CISOs’ top threats for 2025, from deepfakes to Scattered Spider

In this guest post, Thoughtworks’ CISO Nitin Raina and Head of Security Architecture Nazneen Rupawalla share their outlook on the security landscape for 2025, including emerging risks and fresh approaches to confronting them.

As security leaders, we’re always monitoring for new threats looming just over the horizon. To protect our business and our customers, we need to stay one step ahead of threat actors, anticipating risks before they can cause harm. With a new year approaching, here are some of the emerging threats we’re seeing in cybersecurity, and some insights on how best to combat them.

AI-powered threats and solutions

The era of artificial intelligence (AI) is officially here, and we’re seeing extraordinary AI-powered innovation on both sides of the security battle. AI-driven cyberattacks, like deepfakes and phishing attacks, are becoming increasingly sophisticated. They’re evolving to more successfully evade detection and deceive end users. And as AI itself rapidly matures, we expect these attacks only to grow more effective.

Deepfakes are particularly concerning. We’re no longer just seeing deceptive videos, but full simulations with live responses in real time, which can be incredibly convincing. And we’re still catching up as an industry.

It’s not all doom and gloom, though. AI also presents new opportunities for combatting these and other dangers. For example, AI can be adept at pattern recognition, detecting threats and viruses quickly and isolating bot activity to minimize its impact. In 2025 we expect AI to become more powerful as a means of thwarting malicious activity.

But technology is merely one tool in our toolbox. At Thoughtworks, another crucial tactic is training our workforce to build internal awareness of deepfakes and how to detect them. For example, if one of our employees gets a voicemail from someone who sounds like our CEO, should they trust that it’s real? That kind of fundamental security hygiene — being skeptical and verifying authenticity — remains a powerful and effective defense.

Ransomware as a service

Recently, we’ve seen a new trend in which attackers target victims using someone else’s technology. This “ransomware as a service” (RaaS) phenomenon has created a new business model for threats. You no longer need a technical background to execute a ransomware attack against an organization or government; you can simply pay to access the malware strain needed to do it. 

RaaS is one reason ransomware attacks have risen in frequency and impact in recent years. In fact, Chainalysis found that total ransomware payments hit a record in 2023, topping $1 billion for the first time. The average attack has gotten more costly too, with the average ransom payment more than doubling to almost $4 million in 2024, according to Sophos.

Combatting these attacks will require vigilance from companies like ours along with cooperation with, and continued focus from, law enforcement bodies around the globe.

Supply chain vulnerabilities

Attackers will also continue looking for any points of weakness in the software supply chain, and, unfortunately, they have plenty of opportunities. After all, gone are the days when all of a company’s data and applications reside on local servers and networks. The global migration to the cloud has led to great progress in productivity and security, but it has also introduced new vulnerabilities.

Reliance on third-party, cloud-based SaaS tools and APIs makes it very difficult for organizations to trace how attackers might be exploiting such services, since they’re controlled by external vendors. And because SaaS tools have proliferated so widely, a compromise of any one of them can instantly impact thousands, or even millions, of customers.

While these attacks can be hard to prevent entirely, it’s always a good idea to assess the risk of any vendors or partners you might rely on, and implement a Zero Trust approach to constantly reinforce the security of all your users and their devices.

Social engineering attacks

In 2025, we expect the continued growth of social engineering and phishing attacks, which can often bypass multi-factor authentication (MFA) protection. MFA is certainly a smart security practice, but it’s not foolproof. Social engineering attacks will only get more sophisticated, mimicking legitimate conversations with context-based awareness and fooling unsuspecting users more effectively than ever before.

One example is Scattered Spider, a loose-knit collective of hackers who rely on social engineering tactics to bypass MFA and gain access to valuable data and systems. In September 2023, the group claimed responsibility for two ransomware attacks in Las Vegas, disrupting operations of a dozen hotels and casinos for days and costing their parent companies more than $100 million.

CISA recently issued a cybersecurity advisory that includes recommendations on what companies should do to mitigate the impact of such activities. But more than anything, we need to stay up to date with their tactics and adapt our defenses just as quickly.

Insider risk management

While external threat actors will always require vigilance, we shouldn’t ignore possible internal threats as well. Often we think that, because we trust our employees, they don’t require the same level of defense as those outside the company. In reality, the rise of remote work and widespread reliance on contractors throughout the tech industry have introduced new risk factors that demand attention.

Again, we suggest adopting a Zero Trust security architecture to treat all workers and devices with an appropriate level of caution. That way you can more effectively ensure the right people can access the right resources at the right time and deny access to those who present risk.
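To make the Zero Trust stance above concrete, here is an added example (not code from the Thoughtworks post, and not a description of any particular product): a deny-by-default policy decision in Python that evaluates every request, employee or contractor, on-site or remote, against role, MFA strength, device posture, employment category and session freshness. The resource names, roles, device-posture fields, sample users and thresholds are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: str
    employment: str        # constructed categories: "employee" or "contractor"
    roles: frozenset
    mfa_method: str        # "fido2", "totp", "push" or "none"
    session_age_min: int   # minutes since the last interactive authentication

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in the organisation's device management
    disk_encrypted: bool
    os_patched: bool
    edr_healthy: bool      # endpoint agent present and reporting

# Hypothetical resources: sensitivity and the roles allowed to reach each one.
RESOURCES = {
    "wiki":        ("low",  {"staff", "contractor"}),
    "source-repo": ("high", {"engineer"}),
    "hr-records":  ("high", {"hr"}),
}

# Phishing-resistant factors score higher; push and TOTP codes can be socially engineered.
MFA_STRENGTH = {"none": 0, "push": 1, "totp": 1, "fido2": 2}
REQUIRED_MFA = {"low": 1, "high": 2}
MAX_SESSION_MIN = 480   # assumed re-authentication interval (8 hours)

def posture_failures(device):
    """Return the device-posture checks that fail (empty list = compliant)."""
    checks = [("unmanaged device", device.managed),
              ("disk not encrypted", device.disk_encrypted),
              ("OS not patched", device.os_patched),
              ("EDR agent unhealthy", device.edr_healthy)]
    return [name for name, ok in checks if not ok]

def evaluate(principal, device, resource):
    """Deny-by-default decision: returns (allowed, reasons).

    The same checks run for every caller regardless of where they sit or
    whether they are staff or a contractor; any single failure denies."""
    if resource not in RESOURCES:
        return False, ["unknown resource"]
    sensitivity, allowed_roles = RESOURCES[resource]
    reasons = []
    if not (principal.roles & allowed_roles):
        reasons.append("role does not grant access to %s" % resource)
    if MFA_STRENGTH.get(principal.mfa_method, 0) < REQUIRED_MFA[sensitivity]:
        reasons.append("MFA method %s too weak for %s-sensitivity resource"
                       % (principal.mfa_method, sensitivity))
    failures = posture_failures(device)
    if sensitivity == "high":
        reasons.extend(failures)            # high: every posture check must pass
    elif not device.managed:
        reasons.append("unmanaged device")  # low: at least a managed device
    if principal.employment == "contractor" and sensitivity == "high":
        reasons.append("contractors are not permitted on high-sensitivity resources")
    if principal.session_age_min > MAX_SESSION_MIN:
        reasons.append("session older than %d min; re-authentication required"
                       % MAX_SESSION_MIN)
    return (not reasons), reasons or ["all checks passed"]

# Constructed sample principals and devices.
ALICE = Principal("alice", "employee", frozenset({"staff", "engineer"}), "fido2", 30)
BOB = Principal("bob", "contractor", frozenset({"contractor"}), "push", 30)
BOB_STALE = Principal("bob", "contractor", frozenset({"contractor"}), "push", 600)
MANAGED = Device("lt-001", True, True, True, True)
BYOD = Device("byod-17", False, True, False, False)

def decide_samples():
    """Run the policy over the constructed scenarios; returns {name: (allowed, reasons)}."""
    return {
        "alice_repo_managed": evaluate(ALICE, MANAGED, "source-repo"),
        "alice_repo_byod":    evaluate(ALICE, BYOD, "source-repo"),
        "bob_wiki":           evaluate(BOB, MANAGED, "wiki"),
        "bob_wiki_stale":     evaluate(BOB_STALE, MANAGED, "wiki"),
        "bob_hr":             evaluate(BOB, MANAGED, "hr-records"),
    }

if __name__ == "__main__":
    for name, (allowed, reasons) in decide_samples().items():
        print("%-20s %s  %s" % (name, "ALLOW" if allowed else "DENY", "; ".join(reasons)))
```

The design choice worth noting is that the decision collects every failing reason rather than stopping at the first one: an access log that says "unmanaged device; OS not patched; EDR agent unhealthy" is far more useful to a SOC analyst and to the user than a bare denial, and the same function can drive both the enforcement point and the audit trail.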

Advice for fellow CISOs

As we look to the new year, here are some more tips for fellow CISOs seeking to strengthen their organizations’ security postures, come what may:

  • Invest in new tools where you can. In general, the faster you can find a threat, respond to it, contain it, and then remediate and fix it, the better. That might require a budget and capabilities beyond the reach of many companies. Even with tight budgets, dedicating a small team to explore and establish capabilities in less mature areas can yield powerful results. With greater focus and innovation in this space, we can expect new, cost-effective solutions to become more widely adopted.
  • Implement the right security controls. For CISOs and other security leaders, better controls are a great start. Deploy the detection and response controls that are right for your organization’s size and complexity. 
  • Go on offense. If you have the means to do so, put a team together to hunt for threats. That will help you find loopholes in your systems before attackers can. There are even automated threat-hunting tools emerging that can help detect and predict attacks automatically.
  • Run simulations with leadership. Practice with your most senior teams so you’re prepared to manage an incident if and when it arises. 
  • Stay informed. Consume all the threat intelligence information you can glean from governments, non-profits, and peers. Those partnerships are key to surfacing new attack vectors, so you can check your own systems and ensure you’re properly prepared.

Finally, start small. It’s impossible to adopt a foolproof security posture overnight, but incremental improvements can bring you closer each day. It’s going to be difficult to keep up with attackers as they grow ever bolder and more sophisticated. But we can and must do all we can to stay at least one step ahead.
