Top cyber security priorities for CEOs in 2025 (and how to tackle them)
30 January 2025
In 2023, half of all businesses in the UK reported a cyber security-related attack or breach. This increased to 70% for medium-sized companies and an incredible 74% for companies categorised as large. These are only the reported numbers - the unreported numbers are undoubtedly higher.
However, with over 99% of UK companies categorised as small or medium-sized enterprises, a substantial portion of the economy remains at significant risk to escalating cyber threats. Given the ever-evolving complexity and severity of the challenges, what exactly should CEOs be prioritising in 2025 and beyond?

Introduction
Not a day goes by without a major cyber security incident making headlines. As two of the most digitised economies in the world, the US and the UK continually rank among the top global targets for cyber attacks. As leaders, our assumption must be not if but when an attack will happen.
However, for many small companies, cyber security can feel like a distraction from the day-to-day of running a business - an additional burden on top of the many challenges they face. But as the sophistication and frequency of cyber attacks intensifies, companies can no longer ignore the existential threat posed by cyber crime.
Today, cyber security is a key priority for every business, but no business can be expected to cover every eventuality - they need to prioritise and manage the risk. So what should you be prioritising in 2025? Here are my thoughts on what should be your main priorities for the year ahead.
1. Supply chain vulnerabilities
Many organisations depend on complex, global supply chains, making them highly susceptible to vulnerabilities introduced by partners and vendors. A breach in any part of the supply chain (including in their software supply chain) can result in significant widespread disruption across an entire network of organisations.
Why this matters: Attackers will often target the weakest links in the supply chain to infiltrate larger organisations. Targeting a small organisation, 2 or 3 layers down the supply chain, is often easier than going after the mothership. High-profile incidents such as the recent Synnovis attack on the NHS underscore just how impactful these supply-chain breaches can be.
Key priorities:
Implement robust vendor risk management to evaluate and assess the risk of working with third-party suppliers.
Incorporate software supply chain security tooling and DevSecOps practices into your software development lifecycle.
2. Advanced threats and AI-powered attacks
Cyber criminals have started to leverage AI to create sophisticated attacks that can evade traditional security defences. From automated phishing to deepfakes and AI-generated malware, the threat landscape is evolving rapidly.
Why this matters: AI-enabled attackers can now scale their efforts with unprecedented precision, targeting companies with pinpoint accuracy. For example, in 2024 an employee at a global engineering firm was convinced to transfer $25m by wire after receiving a deepfake call from ‘the company CFO’.
Key priorities:
Cultivate a security-first culture across your entire organisation. Every employee is a potential target for a cyber attack. Don’t assume they are all informed about cyber threats - most aren’t and will require training.
Adopt advanced threat detection and response systems to counteract and mitigate advanced threats, using AI to combat AI.
3. Ransomware and extortion attacks
Ransomware remains one of the most lucrative tools for cyber criminals. It has evolved into its own enterprise with threat actors now offering ‘ransomware as a service’. This, combined with the absence of legal policies prohibiting ransom payments, means that organisations continue to be targeted at an alarming rate due to the high likelihood of payments being made.
Extortion and double extortion schemes have become particularly damaging for companies (both monetarily and reputationally), especially for companies with valuable IP or who store sensitive data.
Why this matters: The financial and reputational costs of ransomware attacks are staggering, often crippling organisations for extended periods. Some organisations may never recover - once you’ve lost the trust of your customers, you may never get it back.
Key priorities:
Provide regular employee training on the latest ransomware tactics, including educating employees about phishing schemes and risky behaviours.
Back up your data and implement a robust incident response plan that can be put into action in the event of an incident.
Implement cyber hygiene best practices, from email protection and device management to the use of multi-factor authentication and password managers.
4. Privacy and compliance challenges
With stricter regulations like GDPR, CRA, CCPA and a growing number of regional data privacy laws, organisations must navigate a complex landscape of compliance and regulation. Mishandling sensitive data can result in severe penalties and eroded customer trust.
Why this matters: As with ransomware, data breaches are not only expensive but also hugely damaging to brand reputation, especially in an era where governments and consumers demand greater accountability for how their data is stored and used.
Key priorities:
Pursue SOC 2, ISO 27001 or (as an absolute minimum) Cyber Essentials certification. Regularly monitor compliance and regulatory changes to mitigate ongoing risk.
Invest in technologies that enhance data protection and (when building software) apply security-first design principles.
5. Cloud security and 'Shadow IT'
The shift to cloud and AI is transforming how software is delivered today, but it has also introduced new risks. Shadow IT and Shadow AI - the use of unauthorised applications, services and AI - have only exacerbated the problem.
Why this matters: Unsecured cloud environments and unauthorised applications are prime targets for attackers, leading to data breaches and compliance violations.
Key priorities:
Strengthen your cloud security measures and implement clear governance policies around IT usage.
Ensure visibility and tracking of all digital assets, and encourage secure, approved workflows within your organisation, backed by regular security assessments.
Introduce processes to address employee needs expediently. In the absence of any process, employees will find a way to leverage technology to make their jobs easier, but there’s a balance between encouraging continuous improvement and anarchy.
6. Talent shortage and skill gaps
The cyber security industry faces perennial talent shortages, with organisations struggling to recruit and retain skilled professionals. As the threats of cyber attacks increase, so does the skill shortage, only exacerbating the risks to organisations.
Why this matters: Without the right expertise, organisations cannot swiftly and effectively combat the increasingly sophisticated cyber threats they face.
Key priorities:
Champion workforce development by investing in training, upskilling current employees, and working with educational institutions to build a pipeline of future talent.
Partner with managed security service providers (such as Instil) to alleviate pressure from in-house teams.
In summary
In 2025, cyber security is a strategic priority for every business. The challenges of supply chain vulnerabilities, AI-powered threats, ransomware, data privacy, cloud security, and talent shortages require decisive action and sustained investment.
As with most things, cyber security starts with your people - get your culture right and you will have a great chance of mitigating the risks and driving business resilience in an increasingly hostile digital world.
Article by
Simon Whittaker
Head of Cyber Security