
Understanding cybersecurity threats — and what to do about them

As we begin a new year, what are the newest cybersecurity threats businesses need to be aware of and what steps should they take to protect themselves? We checked in with four cybersecurity professionals to find out.

“Cybersecurity is evolving rapidly and, with it, so are the threats,” said Trevor Smith, executive vice president of Brite, a technology solutions partner based in Victor, New York. “One of the biggest challenges businesses face is navigating the overwhelming number of cybersecurity solutions available.”

Smith noted a recent report that cited more than 3,300 cybersecurity solutions across 17 categories, which for most companies is too much to research, evaluate, implement, and manage effectively.

“That’s where partnering with a knowledgeable cybersecurity solutions provider becomes invaluable,” said Smith, who explains such providers leverage industry frameworks to assess gaps in a company’s security posture and recommend the necessary measures to protect against both current and emerging threats.

A few of the emerging threats businesses should watch out for, he said, include AI-enhanced phishing scams, advanced persistent threats, supply chain attacks, IoT vulnerabilities, and deepfake and ransomware attacks.

“The first step is understanding where your organization stands today,” said Smith, when it comes to steps businesses can take to protect themselves from these new threats. “A new year is upon us, and if you haven’t conducted a security assessment in the past twelve months, now is the time.”

Assessments identify gaps in a business’s security posture according to industry standards, said Smith, who notes it’s also critical to test the effectiveness of your current solutions, such as through penetration testing.

“Combining these two measures allows you to identify weaknesses, create a plan to address them, and ensure your existing tools are functioning effectively,” Smith said.

Other important steps he suggests include implementing zero trust architecture; investing in AI-driven threat detection to stay ahead; eliminating alert fatigue; strengthening endpoint security; conducting regular security assessments and penetration testing; and enhancing employee training.

“Your employees are your first — and sometimes last — line of defense. Regular training, paired with simulation exercises, ensures they’re prepared to recognize and respond to threats,” Smith said.

Charlie Wood, co-founder of FoxPointe Solutions, a cybersecurity, IT consulting and compliance division of The Bonadio Group, says that among the cybersecurity threats businesses should be aware of in 2025 are cloud security and misconfiguration risks.

“Most cloud environments are fairly sound; however, companies have the ability to modify configurations, so cloud security and misconfiguration risks are things that we’re seeing on a regular basis,” Wood said.

Another threat Wood sees is AI being used as a weapon via advanced natural language processing to impersonate email and voice and to enhance ransomware and social engineering capabilities.

“AI is here to make life easy, but it’s also here to make life easy for hackers,” Wood said.

He also points to increased threats of state cyber espionage and warfare that target critical infrastructure, government agencies and key industries, as well as supply chain security risks.

“You can’t just assume that everybody has the same security protocols that your organization has,” Wood said. “You have to actually assume that they don’t.”

Among the ways businesses can protect themselves from these threats, Wood says, are to perform vendor due diligence; view cybersecurity as an investment (that includes investing in cyber liability insurance); and educate and continually educate staff.

“When you look at the three tenets of cybersecurity, it’s people, processes and technology,” Wood said. “A lot of money is sunk into technologies and processes and the one thing that a lot of organizations forget to do or don’t spend enough money on is training their people.”

Two ways Wood recommends businesses stay on top of learning about new cybersecurity threats are reading industry publications, such as those from CISA (the Cybersecurity and Infrastructure Security Agency), and enlisting the support of cybersecurity experts to assist in identifying vulnerabilities and organizational risk.

Cheryl Nelan, president and owner of CMIT Solutions of Rochester, New York, says the biggest new access point she’s seeing for cybersecurity threats right now is AI.

“AI has got so many great things for business users to do to enhance their business and be more productive, but at the same time it adds another vector — another way — that you can be compromised,” Nelan said. “From a cyber security perspective, the same ways it helps us do our jobs, it helps bad guys do their jobs too.”

Nelan is also seeing an uptick in fake-out cyber-attacks through Microsoft 365.

“Thieves are trying to get your MFA [multi-factor authentication] through what looks like it’s a Microsoft pop-up,” Nelan said. “You think it’s Microsoft because it looks like Microsoft and it’s not. You end up giving the thieves the MFA code and they break in and they’re behind the scenes and you don’t even know it.”

Staying on top of new threats like these takes a regular conversation and a regular plan that is ever evolving with the business owners, the IT leaders of the organization and IT partners, Nelan said.

Malvertising — a cyberattack that spreads malware through online ads — is another cybersecurity threat Fred Brumm, co-owner of CETech, a Rochester, New York-based IT services and consulting firm, expects to continue to grow this year.

“It’s basically using advertising to get people to click on links that are bad and may install software onto your computer,” Brumm said. “And once that happens it’s kind of game over. The criminals may have access to your bank accounts, social media platforms, et cetera.”

Malvertising is growing at a fast rate, according to figures from Malwarebytes that show instances of malvertising increased 41 percent from July to September of 2024. Brumm likens it to a new flavor of spammy emails, and says not falling victim to malvertising is akin to not falling victim to malicious emails.

“It’s all the same stuff to look for — grammar errors, spelling errors,” Brumm said. “And be wary of pop-up messages and make sure you’re going to legitimate websites. If you do see an advertisement and it seems a little too good to be true, it might be too good to be true.”