12 Cyber Security Trends SMEs Should be Aware of in 2025 and Beyond

This year is set to be one of the most interesting for cybersecurity professionals and small businesses in the North East, Yorkshire and Humber region. Cyber attacks are becoming more sophisticated and small businesses need to be prepared. 

Our cybercrime and prevention experts here at the NEBRC, along with our Board and Cyber Essentials Partner organisations, have collaborated to create the 2025 cyber threats for SMEs report. This report predicts the cybersecurity issues expected to grow over the next year and beyond. In addition, the experts have provided recommendations on how best to prepare for and prevent such threats.

It is often mistakenly assumed that cybercriminals will only go after large corporations; however, small businesses are at considerable risk. According to Hiscox's latest Cyber Readiness Report (2024), a third of business leaders (34%) do not feel that their organisation is adequately prepared to handle cyber attacks [1]. With many smaller businesses tending to have tighter margins and fewer resources to combat threats, any successful attack is likely to have an immediate and critical impact.

To help prepare your business, read our predictions and tips from industry experts, including senior members of the UK's cybercrime police, ethical hackers, chief technical officers and more.

1) Deep learning systems capable of extracting sound data from keyboard inputs

Martin Wilson, Head of Student Services

Prediction:

Researchers have crafted a deep learning system, a type of artificial intelligence (AI), capable of extracting data from keyboard inputs [2]. Essentially, this AI can predict typed content by interpreting the sound of your keystrokes. The ramifications imply that sensitive information like passwords or private messages could potentially be accessed. It is important to stress that this is just a theoretical finding at this stage, but it is a useful case study to demonstrate the wider importance of some simple remote working precautions.

Guidance:

Always remain mindful of who is around during meetings or in your vicinity, and use privacy screens where possible. Exercise caution in your surroundings while conducting meetings. 

Additionally, adopting alternative authentication approaches like biometrics or password managers, along with multi-factor authentication (MFA), can offer heightened security measures. This is the type of threat which may need factoring into your remote and flexible working policies in future, to ensure staff are aware and taking any appropriate precautions.

2) Supply chain cyber threats to move from emerging risk to a current and prevalent risk

Debra Cairns, Managing Director at Net-Defence and Advisory Board NEBRC

Prediction:

The use of AI by cybercriminals, while not new, will escalate this year, transforming the landscape of digital threats. We’ve already witnessed the power of AI in voice spoofing and the emergence of tools like WormGPT, which lowers the barrier to entry for aspiring cybercriminals. This trend will intensify, with AI becoming an integral part of sophisticated attack strategies.

The initial apprehension surrounding AI focused on job displacement. However, the reality is more nuanced – AI will be a powerful tool wielded by humans for both malicious and defensive cyber reasons. We will see a surge in AI-powered phishing campaigns and automated malware development. The ability of AI to learn and adapt will make these attacks increasingly difficult to detect and mitigate.

An AI-driven arms race will begin, with some using AI for advanced threat detection and vulnerability analysis, while others will employ it for sophisticated attack automation and evasion.

In 2025, AI will also enable the creation of highly personalised and convincing social engineering attacks, exploiting individual vulnerabilities with precision.

Guidance:

To counter these evolving threats, organisations must prioritise AI-driven security solutions. This includes investing in AI threat detection systems, behavioural analysis tools, and automated incident response platforms. There are a few other ways that businesses can protect themselves against AI cybercrime:

  • Training so employees can recognise deepfakes, sophisticated phishing attempts and AI-enabled social engineering tactics.
  • Establishing robust data governance frameworks, including strong access controls, encryption, and data loss prevention measures.
  • Collaborating and information sharing between cybersecurity professionals, law enforcement, and AI researchers to stay ahead of the AI-powered cybercrime curve.

3) AI social media information gathering will make phishing attacks almost undetectable

Martin Hart, MD at CyberShelter

Prediction:

AI is developing at a rapid rate and being applied to existing cybercriminal tactics. We expect to see AI being used to gather much more personal and business information from social media, enabling phishing attacks to become even more difficult to spot and almost undetectable. The days of grammatically bad phishing attempts are coming to an end. This can become an issue for businesses, as collecting social information is just step one. Once credentials have been exfiltrated, further monetised attacks can start to happen.

Guidance:

To avoid falling victim, always confirm even slightly suspicious emails that ask for any data, ideally with a phone call or by using multiple sources. SMEs will usually be more at risk than larger corporations due to the lack of available investment in protection-based technologies, but regular training can help your teams spot the warning signs and look after their data more effectively. Encourage your team to take a moment to stop, think and check before they click.

4) Increased uptake of two-factor authentication to reduce risk from AI threats

Marcus Dempsey, Director at InfoSec Governance and CE Partner NEBRC

Prediction:

This year there will be increased uptake of two-factor authentication within businesses, to reduce the risks posed by cybercriminals who are leveraging AI within attacks. This new and heavy reliance upon artificial intelligence, as well as increasing phishing, requires additional layers of protection. Businesses are already fighting a losing battle against cyber-related attacks; the use of AI is only going to make discovering attacks harder.

Guidance:

Awareness and training are the two best ways to combat this. Businesses should create and employ best practice when it comes to password security. People need to be made aware of what to look out for and what not to click on. Using password best practices, such as the NCSC's recommended three random words, and a secure internet presence are your first line of defence, and their importance can't be stressed enough.

5) More opportunistic ransomware attacks aiming for data theft and exfiltration, rather than solely data encryption

Annie Miller, Marketing Manager at NGS

Prediction:

Ransomware will continue to wreak havoc this year, but in more sophisticated and opportunistic ways. By rapidly weaponising newly discovered vulnerabilities within hours, ransomware threat actors are gaining more substantial resources and aiming for data theft and exfiltration, rather than solely data encryption.

Data exfiltration allows victims to maintain the facade of data confidentiality, as threat actors can portray themselves as involuntary penetration testers. These cybercriminals exploit the victims by convincing them to pay the ransom to avoid fines, which is not only costly but time-consuming to solve. In addition, employees are often told to keep cyber attacks quiet, but the media can often find out and report on them, causing harm to a brand's reputation.

Guidance:

There are a few ways businesses can prepare and protect against these growing threats, from security posture reviews to awareness training, leveraging free resources and expertise, alongside regular housekeeping such as patching and updates.

  • Security posture reviews: these are a detailed assessment of your full security posture, covering policy, processes and technology platforms.
  • SMEs are particularly vulnerable, due to having less resource to spend and allocate to cyber defences. Using free resources available from the NCSC, the NEBRC and the Cyber Security Information Sharing Partnership (CiSP), to name a few, can help provide advice and keep companies up to date with the latest threats.
  • Security awareness training: whether you outsource or create a training programme internally, this reduces the number of human-related incidents and ensures employees understand how to responsibly handle data and combat data breaches.
  • Regular patching, updating systems and up-to-date antivirus and anti-malware software may seem obvious, but keeping up with cyber best practices is essential.

6) A pronounced shift towards passwordless authentication

Garry Brown, Managing Director at Bondgate IT and CE Partner at NEBRC

Prediction:

There will be a pronounced shift towards passwordless authentication in 2025, propelled by a surge in new members aligning with the FIDO Alliance.

We have gone through iterations of increased user authentication security, with complex passwords and MFA becoming more commonplace; however, these protection mechanisms no longer offer the highest level of protection. The biggest challenge service providers face is validating that we are who we say we are and that the individual requesting access is genuine.

2025 will herald the gradual obsolescence of conventional passwords, with passkeys or biometrics combined with time-based one-time passwords used to authenticate users, replacing traditional passwords and SMS or e-mail based MFA.

Guidance:

Businesses and stakeholders must recognise that the journey of cyber security is continuous, requiring sustained adaptation to stay ahead of evolving threats. Organisations must remain proactive: what served as effective protection in the previous year may inadvertently become a vulnerability in the current landscape. Embracing innovation and the evolution of passwordless authentication can help mitigate the risks that emerge in today's rapidly evolving threat landscape.

When it comes to accessing systems or sensitive data, prioritising the most secure method is paramount, irrespective of any potential inconveniences or complexities. While more secure methods may require additional steps or processes, heightened security measures are a prudent and necessary safeguard against the potentially devastating impacts of unauthorised access and compromised data.

To avoid falling victim to cybercrime, SMEs should proactively allocate a substantial budget specifically for cyber security, on top of their usual IT budget. It is crucial to shift the mindset and understand that cyber security is an essential aspect for every business, regardless of size, dispelling the misconception that it is exclusive to large corporate entities.

7) Voice AI used within phishing and impersonation scams

Joe Cockcroft, Ethical Hacker, Service and Technology Supervisor at NEBRC

Prediction:

As a key theme in this year's predictions, AI has already been incorporated into phishing emails, removing the usual tell-tale signs such as poor spelling, and advertising has seen the use of AI to impersonate celebrities. In 2025, however, this will be seen increasingly in connection with voice impersonation. Typically, a phone call can be used by businesses to confirm an invoice, or voice verification is used in places such as network providers and banking, so it won't be too long before AI is being used to exploit these as well, if not already. I'm sure 2024 will see a rise in scams utilising voice AI to impersonate others, whether directly to the victim or as an impersonation of the victim.

Guidance:

If you are uncomfortable with using voice verification, consider asking the organisation offering this whether they support multiple factors for this purpose, for example having a code sent to you in addition to using your voice. Technology in this space will continue to improve, and it is likely that there is already work taking place to separate real voices from AI-generated ones. If you receive a phone call that you aren’t sure about, you should hang up and ring them back using a number you have obtained from a verifiable source.

8) Browser security innovation is going to be a focus for many IT and security vendors

Ray Stone, Chief Technical Officer at Data Connect Group and CE Partner at NEBRC

Prediction:

Browser security innovation is going to be a focus for many IT and security vendors. One particular angle will involve browser isolation technology, which contains web browsing activity inside an isolated environment (either locally or remotely on a server), like a sandbox or virtual machine. This is to protect computers from any malware the user may encounter.

Though this technology has been around for a while, it is expected to become more mainstream as key players start to amalgamate it into their standard web security offerings. The world has changed since the inception of this technology and it has in the past been seen as more of a luxury or even an inconvenience. With the adoption of remote working and user devices falling outside the protection of enterprise firewalls, the security of end-user devices has never been so important. Browsers are the gateway to the internet and the perfect place to embed more controls over content being accessed online.

Guidance:

Various standards and requirements allude to better control of browsers. For example, the Centre for Internet Security (CIS) top 18 security controls mention browser protections, and the UK Government's Cyber Essentials Plus requires testing of all browsers independently, as protections between browsers can differ.

Anyone using Windows 10 or Windows 11 will be afforded some protection by Microsoft Defender, built into Edge, so ensure this is enabled. On top of that, many anti-virus solutions will offer some form of web protection to prevent users from visiting known "bad" categorised sites.

There are also both free and commercial tools which can be used to better control and monitor internet access. Some tools operate at the DNS level, preventing access to malicious sites before the browser even tries to connect, and others, more traditional, like proxies, do this as the browser connects. You should review your current business needs to find which innovations will best work for your team.


9) More believable ‘lookalike’ domains that play on human error

Jamie Robson, Professional Services & Cyber Security Manager, Aindale and CE Partner at NEBRC

Prediction:

There will be an increase in the sophistication of cyberattacks, including more believable 'lookalike' domains. Leveraging AI, domains will be created which are visually indistinguishable from genuine domains, to deceive people using methods such as 'homographs', 'combosquatting' and 'typosquatting'. These exploit slight oversights in varying digital interaction methods, and with the increase in sophistication this will result in greater success for the attackers.

These attacks don't just impact the organisation at the time of the breach; there is potential downtime whilst remediation is completed. Most phishing attacks are targeting monetary gains, directly and indirectly, by persuading your clients to pay into incorrect bank accounts, etc.

They can also have a damaging effect on your brand reputation and can negatively impact consumer and partner trust. Where personally identifiable information (PII) is involved, this will need to be reported to the ICO and could result in a fine being issued. Furthermore, any breaches will likely result in an increased insurance premium for the organisation upon renewal. 

Guidance:

User awareness is of paramount importance, as users are the first line of defence against these attacks. Enhanced training to cover this new information is needed, along with streamlined processes for reporting and removing potential threats from a user's environment.

Secure technical controls will minimise the reach of the compromise should it occur. Ensure that all avenues are as secure as possible against all attack vectors, with measures such as email security, DNS health checks, system hardening on devices and the principle of 'least privilege' when applying permissions.
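The three lookalike techniques named in Jamie Robson's prediction above (homographs, combosquatting and typosquatting) can be checked for mechanically before a sender is trusted or a link followed. The following is an added example, not tooling from the NEBRC, Aindale or any other contributor to this report. It compares a candidate domain against a short list of domains the business actually uses: punycode labels are decoded back to Unicode, a small table of look-alike characters is mapped onto their ASCII twins, the brand label is searched for inside longer names, and edit distance with adjacent transpositions catches one- or two-keystroke variants. The protected domains, the confusables table, the public-suffix table and the sample inputs are all constructed for this example.

```python
"""Flag lookalike domains: homographs, combosquatting and typosquatting.

Added illustration only; this is not tooling from the NEBRC or Aindale.  The
protected-domain list, the confusables table, the suffix table and the sample
inputs are constructed for this example.  Standard library only.
"""
import unicodedata

# Constructed example: the domains the business legitimately uses.
PROTECTED = ["example.com", "nebrcentre.co.uk"]

# Characters from other scripts that render like ASCII letters.  Assumption:
# this short table is illustrative; production code should use the full
# Unicode confusables data (UTS #39).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic с х у і
    "\u0458": "j", "\u04cf": "l", "\u03bf": "o", "\u0131": "i",   # Cyrillic ј and palochka, Greek ο, dotless ı
})

# Assumption: a tiny public-suffix table is enough for the sample domains;
# real code should consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


def decode_punycode(domain: str) -> str:
    """Turn ACE labels (xn--...) back into Unicode so they can be compared."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain                   # already Unicode, or a malformed ACE label


def skeleton(domain: str) -> str:
    """Canonical 'what the eye sees' form: NFKC, lower-case, confusables mapped."""
    return unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)


def split_domain(domain: str):
    """Return (registrable label, public suffix), e.g. ('nebrcentre', 'co.uk')."""
    labels = domain.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition, e.g. "re" -> "er"
    return d[-1][-1]


def classify(candidate: str, protected=PROTECTED) -> str:
    """Return 'legitimate', 'homograph', 'combosquat', 'typosquat' or 'unrelated'."""
    cand = decode_punycode(candidate.strip().rstrip(".").lower())
    known = [p.lower() for p in protected]
    if cand in known or any(cand.endswith("." + p) for p in known):
        return "legitimate"             # our own domain, or a subdomain of it
    cand_skel = skeleton(cand)
    cand_brand, _ = split_domain(cand_skel)
    for p in known:
        p_skel = skeleton(p)
        brand, _ = split_domain(p_skel)
        if cand_skel == p_skel:
            return "homograph"          # same glyphs, different code points
        if brand in cand_skel and cand_brand != brand:
            return "combosquat"         # brand embedded in a longer name, e.g. example-login.com
        max_dist = 1 if len(brand) < 6 else 2
        if osa_distance(cand_brand, brand) <= max_dist:
            return "typosquat"          # one or two keystrokes away (a swapped TLD lands here too)
    return "unrelated"


# Constructed sample observations, e.g. sender domains pulled from mail logs.
SAMPLES = [
    "example.com", "mail.example.com",
    "\u0435\u0445ample.com",           # Cyrillic е and х in place of Latin e and x
    "exarnple.com",                    # "rn" masquerading as "m"
    "example-login.com", "example.com.evil.net",
    "nebrcenter.co.uk", "unrelated.org",
]


def scan(domains=SAMPLES):
    """Verdict for every domain in the list."""
    return {d: classify(d) for d in domains}


if __name__ == "__main__":
    for d, verdict in scan().items():
        print(f"{verdict:11} {d}")
```

Two caveats a practitioner would want: the confusables table here covers only a handful of Cyrillic and Greek letters, so use the full Unicode confusables data in production; and a brand that is also a common word ('example' inside 'counterexample.org') will be flagged as combosquatting, so treat the verdicts as triage for a person or a mail-filter rule rather than an automatic block.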

10) SMEs will increasingly be targeted and many losses set to remain under-reported

Rebecca Chapman, CEO and Director at NEBRC and ex-police superintendent

Prediction:

The prevalence of attacks will continue unabated against all sizes of companies both through phishing and malware. An increasing number of smaller businesses will identify one or more breaches in their security, without having the correct measures in place to deal with them. 

It is worrying that businesses won’t report these breaches to the authorities and many will go unrecorded. This then limits police intelligence which is needed to help allocate resources to this ever-growing area of crime.

Many SMEs believe that cyberattacks will not happen to them because they are too small, insignificant or not "cash rich". Yet cybercriminals don't differentiate based on this, and often the attacks are automated, casting a net far and wide, so these facts are irrelevant. If you are a small business that relies on a computer for stock ordering, invoices or even a diary system for customer appointments, these systems can be rendered useless should an attack happen. The average cost to an SME is around £3k, with some estimating that this number is even higher. This is a huge amount of money to lose in a small business.

Guidance:

There are a few simple steps that can help reduce these risks and the NEBRC free core membership sets these out, to help protect small businesses from the majority of online crime. 

A key prevention tactic is to create a business continuity plan, to become more resilient and bounce back after an attack with minimum disruption. 

Businesses can find protection measures that are easy to act upon within our little steps programme, which includes best practice regarding passwords, backing up data, patching, multi-factor authentication, phishing, access controls, disaster recovery planning, anti-virus/firewalls and more. All of these can be implemented without employing a cyber company.


11) Ransomware attacks will diversify, quishing and Business Email Compromise will evolve. Human risk management will progress with human risk professionals finding a seat at the leadership table.

Liz Murray, Human Risk Management Professional and Advisory Board NEBRC

Prediction:

AI will continue to dominate security conversations. The ease of using LLMs (such as ChatGPT) will lead to businesses enforcing more stringent policies to protect information. 

Security specialists will endeavour to persuade people to be curious: to fact check separately and to not share personal, or company, information with tooling found on the internet. Transcription tools should also be treated with caution: how much proprietary information is being collected through transcribing conversations?

Think about whether you know who you’re sharing information with. What will that information be used for? Where and how is it being protected? 

Third and fourth party organisations will continue to be the vectors of choice for attacking larger enterprise organisations. Threat actors rely on smaller organisations having less sophisticated protection, and on employees being likely to fall victim to phishing scams, so that accounts can be used to target larger organisations. 

Guidance:

SMEs, though, can prevent themselves from being exploited by taking simple steps to educate staff and protect systems.

12) Employee cyber training to become more comprehensive to combat emerging 2025 trends

John Hay, Head of Information Security at Net-Defence and CE Partner at NEBRC

Prediction:

Keeping employees interested and informed is increasingly challenging, but training will play a crucial role in preventing attacks in the year ahead. This is especially important given the new and evolving threat landscape, with new and complex threats emerging.

In addition, organisations' employees are busier than ever working on core business areas; however, it is when this happens that cyber security can fall by the wayside, training becomes deprioritised and human error becomes more likely.

Despite cutting-edge technological solutions, the human element remains a critical factor in cybersecurity. Small businesses often lack the extensive resources of larger enterprises, making them particularly vulnerable. Cybercriminals recognise this vulnerability and increasingly target employees through sophisticated social engineering attacks.

Guidance:

The best way to reduce this cyber risk is by empowering your workforce through comprehensive training. As threats evolve, so will your business's cyber security needs, making training a strategic imperative. Cyber risk training should be included within new starter onboarding, plus regular training refreshers and updates must be a requirement for staff at all levels.


What’s clear from these trends is that cyber risk is evolving at a fast pace with the increased threat of AI and more sophisticated attacks that are difficult for humans to identify. These threats are as valid for large organisations as they are for small businesses and demonstrate a clear need for training and continuity planning. 

Don’t think because you are small that you are at a lower risk. Be prepared and train your staff, however few, on what to look out for. If you want any further advice please contact us at enquiries@nebrcentre.co.uk or sign up for affordable cyber services and police-led advice through our FREE core membership.

References:

1) Hiscox, Cyber Readiness Report 2024 – https://www.hiscoxgroup.com/sites/group/files/documents/2024-10/HSX245%20%E2%80%93%20%202024%20CRR.pdf

2) Bleeping Computer, New acoustic attack steals data from keystrokes with 95% accuracy – https://www.bleepingcomputer.com/news/security/new-acoustic-attack-steals-data-from-keystrokes-with-95-percent-accuracy/