Data is the clearest indicator of how expansively digital businesses are growing in terms of volume, velocity, and value. In 2025, global data creation is expected to cross 180 zettabytes. For businesses, this means more insights and better analytics for precision-based decision-making; it also makes for a larger target that malicious actors can potentially exploit.
The rise of GenAI has further exacerbated these threats, giving such actors unprecedented capabilities to fuel their attacks. IBM’s 2024 Cost of a Data Breach Report noted a sharp surge in the average cost of a breach for businesses, up to $4.45 million per breach from less than a million just five years back, signaling that these actors are more dangerous than ever.
Malicious actors are weaponizing the same AI capabilities that enable generational innovation for businesses to automate attacks, bypass detection, and craft personalized exploits with unparalleled efficiency.
Hence, it is important to understand the exact modern risks and threats businesses face and, more importantly, how they can effectively counter these risks without compromising the value proposition of their data assets.
Read on to learn more.
Impact of Data Security Risks on Organizations
Data security risks are no longer simply a technical problem. Because organizational operations have become so interconnected, they are strategic threats that can severely harm an organization’s growth, brand value, and long-term profitability if not addressed promptly and effectively. This is corroborated by the global cost of cybercrime reaching almost $10.5 trillion in 2025, up from $3 trillion in 2015, with 15% annual growth expected going forward.
When an organization’s data is compromised, it leads to significant financial losses due to both operational disruption and reputational damage. At the same time, organizations may face regulatory repercussions if necessary data protection measures are not in place or if an incident response plan is not initiated as required. Furthermore, the damage from a data breach can linger for months or even years after its occurrence, leaving organizations with legal liabilities and a loss of customer trust. In other words, everything that can go wrong for a business will go wrong in the aftermath of a data breach.
The adverse impact of data security risks isn’t limited to external damages; it can have similarly damaging effects on an organization’s governance, compliance, and innovation efforts. Such risks linger because lax or inadequate assessments fail to identify them. They then metastasize while undetected, and only come to the fore once they have become unresolvable issues that cripple operations across the organization.
Major Threats in 2025
1. Shadow AI & Unmonitored LLM Usage
Shadow AI refers to the use of AI tools within an organization that have not been duly approved or put through the necessary oversight procedures. This leads to AI use that is often contrary to company policy and can at times pose significant dangers.
The most immediate risk is the unauthorized use of sensitive data. Far too often, employees input sensitive data into unapproved GenAI models. A recent study found that more than 70% of all ChatGPT, Gemini, and Bard use at work came from non-corporate accounts, meaning proprietary or otherwise sensitive data is fed into these models with little or no protection and no audit trails.
This isn’t an entirely new issue; it has plagued corporations for several years, with organizational culture and especially hybrid work models blurring the lines between sanctioned and unrestricted tools. Samsung is a vivid example, where confidential code was entered into ChatGPT and later exploited by malicious actors.
Such unauthorized usage exacerbates an organization's overall data security and compliance challenges, as modern GenAI data usage has heightened the chances of data misuse.
How to Prevent
The most effective way to address and prevent any shadow AI usage within an organization is to establish and firmly enforce clear policies on AI usage and management. This should include details on all approved AI platforms, relevant credentials for access, and resources on safe AI usage when dealing with sensitive data. Furthermore, organizations may deploy additional technical controls and measures, such as Data Loss Prevention (DLP) filters, that ensure the detection and blocking of sensitive information from being sent to unapproved AI platforms.
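As an added illustration (not code from the original article or from any DLP product), the following Python sketch shows the shape of such a control: it reads constructed proxy log lines, inspects only uploads to hosts treated as GenAI services, and blocks requests carrying sensitive content bound for unapproved platforms while leaving an audit record for the sanctioned one. The host names, log format, allowlist and detector patterns are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hosts treated as GenAI services. These are constructed sample names, not real endpoints.
AI_HOSTS = {"chat.example-ai.com", "gemini.example-ai.com", "ai.internal.example.com"}
# The single platform the hypothetical policy sanctions; any other AI host counts as shadow AI.
APPROVED_AI_HOSTS = {"ai.internal.example.com"}

# Sensitive-content detectors (assumed). Real DLP products ship far larger rule sets; these
# three cover a secret, a payment card number and a document classification marker.
SENSITIVE_PATTERNS = {
    "api_key": re.compile(r"\b(?:sk|AKIA)[A-Za-z0-9_-]{16,}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "classification_marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}

# Assumed proxy log format, constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) host=(?P<host>\S+) body="(?P<body>.*)"$'
)


@dataclass
class Decision:
    user: str
    host: str
    action: str                     # "allow", "audit" (sanctioned platform) or "block" (shadow AI)
    reasons: List[str] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops digit runs (order numbers, IDs) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def sensitive_hits(body: str) -> List[str]:
    """Return the names of the detectors that fire on a request body (at most once each)."""
    hits = []
    for name, pattern in SENSITIVE_PATTERNS.items():
        for m in pattern.finditer(body):
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                continue            # looks like a card number but fails Luhn: not a hit
            hits.append(name)
            break
    return hits


def decide(line: str) -> Optional[Decision]:
    """Classify one proxy log line. Only uploads (POST) to AI hosts are inspected."""
    m = LOG_RE.match(line)
    if not m:
        return None                 # unparseable line: left to the log pipeline's error handling
    e = m.groupdict()
    d = Decision(user=e["user"], host=e["host"], action="allow")
    if e["host"] not in AI_HOSTS or e["method"] != "POST":
        return d
    d.reasons = sensitive_hits(e["body"])
    if d.reasons:
        # Sensitive data sent to the sanctioned platform is allowed but leaves an audit trail;
        # the same data sent to an unapproved platform is blocked.
        d.action = "audit" if e["host"] in APPROVED_AI_HOSTS else "block"
    return d


def scan_logs(lines: List[str]) -> List[Decision]:
    return [d for d in (decide(line) for line in lines) if d is not None]


# Constructed sample traffic: six requests, no real users or data.
SAMPLE_LOG = [
    '2025-03-01T09:00:00Z user=alice method=POST host=chat.example-ai.com body="Summarize this: CONFIDENTIAL Q3 roadmap"',
    '2025-03-01T09:01:00Z user=bob method=POST host=ai.internal.example.com body="Refactor this: sk_live_abcdefghijklmnopqrstuvwxyz"',
    '2025-03-01T09:02:00Z user=carol method=POST host=chat.example-ai.com body="What is a good name for a cat?"',
    '2025-03-01T09:03:00Z user=dave method=POST host=gemini.example-ai.com body="card 4111 1111 1111 1111 declined, why?"',
    '2025-03-01T09:04:00Z user=erin method=POST host=gemini.example-ai.com body="order 1234 5678 9012 3456 status?"',
    '2025-03-01T09:05:00Z user=frank method=GET host=chat.example-ai.com body=""',
]

if __name__ == "__main__":
    for d in scan_logs(SAMPLE_LOG):
        print(f"{d.action:5} user={d.user:5} host={d.host} reasons={d.reasons}")
```

The Luhn check matters in practice: without it, any sixteen-digit order number would trip the card rule, and a control that produces false blocks is the first thing users learn to route around, which is exactly the shadow AI behaviour the policy is trying to remove.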
2. Insider Threats
An organization can have the most up-to-date and comprehensive technical measures in place to thwart external threats and still fall victim to a data breach. In fact, if a data breach does occur, there’s a 60% likelihood that insiders, malicious or accidental, were responsible. Insider security threats originate when an organization’s own employees, contractors, or partners carry out actions that undermine the data protection measures in place. These actions can range from mistakes, such as emailing sensitive information to the wrong address, to deliberate theft of data by a disgruntled employee who had access to it.
In 2025, the average annual cost of insider incidents exceeded $17 million and is likely to keep rising. This figure usually combines extensive investigations, remedial measures, and the regulatory fines organizations face after a data breach.
There is a pattern to why insider threats have become arguably the most critical data security risk for organizations. With data-driven decision-making becoming an increasingly important part of an organization’s overall strategic operations, cloud and SaaS usage of data has spread proportionately. However, the access controls in place to ensure such usage is always per organizational guidelines haven’t kept pace, as legacy controls often lack the dynamic permission management capabilities necessary to facilitate such an increase in usage.
Inadequate access controls allow for both careless behaviour and malicious intent from employees, resulting in significant damages. More concerningly, these issues can persist, sometimes for years, before being identified, resulting in incalculable damage to the organization’s operations.
How to Prevent
Countering insider threats requires a combination of technological, procedural, and cultural changes across the organization. The implementation of a strict role-based access control (RBAC) mechanism that relies on the principle of least privilege (PoLP) must be the initial step, followed by regular access reviews to periodically assess the activities and responsibilities of the individuals with access to such data. This can be done through User and Entity Behaviour Analytics (UEBA), which allows for proactive detection of anomalies in each user’s activity. Lastly, regular security awareness training can help weed out any accidental instances of such threats.
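To make the combination of RBAC, least privilege and UEBA concrete, here is an added Python example (not from the original article or any vendor product). It builds a per-user baseline of daily record volume and resources touched from constructed access events, then flags three things on the following day: access outside the user’s role, first-time access to a permitted resource, and a daily volume far above the baseline. The role model, user list and event records are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Role model (assumed): each role may touch only the resources listed, per least privilege.
ROLE_PERMISSIONS = {
    "analyst": {"sales_db", "sales_archive"},
    "hr": {"hr_db"},
}
USER_ROLES = {"alice": "analyst", "bob": "hr", "carol": "analyst"}

# Access events are (day, user, resource, records_read). All values are constructed.
Event = Tuple[str, str, str, int]


def _days(user: str, resource: str, counts: List[int]) -> List[Event]:
    return [(f"d{i + 1:02d}", user, resource, n) for i, n in enumerate(counts)]


BASELINE_EVENTS: List[Event] = (
    _days("alice", "sales_db", [100, 110, 105, 120, 95, 115, 100, 110, 105, 100])
    + _days("bob", "hr_db", [20, 30, 25, 22, 28, 24, 26, 21, 29, 25])
    + _days("carol", "sales_db", [50, 55, 45, 52, 48, 50, 53, 47, 51, 49])
)

TODAY_EVENTS: List[Event] = [
    ("d11", "alice", "sales_db", 2000),        # bulk read, far above her baseline
    ("d11", "bob", "hr_db", 25),               # normal
    ("d11", "bob", "sales_db", 5),             # outside the hr role: access control failure
    ("d11", "carol", "sales_db", 50),          # normal
    ("d11", "carol", "sales_archive", 3),      # permitted, but never touched before
]


def build_baseline(events: List[Event]) -> Dict[str, dict]:
    """Per-user mean and standard deviation of daily record volume, plus resources seen."""
    per_day: Dict[Tuple[str, str], int] = defaultdict(int)
    seen: Dict[str, set] = defaultdict(set)
    for day, user, resource, n in events:
        per_day[(user, day)] += n
        seen[user].add(resource)
    counts: Dict[str, List[int]] = defaultdict(list)
    for (user, _day), n in per_day.items():
        counts[user].append(n)
    return {u: {"mean": mean(c), "std": pstdev(c), "resources": seen[u]} for u, c in counts.items()}


def detect(events: List[Event], baseline: Dict[str, dict],
           z_threshold: float = 3.0) -> List[Tuple[str, str, str]]:
    """Return (user, alert_kind, detail) for policy violations and behavioural anomalies."""
    alerts = []
    per_day: Dict[Tuple[str, str], int] = defaultdict(int)
    for day, user, resource, n in events:
        role = USER_ROLES.get(user, "")
        allowed = ROLE_PERMISSIONS.get(role, set())
        if resource not in allowed:
            alerts.append((user, "rbac_violation", f"{resource} is outside role {role!r}"))
        elif resource not in baseline.get(user, {}).get("resources", set()):
            alerts.append((user, "new_resource", f"first recorded access to {resource}"))
        per_day[(user, day)] += n
    for (user, day), n in per_day.items():
        b = baseline.get(user)
        if b is None:
            alerts.append((user, "no_baseline", f"{n} records on {day} with no history"))
            continue
        # Floor the deviation at 1 so a perfectly flat baseline cannot divide by zero.
        z = (n - b["mean"]) / max(b["std"], 1.0)
        if z > z_threshold:
            alerts.append((user, "volume_anomaly",
                           f"{n} records on {day} (z={z:.1f}, mean={b['mean']:.0f})"))
    return alerts


def run_sample() -> List[Tuple[str, str, str]]:
    return detect(TODAY_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for user, kind, detail in run_sample():
        print(f"{kind:16} {user:6} {detail}")
```

The RBAC check and the behavioural check are deliberately separate: the first catches a permission that should never have existed, the second catches a permission that exists but is being used in a way the user never has before. Both feed the periodic access review the section calls for, since an alert of either kind is a concrete reason to revisit that user’s entitlements.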
3. Third-Party Data Flows
Organizations rely on an extensively complex network of third-party providers delivering various services, ranging from payment processing to marketing analytics tools and so much more. This network often operates like a well-oiled machine, a machine that relies on the consistent inward and outward flow of data. While this arrangement provides tremendous benefits to all parties involved, it also comes with an array of risks.
This is evident in the fact that almost 35.5% of all corporate security breaches in 2024 were third-party related. In other words, 1 in 3 breaches will inevitably occur because of a lapse in a business partner’s data security protocols. This makes for a troubling statistic for organizations as businesses move towards even more digital integration with third-party APIs, often sharing vital data for various purposes. Multiple stakeholders with access to data expand the attack surface for malicious actors while leaving businesses more exposed than ever before.
From a regulatory perspective, pointing to a vendor’s lapse is no excuse; the organization remains accountable for the data it shared and will face severe repercussions.
How to Prevent
Mitigating the risks from third-party data sharing and exposure requires extensive vendor risk management that enables organizations to have continuous and, if possible, real-time oversight of the status of the shared data assets. Such measures not only enable thorough due diligence and assessments of a vendor’s data security infrastructure before they are onboarded but also allow for specific security requirements to be made part of any future contracts, such as obligations to encrypt any shared data and prompt incident reports in case of a breach. The aforementioned PoLP and RBAC measures can also be included in such contracts if necessary to govern access to data resources on a minute level.
4. Deepfakes
Deepfakes are a curious case. They refer to AI-generated synthetic audio and visual media that can imitate a real person’s appearance or voice. What started as an amusing quirk on the internet has now evolved into a major data security threat owing to its potential use in sophisticated fraud and espionage scenarios. On paper, deepfakes can be used to impersonate senior executives or other personnel in an organization and manipulate their coworkers into divulging sensitive data or transferring monetary sums. These represent a heightened form of insider threats as they rely on the exploitation of human trust, and it works.
In 2024, malicious actors swindled a hefty $25 million when they convinced a senior financial officer within British design and engineering company Arup through deepfake voice notes and videos that the bogus request had come from the company's CFO. There are multiple such instances, which all highlight how easily deepfakes can be used for large-scale data breaches.
Like any typical social engineering attack, deepfakes target employees who would not have any reason to suspect such an attack is taking place. This can be something as straightforward as someone receiving a call from their boss asking for an immediate response. Furthermore, deepfakes need not target an employee at all. In an era plagued with misinformation, a strategically released deepfake can be used to imitate a public service announcement containing malicious instructions or a fake recording of a company CEO being circulated, talking about financial losses that could directly tank the company’s stock prices.
How to Prevent
The best defense against deepfake-related threats remains a combination of technical and social measures. It starts with company-wide employee training on deepfake awareness, where staff are taught to recognize unusual requests and verify them through secondary, trusted channels. This can be reinforced by instituting code phrases or additional verification steps to identify potential deepfake fraud. On the more technical side, organizations must ensure all sensitive communications occur through approved channels and mediums, with employees under strict instructions to avoid discussions via alternative channels.
5. Social Engineering Attacks
Social engineering attacks are nothing new. However, they have become significantly more sophisticated and perilous in 2025 thanks to the surge in GenAI, which has given attackers a litany of precision tools and methods for elaborate scams, including AI-crafted phishing emails, texts, or calls that can be personalized to an individual and delivered via multiple channels in an unprecedentedly coordinated manner. These scams combine the data security threats discussed earlier, which raises their plausibility and lets attackers adapt in real time.
Various factors have contributed to this evolution in social engineering attacks. For instance, hybrid work environments allow remote employees to work from the comfort of their homes. However, if an employee is targeted by such an attack, they cannot simply walk over to a colleague and ask, “Did you send this request?” Instead, they’ll likely have to communicate online, and the colleague might take a while to respond. This gap in communication is what makes modern social engineering attacks so effective, as they leverage urgency. The recent Verizon Data Breach Investigations Report highlighted how the fundamentals of social engineering remain the same, but attackers now leverage the social elements far more effectively.
This has been made possible largely due to the escalation in AI capabilities in the last few years. Attacks combine social elements and AI capabilities to tailor scams based on each individual’s work situation. This is evident in the escalation of phishing campaigns that exploit medical emergencies and return-to-office mandates. Employees’ social media and past communications can be ingested into AI models to create phishing attacks that are not just highly believable but capable of evading detection by traditional spam filters.
Examples of such modernized social engineering attacks include Business Email Compromise (BEC), where attackers pose as executives from an employee’s company, often leveraging deepfake technology. Even the FBI and other federal agencies have had to issue warnings about this particular attack, which has become far more convincing and effective than ever before. Then there are watering hole attacks, where attackers compromise a website by injecting a fake sign-on page, or long-con attacks, where they pose as a customer support rep for weeks before slipping a user malware through a bogus help link.
How to Prevent
Preventing social engineering across the organization requires a defense-in-depth approach that combines processes and people. Regular training and awareness workshops remain the best way to ensure the workforce is both aware of the latest social engineering tactics and equipped to detect such attacks. As for technical safeguards, email security gateways can be set up where AI capabilities flag emails whose sender behavior is anomalous, such as an email sent from an unapproved IP address. Furthermore, phishing-resistant multi-factor authentication (MFA) methods, such as FIDO2 security keys, are designed to withstand social engineering. Access governance protocols can be set up where digital access is both highly curated and verified for each access instance.
6. Inadequate Data Classification
So much has been written over the past few years about data being the “new oil” and its potential to usher in a new industrial era. And yet, so few organizations have the clear understanding of their data necessary to leverage it to its true potential. Inadequate data classification means an organization has a minimal or, at best, distorted view of its data: what data it has, where it is stored, and most importantly, how sensitive it is. Data that is not understood properly cannot be secured properly, as unclassified data cannot be handled per its unique contextual requirements, such as the need for encryption or tokenization.
These inadequacies in data protection as a result of inadequate data classification open up an organization to increased risks of data breaches, regulatory fines, and, consequently, reputational damage. Furthermore, regulatory compliance becomes far more complicated than it needs to be, as nearly all major data privacy and protection regulations, such as the GDPR, CPRA, POPIA, and others, require organizations to know exactly what categories of data they hold and to ensure specific categories are protected properly. In case of a breach, organizations that do not have their data assets properly categorized face the risk of harsher penalties, as it can be demonstrated that they failed to take the appropriate measures required per their regulatory obligations.
Other requirements include retention limits, which can only be honored if an organization categorizes its data to ensure visibility into its obligations with respect to each asset’s unique context.
How to Prevent
This is a fairly straightforward gap to address as it requires organizations to adopt and implement a robust data classification and governance strategy. Such adoption is made easier through external tools that allow for the establishment of data classification policies customized for each organization’s unique needs. Furthermore, such tools allow for data discovery and access governance, where an organization can scan its entire database and infrastructure, categorize each asset accordingly, and then set access permissions as required.
7. Ransomware-as-a-Service (RaaS) Sophistication
Ransomware attacks have long been a security problem for organizations, going back to the very early days of the internet. However, modern leaps in GenAI have seen it mutate into something even more nefarious in the form of ransomware-as-a-service (RaaS). As the name indicates, the RaaS model is the, for lack of a better term, “franchising” of ransomware, as skilled cybercriminals build customized ransomware kits and offer them to those willing to pay for them. While ransomware used to be the work of seasoned cybercriminals, this model means that even more malicious actors can now target businesses with minimal technical know-how but with the financial resources to effectively outsource such attacks.
This is evident in the numbers, as there has been a steep 8% increase in ransomware attacks in one year within North America alone. Growing sophistication of such attacks aside, the RaaS model allows for unprecedented “bounties” to be set on vulnerabilities in newly released patches. The result? For the first time, cybercriminals may truly be set to be “one step ahead” of businesses. Zscaler pointed out this stark possibility in its predictions for 2025, noting how “RaaS groups specialize in different attack stages, allowing for coordinated attacks that are optimized and ensure the targets are far broader than ever before.”
How to Prevent
Regardless of how effective the RaaS model may seem, enterprises must undertake everything within their means to ensure there are no data security vulnerabilities across their infrastructure. Zero-trust network architecture can be extremely effective in limiting how vulnerable systems are to a ransomware attack. If such an attack does occur, zero trust limits its spread significantly by verifying every access request, restricting the ransomware’s lateral movement. Furthermore, companies must invest significantly in endpoint detection and response (EDR) as well as extended detection and response (XDR) mechanisms that leverage behavioral analytics to detect, identify, and prevent ransomware attempts. On the access side, MFA and robust email security hygiene across all remote access points, along with encryption of all data-at-rest assets using lattice-based encryption protocols, mitigate the ransomware threats borne out of compromised credentials.
8. Cloud & Multi-cloud Environments Misconfigurations
Organizations are aggressively pursuing cloud migration, and most wish to operate in a multi-cloud environment that relies on a combination of AWS, Azure, GCP, and more. In such a setting, misconfigurations have become one of the leading causes of data breaches. These are settings where cloud resources are exposed or unintentionally left less secure than intended: storage buckets left open, databases without passwords, or overly permissive network rules.
A multi-cloud architecture further complicates these issues, as each platform has its own security model and dozens of integrated services, opening up more opportunities for misconfiguration. Because cloud adoption procedures and policies are nearly universal, attackers are able to hunt specifically for misconfigured assets. In 2024 alone, more than 30% of all cloud security incidents were attributed to misconfigurations, making it by far the leading cause of cloud breaches.
How to Prevent
The most effective way to prevent cloud and multi-cloud misconfigurations is the comprehensive adoption of cloud security posture management (CSPM) tools that automatically scan cloud environments for known bad configurations and flag any deviations from best practices. Additionally, organizations may leverage Infrastructure as Code (IaC), where cloud setups are codified and put through code reviews and automated checks before deployment.
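As an added example (not the article’s own code and not from any CSPM product), the Python below applies a handful of posture rules to a constructed, provider-neutral inventory covering the three misconfigurations this section names: an open storage bucket, a database without authentication, and overly permissive network rules. The inventory format and the severity labels are assumptions made for the example; a real CSPM tool normalises each provider’s API output into a similar shape before evaluating rules like these, and the same rules can run against IaC definitions before deployment.

```python
import json
from ipaddress import ip_network
from typing import Dict, List

# Constructed inventory in an assumed provider-neutral shape. No real accounts or resources.
INVENTORY_JSON = """
{
  "resources": [
    {"type": "bucket", "name": "logs-prod", "public_access": true, "encryption": true},
    {"type": "bucket", "name": "backups", "public_access": false, "encryption": false},
    {"type": "database", "name": "customer-db", "auth_required": false, "publicly_accessible": true},
    {"type": "database", "name": "analytics", "auth_required": true, "publicly_accessible": false},
    {"type": "firewall", "name": "web-sg", "ingress": [
        {"cidr": "0.0.0.0/0", "port": 443},
        {"cidr": "0.0.0.0/0", "port": 22},
        {"cidr": "::/0", "port": "*"}
    ]},
    {"type": "firewall", "name": "internal-sg", "ingress": [
        {"cidr": "10.0.0.0/8", "port": "*"}
    ]}
  ]
}
"""

ADMIN_PORTS = {22, 3389}   # SSH and RDP: remote administration ports


def _finding(resource: dict, severity: str, issue: str) -> Dict[str, str]:
    return {"resource": f"{resource['type']}/{resource['name']}", "severity": severity, "issue": issue}


def check_bucket(r: dict) -> List[Dict[str, str]]:
    out = []
    if r.get("public_access"):
        out.append(_finding(r, "HIGH", "storage bucket is publicly readable"))
    if not r.get("encryption"):
        out.append(_finding(r, "MEDIUM", "encryption at rest is disabled"))
    return out


def check_database(r: dict) -> List[Dict[str, str]]:
    out = []
    if not r.get("auth_required"):
        out.append(_finding(r, "CRITICAL", "database accepts connections without authentication"))
    if r.get("publicly_accessible"):
        out.append(_finding(r, "HIGH", "database endpoint is reachable from the internet"))
    return out


def check_firewall(r: dict) -> List[Dict[str, str]]:
    out = []
    for rule in r.get("ingress", []):
        if ip_network(rule["cidr"]).prefixlen != 0:
            continue                                  # not open to the whole internet
        port = rule.get("port", "*")
        if port == "*":
            out.append(_finding(r, "CRITICAL", "all ports open to 0.0.0.0/0 or ::/0"))
        elif port in ADMIN_PORTS:
            out.append(_finding(r, "HIGH", f"administrative port {port} open to the internet"))
        # Other single ports (80, 443) open to the world are accepted here for public services.
    return out


CHECKS = {"bucket": check_bucket, "database": check_database, "firewall": check_firewall}


def scan(inventory: dict) -> List[Dict[str, str]]:
    """Run every applicable rule over every resource and collect the findings."""
    findings = []
    for resource in inventory["resources"]:
        check = CHECKS.get(resource["type"])
        if check is not None:
            findings.extend(check(resource))
    return findings


def scan_json(text: str) -> List[Dict[str, str]]:
    return scan(json.loads(text))


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity, the number a posture dashboard would track over time."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_json(INVENTORY_JSON)
    for f in results:
        print(f"{f['severity']:8} {f['resource']:22} {f['issue']}")
    print(summarize(results))
```

Note that the firewall rule is checked on prefix length rather than on the literal string "0.0.0.0/0", so an IPv6 `::/0` rule is caught the same way; missing the IPv6 side is a common gap in hand-written posture checks.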
9. Supply Chain Attacks
Supply chain attacks can be a particularly troublesome threat for businesses as they directly threaten the data resources by introducing backdoors or malicious code into trusted software and services, thereby calling all third-party vendor services into doubt. In a typical supply chain attack, the attackers specifically target the relationship between organizations by compromising an essential third-party service and then using it to infiltrate customer networks. Per a Gartner report, 45% of organizations worldwide experienced supply chain attacks in 2024, up almost threefold from 2021. These include several high-profile cases, such as SolarWinds, where a software update affected thousands of their clients, including government agencies.
Attackers have become creative in their supply chain attacks, using tactics such as dependency confusion and typosquatting, where developers are tricked into downloading a malicious package instead of a legitimate one.
How to Prevent
Eliminating supply chain attacks can be a daunting task, verging on the impossible, since it involves potential vulnerabilities in external vendors’ systems that are not always within the organization’s control. However, there are ways to mitigate the risk, such as deploying a zero-trust architecture. Additionally, organizations can take process-related measures such as demanding a Software Bill of Materials (SBoM) from vendors every time a new update or feature is deployed. The code itself can be secured via techniques such as reproducible builds, which make any tampering detectable, together with code signing and signature validation.
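The SBoM check described above, as an added Python example (not the article’s or any vendor’s code): a trusted build produces a minimal SBoM of component names, versions and SHA-256 hashes, and a delivered update is verified against it, surfacing tampered bytes, an undeclared version change, and a component that appears in the delivery but not in the SBoM. The same hash comparison is what a reproducible-build check performs between two independently produced builds. The component names, artifact bytes and SBoM shape are constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

ArtifactKey = Tuple[str, str]       # (component name, version)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed outputs of the vendor's trusted build pipeline (assumption for the example).
TRUSTED_BUILD: Dict[ArtifactKey, bytes] = {
    ("libparse", "1.4.2"): b"libparse-1.4.2 official build bytes",
    ("netcore", "3.0.1"): b"netcore-3.0.1 official build bytes",
    ("authkit", "0.9.7"): b"authkit-0.9.7 official build bytes",
}

# What actually arrived with the update (constructed): one artifact modified in transit,
# one silently bumped to a version the SBoM never mentioned, and one undeclared extra.
RECEIVED: Dict[ArtifactKey, bytes] = {
    ("libparse", "1.4.2"): b"libparse-1.4.2 official build bytes",
    ("netcore", "3.0.1"): b"netcore-3.0.1 official build bytes-modified",
    ("authkit", "1.0.0"): b"authkit-1.0.0 build bytes",
    ("telemetry-helper", "0.1.0"): b"never declared anywhere",
}


def make_sbom(build: Dict[ArtifactKey, bytes]) -> dict:
    """Minimal SBoM: one record per component with name, version and content hash."""
    return {"components": [{"name": n, "version": v, "sha256": sha256_hex(b)}
                           for (n, v), b in build.items()]}


def verify_delivery(sbom: dict, received: Dict[ArtifactKey, bytes]) -> List[Tuple[str, str, str]]:
    """Compare a delivery against the SBoM; return (component, issue_kind, detail) per problem."""
    expected = {(c["name"], c["version"]): c["sha256"] for c in sbom["components"]}
    declared_version = {name: version for (name, version) in expected}
    delivered_names = {name for (name, _v) in received}
    issues = []
    for (name, version), data in received.items():
        if (name, version) in expected:
            if sha256_hex(data) != expected[(name, version)]:
                issues.append((name, "hash_mismatch", "artifact bytes differ from the SBoM record"))
        elif name in declared_version:
            issues.append((name, "version_drift",
                           f"SBoM declares {declared_version[name]}, delivery contains {version}"))
        else:
            issues.append((name, "unknown_component", "not declared in the SBoM"))
    for name, version in expected:
        if name not in delivered_names:
            issues.append((name, "missing_component", f"{version} declared but not delivered"))
    return issues


def run_sample() -> List[Tuple[str, str, str]]:
    return verify_delivery(make_sbom(TRUSTED_BUILD), RECEIVED)


if __name__ == "__main__":
    for component, kind, detail in run_sample():
        print(f"{kind:18} {component:18} {detail}")
```

A clean run returns an empty list, which is the only state in which the update should be promoted; the hash on each SBoM record is what code signing protects in transit, so the signature over the SBoM must itself be validated before these comparisons mean anything.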
10. Inadequate Encryption Methodology
Encryption remains one of the fundamental data security mechanisms. However, if encryption practices are inadequate in the face of a business's threats, it can lead to nothing short of disaster. Moreover, this may be one of the more immediate threats to an organization’s data security, as it doesn’t involve a particular form of attack but rather the risk that an organization’s encryption strategy is insufficient.
This can be due to the use of outdated algorithms, poor key management, or not encrypting data in all the needed states (in transit, at rest, and in use). Furthermore, cyberattacks are becoming increasingly more sophisticated, with AI compounding both the attackers’ capabilities and volumes of attacks. Organizations that do not update their encryption methodology in response to such developments will always be at risk.
However, strong encryption isn’t enough of a countermeasure. Even the strongest protocols can be undermined owing to flawed implementation. The 2019 Capital One breach is the most apt example of this, where attackers still accessed encrypted data through a misconfigured identity role. In other words, the technical measures were there, but they were implemented in a manner that defeated their purpose.
How to Prevent
The best preventative measure in this case is elevating encryption practices, ideally to the best protocols available, while also being future-proof. While AES-256 has become the modern standard, some businesses that handle highly sensitive data may wish to opt for lattice-based cryptography, elliptic curves, or Diffie–Hellman, depending on their needs. Regular audits that assess and review the encryption algorithms and protocols in use are also necessary to ensure any outdated or weak protocols are replaced as soon as possible.