-gapped, from the rest of IT, using arcane technology. Attacking OT was limited to the elite attackers. This no longer applies. “As OT systems and IT systems become more converged, attackers have stumbled on ways to cause disruption without having to rely on the sophisticated attack-craft,” says Oakley Cox, director of product at Darktrace.

    “That’s why some of the most disruptive attacks of the last year have come from hacktivist and financially-motivated criminal gangs – such as the hijacking of internet-exposed PLCs by anti-Israel hacking groups and ransomware attacks resulting in the cancellation of hospital operations.”

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*