As we look forward to 2025, what are the top cybersecurity threats that small-to-medium businesses will be facing?
Cybersecurity is an area of technology that is continuously adapting. It’s a game of cat and mouse – cybercriminals vs cybersecurity solutions. As soon as solutions are on the market to protect businesses from cybercriminals, the criminals have found new ways to steal data/money or create cyber havoc.
So, what do our experts believe will be the top seven threats impacting small businesses this coming year?
AI and Cybersecurity
It’s a catch-22: organisations are encouraged to consider using artificial intelligence or risk getting left behind, but AI itself poses a risk to businesses. The Institute of Internal Auditors published their Risk in Focus 2025 Report and named cybersecurity as the top area negatively impacted by AI.
Not only are cybercriminals themselves using AI to create more convincing phishing scams or to request step-by-step processes for illicit activities, but AI tools like ChatGPT can also raise privacy or compliance concerns for the businesses that use them.
There are safe ways to use artificial intelligence. Sign up to our AI workshop to get your business started with AI securely.
Phishing and social engineering
Phishing attacks will continue to be the most prevalent type of attack (84% of businesses have experienced phishing attacks, according to the UK Government Cyber Breaches Survey 2024), but the second most common cyberattack method is impersonation – a sub-set of social engineering.
Social engineering and impersonation fraud are highly targeted, and often include the attacker pretending to be an influential decision maker – such as the owner of a company. This makes employees much more likely to comply with the criminals’ requests. ISACA says that social engineering attacks are the biggest cybersecurity threats in today’s world.
Cybersecurity awareness training is the key to spotting phishing and social engineering scams that slip through the nets of any detection software in place.
Double Extortion Ransomware
In a double extortion ransomware attack, the attacker gains access to the victim’s network to locate and secure high-value assets. Then, after spreading throughout the network and encrypting the data, the attacker demands a ransom payment. They use the high-value assets (usually personal data) as leverage and will either publish it online or sell it to other criminals if the ransom isn’t paid.
Attackers gain access through the typical methods – phishing, malware, vulnerability exploitation, brute force, etc – which is why a cocktail of protection – including vulnerability management, MFA, cybersecurity awareness training, access control and endpoint protection – is so important.
Supply chain attacks
Businesses rely on third parties for smooth business operations. Whether it’s agencies, consultants, service providers, or vendors, every business has multiple relationships with high levels of trust, which makes them easy to manipulate. In supply chain attacks, cybercriminals use the same social engineering techniques, but instead of impersonating business leaders, they impersonate known third parties and partners, who already have a high level of trust.
Once attackers gain a list of partners or business customers, it’s easy to work their way through a whole list of businesses to attack using the same method.
Mobile security
We’re in an increasingly mobile-first world, so mobile security needs to be considered by businesses too. Some mobile devices, like iPhones, have built-in security features that make them notoriously difficult to infect with viruses, malware, ransomware etc, but there are still risks. BYOD (bring your own device) arrangements pose a risk to an organisation’s data security and privacy, and as we know, the threat landscape is always evolving.
Being careful of pop-ups, downloads, and apps is still recommended, no matter what brand of phone your business uses.
Insider threats
Insider threats from employees, either malicious or accidental, are huge threats to businesses. The NCSC estimates that one in four data breaches in the UK are due to human error. Employee awareness training is key to reducing accidental insider threats, and vigilance reduces the likelihood and impact of malicious insider threats.
Physical security
When we think of cyberattacks, we think of online-only crimes. But poor physical security is practically an invitation to criminals to gain access to devices and data.
“Any device that can be accessed physically is compromised.” – Daniel Gough, Techcare.
CCTV, door security, and physical access management are all recommended solutions to keep all types of criminals away from your devices and data.
The cybercrime landscape will continue to adapt to emerging technologies and trends, and attackers and defenders will always be trying to keep up with each other. As a small business decision maker, the best that you can do is keep up to date with technologies and best practices.
In need of a cybersecurity partner to keep you protected from cyberattacks? Let’s have a chat.