SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Six cybersecurity trends you can't afford to ignore in 2025

2025 marks a turning point. Vulnerabilities have become one of the most dangerous access points into enterprise environments. Exploits are faster, attack surfaces are wider, and the cost of delay is rising - while cyber attackers are no longer waiting for the right moment to strike.

The newly released Verizon 2025 Data Breach Investigations Report (DBIR) paints a stark picture of today's cyber threat landscape and the critical vulnerabilities organisations must urgently address. 

As a contributing partner to this year's report, Qualys has had a front-row seat to these shifts and helped unpack the most pressing trends impacting enterprise security.

The findings point to a sharp escalation in vulnerability exploitation, edge device risks, ransomware tactics, and third-party exposures. These insights aren't just interesting—they are a blueprint for action. 

Here are six trends security leaders can't afford to ignore.

1. Vulnerability management: The growing challenge

Exploiting vulnerabilities as an initial access vector has grown significantly, reaching 20% of breaches analysed in the 2025 DBIR across 12,195 confirmed data breaches. This represents a 34% increase from the previous year and approaches the frequency of credential abuse (22%).

This trend demands immediate attention from security teams, particularly as edge devices and VPNs now represent 22% of vulnerability exploitation targets, an almost eight-fold increase from just 3% in 2024.

Organisations must leverage a risk-based approach and prioritise vulnerability scanning and patching for internet-facing systems. The data clearly shows that attackers follow the path of least resistance, targeting vulnerable edge devices that provide direct access to internal networks.

2. Patch management: A race against time

According to the report, the median time for organisations to fully remediate edge device vulnerabilities was 32 days, while the median time for these vulnerabilities to be mass exploited was zero days—meaning the analysed vulnerabilities were added to the CISA KEV catalogue on or before their CVE publication. This timing gap represents a critical window of exposure that organisations must work to close.

Security teams must take a proactive, risk-based approach to vulnerability management—starting with complete asset visibility (including end-of-life systems), broad detection capabilities, automated patching, and prioritised remediation of edge device vulnerabilities, while implementing compensating controls when immediate patches aren't feasible.
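The risk-based prioritisation described in sections 1 and 2 (known-exploited status, exposure on the internet, end-of-life systems that can only be protected with compensating controls, and the exposure window between detection and remediation) can be expressed as a small triage routine. The following Python is an added example, not code from Qualys, Verizon or the DBIR: the catalogue entries, asset names, scoring weights and the `Finding` field names are all constructed assumptions, and the CVE identifiers are placeholders.

```python
"""Risk-based triage of vulnerability findings against a known-exploited catalogue.

Added example; all data below is constructed and the scoring weights are an
assumed policy, not a published standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

REFERENCE_DATE = date(2025, 5, 1)   # "today" for the worked run

# Constructed catalogue of known-exploited vulnerabilities.
# Value: (date listed as exploited, CVE publication date). Placeholder ids.
KEV_CATALOGUE = {
    "CVE-0000-00001": (date(2025, 3, 1), date(2025, 3, 3)),    # listed before disclosure
    "CVE-0000-00002": (date(2025, 3, 10), date(2025, 3, 10)),  # listed on disclosure day
}


@dataclass
class Finding:
    asset: str
    cve: str
    internet_facing: bool
    end_of_life: bool            # vendor no longer ships a patch
    detected: date
    remediated: Optional[date] = None


def mass_exploit_lead_days(cve: str) -> Optional[int]:
    """Days from CVE publication to being listed as exploited.
    Zero or negative means exploitation was known on or before disclosure;
    None means the CVE is not in the catalogue."""
    entry = KEV_CATALOGUE.get(cve)
    if entry is None:
        return None
    listed, published = entry
    return (listed - published).days


def exposure_days(finding: Finding, today: date) -> int:
    """Window between detection and remediation (or today if still open)."""
    end = finding.remediated or today
    return (end - finding.detected).days


def priority_score(finding: Finding, today: date) -> int:
    """Additive score; higher means fix first. Weights are assumed policy."""
    score = 0
    lead = mass_exploit_lead_days(finding.cve)
    if lead is not None:
        score += 50                       # known to be exploited in the wild
        if lead <= 0:
            score += 20                   # exploited on or before disclosure
    if finding.internet_facing:
        score += 30                       # edge exposure: path of least resistance
    if finding.end_of_life:
        score += 10                       # no vendor fix is coming
    if finding.remediated is None:
        score += min(exposure_days(finding, today), 30)   # open findings age, capped
    return score


def recommended_action(finding: Finding) -> str:
    if finding.remediated is not None:
        return "closed"
    if finding.end_of_life:
        return "compensating-control"     # isolate, restrict access, add monitoring
    return "patch"


def triage(findings: List[Finding], today: date) -> List[Tuple[int, str, str, str]]:
    rows = [(priority_score(f, today), f.asset, f.cve, recommended_action(f))
            for f in findings]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed scan output.
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "CVE-0000-00001", True, False, date(2025, 4, 1)),
    Finding("fileserver-03", "CVE-0000-00002", False, False, date(2025, 4, 1), date(2025, 4, 20)),
    Finding("legacy-fw-02", "CVE-0000-00001", True, True, date(2025, 4, 1)),
    Finding("dev-box-07", "CVE-0000-00099", False, False, date(2025, 4, 15)),
]

if __name__ == "__main__":
    for score, asset, cve, action in triage(SAMPLE_FINDINGS, REFERENCE_DATE):
        print(f"{score:3d}  {asset:14s} {cve}  {action}")
```

In the worked run the end-of-life edge firewall sorts above the patchable VPN gateway even though both carry the same exploited CVE, and it is routed to compensating controls rather than a patch queue it can never leave; the closed finding keeps its base score for reporting but no longer accrues exposure.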

3. Ransomware: Evolving tactics and economics

Ransomware presence in analysed breaches grew by 37%, appearing in 44% of all breaches reviewed (up from 32%). However, the median ransom payment decreased to $115,000 from $150,000 the previous year, with 64% of victims refusing to pay (up from 50% two years ago).

Small organisations are disproportionately affected by ransomware. While larger organisations experience ransomware in 39% of breaches, SMBs face ransomware in a staggering 88% of breach incidents.

Organisations should implement a comprehensive vulnerability management approach that integrates threat intelligence to track emerging ransomware tactics, deploys advanced detection to flag vulnerabilities linked to known ransomware groups, leverages risk-based prioritisation for remediation, utilises next-gen EDR to detect ransomware-specific behaviours, and includes incident response playbooks for data exfiltration and extortion scenarios.

4. Cloud and application security: The third-party challenge

Third-party involvement in breaches doubled from 15% to 30%, with credential reuse in third-party environments becoming increasingly common. Research found the median time to remediate leaked secrets discovered in GitHub repositories was 94 days.

Espionage-motivated breaches grew significantly to 17%, with these attackers leveraging vulnerability exploitation as an initial access vector 70% of the time. Interestingly, approximately 28% of incidents involving state-sponsored actors had a financial motive.

Cloud and application security programs must evolve to include automated secret scanning, rapid credential rotation, and MFA in third-party environments, alongside continuous monitoring, comprehensive third-party assessments, and unified risk visibility with prioritised remediation based on business criticality.
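The automated secret scanning and rotation tracking called for above can be demonstrated with a small scanner that runs detector patterns over committed file contents, discards low-entropy placeholders, records only a hash of each match, and measures how long each leaked secret has been exposed against a rotation deadline (the DBIR's 94-day median is the figure such a deadline is meant to beat). This Python is an added example and not Qualys, Verizon or GitHub code: the repositories, file contents, rotation log, entropy threshold and seven-day SLA are constructed assumptions; the `AKIA` prefix is the documented shape of AWS access key IDs and the sample value is AWS's own published example key, not a live credential.

```python
"""Secret scanning with exposure-age tracking over committed file contents.

Added example; inputs are constructed in-line and the SLA/entropy values are
assumed policy.
"""
import hashlib
import math
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

ROTATION_SLA_DAYS = 7        # assumed policy: rotate within a week of the commit
ENTROPY_FLOOR_BITS = 3.5     # assumed: below this a "key" is probably a placeholder
REFERENCE_DATE = date(2025, 5, 1)

# Generic detector shapes. The generic-credential pattern is deliberately broad
# and is tightened by the entropy check in scan_blob().
PATTERNS: Dict[str, "re.Pattern"] = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic-credential": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
}


@dataclass
class Blob:
    """One committed version of a file (constructed stand-in for a git blob)."""
    repo: str
    path: str
    committed: date
    text: str


@dataclass
class SecretFinding:
    repo: str
    path: str
    line_no: int
    kind: str
    fingerprint: str             # hash of the secret; the secret itself is never stored
    committed: date
    rotated: Optional[date]

    def days_exposed(self, today: date) -> int:
        return ((self.rotated or today) - self.committed).days

    def overdue(self, today: date) -> bool:
        return self.rotated is None and self.days_exposed(today) > ROTATION_SLA_DAYS


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'changeme_changeme' score low."""
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix used to join findings to the rotation log."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan_blob(blob: Blob, rotation_log: Dict[str, date]) -> List[SecretFinding]:
    findings: List[SecretFinding] = []
    for line_no, line in enumerate(blob.text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group(1) if m.groups() else m.group(0)
            if kind == "generic-credential" and shannon_entropy(secret) < ENTROPY_FLOOR_BITS:
                continue                   # low entropy: placeholder, not a credential
            fp = fingerprint(secret)
            findings.append(SecretFinding(blob.repo, blob.path, line_no, kind, fp,
                                          blob.committed, rotation_log.get(fp)))
    return findings


def scan_all(blobs: List[Blob], rotation_log: Dict[str, date], today: date) -> List[SecretFinding]:
    """All findings, longest-exposed first."""
    findings: List[SecretFinding] = []
    for blob in blobs:
        findings.extend(scan_blob(blob, rotation_log))
    return sorted(findings, key=lambda f: f.days_exposed(today), reverse=True)


# Constructed repository contents. The AKIA value is AWS's documented example key.
SAMPLE_BLOBS = [
    Blob("payments-api", "config/settings.py", date(2025, 1, 15),
         'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
         'api_key = "changeme_changeme_changeme"\n'),
    Blob("infra-scripts", "deploy/run.sh", date(2025, 4, 10),
         "export DB_PASSWORD=q8Zr2vLp0mNx7KwT4yBs9HcJ\n"),
    Blob("infra-scripts", "keys/old.pem", date(2024, 12, 1),
         "-----BEGIN RSA PRIVATE KEY-----\n"
         "constructed-placeholder-not-a-key\n"
         "-----END RSA PRIVATE KEY-----\n"),
]
# Constructed rotation log: only the AWS key has been rotated so far.
SAMPLE_ROTATION_LOG = {fingerprint("AKIAIOSFODNN7EXAMPLE"): date(2025, 1, 20)}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_BLOBS, SAMPLE_ROTATION_LOG, REFERENCE_DATE):
        state = "OVERDUE" if f.overdue(REFERENCE_DATE) else ("rotated" if f.rotated else "open")
        print(f"{f.days_exposed(REFERENCE_DATE):4d}d  {f.repo}/{f.path}:{f.line_no}  {f.kind}  {state}")
```

Joining on a hash rather than the secret keeps the credential out of tickets and logs, and measuring exposure from the commit date (not the detection date) reflects how long the secret was actually reachable, which is the number a rotation SLA should be judged against.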

5. Compliance and risk management 

Analysis of infostealer malware credential logs revealed that 30% of compromised systems can be identified as enterprise-licensed devices. However, 46% of compromised systems with corporate logins were non-managed devices hosting both personal and business credentials.

By correlating infostealer logs with ransomware victim data, the DBIR found that 54% of ransomware victims had their domains appear in credential dumps, and 40% had corporate email addresses in compromised credentials.

6. Data protection and emerging threats

GenAI presents increasing risks, with 15% of employees routinely accessing GenAI systems on corporate devices. Among these, 72% used non-corporate emails, and 17% used corporate emails without integrated authentication systems. In addition, analysis indicates that "synthetically generated text in malicious emails has doubled over the past two years," showing how threat actors are adopting AI technologies.

Conclusion: A blueprint for action

The report findings are a call to action for security leaders to embrace a holistic, integrated security strategy that prioritises risk-based vulnerability management, rapid remediation, robust asset controls, and stronger third-party oversight.

By focusing on these six critical trends, organisations can build resilience and stay one step ahead of today's most prevalent cyber threats.
