7 January 2026

Five cybersecurity lessons 2025 taught us

The year attackers upgraded, outages overachieved, and AI learned how to cause chaos with remarkable enthusiasm.

2025 was not a quiet year for cybersecurity. It was more of a “plot twist every quarter”. Ransomware got a sequel nobody asked for, helpdesks became the hottest target in town, cloud outages reminded everyone about single points of failure, and AI expanded its CV to include “personal assistant to cybercriminals.”

Here are the five lessons 2025 insisted we take with us into 2026, with insights, humour, and a little tough love.

1. Ransomware is having a glow up

Ransomware didn’t return in 2025, it simply evolved like it booked a transformation montage. Smarter tactics, faster execution, and multi-extortion as standard.

  • Global attacks surged 43%
  • Average ransom payments climbed above £700k
  • Dwell time dropped to under 24 hours for 50% of ransomware attacks (barely long enough for a coffee break)

The underground industry for ransomware groups keeps on growing and getting more profitable – with expensive consequences for companies. Ransomware groups now run like a well-oiled machine, running multi-extortion franchises, complete with data theft, double leaks, and follow-up attacks for returning customers.

One of the largest contributors to the huge increase in ransomware attacks this year, which people often don’t talk about, has been Akira piggybacking off a vulnerability from yesteryear – SonicWall’s improper access control (CVE-2024-40766). In most cases, this was exploited at the time of the zero-day. Once they had access, they used kerberoasting to gain service account credentials with MFA disabled and then launch their ransomware attack. They’ve hit hundreds this year in exactly the same way.

Claranet customers using Continuous Security Testing received a zero-day notification through their platform, informing them of the vulnerability and what to do about it, as soon as the CVE became public.

Luke Hudson, Cyber Business Development Manager

With Claranet’s threat intelligence, ransomware resilient endpoint protection, and 24/7 detection and response, organisations catch attacks early, contain them fast, and stop a ransomware “glow up” becoming a business meltdown.

2. Attackers found the spare key under the helpdesk

Social engineering found a new style in 2025 too – not email, not in person, but over the phone. Attackers might craft a beautiful phishing email, but why not follow up with a little charm, audacity, and an AI voice clone?

Thanks to groups like Scattered Spider, IT helpdesks became prime targets:

  • Helpdesk impersonation rose 300%
  • MFA reset scams surged
  • Deepfake voice calls became unsettlingly normal

Attackers might still rely on you to download and open a malicious attachment, or type your username and password into a convincing-looking web form. But if you’re really reluctant, they might pretend to be your colleague in IT giving you a helping hand to reset your password.

Phishing never went away – it just evolved a new arsenal of techniques as people became more aware of it. It’s no longer just a phishing email with a dodgy link or an attachment. Now it’s several emails, a phone call, a web form. Different tactics for different targets. There is only so much we can hammer home the message of employee awareness, that people are still your first line of defence. If you have security awareness programmes, make sure they are updated to include vishing and IT helpdesk attacks as a part of social engineering tactics. The best advice for worried employees is to slow down, stop and think, double check with your colleagues or your IT department.

Tom Kinnaird, Cyber Services Practice Lead

Claranet strengthens the identity layer with zero-trust controls, hardened MFA processes, behavioural analytics, and human risk training that turns your helpdesk from the easiest point of entry into one of the hardest.

3. The AWS outage proved you can’t put all your cloud eggs in one silicon basket

2025’s major AWS outage broke more than just SLAs – it broke illusions.

Retailers froze. Logistics stalled. Entire digital ecosystems took an enforced lunch break they did not schedule.

  • One in three organisations saw critical disruption
  • 45% uncovered hidden cloud dependencies they didn’t know existed
  • Many learned their “resilience strategy” was, in fact, a PowerPoint slide

Cloud is powerful, but no platform is infallible. If your architecture can be taken down by one region, availability zone, or misconfigured failover path, 2025 politely highlighted the problem. Guarding yourself against upstream risks to business continuity means more than worrying about your smaller suppliers – it means having a plan for when the “too big to fail” technology shows its weaknesses too.  

One hyperscaler outage won’t put off most companies from using cloud services. They might, however, think much harder about their backup, disaster recovery and failover solutions. What if the failover solution also runs on AWS? Relying heavily on one technology creates single-points-of-failure that have obvious risks for business continuity, but most companies will still do it for pragmatic reasons. If you have a business continuity plan or a disaster recovery plan, use this as an object lesson in preparing for the unexpected. Even if the AWS outage didn’t affect you, how would your organisation need to respond in such a scenario? Who would you need to help you out of the problem?

Liam Bennett, Deputy CTO and Director of Claranet’s Cloud Practice

Claranet helps organisations architect for reality, not optimism, by designing resilient multi-cloud and private cloud environments that keep operations running even when a hyperscaler hiccups.

4. AI “vibe coding” made phishing so convincing even security teams blinked twice

Long gone are the days of badly-written phishing emails with suspicious full stops. (Especially since LLMs learned to write grammatically complete sentences in perfect English.) In 2025, attackers outsourced the planning and writing of their phishing campaigns to AI, and AI delivered.

  • AI-generated phishing attacks rose 900%
  • Deepfake audio scams grew 25%
  • Emails now perfectly mimic your boss, including their passive-aggressive sign offs

One attacker even planned and orchestrated their entire phishing campaign and onward attack paths using Claude. Our prediction for 2026: an even greater rise in vibe-coded phishing attacks coming to an inbox near you.

The rise of agentic AI tooling means the barrier to entry in creating realistic phishing applications is at an all-time low. Combine that with having an agent that can help create a proof of concept, accelerate the enormous amounts of research that phishing campaigns take, help the attacker pick their targets and tailor their emails, and you’ve got a recipe for an enormous rise in AI-generated phishing campaigns.

Tom Kinnaird, Cyber Services Practice Lead

Claranet pairs behavioural detection with intelligent email threat protection and continuous user education, helping teams spot AI-crafted attacks that look and sound exactly like the real thing.

5. Continuous security testing became the only sensible way to keep up

Annual pen tests are still a critical foundation, but they can’t carry the weight of an always-on threat landscape by themselves.

  • Attack surfaces grew 22%
  • 70% of exploited vulnerabilities were over six months old
  • Continuous testing allowed some organisations to detect issues 14x faster

The maths is simple: if new vulnerabilities emerge weekly, and your IT estate changes monthly, then you can’t expect a yearly penetration test to win, if you don’t know when attackers will strike.

Continuous Security Testing helps you uncover vulnerabilities as they emerge, so you can remediate them faster, locking down your security to stay ahead of attackers. 

Claranet’s Continuous Security Testing brings the best of manual penetration testing and automated vulnerability scanners together. With CREST-certified expertise, attack surface monitoring, and direct contact with expert offensive security consultants who become an extension of your team, CST gives organisations year-round assurance.

Laura Reid, Continuous Security Testing Senior Manager

The real lesson? 2025 rewarded curiosity and punished complacency

Organisations that asked difficult questions, challenged assumptions, and invested in resilience fared better than those who didn’t stay ahead of the curve.

2025 didn’t reinvent cyber risk, it magnified it. 2026 will belong to the organisations that take these lessons seriously and build security into every decision.

Curiosity goes further when you pair it with the right expertise. The strongest partners help you see what you’ve missed, pressure test your confidence and strengthen every part of your environment – not just the obvious bits. Claranet brings the engineering depth, intelligence, and always-on vigilance needed to turn these lessons into lasting resilience. Because in 2026, the organisations that thrive won’t be the most hopeful, they’ll be the best prepared.

Claranet continues to help businesses move from uncertainty to assurance, from reactive to proactive, and from “we hope we’re secure” to “we know we are.”

To find out how you can improve security and lower your cyber risk in 2026, get in touch.