CYBERSECURITY IN 2025 – A SHIFTING LANDSCAPE

The biggest cybersecurity risk that businesses faced years ago was losing access to their data due to a ransomware attack where a hacker would lock up a company’s files and only release them back if a ransom was paid. Wisely, many businesses responded to these threats by creating redundancies in their systems that were frequently backed up so that the worst case scenario would be that the business lost a few days’ worth of data. As a result, these classic ransomware attacks are now less lucrative to the bad actors, so they have shifted their focus to stealing data from businesses and threatening to post that data on the “dark web” unless a ransom is paid. This so-called “double extortion” attack is the biggest cybersecurity threat facing businesses in 2025.

As we enter the new year, recent high-profile data breaches serve as a stark reminder of the critical importance of cybersecurity in protecting sensitive corporate information. Cyber threats are evolving in sophistication and scale, and organizations must remain proactive in mitigating risks. Here are 20 best practices and tips to keep in mind in 2025:

1. Partner with cybersecurity firms for audits, monitoring, and forensic analysis.
2. Identify and assess vulnerabilities in your IT infrastructure.
   
3. Perform penetration testing and vulnerability scans to identify weaknesses before attackers can exploit them.
4. Update your risk assessment strategy to account for new threats and technologies.
5. Enforce strong password policies and multifactor authentication (MFA) for all systems.
6. Regularly review and limit access to sensitive data based on employees’ roles.
7. Monitor for unauthorized access attempts and respond promptly.
8. Encrypt sensitive data both in transit and at rest to the maximum extent possible.
9. Maintain a secure data backup system and test the recovery process regularly.
10. Implement data classification policies to ensure appropriate handling of confidential information.
11. Regularly review the amount, age, and types of data you are storing. Cheap electronic or cloud storage makes it easy for companies to become “digital packrats,” thus increasing the stakes (and cost) in the event of a data breach.
12. Remember that the weakest links in any IT environment are most often the people who operate in that environment (i.e., your employees).
    
13. Educate employees on recognizing phishing attempts, social engineering, and other common attack methods.
14. Conduct regular cybersecurity training sessions and simulated attacks to reinforce awareness.
15. Establish clear procedures for reporting suspected incidents.
16. Stay informed about emerging threats and regulatory changes through professional networks and updates.
17. Evaluate your cybersecurity insurance policies to ensure adequate coverage against potential losses from breaches and compliance fines.
18. Take advantage of any free training or audit services that your insurance company offers to minimize the chances of a data breach.
19. Regularly evaluate the cybersecurity practices of third-party vendors and partners who have access to your systems or data. Establish clear security requirements and ensure compliance with contractual agreements.
20. Review your vendor and supplier contracts to determine if you can shift or share the risks associated with a data breach.

While you cannot completely shed responsibility for what happens to data that you are legally obligated to protect, you can create and pursue potential avenues of recovery against others in the event of a data incident involving your systems.

Brian J. Lamoureux is a Partner on the Firm’s Litigation, Employment, and Cybersecurity teams. He can be reached at [email protected] or 401-824-5155.