AI is changing the world, but in cybersecurity, it’s not the biggest factor by any means. Experts from DNA and Kyndryl gathered to discuss the future of cyber threats and what Finnish organisations should focus on today so they can face the future with confidence.
How has cybersecurity evolved over the past ten years? Although artificial intelligence has already transformed much – and will surely transform even more – certain things have remained the same.
Traditional threats, such as ransomware, denial-of-service attacks and data breaches, have not gone away. Zero-day vulnerabilities and misconfigured systems are still goldmines for criminals seeking to breach corporate networks.
However, the level of criminal activity has become more professional, and the results as well, says Kaapro Kanto, Director of Enterprise Network and Cloud Services at DNA.
“Methods are more advanced than before. Criminal groups operate more like professional organisations, and they now use more sophisticated tools such as AI,” he explains.
AI can be used, for example, in deepfake scams that mimic voices and even place automated scam calls to potential victims. Meanwhile, increasingly intelligent software is scanning networks and searching for vulnerable servers on behalf of human attackers.
Although the basic criminal toolkit has largely stayed the same, the operating environment and context of cybersecurity have changed, says Kris Lovejoy, Global Security & Resiliency Leader at Kyndryl, a leading provider of business-critical enterprise technology services.
“In the past 10–20 years, the number of threats has increased, and their level of sophistication is on a whole new level,” she notes.
Security researchers often describe a system’s weak points with the formula threats × vulnerabilities. The result indicates the highest-risk targets. A threat might be malware, while a vulnerability could be a missing security patch.
“The number of potential targets has increased radically. With the spread of hybrid work, cloud services and smart technologies, the impact of attacks has grown. Breaches are serious on their own, but now they have systemic effects – attacks can bring down critical infrastructure,” she says.
“More threats, more vulnerable targets, greater striking power.”
A crucial shift in mindset
According to Lovejoy, the biggest change in organisational cybersecurity may not be technological at all, but about a mindset shift. Organisations now understand much better that they must invest in detecting attacks and defending against them.
“At the same time, there’s much discussion about operational resilience – an organisation’s ability to take a hit and continue operating afterwards. Not every company has fully mastered it yet, but the need for resilience is now clearly recognised,” she adds.
“Companies are practising recovery from attacks far more than before. Ten years ago, this was rare – today, organisations are much more aware,” says Kanto.
He notes that regulation is also pushing organisations toward stronger cybersecurity.
Today’s biggest risks
What are the greatest technological threats facing organisations today? Where should companies focus right now?
At the top of the list – unsurprisingly – is artificial intelligence, says Lovejoy.
“Cybercriminals are using AI in highly advanced social engineering schemes. We’ve also seen the first examples of malware that can adapt intelligently. Combined with advanced deepfake technology that undermines identity verification, this creates a very big problem,” she explains.
The second major risk is the supply chain. According to Lovejoy, about a third of attacks now come through third-party systems, many of which are less protected than their main targets. The number of such attacks has quadrupled in just four years.
The third major risk is insider threats, which stem especially from shifts in the labour market. In today’s uncertain economy, even highly skilled professionals are worried about their jobs – and historically, such situations have often fueled an increase in cybercrime.
AI is taking cybercrime to a new level
AI has two sides: alongside the risks, it offers significant benefits.
“AI will increase the efficiency and variety of attacks, but at the same time, it will make defending against threats easier,” predicts Kanto.
According to him, AI can be utilised to build more secure systems and to automatically respond to attacks. It can help security analysts and other professionals focus on the most critical threats.
Still, criminal groups now have access to methods that used to be reserved only for nation-state actors. Defending against these threats requires AI solutions whose development demands resources. There is a risk that smaller players will be left behind.
“This is an arms race, absolutely,” says Lovejoy. “Both sides are constantly using more powerful tools.”
Lovejoy highlights two particular AI-related risks looming in the future. The first is the rise of more powerful, persistent and fully autonomous AI agents – which may sound like science fiction but could soon become reality. The second is the widespread, rushed and often careless use of open-source software.
“I fear that many organisations are unknowingly introducing malicious code and backdoors into their systems – dangers that go unnoticed. We are already seeing signs of AI being used to analyse open-source applications and create tailored malware against them,” she warns.
Although many have been quick to dismiss AI as just the latest hype, cybersecurity experts believe we have not yet seen half of its impact.
“I believe we still underestimate AI’s effect on cybersecurity,” says Kanto. In his view, AI will have a massive impact both on the ability of criminals to strike and on defending against attacks – though not quite yet.
“Last spring, it seemed like we were in the middle of a real AI revolution, but with GPT-5, I consider the development more as an evolution. I think we are on the plateau of the hype cycle,” he reflects.
Lovejoy agrees. Development has slowed, but the revolution is just around the corner.
Humans in the middle of technology
When talking about technology, the human factor is often forgotten. But AI is not yet replacing people: thinking professionals are still needed to monitor systems and perform high-level analysis.
Kanto agrees with Lovejoy’s view on the risk posed by idle or displaced cybersecurity professionals, noting that what matters most is having enough professionals with the right, up-to-date skills. Each new technological era demands new types of expertise.
“Workforce issues are essential in cybersecurity. Even now, there is a skills gap in those who can support business leaders in understanding risks and in driving initiatives that improve organisational cybersecurity,” he says.
The right technical competence is critical. As AI advances quickly, there’s a risk of throwing out the baby with the bathwater.
“There’s a concern that companies may underestimate the importance of cybersecurity professionals as they evolve. These experts play a critical role in safeguarding systems. Streamlining operations must be done thoughtfully, as losing those with deep knowledge of a company’s infrastructure and security could pose significant risks,” Kanto advises.
New kinds of roles are also emerging. Lovejoy predicts that with autonomous AI agents, some cybersecurity staff will be trained as “AI governors” responsible for overseeing software behaviour. We will see prompt engineers, specialists in AI ethics, and other new roles. Preparing and training for these future positions is difficult because development is moving so fast.
What lies ahead
The future will bring even bigger challenges. The shift to quantum computing is already underway, but the transition will be difficult. There are fears that current encryption algorithms could be broken within a few years. Hackers are already known to be collecting encrypted data for later use.
“Microsoft has said it aims to be prepared for quantum threats by 2029 and complete the transition by 2033. What does that mean for other, much smaller organisations?” asks Kanto.
AI’s impact will grow – that is clear. But attention must also stay on older infrastructure such as power and telecom networks, the resilience of which will likely be tested repeatedly in the years ahead.
Lovejoy also points to the growing geopolitical fragmentation of digital networks.
“Finland has demonstrated a strong national commitment to cybersecurity through a range of initiatives. With its technological advancements, culture of innovation and skilled workforce, Finland is well-positioned to raise its profile as a bridge-builder for international cooperation in cybersecurity and resilience,” Lovejoy observes.
“I believe Finland brings advanced thinking and deep expertise in the cybersecurity space. This positions the country as a model for others to follow in building a secure and resilient digital ecosystem.”
Resilience matters
The threats of tomorrow are varied and still partly invisible. So where should companies invest in right now if they want to strengthen their position against future challenges?
“I would start by understanding and pruning your own systems and software. I mean the entire supply chain,” says Lovejoy.
If a company has 100 partners, one of them likely has a vulnerability in its systems that could become an attack vector. Simplifying and streamlining gives organisations a clearer overall picture of system risks and raises the level of security.
Companies should also launch programs to identify insider threats, support critical thinking when hiring security staff and expand AI-based monitoring against phishing and social engineering campaigns.
Lovejoy calls for adopting a zero-trust architecture. To prepare for future quantum threats, companies should also build technical understanding of encryption methods – either internally or through their partner networks.
“In my view, companies should focus on what they do best and seek out the best security and technology partners to support them,” says Kanto.
If an organisation succeeds in all this, it will have already strengthened its resilience significantly, says Lovejoy.
“Resilience does not mean doing everything yourself. A successful organisation has reliable partners who provide the technology and security that support safe business. Building an ecosystem for preparedness is extremely important.”
