2025 APAC 
Cybersecurity Predictions

It’s that time of year again. Do we expect anything radically different in 2025 compared to 2024 or will we experience an evolution of existing trends? There are a few issues that are not new but are becoming critical to address in 2025, such as the need to get board and executive buy-in for cybersecurity decisions, and the acute need to protect critical infrastructure. Veqtor8 research indicates that identity protection will take centre stage in 2025, against a backdrop of generative AI threats such as deepfakes and voice cloning. Generative AI will become key to defending against a range of threats, which is a continuation of a trend that became significant in late 2023 and 2024.

Identity protection takes centre stage

It is now becoming clear that our adversaries are not hacking – they are logging in. Creating synthetic identities, authorised push payments, credential stuffing, deepfakes and the continued use of passwords, are making poor identity protection the leading vulnerability for too many companies. It is the easiest vulnerability to exploit but also the easiest to address. Identity and access management is also the most cost-effective way of reducing risk compared to other controls.

A basic understanding of authentication and authorisation is missing in a high proportion of companies today. Creating a better understanding of these activities and their importance makes us all much safer. In 2025, Veqtor8 research indicates that identity and access management will be the leading initiative for APAC companies with 38% focusing on improving it.

Expect identity protection to become the cornerstone of cybersecurity because, without it, other controls have an extremely limited impact.

Boards and business executives play a leading role in cybersecurity decision making

Gradually, cybersecurity is evolving from a technical set of activities to being central to overall corporate strategy. Cybersecurity leaders often think and operate in purely technical terms which can make it difficult for them to obtain the necessary budget to manage cybersecurity risk in a way that is aligned to the organisation’s overall risk appetite.

Indeed, only 48% of APAC organisations expect their cybersecurity budgets to increase in 2025. Given that organisations are dealing with ever expanding attack surfaces, fiendishly complex AI-related threats, sophisticated nation state attacks, low cost ‘as-a-service’ attack kits, such as ransomware as a service, that can be used by people with limited technology expertise — most organisations need more investment into managing cybersecurity risk. In 2025, cybersecurity risk management will increasingly involve executives from a range of senior roles.

Expect CFOs, CEOs, and business unit heads to take a much more proactive role in managing cybersecurity risk and putting pressure on the cybersecurity function to do more with less.

Increased emphasis on critical infrastructure protection in 2025

Nation state attacks against critical infrastructure are increasing alarmingly across the APAC region. Taiwan, South Korea, the Philippines, and Vietnam are at the brunt of an upsurge in critical infrastructure attacks as well as grey-zone attacks such as recent undersea cable sabotage, disrupting Internet connectivity in Vietnam. Less mature economies such as Vietnam, and the Philippines are ill-equipped to address these  growing threats to their national security. Some providers of critical infrastructure in mature economies such as Australia — despite the tightening of the Security of Critical Infrastructure (SOCI) Act — display a level of complacency that cannot last for much longer.

Cybersecurity decision makers in APAC expect nation state attacks to be the leading cybersecurity threat in 2025. Critical infrastructure is particularly vulnerable to nation state attacks. Governments across the region are responding with regulations, guidelines, and resources, to tighten security in this area. Expect even greater focus to be placed on critical infrastructure in 2025.

APAC organisations face a deluge of AI-based attacks

AI, particularly generative AI, will make attackers much more efficient. Social engineering will continue to become faster and more effective with AI, and multimodal phishing attacks will become increasingly difficult to detect.

Newer forms of AI-based attacks including narrative attacks, AI poisoning and deepfakes will require the ability to rapidly change cybersecurity posture and to deploy AI defensively to a much greater extent than before.

In large swathes of the APAC region, organisations are being bombarded with disinformation, co-ordinated with a range of other attack vectors. Commonly, these attacks are part of well-funded and much larger nation state attacks.

Expect APAC organisations to struggle to mitigate AI-based attacks in 2025.

Gen AI becomes embedded in cybersecurity operations

Generative AI is making security teams more efficient and productive. It can help the cybersecurity function to address increasing skills shortages as well as an expanded threat landscape.

Most organisations are using Generative AI on an ad hoc basis to relieve skills shortages and reduce administration. Veqtor8 research shows that organisations, particularly financial services firms, are increasingly embedding generative AI into their operations for tactical purposes. It is increasing productivity for these organisations as well as reducing false positives and ensuring that cybersecurity posture is aligned with the risks and risk appetite.

Increasingly, Veqtor8 expects generative AI to disrupt and transform the cybersecurity function. Expect Generative AI to be used to anticipate needs by predicting threats and for proactively managing risk.

2025 will undoubtedly be a tumultuous year for cybersecurity professionals. AI-based attacks, particularly those launched by nation states will be fiendishly difficult to mitigate. The wider C-suite, as well as business executives will increasingly influence cybersecurity strategy and seek ways of maximising cybersecurity investments. Identity protection is, for many, the most cost-effective way of reducing cybersecurity risk, while also offering visible benefits quickly. Expect it to become front and centre of cybersecurity strategies in 2025.