By Glenn Akester, Technology & Innovation Director – Networks & Security at Node4
The technology and cyber landscape is becoming increasingly complex, but despite calls from across the industry to take action and be more proactive when it comes to cybersecurity and resilience, the required mindset change didn’t materialise for many small and medium-sized businesses (SMBs) in 2024.
Despite the rising volume, scale and sophistication of cyber attacks, SMBs remained worryingly ambivalent about constructively preparing to deal with this onslaught. As a consequence, 2025 looks set to be yet another year of missed opportunities and reactive measures that will put the operational resilience of SMBs at risk.
Here are my top 10 predictions on what to expect in 2025 should SMBs fail to grasp the nettle and invest in truly effective cybersecurity strategies.
Business will remain reactive, not proactive, to cyber threats
Security initiatives will continue to be driven by incidents rather than a forward-thinking approach to risk management, leaving organisations vulnerable to increasingly sophisticated attacks. Business leaders looking to address this impasse should first conduct a business-led risk impact assessment that will help narrow the focus on protecting the assets and data that matter the most. Using these insights, business leaders can then position ‘must-have’ controls and prioritise efforts and security budgets in a proportionate way.
Information security and cyber compliance will stay a checkbox exercise
Many businesses will prioritise ticking regulatory boxes over the development of robust security frameworks. This tactic will only perpetuate existing vulnerabilities and engender a false sense of security. To effectively defend against emergent cybersecurity threats, business leaders will need to understand and actively manage security risks to their assets, data and business services and ensure they can detect, respond and recover at speed. The byword here is resilience rather than compliance alone.
Third-party risks will be ignored, until it’s too late
A lack of due diligence in vetting vendors and partners will continue to expose companies to supply chain attacks whose impact is exacerbated by the growing complexity of today’s interconnected systems. In this day and age, a robust supply chain risk management plan is a must-have, and due diligence should be viewed as a constant, proactive monitoring process rather than a ‘once and done’ activity.
Businesses will yet again fail to invest in adequate resilience
Disaster recovery and continuity plans will remain underfunded and undervalued until, of course, a major crisis occurs. As a consequence, recovery from a catastrophic event or cyber attack will prove significantly more costly and damaging to business operations. The finding in the UK Government’s Cyber security breaches survey 2024 that only 22% of UK businesses have a formal incident response plan highlights the current gap between perceived and actual preparedness.

End user awareness will remain the weakest link
Despite their ongoing security investments, businesses will continue to neglect the provision of comprehensive end user training. As a result, their employees will continue to be the most exploited vulnerability in their organisation’s cyber defences.
Cyber insurance will no longer be a realistic ‘catch all’ option for all
Soaring premiums, stricter conditions and limited payouts will make cyber insurance less appealing or unattainable for many. While some organisations will remain unconcerned, I hope the situation encourages others to enhance their internal risk reduction strategies to address the challenges of being underinsured and lacking appropriate security controls.
The public cloud era will stall
Rising public cloud costs, regulatory complexities, and high-profile outages will force some organisations to rethink their strategies, opting for a blend of on-premises infrastructure, private data centres and public cloud in a pragmatic cloud approach. Get ready for more SMBs investing in managed hybrid cloud platforms that offer dedicated infrastructure and storage.
Rushed digital transformations will create more technical debt than progress
Quick wins will dominate digital transformation agendas, leading to poorly integrated systems that will compound long-term scalability challenges. Rather than rushing ahead, SMBs should consider carefully whether these tech implementations will result in data silos or infrastructure sprawl that will ultimately hamper the achievement of longer-term goals.
Organisations will continue to sign off on AI projects, despite gaping holes in business cases
AI investments will continue to be driven by hype and ambition rather than clear, achievable objectives, resulting in underwhelming outcomes and resource wastage. Before jumping on the AI bandwagon, SMBs should establish whether a proposed AI implementation is the only and best way to resolve an identified business challenge and fully evaluate the potential security risks involved.
2025 will be much like 2024 where technology capability and spend is concerned
With budgets and profit margins under pressure, SMBs will favour small incremental improvements over bold transformative changes. By focusing primarily on ‘band aid’ solutions, organisations risk compromising real progress when it comes to acquiring the capabilities that are needed to respond fast and effectively to today’s dynamic market conditions.