If your company builds or sells software and connected devices in the EU, the new Cyber Resilience Act is something you need to pay close attention to. CRA introduces enforceable secure-by-design requirements across the entire product lifecycle. Here’s what product leaders and engineering teams should know to get ahead of compliance.

Remember the Raptor Train? 

A botnet of more than 200,000 compromised connected devices hijacked through unpatched vulnerabilities and insecure defaults, not because those companies lacked internal security policies, but because the products themselves were never designed or maintained with long-term security in mind.

This kind of large-scale product risk is exactly what the EU’s Cyber Resilience Act (CRA) is meant to address, especially given the fact some estimates claim there are nearly 21 billion connected devices in the world today.

So, let’s dig into how the CRA addresses the security of the connected devices.

What is Cyber Resilience Act? 

CRA is one of the most significant shifts in digital product regulation in years that sets mandatory cybersecurity requirements for digital products sold in the European market. 

While NIS2 and DORA regulate how organizations operate, CRA regulates what certain organizations build. 

It applies to nearly any “product with digital elements” (PDE) – a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.

For product leaders, engineering teams, and security owners shipping digital products to the EU market, CRA will change how products are planned, developed, released, and maintained.

In other words, cybersecurity is no longer a “launch and forget” problem. It’s a product discipline.

What CRA actually requires

At its core, CRA turns cybersecurity into a product safety requirement. To sell in the EU, a product must meet baseline security expectations throughout its lifecycle. 

That includes:

Secure-by-design and secure-by-default

You must perform risk assessments early, design with security controls, strong configuration, authentication, and encryption in mind, test for vulnerabilities, and avoid shipping known exploitable vulnerabilities.

Transparent components

The supply chain is widely recognized as a significant cybersecurity risk today. Any included libraries, open-source packages, third-party modules, or firmware components must be documented and traceable through a Software Bill of Materials (SBOM). Managing these third-party components systematically, beyond just documentation, is what a third-party cyber risk management framework is built for.

Vulnerability management and long-term updatessecure-by-default

Manufacturers must document and patch newly discovered vulnerabilities and maintain security updates – typically for five years or for the expected lifespan of the product, all the while keeping up transparent communication towards their customers.

Clear reporting obligations

Actively exploited vulnerabilities and severe incidents must be reported quickly (24h early warning, 72h detailed report).

Conformity assessment and CE marking

Before you place a product on the EU market, you’ll need an internal or third-party assessment and to affix CE marking demonstrating compliance. Non-compliance can lead to fines up to €15M or 2.5% of global turnover and prohibiting the sales of products that do not meet mandatory requirements.

Who is impacted?

CRA applies to the entire digital-product ecosystem:

CRA classifies products by risk level, so higher-risk products (e.g., identity systems, password managers, browsers, network equipment, industrial devices) require independent conformity assessments, while lower-risk products can rely on self-assessment.

Additionally, not every digital product falls under the scope of the CRA, it mostly focuses on consumer products. 

Standalone websites and cloud services are exempt when they are not used to enable or operate a product with digital elements, as is non-commercial open-source software. Products that are already regulated under dedicated EU sector frameworks are also excluded. Organisations in the UK defence sector face parallel obligations under Cyber Security Model v4, which mandates cybersecurity controls for all MOD suppliers independently of CRA.

For more details on the above, the recently released CRA implementing act contains technical descriptions related to important and critical products.

Key dates

The biggest CRA challenges ahead

Based on the current cybersecurity trends and how most companies ship software today, CRA will expose several weaknesses:

How we help companies become CRA-ready

At Infinum, we work with organizations to build digital products that are secure by design – and now, compliant by design. Our cybersecurity offering supports CRA readiness across the product lifecycle, from threat modeling and secure architecture all the way to continuous monitoring and long-term maintenance planning.

CRA compliance isn’t just about meeting legal obligations; it’s about earning and maintaining customer trust in an increasingly competitive market by building safer, more reliable products.

Most teams don’t know where they stand today, so reach out for a CRA gap analysis or product security review to close the gaps before regulation becomes a blocker.Most teams don’t know where they stand today, so reach out for a CRA gap analysis or product security review to close the gaps before regulation becomes a blocker.

Cybersecurity in 2026 is no longer about what’s coming next, but about managing what’s already here. AI-driven attacks, stricter global regulations, supply chain exposure – here’s how to stay ahead when compromise is no longer hypothetical.

It’s 8 a.m. Your company’s email system goes down.

Minutes later, a poisoned update floods your development pipeline, silently embedding malware into every product your team touches.

AI-generated phishing emails land in employees’ inboxes, flawlessly mimicking the voices of their managers.

Customer data, vendor credentials, and financial records are exposed before anyone even realizes an attack has begun.

This is no longer science fiction.

Many of the trends we predicted in 2025 – large breaches, ransomware waves, rising supply-chain compromises, and AI-enabled cyber attacks have fully materialized. 

What was once the future of cybercrime is now simply the present. Here’s what that means as we step into 2026.

Regulations are still driving change

In 2026, cybersecurity regulations are moving toward greater global convergence and stricter enforcement. 

Key developments include the EU’s NIS2 Directive for critical entities and the EU Cyber Resilience Act (CRA), which mandates security for products with digital elements and reporting obligations starting September 11, 2026. 

Across the Atlantic, the U.S. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is coming into force, requiring rapid reporting of cyber incidents and ransomware payments.

Turning regulatory requirements into something teams can actually operate requires clear ownership, realistic controls, and alignment with how the business works.

AI still on both sides of the fence

Artificial intelligence has become both the sword and the shield.

Threat actors now rely on AI to scale phishing operations, localize social engineering campaigns at speed, evade detection by generating polymorphic malware, and automate reconnaissance across massive attack surfaces. 

Anthropic’s article on the first AI-orchestrated campaign says that this marks a pivotal shift in cybersecurity, highlighting the emergence of AI agents – systems that can be run autonomously for long periods of time and that complete complex tasks largely independent of human intervention.

Deepfakes, voice cloning, and identity fraud also became mainstream tools for deception, with deepfakes in particular growing increasingly difficult to detect.

The result is what many organizations now recognize as a crisis of authenticity – verifying identity, intent, and digital trust has never been harder.

At the same time, a new risk category has emerged: attacks targeting AI systems themselves. Data and model poisoning, prompt injection, model extraction, and compromised AI pipelines are becoming real concerns. 

Protecting AI systems is now inseparable from protecting core infrastructure.

On the defensive side, organizations are increasingly deploying AI-powered security operations platforms and agentic SOC tooling to process behavioral alerts, correlate signals, and accelerate incident response. 

AI now plays a central role in threat detection, analysis, and automated containment, helping defenders simply keep up with the scale of modern attack activity.

The rise of vibe coding and the speed-security tradeoff

We’re not done with AI quite yet.

AI-assisted development has transformed how software is built. Natural-language prompts replace detailed requirements. Entire features are generated instantly. Deployment cycles have collapsed from weeks into hours.

The productivity gains are enormous, but so is the risk. Wiz showed that almost 20% of vibe coded apps include serious vulnerabilities.

In 2026, the challenge is clear: organizations must preserve development speed without abandoning safety. 

Automated code security analysis, dependency scanning, AI-generated testing, and policy-based delivery guardrails are becoming mandatory to keep pace with modern development practices.

The evolution of phishing

Of all cyber threats in 2025, phishing remained the dominant force.

High-profile attacks, such as the Scattered Spider compromise of Marks & Spencer and the Co-Op incident, highlighted the enormous financial impact of credential-focused campaigns, with losses estimated at £300M and £270-440M, respectively. 

What changed in 2025?

Phishing became more sophisticated and precise:

In 2026, defending against phishing means putting identity security at the center of operational defense:

Identity has become the new firewall, the first line of defense in a landscape where trust is constantly under attack.

Modern supply chain security = owning risk beyond what you control

Cue Shai-Hulud 2.0 as a prominent recent example.

Shai-Hulud 2.0 demonstrated how upstream compromise of developer tooling can silently infect thousands of downstream projects, without attackers targeting the end organizations at all. 

By poisoning packages that developers trusted and pulled directly into production, the attack bypassed perimeter defenses entirely.

We can almost predict the headlines for 2026.

Security maturity is now measured not only by how well you protect your own assets, but by how deeply you understand and manage your entire vendor ecosystem, including your shadow IT. 

Dependencies are no longer just code libraries – they are hosted platforms, analytics services, support tools, collaboration APIs, and managed cloud infrastructure.

The axios npm supply chain attack in March 2026 shows exactly how this plays out — a single compromised npm account turned a library with 100 million weekly downloads into a malware delivery vehicle for under three hours.

In 2026, supply-chain security is operational security:

For a structured framework to manage this vendor exposure end-to-end, our guide to third-party cyber risk management walks through the full lifecycle from vendor identification to offboarding.

These steps now define baseline resilience.

Resilience meets prevention

The mindset around cybersecurity has changed.

While prevention remains critical, leadership teams now actively assume that compromise is possible, even likely, and design accordingly.

The breaches in recent years showed that many attacks operate without malware, relying instead on stolen credentials, social engineering, abused APIs, or compromised vendors. These techniques bypass traditional perimeter defenses and signature-based detection tools entirely.

In response, organizations should be prioritizing:

The focus is shifting from “How do we prevent every attack?” to “How quickly can we detect, contain, and recover?”

With ransomware-as-a-service still looming large and threat actors broadening their scope, robust resilience and incident response capabilities are becoming the new benchmark of cybersecurity maturity. 

Finding a holistic security partner

In this new environment, cybersecurity requires more than just point solutions or compliance checklists.

Organizations need a holistic security partner – one that understands modern application ecosystems, AI exposure, supply-chain complexity, and operational resilience.

That’s why Infinum’s emerging cybersecurity offering covers a wide-range of cybersecurity services. Here’s how we can help:

As we step into 2026, organizations need cybersecurity that is practical, adaptive, and deeply integrated with how modern products are built and operated.

If you need help to design, deploy, and operate secure digital products that can stand strong not only today, but through whatever innovations tomorrow brings – contact our experienced team.

Sometimes the most dangerous piece of software is the one you didn’t even write. With supply chain attacks on the rise, software supply chain security is now critical to protecting not just your code, but everything your code depends on.

When we talk about a “supply chain,” most people picture the journey of a physical product: from raw materials through manufacturing to assembling, distribution, and sale. Obviously, no company does it all alone; they rely on a network of partners to make it happen.

Software works the same way.

Modern applications aren’t built from scratch, they’re assembled. Behind every app is a complex ecosystem of developer tools, CI/CD systems, cloud services, and open-source code. As The Linux Foundation reports, 70 to 90% of most applications today are made up of third-party components.

We saw that risk explode into reality recently.

Cycode states that a phishing campaign led to the hijacking of core NPM packages like chalk, debug, and strip-ansi, libraries downloaded over 2 billion times per week. SC Media reports that days later, another attack infected more than 200 NPM packages, including those linked to CrowdStrike, using a self-replicating worm that exfiltrated data, created rogue GitHub workflows, and attempted to spread downstream.

It’s no longer just about writing secure code, it’s about securing everything you rely on to build, deploy, and maintain it. 

In this article, we’ll introduce supply chain security and cover best practices for reducing risk – from defining requirements all the way to development, deployment, and maintenance.

The topics we’ll cover include:

What is Software Supply Chain Security (SSCS)?

Software Supply Chain Security (SSCS) is the practice of securing all the components, tools, people, and processes involved in the development, deployment, and maintenance of software, from third-party libraries and CI/CD pipelines to developer environments and cloud infrastructure. 

If you’re only securing your app but ignoring the tools and dependencies you use to build it, you’re not secure. Modern software isn’t built from scratch. It’s assembled. And even a single vulnerable dependency can compromise your entire product.

That’s why SSCS is a critical part of secure software development. It ensures every link in the chain is trusted, verified, and resilient. It’s also why regulations like NIS2 or CRA put so much emphasis on it.

What are the most common threats in the software supply chain?

Software supply chain security goes far beyond writing secure code. It’s about making sure malicious actors can’t sneak in through the tools, environments, and people your app depends on.

Here are some of the most common entry points attackers exploit:

Most common types of supply chain attacks

Once inside, here’s what those attacks can look like in the real world:

And that’s not even an exhaustive list.

Many of these attacks exploit gaps in the development process itself.

Even if your code is secure and your infrastructure hardened, vulnerabilities can slip in when there’s limited visibility, inconsistent practices, or missing security checks — which is why integrating security throughout the Software Development Lifecycle (SDLC), often referred to as the Secure Software Development Lifecycle (SSDLC), is so valuable.

Integrating security at every stage of the SDLC

The SSDLC encourages embedding security practices at every stage of development. This approach, often referred to as “shifting left”, helps identify and remediate threats early, before they reach production. 

It doesn’t eliminate supply chain risks entirely, but it reduces the risk of vulnerabilities slipping through unnoticed and the likelihood that compromised dependencies, misconfigured pipelines, or weak controls turn into full-blown breaches.

Here’s what that can look like:

How to adopt secure software development lifecycle (SSDLC) practices

Let’s break it down through some high-level SSDLC phases and their security-minded steps:

1. Planning

Planning is arguably the most critical step for supply chain security, as it helps prevent hidden vulnerabilities through thorough due diligence.

2. Design

Design is your chance to build supply chain defenses into the architecture.

3. Development

Development is where insecure code or unvetted dependencies can silently enter your supply chain. 

4. Testing

Testing is where you validate not just your code, but the behavior of any external components or APIs. It helps expose risks before they become real threats

5. Build & deploy

Build and deployment pipelines are a prime target for supply chain attacks. Securing CI/CD is a non-negotiable for trust and integrity.

6. Distribution

Distribution is when your software becomes part of someone else’s supply chain. It helps build trust and transparency with clients and downstream users.

7. Maintenance

Maintenance ensures your supply chain remains secure over time. Nothing is more dangerous than running software that becomes forgotten.

You don’t need to get it perfect from day one. Just start building with intention, iterate often, and treat security as a shared responsibility across your stack.

Which industry standards and frameworks to explore for SSDLC?

Luckily for you, you don’t have to start from scratch.

There are frameworks built by security pros to help you get it right. Use OWASP SAMM, NIST SSDF, or Microsoft’s SDL as a baseline to evaluate your current practices and make steady, structured improvements.

How to build a response plan and keep your security policies sharp

The worst time to figure out your incident response plan is while the incident is happening.

Investing time into developing a clear, actionable incident response plan is non-negotiable. 

And that’s just the beginning.

As software evolves, so do the threats. If your security policies are stuck in last year’s playbook, you’re not protected. Review and update your practices regularly, from dependency management and access control to patching and third-party risk.

Stay informed, stay adaptable, and stay ahead before someone else forces you to.

How to manage human risk in the supply chain security

Technology alone isn’t enough. Security depends on people, and people are often the easiest way in.

Phishing and social engineering remain some of the most effective tactics in supply chain attacks. Recent incidents like the hijacking of chalk and debug began with a fake MFA email sent to a trusted maintainer. No zero-days. No malware. Just a well-crafted message and a moment of inattention.

That’s why security culture matters as much as security tooling.

Start with the basics:

Isn’t this all a bit too much?

Yes, it can feel like a lot. But you don’t need to boil the ocean, just start where it matters most. Use a model like OWASP SAMM to assess where you stand, identify your biggest risks, and go for a few quick wins.

Here are a few that pack a punch:

Security maturity comes from small, consistent moves in the right direction

Remember: you can outsource code, but you can’t outsource accountability. What matters most is building a culture where no one makes security the other person’s job.

Proceed to shift security left, raise awareness, automate what you can, patch early, and document everything. If you need some extra support, feel free to reach out to our certified experts. 

Picture this: every second, somewhere in the world, a system is being probed, a login page is under siege, or someone’s inbox is getting a phishing email that looks just convincing enough.

Cybercrime in 2025 isn’t just a risk; it’s a trillion-dollar economy more profitable than the global drug trade, which operates 24/7.

Cyberattacks per day: From thousands to hundreds of millions

When discussing cyberattacks, the definition is crucial. Are we counting every spammy probe, or only the ones that hurt?

And if you zoom out to victims, the Identity Theft Resource Center reports that 1.7 billion people were affected by cyber incidents in 2024. Do the math: that’s 4.6 million individuals per day, or 54 people affected every second. By the time you’ve finished reading this sentence, a handful more people just got pwned.

The price of a breach: $4.4M on average

Getting hacked isn’t just embarrassing; it’s expensive.

That 9% drop is attributed to improved detection and the rise of AI-powered defenses. But don’t break out the champagne yet: multimillion-dollar hits are still the norm.

Healthcare continues to top the charts, with breach costs hovering around $10M per incident. That marks a grim 14-year streak of leading the “most expensive” list. Finance, tech, and energy aren’t far behind.

Energy, utilities, and manufacturing face a compounding factor that purely digital sectors do not: many of their systems run on operational technology — industrial controls and SCADA platforms where a breach can trigger physical shutdowns, not just data loss. Understanding OT security and where IT networks intersect with these physical systems is what separates a recoverable incident from an infrastructure failure.

The cybercrime economy: $10.5 trillion in 2025

Here’s where it gets truly staggering: the total global cost of cybercrime is projected to hit $10.5 trillion annually by the end of 2025.

To put that in perspective:

This $10.5 trillion includes everything from ransomware payouts and fraud to downtime, recovery, and stolen IP. For context, cybercrime “only” cost $3 trillion back in 2015, which means damages have ballooned by 250% in a decade.

The bottom line

Cybercrime in 2025 isn’t just a line item in IT’s budget. It’s a planetary-scale economic drain bigger than natural disasters.

If the answer is unsettling, structured governance, risk, and compliance services are often where organisations start, defining what needs protecting, who owns what, and what happens when something goes wrong.

The good news? Smarter defenses are starting to bend some curves, as seen in the dip in average breach costs. The bad news? The scale of attacks means vigilance isn’t optional.

So here’s the uncomfortable question for decision-makers: When was the last time you pressure-tested your product, your defenses, or your people?

Because in 2025, resilience isn’t about whether you’ll be targeted. It’s about when and how ready you’ll be when it happens. The most direct way to measure that readiness is a red team exercise — a controlled simulation of a real attack that tests whether your detection and response would actually hold up.

One often-overlooked exposure is vendor risk, a single compromised third party can trigger the very breaches described above. Our guide to third-party cyber risk management explains how to get ahead of it.

The 2025 cybersecurity trends point to another high-stakes year. From the omnipresent AI helping both attackers and defenders to growing regulatory pressure, here’s what to expect – and how to stay one step ahead. 

From a cybersecurity standpoint, 2024 was a pretty wild ride. Around this time last year, we were mapping out the trends it might bring, spurred by the largest data breach in history. It turned out that it wasn’t the only record of the year – 2024 also gave us the largest IT outage of all time, which we also didn’t fail to address.

Twelve months have gone by, and while some of last year’s trends remain just as relevant, new challenges also appear on the horizon. Hopefully, by building awareness around these topics and continuing to make security a priority, we just might keep 2025 from serving up any more “largest-ever” incidents. 

On that note, let’s dive into the 2025 cybersecurity trends. Buckle up, because the ride is only getting faster.

AI between heaven & hell

There’s hardly a corner of the digital world AI hasn’t transformed, or at least disrupted, and cybersecurity is no exception. In this space, artificial intelligence is a tool for both sides of the fence, serving attackers as well as defenders.

AI in cyber defense

A key defense area in cybersecurity is tracking and analyzing massive volumes of data in real time to spot suspicious behavior – something AI excels at. By instantly processing network traffic, user activities, access logs, and various Indicators of Compromise (IoC), AI-powered security systems can detect anomalies, identify threats, and generate actionable intelligence far faster than humans can.

This job is performed by various advanced tools that have successfully integrated AI into their solutions. Beyond detecting threats, they’re also evolving to include capabilities such as:

And this is just the beginning. AI’s potential stretches toward advanced threat detection, autonomous security systems, proactive threat hunting, and AI-driven incident response – all on the horizon and ready to redefine what’s possible in cybersecurity.

AI in cyber attacks

The WEF Global Cybersecurity Outlook 2025 notes that:

Why manually craft social engineering attacks when AI can churn out endless variations with minimal time, effort, or investment? And it’s not just emails – deepfake attacks have also skyrocketed in 2024, with Entrust reporting one attempt every five minutes on average.

Pair that with McAfee’s study showing that 70% of people are unsure whether they can tell the difference between a cloned voice and the real thing, and you’ve got real cause for concern in the upcoming years.

And when it comes to threats to AI and ML systems themselves, OWASP ML Top 10 is a valuable resource for those interested in security testing and exploring the wealth of attack scenarios. The list covers input manipulation, model poisoning, and more critical vulnerabilities.

Reining in AI?

As AI continues to grow in power and influence, so do the calls to regulate it. The potential for misuse, alongside the security and ethical risks it presents, has prompted a wave of new frameworks and legislation. 

For example, the International Organization for Standardization (ISO) has introduced ISO 42001, providing organizations with a framework for managing risks associated with AI-powered systems.

The EU’s AI Act, which entered into force on August 1, 2024, establishes a harmonized regulatory framework for AI across member states. It categorizes AI systems based on risk levels – minimal, limited, high, and unacceptable – and imposes corresponding requirements. High-risk AI systems, especially in sectors like healthcare and law enforcement, face stringent obligations to ensure transparency, data governance, and human oversight. The Act also bans certain practices, such as real-time remote biometric identification in public spaces, with limited exceptions.

In the US, in the absence of comprehensive federal AI legislation, individual states are stepping in, such as Colorado with its AI Act. In 2023, the Biden Administration issued an executive order on AI regulation, only to be rescinded on Trump’s first day back in office. This underscores how politics, AI, and cybersecurity are becoming deeply intertwined and leaves us wondering how this story will unfold in the year ahead.

While we still have a long way to go, it’s clear that steps are being taken in the right direction.

Moles in the supply chain

As businesses fortify their defenses against direct attacks, hackers are shifting focus to a more indirect route: the supply chain. By exploiting vulnerabilities in third-party suppliers and service providers, attackers can slip through the cracks and gain backdoor access to sensitive IT systems. In environments where IT connects to operational technology, manufacturing lines, energy grids, and water treatment, that backdoor access can escalate from a data breach into a physical disruption. Understanding OT security and how IT/OT convergence expands the attack surface is increasingly relevant for any organization running industrial or critical infrastructure.

One recent example of this growing threat is the Cyberhaven Chrome Extension hack, where an employee’s account was hacked in a phishing attack. This allowed attackers to publish a malicious version of Cyberhaven’s Chrome extension so they could steal browser cookies and authentication sessions. The irony here is that the extension’s very purpose is preventing unauthorized data exfiltration.

Another notable incident occurred in December 2024, when the US Treasury fell victim to a cyberattack attributed to a Chinese state-sponsored actor. The hackers exploited vulnerabilities in a third-party remote tech support product, demonstrating the risks of relying on external vendors. Experts predict these types of breaches will only increase in 2025.

To combat these threats, businesses must take proactive steps to assess and monitor their suppliers, ensuring they meet strict security standards. Key measures include:

By finding and addressing their security vulnerabilities, organizations can better protect themselves from becoming the next victim of a supply chain attack.

Disorder in the cloud

Cloud adoption continues its steady rise, cementing its role as a key component of modern business operations. According to G2’s recent report on cloud statistics:

However, as businesses increasingly lean on the cloud, its security challenges become harder to ignore. Over the years, we have identified several cloud security threats that vigilant attackers can see as low-hanging fruit:

Together, this can be a perfect storm for attackers to exploit, especially if one assumes the “shared responsibility model” actually means “the provider is 100% responsible for security.”

But it’s not all doom and gloom. The zero trust security model, which operates on the principle of “never trust, always verify,” is gaining widespread adoption. This approach enhances network security and reduces the risk of unauthorized access by requiring continuous verification of users and devices, regardless of their location.

Additionally, Cloud Security Posture Management (CSPM) tools, such as Microsoft Defender for Cloud), are becoming essential for identifying vulnerabilities and maintaining secure cloud configurations. By combining these with Identity and Access Management (IAM) practices, organizations can ensure that only legitimate users interact with cloud resources.

In 2025, DevSecOps teams worldwide will be keeping busy architecting and implementing cloud environments that are more resilient to these challenges, ensuring businesses can harness the cloud’s benefits without compromising security.

The ransomware threat

According to Google’s Cybersecurity Forecast 2025:

The numbers from 2024 back this up. Comparitech’s Randsomware roundup: 2024 end-of-year report reveals that nearly 200 million records were compromised last year, and over $133 million was paid in ransoms, with the average payment reaching a staggering $9,5 million. Finance and healthcare institutions bore the brunt of these attacks, with attackers deploying more than two dozen ransomware strains to exploit vulnerabilities in these sectors.

And that’s just what’s been reported. The true scale of ransomware incidents is outside anyone’s reach. One thing is clear, though: the ransomware economy is thriving, and its upward trajectory will likely continue in 2025.

Regulations, regulations, regulations

Cybersecurity regulations are evolving rapidly, keeping businesses, governments, and individuals on high alert. As cyber threats grow more sophisticated, global and regional frameworks like the European Union’s NIS2, DORA, and CRA are pushing private companies and public institutions to rethink their cyber defenses.

In the US, a significant step was taken on January 16, 2025, with an executive order mandating adherence to minimum security standards. The order addresses a wide range of priorities, including anticipating foreign cyberattacks and preparing for the emerging threats posed by quantum computing.

While they may be demanding, these regulations serve an important purpose: fostering a culture of vigilance, accountability, and proactive risk management. Cybersecurity is no longer a siloed concern – it’s a shared responsibility across all sectors.

Infinum recommends: how to stay cyber-safe in 2025

Knowing what’s trending in the cybersecurity space is important, but staying safe requires action. Here are five key recommendations from Infinum’s cybersecurity team to help secure your systems in 2025:

Make 2025 the year of resilience

The cybersecurity landscape will only become more dynamic in 2025. Regardless of your industry or company size, meeting this year’s challenges will demand adaptability, expertise, and constant vigilance.

If you’re looking for a partner to help you navigate these complexities – or to tackle specific activities from our recommendation list (we offer most of them) – head over to our Cybersecurity page for more information. Together, we can make 2025 a safer year for your business.

Security is a dish best served throughout the development process. Find out how adopting the Secure Software Development Life Cycle (SSDLC) protects your application from ever-evolving dangers in the digital space.

In today’s software development world, there is so much to think about: quality code, continuous integration and development, cloud environments, high performance and availability, top-notch user experience… The list goes on. However, one aspect that genuinely ties it all together is cybersecurity. Or, in this case, application security.

Why is this so important? You can have the most beautiful windows and the finest furniture in the world, but they’re of little use if the first gust of wind brings the whole building down. And as we know, the winds, tornadoes, hurricanes, and earthquakes of cyber threats show no signs of letting up.

And this isn’t just about product team responsibility anymore, it’s a legal requirement.

The Cyber Resilience Act, taking effect throughout 2026, introduces mandatory cybersecurity rules for digital products sold in the EU. It’s part of a broader push to raise digital resilience and will directly impact how products are designed, built, and maintained.

This is where the Secure Software Development Life Cycle (SSDLC) comes in. Often mentioned alongside the phrase “shift left,” the methodology emphasizes the importance of integrating security practices throughout the development process.

This challenge is compounded when teams use AI-assisted development. Our research into AI-generated code security risks shows that even detailed security prompts leave significant gaps.

For mobile applications specifically, this means building in runtime protections from the start — anti-root, anti-hook, and anti-debug mechanisms that resist reverse engineering. Our breakdown of Android protection bypass techniques shows exactly what attackers do when those layers are absent or poorly implemented.

From SDLC to SSDLC

Let’s start with the first abbreviation: a software development lifecycle (SDLC) is a set of rules and processes a team uses to design, develop, test, deploy, and maintain software. Some of them are standard, like waterfall or XP, but in practice, there are as many specific SDLCs as development teams worldwide. 

You could probably bet that as soon as Ada Lovelace wrote the first computer program, someone started to wonder, “Hmmm, how do we formalize this?” The fact is, when we standardize a process, it tends to run more smoothly. And considering that software gets shipped by the truckload every day, those SDLCs seem to be working. 

So, why would we want to shift anything anywhere?

The ‘shift left’ approach

The metaphor refers to moving a process to an earlier point in the development lifecycle, moving it left on an imagined project timeline. Some may argue that “shift left” is a buzzword or a worn-out phrase in software development, but it is essential nonetheless. 

Almost anyone working on a development project wants to get involved earlier on in the cycle – nobody wants to finish the race last. Years ago, it was software testers; they didn’t want the aforementioned truckload of software passed on to them without prior knowledge or involvement. Changes in development culture and test automation did, to a degree, manage to get them there. 

Today, security calls for its own shift left. Thus, SDLC becomes SSDLC – Secure Software Development Lifecycle.

One way to achieve this goal is to adopt a DevSecOps culture, something that teams worldwide are already doing, and with relative success. The DevSecOps methodology is based on key principles such as automation, collaboration, and continuous monitoring. As the name suggests, it involves security teams working alongside development teams and operations to bake in security practices at every stage of the process.

Microsoft’s Security Development Lifecycle and NIST’s Secure Software Development Framework can also serve as examples. These methods may not be directly comparable, but the main idea is the same – to infuse every stage of the SDLC with security thinking and introduce activities that ensure the product is resilient and robust.

The benefits of adding the “S”

A worrying statistic from CISQ and Synopsys (albeit from 2022) notes that “the cost of poor software quality in the U.S.—which includes cyberattacks […], complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt—will total approximately $2.41 trillion.”

Of course, everyone wants, needs, and expects their applications to be secure by design and default. But let’s unpack this and illuminate what exactly you are getting by integrating security considerations into your SDLC: 

A big promise? When done right, security initiatives can indeed have that much of an impact. And it may sound like a distant dream, but achieving a secure software environment is well within reach.

OWASP SAMM as a starting point for SSDLC

We’ve mentioned a couple of “frameworks” that can serve as a basis for instilling security into your development process. However, knowing what and how to implement requires assessing the current state. It’s hard to fix anything when you’re working in the dark. 

This is where the OWASP Software Assurance Maturity Model (SAMM) comes in handy. According to its creators, the model is designed to help organizations of all types analyze and improve their security posture effectively and measurably. It covers the entire software lifecycle and is adaptable to various technologies and processes, being both evolutive and risk-driven.

Our SecOps team director shares what we can learn from the incident that got 8,5 million screens worldwide singing the blues.

On July 19th, we witnessed one of the most significant IT outages in history, caused by a problematic update of CrowdStrike’s Falcon Sensor platform. The numbers are staggering: more than 8 million devices were affected, more than 5,000 flights were canceled, and the total damage is assessed at 10 billion USD.

In the software industry, there’s a well-known principle that one should be extra careful when deploying changes on a Friday. Especially to 100% of your customers, all at the same time. 

However, this is not the only lesson we can take away from this incident that caused worldwide havoc.

Testing will never go out of fashion

Even though CrowdStrike is a cybersecurity company, this was not a security incident. It’s the oldest story in the book—a seemingly trivial change that broke everything. 

This time it came in the shape of a faulty configuration update to CrowdStrike’s security software that was supposed to improve gathering information on potential threats. The update inadvertently caused recurring BSODs (“blue screen of death” –  a critical error that indicates a system crash) on Windows machines worldwide, resulting in a historic disruption of daily life, businesses, and governments. 

Everyone in software development and testing knows that minor changes are often the most dangerous ones because they can easily fly under the radar. 

As CrowdStrike’s post-mortem identifies, the tool they used for verifying the update had an issue, which meant the faulty patch went into production with the underlying problem undetected. It’s interesting to note the improvements to their process that CrowdStrike announced to implement after the incident: 

Any QA specialist will immediately recognize some of these as no more than common, everyday software testing processes. So why would a company as serious as CrowdStrike wait for a crisis of this magnitude to fortify its testing and deployment processes? We can only speculate, but someone somewhere must have declared the above a technical redundancy and prioritized deployment speed above all else. 

Unfortunately, it isn’t just CrowdStrike. The industry has been trying to proclaim testing dead for decades, pushing to replace the entire trade with automated checks running on CI/CD platforms. “If it’s green, we’re good to go!” is today’s modus operandi.

Yet, in the supercharged, fast-paced environment where software is delivered, it is worth reminding ourselves that critical software requires more focus on quality, diligent testing, and intelligent investigation. The alternative, as this case has shown, can have global ramifications.

Massive outages are a breeding ground for cybercrime

It’s not just that planes stopped flying for a day or two; incidents of this scale open up ample opportunities for additional damage. One could say that every significant IT issue is a cybersecurity issue waiting to happen.

Immediately after the outage was reported, panic ensued and every IT technician in the world was looking into ways to bring the system back from the dead. However, not every IT technician had passed security awareness training and had enough composure to weed out the scams from legitimate fixes. 

Panic, a rapidly developing situation, and a lack of education means a perfect storm for social engineering scams of all shapes and sizes. Indeed, cybercriminals started impersonating CrowdStrike employees and shipping malicious “fixes” in record time to penetrate someone’s weakened defenses.

As noticed in a blog post from KnowBe4’s CEO:

It’s hard not to notice the irony of “fixes” for a malfunctioning cybersecurity product being actual cyber-attacks. But that’s our world, and it won’t get any simpler soon.

Preparation and training are crucial

One thing is sure—this is not the first issue of its kind, and it won’t be the last. We can (and should) take all the steps to prevent such incidents from happening, but there is no 100% guarantee. So how can we reduce their harmful effects?

When a massive outage takes place, good incident response plans, readily available technical staff, and clear mitigation steps will help soften the blow. The axios npm supply chain attack in March 2026 is a recent example of exactly this. A malicious package with 100 million weekly downloads was live for under three hours — organizations with version pinning, lockfile enforcement, and --ignore-scripts in CI were protected. Those without had a window of exposure measured in hours, with consequences that may take weeks to fully assess.

Coming into such situations utterly unprepared on the operations side of things is something no company can afford today, especially if their business depends almost wholly on digital systems.

Further, we don’t want to make a bad situation worse by having someone fall for a scam mid-crisis, so we need to focus on strengthening every company’s weakest link – its employees. 

Unless you want to blame interns for a major scandal, security awareness training is crucial. An employee who can recognize a scam will not introduce additional risk into a system already on the brink of collapse. 

Complementing that with up-to-date and followed security policies will result in an organization that enters chaos with less risk and more assurance that working order will be restored in no time.

Food for thought?

As media outlets move on to the next big story and CrowdStrike’s marketing department works to develop a strategy to repair the reputational damage, everyone else would be wise to focus on the lessons we can learn from the incident. 

The event has underlined the importance of rigorous testing, the ever-present threat of cybercrime, and the necessity of robust preparation and training for incident prevention and response. As we navigate an increasingly digital world, the threats keep multyplying, and you should double-check your systems and processes are fortified against them. 

If you feel like your company could work on these areas, we have some resources to get you started. Here’s how phishing simulations contribute to enterprise security, and if you need any assistance, you can always check out our cybersecurity services. 

The European Union has introduced two powerful pieces of cybersecurity legislation aiming to reshape the digital defenses of businesses across the continent. We take you through NIS2 and DORA and explain what they mean for your organization.

A number of cybersecurity-related acronyms have been floating around the European Union in the past couple of years. The main ones are, in no particular order: NIS2, DORA, CRA, and CER.

They are all either part of or related to the EU Cybersecurity Strategy aiming to increase resilience in an increasingly complex, critical, and dangerous cyberspace, with the ultimate goal of creating a safer society.They are all either part of or related to the EU Cybersecurity Strategy aiming to increase resilience in an increasingly complex, critical, and dangerous cyberspace, with the ultimate goal of creating a safer society.

While NIS2 and DORA regulate how organizations operate, the Cyber Resilience Act regulates what certain organizations build, and Critical Entities Resilience enforces stricter, all-hazard resilience measures for critical infrastructure across 11 sectors. 

Most of the above will have a major impact on businesses big and small, yet the dense language and large amounts of legal text and cross-references make getting to the core ideas quite a task. Most of the above will have a major impact on businesses big and small, yet the dense language and large amounts of legal text and cross-references make getting to the core ideas quite a task. 

In this article, we’ll demystify two major EU cybersecurity regulations whose implementation timelines are drawing near – the NIS2 Directive and DORA. Let’s see how ready you are.In this article, we’ll demystify two major EU cybersecurity regulations whose implementation timelines are drawing near – the NIS2 Directive and DORA. Let’s see how ready you are.

What are NIS2 and DORA all about?

NIS2 (Network and Information Security) is an EU directive that builds upon and replaces its 2016 predecessor. The main purpose of NIS was to harden and harmonize the security of network and information systems against cyberattacks in critical sectors such as banking, financial markets, energy, digital infrastructure, health, water, and transportation. The idea was to make sure that both public and private companies implement strong security measures across the board. NIS2 (Network and Information Security) is an EU directive that builds upon and replaces its 2016 predecessor. The main purpose of NIS was to harden and harmonize the security of network and information systems against cyberattacks in critical sectors such as banking, financial markets, energy, digital infrastructure, health, water, and transportation. The idea was to make sure that both public and private companies implement strong security measures across the board. 

The general objectives of NIS were:

NIS2 builds on top of that initial goal in several ways, chief among them being:

It’s important to note the word directive here:

A “directive” is a legislative act that sets out a goal that EU countries must achieve. However, it is up to individual countries to devise their own laws on how to reach these goals.

The above means that each member state will have to transpose NIS2 into their legislation – by October 17th, 2024. Croatia was the first to the finish line by putting the Law on Cybersecurity into force this February. 

Further, by April 17th, 2025, states need to determine which companies will fall within the categories of essential and important entities that are affected by NIS2, which will be regularly updated.

On the other hand, DORA (Digital Operational Resilience Act) is an EU regulation that must be applied in its entirety across the EU as of January 17th, 2025. Being a lex specialis, it takes precedence over NIS2 for the relevant organizations.

DORA primarily focuses on the financial sector, which is a high-stakes space and especially vulnerable to cyberattacks. Any downtime or data loss affecting banks, payment providers, insurance and investment companies, crypto-asset service providers, or critical third parties (such as cloud and data providers) can have serious repercussions on the economy at large, making the resilience of those systems one of the top priorities.

Is your business affected by NIS2 and DORA?

NIS2 recognizes two categories of companies: essential and important entities. The main differences between the two are in the measures these entities must take and how this will be supervised. 

There are certain other criteria that organizations have to meet to fall in either of these categories, the main ones being company size and annual revenue.

The NIS2 Directive defines sectors of high criticality (essential entities) as follows:

It is worth noting that most sectors on this list — energy, transport, drinking water, and waste water rely heavily on operational technology: the industrial control systems, SCADA platforms, and PLCs that manage physical infrastructure. For these organizations, NIS2 compliance is not just an IT exercise; it requires understanding OT security and how IT/OT convergence creates an additional attack surface that standard IT controls alone do not cover.

Other critical sectors (important entities) include:

When it comes to DORA, we already mentioned that it focuses on the financial sector. However, this doesn’t mean it only applies to financial entities. Companies that provide services to the financial sector are also affected by the act. For example, if you are an ICT vendor to a financial institution, DORA has something to say about your operations as well.

It’s the same with NIS2 – if you are part of the supply chain, you might be affected since successfully managing “external” risk is crucial in both cases.

What do NIS2 and DORA requirements mean for your business?

The preparation for NIS2 is a relatively complex procedure, but the high-level steps can be boiled down to:

Sounds simple, doesn’t it? Let’s look at the requirements.

NIS2 revolves around implementing an all-hazards (“consider everything”) approach to risk management to protect network and information systems, including:

All of the above is wrapped up with reporting obligations, meaning that essential and important entities will be required to communicate all significant incidents to the local CSIRT (Computer Security Incident Response Teams) and recipients of their services, i.e. customers. They will also need to inform them about any measures or remedies they can take in response to the threat. The first report must be sent within 24 hours of discovering the incident. 

DORA further expands on the above by covering the following categories:

DORA is somewhat more rigid in its application of third-party risk management, mandating contractual obligations between financial organizations and their ICT providers. 

Additionally, while NIS2 compliance can be shown by an audit every two years, DORA prescribes, among other things, a yearly resilience test program. Those tests include:

On top of that, an advanced TLPT (threat-led penetration test) is mandated every three years.

Security testers and white hat hackers, rejoice! 

What if your business doesn’t comply?

Both NIS2 and DORA come with significant legal and financial implications and prescribe stricter supervision.

To make sure individuals and companies take accountability, NIS2 underlines personal responsibility for upper management in case the company fails to comply with certain requirements or doesn’t report security incidents. This could mean the temporary removal of these individuals from their managerial positions or other sanctions, depending on the local law implementing NIS2.

Personal responsibility is topped up with a potential €7,000,000 (or 1.4% of the total annual worldwide turnover) penalty for important entities and €10,000,000 (or 2% of the turnover) for essential entities. 

The exact penalties for non-compliance with DORA are yet to be determined by the relevant local authorities, but we already know that critical ICT providers can be fined up to 1% of the provider’s average daily worldwide turnover.

Security is not a nice-to-have

For those who aren’t doing so already, the aforementioned should be enough incentive to start taking cybersecurity seriously and building a proactive, transparent, and security-first culture.

Not to mention this is all part of a larger trend. NIS2 and DORA are, in essence, just some of the pillars on top of which the EU plans to continue expanding its cybersecurity strategy. If your organisation operates within the UK defence supply chain, the equivalent framework is the Cyber Security Model v4 — mandatory for all MOD suppliers from December 2025.

Since digital services are already ubiquitous and manage major parts of our lives, we expect we’ll be writing plenty of articles on the topic in the years to come.

If you need support in adapting to NIS2 and DORA or just strengthening your security posture, check out our governance, risk, and compliance services or our broader cybersecurity services.

How do phishing simulations contribute to enterprise security? They enable organizations to identify weak points and educate their teams, boosting the resilience of the primary target of a phishing attack – your people.

Having celebrated its 40th birthday last year, the internet has grown up. However, from its inception to the present day, there has always been something slightly dangerous about it. 

Back in the 1990s, we feared the dialer – a particularly nasty Trojan often disguised as an innocent MP3 file that added zeros to your monthly telephone bill if you didn’t catch it in time.

Around the same time, another sneaky type of attack emerged – phishing. But unlike the dialer, which eventually went the way of the dodo, phishing never went out of style. In fact, with the emergence of technologies like artificial intelligence, it became even more widespread and sophisticated.

Phishing targets individuals at large, but it can be particularly dangerous in corporate settings. In this case, a weak link can become a gateway to hurting an entire organization. 

How do phishing simulations contribute to enterprise security? They strengthen those weak links, making them more vigilant and less susceptible to attackers’ deceits.

Phishing 101

Phishing is a form of cyber attack in which malicious actors send fraudulent messages impersonating legitimate entities to deceive individuals into revealing sensitive information. 

The scam could have just been called fishing, but the early hacking communities seem to have had a penchant for idiosyncratic spelling (phreaking is another example).

The problem with phishing is that it cannot be prevented with a technical solution – it primarily relies on the human factor. 

Any person or company would like nothing more than to delegate their cybersecurity concerns to a newly installed tool so they can go on their merry way enjoying music streaming, cat videos, and instantaneous stock transactions. Unfortunately for both parties, but fortunately for cybercriminals, there is no ready-made patch. 

PEBCAK is another 90s synonym that tells the whole story – Problem Exists Between Computer and Keyboard. In other words, humans are the Achilles’ heel of cybersecurity, and perfect phishing material.

Why phishing works

Have you ever wondered why phishing emails are often full of typos and bad grammar? Because it is a cheap and effective method of finding the weakest links. Don’t worry; an average hacker knows how to use a spell checker, and to make matters worse, in 2024, the Nigerian prince can harness the power of generative AI to do its bidding.

It is no wonder that the European Council lists social engineering among the biggest threats in the digital landscape, noting that 82% of data breaches involve a human element.

You could be an average Alice responding to your bank’s supposed request to update your data so that you don’t lose access to your account or an average Bob wanting to check out the photos from last week’s party. 

You might even be a sales manager on the receiving end of an enticing business proposal that is just one click away. Maybe you really wanted to please your deepfake bosses. No firewall in the world could stop that particular adrenaline rush.

Simulated attacks help combat enterprise-level phishing

The risk of phishing attacks is very real. The FBI’s Internet Crime Complaint Center (IC3) reported almost 300,000 instances of phishing attacks in 2023 alone, making it far and away the most used fraudulent tactic. Business Email Compromise (BEC), closely tied to phishing, translated into almost 3 billion dollars of business losses.

There are numerous other examples besides the ones mentioned above. One of the most famous ones is how Google and Meta (still Facebook at the time) were duped out of $100 million via fake invoices to their accounting department. Some well-meaning employees likely weren’t properly trained in recognizing these sorts of scams.

This is exactly the type of situation where a phishing simulation can be the perfect tool.

An effective cybersecurity strategy should always strive to be proactive and one step ahead of the plentiful threats on the horizon. How do phishing simulations contribute to enterprise security? They aim to proactively catch vulnerabilities through real-world scenarios, bolstering the defenses before actual phishing attacks occur.

If you want to ensure any level of resilience to social engineering attacks that interweave technological and psychological trickery, educating your employees is crucial. But, as we all know, merely sitting in phishing training is the epitome of an ineffective snoozefest that satisfies only the passing auditor. 

To tease out those subconscious decisions into awareness and prevent your employees from falling victim to phishing attacks, you want them to learn from experience. Even one phishing simulation carried out within an organization will decrease the likelihood of compromises among employees. 

How do phishing simulations contribute to enterprise security? We decided to check in practice

They say to sweep before your own door first, so we decided to organize an internal simulated phishing campaign. As we grew and became a multinational company with hundreds of employees, our attack surface grew as well, yet we had no idea how susceptible we might be. 

Seeing as a large percentage of Infinum employees are well-versed in cybersecurity and technology in general, we were confident that the results would reflect this. In other words, we felt we were safe against potential risks and wanted to confirm this. 

This is what we did.

After a couple of weeks, we started observing people running in circles on Slack warning each other of spoofing and suspicious emails. At one point, our IT operations specialist disclosed that an attack was underway. You would think that would severely decrease the number of compromises. It didn’t.

In a particularly ironic plot twist, I almost got hoisted on my own petard. Being the host of one of our company events, I was expecting my colleague to share a folder with various materials. To cut a long story short, I clicked on it but got to my senses before I entered my password. Haste almost got the better of me, and I’m betting the pace is similar at your company too.

Thousands of emails later, much to our chagrin, the results were in line with the benchmarks for IT companies. Not terrible, but not 0% either, in any of the relevant metrics.

In the end, we held an all-hands meeting, exchanged a few good laughs, and enrolled everyone into a new and improved security awareness training program. Yes, everyone. The phishing incident has now become a common discussion point, a “did they get you too” icebreaker, at least for the time being.

Of course, the careful reader will notice that we took some of our defenses down and exclaim that the setup was not realistic. Well, to that I say that it merely expedites the process.

Protecting your company from real phishing attacks

The fact that we are now entering the age of AI might prompt some nostalgia for the good old days when just one simulation or a course was more than enough to stay on top of the game.

New threats and exploits, remote work, and the barrage of data and communication channels are merely expanding the cybercrime playing field. As we wrote recently, we’re talking about a multi-trillion-dollar industry.

Offense might be the best defense, but in this case, to reinforce best practices in identifying and reporting suspicious activities, we have to consider both. Saying that security awareness training should not be an afterthought is an understatement, to say the least.

To improve and maintain your posture, the following topics should be visited and revisited continuously on a company level:

By regularly educating your employees on these, you’re already doing a lot to boost your collective’s resilience. To err is human, but humans who know better, err less.

Phishing simulations turn employees into security ambassadors

To protect your company from real phishing attempts and improve your security posture in general, it’s crucial to develop a culture of cybersecurity awareness within your organization. 

Proactive measures like phishing simulation campaigns and continuous security awareness training should be a key component of your broader security strategy. By incorporating these, you empower your employees to become active participants in safeguarding sensitive information instead of just passive recipients of policy and education. In reality, the threats are here to stay, and security is everyone’s responsibility.

If you need help getting there, check out our cybersecurity services. It’s a real link, trust us.

As a supermassive data breach brings security once again to the center of attention, we identify the cybersecurity trends that will help you navigate the digital landscape in 2024.

If cybersecurity wasn’t that high on your list of priorities, the year 2024 seems to be gearing up to adapt your perspective. Before we even got through its first month, the tech media headlines were ablaze with the story of MOAB – the mother of all breaches. 

The only things we used to call supermassive were black holes. Today, this adjective is used to describe data leaks. At the center of MOAB is a never-before-seen volume of 26 billion records of leaked user data that can be leveraged by malicious actors for a wide range of attacks.    

The numbers alone rightfully send chills down the spine of both company leaders and end users. However, they should also serve as motivation for both to turn a fresh leaf and define new cybersecurity goals and strategies. 

To give you an idea of what you might expect, we present cybersecurity trends likely to shape the digital landscape in 2024.

Cybercrime will be a booming business

What are the dangers of the aforementioned MOAB? The leaked data contains user credentials, but also other sensitive information, all valuable to bad actors.

You’ve probably reused your private or business credentials at least once, right? Well, that makes it easier to fall victim to cyber threats called credential stuffing and password spraying. 

There’s so much data circulating online that anyone who doesn’t practice ample amounts of cyber hygiene almost automatically becomes a target. For instance, that’s exactly what happened to senior Microsoft execs.

With the current conflicts going on in the world and the ensuing charity frauds, the upcoming US elections, and the Summer Olympics, the threat landscape of 2024 is shaping up to be very dynamic.

All of the aforementioned in the context of a 3,4 million person global shortage of cybersecurity professionals seems to be brewing a perfect storm for making cybercrime an ever more lucrative business.

Artificial intelligence will be weaponized for phishing attacks

It almost feels like there’s no realm of human endeavor left untouched by the AI revolution we’re witnessing, and it’s impossible to have a conversation about cybersecurity trends without mentioning it.

We could wax lyrical about the different ways in which the technology will improve cybersecurity both on the defensive and the offensive side of things, but let’s focus on just one type of social engineering attacks, and that is phishing.

In the days of yore, one had to at least spend some time preparing a series of semi-coherent texts that would lure their victims into clicking on the “Get your green card now!” button. Nowadays, getting a nice proofread email is a matter of entering a simple prompt into your large language model of choice.

And this is just one way bad actors might be using artificial intelligence. What about deep fakes? Getting an audio recording of your parents asking you for an urgent wire transfer because their belongings got stolen in transit is far from a science-fiction scenario. It’s a particularly vile example of vishing combined with spear phishing (yes, these are actual words) that will only become more prevalent as technology advances. 

While the danger there is you getting eked out of a few hundred bucks, similarly placed attacks on a somewhat gullible business executive (think Business Email Compromise 2.0) could have catastrophic consequences for both organizations and their end-users. BEC is already one of the most costly scams for organizations, amounting to more than 50 billion dollars in losses as per the FBI’s 2023 public service announcement. No one is safe, not even high-tech companies like Meta and Google.