Cybersecurity incidents in 2024 reinforced a hard truth: most breaches stem from preventable security failures rather than sophisticated attacks. Once again, attackers relied on well-known tactics such as phishing and credential theft, increasingly using generative AI to produce convincing lures quickly and at scale.
A 2024 Hornetsecurity ransomware survey found that over two-thirds (66.9%) of respondents said the emergence of generative AI had increased their concern that their organisation would become a ransomware target, and that small businesses (55.3%) were the prime target of such attacks in Q3 alone.
With limited cybersecurity expertise and resources, small businesses often struggle to defend themselves against evolving threats. But for any organisation, understanding the most common security gaps is critical to strengthening resilience and preventing future breaches.
The key question now is: what security gaps should businesses prioritise to ensure they don’t fall foul of future cybersecurity attacks?
Phishing and credential theft
A UK government survey from April 2024 found that 50% of all businesses and 84% of large enterprises had experienced a cybersecurity breach or attack in the previous 12 months. Among those, phishing was by far the most common attack vector, affecting 84% of businesses and 83% of charities.
Many phishing attacks now rely on reverse proxy-style credential theft: social engineering and a malicious link lure the victim to a look-alike site that silently relays the login to the real service, so the attacker captures the password, any one-time MFA code and the resulting session cookie, bypassing authentication controls without ever having to break them. Yet despite phishing’s year-on-year dominance and the simplicity of these attacks, many organisations remain unprepared because they lack security awareness training.
While robust technical controls are a must, all the firewalls, complex passwords and anti-malware products in the world won’t be enough if the human defences are weak. Cybersecurity awareness training that covers the different types of phishing and credential theft attack is essential to fortifying a company’s ‘human firewall’. Training should be paired with phishing-resistant authentication such as FIDO2/WebAuthn security keys, which bind each login to the genuine site’s origin so that a proxied page cannot reuse it; even a well-trained employee will eventually click a convincing link.
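To show concretely why origin-bound authentication closes the gap that reverse-proxy phishing exploits, here is an added example (not from the original article and not any vendor’s code) of the relying-party checks a login server performs on a WebAuthn clientDataJSON document. The origins are constructed for the example, and the proxy domain is hypothetical.

```python
import base64
import hmac
import json
import secrets

# Constructed sample origins. RP_ORIGIN stands for the genuine login site; PROXY_ORIGIN is a
# hypothetical look-alike domain that an attacker's reverse proxy would be served from.
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example.com.evil.invalid"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Mimic the clientDataJSON a browser produces for navigator.credentials.get().

    The browser fills in 'origin' from the page the user is actually on; script on that
    page cannot change it. A phishing page relayed through a proxy therefore carries the
    proxy's origin, not the genuine site's, even though the user saw a familiar login form.
    """
    doc = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(doc, separators=(",", ":")).encode("utf-8"))


def verify_client_data(client_data_b64: str, expected_challenge: bytes, expected_origin: str):
    """Relying-party checks on clientDataJSON. Returns (accepted, reason)."""
    try:
        doc = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # bad base64url, bad UTF-8 and bad JSON all derive from ValueError
        return False, "malformed clientDataJSON"
    if not isinstance(doc, dict):
        return False, "malformed clientDataJSON"
    if doc.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    try:
        challenge = b64url_decode(doc.get("challenge", ""))
    except ValueError:
        return False, "malformed challenge"
    # Constant-time comparison against the challenge issued for this session.
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch: replayed or from another session"
    if doc.get("origin") != expected_origin:
        return False, f"origin mismatch: assertion was made on {doc.get('origin')!r}"
    return True, "ok"


def demo():
    """Same user, same challenge, same authenticator: only the direct login is accepted."""
    challenge = secrets.token_bytes(32)
    direct = verify_client_data(make_client_data(RP_ORIGIN, challenge), challenge, RP_ORIGIN)
    proxied = verify_client_data(make_client_data(PROXY_ORIGIN, challenge), challenge, RP_ORIGIN)
    return direct, proxied


if __name__ == "__main__":
    for label, result in zip(("direct login", "via reverse proxy"), demo()):
        print(f"{label}: {result}")
```

A real relying party also verifies the authenticator’s signature over authenticatorData together with the SHA-256 hash of clientDataJSON; that signature is what stops the proxy from simply rewriting the origin field before forwarding the assertion. A password plus a one-time code carries no such binding, which is why those factors survive a relay and a security-key login does not.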
Inadequate protection against chat-based attacks
Another security gap that businesses may not be aware of is threat actors’ emerging use of real-time communication tools like Microsoft Teams to launch cyberattacks. These platforms have become new targets for phishing-style attacks, where attackers impersonate trusted contacts to distribute malware or steal credentials.
These chat-based threats bypass traditional email security measures and exploit the implicit trust employees place in internal communications. Most employees aren’t trained to spot cybersecurity threats in these spaces, which means businesses are leaving blind spots that attackers are exploiting.
Compromised backups - when safety nets disappear
Another security gap businesses should prioritise is properly secured backups. Backups are the critical safeguard against data loss and ransomware, yet many organisations failed to secure them properly last year. In 2024, 16.3% of ransomware victims reported paying a ransom to recover their data, a sharp year-on-year increase from just below 10%.
This increase highlighted how unprepared many organisations were when it came to securing their critical data, particularly as ransomware attacks grew more sophisticated. Increasingly, attackers encrypted not only primary systems but also the backup systems that traditionally served as a company’s final safety net, rendering them inaccessible.
To stay ahead of modern threats, businesses need immutable backups: copies stored in a way ransomware cannot alter or delete, for instance write-once storage under a retention lock, held under credentials separate from the production environment, with restores tested regularly. If a recovery plan does not account for ransomware targeting the backups themselves, it is not a plan but a gamble, and in 2025 businesses cannot afford to roll the dice.
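The following is an added example (not part of the original article and not modelled on any particular backup product) of what “stored in a way ransomware cannot alter or delete” means in practice: a write-once backup store with a retention lock, attacked by simulated ransomware that has gained write access to it. The snapshot name and payload are constructed; the clock is injectable so the lock can be exercised without waiting.

```python
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class ImmutabilityError(PermissionError):
    """Raised when a write-once or retention-locked snapshot would be changed."""


@dataclass
class Snapshot:
    name: str
    data: bytes
    sha256: str
    retain_until: float  # epoch seconds; deletion is refused before this time


@dataclass
class WormBackupStore:
    """Write-once, read-many backup target with a retention lock (a model, not a product).

    A snapshot name can be written exactly once and cannot be deleted until its
    retention period has elapsed, regardless of who holds the credentials.
    """
    retention_seconds: float
    clock: Callable[[], float] = time.time
    _objects: Dict[str, Snapshot] = field(default_factory=dict)

    def write(self, name: str, data: bytes) -> str:
        if name in self._objects:
            raise ImmutabilityError(f"{name}: snapshot already exists and cannot be overwritten")
        digest = hashlib.sha256(data).hexdigest()
        self._objects[name] = Snapshot(name, bytes(data), digest, self.clock() + self.retention_seconds)
        return digest  # the operator records this out-of-band and checks it at restore time

    def delete(self, name: str) -> None:
        snap = self._objects[name]
        remaining = snap.retain_until - self.clock()
        if remaining > 0:
            raise ImmutabilityError(f"{name}: retention lock active for another {remaining:.0f}s")
        del self._objects[name]

    def restore(self, name: str, expected_sha256: str) -> bytes:
        snap = self._objects[name]
        if hashlib.sha256(snap.data).hexdigest() != expected_sha256:
            raise ValueError(f"{name}: backup content does not match the recorded hash")
        return snap.data

    def names(self) -> List[str]:
        return sorted(self._objects)


def ransomware_attack(store: WormBackupStore) -> Dict[str, int]:
    """Simulate ransomware that reaches the backup target with write access: it tries to
    delete every snapshot and to replace it with encrypted junk. Returns what it achieved;
    an immutable store should report zeros for both."""
    deleted = overwritten = 0
    for name in store.names():
        try:
            store.delete(name)
            deleted += 1
        except ImmutabilityError:
            pass
        try:
            store.write(name, b"\xff" * 32)  # stands in for ciphertext
            overwritten += 1
        except ImmutabilityError:
            pass
    return {"deleted": deleted, "overwritten": overwritten}


def demo(locked: bool) -> Dict[str, object]:
    """Run the attack against a 30-day retention-locked store or an unlocked one."""
    fake_now = [1_700_000_000.0]
    store = WormBackupStore(retention_seconds=30 * 86400 if locked else 0,
                            clock=lambda: fake_now[0])
    digest = store.write("db-2024-12-01", b"constructed sample backup payload")
    outcome: Dict[str, object] = dict(ransomware_attack(store))
    try:
        store.restore("db-2024-12-01", digest)
        outcome["restorable"] = True
    except (KeyError, ValueError):
        outcome["restorable"] = False
    return outcome


if __name__ == "__main__":
    print("retention-locked:", demo(True))
    print("unlocked:        ", demo(False))
```

Two details carry over directly to real deployments: the retention lock must be enforced by the storage target itself, not by the backup software that writes to it (otherwise the same compromised credentials can undo it), and the hash recorded at write time must live somewhere the attacker cannot reach, or a silently corrupted backup will only be discovered during the restore you were counting on.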
The security gaps covered so far highlight the importance of a proactive strategy, whether that’s security awareness training or ensuring backup systems are resilient. But what’s the core principle or strategy that unifies these seamlessly?
‘Zero trust’ environment
Zero trust is a practical security approach that minimises risk and limits the impact of breaches. Instead of assuming certain users or devices are ‘safe,’ zero trust requires continuous verification and strict access control to prevent unauthorised access, whether from external threats or insider risks. There are three main components of zero trust, which should cover the security gaps that businesses often neglect or miss.
The three core pillars of zero trust call for:
● Verify explicitly: authenticate and authorise every connection (even if it's coming from an internal network).
● Assume breach: segment networks so that when a breach occurs, it doesn’t automatically mean an organisation’s entire network is compromised.
● Adopt least-privilege access: ensure users only have the necessary permissions for their tasks.
However, there is a key problem with implementing zero trust. Granting access is easy, but continuously reviewing and removing permissions that are no longer used is hard. Employees and external parties often retain access long after it is needed, and the shift to cloud environments and remote collaboration has made access management harder still. Every stale permission is a door left open.
This is where permission managers play a critical role. By automating access reviews, enforcing least-privilege policies and expiring permissions that have outlived their purpose, businesses can continuously enforce ‘zero trust’ principles without overwhelming IT teams.
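As an added example of the automated access review described above (written for this page, not taken from any permission-management product), the script below takes a list of grants with their last-use dates, a role-to-permission policy and a directory of current staff, and flags the three classes of grant a reviewer would revoke: orphaned (the person has left), excess (outside the role’s policy) and stale (unused beyond a threshold). All names, roles and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    permission: str
    granted_at: datetime
    last_used: Optional[datetime]  # None if the permission has never been exercised


# Constructed sample data: illustrative roles, people and permissions, not a real tenant.
ROLE_POLICY: Dict[str, Set[str]] = {
    "finance-analyst": {"ledger:read", "invoices:read"},
    "hr-admin": {"hris:read", "hris:write"},
    "contractor": {"wiki:read"},
}
DIRECTORY: Dict[str, str] = {"alice": "finance-analyst", "bob": "hr-admin", "carol": "contractor"}
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)


def _days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


GRANTS: List[Grant] = [
    Grant("alice", "erp", "ledger:read", _days_ago(400), _days_ago(3)),       # in policy, in use
    Grant("alice", "erp", "invoices:read", _days_ago(400), _days_ago(200)),   # stale
    Grant("alice", "erp", "payments:approve", _days_ago(400), None),          # excess, never used
    Grant("bob", "hris", "hris:write", _days_ago(30), _days_ago(10)),         # in policy, in use
    Grant("carol", "erp", "ledger:read", _days_ago(60), _days_ago(5)),        # excess for a contractor
    Grant("dave", "hris", "hris:read", _days_ago(500), _days_ago(120)),       # dave has left
]


def review_grants(grants: List[Grant], directory: Dict[str, str], role_policy: Dict[str, Set[str]],
                  now: datetime = NOW, stale_after: timedelta = STALE_AFTER) -> List[Tuple[Grant, str]]:
    """Return (grant, finding) pairs for every grant that should be revoked.

    Checks run in order of severity: a principal no longer in the directory (orphaned),
    a permission outside the role's policy (excess), then a permission not exercised
    within `stale_after` (stale). A never-used grant is measured from its grant date.
    """
    findings: List[Tuple[Grant, str]] = []
    for g in grants:
        role = directory.get(g.principal)
        if role is None:
            findings.append((g, "orphaned: principal no longer in directory"))
            continue
        if g.permission not in role_policy.get(role, set()):
            findings.append((g, f"excess: {g.permission} is not in the {role} policy"))
            continue
        idle = now - (g.last_used or g.granted_at)
        if idle > stale_after:
            findings.append((g, f"stale: unused for {idle.days} days"))
    return findings


def revocation_list(findings: List[Tuple[Grant, str]]) -> List[Tuple[str, str, str]]:
    """Flatten findings into (principal, resource, permission) tuples for the IAM API call."""
    return sorted({(g.principal, g.resource, g.permission) for g, _ in findings})


if __name__ == "__main__":
    for grant, reason in review_grants(GRANTS, DIRECTORY, ROLE_POLICY):
        print(f"{grant.principal:6} {grant.resource:5} {grant.permission:17} -> {reason}")
```

Run on a schedule against an export from the identity provider, this is the loop a permission manager automates: the findings go to the resource owner for a one-click confirm, and anything not confirmed by the deadline is revoked by default rather than left in place.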
That said, technology alone cannot replace the strength of a ‘human firewall’, a defence that is strengthened when the leaders in an organisation set the example.
Why leadership buy-in is key to cyber resilience
Having a strong ‘human firewall’ is crucial, and leading by example strengthens it. Leaders must recognise that cybersecurity is a business-wide priority, not just an IT issue. It demands clear accountability across departments.
Many organisations leave security concerns entirely in the hands of IT and/or their CISO (Chief Information Security Officer). A CISO’s job is more than ‘secure everything’ and take the blame for breaches; there is an important human and business process component that requires input from stakeholders across the company.
Instead of assuming security is solely a CISO responsibility, every business unit must take ownership of the security risks tied to the tools, applications and data it manages. The finance department, for example, must assess the risks of the SaaS solutions it chooses, together with the IT department. HR must be accountable for the personally identifiable information (PII) it processes. To build a genuinely cyber-resilient business, everyone must be involved. There is no point in the security team taking the blame and responsibility for mistakes that other departments make.
Blaming security teams for breaches caused by poor security practices elsewhere is counterproductive. Cyber resilience is only possible when security is integrated into the company’s broader risk management framework and when leaders set the standard.
Back to basics
In 2025, cybersecurity is about more than just technology or reacting to the latest AI-driven deepfake or phishing scam. It’s about mastering the basics: vigilance, accountability, and a proactive mindset. The most devastating breaches often stem from overlooked vulnerabilities, cutting corners, and preventable mistakes.
Businesses that prioritise security awareness, strict access control and leadership-driven accountability will be the ones that remain resilient. In a world where breaches are inevitable, preparedness and awareness are the most reliable defence. The organisations that embed security into their core business strategy will be the ones that withstand future threats and thrive.