Cybersecurity Today – Year-End Review: The Highs and Lows of Cybersecurity in 2025
Podcast: Cybersecurity Today
Host: Jim Love
Guests: Tammy Harper (Flair), Laura Payne (White Toque), David Shipley (Beauceron Security), John Pinard (IT Operations & Cybersecurity, Credit Union / Project Synapse)
Date: December 20, 2025
Episode theme: Reflecting on the major cybersecurity threats, resilience, emerging trends, and lessons learned throughout 2025.
Episode Overview
This year-end special gathers a panel of cybersecurity leaders to dissect the significant events, trends, and lessons from 2025. The conversation covers ransomware’s evolving tactics, the effectiveness (and limitations) of technical defenses like MFA, the growing influence of AI on both attack and defense, law enforcement successes, and a candid look at the human and ethical dimensions of cybersecurity.
The show’s central question: Was 2025 a story of hope, or of hopelessness? The panel weighs major breaches, new attack techniques, industry wins, the challenge and promise of AI, and what defenders need to keep doing as the threat landscape evolves.
Key Discussion Points & Insights
1. 2025’s Threat Landscape: More Intense, More Sophisticated
- Ransomware Evolves: High-profile attacks like the Clop group’s campaigns against Oracle EBS and FTP servers highlighted a shift toward exfiltration/extortion rather than just encryption. (05:49–08:43)
- Rise in Payment Amounts: While ransom payments are less frequent, they’re increasing in size—with important variations by data type and sector. (08:43–11:24)
- Session Hijacking & MFA Bypass: Attacks stealing session cookies, advanced phishing, and bypassing MFA were seen as both alarming and increasingly common. Apple and Azure environments were specifically mentioned as recent targets. (00:49–03:27, 18:49–21:22)
Notable Quote:
“It just feels like the dumpster fire is extra warm this year, particularly as we end the year with Clop back like Eminem, the real Slim Shady of mass organization breaches.”
— David Shipley (03:27)
2. Ransomware: To Pay or Not to Pay?
- Payment Rates: One Canadian survey found 74% of ransomware victims paid—a stat met with skepticism and discussion about the skewed data (self-selection bias, underreporting). (07:58–12:02)
- Erosion of Trust: Even when ransom is paid, data often still appears on the black market, and organizations no longer believe criminals’ promises that stolen data will be deleted. (08:43–13:03)
- Changing Techniques: More attacks now extort based upon the potential reputational or regulatory harm of breach exposure.
Notable Quote:
“We did everything we could, we paid off the threat actors and they pinky swore they deleted the data. Please stop doing that … Do not give any credit in a lawsuit because they paid. If anything, be like, no, that was dumb, don’t do that.”
— David Shipley (13:11)
3. Signs of Hope: Law Enforcement & Collaboration
- Disruption of Fraud Schemes: Notable law enforcement wins include arrests of ransomware affiliates, infrastructure takedowns, and specifically Canada’s Operation Maple Disruption, which brought together private banks and public agencies to disrupt large-scale fraud. (13:11–17:06)
- Fighting Back: Increased awareness, major banks taking action, and international collaboration led to some disruption of criminal “scam compounds” in Southeast Asia.
Notable Quote:
“We are seeing … not necessarily the core gangs taken down, but we’re seeing infrastructure disrupted, affiliates arrested. We’re seeing really good disruption efforts.”
— David Shipley (13:11)
4. The Human Element & The Limitations of Tech
- MFA Critique: The panel warns against undermining trust in MFA due to new bypass methods—emphasizing layered security, not silver bullets. MFA stops many attacks, but session hijacking and social engineering still work. (18:49–21:45)
- Awareness Training: Despite claims it’s ineffective, training remains vital. Phishing campaigns are more realistic than ever, exploiting people’s busy routines and the enduring “weakest link” in security: humans. (22:30–26:32)
Notable Quotes:
“No single technology is the perfect protection. You still need layers and you still need to take responsibility as the human in the chair.”
— Laura Payne (18:49)
“Just because [training is] not the be-all and end-all doesn’t mean you get rid of it … It’s right up there with disaster recovery tests. You hate to do them, but you still gotta do them.”
— John Pinard (26:32)
5. AI: The Double-Edged Sword
- Attackers Adopting AI: AI is lowering the technical bar for entry, letting less-sophisticated criminals launch more advanced attacks and set up criminal infrastructure. However, overreliance means more operational mistakes on their side. (34:39–38:41)
- Social Engineering Gains: AI is especially successful at automating phishing and obfuscating criminal identity during negotiations, defeating style analysis, and outpacing defensive capabilities.
- Defense & Hope: AI also helps defenders—but the arms race is evident. Law enforcement and security firms need to learn and innovate as quickly as attackers.
- Agentic AI Dangers: Solutions like agentic AI (AIs that can act with fewer guardrails) introduce new risks, especially when deployed without proper testing and oversight. (29:55–33:48)
- Industry Critique: Companies like OpenAI and Microsoft are criticized for prioritizing speed and market share over defender tooling, with the competitive AI race likened to “I was just following orders”—abdicating responsibility for security. (41:17–44:06)
Notable Quotes:
“It lowers the bar to expertise. … It allows lower skilled threat actors to hop into what was previously a level or two above them. But again, they don’t have the experience … They’re making more mistakes, they’re getting caught, fumbling a lot more.”
— Tammy Harper (34:54)
“[Agentic AI] is unvetted, it’s unprotected, and that’s a huge problem. Now … the reaction to that cannot be ban AI. It will not work … you will just get shadow AI.”
— Jim Love (29:55)
6. Culture, Agency, and Compassion: Where to Focus in 2026
- Agency & Societal Responsibility: The future of tech isn’t “settled”—security leaders and society can (and must) reclaim agency in shaping AI’s trajectory, refusing fatalism or tech determinism. (46:22–48:06)
- Community & Human Connection: Tammy Harper (50:29) warns that layoffs in the tech sector could drive talented defenders to crime out of necessity, and stresses the importance of nurturing human-to-human networks and support.
- Compassion in Security: The panel closes by urging defenders not to lose sight of empathy—for both colleagues and users. Curiosity, skepticism, and compassion—not just blame—are vital. (51:36–52:54)
Notable Quotes:
“What I want to do next year is … focus on my friends and family and looking at how I can build out my human-to-human, person-to-person community better. That’s going to be the ultimate network you’ll have to rely on.”
— Tammy Harper (49:09)
“Kindness is the new punk rock. … In an age when selfishness, when me-first is dominant … a little more compassion, a little bit of that e-word—empathy—in our industry. How amazing is that?”
— David Shipley (52:54)
Major Timestamps for Key Themes and Quotes
- Opening remarks, state of the landscape – 00:49–03:27
- Clop/Oracle ransomware evolution – 05:49–08:43
- Ransomware payments and doubts – 07:58–13:03
- Law enforcement, Operation Maple Disruption – 13:11–17:06
- Human cost of Southeast Asia scam compounds – 16:11–17:39
- The MFA debate and importance of layered security – 18:49–21:45
- Phishing resilience: humans as the last line – 22:30–26:32
- AI’s exploitation for cybercrime, OPSEC mistakes – 34:54–38:41
- Industry’s failure to get ahead of AI’s risks – 41:17–44:06
- Panel’s hopes & fears for 2026 – 40:06–50:29
- Compassion & kindness in cybersecurity – 51:36–52:54
Panel’s Closing Reflections for 2026
- Jim Love (host): Encourage safe AI experimentation on non-production systems and emphasize productivity through smart, secure innovation. (45:34)
- David Shipley: “The future is not written. … You have lots of agency in 2026.” Calls for everyone to stay informed and assert their voice in technology’s evolution. (46:22–48:06)
- John Pinard: Advocate for thoughtful AI adoption, ramping up security measures, and immersive, consequences-based security training. (48:06)
- Tammy Harper: Warns about workforce changes pushing laid-off defenders into crime, calls for building strong personal networks. (49:09–50:29)
- Laura Payne: Hopeful that the AI “bubble will burst … and rationality will prevail,” with better public education and critical thinking. (44:24–45:13, 50:35)
Panel’s parting wisdom:
- Kindness and curiosity, not fear and fatalism, should guide the cyber community into 2026.
Memorable Soundbites
- “[Clop is] back like Eminem, the real Slim Shady of mass organization breaches.”
— David Shipley (03:27)
- “No single technology is the perfect protection … you still need layers and you still need to take responsibility as the human in the chair.”
— Laura Payne (18:49)
- “Do not surrender your agency in 2026 to the tech bro saying, there's nothing you can do. Garbage! … The future is not written. There is no fate but what we make.”
— David Shipley (46:22)
- “Kindness is the new punk rock.”
— David Shipley (52:54)
- “What I want to do is … build out my human-to-human, person-to-person community. … That’s going to be the ultimate network you’ll have to rely on.”
— Tammy Harper (49:09)
Summary Verdict
2025 saw both immense new risks and sparks of resilience. The year’s biggest lesson: the only losing move is fatalism. Layer defense, leverage curiosity and compassion, keep people at the center, and refuse to cede the future of technology—and connectivity—to either criminals or reckless innovation. The panel urges the cyber community to carry hope, assert agency, and build connection into 2026.
