As the festive season and the new year is upon us, this time of year also heralds a significant surge in cyber threats. With a staggering 40% increase in cyber-attacks, organisations and individuals alike face heightened risks in the digital landscape.
blue goose Lead Cyber Consultant, Alison Jiggins, sat down with the Offensive and Defensive Cyber Leads from the security advisory firm, G3, to discuss the impact of the festive season and what is anticipated in 2025.
The G3 Offensive Cyber team explained: “Many threats originate from locations where December holidays are not celebrated the same way. This means while resources may be stretched in targeted organisations, common threat actors are likely to be at full capacity and well positioned to exploit any seasonal gaps in security defence, detection and response.”
With UK consumers expected to spend £28.6 billion on Christmas gifts this year, a significant increase in social engineering tactics is expected. As cyber security professionals, we know we’ll see the usual phishing scams that feature festive themes, fake shipping notifications, and irresistible offers designed to entice consumers.
Additionally, this year, the rise of generative AI will make it easier and faster for cyber criminals to execute these attacks against organisations and their suppliers, raising the risk of supply chain compromises. To help mitigate these threats, it is essential to enhance cyber awareness training focused on holiday scams and encourage scepticism toward unsolicited offers.
Educating employees about AI led cyber threats
Businesses can start by reviewing and strengthening security measures and making sure employees are aware and informed about common cyber risks at work and at home. CISOs should conduct pre-holiday security assessments to confirm that all defences are effective.
A key focus this year should be on educating staff about the use of AI in social engineering attacks. Bust common myths and misconceptions that can lead to false senses of security such as: “being able to identify common errors or features of AI imagery and content, which as indicators are becoming less reliable as the technology matures.” G3 Offensive Cyber advises.
Cyber Security awareness in 2025
As we approach the new year, security professionals are beginning to plan their employee education strategies. I’ve been closely monitoring the progress of the UK Government’s Cyber Security and Resilience Bill, which emphasises the importance of regular cyber security training for employees. This legislation, if passed, will underscore the need for a well-prepared workforce capable of addressing evolving cyber threats. In addition to the government’s initiatives, G3 are anticipating several key emerging areas to shape the focus of employee education efforts in the year ahead. These include:
- Collaborative working: Cyber-criminal and other threat actors are likely to increase collaboration, combining resources pulling for complex and resource-intensive attacks.
blue goose recommendation: Foster a positive ‘suspect it, report it’ culture within your organisation. Encourage employees to report and discuss potential security threats they encounter, which can help identify patterns indicative of coordinated attacks
- Social engineering will evolve with AI to increase their chances of success. AI will be used creatively to prepare attacks by building trust, such as employing voice cloning and generated images or video to inject false authenticity and encourage targeted users to interact with malicious approaches.
blue goose recommendation: Expand on G3’s advice, educate staff more broadly on the use of AI, highlighting to colleagues how AI is used in attacks, communicating clearly what applications are acceptable to use and guidance on its use.
- Cyber regulations are reshaping industries, with the EU pushing for stronger cyber security. Compliance is no longer just about avoiding fines— some new requirements introduce personal liability, holding senior leaders directly accountable.
blue goose recommendation: As leaders, attend webinars on the new regulations and ensure you provide sessions with your leadership to ensure the team is aware and accountable for what is changing.
- Ransomware attacks: Attacks on Critical National Infrastructure (CNI) are on the rise as nation-states turn to cyber warfare. Attacks on hospitals and other healthcare services are common place due to their vulnerability.
blue goose recommendation: Emphasise to colleagues the impact their actions can have on ransomware attacks. Highlight key warning signs and consider launching a campaign to explain what ransomware is, as many may not fully understand the term. Providing a clear definition is essential.
If you are interested in how blue goose can help with cyber security awareness training, simply contact us for a conversation about how we can help.
And thank you to the Offensive Cyber team at g3.co for their contribution to this article.
G3’s offensive cyber team bring decades of experience to deliver sophisticated and tailored active security testing and simulations. They help secure your environments, understand risk exposure and test detection and response capabilities against a range of threat actors, helping companies understand what plausible actors would really do on networks.
