Date: 2025-06-06

This year’s Infosecurity Europe 2025 saw industry experts come together to discuss the latest trends, challenges and successes in the field. Here are six key trends from the show that Infosecurity Magazine found most prominent from conversations with experts on the expo floor. Amid significant technological advancements, a big theme was the continued need to focus on the basics, such as human behaviors and identity controls. Security leaders should be aware of these trends, and ensure they consider whether their strategies are prioritizing these areas sufficiently.

Attackers Using Phone Calls to Launch Attacks

The nature of social engineering is continuing to evolve, with threat actors shifting to using phone calls either alone or in combination with emails to initiate the attacks. These are designed to obtain victims’ credentials and gain initial access into a target organization’s network.

Erhan Temurkan, Technology & Security Director at Fleet Mortgages, told Infosecurity that he is particularly concerned about phone calls impersonating IT departments, requesting employees reset their passwords. These scams have been exacerbated by improving deepfake technology, making the fraudster sound exactly like someone they know in their team.

Such malicious phone calls are harder to stop than traditional email phishing messages. “We can put an email gateway to stop those phishing attacks coming in, but there’s not much you can do to block a phone call because you don’t want to block legitimate customers,” Temurkan explained.

It is vital that organizations implement additional layers of defense to mitigate these email-based scams, essentially their own multi-factor authentication (MFA). Temurkan noted this could include pre-agreed phrases or passcodes with individuals in the business.

Identity Continues to be an Important Battleground

Research has shown that credential compromise continues to be the primary way for attackers to infiltrate organizations. Rapid7 research published during Infosecurity Europe found that 56% of all compromises in Q1 2025 resulted from the theft of valid account credentials with no multi-factor authentication (MFA) in place.

Thom Langford, CTO for the EMEA region at Rapid7, noted: “It always comes down to the basics. Initial access is often through username and password attacks. They quite simply trick people into giving it to them.”

This is an especially common approach in the cloud. Dr Beverly McCann, Director of Product at Darktrace, explained: “A really good entry into an organization is compromising SaaS accounts and escalating privileges to get to admin role which then allows you to access sensitive data.”

In this environment, it is not only important to deploy MFA, but also to ensure it is the right type of MFA. Temurkan said he is concerned about a rise of SIM-swapping attacks, in which attackers are able to utilize stolen information to intercept SMS-based two-factor authentication (2FA) codes. “That only increases the driver for organizations to get off SMS 2FA. It’s better than nothing at all, but with SIM swapping on the rise, that is a real gap,” Temurkan commented.

The strongest phishing-resistant MFA technologies use Fast IDentity Online (FIDO) standard protocols. These options include biometrics and physical security keys, which have become more accessible and easier to integrate in recent years.

The Need to Make Cybersecurity Frictionless

For cybersecurity measures to be truly impactful, they must not negatively impact employees’ work. Otherwise, practices are unlikely to be adhered to. Langford commented: “The biggest challenge I think we have in security is that every protective measure we put in increases employee friction – that’s problematic.”

User experience should therefore be a key consideration for security leaders in their decision making. There are opportunities for this, particularly in the identity space with passwordless authentication methods such as biometrics and single sign-on. “If you want to keep introducing additional controls, we as a security industry need to continue to make it easy for striking that balance between security and usability,” said Temurkan.

