In part one of our 2025 cybersecurity predictions, we highlighted insights from our experts on the topic of passkeys, digital identity wallets and the threats of AI-driven phishing – areas that saw a lot of focus in 2024, and ones that we expect to continue being a major focus this year. If you missed our first post, check it out here.
Last year, it was clear that evolving cybersecurity trends and challenges had far-reaching impacts across all industries. Governments prioritized efforts in the form of new cybersecurity regulations to ensure businesses are taking important areas like authentication seriously moving forward. Next, we sat down with some more of Yubico’s experts to hear their thoughts and predictions across key industries impacted by ongoing cybersecurity challenges – including financial services, critical infrastructure and government cybersecurity regulations globally.
Tackling cyber threats in financial services: Josh Cigna, Solutions Architect
The financial sector recently surpassed healthcare as the most breached and attacked industry, so these cyber risks and trends are a top concern. According to reports, individuals working in finance are the second most likely to open a phishing email. Unfortunately, new threats like generative AI will only accelerate these trends. These attacks will expose individual banks, credit unions, investment firms and credit card organizations to potential loss of consumer trust, financial risk and threat of regulatory action, but they will also lead to more systemic operational disruptions.
On a global scale, we’re seeing banks adopting passkeys including PKO Bank Polski, a Polish multinational banking and financial services company, who is leading the way by adopting YubiKeys to protect its customers. It has enabled the use of YubiKeys so that its customers can authenticate with the highest level of security when logging into its e-banking service, making it more phishing-resistant. I expect to continue seeing banks adopt passkeys at scale in 2025 as successful programs like PKO Bank Polski are realized.
A major push for adoption will come from regulatory & standards bodies, both governmental and private, highlighted by the latest revision to PCI DSS 4.0, which speaks to the need to ensure digital identities are tied to individuals, to prove that identity at regular intervals, and to implement strong MFA in line with best practices. Both the FTC and PCI DSS 4.0 speak to the need for MFA in line with the recent NIST Special Publication 800-63’s definition of phishing-resistant MFA – which includes FIDO2/WebAuthn-based authentication or a Smart Card.
Expect to see some more support and adoption of interoperable Verifiable Credentials, starting in Europe and hopefully growing in use in the North American and Asia Pacific regions, backed by phishing-resistant MFA. The Global Acceptance Network (GAN) and similar organizations are working to build out usable trust networks to provide strong ID verification services to organizations and individuals. Greater adoption of verifiable credentials will protect both enterprises and users, and growth of these technologies will help users protect their online and real-life identities.
Across financial services, account lockouts due to phishing and credential theft demonstrate the need (and requirement) for strong, phishing-resistant MFA. However, PCI DSS goes one step further and acknowledges the requirement to ease the reliance on human knowledge, asking for consideration of how users interact with systems and how to make authentication as easy as possible. When thinking about an authentication solution, it is important to consider a solution that is user-centric, strongly tied to identity, and phishing-resistant. All of these point toward continued efforts and momentum of prioritizing authentication strategies by financial services organizations that lead to a passwordless future.
Increased cybersecurity government regulation: David Treece, VP of Solutions Architecture
Given the real damage that attackers have caused at all levels of the government, 2024 saw governments focusing on mandating and enforcing regulations around cybersecurity and Zero Trust practices globally – highlighted by the Office of Management and Budget’s (OMB) M-22-09, which mandated all federal civilian agencies to fully implement Zero Trust principles last year. We saw similar efforts in Europe, including the NIS2 Directive – a new piece of EU-wide legislation aimed at improving the region’s cybersecurity – which required all businesses across the EU to adhere to enhanced cybersecurity requirements and introduced penalties for not doing so. We also saw updates to Australia’s Essential Eight cybersecurity framework, which introduced stricter requirements for phishing-resistant passwords that aim to combat the vulnerabilities of weak MFA implementations susceptible to phishing and social engineering attacks in the Australian banking sector.
In 2025, I expect continued efforts from governments around the world to implement and enforce similar regulations and guidelines in order to keep businesses and individuals secure from increasingly sophisticated cyber threats like phishing. As federal agencies around the world look to meet new and upcoming regulations, the adoption of Zero Trust Architecture and robust, phishing-resistant MFA like YubiKeys is not just a compliance requirement—it’s a critical step in safeguarding the nation’s infrastructure. The path forward is clear: by embracing these well-established security measures, we are not only meeting the demands of today but also building our defenses for new attacks that will come.
Prioritizing securing critical infrastructure: Josh Cigna
Industry reports peg the cause of about 80% of cyber attacks on stolen credentials, so it’s critical that operators of industries within the Critical Infrastructure sphere adopt Zero Trust methodologies to stay secure. Zero Trust requires a strong central identity program that is flexible enough to allow for seamless user interaction but reinforced to withstand the actions of malicious parties.
To securely meet this bar for critical IT and Operational Technology (OT) environments, utility companies need to start by adopting the modern MFA solutions prescribed by Zero Trust methodologies where they can. Legacy MFA such as SMS, one-time passcodes (OTP), and push notifications available to traditional OT networks (when they are available at all) are highly susceptible to modern phishing attacks. Given the rise and sophistication of cyber attacks, there is a need for phishing-resistant MFA, which includes personal identity verification (PIV)/Smart Card and modern FIDO2 or WebAuthn passkey authentication. The good news is that the energy sector is already ahead of the game due to wide Smart Card adoption. Other industries need to push vendors to provide strong authentication technologies, and need to find ways to isolate their legacy networks behind strong access controls provided by modern authentication.
Smart Cards have been one of the most trusted and proven implementations of MFA for over 20 years, and often relied upon as the standard for authentication by energy companies. PIV Smart Cards qualify as phishing-resistant MFA because even if someone manages to steal credentials, they would still need the card to access something. Today, Smart Cards come in many form factors, from a credit card size that fits in your wallet to a hardware security key that fits on your keychain. There’s only one challenge: the typical credit card-shaped Smart Card hasn’t historically worked well on mobile devices without additional hardware and software.
Moving forward, I expect the energy sector to grow its adoption of phishing-resistant authentication solutions to provide the highest level of protection against phishing and unauthorized account access. Other industries need to push OT vendors to support stronger solutions, and invest in isolation technologies backed by the same strong MFA to protect against attacks. At the same time, all organizations need to protect their IT networks with Zero Trust architecture backed by strong MFA. At the end of the day, understanding the challenges faced by operators with OT networks is the best place to start, and these operators need to take layered approaches working across the IT/OT gap to find success.
Content retrieved from: https://www.yubico.com/blog/cybersecurity-in-2025-part-two-insights-and-predictions-from-yubicos-experts