Prediction 1: Robust supply chain security is not optional; it’s essential for safeguarding against software vulnerabilities.
• In 2025, businesses need to safeguard themselves from security risks linked to software dependencies, that is, external applications or code they rely on. While such dependencies save development time, they can also introduce cybersecurity risks, including vulnerabilities from outdated or unpatched components, supply chain attacks, and malicious code insertion. These are what we call “zero-day” risks, because the flaws remain unknown and unpatched, leaving defenders zero days to respond.
• The increase in cyberattacks on popular applications underscores the importance of strong supply chain security. Companies should establish strict controls, including regular audits, timely software updates, and thorough vulnerability management, to reduce risks from third-party software.
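The audit the bullet above calls for starts with knowing which dependency versions are actually pinned and whether any fall below a known fix. The following script is an added example written for this page, not code from the original article; the manifest lines, package names and advisory identifiers (`ADV-EXAMPLE-…`) are constructed placeholders, and in practice the advisory table would be fed from a real vulnerability database.

```python
"""Audit a pinned dependency manifest against a list of fixed-in versions.

Added example for the supply-chain bullet above. SAMPLE_MANIFEST and
SAMPLE_ADVISORIES are constructed sample data, not real packages or advisories.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a requirements.txt-style manifest with placeholder names.
SAMPLE_MANIFEST = """\
# build tooling
examplelib==1.4.2
netparser==0.9.0
authkit>=2.0      # open range: the resolved version cannot be audited precisely
jsonmagic==3.1.0
"""

# Constructed advisory table: package -> [(first fixed version, advisory id)].
# Any pinned version below the fixed version is treated as affected.
SAMPLE_ADVISORIES = {
    "examplelib": [("1.4.3", "ADV-EXAMPLE-001")],
    "netparser": [("1.0.0", "ADV-EXAMPLE-002")],
    "authkit": [("2.3.1", "ADV-EXAMPLE-003")],
}


@dataclass
class Finding:
    package: str
    spec: str
    reason: str
    advisory: Optional[str] = None


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2); non-numeric components compare as 0."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


# name, optional operator, optional version (comments are stripped before matching)
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")


def parse_manifest(text: str):
    """Yield (name, operator, version) for each requirement line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            name, op, ver = m.groups()
            yield name.lower(), op, ver


def audit(manifest_text: str, advisories: dict) -> list:
    """Return findings: unpinned entries, and pins below a known fixed version."""
    findings = []
    for name, op, ver in parse_manifest(manifest_text):
        if op != "==" or ver is None:
            findings.append(Finding(name, f"{op or ''}{ver or ''}",
                                    "not pinned to an exact version; resolved version is unknown"))
            continue
        for fixed_in, adv_id in advisories.get(name, []):
            if parse_version(ver) < parse_version(fixed_in):
                findings.append(Finding(name, ver, f"below fixed version {fixed_in}", adv_id))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{f.package:12} {f.spec:8} {f.reason}  {f.advisory or ''}")
```

Running it flags the two pinned packages that sit below their fixed versions and the open-range entry that cannot be audited at all; an entry with no advisory and an exact pin produces nothing. The unpinned case is the one audits most often miss: a range such as `>=2.0` may resolve to a vulnerable version on one build machine and a fixed one on another.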
• Effective crisis management will be crucial. Businesses should adopt a structured approach known as ‘Red Teaming’, whereby a group of skilled security experts, known as the “red team,” simulate real-world cyberattacks on an organisation’s systems, networks, and physical infrastructure. The goal is to identify vulnerabilities and test the effectiveness of the organisation’s defences by emulating the tactics, techniques, and procedures of potential adversaries. Regular drills and scenario planning will help ensure organisations are prepared to respond effectively to security incidents.
• A comprehensive Third Party Risk Management Program should ensure compliance by managing evolving requirements and assure due diligence through proactive management responsibility. It must be flexible enough to adapt to the varying risks across different third-party engagements and act as a platform that uses automation for adequate coverage and frequent assessments. Additionally, it should integrate with the organisation’s risk culture and appetite, providing visibility and management capabilities, and produce repeatable, coherent results that drive continuous improvement.
Prediction 2: As geopolitical tensions rise, businesses must be prepared to swiftly isolate network segments to mitigate risks.
• The ability to segment networks and implement robust controls to remotely switch off locations will be critical in 2025. As geopolitical tensions escalate, businesses must be ready to swiftly isolate parts of their network in response to potential sanctions or security threats. This is essential for maintaining operational security and continuity, especially for companies in high-tension regions.
• Advanced network segmentation involves creating distinct, isolated segments within a company’s network, each with its own security controls and access policies. This can help limit the spread of potential cyber threats and allow for more precise control over data flow and access. By segmenting their networks, businesses can better protect sensitive information and critical infrastructure from cyberattacks and espionage.
• In addition to network segmentation, businesses must develop robust remote-control capabilities to manage and secure their operations from a distance. This includes the ability to remotely switch off or isolate specific locations in the event of a security breach or geopolitical crisis. By having these controls in place, companies can quickly respond to emerging threats and minimise the impact on their operations.
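The two bullets above describe a default-deny segmentation policy plus a switch that cuts a whole location off. The model below is an added example written for this page, not code from the original article: the segments, sites, address ranges and allowed flows are constructed, and the rendered ruleset uses nftables syntax as a review artefact rather than a tested production configuration.

```python
"""Segmented network policy with an emergency 'isolate site' control.

Added example for the segmentation bullets above. Segment names, sites,
CIDRs and allowed flows are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    name: str
    site: str   # physical location the segment belongs to
    cidr: str


@dataclass
class Policy:
    segments: dict                                   # name -> Segment
    allowed: set = field(default_factory=set)        # (src_segment, dst_segment, tcp_port)
    isolated_sites: set = field(default_factory=set)

    def allow(self, src: str, dst: str, port: int) -> None:
        """Explicitly permit one flow; everything not listed here is denied."""
        self.allowed.add((src, dst, port))

    def isolate_site(self, site: str) -> None:
        """Emergency control: cut every flow into or out of a location."""
        self.isolated_sites.add(site)

    def restore_site(self, site: str) -> None:
        self.isolated_sites.discard(site)

    def _touches_isolated(self, src: str, dst: str) -> bool:
        return (self.segments[src].site in self.isolated_sites
                or self.segments[dst].site in self.isolated_sites)

    def permits(self, src: str, dst: str, port: int) -> bool:
        """Default deny: a flow passes only if allowed and neither end is isolated."""
        if self._touches_isolated(src, dst):
            return False
        return (src, dst, port) in self.allowed

    def render_nft(self) -> str:
        """Render the current policy as an nftables forward chain (policy drop)."""
        lines = [
            "table inet segmentation {",
            "  chain forward {",
            "    type filter hook forward priority 0; policy drop;",
        ]
        for src, dst, port in sorted(self.allowed):
            if self._touches_isolated(src, dst):
                continue  # isolated sites get no accept rules at all
            s, d = self.segments[src], self.segments[dst]
            lines.append(f"    ip saddr {s.cidr} ip daddr {d.cidr} tcp dport {port} accept"
                         f"  # {src} -> {dst}")
        lines += ["  }", "}"]
        return "\n".join(lines)


def sample_policy() -> Policy:
    """Constructed sample: an HQ with a user and an ERP segment, plus one branch."""
    segs = {
        "hq-users": Segment("hq-users", "hq", "10.1.0.0/24"),
        "hq-erp": Segment("hq-erp", "hq", "10.1.10.0/24"),
        "branch-users": Segment("branch-users", "branch-east", "10.2.0.0/24"),
    }
    p = Policy(segs)
    p.allow("hq-users", "hq-erp", 443)
    p.allow("branch-users", "hq-erp", 443)
    return p


def accept_rule_count(p: Policy) -> int:
    return sum(1 for line in p.render_nft().splitlines() if line.strip().endswith(("accept", "accept ")) or " accept  #" in line)


if __name__ == "__main__":
    p = sample_policy()
    print(p.render_nft())
    p.isolate_site("branch-east")
    print("\n# after isolating branch-east\n" + p.render_nft())
```

Before isolation, both allowed flows reach the ERP segment and the branch can reach nothing else; after `isolate_site("branch-east")`, the branch's rule disappears from the rendered chain while HQ traffic is untouched. Keeping the isolation state in the policy object rather than editing rules by hand is what makes the switch reversible with `restore_site`.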
Prediction 3: NIS2 mandates 24-hour reporting of cyber incidents; this will push businesses to enhance their incident response frameworks for greater transparency.
• The new NIS2 Directive will require in-scope organizations to report significant cyber incidents within 24 hours, down from the previous 72 hours. This accelerated timeline will challenge some, as thorough investigations often take longer. While the aim is to enhance transparency and prompt response, initial reports may lack detailed information. Organizations will need robust incident response frameworks to meet these deadlines, ensuring timely updates while continuing investigations.
• NIS2 will push organizations to improve their cybersecurity hygiene and compliance management. Emphasising risk frameworks and duty of care, the Directive will compel organizations to adopt comprehensive cybersecurity measures. This includes regular security assessments, employee training, and advanced security technologies. By enhancing their cybersecurity posture, organizations can better protect against threats and ensure compliance, mitigating the risk of penalties and reputational damage.
• NIS2 will also highlight the importance of supply chain security, requiring enterprises to assess and manage risks associated with third-party vendors. Companies must ensure their suppliers adhere to stringent security standards, extending evaluations to multiple tiers of the supply chain.
• Customers will leverage cyber risk quantification tools and processes to enhance risk management, facilitate board communications, demonstrate effective risk management, and evaluate the efficacy of their cybersecurity programs. Additionally, supply chain security plays a crucial role in this process.