AI, Quantum, Digital Cloning — Cataloging some of the biggest cybersecurity trends we can expect in 2025

Morey Haber - Chief Security Advisor - BeyondTrust
3 days ago

As 2025 approaches, we indulge in the traditional New Year habit of future-gazing. In cybersecurity, we know planning is everything. We know to be forewarned is to be forearmed. At Dubai’s GITEX Global 2024 in October, we heard familiar warnings of escalating threats. Several ransomware groups, including LockBit 3.0 and Rhysida, had been found aggressively targeting the region.

Meanwhile, AI is, in many respects, a boon to businesses, but in the wrong hands it has been feared to be a bane as well. As we shall see, however, much of this fear has been unfounded. As the years progress, industry experts also continue to fret over the implications of quantum computing. So, as in previous festive celebrations, Middle East CISOs and their teams enter the new year on a knife edge, looking to protect environments that are more vulnerable against an attack landscape that is more sophisticated. Let’s delve into nine developments that are sure to shape the security industry in 2025.

  1. CISOs enjoy a tentative “phew” moment over the AI threat

Some industries have undoubtedly benefitted from AI. But outside of these specific use cases, even the benefits of the GenAI technologies that made such headlines in the previous two years are now being seen in some quarters as overblown. In 2025, expect to see businesses return to more proven narrow-AI use cases to restore predictability to the ROI of AI projects. Automation and the upskilling of business functions are likely to be among the most common implementations. In parallel, we can expect threat actors, in an attempt to minimize their costs, to return to using narrow AI to soften entry barriers. The fear of generative AI catalyzing a volume explosion in targeted, bespoke attacks is therefore unfounded.

  2. Quantum creep

Previous estimates suggest that where a digital machine would take 300 trillion years to crack 2-megabit RSA encryption, a 4,099-qubit quantum computer would only need 10 seconds. This post-quantum reality could be with us by the early 2030s, so we will probably continue to see individuals and organizations urge action on this critical future problem because of the implications it has for societies. We could see critical-infrastructure organizations, such as regional banks, telcos and government agencies, form exploratory committees to examine NIST’s post-quantum encryption standards. These will be important first steps on the long road to adoption — a road that is likely to be signposted with many new regulatory standards built around post-quantum cryptography.

  3. Farewell Windows 10

October 2025 will see end-of-life (EoL) announcements for Microsoft Windows 10. Only the most recent machines, those that have both Secure Boot and a TPM (Trusted Platform Module), will be eligible for Windows 11 upgrades, meaning everyone else will lose access to updates, including security patches. If this sounds like a recipe for vulnerability, that is because it is. Expect to see a fire sale of obsolete PCs in the second half of 2025. The forced obsolescence will be good news for the hardware market, however, especially ARM, which will likely see a volume shift to its mobile-friendly processors. Alternative OSes, such as Linux distributions like Ubuntu, will also benefit from organizations trying to minimize replacement costs.

  4. Digital cloning

Breach data is being repurposed to create fake online personas. It is a new approach to identity theft called “reverse identity theft”, in which an identity is linked to another without the knowledge of the legitimate party. Campaigns are already underway to merge fictitious data with legitimate data, especially where names are common. We can expect this to escalate in 2025.

  5. Nation vs nation: the critical infrastructure problem

As regions like the GCC build their national infrastructures in line with economic-diversification “Vision” programs, critical infrastructure sectors like healthcare and finance will be shiny objects for threat actors, especially those backed by nation states. In cyberwarfare, critical infrastructure is the first target and legacy systems are the most tempting. In 2025, government funding for cybersecurity will concentrate on boosting the cyber-maturity of critical-infrastructure organizations as they continue to merge their OT and IT environments.

  6. Chancing in the moonlight

With its large expat populations, the GCC may come to experience overemployment, with residents taking on multiple remote jobs. While many regional employment contracts explicitly prohibit it, the workers who choose to operate this way will be tempted to outsource some of their workload to AI. This is likely to occur under the employer’s radar and may include the creation of fake employees. Such moonlighting will give rise to more shadow IT and all the security implications that come with it, as well as legal issues surrounding content creation that fails to observe risks such as plagiarism.

  7. Guarding the Paths to Privilege

As identity compromises increase in frequency, 2025 will be the year CISOs begin to consider the Paths to Privilege™ that allow lateral movement — the insidious practice of gaining increasingly greater access rights. Privilege escalation is an issue that must be addressed through rigorous examination of trust relationships, configurations, and the processes by which entitlements are granted. Attackers are adept at manipulating cloud permissions, roles, and entitlements. Their attacks are preventable through a thorough re-evaluation of hygiene.

  8. Too many tools

Cybersecurity investments will continue to favor multiple point solutions that do not play well together. This will lead to detrimental effects on reporting and visibility, and security teams will bear the brunt — more gaps, more vectors, more paths to privilege.

  9. Cyber-insurance — some changes

The way cyber-insurance providers calculate risk will see some changes in 2025 to factor in AI and quantum computing. Expect to see more “acceptable use” clauses regarding these technologies, and get ready for a long hunt for policies without such restrictions or without exclusions for incidents where either AI or quantum computing is involved in a breach.

Prepare for a bumpy ride

Threat actors are not waiting. They are not trend-watching. They are creating the trends. Defenders must create some trends of their own or invite disaster. They should make cyber hygiene their New Year’s resolution.