The growing spectrum: Why the evolving world of cybercrime needs greater awareness in 2025

Healthcare, transport, banks, charities – nowhere seems safe. The threat of cybercrime appears to be lurking beneath any critical institution, ready to pounce and bring systems to a standstill. 

It came to light this month that September’s cyberattack on TfL has cost the transport authority a substantial £30m to date (I did have to wait for my fare refund for quite a few months…). The quick response by its IT security team minimised disruption and the amount of data exposed, but it showcases the impact one attack can cause for months on end. £5m of that cost alone was spent “on incident response, investigation and remedial cyber security measures”.

Cyberattacks are more prevalent than ever. In October, the National Cyber Security Centre (NCSC) said it had already “responded to 50% more nationally significant incidents compared to last year, as well as a threefold increase in severe incidents”. Some of the most harmful attacks have been on hospitals, where operations have been delayed due to bad actors blocking access to IT systems and holding out for a ransom – a prime example of ‘ransomware’. 

But what actually is cybercrime? And why is promoting its awareness so important for the business community? 

The spectrum of cybercrime 

The perception of cybercrime used to be images of nerdy teenagers in their bedrooms hacking accounts for fun; now it’s becoming recognised as a state-sanctioned exercise for generating funds (ironically, these states are paying large sums to get teenagers to carry out the work for them). It was just this month that the NCSC chief declared that the UK was underestimating the threat of cyberattacks from hostile states and gangs.

Speaking on the The Infinite Monkey Cage podcast at Bletchley Park, Victoria Baines, an IT professor and cybercrime investigator, describes cybercrime as “a spectrum of activity”. 

“At one end, we have nation states engaged in cyberwarfare and old school espionage,” she explains, which includes attacks on critical infrastructure. “At the other end, we have that profit-driven cybercrime, which is just making a fast buck out of other people.” 

But while it used to be easier to tell the difference between these forms of attacks, she adds, “now, when a company, or a person… or a country experiences a cyberattack, they don’t actually know the intent of that attack”. 

And this illuminates a key point. Intentions are unknown but, by many companies, so too is the threat. It’s why generating awareness of cybercrime – and crucially, cybersecurity – has become so integral. 

Making companies aware of the threat 

Without technology it’s impossible to keep up with and counteract growing threats. AI in particular is providing a whole new threat to cybersecurity but also a whole new way to defend against attacks. For companies, understanding how they are vulnerable to such dangers and what tools they can use to defend against them is paramount. Yet as various technologies tussle it out in a heated cyber tug of war, humans remain integral to the process. 

People also provide an avenue to carry out attacks through ‘phishing’ and similar techniques, with bad actors preying on their good nature or misjudgement. That’s why the clients we work with emphasise the importance of training and cultivating a culture of compliance and awareness to coexist with their technology. The notable aspect from the headline ‘IT outage’ story of the year – Microsoft’s CrowdStrike incident – was that it was triggered by human error, a coding glitch in a software update, not a cyberattack.

For cybersecurity companies, promoting awareness of both their products and services has become vital for the business community at large. Demonstrating how a combination of compliance technology, regulations and people can work can enhance the wider cybersecurity ecosystem. New FCA regulations on operational resilience this year, for example, helped contribute to a significant fall in the number of cyberattacks on financial institutions. 

But attacks like ransomware are still being underestimated. And next year, the threat is set to loom even larger. As such, making companies aware of the cybercrime threat will be the major mission in 2025.