We start with one of the more curious and long-running stories of the past year, the scandal surrounding North Korean operatives who obtained remote IT contractor positions with US companies to generate funds for the isolated regime. Towards the end of January, the US Department of Justice (DoJ) announced the indictment of five men – two North Koreans, a Mexican and two American citizens – in the case.

The prevalence of remote workers, especially since the Covid-19 pandemic, has made virtual job interviews a fact of life, and despite even more organisations issuing return to office (RTO) orders, many continue to hire for fully remote positions where their employees may rarely, if ever, physically meet. Threat actors have been quick to spot this gaping loophole in enterprise security, and human resources departments have been scrambling to respond.

The growth in speculation around the potential of quantum computing and its impact on the security world was a huge topic of conversation this year. In March, the UK’s National Cyber Security Centre (NCSC) published guidance to help support organisations as they get ready for quantum.

While its possibilities appear fantastic, in the medium term the dawn of quantum computing will render current encryption methods used to protect sensitive data obsolete, and the race is now on to develop effective post-quantum cryptography, or PQC. According to the NCSC, organisations should already be planning for PQC, ahead of technical upgrades in the early 2030s. The cyber agency wants the UK’s most at-risk organisations to have fully migrated to PQC by 2035 at the latest.

Supply chain security has become a fixture in the cyber world over the past few years, and the topic still dominated headlines in 2025. In May, the NHS’s digital chiefs wrote to their suppliers asking them to sign up to a cyber covenant.

The NHS has a long and troubled history of cyber attacks and data breaches – with attacks on partners such as OneAdvanced and Synnovis disrupting services and demonstrating the supply chain risks faced by healthcare organisations. The health service asked suppliers to commit to higher standards around supporting and patching systems, deploy multifactor authentication (MFA), always-on cyber monitoring and critical infrastructure logging, and immutable backups, among other things.

Even though it was established during his first administration, the US Cybersecurity and Infrastructure Security Agency (CISA) was not immune to the deep and sweeping cuts enacted by president Donald Trump as his second term kicked into high gear.

With longstanding officials ousted, budget cuts abounding, and threats to the long-running CVE programme that identifies and classifies dangerous vulnerabilities, the US cyber establishment was rocked to the core in 2025, with knock-on effects spreading beyond America’s borders.

With Microsoft’s longest-lived operating system, Windows 10, finally falling out of support in October, there were warnings for users across the UK during the summer of 2025 – prepare to upgrade now, or put your security at risk.

The NCSC’s chief technology officer, Ollie Whitehouse, said that not upgrading was akin to “incurring a debt at a high interest with the threat of forced repayment at a later date” as he implored organisations to upgrade their PC estates. The agency warned that, in addition to the difficulties users will see from being out of support, outdated and now unpatched Windows 10 systems will be prime targets for threat actors – harking back to the WannaCry incident in 2017, which exploited unpatched versions of Windows XP.

The UK government made progress on its Cyber Security and Resilience Bill in 2025, and was finally able to lay it before Parliament in November. Ahead of this, the usual round of consultations, debates and evidence-gathering sessions took place, and in July, the Home Office announced that a legal ban on making ransomware payments – covering hospitals and other public health bodies, public sector organisations such as councils and schools, and operators of critical national infrastructure (CNI), including datacentres – would be included.

Enacting a ransomware payment ban has broad support nationally – the majority of responses to a consultation on the matter supported it – but the subject remains a controversial one, with some sceptical that the ban will make critical UK organisations less attractive targets for cyber criminals and may actually make it harder for some to recover if and when they get hit.

The annual Black Hat cyber fair in Las Vegas brings together security professionals and hackers of all kinds, and always throws up a few oddities. This year, Cisco Talos researchers revealed a series of vulnerabilities – dubbed ReVault – affecting the security firmware and associated application programming interfaces (APIs) in Dell laptops.

During the course of their research, the Talos team discovered that if a vulnerable system was configured to accept a biometric fingerprint login, it was possible to tamper with the firmware so that the fingerprint reader would accept a non-human physical input. In what was surely a first for the security industry, the researchers posted a video online in which they defeated a laptop’s biometric security measures using a spring onion.

Back in the quantum realm, two years after the debut of its Quantum Safe Programme (QSP), Microsoft reported steady progress on incorporating PQC algorithms into some of the foundational components underpinning the security of its product suite in August.

For a tech company as ubiquitous as Microsoft, quantum security is a non-negotiable – getting it wrong could lead to disaster – so Redmond wants to move fast and hopes to have its core services secured before the end of the 2020s. Its overall strategy rests on three core pillars: updating Microsoft’s own and third-party services, supply chain and ecosystem to be quantum-safe; supporting its customers, partners and ecosystems in this goal; and promoting global research, standards and services around quantum security.

In October, political chaos in Washington DC overflowed into the security realm when the federal government was forced to shut down after temporary funding measures failed to get through a deeply divided Congress. Unfortunately, this stalled progress on extending or replacing an Obama-era threat data sharing law, CISA 2015, which expired at the end of September.

CISA 2015 set out a framework for information sharing and offered liability protections to organisations sharing threat data and cyber intelligence in the public interest. Experts feared its absence would not only hurt collaboration between the public and private sectors, but also reduce the US’s ability to act as an effective counterweight to cyber criminals and other threat actors on the world stage. Although CISA 2015 has now been extended, the possibility of another shutdown in early 2026 could cause this story to rear its head again very soon.

Security professionals need only look at the monthly Patch Tuesday alerts to see how Microsoft’s technological dominance puts it at the centre of so many cyber security stories, and the firm frequently comes in for flak from those who think it is not doing enough to fulfil its security obligations. Such voices were in full flood at the end of 2025 when the Australian, Canadian and American cyber intelligence agencies took the step of co-signing an emergency alert and issuing a guide to securing Microsoft Exchange server instances, a key vector in many of history’s most impactful cyber incidents.

The document laid out several proactive protection techniques to be applied to on-premise Exchange Servers as part of hybrid environments, and the Americans described it as a “critical resource” for Microsoft users. But one observer, a former White House cyber policy expert, said that the fact a multilateral coalition felt obligated to produce such a resource was a “devastating commentary on Microsoft’s security posture”.