Cybersecurity Resilience and Culture Matters to Face the Growing Frequency and Sophistication of Cybercrime



Dr. Martin J. Kraemer discusses learnings from the World Economic Forum Cybersecurity Outlook 2025 report

Last year, the British multinational corporation Arup lost about 20 million pounds after falling victim to a deepfake scam.

A finance worker in their Hong Kong office carried out 15 transactions to seven different bank accounts after joining an online meeting, during which urgent financial requirements were discussed among senior leadership.

The incident, which was a wake-up call for many other organizations, showed how old scams fueled by new technology, namely AI and deepfakes, are now being used successfully by cybercriminals.

The incident is an example of the growing complexity of cybercrime with new technologies increasing the frequency and sophistication of cyberattacks. The World Economic Forum (WEF) Cybersecurity Outlook 2025 names ransomware, AI-enhanced social engineering, and supply chain attacks as the top three attack types.

These three attack types will not surprise anyone working in cybersecurity; they have been prominent members of this list for years. According to the report, organizations acknowledge the related risk: 71% of risk leaders expect severe disruptions due to cyber risks and criminal activity, and 72% of organizations report a rise in cyber risk in 2024. These types of attacks frame CISOs' key challenges:

The rise of generative AI has lowered the cost of well-crafted phishing and fraud campaigns, as we can observe in more personalized attempts that often span multiple channels and formats. The same trend also manifests itself in the democratization of cybercrime as cybercrime-as-a-service platforms become more common. AI-enabled phishing and deepfakes are now available as service offerings on the dark web, so attackers require less knowledge and skill to execute their attacks. More frequent attacks from lesser-skilled adversaries are the consequence.

Cybercriminals are also increasing in number, with cybercrime and organized crime converging. The WEF report mentions forced work in online scam farms in Southeast Asia, indicative of new cybercriminal profiles. The operational efficiency and scale of traditional crime operations will bring new qualities to cybercrime and, if nothing else, continue the sharp increase in the number of attacks.

For example, according to an Accenture study, the number of personalized deepfake attacks increased by 223% between Q1 2023 and Q1 2024. 66% of cybersecurity professionals consider AI and machine learning the most significant risk for cybersecurity in 2025, while 63% admit to not assessing AI tools before deployment. Risks emerge both from external threats and from the internal application of the technology. AI truly is a catalyst for cybercrime.

Increasing cybersecurity resilience is more important than ever before.

As defenders, we prepare to prevent, withstand, detect, and recover from this onslaught of attacks. We no longer believe that we can protect our organization fully and entirely from incidents, but we focus on sustaining business while managing cybersecurity risk carefully.

Good training and thinking can lead to the right action at the right point in time. But, when cybercriminals use new technology to run old scams, people might fail to take the right action, like in the Hong Kong example mentioned above. Under different circumstances, people take the right action, as illustrated by an incident at Ferrari which also occurred last year.

At the luxury car manufacturer, a senior manager asked the right question at the right time, exposing the scam caller's story as fraud. The scammer pretended to be the CEO of the company but was not able to recall which book the CEO had recommended to the person he was calling during a conversation that had taken place a few days before the scam call. The senior manager at Ferrari ended the phone call immediately.

Raising awareness of cybercrime and training people to make good security decisions is the traditional focus of many security programs. One common tactic advocated in these programs is asking a personal question to verify someone’s identity.

However, we also know that training is often ineffective and does not necessarily lead to more secure behavior. Gartner found that employees deliberately bypass cybersecurity policy and sometimes act deliberately insecurely to achieve their goals. Training programs must provide effective behavioral interventions in order to increase the resilience and security posture of an organization.

Reflecting on the deepfake incident at his organization, Rob Greig, Global Chief Information Officer at Arup, shares the following thoughts on how to secure organizations.

“It’s about having visibility about what is going on in your organization, and I mean that from a kind of technology and cyber and data perspective. Who has access to what and when? What data is moving around the organization? Who is trusted, and what is not trusted? And what sort of erroneous activity is happening within the organization? And being able to detect that, allows you to respond to that.” 

We must note that Rob Greig has not come forward and said, “We must train our workforce”. No. He has come forward describing a holistic approach: the ability to effectively prevent, detect, withstand, and recover from cybersecurity threats. To achieve this, all employees must be motivated to contribute by behaving securely and making good security decisions, including reporting security mistakes, incidents, and risks.

Empower your workforce: access to opportunity, the availability of support, and the experience of recognition characterize good cyber resilience in organizations.

Environments that promote and facilitate secure behavior to increase resilience typically show several distinctive features, as the WEF Global Cybersecurity Outlook 2025 shows. Organizations that exceed their cyber resilience requirements have dedicated support teams to assist employees with reporting and addressing cybersecurity concerns.

They are also more likely to have anonymous reporting channels, use non-punitive policies, leverage reward and recognition programs, and include security incident reporting as a positive metric in employee performance evaluations.

Cyber resilient organizations proactively foster positive security behavior. Informed by the right understanding and the right set of values, dedicated security programs can make a difference. For example, incident reporting as a positive individual metric and the use of a non-punitive policy lowers the threshold of proactive secure behavior for many employees. Employees no longer fear getting something wrong and being punished for it. Recognition and report programs are a great way to reinforce desired behavior. Programs that work with human nature rather than against it will succeed.

Creating the right environment is crucial in facilitating secure behavior as no behavior exists in isolation. Behavioral science and psychology tell us that behavior is always the product of knowledge, ability, motivation, and the right trigger. We also know that motivation is heavily influenced by our social groups and peers as much as the context, professional or otherwise, in which it occurs.

Acting in an environment of mutual support, where people actively share cybersecurity information and consult each other on security decisions, is more likely to be secure than not. For example, employees in organizations with a poor security culture were 52 times more likely to share their login credentials as part of a simulated phishing campaign. A good security culture facilitates more secure behavior. Behavior determines outcomes and reduces risk.

Maintaining a healthy cybersecurity culture increases organizational resilience toward cybersecurity attacks.  

Organizations face a new quality of cybercrime as criminals use new tools to run old scams, and AI acts as a catalyst. Organizational preparedness depends on adaptability, willingness to learn, and participation of the entire workforce. Business and IT leaders know that change management to maintain a positive organizational and cybersecurity culture is essential for the process, as a negative culture undermines strategy easily. 

This challenge is inherent to human risk management because effectively reducing risk that is linked to human behavior requires a holistic approach. People can only be as secure as the tools they have been given and the environment in which they operate allow them to be.

Any intervention to manage cyber risk that leverages people, processes, and technology measures must be accompanied by change management to maintain and improve security culture. For example, requiring employees to report security incidents should be linked to a positive reward for reporting incidents, as the WEF report suggests. This way the required change is perceived as positive, and compliance therefore becomes more likely.

Increasing resilience is the most effective way to manage human risk. Improving security culture to foster resilience becomes mandatory.
