In 2025, we need to rethink cyber-risk

Victoria Hanscomb
Dan Schiappa, Chief Product and Services Officer, Arctic Wolf explores the cyber-risk mindset shift that needs to occur for organizations to be resilient in 2025.
The height of cyber-risk
The unprecedented advancements made to AI and machine learning models over the last two years have launched cybersecurity into a new paradigm, enabling modern threat actors to fire off increasingly sophisticated threats at the press of a button.
At the same time, the evolving threat landscape has pushed business leaders and their employees into an even more critical role in their organizations' cyber defenses, whether they are aware of that responsibility or not.
With cyber-risk at an all-time high, organizations need to understand that reducing human risk in 2025, that is, training employees and fostering a strong security culture, will be the most important step they take toward resilience.
This is not an overnight process, especially for large teams, but cybersecurity aptitude is a skill that anybody can learn, regardless of technical background.
This rings especially true as the number of AI tools available to individuals skyrockets, which makes it increasingly important for companies to set clear guidelines for employees on which tools may be used, for what, and with what data.
In the same vein as Shadow IT, the use of IT resources without approval, Shadow AI, the use of unsanctioned AI tools such as chatbots and code assistants, often with company data pasted into them, is becoming a major challenge for businesses.
Combating the threats
Historically, cybersecurity has been an arms race for practitioners to keep up with patching vulnerabilities and defending against new technology that attackers deploy to infiltrate and extort or steal from their targets.
With the rise of AI-powered attacks, that arms race has evolved into a competition for which side has the fastest, most efficient machine learning model powering their security platform or, for cyber-criminals, crafting their threats.
This shift toward AI-based security has narrowed the margin between attackers and the defenses thwarting them, partly because malicious actors do not have to follow any rules or regulations when developing their offensive models.
With the technological margin between attackers and defenders this slim, an organization with a deeply ingrained culture of cybersecurity, meaning employees who are trained to proactively report suspicious behavior, can be the difference between falling victim to a ransomware attack and business as usual.
In recent years we have seen major stories about the mix of human reconnaissance and cybersecurity.
Two of the largest breaches in recent memory, MGM Resorts and MOVEit (both in 2023), illustrate the point from different directions: MGM was entered through social engineering, a phone call impersonating an employee to the IT help desk, while the MOVEit campaign exploited a zero-day vulnerability in the MOVEit Transfer file-transfer product, a reminder that the people who prioritize patching are part of the human risk picture too.
What is more, Arctic Wolf research found that nearly two-thirds of IT executives have clicked on phishing links themselves, showing that human risk is not just a new-employee problem; in many cases, it is a leadership problem.
Actions like reusing credentials, disabling security measures like multi-factor authentication and errant link-clicking place organizations at a massive cyber-risk, regardless of the sophistication of their security environment.
Both leaders and end users still have a lot of work to do to ensure that they, as individuals, are not undermining the overall security of their organizations, which, given the number of applications and logins we all keep track of, is harder than it has ever been.
Fortunately, the journey to mitigating human risk is well-documented for organizations of all sizes; it just requires buy-in and dedication from the top of the C-suite all the way down to entry-level employees.
While that might sound simple, it does require introspection from every individual on the team.
For example, a recent survey found that despite 64% of IT leaders having clicked on a phishing link, 80% reported that they were "confident" their organization would not fall for a phishing attack.
This shows that a number of individuals might be failing to practice what they preach.
In a modern world where threats are not only more common, but are also much more sophisticated, understanding what to watch for and teaching your employees to do the same is crucial.
This disconnect also means that, in some cases, the most effective shift an organization can make to lower its human risk is to mandate controls that do not depend on individual judgment: multi-factor authentication (ideally phishing-resistant methods such as FIDO2 security keys or passkeys), virtual private networks for remote access and password managers.
Many organizations already conduct background checks on their employees, monitor work devices for suspicious traffic and require either periodic password updates or the use of a password manager; of those two, the password manager is the better investment, since current NIST guidance (SP 800-63B) advises against forced periodic rotation unless there is evidence of compromise, and rotation schedules tend to push users toward predictable, reused passwords.
As AI-based threats become more prevalent, employees should also be well-versed in the policies and procedures for reporting suspicious activity and for verifying a colleague's or partner's identity, as well as knowing what to do if a malicious link is clicked (report it immediately, and do not assume that nothing happened because nothing visibly changed).
Time and time again, whether it is the classic "CEO" text asking an employee to buy gift cards or a more sophisticated deepfake voice or video call, we have seen coworkers fall for scams because nobody confirmed the colleague's identity.
A simple pause to double-check before sharing anything confidential or granting access can make a world of difference; the check that matters is verifying through a known, independent channel, such as calling back on the number in the company directory rather than the one supplied in the message, since a convincing voice or a familiar-looking email address is exactly what the attacker controls.
Reducing risk
All of that said, none of the above tactics are worthwhile for an organization trying to boost its resiliency without an underlying foundation of trust.
The buy-in from not just leadership, but from every individual at an organization is one of the best ways we can improve security across the board.
The measures offered as solutions are routinely basic, but they only work if everyone takes part; cyber-risk cannot be brought down without building a community beyond the IT department that keeps security top of mind.
The reality is that running a business involves a wide range of security concerns, and any part of the company that has not been prepared for them is where something will be missed.
Security leaders and staff alike need to feel empowered to raise security concerns with organizational leadership at any time, and leadership needs to act on them, because the operational basics that follow from that dialogue, such as updating and patching systems promptly, are essential to any resilience plan.
Gaps in background checks and people screening, in phishing defenses, in the governance of shadow AI and elsewhere are just a few examples of the openings that, left unchecked, could easily lead to a breach or the theft of business-critical information.
So yes, we will continue to see cyber-criminals looking to exploit organizations with new tools and techniques this year.
As a security community, though, I am optimistic that 2025 will be a year of reevaluating individual cyber-risk, and of making the right changes and decisions to drive companies toward a much safer future.
This article was originally published in the special ISC West 2025 March edition of Security Journal Americas.