Cybersecurity Today: Episode 2025 - A Look Forward, Weekend Edition (January 11, 2025)
Host: Jim Love
Guests:
- Laura Payne – White Tuque
- Dana Proctor – IBM
- David Shipley – Beauceron Security (Culture Critic)
Introduction
In this forward-looking episode of Cybersecurity Today, host Jim Love engages with a panel of cybersecurity experts—Laura Payne, Dana Proctor, and David Shipley—to discuss emerging threats, trends, and strategies poised to shape the cybersecurity landscape in 2025. Straying from the typical monthly review, the episode delves into anticipated events and themes that could significantly impact businesses and institutions.
Major Themes and Discussions
1. Targeting SaaS Providers and Data Breaches
David Shipley initiates the conversation by highlighting a recent cybersecurity incident involving PowerSchool, a prominent SaaS provider for educational institutions across North America. The breach affected major school districts, including those in Toronto, Newfoundland, and Alberta, mirroring the 2024 attack on CDK Global in the automotive sector.
"[00:50] David Shipley: ...SaaS providers being hit, particularly those that are prominent large market concentration in markets where they can hurt and they know that payment's gonna come."
Key Points:
- Market Concentration as a Target: Cybercriminals focus on industry leaders to maximize impact and profit.
- Rapid Incident Response: PowerSchool’s swift acknowledgment and communication on January 7th demonstrated commendable transparency.
- Credential Compromise: Similar to past incidents (e.g., Change Healthcare), stolen credentials via technical tools like MFA (Multi-Factor Authentication) may have facilitated unauthorized data access.
- SaaS Vulnerability: High market concentration in SaaS platforms makes them lucrative targets for large-scale data extraction attacks.
Jim Love underscores the vulnerability of public institutions like schools and healthcare facilities, emphasizing the disproportionate impact on organizations with limited resources.
"[04:11] Jim Love: ...people go after public type institutions or not for profits and hitting the weakest of now you said they..."
2. The Paradox of Trust in Technology
The panel discusses the overreliance on security tools and the misconception that robust firewalls or antivirus software alone can protect against sophisticated cyber threats.
David Shipley reveals alarming statistics from their research:
"[28:42] David Shipley: ...140% higher click rate average for those who strongly agree that security tools completely protect them..."
Key Points:
- Overconfidence in Security Tools: Belief in the invincibility of security measures leads to risky behaviors, such as disregarding phishing attempts.
- Generational Factors: Younger generations, accustomed to rapid technological advancements, may exhibit a misplaced trust in automated security solutions.
- AI’s Role: While AI enhances security capabilities, it also introduces new vulnerabilities, especially with prompt engineering and deepfake technologies.
Dana Proctor adds that the increasing attack surface of larger organizations, combined with uniformity or diversity in their systems, complicates effective security measures.
"[07:05] Dana Proctor: ... the bigger you are, the more attack surface there is..."
3. Combating Apathy in Cybersecurity Investments
Laura Payne expresses concern over organizational apathy towards cybersecurity, where repeated breaches foster a sense of inevitability, leading to complacency.
"[25:02] Laura Payne: ...die a quick death before catastrophic activities actually happen..."
Key Points:
- Regulatory Gaps: Absence of stringent regulations like Bill C-26 or C-27 leaves organizations unmotivated to invest proactively in cybersecurity.
- Economic Impact: Data breaches impose hidden costs that contribute to inflation and act as a de facto tax on businesses.
- Critical Infrastructure Risks: Sectors like energy, water, and healthcare face escalating threats, with AI-driven attacks increasing in frequency and sophistication.
Jim Love emphasizes the need for shifting organizational culture to prioritize cybersecurity investments before facing catastrophic incidents.
4. The Rise of AI in Cybersecurity and Beyond
The conversation shifts to the burgeoning role of AI within organizations, both as a tool and as a potential security threat.
David Shipley warns about the blind trust in AI systems and the challenges of ensuring their reliability.
"[27:54] David Shipley: ...we are wired as humans to trust a computer more than we trust another human being."
Key Points:
- AI as Employees: The integration of AI agents into workplaces introduces new vectors for cyber threats, such as AI-specific phishing attacks and prompt injections.
- Deepfakes and Verification: AI’s capability to generate realistic deepfakes complicates the verification of information, posing legal and security challenges.
- Trust in Technology: The innate trust placed in AI systems can lead to complacency, undermining traditional security protocols.
Laura Payne highlights the need for continuous oversight and verification of AI outputs to prevent misinformation and security breaches.
"[33:17] Laura Payne: ...prompt engineering attacks... ensuring that the intention of your models is maintained."
5. Quantum Computing and Post-Quantum Cryptography
Laura Payne touches upon the imminent advancements in quantum computing and the necessity for quantum-safe cryptographic practices.
"[39:08] Laura Payne: ...Quantum will be the new kid in town."
Key Points:
- Quantum Threats: Quantum computing poses significant risks to current encryption standards, necessitating the adoption of post-quantum cryptography.
- AI and Quantum Synergy: The combination of AI and quantum computing could exponentially increase the ability to crack encryption, intensifying the cybersecurity arms race.
- Regulatory Preparedness: Organizations must prioritize crypto agility and quantum-safe practices to safeguard against future threats.
Jim Love notes that some companies are already utilizing quantum principles to enhance their cybersecurity defenses ahead of widespread quantum computing adoption.
"[41:19] Jim Love: ...Canadian companies are using quantum principles to crack encryption for major firms now."
Concluding Insights and Resolutions
As the episode wraps up, panelists share their personal resolutions to combat the evolving cybersecurity challenges:
- Laura Payne commits to fostering better interpersonal understanding within her team, ensuring that technological advancements do not overshadow human-centric values.
- Dana Proctor aims to increase in-person interactions and reduce dependency on remote collaborations to enhance team cohesion and security effectiveness.
- David Shipley dedicates time to disconnect from technology and engage with human-centric activities, emphasizing the importance of balancing technological reliance with human insight.
"[45:18] Dana Proctor: ...organize things so that they're more in person, focused and behaving like humans did before quarantine."
Notable Quotes
- David Shipley [00:50]: "SaaS providers being hit, particularly those that are prominent large market concentration in markets where they can hurt and they know that payment's gonna come."
- Dana Proctor [07:05]: "The bigger you are, the more attack surface there is, right? And the more people there are paying attention to you."
- Laura Payne [25:02]: "I hope that it's not something catastrophic to have our organizations saying hold back on innovation..."
- David Shipley [27:54]: "We are wired as humans to trust a computer more than we trust another human being."
- Jim Love [41:19]: "We're actually using quantum principles to crack encryption for major firms right now."
Final Thoughts
Episode 2025 of Cybersecurity Today provides a comprehensive outlook on the pressing cybersecurity issues anticipated in the upcoming year. From the targeting of high-impact SaaS providers and the overreliance on automated security tools to the transformative and potentially disruptive roles of AI and quantum computing, the panel underscores the necessity for proactive strategies, regulatory frameworks, and a balanced approach between technology and human factors. As organizations brace for these evolving threats, fostering a culture of vigilance, continuous learning, and adaptive security measures will be paramount in safeguarding against the complex cyber landscape of 2025.
For further insights and detailed discussions, listeners are encouraged to tune into the episode and engage with the panelists’ expert perspectives.
