m@ksim.pro
Security 3 min read

2024 in security: what changed and what stayed the same

A brief look at what 2024 added to the information security landscape - for those who make decisions, not just execute them.

The end of the year is a good moment to look at the security landscape not through technical details but through what changed in risks and obligations. This is a managerial breakdown rather than a technical one: what is new to know, what to reconsider, and what to put in the 2025 plan.

What 2024 changed in the risk picture

The year's most resonant incident was the CrowdStrike outage in July. Its lesson is not about a cyberattack but about operational fragility: a faulty content update to a widely deployed endpoint sensor with kernel-level access crashed Windows hosts at scale, so a protective tool with wide coverage and deep access itself became the source of a large-scale outage. This changed the conversation about vendor concentration and about how updates to critical components are staged and managed.

The second significant shift is AI as an attack tool. Phishing messages became more sophisticated and harder to recognize. Voice and video deepfakes moved beyond experiments and became working tools for social engineering. Verification processes that were sufficient a year ago may need review.

The third shift is regulatory. NIS2 passed its transposition deadline (17 October 2024) and moved into the enforcement phase. The AI Act entered into force on 1 August 2024, with its obligations phasing in over the following years. This adds regulatory risk to operational risk in the sectors and jurisdictions where these documents apply.

What stayed the same - and why that matters

The main attack vectors did not change. Compromised credentials, unpatched systems, misconfigured cloud resources, insufficient privileged access controls - these are still the cause of most successful attacks.

This is important to hold in mind alongside the discussion of new threats. If basic hygiene is not in place, talking about deepfakes and AI-powered attacks is premature. The foundation must come before the upper floors.

Another constant: people remain both the weakest and the strongest link simultaneously. Social engineering works because people make decisions under pressure and with incomplete information. Technical measures reduce probability, but do not eliminate the vector.

What to revisit at the start of 2025

A few specific items worth checking after the year closes.

Vendor dependency map: after CrowdStrike, do you have visibility into which components auto-update across your full fleet? Are there critical components that reach every host without a staging step, that is, without a small canary ring and a health check before broad rollout?
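The "staging step" above is easy to state and easy to skip. As an added illustration (not code from this post or from any vendor), the following Python model shows what the gate actually does: a constructed fleet of Windows-style and Linux-style hosts receives a simulated faulty update that crashes every Windows host, first through canary, early and broad rings with a health check between them, then as a single ring with no staging. The hostnames, ring sizes, the 2% failure threshold and the `apply_update` health probe are all assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Ring:
    """A deployment ring: a named subset of the fleet updated as one step."""
    name: str
    hosts: tuple[str, ...]


@dataclass
class RolloutResult:
    rings_updated: list[str] = field(default_factory=list)
    halted_at: Optional[str] = None   # ring whose health check tripped the gate
    hosts_updated: int = 0
    hosts_failed: int = 0


def roll_out(rings: Iterable[Ring],
             apply_update: Callable[[str], bool],
             max_failure_rate: float = 0.02) -> RolloutResult:
    """Push an update ring by ring, gating each step on the previous ring's health.

    apply_update(host) installs the update and returns True if the host is
    still healthy afterwards (in practice a post-update heartbeat or probe;
    here it is simulated). The rollout stops before the next ring as soon as
    one ring's failure rate exceeds max_failure_rate.
    """
    result = RolloutResult()
    for ring in rings:
        if not ring.hosts:          # an empty ring has nothing to measure; skip it
            continue
        failures = sum(0 if apply_update(h) else 1 for h in ring.hosts)
        result.rings_updated.append(ring.name)
        result.hosts_updated += len(ring.hosts)
        result.hosts_failed += failures
        if failures / len(ring.hosts) > max_failure_rate:
            result.halted_at = ring.name
            break
    return result


# --- constructed sample fleet (assumed names, not real hosts) ---------------------
def build_fleet() -> list[str]:
    """60 Windows-style and 40 Linux-style hosts."""
    return [f"win-{i:02d}" for i in range(60)] + [f"lnx-{i:02d}" for i in range(40)]


def staged_rings(fleet: list[str]) -> list[Ring]:
    """Canary (3 hosts) -> early (15 hosts) -> everyone else (82 hosts)."""
    win = [h for h in fleet if h.startswith("win-")]
    lnx = [h for h in fleet if h.startswith("lnx-")]
    canary = tuple(win[:2] + lnx[:1])
    early = tuple(win[2:12] + lnx[1:6])
    rest = tuple(h for h in fleet if h not in canary and h not in early)
    return [Ring("canary", canary), Ring("early", early), Ring("broad", rest)]


def unstaged_rings(fleet: list[str]) -> list[Ring]:
    """No staging step: the whole fleet is one ring."""
    return [Ring("everyone", tuple(fleet))]


def faulty_update(host: str) -> bool:
    """Constructed failure mode: the update crashes every Windows-style host."""
    return not host.startswith("win-")


def good_update(host: str) -> bool:
    """A healthy update: every host stays up."""
    return True


def compare(apply_update: Callable[[str], bool] = faulty_update) -> dict[str, RolloutResult]:
    """Run the same update through a staged and an unstaged rollout."""
    fleet = build_fleet()
    return {
        "staged": roll_out(staged_rings(fleet), apply_update),
        "unstaged": roll_out(unstaged_rings(fleet), apply_update),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:9s} rings={r.rings_updated} halted_at={r.halted_at} "
              f"updated={r.hosts_updated} failed={r.hosts_failed}")
```

With staging, the faulty update stops at the canary ring after touching three hosts; without staging, the same gate still trips, but only after all 100 hosts have already received the update. The gate itself is trivial; what matters is whether the component has any ring boundary at all before it reaches the full fleet.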

Incident notification process: does it meet the new regulatory requirements in your jurisdictions? Under NIS2 the early warning for a significant incident is due within 24 hours of becoming aware of it, the incident notification within 72 hours, and the final report within a month. 24 hours is not a lot of time.

Verification protocols for financial operations: are they sufficient in a world where voice and video may be synthetic?

AI system inventory: do the systems you use or develop meet AI Act requirements? Its obligations start phasing in during 2025, so this question is relevant now, not only in 2026.

One question to start the year

If I had to choose one question from everything above for an internal conversation at the start of 2025, it would be this: "If one of our key IT components or suppliers goes down tomorrow - how long will we take to recover, and who makes decisions in the first hours?"

The answer to this question shows the operational maturity of a security program better than any technical controls audit.
