On 14 October 2025, the Board Leadership Center welcomed Fabrice Clement, CISO at Proximus and Board member of the Cyber Security Coalition, Uschi Joris, Global Digital Foundations Director at Sibelco, Jean-Louis Schirmann, CEO of The European Money Markets Institute, Benny Bogaerts, Partner and Cyber & Digital Risk Practice Lead at KPMG in Belgium, and Benoit Watteyne, Partner at KPMG in Belgium, for a discussion on the evolving cyber threat landscape and what it means for boards.
Cybersecurity has been one of the top priorities On the Board Agenda for the past few years, but cyberattacks are evolving, driven by: geopolitics and the spilling over of warfare from the battlefield to cyberspace; digitalization, which increasingly offers new domains to attack; artificial intelligence (AI), used to enhance not only security but also the sophistication of attacks; and the exploitation of increasing (political) instability. No longer limited to stealing data or disrupting operations, cyberattacks now aim to manipulate information, undermine processes, and erode trust. Disinformation campaigns, deepfakes, and AI-driven social engineering highlight how fragile our trust in digital interactions has become. Companies and boards need to be able to respond to these evolving threats.
According to our 2025 Cyber Survey, conducted in collaboration with the Cyber Security Coalition, 50% of organizations reported an increase in cyberattacks and 16% experienced one or more incidents that caused a disruption or damage over the past year.
Operational changes such as decentralization of operations, increased outsourcing, and changing stakeholders can also increase an organization’s cybersecurity risks. What can you do? Focus on your processes, people, and technology.
Processes and regulation
New cyber regulations – such as NIS2 and DORA – can pose challenges for organizations, but they can also be an accelerator: an opportunity to bring focus to your policies and attention to your cybersecurity program both within the organization and at the board.
NIS2
Start where you can, whether that’s setting up a transversal program or using an external provider to help set guidelines. Map and prioritize your critical services, then extend the reach to other services. Choose the compliance method that aligns with your organization – according to our survey, 49% of respondents choose to rely directly on Cyber Fundamentals, while 28% use ISO 27001 certification, and 15% use ISO alignment.
Interested in learning more about NIS2? Also read: NIS2 in Belgium
DORA
Start with an assessment of what you have in place, then perform a gap analysis to see where you need to adapt. The policies and procedures – what’s on paper – might be the easy part, while the practices and processes may take longer to embed.
Reporting also has its challenges. It’s an important part of compliance, but it also takes a lot of resources and it’s not always possible to hire new staff or to outsource. So, it’s a question of prioritizing and finding an approach that suits the company’s risk appetite, is compliant, and sustainable.
Interested in learning more about DORA? Also read: The DORA journey
Third-Party Risk Management (TPRM)
Not only do companies need to be aware of and protect against cyberattacks on their own systems and operations, but they also need to be mindful of the risks posed by their suppliers, i.e. their third-party risks. According to our survey, 38% of companies confirmed a cyberattack against one of their suppliers, while 29% didn’t know if an attack against their supply chain had taken place.
TPRM is not about finger-pointing but rather communication, collaboration, and transparency. Integrate cyber and information security into your existing oversight practices of third parties. Assess the risks, negotiate a security plan, and consider how you’ll ensure compliance, whether through certifications from suppliers, conducting audits, or via self-assessment questionnaires.
Keep in mind though that you can have the best processes in place, but the outcome will depend on the quality of the information you receive. And your negotiating power will not be the same with all your suppliers.
People
While attacks may be more sophisticated, people remain a key driver in any cybersecurity program. Cybersecurity is not only an IT responsibility, but also a business responsibility, and every layer needs to take accountability.
According to our survey, one of the top five causes of an incident is weak credential security. Further, looking at the top types of cyberattacks identified in the survey, many of the top five threats that can be handled in the normal course of business have a human error component: phishing attacks, password theft, malware, scam calls, and data leakage.
With passwords still being written on post-its and laptops not being locked when users step away, training and awareness remain essential – throughout all levels of the organization.
One way to level up your training is to make it more personal. Many organizations perform phishing simulations with their employees. Build upon that by linking the results to a learning track for those who click on a phishing email, for example, using AI to give them personalized information on how they could have detected it.
“We as leaders need to be exemplary.” Leading from the top is extremely important. Do the training first; set the example. If you as leaders can find the time to do it, so can the rest of the organization.
Technology and AI
AI brings both new opportunities and new obstacles.
51% of survey respondents use it to enhance their cybersecurity. Whereas phishing detection was previously rules-based, AI and machine learning can now define patterns, baselines, and variations. Be mindful that it won’t catch everything, but it is an improvement on previous technology.
At the same time, it poses concerns around compliance with data protection, data availability to third parties, and a lack of technical knowledge. User error is also a key factor in the risks here – are your employees accidentally sharing sensitive information in tools such as ChatGPT? Are they aware of the risks? Do you have new policies in place to address this new landscape?
The board should also follow the company’s policies on the use of AI, and they too should be aware that putting confidential information into open-source tools, such as ChatGPT, poses a risk of data leakage. What can companies do instead? Offer safer, approved alternatives that allow people to play with AI and benefit from its advantages while respecting company policy and security.
Looking ahead
Here are some of the top areas companies are focusing on over the next year:
- Identity & Access Management (IAM) programs
- Delivering on AI roadmaps
- Compliance with DORA & NIS2
- Awareness and training
- Monitoring and incident readiness
- Third-party risk management, including auditing external suppliers
And perhaps most importantly:
“Focusing on protecting our company and our customers.”
And finally, a few top tips
- Invest each year in structural improvements to your cybersecurity
- Have multiple sources of cyber intelligence
- Have real-time monitoring
- Have a cyber incident response team
- Use Multifactor Authentication (MFA)
- Continually build the expertise in your teams
- Always be prepared for the worst – work on your cybersecurity but also on your crisis management
- You can mitigate a lot, but you cannot mitigate everything. Every redundancy comes at a cost. Assess the risks and find the balance
- Collaborate with others in your industry to exchange threat intelligence
To complement the rich discussion at this event, we have also updated our Cyber Security Boardroom Questions: Responding to a cyber-attack.
About the Board Leadership Center
KPMG’s Board Leadership Center (BLC) offers non-executive and executive board members – and those working closely with them – a place within a community of board-level peers. Through an array of insights, perspectives, and events – including topical seminars and more technical Board Academy sessions – the BLC promotes continuous education around the critical issues driving board agendas.