Cybersecurity Expert | Cyber Resilience

AI in the UK: Driving Innovation Without Expanding Cyber Risk

2026-05-29T19:00:47.719+01:00

Written by Sean Tilley, Senior Sales Director EMEA at 11:11 Systems

Artificial intelligence is no longer a future ambition for UK organisations. It is already shaping how decisions are made, how services are delivered, and how quickly businesses can respond to change. From automation and analytics to customer engagement and operational optimisation, AI is becoming an integral part of the modern enterprise.

AI Governance and Cyber Resilience: A Boardroom Imperative

As adoption accelerates, however, a quieter risk is emerging, and it is one that boards and executive teams cannot afford to treat solely as a technical issue. AI is not simply another tool for innovation. It is altering the cyber risk landscape and unsettling long held assumptions about security, governance, and resilience.

Recent research by 11:11 Systems highlights the scale of that concern. In a global survey of more than 800 senior IT leaders, nearly three quarters (74%) said they believe integrating AI into their organisations could increase vulnerability to cyber attacks, a view shared particularly strongly by both UK and European respondents. This reflects that while they aren’t reluctant to innovate, there is growing recognition that AI changes how risk behaves, moving faster, spreading more easily and becoming harder for leadership teams to understand and control.

Why Boards should be Paying Attention

AI can strengthen cyber defences. Machine Learning systems are capable of spotting anomalies at speed, automating elements of incident response, and helping security teams prioritise threats more effectively. In theory, these capabilities should favour defenders.

In practice, the same techniques are also being adopted by attackers. AI is already being used to generate more convincing phishing campaigns, automate reconnaissance, and adapt malware in real time. UK Government commissioned research has shown that vulnerabilities can arise at every stage of the AI lifecycle, from early design decisions through to deployment and ongoing maintenance This creates new attack surfaces that many organisations are still learning how to manage.

For boards, the implication is that AI risk can no longer be contained within IT functions. It raises questions about compliance, reputation, operational continuity, and long-term value, while also challenging how risk is identified, tested, and understood at the board level, particularly when AI-driven systems behave in ways that are opaque or difficult to predict.

While the technical risks continue to evolve, two organisational dynamics are making them harder to control.

Shadow AI is Becoming Endemic

Employees are increasingly turning to unapproved or unsanctioned AI tools to work faster and more efficiently. Often this happens with good intent, but without visibility, governance, or security oversight. UK regulators have been clear that organisations remain accountable for how personal and sensitive data is handled, regardless of whether AI tools are formally approved or informally adopted.

The Information Commissioner’s Office (ICO) has repeatedly emphasised that AI deployments must comply with UK GDPR principles, including transparency, accountability, and data minimisation. When AI use sits outside formal controls, blind spots emerge, making it harder to demonstrate compliance to regulators and auditors and harder to contain incidents when something goes wrong.

For boards, the risk is not simply the existence of unauthorised tools. Fundamentally, the risk lies in the widening gap between what leaders believe is happening inside the organisation versus how AI is being used day to day, under pressure to move faster.

Pressure for Speed is Outpacing Resilience Planning

AI initiatives are often driven by competitive urgency. Leadership teams want rapid deployment, visible progress, and quick returns. Yet research suggests this urgency often comes at the expense of recovery readiness, oversight and confidence in how incidents should be handled. This is supported by the 11:11 Systems study which found that many organisations remain overconfident in their ability to recover from cyber incidents, even as complexity increases.

When AI systems are deployed before recovery, backup, and incident response plans have been tested against new threat scenarios, resilience becomes theoretical. In an AI driven incident, the speed and effectiveness of recovery will determine the scale of operational disruption, regulatory scrutiny, and reputational damage the business faces.

Why Resilience Models Must Evolve

Many board level approaches to resilience were designed for risks that were visible, testable, and broadly predictable. AI quietly undermines those assumptions.

UK organisations are increasingly being encouraged to rethink resilience in light of how AI changes the pace and complexity of incidents. That shift is evident in three areas.

Recovery processes are evolving to become more automated and scalable. This reflects the reality that manual responses struggle to keep up with fast moving, complex incidents. Research shows that prolonged recovery times significantly increase financial and operational damage following cyber events, particularly in large enterprises.

Testing is changing. Static, annual recovery plans are poorly suited to adaptive threats. Government research into AI security risks points to the need for ongoing validation across the AI lifecycle, rather than periodic, check list driven assurance.

Finally, resilience is being treated less as a downstream activity and more as a design principle. Governance, visibility, and recovery capabilities are increasingly expected to be built into AI deployments from the outset, not added after an incident. UK regulatory guidance reinforces the expectation that organisations can demonstrate control and accountability over AI driven processes, even as those systems evolve.

The Board Level Takeaway

AI represents a strategic opportunity for UK businesses. But adoption that outpaces governance and recovery planning can quietly expand exposure at the very moment organisations believe they are becoming more advanced.

The question for boards is no longer whether to adopt AI, but how to do so responsibly. Confidence in innovation needs to be matched by confidence in recovery. That requires tougher questions about visibility, testing, and readiness, not just performance and productivity.

In this context, AI governance is not about controlling technology. It is about restoring board level confidence in how risk is understood and managed. In an increasingly complex UK threat landscape, the organisations that succeed will not be those that move fastest at any cost. They will be the ones that embed cyber resilience into AI adoption from the outset, innovating with intent and remain resilient in the face of increasing complexity.

Controlling AI Agents: Why Detection Is Too Late

2026-05-22T07:00:00.000+01:00

This is Part 2 of a 2-part series. Read Part 1: Your AI Agent Doesn’t Care About Your Controls

If AI agents change how execution happens, they also expose a fundamental limitation in how most security controls operate. Many control models assume there is sufficient time to detect, assess, and respond to events before they result in material impact.

That assumption no longer holds.

Traditional detection models follow a sequence in which an event occurs, is logged, analysed, and then acted upon. This approach works at human speed, where actions are spaced out and intervention is possible. In automated environments, particularly those involving AI agents, that sequence is compressed to the point where response often occurs after the outcome has already been realised.

The Speed Problem

AI agents operate at a pace that removes the window for meaningful intervention. They do not pause between actions or wait for approval cycles. Once triggered, they execute tasks rapidly across systems, often chaining multiple actions together in a single flow.

By the time an alert is generated, the action has already completed. By the time it is reviewed, the downstream effects may already be in place. This fundamentally changes the role of detection. It becomes a mechanism for understanding what has happened, rather than preventing it.

The Illusion of Monitoring

In response to increasing complexity, many organisations invest in expanding their monitoring capability. More logs are collected, more alerts are generated, and dashboards become more detailed. However, this increase in visibility does not automatically translate into improved control.

Without context, prioritisation, and validation, monitoring becomes a record of activity rather than a means of assurance. Security operations teams are often left dealing with high volumes of alerts that are difficult to interpret in real time. AI agents amplify this problem by increasing both the frequency and the speed of events.

The result is a growing gap between what can be seen and what can be meaningfully controlled.

Evidence and Its Limitations

Control assurance depends on evidence, but evidence is only useful if it reflects the current state of the environment. In slower operational models, evidence can remain valid for extended periods. In highly automated environments, that validity window shortens significantly.

Access models change, configurations drift, and behaviour evolves rapidly. Evidence that was accurate recently may no longer represent reality. This creates a challenge for organisations that rely on periodic validation or static reporting to demonstrate control effectiveness.

In this context, evidence must be continuously refreshed and validated against actual behaviour, not assumed based on design.

What Needs to Change

Addressing this challenge does not require abandoning existing frameworks, but it does require changing how they are applied.

The first shift is from access control to execution control. It is no longer sufficient to confirm that an identity has access to a system. Organisations must understand what actions are being executed, in what sequence, and under what conditions.

The second shift is the reintroduction of accountability. Every action performed by an AI agent should be attributable, traceable, and explainable. Without that, it is difficult to demonstrate that controls are operating effectively.

The third shift is towards validating real behaviour. Policies, architectures, and intended workflows provide useful context, but they do not prove how systems behave in practice. Validation must be based on observed activity in production environments.

Finally, independent assurance becomes increasingly important. Second-line validation provides a mechanism to challenge assumptions, review evidence, and confirm that controls operate as intended under real conditions. Without this, there is a risk that assurance becomes self-declared rather than evidence-based.

Final Thought

AI agents are efficient and highly capable. They execute exactly what they are designed to do, often with greater speed and consistency than human operators.

The risk lies not in the technology itself, but in the assumption that existing control models still provide meaningful assurance. As execution changes, so must the way control effectiveness is measured and validated.

The key question is no longer whether controls exist, but whether their effectiveness can be demonstrated in the context in which they are now operating.

Your AI Agent Doesn’t Care About Your Controls

2026-05-21T14:02:27.027+01:00

This is Part 1 of a 2-part series on AI agents and control assurance. Read Part 2: Controlling AI Agents: Why Detection Is Too Late

The cybersecurity industry has spent years investing in visibility. Dashboards have improved, detection tooling has matured, and the volume of telemetry available to security teams has increased significantly. Most organisations can now see more of their environment than at any point in the past.

However, one of the most important emerging risks is not hidden malware or an unknown vulnerability. It is the rapid introduction of AI agents operating across environments that organisations do not fully understand, cannot clearly inventory, and often cannot meaningfully govern.

This is not simply another software category. It represents the introduction of autonomous digital actors interacting with identity systems, APIs, SaaS platforms, cloud environments, and business processes. These agents are not constrained by the same assumptions that underpin traditional control models, and that is where the risk begins to surface.

From Users to Actors

Traditional security models are built around users. Users authenticate, request access, and perform actions within defined boundaries. Even when errors occur, those actions are constrained by identity controls, privilege models, monitoring, and the natural pace of human interaction. There is friction in the system, and that friction is part of how control is maintained.

AI agents remove much of that friction. They are not passive tools assisting users; they are active actors executing tasks. They retrieve data, make decisions, invoke APIs, and trigger workflows across multiple systems in seconds. The shift is subtle but important. The challenge is no longer limited to managing access. It becomes a question of controlling execution.

Execution Without Assurance

Most organisations assume their existing control frameworks still apply in this new model. On paper, they do. In practice, they often do not.

Control frameworks were designed to validate human-driven actions, predictable workflows, relatively static privilege models, and slower operational cycles. They were not designed to validate high-frequency automated decisions, cross-system execution chains, or real-time, context-driven behaviour.

This creates a gap that is easy to overlook. The agent may be authenticating correctly, calling approved APIs, and interacting with authorised systems. From a control perspective, nothing appears to be broken. Yet there is often no mechanism to prove that the actions being executed are appropriate, proportionate, or safe in the context in which they occur.

Where Controls Start to Fail

This is not a theoretical issue. It is a structural one, and it tends to appear in consistent ways across environments.

The first area is identity. AI agents commonly operate using service accounts, shared credentials, or delegated access tokens. While this enables integration and automation, it weakens attribution. In a traditional model, actions can be traced to an individual. In an AI-driven model, activity may be technically valid but operationally ambiguous, making it difficult to establish accountability when something goes wrong.

The second area is privilege. To enable capability, agents are often granted broad access across systems and services. However, least privilege is not simply about limiting access; it is about ensuring that access is used appropriately in context. An agent may be authorised to access a system, but that does not mean every action it performs within that system aligns with business intent or risk tolerance. Most control models validate access rights rather than behavioural appropriateness.

The third area is monitoring. As automation increases, so does logging. However, more data does not necessarily lead to more assurance. When an agent executes hundreds of actions in a short period, logs can quickly become noise, alerts become volume-driven, and meaningful signal is harder to extract. Monitoring shifts from proactive oversight to retrospective analysis.

The final and most important area is control validation. Controls such as access reviews, segregation of duties, and approval workflows may still exist, but they are rarely tested against autonomous, multi-step execution across systems. The result is not a lack of controls, but a lack of confidence that those controls are operating effectively in the way they were intended.

Final Thought

AI agents are not bypassing controls. In most cases, they are operating within them. The issue is that those controls were not designed to validate how work is now being executed.

If control effectiveness cannot be demonstrated against real behaviour, then the presence of controls alone does not provide assurance.

Next in the series:
Controlling AI Agents: Why Detection Is Too Late

AI Agents Are Creating a New Cybersecurity Blind Spot

2026-05-11T07:00:00.000+01:00

The cybersecurity industry has spent years focusing on visibility. Dashboards expanded. Detection tooling improved. Telemetry volumes exploded. Yet one of the biggest emerging risks in 2026 is not hidden malware or an unknown zero-day. It is the rapid deployment of AI agents that organisations barely understand, cannot fully inventory, and often cannot meaningfully govern.

AI agents are moving beyond chat interfaces and simple copilots. They are increasingly capable of reasoning, planning, accessing systems, invoking tools, retrieving information, and taking autonomous actions with limited human involvement. That changes the security conversation entirely.

This is not simply another software category. It is the emergence of autonomous digital workers operating across identity systems, APIs, SaaS platforms, cloud environments, and business processes.

And most organisations are deploying them faster than they can secure them.

Research and industry reporting throughout 2026 show a growing concern across both government and enterprise sectors around agentic AI security risks. Security leaders increasingly view autonomous AI systems as one of the most significant new attack surfaces facing organisations.

The concern is justified.

AI agents introduce a combination of risks that traditional governance and security models were never designed to handle.

AI Agents Change the Nature of Identity Risk

Most cybersecurity programmes were built around managing human identities and traditional service accounts. AI agents disrupt that model because they behave more like autonomous actors than passive software components.

Many organisations are now deploying AI agents with:

access to internal documentation
integration into SaaS platforms
permissions to execute workflows
API access to sensitive systems
delegated authority to make operational decisions

The problem is not simply access. It is scale and autonomy.

Industry forecasts suggest AI agent identities may soon outnumber human identities dramatically inside enterprise environments.

That creates several immediate challenges:

identity sprawl
excessive permissions
unmanaged API tokens
poor lifecycle governance
invisible machine-to-machine trust relationships
difficulty attributing actions and accountability

In many environments, organisations already struggle to maintain accurate inventories of privileged accounts or SaaS integrations. AI agents accelerate that problem significantly.

The result is a growing gap between operational reality and governance visibility.

AI Agents Create a New Attack Surface

The security industry often focuses heavily on model risks such as prompt injection or data poisoning. Those are important, but they are only part of the picture.

The bigger issue is that AI agents operate across interconnected runtime environments.

Modern agents may:

consume external data
invoke plugins and APIs
interact with cloud services
maintain persistent memory
chain multiple actions together
collaborate with other agents
execute operational workflows automatically

That creates an entirely new form of runtime attack surface.

Recent research highlights risks including:

memory poisoning
malicious tool invocation
indirect prompt injection
AI supply chain compromise
runtime dependency manipulation
self-propagating agent loops
excessive agency and unauthorised action execution

The important point is this:

Many of these attacks do not exploit traditional software vulnerabilities. They exploit trust, autonomy, orchestration, and context.

That makes detection and governance significantly harder.

Why Existing Security Controls Are Struggling

One of the most dangerous assumptions organisations can make is believing existing security tooling automatically extends to AI agents.

In many cases it does not.

Traditional controls were largely designed for:

deterministic systems
predictable workflows
static permissions
human-driven actions
relatively stable software behaviour

AI agents are fundamentally different.

They are probabilistic, adaptive, and capable of unexpected behaviour under changing context conditions.

This creates several assurance problems:

inventories quickly become outdated
permissions drift continuously
actions may not be fully explainable
logging lacks meaningful context
governance ownership becomes unclear
accountability boundaries blur

The challenge is not merely technical. It is operational.

Security teams increasingly face environments where AI functionality appears inside:

SaaS products
collaboration platforms
development tooling
cloud management interfaces
workflow automation systems
productivity platforms

Often these capabilities are enabled by default or adopted informally by business teams before governance frameworks exist.

This is rapidly becoming one of the largest forms of Shadow IT the industry has seen.

The Real Risk Is Governance Lag

The most significant AI security risk in many organisations is not the AI itself.

It is governance lag.

Technology deployment is moving faster than:

control validation
identity governance
operational assurance
policy adaptation
board understanding
security architecture redesign

This creates a dangerous illusion of control.

Dashboards may still appear green while autonomous systems quietly accumulate:

privileges
integrations
external dependencies
sensitive data access
operational authority

Without strong governance, organisations risk repeating familiar mistakes:

deploying first
governing later
discovering exposure during incidents

The difference now is speed.

AI systems compress timelines dramatically.

What Security Leaders Should Do Next

The organisations responding most effectively are not trying to ban AI agents entirely. They are focusing on visibility, containment, and evidence-driven governance.

Several priorities are emerging:

1. Build an AI Asset Inventory

Most organisations cannot currently answer:

which AI agents exist
what systems they access
what permissions they hold
what data they process
who owns them

That must change quickly.

AI agents should be treated as managed operational assets with clear ownership and lifecycle governance.

2. Apply Least Privilege Aggressively

Many AI deployments currently operate with excessive permissions for convenience.

That is unsustainable.

AI agents should operate with:

constrained access scopes
segmented permissions
time-limited credentials
monitored API activity
restricted tool invocation

The principle of least privilege matters even more in autonomous environments.

3. Treat AI Runtime Behaviour as an Assurance Problem

The industry increasingly needs continuous validation rather than static approval models.

Security teams should focus on:

runtime monitoring
behavioural drift detection
evidence freshness
control verification
anomalous workflow analysis

This aligns closely with broader Continuous Control Monitoring (CCM) approaches already emerging across cybersecurity assurance programmes.

4. Update Governance Frameworks

Most governance structures were not designed for autonomous operational actors.

Boards, risk committees, and security leadership teams need clearer accountability models around:

AI deployment ownership
operational risk tolerance
human override mechanisms
auditability
resilience testing
third-party AI exposure

The governance gap is becoming as important as the technical gap.

Final Thought

AI agents are not simply another cybersecurity trend. They represent a structural change in how digital systems operate.

The organisations that succeed will not necessarily be those deploying AI fastest.

They will be the organisations that can answer:

what their AI systems are doing
what authority they possess
how they are governed
how they are monitored
whether their controls still work under real operational conditions

That is ultimately the real challenge of AI security in 2026.

Not visibility alone.

But provable assurance.

Sources and further reading:

Mythos AI: What Security Leaders Should Do Next

2026-05-07T07:00:00.000+01:00

The recent discussion around Anthropic’s Claude Mythos Preview and Project Glasswing has caught the attention of the cybersecurity industry for good reason.

Mythos is not just another AI announcement. It is being positioned as a frontier model with advanced cybersecurity capability, particularly around finding and exploiting software vulnerabilities. Anthropic has stated that Project Glasswing is intended to give selected defenders early access to this capability to help secure critical software, rather than releasing the model broadly.

Cisco has also published guidance following its work with Mythos, explaining that it is changing its near-term threat modelling of AI-enabled attackers and issuing defensive recommendations for customers. That is the important point.

Whether Mythos itself remains tightly controlled or not, the direction of travel is clear. AI-enabled vulnerability discovery and exploitation capability is improving quickly. Security teams need to prepare for a world where attackers can find, chain and act on weaknesses faster than many organisations can currently respond.

Why Mythos Matters

The concern is not that every attacker suddenly has access to Mythos today.

The concern is that Mythos shows what is becoming possible.

If AI can accelerate vulnerability discovery, exploit development and attack path analysis, then the defensive timeline changes. Security teams cannot rely on slow review cycles, stale evidence or manual-only response models when the speed of threat discovery is increasing.

This does not mean the fundamentals no longer matter.

It means they matter more.

Cisco’s guidance focuses heavily on strengthening fundamentals such as phishing-resistant MFA, Zero Trust, least privilege for AI agents, disciplined patch management and full asset visibility. It also highlights removing end-of-life systems, automating detection and containment, embedding active defences and using AI defensively for threat hunting, validation and testing.

That is where the practical response needs to start.

The Risk Is Speed

Many organisations still manage cyber risk through processes designed for a slower environment.

Monthly reporting.
Quarterly reviews.
Annual testing.
Periodic evidence collection.
Manual triage.
Long remediation cycles.

Those activities still have a place, but they are not enough on their own.

AI-enabled attackers will not wait for the next governance cycle. They will look for exposed systems, weak identity controls, unpatched vulnerabilities, misconfigured cloud services and overlooked legacy platforms.

The key question becomes:

Can we identify and reduce exposure quickly enough?

That is a very different question from simply asking whether a control exists.

What Security Leaders Should Focus On

The response to Mythos should not be panic, hype or rushing to buy more AI tooling.

It should be disciplined improvement in the areas that matter most.

1. Strengthen Security Fundamentals

Start with the controls that reduce the most likely paths of attack:

Phishing-resistant MFA.
Least privilege.
Complete asset visibility.
Disciplined patch management.
Removal of end-of-life systems.
Secure configuration.
Segmentation.
Logging and monitoring.
Tested incident response.

These are not new ideas. The challenge is proving they are actually working across the environment.

2. Reduce Structural Risk

End-of-life platforms, unsupported systems and brittle legacy dependencies become more dangerous when attackers can find and chain weaknesses faster.

This is not just a technology hygiene issue.

It is a resilience issue.

Organisations should be clear on where structural risk exists, who owns it, what compensating controls are in place and by when the risk will be reduced.

3. Automate Where Speed Matters

Manual response will always have a role, especially where decisions affect operations. But manual-only models will struggle against AI-driven attack velocity.

Security teams should look at where automation can safely support:

Detection.
Enrichment.
Prioritisation.
Containment.
Evidence collection.
Control validation.

The aim is not blind automation.

The aim is controlled speed.

4. Apply Least Privilege to AI Agents

One important point in the Cisco guidance is that least privilege must also apply to AI agents.

That is a point worth taking seriously.

AI agents may interact with systems, APIs, data, workflows and security tooling. If they are not properly governed, they can become powerful operational pathways.

Security teams should be asking:

What can the agent access?
What actions can it take?
Who approved that access?
How is activity logged?
How is behaviour reviewed?
How is access removed when no longer needed?

AI agents should not sit outside normal identity, access and change control disciplines.

5. Improve Control Assurance

This is where Mythos becomes especially relevant.

It is not enough to say controls exist.

Security leaders need confidence that key controls are operating effectively and that the evidence behind them is current.

For example, if patch compliance is reported as high, are internet-facing assets included? Are exceptions approved? Are unsupported systems visible? Does asset inventory match the patching data?

If MFA is reported as complete, are privileged users covered? Are break-glass accounts monitored? Are service accounts excluded? Are temporary bypasses reviewed?

If endpoint protection is deployed, are agents active, current and reporting from all in-scope assets?

This is the practical value of control assurance. It challenges assumptions before attackers do.

What Boards Should Ask

The Mythos discussion should also sharpen board-level cyber questions.

Instead of only asking:

Are we secure?

Boards should increasingly ask:

How quickly can we identify exposure?
How fresh is our control evidence?
Which critical systems still rely on unsupported technology?
Where are we dependent on manual response?
Are AI agents governed through least privilege?
Can we prove key controls are operating effectively?

These are practical questions. They move the conversation away from confidence statements and towards evidence.

Using AI Defensively

AI should not only be seen as an attacker advantage.

Defenders should also use AI where it improves speed, analysis and prioritisation. That might include threat hunting, vulnerability analysis, configuration review, testing, simulation and control validation.

But AI-generated outputs still need challenge.

AI can support assurance, but it should not replace evidence.

Final Thoughts

Mythos matters because it signals where cybersecurity is heading.

AI-enabled capability is likely to make vulnerability discovery, exploit chaining and attack planning faster. That increases pressure on organisations still relying on slow remediation, incomplete visibility and periodic assurance.

The answer is not fear.

The answer is preparation.

Strengthen the fundamentals. Reduce structural risk. Improve visibility. Automate carefully. Govern AI agents. Validate controls with current evidence.

At Cybersecurity Expert UK, I am continuing to explore these themes around practical cyber resilience, assurance and measurable control effectiveness.

I have also been developing AI Labs tools to help security leaders think through exposure, control assurance and operational resilience in a more practical way, including:

Threat Exposure Analysis.
Control Assurance Validation.
Operational Resilience Mapping.
Cyber Control Failure Simulation.

You can explore the AI Labs tools here:

AI Labs – Provable Cyber Resilience Tools

The core message is simple.

In an AI-accelerated threat environment, assumptions will not be enough.

Security leaders need evidence they can trust.

Adaptive Security Leadership in an Expanding Threat Surface

2026-04-30T02:00:00.000+01:00

Last week I joined fellow security leaders at CISO Inspire Summit North for a panel discussion on The Expanding Threat Surface: Adaptive Security Leadership for 2026 and Beyond.

It was a timely discussion, because the challenge facing security leaders today is not simply more threats. It is more connections, more dependencies, and more complexity. Suppliers, SaaS, identities, automation and distributed ways of working have all expanded the attack surface in ways that traditional control models often struggle to keep pace with.

One theme I returned to during the discussion was that many cyber risks are not new. They are often familiar control failures appearing at greater scale and speed.

That matters, because it shifts the focus from chasing every emerging technology risk to strengthening fundamentals.

Security fundamentals still matter most
Identity, ownership, visibility and resilience remain foundational.

As organisations scale, risk often hides where ownership is unclear, where no one truly owns a critical service, a supplier dependency, or a privileged access path.

Adaptive security leadership is not simply about adding more controls. It is about making sure the right controls are owned, evidenced, validated and able to hold under pressure.

Visibility alone is not assurance
Another discussion point was the danger of equating visibility with confidence.

Dashboards can inform. They do not, on their own, assure.

Confidence should come not just from seeing controls, but from evidence they work in practice.

That distinction matters even more as regulatory expectations increase and boards ask harder questions about resilience, not merely compliance.

Complexity is becoming a risk in itself
One point raised during the panel was that we may sometimes over-engineer controls while under-investing in fundamentals.

Complexity can create blind spots.

Adaptive leadership often means simplifying security, making the secure path the default, and reducing friction rather than adding layers that become difficult to sustain.

In many cases resilience improves not through more complexity, but through clearer ownership, stronger validation and simpler control design.

Zero Trust is a direction, not a destination
We also touched on Zero Trust, which is often discussed as an architectural ambition.

I tend to see it more practically.

Strong identity, least privilege, continuous validation and measurable progress matter far more than treating Zero Trust as a finished state.

It is less a destination than a discipline.

One practical takeaway
If there was one practical action I would emphasise, it would be this:

Make ownership explicit for critical services, then test one real failure end-to-end.
That often reveals more about operational resilience than many reporting packs ever will.
Turning assumptions into proven resilience remains one of the most important shifts organisations can make.

Final reflection
A strong message from the session was that adaptive security leadership today is increasingly about judgement, accountability and evidence.

Not just technology.

Not just compliance.

But proving controls hold when conditions are less than perfect.

That is where confidence is built.

Thanks again to the organisers, moderator and fellow panellists for a thoughtful discussion.

AI Agents, Security Culture and a Conversation at Abbey Road Studios

2026-04-26T13:08:39.367+01:00

I recently joined a panel at the iconic Abbey Road Studios to discuss a provocative theme: Your AI agent doesn’t care about your security culture.

HotTopics Studio: Abbey Road Studios Event

It captures an important truth. AI will often scale the quality of the environment it is given, whether that environment is built on strong governance and effective controls, or weak assumptions and poor oversight.

One of the themes explored was accountability. As organisations move from experimenting with AI to operationalising it, the challenge is not only what AI can do, but who governs it, how outcomes are verified, and how control effectiveness keeps pace.

My own takeaway was simple: AI does not compensate for weak controls. It can amplify them.

A fitting discussion in an iconic setting.

What the UK Cyber Security & Resilience Bill Means for Security Practitioners

2026-03-25T23:58:00.006+00:00

The UK Cyber Security & Resilience Bill is progressing through Parliament Royal Assent expected later in 2026.

The UK's Cyber Security and Resilience Bill is working its way through Parliament, and if you haven't started paying serious attention yet, now is the time. Introduced to the House of Commons in November 2025, the Bill represents the most significant overhaul of UK cyber regulation since the NIS Regulations in 2018, and its implications for security practitioners are immediate and practical.

What's Actually Changing
At its core, the Bill expands the existing Network and Information Systems regulatory framework. It brings more organisations into scope, imposes stricter incident notification requirements, and hands regulators substantially more enforcement power. Secondary legislation and statutory Codes of Practice will follow, but the primary architecture of what you'll be working within is already taking shape.

One of the most significant shifts for practitioners working in or alongside managed services is the creation of a new regulated entity category: the Relevant Managed Service Provider (RMSP). For the first time, MSPs providing services to in-scope sectors face direct regulatory obligations. If your organisation is an MSP, or relies heavily on one, your compliance exposure has materially changed.

⚠ Key Point - Incident Reporting Timelines

The Bill introduces two-stage incident reporting: an initial notification within 24 hours and a full report within 72 hours, with copies sent to the NCSC. Your detection, triage, and escalation workflows need to meet these timelines under real pressure, not just on paper.

Penalties That Command Attention

The financial exposure for non-compliance is substantial and should feature prominently in any board-level conversation about investment in cyber controls.

Maximum Penalty Structure

Standard maximum penalty - £10m or 2% of global turnover
Higher maximum (serious breaches) - £17m or 4% of worldwide turnover
Continuing contraventions (daily) - Up to £100,000 per day
Extended ceiling (exceptional cases) - Up to 10% of worldwide turnover

These are not hypothetical. Regulators will also gain cost recovery powers, able to levy periodic fees to fund their oversight activities. Expect more active enforcement, not passive monitoring.

UK vs NIS2: Don't Assume Alignment
If your organisation already operates under the EU's NIS2 framework, a critical warning: the UK Bill and NIS2 share objectives but diverge in material ways. Reporting thresholds differ, customer notification requirements differ, and the sectors in scope are structured differently. A NIS2-aligned incident response playbook will not automatically satisfy UK obligations.

Practitioners managing cross-border environments will need jurisdiction-specific runbooks. A single process attempting to satisfy both simultaneously risks failing both under pressure.
Supply Chain Risk Is Now Statutory

The Bill introduces the concept of designated "critical suppliers" organisations whose compromise could cause major disruption to the economy or wider society, even if they are not themselves regulated entities. These suppliers will receive formal written notice and will have the right to make representations or appeal.

Secondary legislation will likely impose specific supply chain security obligations on regulated entities potentially including contractual requirements, security assessments, and continuity planning mandates. The era of passing a questionnaire and considering supply chain risk managed is ending.

🔗 Supply Chain Reality Check

Without consolidated visibility across cloud platforms, SaaS providers, and outsourced partners, your compliance posture is built on assumptions, not evidence. The Bill will expose that gap when regulators come calling.

What Practitioners Should Do Now
The Bill has passed its Report Stage in the Commons and is heading to the House of Lords. Royal Assent is expected later in 2026. Waiting for the final text before acting is not a defensible position.

Determine whether your organisation or key MSPs fall into newly in-scope categories, including data centres with Rated IT Load above 1 MW
Review incident detection and escalation workflows against the 24-hour initial notification requirement
Map divergence between your current NIS/NIS2 compliance posture and what the UK Bill will require
Audit your supplier assurance programme, move beyond annual questionnaires towards continuous oversight
Engage legal, compliance, and operational teams together; this cannot be owned by security alone
Monitor the Bill's progress and watch for secondary legislation, which will contain the operational detail

The regulatory environment for UK cyber security is shifting substantially. The organisations best placed when the Bill receives Royal Assent will be those treating this as a live operational project, not a future compliance task.

Track the Bill's progress via the UK Parliament Bills tracker and the House of Commons Library briefing.

The True Cost of Cyber Downtime: A UK Board-Level Briefing

2026-03-19T07:00:00.000+00:00

Written by Sean Tilley, Senior Sales Director EMEA at 11:11 Systems

Cyber downtime carries measurable financial consequences, and those consequences are becoming clearer with each major incident. Research from 11:11 Systems shows that 78% of European organisations report losses of up to $500,000 per hour following a cyber-related outage, while 6% face costs exceeding £1 million per hour. When recovery extends beyond containment, the disruption begins to register in revenue performance, contractual exposure, and customer stability rather than remaining confined to the technology function.

For UK leadership teams, the issue centres on continuity of income, fulfilment of obligations, and the strength of customer relationships under strain.

Recovery delays compound risk

Half of organisations surveyed require between one and two weeks to fully recover from a cyber incident. Over that period, cost exposure builds in ways that are rarely reflected in early estimates.

Revenue stalls, particularly where digital platforms underpin billing and subscriptions, while service commitments are breached, supply chains experience secondary disruption, and internal teams divert time and budget away from planned initiatives towards remediation and communications.

Extended recovery places additional pressure on customer relationships, especially in sectors where availability is assumed as standard. Regulatory scrutiny increases in parallel, particularly under UK GDPR and sector-specific resilience requirements, where organisations must demonstrate that appropriate safeguards were established before the incident occurred.

A significant proportion of the cost emerges over time rather than immediately. Insurance premiums adjust at renewal, forensic specialists and legal advisers remain engaged, customer notification programmes continue long after systems are restored, and remediation work extends into future quarters. By the time the full impact is visible, the loss total often exceeds initial projections.

According to Cyber Monitoring Centre recent UK attacks across retail, healthcare and critical infrastructure have collectively cost businesses more than £1.9 billion. At an individual level, even a contained incident can translate into multi-million-pound losses once revenue interruption, remediation spend and longer-term customer attrition are properly accounted for.

Recovery time remains the decisive variable, steadily increasing commercial strain and regulatory attention the longer disruption persists.

For boards, cyber downtime is no longer a technical failure but a test of governance. In the immediate aftermath of an incident, external scrutiny rarely focuses on how the attack occurred. Instead, attention turns to whether leadership understood its exposure, validated recovery assumptions and exercised informed oversight before disruption struck. Where recovery falters, questions follow around board assurance, investment prioritisation and whether resilience was treated as a compliance exercise rather than a core commercial safeguard worthy of sustained board attention. In that context, prolonged downtime can quickly become a proxy for broader leadership risk.

The preparedness gap

Despite recent high-profile incidents, many organisations still overestimate their ability to recover.

Backup environments may exist without having been stress-tested under realistic conditions, recovery objectives are documented but rarely validated, crisis governance structures that appear clear on paper can lose coherence under pressure and visibility across cloud platforms, SaaS providers, and outsourced partners frequently remains incomplete.

Modern enterprises operate across layered digital ecosystems that depend on managed services, third-party infrastructure, and interconnected suppliers, each introducing dependencies that may sit outside direct oversight. Without a consolidated view of these relationships, recovery planning remains fragmented and assumptions around restoration timelines tend to be optimistic rather than proven. When those assumptions fail, cost exposure accelerates quickly.

Resilience as a strategic advantage

The organisations that recover fastest are rarely those with the most technology, but those with the clearest decision rights. During major incidents, value is lost less through system failure than through delayed executive judgement such as uncertainty over who authorises restoration priorities, how customer communications are sequenced, and which commercial trade-offs are acceptable under pressure. Boards that rehearse these decisions in advance shorten recovery by eliminating hesitation at the moment it matters most. In competitive markets, that decisiveness increasingly separates resilient businesses from those that merely survive disruption.

Containing the cost of downtime requires disciplined preparation rather than reactive response.

Scenario-based recovery testing that includes executive leadership brings clarity to decision-making authority, communication sequencing and operational prioritisation, while tabletop exercises expose governance gaps before they are tested in live conditions.

Disaster Recovery as a Service can materially reduce restoration timelines where isolated environments and immutable backups are properly implemented. Equal attention should be given to external dependencies, with clear understanding of partner capabilities, escalation paths, and recovery commitments established in advance of disruption.

Effective resilience planning therefore extends across internal systems, cloud providers, and supply chain partners, ensuring that recovery capability is aligned rather than siloed.

Preparation does not prevent incidents, but it materially reduces their financial and operational impact.

What This Means for Boards

The commercial exposure created by cyber downtime is now quantifiable and, in many cases, escalating. The central question for boards is how effectively the organisation can absorb disruption without sustained damage to revenue, customer trust or regulatory standing.

Organisations that embed recovery capability into broader business planning place themselves in a stronger position to manage that exposure with discipline, control and credibility.

When insider risk is a wellbeing issue, not just a disciplinary one

2026-03-16T00:30:00.030+00:00

Written by Katie Barnett, Director of Cyber Security at Toro Solutions

Insider risk is still often framed around intent, with the focus placed on malicious employees, disgruntled contractors, or deliberate misuse of access for personal gain.
Those cases exist and they matter, but they are rarely where risk first begins, and they do not reflect how most insider-related incidents actually develop.

In reality, many cases take shape slowly and quietly. They are shaped by pressure, fatigue, disengagement, coercion, manipulation or personal strain rather than hostility. The behaviour that later causes harm is often preceded by long periods of stress, isolation, being influenced or unresolved workplace issues. By the time someone is formally labelled an insider threat,the opportunity for early, proportionate support has usually passed, and the organisation is left with far fewer options.

This is why treating insider risk purely as a disciplinary or compliance issue consistently falls short. In many situations, the underlying issue is one of wellbeing first, with security consequences following later, whether the organisation recognises that link or not.

The scale of the problem

Insiders are a significant and consistent factor in security incidents. Accenture[1] has reported that a significant proportion of security incidents involve insiders, many of which are linked not to sophisticated intent, but to frustration, opportunism, or poor judgement under pressure.

Research from the Ponemon Institute[2] also shows that many employees who leave an organisation take some form of sensitive data with them, often without seeing it as wrongdoing. These findings do not mean that most people are inherently risky. They show how easily people can justify their actions when they feel unsupported, unheard, or under strain.

Despite this, insider risk is still often pushed aside or handled in isolation. In many organisations it moves between HR, security, and legal teams without a shared understanding of what is really driving behaviour. When this happens, patterns are missed and early warning signs become normal, until a more serious incident finally brings the issue to senior attention.

How insider risk really develops

Insider risk rarely begins with a clear breach of policy. More often we find that it develops incrementally through small changes in behaviour that are easy to explain away, particularly in high-pressure or highly trusted roles.

Someone may start working excessive hours to manage workload, gradually bypassing controls that feel obstructive rather than protective. They may disengage from colleagues, become defensive when challenged, or withdraw from routine interaction. None of this suggests malicious intent in isolation, but it often marks the point at which judgement can begin to erode.

In roles with wide access and limited oversight, these issues can go unnoticed for a long time. As people grow more comfortable with the systems, informal shortcuts start to feel normal, and risk builds in the background. By the time leadership becomes aware, it’s often because something has already gone wrong.

In some cases, the influence is external. Individuals may be targeted by criminals, competitors or organised groups who exploit personal vulnerabilities, financial stress or emotional pressure. This does not always look like blackmail or explicit threats. It can begin with flattery, requests for small favours, or appeals to sympathy, and gradually escalate into access, information sharing or rule-bending that feels difficult to refuse.

Coercion does not always come from outside. In some environments it can arise internally through power imbalances, unrealistic expectations, or pressure from senior colleagues that makes it hard to say no without fear of consequences.

Connection without closeness

Modern ways of working have added a new layer of complexity. We are more digitally connected than ever, yet many people now experience their work in relative isolation. Messages replace face to face conversations, context gets lost, and informal check-ins happen far less often.

Judgement does not exist in a vacuum. Stress, fatigue, and emotional strain shape how people interpret information and how carefully they make decisions. When pressure rises and support feels distant, people are more likely to misread situations, take shortcuts, or justify behaviour they would normally question.

This is not just a wellbeing issue. It is a resilience issue. Emotional strain narrows perspective and makes people more open to influence, whether that influence comes from outside the organisation or from their own internal reasoning.

Why the wider environment matters

These dynamics are being intensified by wider economic uncertainty. Prolonged cost-of-living pressures, geopolitical instability, and sustained disruption across global markets are all putting strain on individuals’ finances.

Financial pressure affects how people behave. It makes it harder to focus, increases anxiety, and can reduce how seriously people think about consequences. Some may even feel they have little left to lose. This does not mean they intend to do harm, but it does raise risk, especially for those who have access to sensitive systems, information, or assets.

From a security point of view, money stress increases risk. When organisations treat financial wellbeing as separate from security, they overlook an important part of the problem.

Financial strain also increases susceptibility to manipulation. People under pressure are more likely to respond to offers of help, opportunities to “fix” problems quickly, or requests that promise relief from stress. From a security perspective, this creates conditions where coercion becomes easier and more effective, even when individuals have no intention of causing harm.
Why controls alone are not enough

When insider risk is identified, organisations often respond in a technical way by tightening access, increasing monitoring, and reinforcing policies, but while these actions are important, they rarely address the underlying conditions that allowed the risk to develop in the first place.

Controls alone do not reduce burnout. Monitoring does not ease financial pressure, and policy reminders do not restore sound judgement. In some situations, a poorly timed escalation can actually increase feelings of mistrust or isolation, which pushes risk further underground instead of resolving it.

Both research and practical experience show that behavioural warning signs often appear before any technical breach occurs, including changes in performance, disengagement, conflict with management, and financial difficulty, and when organisations wait until behaviour crosses a formal threshold, their options become limited and the consequences are usually far more severe.

What “support as prevention” looks like in practice

Support does not mean ignoring misconduct or lowering standards, but instead means expanding the prevention toolkit so organisations can step in earlier, when the impact is lower and when individuals still have realistic options.

In practice, this often includes:

Clear, normalised escalation routes, so staff can raise concerns without automatically triggering a disciplinary process.
Line managers trained to notice and act on changes in behaviour, workload strain, or disengagement, and to involve the right functions early.
Shared ownership between HR, security, and operational leadership, so people risk does not fall between organisational boundaries.
Proportionate, temporary risk management, such as short-term access adjustments or additional oversight while a personal issue is being addressed.

This approach reflects the direction set out in UK protective security guidance, which emphasises treating insider events as connected, strengthening leadership understanding, and addressing the reasons insider risk is often deprioritised or avoided.
Culture determines whether people speak up

In many insider cases, colleagues notice warning signs but decide not to raise them because they worry about getting someone into trouble, triggering an investigation, or being seen as overreacting.

Where people believe that raising concerns will lead to fair and supportive action, reporting becomes more likely, but where they expect blame or punishment, staying silent feels safer.

This is not a training failure. It is a cultural one.

A quieter form of prevention

The most effective insider risk programmes are often the least visible because they are built into everyday management practice, supported by leadership, and grounded in trust, and they recognise that people are both the greatest asset and the most complex part of any security system.

In a world that is increasingly connected but emotionally fragmented, emotional and financial pressures are no longer side issues. They are part of the risk landscape.

For organisations that are serious about resilience, insider risk must be understood not only through controls and compliance, but also through culture, support, and leadership judgement, and this shift does not weaken security. It strengthens it.

Building Trust in AI SOC Analyst Solutions: A UK and EU CISO Perspective

2026-03-13T00:02:00.002+00:00

By Brett Candon, VP International at Dropzone AI

Trust has always been critical in security operations, but in the UK and Europe it carries significant regulatory weight. GDPR, NIS2 and similar related data‑protection frameworks shape far more than legal risk, they directly influence architectural decisions, supplier selection, and how security data can be accessed, processed and reviewed. That becomes more pronounced as autonomous AI systems move from proof‑of‑concept to daily SOC tooling.

The appeal is undeniable. Faster investigations, more consistent outcomes, and the ability to scale Tier‑1 response are all compelling. However, without clear answers on data flows, access and accountability, AI introduces risk as easily as it removes it. And speed alone does not result in trust.

Against this backdrop, AI‑native approaches to SOC operations are gaining traction, grounded in the idea that autonomy, transparency, and repeatability must be foundational design principles rather than retrofitted controls. These systems are positioned to investigate alerts end‑to‑end using agent‑based reasoning, producing structured, auditable outputs in minutes. If implemented with the right governance, this operating model has the potential to meet the elevated trust and accountability expectations that characterise UK and EU security environments.

Data Sensitivity Changes the Trust Model

However, as SOC data often contains personal data, whether in endpoint identifiers, usernames, IP mapping, or embedded message content, it requires a closer look at where the investigative work happens and who performs it. This is particularly true for UK and European users that must adhere to GDPR. If a platform relies on offshore human review behind the scenes, organisations may be exposing sensitive operational context to jurisdictions with different privacy standards.

As a result, interest in autonomous SOC analysis extends beyond speed and efficiency. It reflects a desire to reduce opaque manual processes and replace them with systems that can complete investigations independently, while still producing outputs that are auditable, jurisdictionally compliant. For UK and EU organisations, autonomy only builds trust when it removes uncertainty rather than creating new blind spots. Customers need to be in control of what the AI is investigating, have visibility of what it is doing and have control over the output.

Explainability and Accuracy Are Key Trust Factors

For CISOs, explainability forms the next pillar of trust. An alert closed in seconds means little if the underlying reasoning behind the decision cannot be reviewed. Boards, auditors and regulators increasingly expect security leaders to justify decisions with evidence. Investigation reports need to show what data was examined, which hypotheses were tested, and how conclusions were reached. AI systems that show this reasoning are far better suited to audit review, incident analysis, and regulatory inquiry than those that operate as black boxes.

As European AI regulatory frameworks move from legislative text to supervisory enforcement, CISOs should expect closer scrutiny of how AI‑assisted decisions are documented, monitored, and justified after the fact.

Accuracy is another key pillar of trust. European buyers are sceptical of headline claims that cannot be verified. False‑positive and false‑negative rates only matter if they hold up under real-world conditions. This has increased interest in evaluation models that allow security teams to test AI‑driven investigation capabilities against their own data, rather than relying solely on vendor‑curated demonstrations. In environments shaped by due diligence and evidence, the ability to validate claims independently is itself is a signal of trust.

From Alert Volume to Analyst Impact

Strategically, the shift toward autonomous SOC operations goes beyond incremental optimisation. It reflects a broader move away from manpower‑bound, alert‑driven models toward operating frameworks that allow AI to absorb routine investigative workload and free experienced analysts to focus on high‑impact decisions.

Advances in large language models and agent‑based reasoning have made this shift technically possible, while market pressure and workforce constraints have made it necessary. Importantly, industry research increasingly positions this transition as augmentation rather than replacement, a distinction that resonates strongly in European environments and balancing transformation with workforce responsibility.

None of this removes buyer accountability. UK and EU CISOs still need to apply the same rigour they would to any high‑sensitivity platform, with questions tailored to AI’s specific risk. This starts with end-to-end data-flow transparency to where data is processed, what categories are ingested, and how artefacts are stored or discarded.

It also includes understanding whether investigative workflows involve human access outside approved jurisdictions. It requires assessing explainability through real investigation outputs including evidence citation, and decision traceability.

Finally, it demands validation of accuracy and consistency under realistic conditions. Public metrics may provide context, but operational value is determined locally.

What Trust Looks Like Going Forward

Trust builds over time. Market maturity, breadth of deployment, and exposure to real-world scrutiny all contribute to confidence in any emerging operating model. In conservative buying environments, these signals provide evidence that systems have been tested across varied conditions and constraints. Staged rollouts, reference checks, and contractual clarity remain best practice, particularly when incident response decisions may later be examined by regulators or courts.

Looking ahead, the question for UK and EU CISOs is no longer whether AI will play a role in the SOC – it already does – but how to deploy it without compromising sovereignty, privacy, or auditability. The path forward lies in autonomy that supports security teams by reducing opaque processes, investigations that make their reasoning visible, and performance claims that can be tested rather than taken on trust.

In a region where trust is both a security principle and a legal requirement, AI systems that are transparent in operation, verifiable in design, and accountable in outcome will earn their place at the centre of modern SOCs.

AI Is Moving Faster Than Security Controls

2026-03-08T23:57:00.007+00:00

AI is entering organisations faster than the security controls designed to govern it.

Artificial intelligence is rapidly becoming embedded across organisations.

AI assistants are now writing code, summarising documents, analysing data, and supporting operational decisions.

What began as experimentation is quickly becoming operational dependency.

For security teams, the challenge is not simply adopting AI. The real challenge is understanding how AI changes the way cybersecurity controls need to be validated.

In many organisations, AI tools are already interacting with corporate data, internal systems, and operational workflows.

Yet when security leaders ask a simple question

“How do we know these AI systems are operating within our control boundaries?”

…the answer is often less clear than expected.

Why AI Security Controls Are Different

Traditional software behaves in predictable ways. Security teams can audit code, validate configuration, monitor logs, and confirm whether controls are operating as intended.

AI systems behave differently.

Modern AI models generate probabilistic outputs rather than deterministic ones. The same prompt may produce different responses, models can evolve through updates, and outputs may influence decisions that were never explicitly coded into the system.

This creates a shift in how security controls need to be assessed.

Controls designed for traditional systems do not always translate neatly into AI-driven environments.

Examples are already appearing in practice:

AI coding assistants generating insecure or non-compliant code
Employees uploading confidential documents into AI tools
AI platforms accessing internal data through integrations
AI agents interacting with APIs or automation platforms beyond their intended scope

In many cases, organisations technically have policies that cover these scenarios.

The real challenge is proving those policies are actually effective in practice.

The Growing Problem of Shadow AI

Just as “Shadow IT” emerged when employees adopted unsanctioned cloud services, many organisations are now experiencing Shadow AI.

Employees are increasingly using AI tools independently to improve productivity. These tools often bypass procurement processes, security reviews, and governance frameworks

Common examples include:

Uploading documents into AI summarisation tools
Using AI assistants to analyse internal reports or spreadsheets
Generating code snippets with public AI models
Connecting AI plug-ins to automate existing workflows

From a security perspective, this creates several unknowns.

Organisations may not know:

Which AI tools are being used
What data is being shared with them
Whether prompts or outputs are stored externally
How AI-generated outputs influence operational decisions

The result is a widening gap between policy intent and operational reality.

AI Governance Without Visibility

Many organisations have already responded to AI risk by introducing policies, governance groups, or internal guidance.

These are important foundations.

But policy alone does not create assurance.

The real question is whether organisations can demonstrate that controls around AI usage are actually working.

That means being able to answer questions such as:

Do we know where AI tools are being used across the organisation?
Can we detect when sensitive data is submitted to external AI services?
Are AI-generated outputs influencing critical processes without validation?
Do we monitor AI integrations and access permissions?

Without measurable answers, AI governance risks becoming another form of dashboard compliance.

Controls may appear compliant on paper but lack operational validation.

Moving Toward Practical AI Security Assurance

Organisations that are managing AI adoption successfully are beginning to treat AI risk in the same way they treat other critical security controls.

The focus shifts from policy statements to evidence, monitoring, and validation.

Practical steps increasingly include:

Maintaining an inventory of approved AI systems
Monitoring integrations and API activity
Detecting data flows to external AI platforms
Ensuring human oversight for critical AI outputs
Continuously reviewing permissions and access scope

These measures do not remove risk entirely.

But they shift the conversation from:

“Do we have an AI policy?” to the far more important question

“Can we prove our AI controls are working?

The Next Cybersecurity Challenge

Every major technology shift has forced organisations to rethink how security controls are validated.

Cloud computing did. DevOps did. SaaS platforms did. AI is now doing the same.

The organisations that manage this transition successfully will not necessarily be those that deploy AI the fastest.

They will be the ones that understand how to measure and validate the controls surrounding it.

Because in cybersecurity, the most important question is rarely whether a control exists.

The real question is whether it works.

NCSC Warns UK Organisations to Prepare for Potential Iran-Linked Cyber Activity

2026-03-03T21:51:00.007+00:00

Geopolitical conflict rarely stays confined to physical battlefields. Increasingly, it spills into the digital domain. The latest escalation of tensions in the Middle East has prompted the UK’s National Cyber Security Centre (NCSC) to issue a warning to organisations to review their cyber security posture and prepare for possible cyber activity linked to Iran.

While the NCSC has stressed that there is currently no confirmed significant increase in direct cyber threats to the UK, it has warned that the situation is fast-moving and organisations should remain alert.

Rising Tensions and Cyber Spillover
The warning follows a sharp escalation in the regional conflict involving Iran, the United States and Israel. Military developments have been accompanied by cyber activity targeting digital infrastructure and online services in the region, highlighting how modern conflicts now run across both physical and digital fronts.

In response, the NCSC has advised UK organisations to review their cyber defences and ensure they are prepared for possible disruption. The agency noted that while the direct cyber threat level to the UK has not significantly changed, there is “almost certainly a heightened risk of indirect cyber threat” for organisations with operations, assets or supply chains in the Middle East.

This includes potential activity from Iranian state actors as well as Iran-aligned hacktivist groups.

Iran’s established Cyber Capabilities
Iran has long viewed cyber operations as a strategic tool that allows it to project influence asymmetrically against more technologically advanced adversaries. Over the past decade, Iranian cyber groups have targeted sectors such as energy, finance, transportation and government networks.

Previous campaigns linked to Iranian actors have included destructive malware operations, espionage campaigns and disruptive attacks against critical infrastructure. For example, the widely documented Operation Cleaver campaign targeted energy and transportation organisations globally.

Although Iranian cyber capabilities are generally considered less sophisticated than those of Russia or China, they have demonstrated a willingness to conduct disruptive and politically motivated attacks.

What the NCSC is advising Organisations to do

The NCSC’s guidance is not calling for panic, but it does emphasise the importance of cyber resilience during periods of geopolitical instability.

Organisations are advised to:

Review their external attack surface and internet-exposed services
Increase monitoring for suspicious activity
Prepare for common threat tactics such as phishing and distributed denial-of-service (DDoS) attacks
Ensure patching and vulnerability management processes are up to date
Review incident response plans and escalation procedures

The NCSC has also encouraged organisations to sign up to its Early Warning service, which provides alerts about potential security issues affecting UK networks.

The Risk of Opportunistic Cyber Activity
One important point highlighted in the advisory is that not all cyber activity during geopolitical crises comes directly from state actors.

Periods of international tension often attract:
politically motivated hacktivists
cybercriminal groups seeking to exploit confusion
proxy actors aligned with nation-state interests

These groups may launch attacks intended to disrupt services, deface websites or leak stolen data for political impact.

A Reminder for Boards and Security Teams
Events like this are a reminder that cyber risk does not exist in isolation from geopolitical developments. Organisations operating globally, particularly those with supply chains or business interests in politically sensitive regions, must assume that digital infrastructure could become collateral damage during international conflicts.

For security teams, the key takeaway is not that a wave of attacks is imminent, but that situational awareness and operational readiness matter.

Cyber resilience is most effective when organisations treat security posture reviews as routine practice rather than emergency reactions.

Sources:
• National Cyber Security Centre alert: https://www.ncsc.gov.uk/news/ncsc-advises-uk-organisations-take-action-following-conflict-in-the-middle-east

AI in the SOC: Why Complete Autonomy Is the Wrong Goal

2026-02-20T07:30:00.001+00:00

Dan Petrillo, VP of Product at BlueVoyant

As artificial intelligence (AI) becomes more deeply embedded in security operations, a divide has emerged in how its role is defined. Some argue the security operations centre (SOC) should be fully autonomous, with AI replacing human analysts. Others believe that augmentation is the right path, using AI to support and extend existing teams.

Augmentation probably reflects how SOCs operate in practice. It helps analysts triage alerts, investigate incidents faster, and it brings better context into their work, while still ensuring humans are accountable for decisions.

Complete autonomy assumes a level of reliable, end-to-end decision-making that can operate without continuous human oversight. That’s a high bar. In real SOC environments, the technology, data quality, and operational constraints rarely support that assumption. Detection pipelines are noisy, context is fragmented across tools, and threat signals often require human judgment to interpret correctly. Even the most advanced automation struggles with edge cases, ambiguous alerts, and the dynamic nature of attacker behaviour.

Why an Autonomous SOC Falls Short

Delving deeper and examining why AI cannot fully replace SOC analysts; in short, it comes down to the oversimplification of the complexities inherent in what security operations involve. Investigation is only one part of a functioning SOC. Organisations also depend on experienced practitioners to interpret ambiguous signals, manage escalation, and communicate risk to senior leadership. When incidents become business issues, that same expertise is required to apply judgement, coordinate stakeholders, and produce reporting that stands up to scrutiny.

When something goes wrong, such as a logging failure, a broken parser following a third-party firewall update, or months of missing telemetry, automated systems cannot resolve the issue alone. Human expertise is needed to understand context, reconstruct events, and guide remediation.

Governance is another constraint. The cost of false negatives remains unacceptably high, and security leaders are unlikely to deploy solutions that act without clear oversight. Even where AI can execute parts of a workflow, organisations still require process controls, quality checks, and human validation for complex or unfamiliar scenarios. A fully autonomous model cannot reliably make the right judgement call in every situation, particularly when decisions carry real business impact.

Accuracy risks also remain. AI systems can make mistakes, draw incorrect conclusions, or miss important signals if left unchecked. Human oversight therefore remains essential to spot errors early and prevent them from turning into operational problems.

Ultimately, fully autonomous SOC models ask organisations to trade human judgement and accountability for AI that is still maturing. That trade-off is impractical in an environment where consequences are measured in real-world disruption.

Why AI in the SOC Is Still Essential

However, none of the above suggests that AI does not have a place in the SOC. When implemented with purpose it delivers measurable improvements in the areas where teams are under the most pressure.

AI can take on repetitive, high-volume tasks such as alert triage and enrichment, allowing analysts to focus on more complex investigations, decision-making, and response. Deployed effectively, AI in the SOC is essential to reclaiming human time from low value activity, enabling teams to apply expertise where it has the greatest operational payoff.

Some of the most significant benefits of integrating AI agents into human-led SOC teams include:

Workload reduction: AI can handle repetitive, high-volume tasks such as alert triage, dynamic enrichment, and report generation, reducing analyst fatigue and operational backlog.
Process consistency: AI helps standardise workflows across varying skill levels, smoothing differences in tool syntax and operating procedures so teams perform more consistently.
Improved alert quality: By incorporating external threat intelligence, control telemetry, and asset context, AI can reduce false positives and support more accurate prioritisation.
Faster decision-making: Attack timelines, path mapping, and context-rich summaries enable analysts to assess scope, impact, and containment options more quickly.
Knowledge retention: AI working alongside human analysts captures operational insights over time, mitigating the impact of staff churn and preserving institutional knowledge. It can also identify patterns that may be missed by individuals and recommend rules or remediations accordingly.
Always on: AI doesn’t need breaks, get tired, fall ill, take holidays, or turn up late. It becomes a consistently reliable coworker for stretched teams working under pressure.

Where Augmentation Delivers the Most Value

AI delivers the greatest value when applied to SOC activities that are slow, manual, or prone to inconsistency, while keeping humans accountable for decisions and execution.

Augmentation should be introduced first in areas where AI can speed up analysis, surface insight, and support judgement, without removing human oversight. Below are a few areas where you might consider using AI to augment your team:

Alert triage: False-positive reduction, dynamic enrichment, and contextual prioritisation using threat intelligence, asset criticality, and exposure data.
Augmented investigations: Natural language querying, attack path and timeline visualisation, and suggested queries that speed root-cause analysis.
Incident and case summarisation: Automated executive- and GRC-ready reporting that consolidates findings with clear, decision-ready context.
Hypothesis generation: Continuous pattern and behaviour analysis to surface new detections, investigative approaches, and remediation opportunities for human approval.
Operational oversight: AI that learns expected procedures and flags process deviations, bottlenecks, or underperformance for leadership attention.
Response recommendations: Context-aware guidance and playbook generation, with optional integration-driven execution remaining under human control.

What This Means for Security Teams

Security teams manage millions of investigations every year, even after automating many routine cases. While automation can streamline these routine tasks, full autonomy remains unrealistic. The most critical stages of an investigation still rely on human judgement, context and accountability.

AI will continue to enhance the speed, scale and consistency of security operations, but the SOC of the future will remain human led, with AI augmenting, not replacing, analysts. Organisations that adopt AI in targeted, outcome driven ways will scale more effectively, reduce risk and preserve institutional knowledge. As threats evolve, AI augmented SOC teams will not only keep pace but stay ahead of adversaries.

It’s 2026. Why are the basics still being missed?

2026-02-15T11:34:00.017+00:00

Written by Katie Barnett, Director of Cyber Security, and Gavin Wilson, Director of Physical Security and Risk, at Toro Solutions

After spending years working with organisations on security, one thing becomes hard to ignore. When something serious happens, the root causes are sadly rarely surprising and there is often a sense of inevitability to them. Access that was never quite tidied up, controls that were written down but not really enforced, multi factor authentication that was recommended but not mandatory or decisions that made sense in the moment and were never revisited.

Last year’s headlines about the Louvre brought this into focus. The Louvre Museum, the world’s most visited cultural landmark, faced heavy criticism after investigators revealed that its internal video surveillance system was protected by the password “Louvre.” This came after a daylight heist in which thieves stole French Crown Jewels valued at over $100 million. The striking thing was not how bold the theft was, but how familiar the weakness behind it felt.

It would be comforting to see that as a one-off mistake, but it rarely is. The Louvre was simply visible. Similar assumptions exist inside many organisations, often sitting quietly in the background while attention is pulled towards more immediate concerns. In most cases, people are not unaware of the issues they are just not the ones that shout the loudest.

As you will know there is no shortage of discussion about how the threat landscape is changing, it’s changing every day. AI, geopolitical tension, supply chain exposure and the blending of physical and cyber risks are all moving fast and often featuring heavily in conversations with leadership. However, at the same time, whilst the big conversations are happening it is not unusual to walk into environments where access is loosely understood, vulnerabilities have been accepted by default, and physical security relies on a shared sense of trust rather than consistent control.

Access and identity management is a good example of how this plays out. Access is granted to keep work moving, which is usually the right decision at the time, but we find that what happens less reliably is the follow-up. Projects end, people change roles, suppliers move on, and amid increasingly demanding workloads, access is forgotten or missed and remains because removing it is never a priority. Over time, confidence creeps in where certainty should exist, and that only becomes obvious when something goes wrong.

This is also where passwords and multi-factor authentication continue to cause problems, despite years of attention. It’s been drilled into everyone that passwords alone are weak, reused and easily compromised. Multi-factor authentication (MFA) is now heavily recommended across organisations, yet it is still common to find critical systems without MFA enabled, with MFA applied inconsistently, or disabled because it caused friction. Exceptions become normal and service accounts are excluded because they always have been. None of these decisions feel dramatic on their own, but together they leave credential compromise as one of the easiest ways in.

The Louvre example resonates precisely because it reduces this to something uncomfortably simple. A globally recognised institution, with significant resources, still relying on a password that offered little real protection for a critical system. This is not a technology problem; it's just what happens when basic controls are never quite treated as urgent enough to demand sustained attention.

Vulnerability management tends to follow a similar path. Patching is rarely ignored outright instead it is delayed, deferred and worked around, often for understandable reasons. Each decision feels small, but the cumulative effect is not. When an incident eventually occurs, it is often described as sophisticated or unavoidable, even when the weakness involved had been known about for some time and often one that could be easily resolved.

Physical security is another area where every day behaviour quietly undermines formal controls. We have all seen people wearing work badges in public places or holding secure doors open because it feels impolite not to. These moments are easy to dismiss, but they say a lot about how security is experienced day to day. In environments where physical access can be the door opener for cyber compromise, those behaviours carry more weight than many organisations realise.

Third-party risk is similar. Businesses rely on suppliers to function, and that reliance grows each year. Initial checks are usually done with good intent, but ongoing scrutiny is harder to sustain. Access persists, assumptions build, and visibility fades. When incidents occur through these routes, the surprise often comes from how little the organisation really knew about its own exposure.

Response and recovery are where many of these gaps finally surface. Plans exist, backups are in place, and there is confidence that people will respond sensibly under pressure. In reality, uncertainty plays a bigger role than expected. Decisions take longer and responsibilities are less clear. Recovery takes more effort than anticipated and the damage often comes as much from this uncertainty which causes delay as from the original incident.

The reason the basics continue to be missed is not a lack of knowledge or capability. It is that foundational security work rarely feels urgent, and it competes constantly with an ever-changing risk landscape and slick tools and initiatives that promise growth, efficiency or innovation. The basics do not generate visible wins when they work, and they rarely fail in isolation and as a result, risk accumulates quietly as it is normalised by the absence of immediate consequence.

The organisations that make genuine progress take a different approach. They accept that security fundamentals require ongoing attention, not periodic clean-up. Access is treated as something that changes continuously, physical security is reinforced through everyday behaviour, not just policy and response and recovery are practised because disruption is assumed, not because it is feared.

As 2026 progresses, the question is no longer whether threats will continue to evolve. They will. The more challenging question is whether organisations are prepared to be disciplined about the things they already know matter. Until the basics are given the same weight as innovation and growth, we will continue to see familiar failures surface in very public ways, followed by the same uncomfortable question of how something so simple was missed again.

UK Cybersecurity Weekly News Roundup - 31 March 2025

2025-03-31T01:02:00.001+01:00

UK Cybersecurity Weekly News Roundup - 31 March 2025

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

UK Warned of Inadequate Readiness Against State-Backed Cyberattacks

Cybersecurity experts have sounded the alarm over the UK's growing vulnerability to state-sponsored cyber threats. A recent report by the National Cyber Security Centre (NCSC) shows a 16% increase in severe cyber incidents affecting national infrastructure in 2024. A worrying 64% of public sector IT leaders said they are unsure about best practices, with legacy systems worsening the risk. As digital transformation accelerates, public infrastructure like energy and healthcare face increasing exposure to ransomware and espionage. Read more

NCSC Publishes Roadmap for Post-Quantum Cryptography Migration

The NCSC has published official guidance on migrating to post-quantum cryptography (PQC) to protect against future quantum computing threats. The document urges critical infrastructure operators to begin preparations now, with system discovery and risk assessments expected by 2028. Full migration should be completed by 2035. The roadmap highlights the need for cryptographic agility and risk-based planning in anticipation of quantum threats. Read more

UK Government to Update Software Vendor Security Code of Practice

Following a public consultation, the UK government will publish a revised voluntary code of practice for software vendors later this year. The updated framework will include clearer technical requirements and a new attestation mechanism for vendors to demonstrate compliance. The initiative aims to raise the standard of cybersecurity in commercial software used by UK businesses and public services. Read more

Google Patches Actively Exploited Chrome Zero-Day (CVE-2025-2783)

Google has released an emergency update for Chrome to patch CVE-2025-2783, a high-severity zero-day vulnerability that was being actively exploited in the wild. The flaw allowed attackers to bypass sandbox protections. All users are urged to update their browsers immediately. This marks the second major Chrome zero-day reported in 2025. Read more

UK Considers Ransomware Payment Ban for Public Sector

A proposal to ban ransomware payments by UK public sector and critical infrastructure organizations is under review. While the policy aims to discourage threat actors, experts warn that it may increase the pressure on under-prepared organizations and push attacks toward entities with no ability to recover quickly

UK Cybersecurity Weekly News Roundup - 23 March 2025

2025-03-24T01:23:00.000+00:00

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

NHS Scotland Confirms Cyberattack Disruption

On 20 March 2025, NHS Scotland reported a major cyber incident that caused network outages across multiple health boards. The cyberattack disrupted clinical systems and led to delayed patient care, with staff reverting to paper-based processes. The incident has been linked to a suspected ransomware group, although official attribution is still pending. Investigations are ongoing with support from the National Cyber Security Centre (NCSC).

Further coverage from The Register confirmed that some systems were taken offline to prevent further spread, while emergency care remained operational. The affected regions included NHS Dumfries and Galloway, which issued a statement urging patients to only attend if absolutely necessary. (Read more on The Register)

NCSC Weekly Threat Report – 22 March 2025

The NCSC's latest threat report highlights ongoing exploitation of known vulnerabilities in Progress Telerik UI by state-aligned threat actors. The report urges UK organisations to patch vulnerable systems immediately, as attackers continue to target unpatched web servers.

Additionally, the NCSC notes an increase in malicious QR code campaigns—so-called "quishing"—where attackers embed phishing URLs into QR codes used in emails, posters, or even receipts. Organisations are advised to educate staff and implement QR code scanning policies.

Cyber Threats on the Rise as UK Eyes General Election

As the UK gears up for a general election later this year, the NCSC has raised concerns over potential interference campaigns and disinformation efforts by hostile states. Security services are reportedly on high alert, coordinating with political parties to bolster cyber resilience. While no major incidents have been reported yet, the threat landscape is being closely monitored.

Quick Bytes

New phishing campaign mimics HMRC emails demanding urgent tax repayment. Be vigilant and double-check all official correspondence.
UK universities warned of increased targeting by espionage-motivated groups, particularly in the fields of AI and quantum computing.
ICO fines a London-based telemarketing firm £130,000 for unlawful data use and non-compliance with GDPR.

That’s all for this week! Stay tuned for more updates, and follow best practices to keep your systems secure.

➡️ Previous Post: UK Cybersecurity Weekly News Roundup - 17 March 2025

UK Cybersecurity Weekly News Roundup - 16 March 2025

2025-03-16T09:43:00.000+00:00

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

UK Government's Stance on Encryption Raises Global Concerns

The UK government has ordered Apple to provide backdoor access to iCloud users' encrypted backups under the Investigatory Powers Act of 2016. This secret order applies not just to UK users but potentially to Apple users worldwide. In response, Apple has removed its Advanced Data Protection feature in the UK, expressing disappointment. This move has significant implications, raising concerns about global user privacy and security. Experts argue that creating backdoors compromises overall security, potentially allowing malicious entities to gain access. Apple's compliance or resistance will set a precedent for other governments seeking similar access. Read more

Sellafield Nuclear Site Improves Physical Security Amid Cybersecurity Concerns

Sellafield, the world's largest plutonium store, has been taken out of special measures for physical security by the UK's nuclear industry regulator, the Office for Nuclear Regulation (ONR). This decision follows significant improvements in guarding arrangements, allowing routine inspections instead of enhanced regulatory oversight. However, concerns regarding its cybersecurity remain. Last year, Sellafield was fined almost £400,000 for cybersecurity failings, allegedly involving hacking groups linked to Russia and China. While there was no conclusive evidence of a successful cyber-attack, cybersecurity remains a critical concern. Read more

UK Businesses Face Significant Financial Impact from Cyberattacks

In the past five years, cyberattacks have cost British businesses approximately £44 billion ($55.08 billion) in lost revenue, with 52% of private sector companies experiencing at least one attack during that period, according to insurance broker Howden. On average, these attacks cost companies 1.9% of their annual revenue. Larger companies, with over £100 million in annual revenue, are more likely to be targeted. Despite the significant risk, only 61% of businesses employ anti-virus software, and only 55% use network firewalls, due to cost and lack of internal IT resources. Read more

Global Sanctions Target Russian Cybercrime Network

The United States, United Kingdom, and Australia have jointly sanctioned Zservers, a Russian bulletproof web-hosting service provider, and two Russian operators linked to it for supporting the LockBit ransomware syndicate. The U.S. Treasury Department's Office of Foreign Assets Control, along with its U.K. and Australian counterparts, targeted Zservers for facilitating LockBit attacks by providing specialized servers resistant to law enforcement actions. Lock

UK Cybersecurity Weekly News Roundup – 9 March 2025

2025-03-09T20:16:00.001+00:00

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

Microsoft Engineer's Transition to Cybersecurity

Ankit Masrani, a 36-year-old software engineer, successfully transitioned into a cybersecurity role at Microsoft. With a background in IT and a Master's degree in computer science, Masrani secured an internship and later a full-time position at AWS, focusing on data and network security. He now serves as a principal software engineer on Microsoft's Security Platform team, emphasizing the importance of skills in big data technologies, machine learning, cloud services, and comprehensive security knowledge for such career pivots. Read more

StubHub Breach: Taylor Swift Tickets Stolen

Cybercriminals exploited a backdoor in StubHub's system, stealing nearly 1,000 tickets, primarily for Taylor Swift's Eras Tour, resulting in over $600,000 in profits. The breach highlights vulnerabilities in ticketing platforms and the need for robust cybersecurity measures to protect consumer interests. Learn more

UK's Cyber Security and Resilience Bill Introduced

The UK government has introduced the Cyber Security and Resilience Bill, aiming to update existing regulations and strengthen the nation's cyber defenses. The legislation seeks to expand regulatory oversight, enforce stringent cybersecurity measures across various sectors, and introduce mandatory compliance with established standards to protect critical infrastructure and the digital economy. Details here

British Library Cyberattack: A Wake-Up Call

In October 2023, the British Library suffered a significant ransomware attack by the Rhysida group, leading to the theft of approximately 600GB of data. The attack disrupted services, delayed payments to authors, and highlighted vulnerabilities in cultural institutions. Recovery efforts are ongoing, emphasizing the need for robust cybersecurity measures in public sector organizations. More information

Global Impact: US Charges Chinese Hackers

The US Department of Justice has charged 12 Chinese nationals, including hackers and government officials, for their roles in extensive cybercrime campaigns targeting dissidents, news organizations, U.S. agencies, and universities. This action underscores the growing concerns over state-sponsored cyber espionage and the need for international cooperation in cybersecurity. Read the full story

Protecting Your Devices: Recent TV Box Malware Attack

TV owners are urged to perform essential security checks following a cyber attack affecting 1.6 million Android TV devices. Hackers infiltrated home networks through TVs, stealing data and using devices to mine cryptocurrencies, leading to increased energy bills. Users should update devices, uninstall unused apps, install anti-malware software, and avoid third-party vendors to safeguard against such threats. Learn how to protect your devices

Stay informed and vigilant to protect your digital assets in this evolving cybersecurity landscape.

UK Cybersecurity Weekly News Roundup – 2 March 2025

2025-03-03T00:25:00.006+00:00

UK Government's Encryption Demands Lead to Apple's Data Protection Withdrawal

The UK government has mandated that Apple provide access to encrypted iCloud backups under the Investigatory Powers Act of 2016. In response, Apple has withdrawn its "Advanced Data Protection" feature for UK users, citing concerns over user privacy and security. This move has sparked a global debate on the balance between national security and individual privacy rights. Read more

International Sanctions Target Russian Cybercrime Network

The United States, United Kingdom, and Australia have jointly imposed sanctions on Russian web-hosting provider Zservers and two Russian nationals for supporting the ransomware group LockBit. This group has been linked to numerous high-profile cyberattacks, including those on Boeing and the UK's National Health Service, extorting over $120 million since 2019. Learn more

Sellafield Nuclear Site Improves Physical Security Amid Cybersecurity Concerns

The UK's Office for Nuclear Regulation has acknowledged significant improvements in physical security at the Sellafield nuclear site, leading to its removal from special measures. However, ongoing cybersecurity challenges persist, highlighting the need for continued vigilance in protecting critical infrastructure. Details here

Google Expands AI Initiatives in Poland to Enhance Energy and Cybersecurity

Google has signed a memorandum with Poland to develop artificial intelligence applications in the energy and cybersecurity sectors. This initiative aims to bolster Poland's technological infrastructure and reduce reliance on external energy sources, amidst increasing cyber threats. More information

US Department of Homeland Security Overhauls Cybersecurity Personnel

The Department of Homeland Security is set to terminate 12 employees from the Cybersecurity and Infrastructure Security Agency involved in monitoring misinformation. Additionally, all election security activities are temporarily paused to assess implications on free speech, reflecting ongoing debates about the role of federal agencies in regulating information. Read the full story

AI Safety Policies Shift Focus Towards Security

Recent policy changes in the US and UK are reframing AI safety as a security-focused issue, potentially sidelining ethical considerations such as bias and content accuracy. This shift has raised concerns among experts about the comprehensive governance of AI technologies. Explore the implications

Polish Space Agency Suffers Cyberattack

The Polish Space Agency (POLSA) detected unauthorized access to its IT infrastructure, prompting immediate security measures. Investigations are underway to identify the perpetrators, amid ongoing concerns about cyber threats targeting national agencies. Find out more

Australian IVF Clinic Hacked, Exposing Sensitive Patient Data

Genea, an Australian IVF clinic, suffered a ransomware attack by the group Termite, compromising nearly a terabyte of sensitive patient data. The breach has raised significant concerns about data security in healthcare institutions. Read more

US Treasury Department Breached by Chinese Hackers

The US Treasury Department disclosed a significant cybersecurity breach attributed to Chinese state-sponsored actors. The attackers accessed unclassified documents, highlighting vulnerabilities in federal cybersecurity defenses. Learn more

UK's War on Encryption Affects Global User Privacy

The UK's demand for access to encrypted iCloud data under the Investigatory Powers Act has led to Apple's withdrawal of its Advanced Data Protection feature for UK users. This move has significant implications for global user privacy and sets a concerning precedent for government overreach into personal data. Read the a

UK Cybersecurity Weekly News Roundup – 24 February 2025

2025-02-24T01:53:00.005+00:00

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

Home Office Contractor's Data Collection Sparks Privacy Concerns

The Home Office faces scrutiny after revelations that its contractor, Equifax, collected data on British citizens while conducting financial checks on migrants applying for fee waivers. A report mistakenly sent to the Refugee and Migrant Forum of Essex and London (Ramfel) contained information on 260 individuals dating back to 1986, raising significant privacy issues. The Home Office has ceased using Equifax for visa fee waiver processing pending an investigation into the potential data breach. Read more

Apple Withdraws Advanced Data Protection in the UK Amid Government Dispute

Apple has removed its Advanced Data Protection (ADP) feature for UK users following a dispute with the British government. The government demanded access to encrypted material on Apple's iCloud under new evidence-collection powers. Apple, opposing the creation of a "back door" to its encryption service, opted to discontinue ADP in the UK. This decision highlights ongoing tensions between tech companies and governments over privacy and security regulations. Learn more

Sellafield Nuclear Site Improves Physical Security but Cyber Concerns Persist

The UK's Office for Nuclear Regulation (ONR) has removed Sellafield nuclear site from special measures concerning physical security, citing significant improvements. However, concerns over cybersecurity remain. Sellafield has been under scrutiny due to previous safety issues and cybersecurity deficiencies. Collaborative efforts are ongoing to address these challenges as the site continues to manage the nation's nuclear waste. Full story

UK Government Introduces AI Cybersecurity Standards

The UK government has unveiled a new Code of Practice aimed at protecting AI systems from cyber-attacks. This initiative seeks to provide businesses and public services with guidelines to secure AI technologies, thereby safeguarding the digital economy. The voluntary code is expected to form the basis of a global standard for AI security, reinforcing the UK's position as a leader in safe technological innovation. Details here

Cyberattacks Cost UK Businesses Over £40 Billion in Five Years

Recent findings reveal that cyberattacks have cost British businesses approximately £40 billion in lost revenue over the past five years. More than half of private sector companies have experienced at least one attack, with compromised emails and data theft being the most common threats. Despite the increasing risks, many businesses lack adequate cybersecurity measures, often due to high costs and limited IT resources. Read the report

Stay tuned for more updates and insights in our next weekly roundup.

Prevention is Better Than Cure: The Ransomware Evolution

2021-09-13T18:32:00.003+01:00

Ransomware tactics have continued to evolve over the years, and remain a prominent threat to both SMBs and larger organisations. Particularly during the peak of COVID-19, research by IBM found that ransomware incidents ‘exploded’ in June 2020, which saw twice as many ransomware attacks as the month prior, taking advantage of remote workers being away from the help of IT teams. The same research found that demands by cyber attackers are also increasing to as much as £31 million, which for businesses of any size, is detrimental for survival.

In recent months, ransomware attacks have not left mainstream media headlines. And with the number and frequency of ransomware attacks increasing, not to mention the innovation in distribution methods, this should be a wake-up call for organisations to strengthen their defences. Jack Garnsey, Product Manager Security Awareness Training and SafeSend, VIPRE explains that by taking a preventative approach, businesses can take the necessary steps to strengthen their cybersecurity posture. This includes a combination of education, processes, hardware and software to detect, combat and recover from such attacks if they were to arise.

Ransomware in the 21st Century
Ransomware is not a new phenomenon, but its use has grown exponentially and has led to the development of the term ‘Ransomware as a Service' (RaaS), which is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute attacks.

As ransomware incidents become more sophisticated and frequent, such as the increase in fileless attacks which exploit tools and features that are already available in the victim’s environment, the level of potential damage to a business is heightened. These types of attacks can be used in combination with social engineering targeting, such as phishing emails, without having to rely on file-based payloads. And unfortunately, ransomware is extremely difficult to prevent – all it takes is one employee clicking on the wrong link in an email or downloading a malicious attachment.

No matter the size of an organisation, the effects of ransomware can be devastating financially, as well as inflicting longer-term damage to business reputation. The Irish Department of Health and Health Service Executive (HSE) was recently attacked by The Conti ransomware group, who reportedly asked the Health Service for $20 million (£14 million) to restore access. This attack caused substantial cancellations to outpatient services, part of a system already stretched to the max due to COVID-19. Some ransomware gangs operate by a flimsy code of "ethics", stating they don't intend to endanger lives, but even if a minority of ransomware organisations are developing a sense of conscience, businesses are not exempt from the damage that can be done from such attacks.

Additionally, in the US, Colonial Pipeline paid the cyber-criminal group DarkSide nearly $5m (£3.6m) in ransom, following a cyber-attack that took its service down for five days, causing supplies to tighten across the US. Unfortunately when under attack, a majority of businesses, such as the major pipeline, often pay the ransom. Luckily for Colonial Pipeline, some of the money was later recovered by the American Department Of Justice's Ransomware and Digital Extortion Task Force. But if they pay once – they will pay multiple times. A successful ransomware attack can be used various times against many organisations, turning an attack into a cash cow for criminal organisations offering Ransomware as a Service. So much so, that there is now an ongoing debate around whether it should be illegal for businesses or an individual to pay a ransom in order to try and deter the attackers, or at the minimum, to at least report it to the necessary regulators.

Contain and Report It
If a ransomware attack were to take place, it is important that the organisation works with local authorities to try to rectify the issue and follow the guidance. Often, many ransomware attacks go unreported – and this is where a lot of criminal power lies.

Prevention is always better than cure, and damage limitation and containment are important right from the outset. As the United States President, Joe Biden, highlighted in his recent letter to business leaders around ransomware: “The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations, rather than a simple risk of data theft will react and recover more effectively.”

Most organisations should have a detailed disaster recovery plan in place and if they don’t, they should rectify this immediately. The key to every disaster recovery plan is backups. Once the breach has been contained, businesses can get back up and running quickly and relatively easily, allowing for maximum business continuity.

As soon as the main threat has passed, it is recommended that all organisations conduct a full retrospective audit, ideally without blame or scapegoats, and share their findings and steps taken with the world. Full disclosure is helpful – not only for the customer, client or patient reassurances but also for other organisations to understand how they can prevent an attack of this type from being successful again.

The Support of Digital Tools
When it comes to ransomware, the importance of getting security foundations right must be emphasised. These attacks are not likely to stop or slow any time soon, but their success can be prevented with the right security armoury.

Particularly to mitigate the threat of ransomware, it is crucial to have secure endpoint protection in place which protects the files, application and network layer across a number of devices, and respond to security alerts in real-time. This has never been more important than during the ongoing pandemic, where employees are dispersed and working from home in order to ensure all devices are protected and comply with the same standards.

Additionally, solutions such as email attachment and URL sandboxing are also vital, as these digital tools provide vital protection against malicious emails. They can help prevent dangerous links, attachments or forms of malware from entering the user's inbox by examining and quarantining them. By filtering out this traffic and automatically restricting dangerous content, businesses can maintain greater control over email and the access points to the network.

The Human Layer
The users themselves are a key part of any security strategy. Those who are educated about the types of threats they could be vulnerable to, how to spot them and the steps to take in the event of a suspected breach, are a valuable and critical asset to any organisation.

Employees need to be trained to be vigilant, cautious, suspicious and assume their role as the last line of defence when all else fails. The final decision to click send on an email or a link lies with the human, but this one click could mean the entire organisation falls prey to a ransomware attack. The key is to change the mindset from full reliance on IT, to one where everyone is responsible. In order to strengthen a business’ human layer protection, security awareness training and education must be implemented across the board.

These programmes are designed to support users in understanding the role they play in helping to combat attacks and malware. Using phishing simulations, for example, as part of the wider security strategy, will help to give employees insight into real life situations they may face at any point. The importance of testing your human firewall was also outlined in Joe Biden’s ransomware letter: “Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.”

Conclusion
Cyber security is a multi-faceted, complicated area, and one which must receive investment in each layer, from the technology to the people, to the tools we give to the users. Nevertheless, businesses of all sizes can safeguard their data and themselves from these types of ransomware attacks by investing in their cybersecurity and ensuring their workforces are conscious and informed of the threats they face.

Both detection and prevention play a key role in stopping ransomware, but it shouldn’t be one or the other. The essence of a solid cybersecurity strategy is a layered defence that includes endpoint detection and response, email security, advanced threat protection, web security and a business-grade firewall for the security of your network – at its most basic. But even with the most sophisticated software in place, hackers make it their mission to stay one step ahead of IT defences. That is why regular training, in addition to complementary security tools which reinforce security best practices, can provide a fortified strategy for users to mitigate the threat of a cyberattack.

How Businesses Can Utilise Penetration Testing

2021-08-13T14:00:00.002+01:00

Understand your security vulnerabilities

Article by Beau Peters

The basic approaches like phishing simulations are good, but they tend to have limited reach. This is why more agile methods, penetration testing among them, have been getting increasing attention. In essence, this sees experts with a background in ethical hacking utilizing the techniques of cybercriminals to breach a business’ systems. This also receives a certain amount of hesitancy — business owners are often unsure about the idea of letting somebody hack their systems in the name of cybersecurity.

As always, there is more to this issue. So, let’s explore what penetration testing is, why businesses should engage with it and how they can do so to get the most impact.

What are the Benefits?
Penetration testing requires a significant amount of trust. Therefore, it’s important to look at what the payoffs of this approach are as opposed to ostensibly safer techniques.

Some of the key benefits include:

Ascertaining Vulnerabilities

Penetration testing tends to be the most direct and reliable approach to identifying what parts of a company’s systems are vulnerable to attack. In general, testers will go through each aspect of the network architecture, the website and software code, applications, and hardware to identify where weaknesses lie. This doesn’t just apply to external threats but internal issues, too.

These experts are also approaching their review of a business’ systems with the creative, outside-of-the-box thinking cybercriminals are likely to use. As such, companies benefit from perspectives not usually offered by in-house information technology staff. Once points of vulnerability have been identified, the tester will often provide information about what issues are the highest priority to handle based on the severity of the risk and the consequences.

Maintaining Trust

Perhaps above all else, the benefit of penetration testing is the opportunity to maintain and strengthen trust between a business, its customers, and its supply chain. This is vital given the amount of consumer and partner data companies are gathering and storing. Security is particularly vital in cases when companies are undergoing data democratization — where important data is not just accessible to analysts and leadership but to all members of the organization.

This can be an empowering use of data, helping workers to understand how best to use and protect such information. However, alongside practical obstacles like deficient tools and siloed data, there is a need to prevent breaches. Penetration testing identifies where risks are throughout democratization practices, giving businesses the tools to strengthen their approaches. In turn, consumers and suppliers are assured their data is used to its best purpose and kept safe.

Understand the Needs
While penetration testing utilizes curious, creative ethical hackers, businesses shouldn’t be mistaken in thinking this means it’s a simple process. It requires technological experts who usually go through at least five stages of protocols — from planning the right approach for the goals of the test to analyzing the data they’ve received and compiling a detailed report. The testing methodologies, too, can vary depending on the circumstances. As such, to make the most out of the process, businesses need to have a clear idea of what their needs are.

Some of the common tests and the relevant needs they serve include:

Application Testing

Many brands are producing their own apps to improve customer engagement. However, consistent data security can be difficult to achieve, particularly when working across multiple operating systems. Application penetration testing is used to spot flaws in the current security systems, as well as how they interact with user’s devices and represent vulnerabilities to consumers.

Physical Testing

Businesses often think cybersecurity attacks will originate remotely. But when a company keeps its servers and equipment on-site, there is potential for criminals to break into the premises and cause a breach. Hacks may even come from staff. Physical penetration testing should, therefore, be sought to understand whether the equipment is vulnerable to the types of tools and methods in-person hackers may use.

Wireless Testing

Businesses are increasingly utilizing wireless tools for integral parts of operations. This includes capturing sensitive data, through contactless payment machines or sensors on devices in the Internet of Things (IoT) that track and control the supply chain. Wireless penetration testing can be used to understand how easy it is to illicitly collect data or even disrupt operations through the connected ecosystem. They’ll also confirm where stricter measures need to be in place to prevent access.

Finding the Right Expert
Having established what pen testing is and how it can fit in with a business, how can companies find the right people for the job? After all, one of the key concerns companies have in this area is that they are essentially hiring hackers — there’s a lot of social and legal baggage accompanying this activity.

When bringing on a consultant or hiring an in-house tester, the best approach is to look for relevant certification. Some of the most recognized examples here include the Certified Ethical Hacker licenses issued by the International Council of E-Commerce Consultants (EC-Council), and the Certified Penetration Tester course offered by the Information Assurance Certification Review Board (IACRB). Global Information Assurance Certification (GIAC) also provides various specialized qualifications that are considered to be reliable. These courses are designed to provide knowledge not just about the technical skills to positively impact a business, but also the ethical standards to help make sure testers are staying on the right moral and legal track throughout their activities.

Conclusion
Penetration testing is an agile tool offering various benefits for businesses, including maintaining trust and highlighting points of vulnerability. However, it’s important to remember that getting the most out of the process requires clarity on the company’s challenges and goals for testing, alongside sourcing the relevant certified tester to collaborate with.

Payment Security: Understanding the Four Corner Model

2021-07-28T19:40:00.006+01:00

Introduction
Online shopping digital payment transactions may seem quite simple, but in reality, just one single transaction sets off multiple, long-chain reactions. The Payment Card Industry comprises debit cards, credit cards, prepaid, e-purse/e-wallet, and POS payment transactions that enable easy payment transactions for consumers. However, the card scheme is a popular payment transaction process which is also a central payment network that uses credit and debit cards to process payments.

The card scheme comes in two variants namely the Three-Party Scheme and the Four Party Scheme payment model. The Four Corner Model also popularly known as Four-Party Scheme is the model under which most of the payment systems in the world operate. It is used in almost all standard card payment systems around the globe. So, explaining in detail the payment model, we have shared details on how the Four Corner Model works while also explain the role of every entity involved in it

The Payment Network: Four Corner Payment Security Model

The Four Corner Model of Payment Security and How it Works
The card payment network, often called the Four Party Scheme, comprises multiple entities involved in an online transaction. The entities involved would include the Cardholder, the Merchant, the Issuer, and the Acquirer. So, before moving on to understanding how the Four Corner Model works, let us briefly learn about the entities involved and their role in the process.

Cardholder
Cardholders are the consumers who are issued a debit or credit card by a financial institution, such as a bank. The cardholder is a client of the issuing financial institution and may have an account directly linked to the payment card. The cardholder uses the card to make financial transactions for products or services they avail from businesses.

Merchant
Merchants are organisations that accept card payments from cardholders for the products or services they offer to them. These can be merchants offering “Card Present Payment” digital payment options such as card swipe terminals and/or “Card Not Present” digital payment options such as online portals or even using modes such as UPI at the POS itself.) For instance, the e-commerce platforms, restaurants, hotels, and shops equipped with POS payment terminals, etc. can be termed as merchants. For that matter even an ATM can be termed as a Merchant as the primary role of the merchant is to “accept” payment cards.

Issuer/Issuing Bank
The issuer is the Financial Institution that issues the payment card to the cardholder. It is generally the bank that issues a payment card which could be a debit card, credit card, or prepaid card. However, it is important to note the issuing bank on behalf of various payment card brands like Visa, Mastercard, American Express etc provides customers with payment cards. This can even be a private payment brand or network like a domestic scheme. But it is the issuing bank that is responsible for the security of the payment card, the cryptography, and the other relevant security controls.

Acquirer
An acquirer is basically a software and hardware vendor who provide a medium or a tool for accepting payment cards to the Merchants. They are a third-party system and not the bank where the merchant has an account. So, an acquirer provides hardware or a software application to the merchant for accepting card payments and process the transactions. That said, the acquirer is responsible for managing the final return authorization codes from a transaction and ensures the merchant delivers the goods or services based on the payments received. Examples for this can be Razorpay, PayU, Paytm, etc.

How the Four Corner Model Works
The Four Corner Model triggers when a consumer makes a payment online with a payment card for products or services purchased from the merchant. This triggers the event or flow of payment authentication and processing with various entities involved in the process. However, for this to happen a cardholder needs to have a payment card while the POS terminal of the merchant must be able to accept the payment card.

So, when a customer makes a payment with the card, an authorization request transmits from the merchant's POS terminal to the acquirer, and then to the issuer who either returns a positive or negative response which then again goes back to the merchant and then to the cardholder. The authorization process and response can be obererved on the POS terminal screen. It is important to note that the authorization requests and associated responses are transmitted via the card networks like VISA and MasterCard or a vast network of switches, gateways, and servers by card scheme network. On receiving a positive response from the issuing bank, the merchant processes the delivery of the goods or services to the client. At this point, it is also important to note that the Four Corner Model can also be a Three Corner Model if the Acquirer bank is skipped in the process, and the switches and gateways route the authorization flow directly to the Issuer. This makes the payment process less hassle on the payment network and also speeds up the transactions.

While this is just one side of the payment process, now there is the clearing and settlement process that requires the merchant to transmit the transaction details to the acquirer. On receiving the transaction details, the acquirer collects the funds from the cardholders’ account by transmitting the corresponding payment flows to the issuing banks. So finally the merchant bank receives the money only after there is an interbank settlement of funds.

Conclusion
The Four Corner Model is a popular model for online payment transactions. It is a systematic payment transaction process that facilitates end-to-end secure transactions that are ciphered and protected at every stage of the information or payment transmission process. That said, such payment transactions often need HSM and automated key management to prevent hacks or criminal activity during the processing of online payment transactions. It provides the framework for managing numerous keys throughout their life cycles and ensuring secure payment transactions.

Author Bio
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2,

PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

Free Coventry University Course to Help Everyone Protect their Online Privacy

2021-07-13T20:41:00.004+01:00

Now everyone can learn what privacy means, how your privacy is impacted when using the web and mobile apps, and how to protect your privacy online thanks to a free course from Coventry University.

The UK university has worked closely with experts including Pat Walshe at PrivacyMatters to create an informative online course, offering participants easy access to key information about how to keep their online privacy safe.

Coventry University has a strong reputation for its digital education provision and online offering after it was ranked number 1 in the world for the delivery of Massive Online Open Courses (MOOCs) by MOOCLabs for 2021.

With people's information and digital footprint becoming increasingly sought after, the university hopes the course will build further awareness while helping people stay protected online. Typically, data is collected through cookies and pixels on websites or other means such as browser fingerprinting and trackers embedded in mobile apps. Tracking techniques allow multiple parties to learn about the pages you visit, what you click and view, what devices you use and your location, all of which has data protection and privacy implications.

Citizen Scientists Investigating Cookies and App GDPR compliance (CSI-COP), an EU Horizon2020 funded project led by Coventry University, has facilitated the free informal education course, called ‘Your Right to Privacy Online’. The project has already seen the creation of a privacy-by-design, no-tracking website.

The course is designed to help people gain the knowledge and skills to turn off tracking by disabling cookies on websites and changing app permissions on mobile devices. It features an introductory video, practical tasks and activities, a knowledge test and recommended reading to help participants stay safe online.

Huma Shah, Assistant Professor and Researcher in Artificial Intelligence at Coventry University, said: “We’re delighted to be able to tap into the university’s expertise in digital education to deliver this new, accessible and really useful course. The hope is that we can help as many people as possible to protect their online privacy and personal data while using the internet as well as giving them the tools and knowledge to better understand their rights to online privacy.”

Beyond the MOOC, members of the public can join the CSI-COP team as citizen scientists to explore the extent of tracking across the internet. Citizen science is a great way for volunteers to collaborate with research teams, raising awareness of issues impacting society and increasing trust between the general public and scientists.

Pat Walshe, Director for PrivacyMatters, said: “It’s never been more important to help people understand how their privacy is impacted when using websites and mobile apps and to help them protect their rights under data protection and ePrivacy law. I’m glad to see Coventry University working hard to achieve this with the development of this course which I’m sure will help greatly."

Find out more about this new course and the CSI-COP project.