What’s Next for Human Risk? We Asked Our CTO
Published on: 20 Nov 2025

The future of cybersecurity will be defined by people, not just technology. As threats evolve, human risk — the choices, habits, and culture within organisations — will shape resilience more than ever.
In this Q&A, Andy Fielder looks ahead at how leaders can anticipate tomorrow’s challenges and build a security mindset that lasts.
What do you see as the most significant cyber threats organisations are dealing with today?
The most significant threats haven’t necessarily changed, but they’ve evolved to become more sophisticated and harder to defend against. Ransomware remains a major concern today, but what’s striking is how professionalised it’s become. These groups now operate like legitimate SaaS businesses, complete with tech teams, support desks, and structured operations. That level of organisation has made it easier for more people to get involved, and the financial incentive is enormous. Some estimates suggest cybercrime revenues, across all types, rival the size of Russia’s economy. With that kind of return, it’s no surprise that organised crime continues to invest heavily in this space.
Credential theft is another major threat. Most organisations have reasonable technical controls in place to protect against common attacks, so attackers are increasingly targeting user credentials. By compromising non-business platforms where people reuse passwords, they can harvest login details and use bots to validate which ones work. These credentials are often stored and used later in targeted attacks. It’s a methodical approach that bypasses traditional defences, and it’s really effective.
The third area of concern is supplier compromise. Businesses can no longer think of themselves as isolated entities. Attackers understand that suppliers often have weaker security postures, and they exploit that trust gap. We’ve seen high-profile cases in retail and automotive where breaches have occurred through a supplier, not the company. Once inside, attackers pivot to the primary target. It’s a clear reminder that cybersecurity must extend beyond the organisation to its entire ecosystem.
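The credential-validation step described in the answer above leaves a recognisable trace in authentication logs: one source trying many different accounts once or twice each, rather than one account many times. The Go program below is an added example written for this page, not code from the interview or from MetaCompliance. It assumes a simple `timestamp src=IP user=NAME result=ok|fail` line format, uses threshold values chosen for illustration, and runs over log lines that are constructed in the code itself.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Assumed starting thresholds; tune them against your own login baseline.
const (
	Window      = 5 * time.Minute // look-back window per source IP
	MinAttempts = 8               // at least this many attempts in the window...
	MinUsers    = 6               // ...across at least this many accounts...
	MaxPerUser  = 2.0             // ...with no more than ~2 tries per account
)

// AuthEvent is one parsed login attempt; Finding is one flagged source IP.
type AuthEvent struct {
	When        time.Time
	SrcIP, User string
	Success     bool
}

type Finding struct {
	SrcIP                   string
	Attempts, DistinctUsers int
	Successes               []string // accounts that logged in during the burst: likely reused passwords
}

// ParseLine reads the assumed format "2025-11-20T10:00:01Z src=IP user=NAME result=ok|fail".
func ParseLine(line string) (AuthEvent, error) {
	var ts, ip, user, res string
	if _, err := fmt.Sscanf(line, "%s src=%s user=%s result=%s", &ts, &ip, &user, &res); err != nil {
		return AuthEvent{}, fmt.Errorf("malformed line %q: %w", line, err)
	}
	when, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return AuthEvent{}, err
	}
	return AuthEvent{When: when, SrcIP: ip, User: user, Success: res == "ok"}, nil
}

// score summarises one window; ok is true when it looks like stuffing (many attempts,
// many distinct accounts, few tries each). One account hammered repeatedly, i.e.
// plain brute force, fails MaxPerUser and is deliberately not reported here.
func score(ip string, window []AuthEvent) (f Finding, ok bool) {
	users := map[string]bool{}
	f = Finding{SrcIP: ip, Attempts: len(window)}
	for _, ev := range window {
		users[ev.User] = true
		if ev.Success {
			f.Successes = append(f.Successes, ev.User)
		}
	}
	f.DistinctUsers = len(users)
	perUser := float64(f.Attempts) / float64(f.DistinctUsers)
	return f, f.Attempts >= MinAttempts && f.DistinctUsers >= MinUsers && perUser <= MaxPerUser
}

// Detect parses the lines, groups them by source IP, slides Window over each group
// in time order and reports the largest qualifying window per IP.
func Detect(lines []string) ([]Finding, error) {
	byIP := map[string][]AuthEvent{}
	for _, l := range lines {
		ev, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		byIP[ev.SrcIP] = append(byIP[ev.SrcIP], ev)
	}
	var findings []Finding
	for ip, evs := range byIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		var best *Finding
		for start, end := 0, 0; end < len(evs); end++ {
			for evs[end].When.Sub(evs[start].When) > Window {
				start++
			}
			if f, ok := score(ip, evs[start:end+1]); ok && (best == nil || f.Attempts > best.Attempts) {
				best = &f
			}
		}
		if best != nil {
			findings = append(findings, *best)
		}
	}
	return findings, nil
}

// SampleLog is constructed test data, not real traffic: 203.0.113.7 walks ten leaked
// accounts (one reused password, "dave"); 192.0.2.9 brute-forces a single account.
func SampleLog() []string {
	base := time.Date(2025, 11, 20, 10, 0, 0, 0, time.UTC)
	at := func(sec int) string { return base.Add(time.Duration(sec) * time.Second).Format(time.RFC3339) }
	var lines []string
	for i, u := range strings.Fields("alice bob carol dave erin frank grace heidi ivan judy") {
		res := "fail"
		if u == "dave" {
			res = "ok"
		}
		lines = append(lines, fmt.Sprintf("%s src=203.0.113.7 user=%s result=%s", at(i*7), u, res))
	}
	for i := 0; i < 12; i++ {
		lines = append(lines, fmt.Sprintf("%s src=192.0.2.9 user=bob result=fail", at(i*5)))
	}
	return lines
}

func main() {
	findings, err := Detect(SampleLog())
	fmt.Printf("%+v %v\n", findings, err)
}
```

The brute-force source is left out on purpose: it is a different signature with a different response (lock or rate-limit one account), whereas the stuffing burst's one successful login is the account whose reused password has just been confirmed and should be reset. In production the same logic belongs in the SIEM as a per-source rule, with the caveat that stuffing campaigns are often spread across proxy pools so that no single IP crosses the threshold; a second view keyed on the whole estate (distinct accounts failing per minute, or successes preceded by a failure from a never-seen network) catches that case.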
How have these threats evolved over the past few years, and what’s driving that change?
The biggest shift has been the professionalisation of cybercrime. It used to be something people did for fun — a teenager in their bedroom trying to prove they could break in. That still happens, but what’s really changed is the rise of structured, organised operations. These groups now function like proper businesses, with teams, infrastructure, and objectives. That level of organisation has made attacks more scalable, more targeted, and far more dangerous.
State-led activity has also ramped up significantly. Cyber warfare has become a recognised tool for economic and geopolitical disruption — a way for nations to influence or cause damage without physical conflict. The threat this poses is very different now. It’s strategic, well-funded, and often aimed at undermining national infrastructure or major businesses.
At the same time, better technical controls have forced attackers to shift their tactics. It’s harder to break through firewalls and endpoint protections, so the focus has moved to human behaviour. Social engineering has become one of the easiest and most effective ways in. If an attacker can trick someone into handing over credentials or gather enough personal information to impersonate them, they can bypass technical safeguards. Once they’re in, they look like a legitimate user, and it’s often only when they start doing something suspicious that they’re detected. That change in focus — from systems to people — is one of the most important evolutions we’ve seen.
In light of these changes, how have organisations had to rethink their approach to cyber defence?
There’s now a real emphasis on the supply chain. Businesses are recognising that they’re only as secure as the vendors and partners they rely on. That means understanding who those suppliers are, how they manage their own security, and holding them accountable. Supplier compromise is one of the most likely entry points for an attack today, and that shift has forced companies to widen their defensive lens beyond their own walls.
At the same time, there’s been a mindset shift around technical controls. It used to be that if you had solid firewalls, a good Security Operations Centre (SOC), and the right tools in place, you felt reasonably confident. But attackers have adapted. They’re going after credentials, which means they can bypass all those layers of protection. The reality is that most breaches now stem from human error: someone clicking the wrong link, sharing the wrong detail, or reusing a password.
Unlike technical controls, which behave consistently, people are unpredictable. We all have different risk appetites and different habits, and that variability is hard to manage. It’s led to a broader recognition that cyber security isn’t just a technical issue anymore but a human one. The responsibility to protect businesses doesn’t sit solely with IT. It’s everyone’s job. That shift from tech-first to people-first is probably one of the most important changes we’ve seen.
Looking ahead 3–5 years, which emerging threats do you believe will pose the greatest challenge?
AI is already changing the game, and it’s doing so on both sides. From a defensive point of view, we can use AI to identify patterns, detect abnormal behaviours, and cut through the noise to highlight real threats. But criminals are using the same technology to make their attacks more convincing and effective.
Take phishing. It used to be easy to spot because of poor spelling and grammar, but now AI can create messages that look completely legitimate, making it much harder to identify what’s fake. That will only get more sophisticated. It’s becoming more important for people to understand what those threats are and how they might show themselves, so they don’t get caught.
Looking further ahead (5 to 15 years), quantum computing will also be a game-changer. It will break the encryption methods that currently protect everything from banking to cryptocurrencies. It’s a daunting prospect because, at that point, much of what we rely on for digital trust could be compromised. Although it’s still some way off, it’s a threat we’ll eventually have to face.
There are new PQC (Post-Quantum Cryptography) standards that will help us to encrypt and protect in a quantum world, and companies need to start understanding their cryptography footprint and planning how they can move to PQC standards so they’re ready.
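Understanding a cryptography footprint starts with what can already be enumerated, and certificates are the easiest place to begin. The Go program below is an added example, not code from the interview or from MetaCompliance: it walks a PEM bundle, records each certificate's key algorithm, key size and signature algorithm, and flags keys that rely on factoring or elliptic-curve discrete logarithms, which are the ones Shor's algorithm breaks. The three certificates it scans are generated in-process as constructed sample data; the migration target named in the risk string, ML-DSA, is the NIST signature standard FIPS 204, and the key-size threshold of 2048 bits is an assumed policy value.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Entry is one inventory row: what the certificate's key is and why it matters.
type Entry struct {
	Subject, KeyAlg, SigAlg, Risk string
	NotAfter                      time.Time
}

const (
	RiskShor    = "quantum-vulnerable (Shor): plan migration to ML-DSA (FIPS 204) signatures"
	RiskWeakNow = "already below the assumed 2048-bit key-size policy; "
	RiskUnknown = "unrecognised key type: review manually"
)

// Classify names the public-key algorithm and its quantum exposure. RSA, ECDSA and
// Ed25519 all depend on problems Shor's algorithm solves, so all three are flagged.
func Classify(cert *x509.Certificate) Entry {
	e := Entry{Subject: cert.Subject.CommonName, SigAlg: cert.SignatureAlgorithm.String(), NotAfter: cert.NotAfter, Risk: RiskShor}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		e.KeyAlg = fmt.Sprintf("RSA-%d", pub.N.BitLen())
		if pub.N.BitLen() < 2048 {
			e.Risk = RiskWeakNow + RiskShor
		}
	case *ecdsa.PublicKey:
		e.KeyAlg = "ECDSA-" + pub.Curve.Params().Name
	case ed25519.PublicKey:
		e.KeyAlg = "Ed25519"
	default:
		e.KeyAlg, e.Risk = "unknown", RiskUnknown
	}
	return e
}

// Inventory classifies every CERTIFICATE block in a PEM bundle and skips other block types.
func Inventory(bundle []byte) ([]Entry, error) {
	var out []Entry
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("unparseable certificate block: %w", err)
		}
		out = append(out, Classify(cert))
	}
	return out, nil
}

// selfSigned issues a throwaway self-signed certificate for the constructed bundle.
func selfSigned(cn string, key crypto.Signer) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle is constructed demo data: one self-signed certificate per common key type.
func SampleBundle() ([]byte, error) {
	rsaKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, edKey, err3 := ed25519.GenerateKey(rand.Reader)
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err
	}
	var bundle []byte
	for _, c := range []struct {
		cn  string
		key crypto.Signer
	}{{"rsa.example", rsaKey}, {"ecdsa.example", ecKey}, {"ed25519.example", edKey}} {
		p, err := selfSigned(c.cn, c.key)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	bundle, err := SampleBundle()
	if err != nil {
		panic(err)
	}
	fmt.Println(Inventory(bundle))
}
```

Pointing `Inventory` at a real trust store or a directory of server certificates gives the first slice of the footprint; the rest (TLS and SSH configuration, libraries and their default algorithms, key material in HSMs and key vaults, encrypted data at rest) has to be inventoried the same way before a migration plan is realistic. Symmetric algorithms and hashes are a separate column: Grover's algorithm only halves their effective strength, so AES-256 and SHA-256 stay usable, while the key exchange that protects a session needs ML-KEM (FIPS 203) or a hybrid.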
What practical steps can organisations take to future-proof themselves against evolving risks?
The key is resilience — assuming an incident will happen and preparing accordingly. That means having robust detection tools, like SIEM platforms that aggregate logs from across your systems and use AI and human analysis to spot threats early.
It’s also about testing your disaster recovery and incident response plans so that when something does happen, everyone knows their role. How will you isolate or quarantine affected systems? Who communicates with key stakeholders? Do you have forensic specialists ready to call if needed? A well-prepared organisation can detect, contain, and recover quickly — and communicate transparently. This actually builds trust, because customers today understand that no one is immune to cyberattacks.
Another important principle is to “shift left”, which means baking security in from the very start of product design or system development, rather than trying to bolt it on later. It’s far more effective to build securely by design than to add defences later.
Are there any recent or upcoming regulations that could reshape how organisations manage cybersecurity risk?
Yes, particularly from the EU. The Digital Operational Resilience Act (DORA) is one that’s having a real impact. It places a much stronger emphasis on supplier risk management — holding third parties accountable for their own security posture and ensuring that organisations know exactly how secure their supply chain is.
The EU Cyber Resilience Act (CRA) focuses on software and IoT devices and is aimed at ensuring digital products are secure by design throughout their lifecycle. It will bring with it significant fines for non-compliance: 15 million euros or 2.5% of global turnover. This is likely to apply from 2027, so SaaS providers need to start planning now to comply.
In what ways is artificial intelligence transforming the landscape of risk management?
AI is transforming risk management in two major ways — as both a defensive tool and an offensive one. On the defensive side, it’s invaluable for analysing the vast amount of data that our networks and applications generate. It helps us detect anomalies, highlight risks, and automate the initial triage process so that human analysts can focus on containing attacks.
On the offensive side, criminals are using AI to test systems for weaknesses, create deepfakes, and power sophisticated phishing, smishing, and social engineering campaigns. That’s why education is so important — helping people understand how realistic these threats can be, simulating them so that they can experience them, and teaching them to verify sources rather than trust what they see online. AI will only get smarter, so awareness and validation are crucial. Don’t just take what you see at face value. Always validate through some other means under your control; that’s the best way to avoid getting caught.
Could automation ever fully replace human judgement in responding to cyber incidents?
No, I don’t think it could. Automation has a huge role to play in accelerating threat detection and surfacing the right information, but human judgement is essential.
Every organisation has a different risk appetite and a different context. What might be a critical issue for a bank or law firm might not be the same for a retailer or manufacturer. Automation supports decision-making, but it can’t replicate the individual understanding of business priorities and risk tolerance that humans bring.
We need our judgement to decide what risks are risks to our businesses. I think what works best is a combination of automation and human judgement. I don’t think one replaces the other.
How can organisations better empower their workforce to be the first line of defence?
It starts with culture. Security has to be everyone’s responsibility, not just the responsibility of a specific team or teams. When employees feel personally invested in protecting the organisation and themselves, the whole posture improves.
Education, supported by the right tools, is vital, but culture drives behaviour. Moving away from an approach where mistakes are punished to one that rewards good security habits is much more powerful. You don’t want a culture of fear; you want a culture of shared responsibility and awareness.
Ultimately, empowering people to protect the organisation also empowers them to protect themselves, both at work and in their personal lives.
Cyber risks don’t stand still. Neither should you. Explore more on the MetaCompliance blog.