Bernard Montel, EMEA Technical Director and Security Strategist at Tenable, breaks down the cybersecurity trend that could define 2025.

When looking back across 2024, what is evident is that cyberattacks are relentless. We’ve witnessed a number of Government advisories of threats to the computing infrastructure that underpins our lives. Cyberattacks targeting software that took businesses offline. 

We’ve seen record breaking tomes of data stolen in breaches with increasingly larger volumes of information extracted. And in July many felt the implications of an unprecedented outage  due to a non-malicious ‘cyber incident’, that illustrated just how reliant our critical systems are on software operating as it should at all times while also a sobering reminder of the widespread impact tech can have on our daily lives.

Why Can’t We Secure Ourselves?

While I’d like to say that the adversaries we face are cunning and clever, it’s simply not true. 

In the vast majority of cases, cyber criminals are optimistic and opportunistic. The reality is attackers don’t break defences, they get through them. Today, they continue to do what they’ve been doing for years because they know it works, be it ransomware, DDoS attacks, phishing, or any other attack methodology. 

The only difference is that they’ve learned from past mistakes and honed the way they do it for the biggest reward. If we don’t change things then 2025 will just see even more successful attacks.

Against this the attack surface that CISO’s and security leaders have to defend has evolved beyond the traditional bounds of IT security and continues to expand at an unprecedented rate. What was once a more manageable task of protecting a defined network perimeter has transformed into a complex challenge of securing a vast, interconnected web of IT, cloud, operational technology (OT) and internet-of-things (IoT) systems.

Cloud Makes It All Easier

Organisations have embraced cloud technologies for their myriad benefits. Be it private, public or a hybrid approach, cloud offers organisations scalability, flexibility and freedom for employees to work wherever, whenever. When you add that to the promise of cost savings combined with enhanced collaboration, cloud is a compelling proposition. 

However, it doesn’t just make it easier for organisations but also expands the attack surface threat actors can target. According to Tenable’s 2024 Cloud Security Outlook study, 95% of the 600 organisations surveyed said they had suffered a cloud-related breach in the previous 18-months. Among those, 92% reported exposure of sensitive data, and a majority acknowledged being harmed by the data exposure. If we don’t address this trend, in 2025 we could likely see these figures hit 100%.

In Tenable’s 2024 Cloud Risk Report, which examines the critical risks at play in modern cloud environments, nearly four in 10 organisations globally are leaving themselves exposed at the highest levels due to the “toxic cloud trilogy” of publicly exposed, critically vulnerable and highly privileged cloud workloads. Each of these misalignments alone introduces risk to cloud data, but the combination of all three drastically elevates the likelihood of exposure access by cyber attackers. 

When bad actors exploit these exposures, incidents commonly include application disruptions, full system takeovers, and DDoS attacks that are often associated with ransomware. Scenarios like these could devastate an organisation. According to IBM’s Cost of a Data Breach Report 2024 the average cost of a single data breach globally is nearly $5 million.

Taking Back Control

The war against cyber risk won’t be won with security strategies and solutions that stand divided. Organisations must achieve a single, unified view of all risks that exist within the entire infrastructure and then connect the dots between the lethal relationships to find and fix the priority exposures that drive up business risk.

Contextualization and prioritisation are the only ways to focus on what is essential. You might be able to ignore 95% of what is happening, but it’s the 0.01% that will put the company on the front page of tomorrow’s newspaper.

Vulnerabilities can be very intricate and complex, but the severity is when they come together with that toxic combination of access privileges that creates attack paths. Technologies are dynamic systems. Even if everything was “OK” yesterday, today someone might do something, change a configuration by mistake for example, with the result that a number of doors become aligned and can be pushed open by a threat actor. 

Identity and access management is highly complex, even more so in multi-cloud and hybrid cloud. Having visibility of who has access to what is crucial. Cloud Security Posture Management (CSPM) tools can help provide visibility, monitoring and auditing capabilities based on policies, all in an automated manner. Additionally, Cloud Infrastructure Entitlement Management (CIEM) is a cloud security category that addresses the essential need to secure identities and entitlements, and enforce least privilege, to protect cloud infrastructure. This provides visibility into an organisation’s cloud environment by identifying all its identities, permissions and resources, and their relationships, and using analysis to identify risk.

2025 can be a turning point for cybersecurity in the enterprise 

It’s not always about bad actors launching novel attacks, but organisations failing to address their greatest exposures. The good news is that security teams can expose and close many of these security gaps. Organisations must bolster their security strategies and invest in the necessary expertise to safeguard their digital assets effectively, especially as IT managers expand their infrastructure and move more assets into cloud environments. Raising the cybersecurity bar can often persuade threat actors to move on and find another target.

  • Cybersecurity
  • Infrastructure & Cloud

Related Stories

We believe in a personal approach

By working closely with our customers at every step of the way we ensure that we capture the dedication, enthusiasm and passion which has driven change within their organisations and inspire others with motivational real-life stories.