An analysis of the most pressing concerns based on insights from 1,000 UK business leaders.
Authors: Georgia Price-Hunt, Sam Cheshire
UK businesses will be stepping into 2025 with a deeper understanding of cyber risk and a renewed focus on bolstering defences.
Yet, as they become more adept at handling familiar threats, emerging complexities, such as advanced AI and vulnerabilities in digital supply chains, are coming to the fore.
AI's expanding influence
AI is reshaping both offensive and defensive landscapes. The UK’s National Cyber Security Centre has warned the technology will almost certainly increase the volume and impact of cyber-attacks in the next few years [1].
Some 87% of UK organisations are classified as ‘vulnerable’ to cyber-attacks as bad actors leverage AI to execute a higher number of more sophisticated attacks [2].
One of the most pressing difficulties is the policy gap surrounding AI and the challenge of keeping up with the pace of innovation in the field. Even AI developers find it challenging to define comprehensive policies, complicating risk management efforts for insurers and businesses alike.
Unimpeded by compliance, malicious actors are using generative AI to create more convincing phishing schemes and social engineering campaigns, bypassing traditional detection methods.
Research shows that AI-simulated phishing emails are more likely to be opened than manually created ones, as they contain fewer telltale signs of a scam, such as poor spelling.
To keep up, businesses should invest in automated tools and educate employees on AI risks and opportunities to better handle the evolving threat landscape.
Firms should prioritise employee training and awareness
With the complexity of AI-generated content blurring the lines between legitimate and fraudulent communication, educating staff to identify subtle cues has never been more vital.
Despite advances in technology, the human element remains one of the most exploited aspects of cyber defence, with 88% of data breaches caused by human error [3]. Moving forward, firms should continue to invest in staff awareness and place more controls around access to sensitive data, networks and applications.
Focus on third-party and supply-chain risk
Supply chain vulnerabilities will remain a significant focus for 2025. It follows one of the biggest IT outages in history in July 2024, prompted when a faulty update caused problems for computers running on the software.
The incident brought into sharp relief the interconnected nature of global digital ecosystems and made it clear that a weak link can have cascading effects on multiple organisations.
Businesses that are very reliant on a small number of service providers are most exposed, prompting a push for more diversification, better contingencies and robust third-party risk management protocols.
Companies are enhancing due diligence practices, incorporating continuous third-party assessments and demanding greater transparency from partners. This push reflects a broader shift in cybersecurity strategy, where oversight extends beyond internal practices to encompass the entire digital supply chain.
Businesses continued to improve their cyber hygiene during 2024, and we expect this trend to continue into 2025, driven by stakeholder expectations and improving security benchmarks.
The role of cyber insurance
A proactive approach to cyber risk management aligns with the expectations of insurers, who continue to demand best practices like Multi-Factor Authentication (MFA) and endpoint security measures as prerequisites for extending coverage.
After a period of re-evaluation, the role of cyber insurance has evolved, with the product maturing and offering more clarity around coverage and policy wording. The industry’s proactive response to claims is also reinforcing the view of insurance as an essential part of a company's defence and loss control strategy.
The overarching theme for 2025 is adaptation and resilience. As cyber threats become more sophisticated and embedded in daily operations, firms must continue to prioritise dynamic strategies encompassing technology, partnerships, and risk education.
The aim is not only to prevent breaches but to mitigate their impact through comprehensive risk management and incident response capabilities.
Collaboration and partnership will remain essential to accessing risk data and insights, such as