Skip to Main Content
Publications

Cybersecurity Awareness Month 2025: A Comprehensive Guide to Navigating Modern Cyber Threats

Cyber threats don't wait for an invitation – and they certainly don't take a break when the calendar flips to October. As Cybersecurity Awareness Month 2025 begins, the stakes have never been higher. Every organization, from global enterprises to local businesses, faces a relentless barrage of digital risks that are evolving faster than ever before.

Cybersecurity Awareness Month isn't just about raising awareness – it's about empowering you to act. In this article, we'll break down the latest cyber threats, reveal how artificial intelligence (AI) is reshaping both attack and defense, and spotlight the regulatory and litigation trends that could impact your business. Drawing on insights from industry-leading reports – including IBM's Cost of a Data Breach Report 2025 and NetDiligence's Cyber Claims Study 2025 – as well as real-world case studies from our own incident response work, we'll give you practical, actionable steps to strengthen your company's defenses.

Safeguarding your company's future means making cybersecurity a core part of your business strategy. Let's dive in and make this month the turning point for your organization's cyber resilience.

The 2025 Cyber Threat Landscape

The cyber threat environment in 2025 looks very different from just five years ago, and the trend line points toward greater professionalization, automation, and systemic risk. At the same time, the average costs in the U.S. surged to a record $10.22 million per incident, driven by increased regulatory fines and detection costs (Data Breach Report).

Ransomware remains the single most visible threat, but it has matured well beyond the crude encrypt-and-demand tactics of 2018. Today's groups operate like fully staffed businesses. They offer Ransomware-as-a-Service (RaaS), complete with licensing models, revenue sharing for affiliates, and even 24/7 customer service hotlines for victims struggling to pay in cryptocurrency. Some groups employ professional negotiators who study their targets and adjust demands based on company size, insurance limits, or industry sector. The result is not just higher ransom demands – some exceeding $50 million – but also greater sophistication in extortion tactics, including threats of public data leaks, regulatory complaints, and stock price manipulation (Data Breach Report).

Business Email Compromise (BEC) continues to fly under the radar compared to ransomware headlines, yet it accounts for more direct financial losses annually than ransomware. The FBI's Internet Crime Complaint Center (IC3) has consistently reported billions of dollars lost each year through fraudulent wire transfers and invoice scams. Attackers now combine BEC with AI-driven voice cloning and deepfake videos to trick even seasoned executives and finance teams. For many companies, the first time they learn of this risk is when a seven-figure wire has already left their account (see Cyber Claims Study).

Artificial intelligence (AI) has reshaped the threat landscape. Indeed, AI has become a force multiplier. What once took hours of trial-and-error by a criminal can now be generated instantly. AI enables:

  • Phishing at scale: flawless, context-specific emails written in seconds, free of the grammar mistakes that once gave scams away.
  • Deepfake audio and video: cloned voices of CEOs, board members, or vendors used in urgent requests.
  • Malware that adapts: AI-written code that mutates faster than traditional signature-based defenses can detect.

AI has lowered the barrier to entry for cybercrime while simultaneously raising the bar for defenders. IBM found that 16 percent of breaches in 2025 involved AI-enabled attacks, including AI-generated phishing and deepfakes (Data Breach Report).

Supply chain attacks are also surging, and they remain one of the most difficult risks to mitigate. In these incidents, attackers compromise a trusted vendor, managed service provider, or software platform, and then pivot into dozens – sometimes hundreds – of downstream organizations. A single vulnerability in a payroll provider, cloud service, or law firm can cascade into a national enterprise-wide breach. IBM found supply chain compromises were among the most expensive breaches, averaging nearly $5 million and requiring the longest containment times (267 days on average) (Data Breach Report).

The takeaway for boards and executives is clear: if you haven't mapped your critical vendors and tested your incident response plan against a third-party compromise, you are leaving a blind spot that attackers are actively seeking to exploit.

AI and Cybersecurity

AI is a double-edged sword. Attackers now rely on AI to scale their operations, while defenders are only beginning to match pace. For businesses, this creates a dual imperative: harness AI responsibly while protecting against its misuse.

On the offensive side, AI enables adversaries to generate convincing phishing campaigns, fabricate synthetic voices and videos, and even write self-mutating malware. IBM found that 16 percent of all breaches last year involved AI-enabled attacks, with the most common being AI-generated phishing emails (37 percent) and deepfakes (35 percent), and that so-called Shadow AI – unsanctioned or unmanaged AI tools used by employees – increased average breach costs by $670,000 (Data Breach Report).

But AI is also transforming cyber defenses. Organizations that deployed AI-powered security and automation reduced breach lifecycles by 80 days and cut costs by nearly $1.9 million on average (Data Breach Report). The gap between attacker adoption and corporate deployment underscores the risk of falling behind – adversaries are already all-in on AI, while many companies are only beginning to experiment with it.

Regulators are paying close attention too. The Federal Trade Commission (FTC) has warned that deceptive or unfair uses of AI can violate Section 5 of the FTC Act. The Securities and Exchange Commission (SEC) has begun pressing public companies for disclosures around AI-related risks, particularly where AI models create operational or systemic exposure. States are stepping in as well: Colorado's AI Act, the first comprehensive AI law in the U.S. – though now, not the only domestic AI regulation – will require transparency, accountability, and human oversight for high-risk AI systems starting in 2026. These developments underscore that AI governance is no longer optional.

Litigation is following close behind. Plaintiffs' lawyers already are targeting companies for:

  • Misuse of biometric data under state laws like Illinois' Biometric Information Privacy Act (BIPA), which has already produced multimillion-dollar settlements;
  • AI-enabled surveillance in the workplace and consumer environments; and,
  • Alleged algorithmic discrimination, particularly in financial services, lending, and employment decisions.

The bottom line: If your company is deploying AI, you need more than a policy on paper. Regulators and plaintiffs alike will want evidence of oversight, testing, and accountability. That means documented governance frameworks: proof you can explain, defend, and, if necessary, correct how AI is used inside your business.

Regulatory and Litigation Update

Regulators and plaintiffs' lawyers are focusing on more than just AI. At the federal level, regulators are shifting from cybersecurity guidance to enforcement. The SEC's new cyber disclosure rules have already led to enforcement actions, with legal costs averaging $20.1 million per case for large companies and some topping $500 million (Data Breach Report). The Department of Justice (DOJ) has also signaled that mishandling a breach will increasingly be treated as corporate misconduct, particularly when executives downplay scope or impact. Meanwhile, the FTC continues to expand its definition of "unfair" data practices, targeting companies that deploy AI tools, tracking pixels, or third-party analytics without robust disclosures and consumer consent.

Moreover, states are moving faster than Congress on these issues. California, Colorado, Tennessee, and others now embed explicit cybersecurity requirements into privacy statutes, creating overlapping obligations for incident response, vendor oversight, and consumer rights. These laws are also accelerating breach notification timelines – a trend IBM found adds nearly $500,000 in additional costs when deadlines are missed (Data Breach Report).

On the litigation front, the trend is unmistakable. Class actions are surging in three areas:

  • Website trackers (pixels, session replay, cookies), particularly in healthcare and financial services;
  • Wire fraud and BEC liability, where plaintiffs test whether companies can shift losses to banks or insurers; and,
  • Delayed or incomplete breach notifications, which courts are increasingly viewing as evidence of negligence.

NetDiligence found that class action defense costs averaged $450,000 for SMEs, while large-company cases stretched into the tens of millions (Cyber Claims Study). Some courts are also showing less patience for "no harm" defenses, for example, IBM reports that in 63 percent of cases where personal data was exposed, litigation proceeded past dismissal (Data Breach Report).

The takeaway: proactive conduct matters. Companies that can produce evidence of incident response testing, AI governance, vendor risk management, and board-level oversight not only reduce breach costs but are far better positioned to defend against regulators and plaintiffs. Failing to prepare leaves you at the mercy of regulators and plaintiffs – preparing now puts you in control of the outcome.

Proactive Risk Management: Turning Preparation into Advantage

The good news: proactive preparation not only reduces risk, it also pays dividends in regulatory credibility, litigation defense, and even insurance coverage. Key areas you should focus on now include:

  • Tabletop exercises remain one of the most effective tools available. They demonstrate foresight, reduce liability, and regulators consistently look more favorably on companies that can show they've tested their response plans under realistic conditions. Additionally, practice makes perfect – companies that regularly conduct tabletop exercises are much better equipped to respond to an actual incident when it happens.
     
  • Vendor oversight is another weak spot. Contracts should include meaningful data security obligations, audit rights, and indemnification – yet too often they do not. Attackers know the supply chain is the soft underbelly, and regulators know it too.
     
  • Cyber insurance is also evolving. Underwriters are no longer rubber-stamping coverage; they are demanding detailed risk assessments, updated incident response plans, and evidence of tabletop exercises. Companies that cannot demonstrate preparedness often face higher premiums, exclusions, or outright denials.
     
  • AI governance is quickly joining this list. With the FTC, SEC, and state regulators sharpening their focus, companies must show they have meaningful guardrails in place – not just policies, but documented oversight, testing, and accountability for how AI is used.

Wondering where to start? Before year-end, companies should:

  • Update and externally review their incident response plan.
  • Conduct at least one tabletop exercise.
  • Review vendor contracts for data security terms, audit rights, and indemnification.
  • Reassess cyber insurance coverage against evolving risks.
  • Begin building or strengthening AI governance policies.

So, let's use this year's Cybersecurity Awareness Month as a wake-up call. It is a chance to move beyond posters and phishing tests and turn awareness into action. Proactive investment today prevents reactive costs tomorrow. Litigation, fines, and reputational harm are always more expensive than preparation.

Our team has helped clients across industries implement each of these steps – and we are ready to do the same for your organization. If you need assistance with these issues, or with any other cybersecurity, data privacy, or technology-related matter, please contact the authors Matt White, AIGP, CIPP/US, CIPP/E, CIPT, CIPM, PCIP, Alex Koskey, CIPP/US, CIPP/E, PCIP, or any member of Baker Donelson's Data Protection, Privacy and Cybersecurity Team.

Email Disclaimer

NOTICE: The mailing of this email is not intended to create, and receipt of it does not constitute an attorney-client relationship. Anything that you send to anyone at our Firm will not be confidential or privileged unless we have agreed to represent you. If you send this email, you confirm that you have read and understand this notice.
Cancel Accept