2025 Cyber Security Year in Review: The Risks That Changed Everything


Summary

2025 was a year of significant change in cyber security. AI lowered the barrier for attackers while strengthening defence. Cloud platforms proved powerful but not uninterrupted. High-profile breaches such as M&S highlighted the real financial impact of cyber incidents, while outages across Azure, AWS, and Cloudflare exposed the risks of cloud dependency. This end-of-year review examines the most critical cyber risks of 2025 and the lessons organisations must carry into 2026.

The Risks That Changed Everything and the Lessons for 2026

“The only constant in life is change.”
Heraclitus

In cyber security, change is not abstract. It reshapes how organisations operate, how attackers behave, and how quickly traditional assumptions break down.

For years, many organisations believed the cloud was inherently secure, resilient, and uninterruptable (sorry). In 2025, that belief changed. Repeated outages across Azure, AWS, and Cloudflare, combined with AI-driven attacks and high-profile breaches such as M&S, forced organisations to rethink risk, resilience, and control.

This was not a year defined by a single incident. It was defined by patterns. Below are the most significant cyber risks of 2025, and what they mean for organisations across Ireland and the wider EU heading into 2026.

Identity Compromise Accelerated by Malicious AI

Identity compromise remained the primary entry point for serious cyber incidents, but AI changed the scale of the problem. As reported by BleepingComputer, malicious large language models enabled inexperienced attackers to generate phishing campaigns, malware, and exploit code with minimal effort. These tools lower the barrier to entry while increasing realism and speed.

AI-driven phishing, credential harvesting, and business email compromise became harder to detect and easier to automate. Once accounts were compromised, attackers moved rapidly across email, cloud platforms, and internal systems.

According to CrowdStrike, Identity Security is the protection of user, device, and application identities to ensure only authorised access to systems and data. It focuses on preventing credential misuse, privilege abuse, and unauthorised access, recognising that identity is now the primary attack vector in modern cloud and hybrid environments.

For most organisations, identity security remained the single most important control point in 2025, and it will remain so in 2026.

Breaches with Measurable Business Impact

The cyberattack on Marks & Spencer was a clear example of how cyber risk translates directly into business impact. Reporting from Supply Chain Digital highlighted the effect on profits, operations, and confidence.

This was not an isolated IT issue. It disrupted supply chains, affected financial performance, and reinforced that cyber incidents are now board-level concerns. The M&S breach became a reference point for executives assessing their own preparedness.

Across Ireland and the EU, this shift in perspective is becoming more common. Cyber security is no longer measured only in technical controls, but in operational resilience and financial exposure.

Cloud Dependency and Core Infrastructure Outages

Throughout 2025, major outages affected Azure, AWS, and Cloudflare. Analysis by CyberNews identified a striking pattern. Many of these disruptions were caused by failures within the providers’ own core infrastructure, not by customer error.

For cloud-dependent organisations, the impact was immediate. Business applications went offline. Customer services were disrupted. Internal teams had limited visibility and little ability to influence recovery timelines.

These incidents challenged the assumption that hyperscale cloud platforms automatically deliver resilience. Cloud remains essential, but dependency without contingency planning introduces operational risk that must be acknowledged.

Cloud Cost Overruns and Loss of Visibility

Cost also became a defining cloud issue in 2025. According to IDC, more than 70 percent of organisations reported cloud cost overruns of twenty percent or more. TechRadar found that nearly half of IT teams experienced unexpected cloud costs between five thousand and twenty-five thousand dollars, often due to limited governance and visibility. Thirty-two percent believed budget was wasted on unused features or over-provisioned capacity.

These challenges affected more than finance. Poor visibility made it harder for security teams to understand where data resided, how systems were connected, and which assets were exposed.

For many organisations, this combination of cost pressure and risk triggered a strategic reassessment.

Hybrid and On-Prem Infrastructure Returned as a Strategic Choice

In response to cloud cost, control, and resilience concerns, many organisations began repatriating workloads. Research indicated that between 68 and 70 percent of IT leaders were moving workloads away from public cloud, often due to cost and governance concerns. TechRadar reported that 42 percent of IT professionals moved workloads to dedicated infrastructure in the past year, with 55 percent citing the need for full control and customisation.

Hybrid is no longer a transitional phase. It is now the default operating model for many organisations.

From a cyber security perspective, this introduces complexity. Fragmented tooling, inconsistent policies, and limited cross-environment visibility create gaps that attackers can exploit. Hybrid itself is not the risk. Poor governance is.

Browser Trust and the Expanding Attack Surface

Late in 2025, malicious Chrome and Edge extensions were uncovered that had been silently repurposed after years of appearing legitimate. Millions of users were affected.

This highlighted an overlooked risk. Browsers are now the primary interface to cloud and SaaS platforms, yet extension governance is often weak. As browser-based work continues to grow, browsers must be treated as a core part of the attack surface.

Delayed Detection and the Cost of Poor Monitoring

Organisations without continuous monitoring continued to experience long dwell times. Attacks went undetected for weeks or months, increasing recovery costs and operational damage.

AI-enabled attacks made this worse by accelerating attacker movement and reducing obvious indicators of compromise. Where 24×7 monitoring and managed detection services were in place, organisations detected threats earlier and limited impact.

Monitoring did not eliminate risk, but it consistently reduced severity.

Vulnerability Exposure and Infrequent Testing

Unpatched systems, misconfigurations, and insufficient testing remained common weaknesses. While vulnerability scanning and penetration testing were widely recognised as essential, many organisations still treated them as periodic exercises.

In a rapidly evolving threat landscape, this approach left unnecessary exposure.

AI Governance Emerged as a Real Risk

As organisations embedded AI tools into operations, governance lagged behind adoption. Uncontrolled AI systems accessed sensitive data and operated without clear oversight.

2025 marked the shift from AI governance as a future concern to a current requirement. This will accelerate further in 2026.

Security Awareness and Risk Ownership

Human behaviour continued to influence outcomes. Organisations that invested in practical, scenario-based security awareness reduced the likelihood of successful attacks.

More importantly, organisations with clear risk ownership and treatment plans proved more resilient than those reacting incident by incident.

NIS2 and CyFun

Alongside NIS2, CyFun continued to gain momentum in 2025 as an emerging cyber security framework across Europe. Originating in Belgium and based on the NIST framework, CyFun was developed to give organisations a clear, practical way to understand and improve their cyber security maturity. Unlike high-level regulatory directives, CyFun focuses on what good looks like in practice. It assesses real controls, operational processes, and supply chain exposure, rather than relying on policy statements alone.

CyFun is now being widely adopted across Europe and has seen strong uptake in Ireland, particularly with the NCSC-IE, Government Departments and public sector agencies. Importantly, CyFun is expected to become a certified framework in Ireland by 2028, further strengthening its role as a recognised benchmark for cyber maturity. Its appeal lies in its simplicity. Organisations of any size can use CyFun, with its three-tiered approach, to benchmark their current posture, prioritise improvements, and demonstrate progress in a structured and repeatable way. In the context of NIS2, the relationship is clear. NIS2 tells you that the wall must be painted. CyFun tells you what colour of paint to use. Together, they help organisations strengthen not only their own defences, but also the resilience of the wider supply chain.

What This Means for 2026

The lessons from 2025 are clear:

  • AI has changed the threat landscape.
  • Cloud dependency must be balanced with resilience.
  • Hybrid environments require unified governance.
  • Identity security remains the highest priority.

Change is not the threat. Failing to adapt to it is. Organisations that recognise this, and act on it, will be far better positioned for 2026 and beyond.