
Top 6 takeaways from Cybersecurity Awareness Month

Technology is evolving at a speed that far outpaces our ability to plan for its safe use in business. Cybercriminals are leveraging new technologies to successfully manipulate individuals into handing over the keys to their employers' systems, and businesses aren't fully equipped to prevent or recover from an attack. It's become clear that having the most up-to-date information on cybersecurity trends is critical for governance, hiring, and upskilling. To mark Cybersecurity Awareness Month 2025, our sister company, Protiviti, held a series of online events to shed light on the anatomy of a cyberattack, frameworks that support AI governance and regulation, and how to leverage hiring trends and skill gaps to accelerate a cybersecurity career. Here are our top six takeaways, with key insights from event speakers and experts.

1. 85% of cyberattacks succeed through human manipulation

Many cybercriminals successfully compromise a business through its people rather than targeting its systems. “There's a quote that says, ‘Amateurs hack systems; professionals hack people,’ and that's very true. It's much easier for a hacker to target us as the user and get the keys to the system, rather than use technical skills to try and break into the system,” said a cybercrime expert during an event on the anatomy of a cyberattack. An expert in penetration testing, forensic discovery and investigation said, “Attackers can openly link a single email address to other identifiers, such as name, mobile phone number and physical addresses. So, in short, from one email address, they can build a working profile of you detailed enough that their approach feels genuine.” From here, they can use social engineering, sending emails or making phone calls from spoofed accounts that convince colleagues to unknowingly grant access to systems under the guise of urgency or last-minute changes of plan.

2. AI can make scam tactics more convincing

AI is accelerating social engineering techniques, making phishing emails, deepfakes, and voice cloning more sophisticated and convincing. “AI is a big topic right now, and is an accelerator for everything, including cybercrimes. In practice, it pushes social engineering to the next level — phishing emails, deep fakes, and convincing voice clones. Attackers nowadays are harder to spot,” said an expert. “They buy a spoofing service and set the caller ID to a senior leader using their actual phone number. They use a voice clone, so the caller ID sounds like that particular person. They add real context like project names, vendors, deadlines, so the request feels routine,” he said. “There are no links, no malware, just a phone number, plus voice, plus context. And it works.”

3. 99% of organisations unknowingly leak sensitive data via AI tools

AI tools are quickly becoming one of the most common weak points in cybersecurity. “We are seeing more personal data leaks and more AI-related security incidents and a general lack of readiness, especially on the risk management side and on the technical side,” said a data governance lead. She revealed that 99% of organisations unknowingly leak sensitive data via AI tools and that 80% of Gen AI prompts include confidential information and PII. In 2024, over 200 AI incidents were reported — double the number reported the previous year. “We're seeing AI chatbots being built into SaaS applications and organisations that are quite advanced in this process; they're now getting into more agentic AI spaces. So, the risk will vary, but one thing is clear — AI is indeed increasing the attack surface and the risk surface, which could cause significant damage if these risks are not mitigated,” said a cybersecurity leader.

4. Significant gaps exist between AI adoption and governance capabilities

Organisations are enthusiastically adopting AI without building the necessary governance infrastructure to manage its risks effectively. A data governance lead revealed that only 30% of companies conduct regular audits on AI governance. “What we're essentially asking is what data is going into the AI system, what data is being used by which AI system, and is the data consistent? Is it reliable? Is it compliant? Who has access to that data and who's accountable for managing those issues and risks around it?” said a data governance lead. “The answers to all these questions are at the heart of data governance, because data governance is there to ensure that data is available, usable, secure, compliant, good quality, and maintaining its integrity across the lifecycle. That's why it is crucial to have data governance elements in place before starting your AI governance program.”

5. 4.8 million cybersecurity roles are unfilled globally

A cybersecurity skills gap is leaving businesses vulnerable to attacks and costing them an additional £1.76 million in breach-related expenses each year. New research from Robert Half shows that cybersecurity hiring has become a top priority for 48% of UK employers, who are offering salary premiums in a bid to quickly fill risk, compliance, and cybersecurity talent gaps in the wake of several high-profile cyberattacks. A senior manager at Protiviti suggested that the overwhelming preference for certifications could be contributing to unfilled roles. She stated that 91% of organisations prefer certification over practical skills, but 72% struggle to find certified candidates, and 39% cite lack of practical skills as a key hiring issue. She said, “Certification preferences and hiring challenges often impact the struggle to find certified candidates. Unrealistic job descriptions, low flexibility and slow recruitment are also factors — the average vacancy takes about 13 weeks to fill in the UK compared to the global average. In that process, you lose people. The longer the process, the higher the chance of losing the person.” An associate director added, “We are seeing employers requiring their staff to upskill, and often, things are moving so fast they're still figuring out their policies and their governance guardrails in parallel, while things are already being adopted in the business. In addition to technical skills, we're seeing an increasing need for cyber professionals to have soft skills. Being good at cross-functional collaboration, being strong with communication, and often that narrows the pool in terms of looking for both sides of the coin.” 

6. Considering candidates from non-traditional backgrounds is key to addressing skills gaps and cybersecurity concerns

Technology is outpacing hiring, especially for businesses that want certifications and practical experience from hires. Skills-based hiring, which considers transferable skills rather than certifications, offers employers access to an untapped talent pool that can be trained in-house alongside other employees. “We're seeing organisations bringing in talented grads who may be coming from other disciplines, as they’re still very much in learning mode and can be trained up to a baseline level relatively easily. We've also had some good success with people looking to change careers. We've noticed that ex-military personnel can have a good risk management mindset, and often fit well into cybersecurity and resilience roles,” said an associate director at Protiviti. “We've seen people in related disciplines—like internal audit, tech, or enterprise risk—who understand risk management, and they also have a level of subject matter awareness.” A senior manager at Protiviti said, “More firms are conducting internal skills gap analyses, but my thought is that it should be a continuous exercise. It's not a one-time exercise. As our requirements shift, we need to assess whether we have the right talent. Do we need to add more? Do we need to invest in our people? So, that should be the main focus every year, as the landscape keeps changing.”

Browse the latest cybersecurity vacancies on the Robert Half site or get in touch with our tech recruitment experts to gain access to top talent in risk, governance, and cybersecurity. For more information on the latest salaries, skills, and hiring trends in tech, download the 2026 Robert Half Salary Guide today.