Prioritizing data and identity security in 2025

To say that the cybersecurity landscape has grown more complex over the past several years would be a dramatic understatement. Attackers have more resources at their fingertips than ever, and data breaches have become almost a daily occurrence. For both businesses and individuals, the need for stronger data protection has never been clearer—but many aren’t sure where to begin. That’s a real problem, especially at a time when the cost of a breach is at an all-time high and regulators are increasingly looking to penalize businesses that don’t treat security and compliance with the seriousness they deserve.

The good news is that improving data and identity security isn’t that hard—but it does require a strong understanding of how attackers operate, where your most pressing vulnerabilities and exposures are, and what the modern threat landscape actually looks like. Attackers have become increasingly adept at exploiting low-hanging fruit like exposed identities, reused passwords, and devices that lack MFA protections, and many are gaining access to AI tools that make their jobs even easier. Fortunately, there are four key steps today’s organizations can take to avoid becoming an easy target.

1. Double down on fundamentals. First, it’s important to get the basics right. Yes, new security threats are emerging on an almost daily basis, along with solutions designed to combat them. Security and business leaders can get caught up in chasing the “shiny objects” making headlines, but the truth is that most organizations haven’t even addressed the known vulnerabilities in their existing environments. Major headline-generating hacks were launched on the backs of knowable, solvable technological weaknesses. As tempting as it can be to focus on the latest threats, organizations need to get the basics squared away. Many organizations don’t even have multifactor authentication (MFA) enabled—and while MFA isn’t a silver bullet that will solve everything, it’s no coincidence that Microsoft says 99.9% of compromised accounts don’t have MFA implemented.

2. Understand how AI impacts security. It’s not just businesses racing to adopt AI—cybercriminals are already leveraging AI tools to make their tactics significantly more effective. For example, many are using AI to create persuasive, error-free phishing emails that are much more difficult to spot. One of the biggest concerns is the fact that AI is lowering the barrier to entry for attackers—even novice hackers can now use AI to code dangerous, triple-threat ransomware. On the other end of the spectrum, well-resourced nation-states are using AI to create manipulative deepfake videos that look just like the real thing. Fortunately, strong security fundamentals can help combat AI-enhanced attack tactics, but it’s important to be aware of how the technology is being used.

3. Account for the “human element.” Human beings are the most overlooked, underfunded, and vulnerable element of cybersecurity. Depending on their level of knowledge and experience, employees and executives can either be your first line of defense when it comes to protecting data and devices…or your weakest link. Businesses that understand this and implement engaging (and even entertaining) security awareness training have a distinct advantage over their competitors. Training alone can’t solve the problem, but it can make a big difference—and when it comes to stopping cyberattacks, you never want to be an easy target.

4. Improve your approach to cyber education. Speaking of security trainings, it’s important to understand how people learn most effectively. Traditional cybersecurity education methods involve a lot of canned, virtual content that employees (understandably) tune out. Leave those videos behind—instead, prioritize live, engaging programming. Grab viewers’ attention by starting with personal cybersecurity advice, rather than focusing on professional directives. It’s helpful to break awareness training down into bite-sized action items rather than overwhelming employees with an endless, “all you can eat” buffet of options and advice. The more employees can engage with and understand security trainings, the stronger your culture of security will be.

For security professionals—and even business leaders—it’s also a good idea to stay informed by attending industry conferences and other educational events. I’m personally looking forward to the Agility ’25 conference in April, where I’ll be leading a session on savvy cybersecurity in a world of weaponized AI. The conference is hosted by LogicGate, a leader in modern, enterprise-grade governance, risk, and compliance solutions, which makes it the ideal opportunity for security, compliance, and risk management professionals to come together and discuss the threats emerging in their respective areas of expertise. The more risk and security experts can come together and share knowledge, the better-informed everyone will be—and when it comes to protecting data and identities, that can mean the difference between a minor incident and a major breach.
