Top Cyber Risks of 2025: Supply Chains, Geopolitics, and Cybercrime
The ongoing cyber skills gap has worsened by eight per cent since 2024, with two-thirds of organizations reporting moderate-to-critical shortages in essential talent and skills to meet their security needs
You're reading Entrepreneur India, an international franchise of Entrepreneur Media.
The growing complexity of cyberspace in 2025 is widening inequalities across organizations and nations, creating significant cyber risks for businesses and governments alike. According to the World Economic Forum's Global Cybersecurity Outlook 2025, 35 per cent of small organizations globally believe their cyber resilience is inadequate, a sevenfold increase since 2022. The gap is especially stark between large and small organizations, and between developed and emerging economies.
The ongoing cyber skills gap has worsened by eight per cent since 2024, with two-thirds of organizations reporting moderate-to-critical shortages in essential talent and skills to meet their security needs. Alarmingly, only 14 per cent of organizations feel confident they currently have the right people and expertise in place. Rising geopolitical tensions, complex supply chains, and a surge in cyber-enabled crime are compounding these challenges, making cybersecurity a critical priority in 2025.
Supply chain vulnerabilities
One of the biggest challenges facing organizations is the increasing complexity of supply chains. More than half (54 per cent) of large enterprises identify supply chain challenges as the primary barrier to achieving cyber resilience. A lack of visibility into the security practices of third-party suppliers has made organizations vulnerable to risks such as software vulnerabilities and the spread of cyberattacks across interconnected ecosystems.
For instance, at the end of November, Blue Yonder, a provider of supply chain software technology to various global brands, suffered a ransomware attack. This incident caused disruptions for several companies, including Starbucks and the U.K. grocery giant Morrisons.
Separately, C-Edge Technologies, a joint venture of State Bank of India (SBI) and Tata Consultancy Services (TCS), was hit by a ransomware attack that disrupted payment systems at nearly 300 small banks in India.
Geopolitical tensions
Geopolitical uncertainties are another key concern, with 60 per cent of organizations stating that such tensions have influenced their cybersecurity strategies. Cyber espionage, intellectual property theft, and the disruption of business operations are top concerns for CEOs and cybersecurity leaders. These risks, fueled by geopolitical turmoil, are forcing organizations to reassess their strategies to better protect sensitive data and ensure operational continuity.
In recent years, sophisticated state-sponsored cyber groups have emerged from ongoing tensions between countries, such as the cyberwarfare between Russia and Ukraine, which has left critical infrastructure under constant cyber threat.
According to a European Parliament report, Ukraine's public, energy, media, financial, business, and non-profit sectors suffered the most.
The Ministry of Justice recently stated, "Today, another registry, the State Registry of Civil Status Acts, which suffered from a large-scale Russian cyberattack, has become operational. Offices responsible for the state registration of civil status acts have restored the ability to input information on citizens' births, marriages, divorces, name changes, and deaths into the database."
AI-Powered Cyberattacks
Artificial intelligence (AI) is expected to have a significant impact on cybersecurity in 2025. However, while 66 per cent of organizations recognize the growing importance of AI in cybersecurity, only 37 per cent have measures in place to assess the security of AI tools before deployment. The rapid advancements in generative AI (GenAI) pose additional threats, with 47 per cent of organizations citing adversarial use of AI as a major concern. The rise of ransomware and AI-enabled cyberattacks continues to challenge businesses, with nearly 72 per cent reporting an increase in organizational cyber risks.
Convergence of organized crime groups into cybercrime
The interaction between traditional organized crime groups and cybercriminals is transforming the nature of cybercrime, increasing its scope and social impact. Violent organized crime groups are now engaging in cyber-enabled fraud, human trafficking for scam operations, and data harvesting.
"This is perhaps most starkly shown by the trafficking of more than 220,000 people to forcibly work in online scam-farms in South-East Asia. With such farms engaging in the harvesting of data, disinformation and social engineering to name a few capabilities, they are essentially becoming 'criminal service providers,'" said the report.
Globally, scammers have siphoned over USD one trillion in the past year, costing some countries more than three per cent of their GDP. The entry of traditional crime groups into cybercrime markets has escalated risks, as these groups are less concerned about the collateral damage caused by targeting critical social services like healthcare.
Combined with the accessibility of Crime-as-a-Service (CaaS) platforms, the threat landscape now includes a wider range of targets, from small businesses to essential public services.
The Domestic Scene
India has also emerged as a favored target for cyber-enabled attacks worldwide, with critical infrastructure sectors such as banking facing significant challenges. Sanjay Bahl, Director-General of the Indian Computer Emergency Response Team (CERT-In), highlights the vulnerabilities of cooperative banks, which play a key role in promoting financial inclusion in rural areas. These banks rely on cost-effective upstream services from commercial banks but often lack robust cybersecurity measures. Resource constraints, coupled with inadequately trained staff, leave these banks vulnerable to cyberattacks. "Reduced confidence in responding to incidents only worsens their vulnerabilities," Bahl noted.
In 2024, India emerged as the second most targeted nation globally. The finance and banking sectors were the most affected, with 20 victims, followed by government (13), telecommunications (12), healthcare and pharma (10), and education (9).