The following is excerpted from the RSA ebook, Top Trends in Identity for 2025, which distills threat intelligence and insights from RSA cybersecurity and product experts, customers, partners, and analysts. The eBook shares predictions on the identity and access management (IAM), cybersecurity, and business trends that will shape 2025. By reading the eBook, security leaders can begin to plan their priorities for 2025 and learn from the best practices and coming innovations that can help keep their organization safe. Download the full ebook now.
Where were you on July 19, 2024?
With any luck, you weren’t traveling. That day, a combination of a CrowdStrike update and limitations with Microsoft environments reportedly crashed 8.5 million Windows systems, delayed or cancelled 10,000 flights, and cost Fortune 500 companies more than $5 billion in direct losses. Importantly, the outage wasn’t due to cybercriminals or threat actors. Instead, infrastructure simply failed—and when it did, nearly everything broke.
That one day looms large over 2025 and foreshadows what we expect to see this year in security. Not because we expect any of the particulars to reoccur, but because the overall environment really hasn’t changed all that much since last July.
Organizations will largely have the same technologies and capabilities at their disposal this year as they had last year. They will continue making progress in implementing multi-factor authentication (MFA), deploying passwordless authentication, and honing their use of AI in their tech stacks. And they will continue working in hybrid environments and generating increasing numbers of machine identities. At the same time, threat actors will continue attacking passwords, using their own instances of AI in attacks, and trying to find ways to bypass MFA. Researchers will continue making incremental progress on new technologies like quantum computing, and security experts will continue preparing for threats that are ten years away.
For the most part, the same systems, capabilities, risks, and threats will play out in 2025 as they did in 2024. We don’t expect a revolution in any one of those variables. Instead, we expect evolutions in each.
However, if a single software update can crash millions of computers, as it did in 2024, then evolutions will become revolutions. Even without marquee new technologies hitting the market in 2025, with interconnected systems, growing numbers of users and agents, and AI that can make decisions and generate outputs faster than any human, incremental progress will have exponential effects in 2025.
We expect there to be more of everything in 2025: more MFA, more passwordless authentication, more AI deployed in cybersecurity stacks, and more users (especially more machine users), as well as more attacks on passwords and more data breaches that do even more damage.
Add in a new presidential administration in the United States with shifting cybersecurity priorities, and new global regulations emphasizing resilience after that July 19 incident, and we expect a bigger, louder, and riskier 2025.
That’s not to deter action. To the contrary: organizations should continue investing in cybersecurity and infrastructure capabilities that will help them weather a perfect storm. They should use history to guide them: historically, most data breaches were caused by some weakness in an organization’s identity infrastructure. That can mean a password that is vulnerable to compromise, a failure to implement MFA, or an attacker exploiting some other vulnerability in an organization’s identity lifecycle to move laterally, gain more permissions, and do more damage. Likewise, interconnected systems built on single points of failure will do just that. Resilient systems will thrive when fragile ones fail.
I don’t know what date will define cybersecurity in 2025. But I do know that day is coming—and it may be coming soon. I urge you not to wait to find out when it will be, but instead to take action now to prepare.translated
Download the RSA ebook Top Trends in Identity for 2025 now.
