In an extremely interesting and insightful webinar on 25th February, Quorum Cyber’s Chief Threat Officer, Paul Caiazzo, led a panel of experts to discuss the critical findings from our Global Cyber Risk Outlook Report 2025.
After giving an update on the current and ever-evolving threat landscape – our Threat Intelligence (TI) team found a 400% increase in tracked threat actors – the panel shared practical advice for organisations across a range of sectors to strengthen their cyber security posture and cyber resilience.
Geopolitics drives cyber-attack behaviours
Jack Alexander, Quorum Cyber’s Senior Threat Intelligence Consultant, explained that the lines are increasingly blurring between the actions of cybercriminal groups and those of sophisticated nation-states. The latter are engaging with cybercriminal groups to conduct cyber-attacks that further their strategic objectives through the extraction of valuable data, while also gaining the ability to use organised crime groups as scapegoats. Partly due to the conflicts in Ukraine and Gaza, our TI team has seen a greater overlap of tactics, techniques, and procedures (TTPs) over the last 12 months. This is making it more difficult for cyber security analysts to identify and monitor adversaries. “Threat actors will change their motivations based on the political landscape,” he said.
North Korea is very involved with cybercriminal groups, he explained, while Iran is selling access into organisations for gangs to exploit and profiteer from. Russia continues to protect cybercrime groups as long as they don’t attack organisations within the Commonwealth of Independent States (CIS). The panel members agreed that geopolitics heavily influences the strategies taken by nation-state threat actors.
Another group of adversaries – hacktivists – are often motivated by political or social causes. Their impact on cyber security is generally less severe compared to more sophisticated threat actors. Typically, hacktivists employ two key tactics in their digital campaigns:
- Web Defacement: involves altering the visual appearance of websites to spread messages or embarrass targets; while these attacks are visually striking, they usually don’t compromise sensitive data.
- Distributed Denial-of-Service (DDoS) Attacks: these attacks overwhelm servers with traffic, temporarily taking websites offline; they are disruptive but generally short-lived.
Cybercriminals target low-hanging fruit
The panel emphasised that it’s essential to execute cyber security basics very well before trying to secure every nook and cranny of the IT estate because cybercriminals will almost always seek the easiest targets first.
James Allman-Talbot, Quorum Cyber’s Head of Threat Intelligence and Incident Response, stressed that it’s crucial to understand the capabilities that threat actors have and which organisations they target. “Understanding this will help us protect ourselves as a community.”
Andy Ellis, a seasoned cyber security expert and member of Quorum Cyber’s Strategic Advisory Board (SAB), added that criminals don’t want to prove themselves against the strongest defences or encourage companies like Microsoft to upgrade products – instead, they’re looking for the easiest and quickest way into a network without being detected. “They are generally after the low-hanging fruit.”
Paul Caiazzo added that the bad guys are leveraging new technology, such as artificial intelligence (AI), just as much as cyber defenders. However, defenders don’t have access to the criminals’ infrastructure, so it’s impossible to prove whether they’re successfully using AI yet or not. Despite this, Jack explained that they are leveraging AI tools to improve their phishing attacks and impersonate people, using tech to produce deepfake audio and large language models to tailor their written messages and make them more convincing for specific audiences. AI tools are also being used to research targets more thoroughly than ever before.
To counter these threats, James and Andy were clear that organisations need to put in place simple procedures, like verbal agreements, to check the authenticity of messages from company directors. However, he warned that his team is seeing more data exfiltration as a means to compromise organisations and hold them to ransom. “Threat actors aren’t always encrypting data anymore, but the way they’re extorting money is changing the conversation,” James said.
Sector-specific threats
Andy described higher education as the sector where we are seeing all the various groups of adversaries because it holds valuable intellectual property (IP) and doesn’t always have the resources for first-class cyber security. Furthermore, universities and colleges are very difficult to secure around the clock because students, researchers, and staff often use their own devices, work with a broad range of technologies, and don’t always abide by the institution’s security rules. “This is the place where CISOs have the hardest job and the least control,” he said.
In manufacturing, nation-states like China and Vietnam try to steal IP, and financially motivated criminals attempt to disrupt operations – either at the manufacturer or along the supply chain – to hold companies to ransom. “Manufacturing will always be a target for nation-state aligned groups and from an economic and IP perspective,” explained James. “They wait for the IP to be developed and then steal it,” added Andy. And Paul revealed that “the biggest insurance claims we see are for business interruption.”
Paul continued: “There’s a whole universe of financial services firms being targeted”. Andy explained that criminals do their research, and they find out when deals are due to be signed so that they can send fake contracts to try to steal any money being transferred.
“Credential leaks are one of the biggest ways that threat actors are trying to breach IT environments,” Paul added.
Facing a complex threat landscape and a heightened frequency of cyber-attacks, it can be confusing for organisations to know where to start. The panel gave some advice to organisations wherever they are on their cyber security journey:
- Get the basic security practices right
- Gain visibility of the entire IT estate
- Understand which parts of the technology stack are being targeted
- Prioritise investment in areas that you’re most likely to be targeted in – it’s not possible to secure everything 100%
- Secure administrators’ credentials and identities
- Protect vulnerabilities
- Understand your threat profile
- Strengthen your cyber resilience so you can bounce back if the worst happens
- Plan and practise incident response procedures.
Delve deeper into the webinar and report content
If you missed the webinar, or you want to watch it again, or share it with your colleagues and peers in the cyber security industry, it’s available to watch on-demand.
We also highly recommend you read the Global Cyber Risk Outlook Report 2025, which delves deeper into adversaries’ TTPs and the threats facing a wide range of sectors, and which is free to download.