Risk controls for compliance are based on known vulnerabilities and past cyberattacks; as a result, they are developed by looking back at history. Meanwhile, there are significant emerging and changing risks in cybersecurity for which established, agreed-upon risk controls have not yet been developed. Further, the regulatory requirements themselves are still in development and in progress. Strategic plans should account for new regulations in all major countries.
Another aspect of compliance is that the audit or assessment process is always a snapshot in time. It is also typically too expensive and time-consuming to audit everything, so audits have limited scope. We know that cyber attackers have become more organized and highly skilled and have learned how to “hide” once they have gained a foothold in a system or environment. These attackers are no longer interested in publicity; instead, they prefer to remain undetected while they drain data and learn the details of a system. They are motivated by money or by the objective of a state-sponsored mission.
AI Supercharges Attacks and Outpaces Traditional Defenses
At the top of the list of emerging risks is our favorite hot topic: AI (Artificial Intelligence). Attackers use AI to accelerate their attacks and increase the scale or impact. These threats can automate vulnerability identification, deliver millions of convincing phishing schemes and even adapt the attack method in real time to circumvent security measures. Traditional defenses are still relevant but are not sufficient without new and innovative approaches such as data monitoring.
Businesses across all sectors are dragging their feet on taking the first step toward AI governance. It is essential to set clear policies for acceptable use of AI and to make decisions regarding the use of public AI models and/or the development of a private AI model. Training for both IT users and developers is also critical.
IT users need to be able to recognize suspicious emails, text messages, images and websites, among other attacker tactics, and know how to respond. Developers need to be trained on AI guardrails, error conditions and other security aspects of AI code.
Ransomware Evolves Faster Than Defenders Can Respond
Next on our list is ransomware. It’s a threat that isn’t standing still and continues to escalate. Projections from Cybersecurity Ventures, reported in Cybercrime Magazine, warn that global ransomware damage could reach $57 billion in 2026, and by 2031, costs could soar beyond $275 billion annually. Meanwhile, in 2025, the average cost per attack increased by 17%.
We’re now seeing ransomware attacks in which the stolen data is used for multiple extortion models, including stock manipulation or targeting a victim’s clients. Another new tactic is to skip encryption entirely and rely instead on the threat of public exposure as a way to coerce payment. Ransomware notes have become sophisticated, using psychological tactics like artificial time pressure and explicit threats of regulatory fines to force quick payments.
Although insider risk is long-standing and not isolated to ransomware, be aware that ransomware groups are actively attempting to recruit corporate insiders or to use unwitting gig workers to gain initial physical or remote access to target networks.
Supply Chain Attacks Expose Trusted Partners as Vulnerabilities
And that isn’t all. The list of emerging and escalating risks continues with supply chain attacks, which compromise trusted third parties. Supply chain cybersecurity vulnerabilities are weaknesses in third-party vendors, software or service providers that attackers exploit to breach a target organization. The types of attacks being executed aren't new, but, again, AI-powered attacks have made defense much more challenging. Examples include:
- compromised software libraries or updates, which in turn attack client systems and networks
- a lack of encryption or secure protocols when sharing data between suppliers and partners
- inadequate security monitoring of vendor networks, and
- outdated components, such as legacy systems that are no longer patched
Another vulnerable area where compliance and risk controls haven’t caught up is highly relevant to the hospitality industry: cloud technology. It has been rapidly adopted, and cloud deployments tend to be full of misconfigurations and API vulnerabilities, which are top targets for data breaches. A more futuristic threat on the horizon is quantum computing, where it's anticipated that encryption will no longer be viable because even the strongest algorithms can be broken quickly. The essential defense of encryption will become useless, underscoring the need for innovation and solutions.
All of these emerging and changing risks exist in the context of a shortage of cybersecurity professionals. These are typically the same professionals who are already fully tasked with providing evidence and samples to audit teams. Now more than ever is the time to increase cybersecurity staffing and to provide teams with tools and ongoing training to help stay ahead in protecting your company.
Taking a short-term approach to cybersecurity and limiting your program of work to compliance alone is a strategic mistake. Dependence on information systems and networks is critical to every aspect of the business, especially in the hospitality industry. Fully funding a robust cybersecurity program protects the future of your company.