Organisations are realising the importance of securing their operational technology (OT) environments, however many are also finding out that spending alone does not guarantee resilience. Despite adopting new tools and frameworks, core issues persist, these being limited visibility, alert fatigue, and incident response strategies that fail to reflect the operational reality. The reason? Too many approaches are built on IT-centric assumptions.

Working closely with operators of critical infrastructure, we at Dragos frequently encounter well-intentioned security programmes that simply don’t work in practice, because they weren’t designed with OT in mind. It’s no longer a question of why OT security matters. The focus now must be on how to implement it effectively. That begins with thinking differently, and understanding what OT-native security truly looks like.

OT is not just another IT environment

OT environments operate under distinct constraints and priorities. IT security is generally centred on protecting data and managing user access. However, OT security is about maintaining uptime, operational continuity, and safety. A disruption in IT—whether caused by an outage, cyber threat, or unscheduled maintenance— might result in productivity loss. In OT, it could shut down production, essential services such as power and water, or compromise safety systems.

The systems underpinning many OT assets, ranging from programmable logic controllers (PLCs) to SCADA networks, are often decades old and not built with cybersecurity in mind. Many use bespoke protocols, proprietary technologies, and complex hardware combinations that traditional IT tools cannot effectively interrogate.

Vulnerability management must reflect operational constraints

In IT, patching is often the default response to a discovered vulnerability. In OT, it’s rarely that simple. Many industrial systems require months of planning before updates can be deployed. Unplanned downtime is costly and, in some sectors, dangerous.

A more pragmatic approach is required: risk-based vulnerability management that accounts for operational context. Where patching is not immediately feasible or optimal, strategies such as network segmentation, access control, and enhanced monitoring offer mitigations that maintain both uptime and protection.

OT threat detection must be purpose built

Generic anomaly detection, common in IT, produces a high volume of alerts. Many of these alerts are irrelevant in an OT context. This leads to alert fatigue and wasted effort. OT-native detection tools, by contrast, are built around known attacker tactics, techniques and procedures (TTPs) specific to industrial environments.

By focusing on high-fidelity indicators of malicious activity, rather than raw anomalies, these tools enable faster, more decisive responses and help security teams concentrate on what genuinely matters.

OT and IT security must be integrated, but equitably

It is increasingly important for organisations to bring their OT and IT security functions into alignment. But this must be done in a way that respects the unique requirements of each. Too often, integration efforts are driven from the IT side alone, applying unsuitable tools and processes to OT environments.

Successful integration depends on mutual understanding, ensuring that IT and OT teams collaborate on policies, incident response, and risk prioritisation, while still maintaining the protections and performance requirements that OT systems demand.

As cyber threats targeting critical infrastructure become more sophisticated, so too must our response. Many of the most common OT security pitfalls stem not from lack of investment, but from misplaced assumptions – treating OT as an extension of IT, rather than a domain in its own right.

A critical, and often overlooked, component of successful integration is the development of a dedicated OT Incident Response (IR) plan. OT environments have unique operational, safety, and continuity requirements that demand tailored response strategies. Simply adapting existing IT IR plans to OT contexts is insufficient and potentially dangerous. Instead, organisations must invest in OT-specific response plans that account for industrial processes, asset criticality, and the real-world consequences of downtime or missteps.

True resilience 

True resilience depends not only on these dedicated OT IR plans, but also on their seamless integration with existing IT incident response processes. This means establishing clear communication protocols, joint playbooks, and shared situational awareness between IT and OT teams—while respecting the specialised requirements of each environment. Policies, risk prioritisation, and incident escalation procedures must be developed collaboratively to avoid gaps or conflicting actions during a crisis.

However, having plans on paper is not enough. The effectiveness of both OT and integrated IT/OT incident response plans hinges on regular validation through realistic exercises, such as tabletop simulations. These exercises expose gaps, foster mutual understanding, and build confidence among cross-functional teams. They are essential for preparing personnel to respond quickly and appropriately to complex cyber-physical scenarios.

At Dragos, we see this reality every day. The organisations best positioned to withstand future threats are those adopting security practices designed with their operational context in mind. These practices prioritise visibility, safety, and continuity, as much as they do compliance.

It’s safe to say that if you work within the technology industry, you can’t get through a single conversation without AI coming up. And there’s a good reason for that.

Research shows that 78% of CISOs agree that AI-assisted cyber threats are having a significant impact on their organisation, and 45% of cybersecurity professionals do not feel prepared for the reality of AI-powered cyber threats.

However, Dave Spencer, Director of Technical Product Management at Immersive, argues that, irrespective of how concerned you are about AI-powered attacks or risks, the security fundamentals are still what really make the difference in preventing a breach.

He explains why basic cyber hygiene is in danger of being overlooked, and how to ensure businesses are prepared with the relevant cyber skills needed in the age of AI.

How has AI changed security?

Interestingly, AI is being used in rather similar ways by both attackers and defenders. AI tools are employed by both sides to rapidly automate complex or monotonous tasks. Attackers use them to generate more effective phishing interactions, while defenders use them to wade through the flood of security alerts they receive.

Of course, the obvious difference between the two sides is that whilst defenders are bound by a moral and ethical compass, attackers are not. This means cybercriminals are often able to deploy AI tools much faster than security teams can – attackers don’t care about weakening an organisation’s security posture.

Another key consideration is that, by introducing AI into business operations, it becomes yet another piece of technology that the security team must protect. AI can inadvertently create vulnerabilities that attackers can exploit if proper protocols are not in place.

One of the most pressing threats to AI is prompt injection attacks, where attackers trick Large Language Models (LLMs) into revealing sensitive information. Our own researchers have shown that tricking LLMs is not particularly difficult, and you don’t need to be highly technical to gain access to sensitive data.

In fact, we conducted a test in which participants attempted to get a GenAI chatbot to reveal sensitive information, and 88% of them succeeded in at least one level of an increasingly difficult challenge.

Ultimately, while AI has changed the security team’s role on the surface, when you dig deeper, the fundamentals remain the same. This is why strong cyber hygiene practices are more important than ever.

Why is cyber hygiene so important?

When a company is breached, the most common phrase you’ll see in their immediate statement is that a “sophisticated actor breached our systems.” And whilst the group responsible may indeed be sophisticated, the method they used likely wasn’t.

The majority of breaches occur because basic security fundamentals are not being observed. This includes failing to implement and enforce multi-factor authentication (MFA), using weak passwords, and neglecting to patch known vulnerabilities.

Yet, too many organisations are focused on the latest AI tool they could implement. That mindset is dangerous and means they’ll never be ready for a breach, because hygiene fundamentals should form the absolute baseline of any cybersecurity strategy.

It doesn’t matter if you have the latest AI-powered endpoint detection and response tool, if every device can connect to the network and access systems without requiring MFA approval.

So, why is it still such a struggle?

Much of poor cyber hygiene can be traced back to a lack of development in cyber skills across an organisation’s workforce.

Legacy cyber training, such as presentations, e-learning videos, and multiple-choice tests, remains the primary method for developing cyber skills. However, these sessions are often overly generic and fail to address the specific needs of different teams or roles.

Lacking urgency and realism, such training struggles to capture attention, leaving employees disengaged and viewing it as a poor use of their time. It essentially becomes an attendance test rather than a genuine test and development of cyber skills.

If employees are sitting through training thinking it’s a waste of time, they’re not absorbing the security information being provided, and as a result, they’re not developing good security habits. You can’t tell if they’ll be ready for when a real incident happens. Ultimately, if your cyber skills development is rubbish, your cyber hygiene standards will be too.

The core purpose of cyber training is to build readiness in employees, so they know exactly what good security looks like, and more importantly, what to do in the midst of a cyber crisis.

How can we address the problem of cyber hygiene?

We have to ditch ineffective cyber skills development programmes and replace them with training that is engaging and genuinely valuable to employees, which prepares them to deal with cyber risk. This is where cyber simulations come in.

Unlike traditional training, cyber simulations immerse people in realistic, high-pressure scenarios where they must act, not just observe. They test judgement, coordination, and the ability to follow protocols under stress. Crucially, they reinforce both crisis response and core cyber hygiene through repetition and lived experience to build readiness.

Simulations reveal weaknesses that would otherwise remain hidden. A security strategy that seems flawless on paper might have cracks when tested under real-time pressure. This approach equips individuals and teams to spot cyber risks quickly and respond effectively. 

Furthermore, by actively engaging people in cybersecurity, they begin to understand the reasons behind certain practices and decisions. To the average employee, MFA might not mean much, but its importance is crystal clear to someone who understands cybersecurity.

With AI, there’s also the additional challenge that most people don’t know the difference between machine learning, LLMs, agentic AI, supervised data sets, and unsupervised data sets, or what their functions are. If an organisation can’t answer this, then how do they know when and how to leverage AI?

Simulations help employees build their understanding of AI and its distinctions, meaning they know what it’s useful for, and more importantly, understand what the risks are and how to deal with them.

Ultimately, advanced tools can’t protect you if your team isn’t prepared. True cyber resilience isn’t built through annual compliance exercises. It comes from mastering the basics, testing them under pressure, and embedding readiness into the daily rhythm of how teams work, communicate, and make decisions.

When the fate of senior political careers publicly hinges on a single leaked message, the concern isn’t merely the sensational risk of a fall from power; it’s the deeper problem of continued reliance on messaging platforms fundamentally unfit for the demands of public office.

From PM Boris Johnson’s downfall, fuelled by leaked WhatsApp messages revealing how critical decisions were made during the UK’s most severe public health crisis, to the White House’s recent “Signalgate” breach, which exposed details of U.S. military strikes in Yemen, messaging app leaks have become politically fatal. No longer just embarrassing, they seem now to expose national vulnerabilities and dramatically erode public trust. Yet many senior officials still conduct matters of state and national security over consumer-grade platforms like WhatsApp, Signal and Telegram, tools never built for the weight of public office.

As digital communication cements itself at the heart of modern governments, it’s time to face a hard truth: consumer messaging apps are now a structural vulnerability in political infrastructure.

MP Messaging Mayhem: How Apps Took Over the Business of Government

Group chats, DMs, and encrypted threads have quietly replaced cabinet meetings, war rooms and press briefings as the new arenas of political decision-making. During the pandemic, consumer based apps became the UK government’s de facto command centre, where ministers, advisers and scientists debated lockdown restrictions, shaped media narratives, and, in some cases, arranged the very PartyGate rule-breaking gatherings that would later spark national outrage.

Across the Atlantic, Signal seemed to emerge as the preferred ‘secure’ choice among Washington and White House staffers. But time would reveal that encryption alone doesn’t guarantee safety. Without enforced identity checks, audit trails, or granular access controls, even the most encrypted apps leave governments vulnerable to internal leaks and external breaches.

So why do our (we would hope) security-aware leaders still rely on consumer messaging apps? Because they’re fast, familiar, and frictionless, the very qualities that also make them dangerously unaccountable.

Fallout: How Consumer Messaging Leaks Brought Down Two Powerhouses

In the UK, WhatsApp wasn’t just a digital convenience; it was Boris Johnson’s undoing. Leaked messages from Downing Street aides revealed not only a flippant disregard for COVID-19 rules but also active attempts to “get away with” parties while the public remained locked down and facing legal sanctions for contravention. The fallout was unequivocal: resignations, police fines, and ultimately, Johnson’s forced resignation as Prime Minister.

But the damage ran deeper than the fall of a PM. When Johnson refused to hand over unredacted WhatsApp messages to the official COVID-19 Inquiry, it triggered a legal standoff. What began as a straightforward review of pandemic decision-making quickly spiralled into a national debate over privacy, transparency, and the role of private messaging in public office. The inquiry stalled, and public trust eroded further.

In the US, a parallel scandal of equally disturbing magnitude unfolded in April 2025. Dubbed “Signalgate,” it centred on the inadvertent inclusion of a journalist, “JG”, in a Signal group chat discussing classified military operations in Yemen, including precise details of planned airstrikes. While Signal’s encryption remained intact, the breach highlighted a far more human flaw. There was an absence of real time authentication to prove identity and message access controls. Sensitive national security information was exposed not through hacking, but through a basic error, proving that encryption alone is no defence against operational sloppiness and mismanagement. The fallout was swift. Mike Waltz, National Security Advisor, was forced to resign, and the episode served as a stark warning that even encrypted platforms are only as secure as the practices governing their use.

A breakdown of protocol. Another political career ended by insecure messaging.

Why Regulation Is Failing

Most democratic nations pride themselves on transparency and accountability, but messaging apps have quietly circumvented both. Laws like the UK’s Freedom of Information Act and the US Presidential Records Act were drafted in the era of emails and memos. They were never built to handle digital messages, vanishing photos, or encrypted DMs.

This regulatory lag has created a dangerous loophole in the corridors of the central government. Sensitive decisions can be discussed, documented and deleted without scrutiny. Public records are incomplete. FOIA requests go unanswered. Investigators hit encrypted walls. 

Some governments have issued internal guidance. A few have tried to ban consumer messaging apps entirely. But most responses have been reactive, inconsistent, and ultimately toothless. 

The Missing Infrastructure: Identity-Verified Messaging

What’s needed is infrastructure-level change. Just as classified email systems exist for formal communications, secure messaging must evolve from an optional tool to a mandated platform that offers continuous biometric authentication to avoid unintended additions and, most importantly, to ensure messages can only be read by those addressed.

This is where YEO Messaging enters the frame. Designed in Britain, YEO combines military-grade encryption with continuous biometric authentication, requiring users to verify themselves throughout the reading of the message, not just when logging in.

Its platform includes, 

• Geofencing controls — messages are only viewable in permitted physical locations. What goes on in the White House stays in the White House. 
• Continuous Facial Recognition — removing the risk of device theft or spoofing and inadvertent JG’s joining! Ensuring the messages remain confidential after receipt.
• Read-tracking and screenshot blocking — protecting confidentiality and auditability.
• Expiry and recall features — offering politicians dynamic control over sensitive content.
• Message Control – no screenshots, no forwarding, and no copying without sender permission.

YEO Messaging isn’t just a “better WhatsApp” it’s a total rethink of messaging as part of critical national infrastructure.

Conclusion: Trust Begins at the Message Level

In an era defined by information warfare, digital surveillance, accountability and cyber threats, the tools governments use to communicate matter more than ever. They are not politically neutral. They carry risk, shape narratives, and, as we’ve seen, can unmake leaders – fast!

The downfall of Boris Johnson and Mike Waltz and the subsequent unravelling of events that followed wasn’t the result of sophisticated hacking by a foreign state-sponsored actor; it was the consequence of relying on messaging platforms fit for their private lives but grossly unfit for the demands of high office.

We can’t afford another messaging scandal. And we don’t need to. With platforms like YEO Messaging, governments and public institutions now have the chance to reclaim control over their digital communications, and with it, restore confidence in how leadership works in the 21st century.

The Open Web Application Security Project (OWASP) has long been one of the most trusted names in application security. Its most famous project, the OWASP Top 10, has been a go-to resource for developers and security teams alike, offering a standardised list of the most critical web application vulnerabilities. 

Since its introduction, it’s been marketed as a starting point for secure coding practices. But with the next update expected shortly, we must now ask a difficult question: Has the OWASP Top 10 failed us, or have we simply failed to act upon it?

Same List, Same Problems

Let’s be clear: the OWASP Top 10 has value. It brings awareness to critical issues. But when we examine its impact over time, the evidence is troubling. Many of the vulnerabilities first highlighted in early versions of the list, injection flaws, cross-site scripting (XSS), broken authentication, and security misconfiguration, continue to appear in every subsequent edition. 

This isn’t just disappointing; it suggests that, despite widespread awareness, we’re not solving the underlying problems. In fact, the total number of software vulnerabilities continues to climb. The CVE list grows every year. What should have been resolved by now has instead become normalised. So, why aren’t we making more progress?

Why the OWASP Top 10 Isn’t Driving Change

In my experience, there are three core reasons the OWASP Top 10 isn’t delivering the transformation we hoped for: lack of context, lack of education, and lack of actionability.

1. Developers Lack Context

Modern developers are often handed user stories, tasked with building specific features, and measured against functional requirements, not security ones. Rarely do they have visibility into how their code will be used in the real world. Is it going into a healthcare platform? A consumer-facing mobile app? A component in a critical infrastructure system?

That kind of context matters. If a developer doesn’t understand the operational environment, how can they effectively prioritise security? Assumptions take the place of understanding, and those assumptions can introduce serious risk. What’s more, the industry often treats developer capabilities as interchangeable: junior developers should all know X, senior developers should all know Y, but not all developers have the same training or exposure. This inconsistency becomes more dangerous in a world where AI-generated code is gaining traction. If models are trained on insecure practices, or if developers don’t know what to watch for, the problems will only compound.

And before you say “how can a developer working for company X not know what their code goes into”, think about this – how many companies have grown by acquisition, or how many companies create SDKs or APIs, or how much of your code is from open-source libraries? The moment your code is used by someone else, that’s when context starts to get lost. The greater the separation, the harder it is for a developer to account for user requirements in their testing.

2. Security Education Is Declining

We assume that awareness translates into knowledge, but that’s not how education works.

The Building Security in Maturity Model (BSIMM) Report tracks how real-world organisations implement software security initiatives. In its 15th edition, released in January 2025, one of the most striking findings was that security awareness training has dropped nearly 50% since 2008. That’s despite an ever-growing attack surface, increases in cyber-attack complexity, and increasing regulatory pressure. It’s not enough to circulate a PDF or hold an annual security talk. Developers need to be actively trained, not just on what to avoid, but on how to write secure code for the specific environments and technologies they use. Without that, the OWASP Top 10 becomes little more than a checklist for compliance rather than a driver of change.

3. The List Lacks Actionability

Let’s face it, awareness without empowerment is performative. The OWASP Top 10 tells you what the most common risks are, but it doesn’t help organisations operationalise that knowledge. There’s no built-in guidance for remediation, no framework for prioritisation, and no accountability for fixing the issues once they’re known. As a result, many developers and even AppSec teams view the list as someone else’s problem. A static document can’t drive dynamic change unless the surrounding ecosystem is built to act on it.

Web Apps vs the Wider World: What CWEs Tell Us

Another major shortcoming of the OWASP Top 10 is its narrow scope. It’s designed specifically for web applications, but today’s software landscape is far broader. API-driven services, cloud-native platforms, embedded systems, and mobile apps all play significant roles in enterprise ecosystems. 

OWASP’s list doesn’t address the risks these platforms face. To get a more complete picture, we must look beyond OWASP. The MITRE CWE Top 25, for example, offers a platform-agnostic view of the most dangerous software weaknesses based on real-world exploitability and impact.

Here’s the shocking bit: 40% of the weaknesses in the 2024 CWE Top 25 aren’t even mentioned in the OWASP Top 10. One of the most common software weaknesses, CWE-787: Out-of-bounds Write, is entirely absent from OWASP’s list. Why? Because OWASP is focused on web applications, and CWE is focused on software security at large. This divergence is dangerous. It reinforces a fragmented view of risk and one that leaves organisations blind to issues that lie outside of the web app domain.

Accountability Is Coming

For years, security was about raising awareness, but now we’re entering a new era of accountability. Consider the Digital Operational Resilience Act (DORA), which came into effect across the EU in January 2025. It will force financial institutions to meet strict security requirements, from incident reporting to third-party risk assessments. Non-compliance will no longer be optional. Even more sweeping is the Cyber Resilience Act (CRA), set to take effect in 2027. It will mandate security standards for all hardware and software products with digital elements sold in the EU, backed by fines large enough to make company boards take notice.

These laws mark a profound shift from guidelines to governance. Sure, it’s important to understand the risks, but if organisations aren’t implementing proactive security strategies, then they’ll become a relic, untrusted by customers and obsolete in the eyes of the market.

What You Can Do Today

So how do we move forward? First, treat the OWASP Top 10 as a baseline and not a benchmark of success. It’s a good place to start, but by no means a complete solution – particularly if your app isn’t a web app. Expand your visibility by incorporating the MITRE CWE Top 25, which offers a more comprehensive, real-world view of dangerous vulnerabilities across all types of software.

Second, empower developers, not just with knowledge, but with tools and authority. Integrate secure coding practices into your CI/CD pipelines. Use security tooling that provides feedback in real time, not just in postmortems. And most importantly, make security part of the definition of “done” and not a side process.

Third, invest in contextual training. Developers shouldn’t just learn what to avoid but also understand why it matters in the environments they build for. Generic training won’t cut it. Tailor your education programmes to your domain, your risk profile and your tech stack.

Fourth, benchmark your practices against real-world data. Resources like the BSIMM Report give insights into what some of the most mature security programmes are doing. Use it to identify gaps and plan improvements; not in theory, but in how your team actually works.

And finally, build accountability into processes. Track key security metrics. Make them part of quarterly reviews. Tie them to incentives and governance. Because when security stops being bolted on to products and becomes everyone’s responsibility, that’s when real change happens.

Final Thought

Fifteen years. That’s how long we’ve been cycling through the same vulnerabilities in the OWASP Top 10. In that time, we’ve built space-grade cloud platforms, invented AI copilots and redefined how we work and live. And yet, we’re still being taken down by injection flaws and broken authentication. 

So maybe the question isn’t just whether the OWASP Top 10 has failed us. Maybe the real question is: Why haven’t we done more with what we already know?

The question is no longer whether your organisation will face a security incident, but when. Sooner or later, an attack will happen, which is why a robust Incident Response Plan is critical, because the size of an organisation does not matter. Big or small, they are all at risk.

An effective Incident Response Plan includes the following four components: 

1. A straightforward structure

Simplicity and structure are your allies when creating an Incident Response Plan. A complicated plan will only create confusion. Use charts, bullet points, and clear language to make it easily understandable.

2. Using recognised frameworks

Many organisations opt to use established frameworks ISO standards as templates for their plans. These frameworks offer a structured approach, providing sections and subsections that cover all essential areas, from governance to technical responses. 

By using a recognised framework, you not only ensure completeness but also facilitate easier communication with external parties who may be familiar with the framework.

3. Stakeholder responsibility

An Incident Response Team (IRT), typically led by a Chief Information Security Officer (CISO), should be designated to take charge during an incident. The plan should also specify roles and responsibilities for each stakeholder, from IT personnel to legal advisors.

4. Proportional funds

Budget considerations must be part of the planning process. Allocate sufficient funds for personnel, technologies, and training. This allocation should be proportional to the organisation’s size and risk profile.

 Small businesses might not have the same resources as larger corporations. A good Incident Response Plan for a small business should be scaled to their specific needs, focusing on the most critical assets and functions. It should prioritise simplicity, clarity, and actionable steps that can be taken with limited cybersecurity personnel.

Overcoming the hurdles of Incident Response Plan implementation 

Whilst implementing an Incident Response Plan, various challenges may arise. One example of this could be ensuring all team members are fully trained and understand their roles within the plan. 

Another challenge might be maintaining the plan’s effectiveness over time. To overcome these challenges, companies should enforce regular training sessions, continuous plan updates based on new threats and lessons learned from past incidents, and ensure clear communication channels within the organisation.

Examining the effectiveness of an Incident Response Plan

The effectiveness of an Incident Response Plan can be measured through regular testing, such as tabletop exercises or live drills, to ensure team readiness. Additionally, metrics like the time to detect, respond to, and recover from incidents can provide insights into the plan’s effectiveness. Continuous improvement based on these metrics and feedback from incident post-mortems is crucial for maintaining a robust incident response capability.

The importance of detection, reporting, and identification 

1. Proactively monitoring systems 

 Your first line of defence is detecting an incident quickly. Invest in advanced monitoring systems and allocate personnel to supervise them around the clock. 

2. Streamlining reporting

Streamline reporting protocols so that incidents can be rapidly identified and acted upon. Simplicity is key here, ensuring even the least technical person can report a problem.

Internal and external communication strategies

1. The role of good PR

Public Relations (PR) and your marketing team (if you have one) play a pivotal role in managing perceptions during an incident. Transparent, timely communication can mitigate panic, control misinformation, and maintain your organisation’s reputation.

2. Internal communications

Internal stakeholders need to be in the loop as well. Have a plan to keep everyone from top management to the frontline workers informed.

3. External communication plan

Customers, partners, suppliers, and sometimes the media will require timely and accurate updates. Your plan should specify who communicates this information, how, and when. A failure to report an incident to customers can land you in hot water with regulators and impact your reputation.

Identification, containment, eradication, and recovery 

1. Containment procedures

After identifying an incident, containment is the first priority. Your plan should have procedures for immediate and long-term containment actions, such as isolating affected systems or updating security protocols.

2. Elimination and restoration

The plan must spell out how to find the root cause of an incident and eliminate it. It should also outline the steps to restore and validate system functionality for business operations to resume.

Security testing services

Regularly scheduled simulated attack scenarios help keep your team prepared and your strategy up to date. It’s crucial for identifying gaps in your plan and rectifying them.

Some notable security testing services include penetration testing, red team testing, vulnerability assessments, and cyber security risk assessments. 

The role of cyber insurance

Cyber insurance can be a lifesaver, covering costs that can range from legal fees to ransom payments. Your Incident Response Plan should clearly state how and when to engage your cyber insurance coverage.

The dos and don’ts organisations should follow

Dos

• Train staff regularly
• Update plans frequently
• Communicate transparently
• Analyse and learn from every incident

Don’ts

• Ignore early warning signs
• Underestimate the importance of employee training
• Neglect to update stakeholders
• Fail to adapt your strategy post-incident

It is important to remember that an effective plan must continuously adapt and evolve – it shouldn’t be static. By integrating these elements, your organisation isn’t just preparing for potential threats, but actively fostering a resilient and secure operational environment for the future. 

Cyber attacks still seem like a dystopian ‘it will never happen to us’ to so many people. While these retail breaches have disrupted operations, and inflicted substantial financial losses, it is the compromised customer data and direct public impact to household names that has turned lots of attention to these latest cyber attacks.

Put frankly, the recent  hacks have grabbed headlines because so many members of the public have directly been affected which makes the story sensational and newsworthy.

Why the Sudden Rise in Retail Cyberattacks?

The escalation in attacks is attributed to the activities of sophisticated cybercriminal groups such as Scattered Spider and DragonForce. These groups employ advanced social engineering tactics in their attacks. They often impersonating employees to deceive IT help desks and gain unauthorised access to systems. The retail industry’s vast repositories of customer data and its reliance on digital operations make it an attractive target for such malicious actors. A key word is ‘employ’, showing that cybercrime itself is a booming and growing industry. 

Retailers’ Vulnerability to Cyber Threats

Several factors contribute to the retail sector’s susceptibility:

Legacy Systems: Many retailers operate on outdated IT infrastructures, which are more prone to security breaches.

Third-Party Dependencies: The extensive use of third-party vendors and suppliers increases the attack surface, providing multiple entry points for cybercriminals.

High-Volume Transactions: The sheer volume of daily transactions makes it challenging to monitor and detect anomalies promptly.

As mentioned, the cybercriminal groups recognised as being the driving forces behind the attacks focus on sophisticated social engineering tactics. Cyber professionals like to focus on tooling and technology as our main defenders. However, human risk management and understanding insider threats and behaviours of employees remain a vulnerability.

Indicators of Cyber Maturity Deficiencies

The delayed detection and response to breaches suggest a lack of cyber maturity within the sector. For instance, M&S experienced prolonged disruptions, with online services remaining unreliable weeks after the initial attack. Such extended recovery times point to inadequate incident response plans or major incident plans and a need for more robust cybersecurity frameworks in some instances. 

However, without fully understanding the nature of what happened once attackers gained access to the network, I would not fully support the statement. An area that M&S got very right in the process was their continued communication with their customers. They were transparent and shared information on what was happening. Communication during an incident is often left out of the incident response plan. However including this as part of your preparation within an incident response will save time and ensure clear and appropriate messages are relayed in a time of crisis.

Historical Context: Lessons from 2014

The current wave of attacks echoes the cyber incidents of 2014, where retailers faced a series of breaches. In the world of cyber security, it’s not IF we get breached, it’s WHEN. 

Unfortunately, with the development of new technologies and attacks becoming more sophisticated, it is not history repeating itself as such, it is the fact that the threat landscape continues to grow and employees leave and join new companies. Therefore, there should be collaboration between cyber security and HR to understand the risks and ensure timely cyber security awareness training for joiners, movers and leavers.

Why Is It Happening Again?

I believe it is down to ongoing vulnerabilities, disjointed cybersecurity teams to the business need and the evolving tactics of cybercriminals. While technology has advanced, so have the methods employed by attackers. It could be suggested the retail sector’s slow adaptation to these evolving threats has left it exposed.

Proactive Measures for the Future

History will always repeat itself, that’s the biggest lesson to learn! Unfortunately, we spend most of the time being reactive in cyber security as we fundamentally respond to the presence of an attack or impending risk. Businesses need to spend more time understanding what proactive measures look like – both inside and outside the cyber security team.

Invest in Modern Infrastructure

Updating legacy systems to more secure, modern platforms can reduce vulnerabilities and reduce tech debt. Doing so frees up more potential budget for other endeavours.

Enhance Employee Training

Regular training sessions can equip staff to recognise and respond to phishing attempts and other social engineering tactics. Step away from generic security training and understand how specific risks can affect the business or individuals in the business and deliver bespoke training. Training does not stop at recognising threats, it must also extend to ensuring employees understand what to do when they suspect suspicious activity, and the roles they play during a crisis. 

Implement Multi-Factor Authentication (MFA) or Single Sign – on (SSO)

MFA and SSO adds an extra layer of security, making unauthorised access more difficult. Also embed a two-factor authentication for requests such as financial transactions.

Regular Security and Risk Audits

Conducting frequent audits can help identify and address potential weaknesses before they are exploited. Not only that, but they can help identify risks there are to the business. Also, ensure that patch management is understood and fluid through the business. There should be full visibility of all of the environments and assets of the business.

Develop Comprehensive Incident Response Plans

Having a well-defined and tested response strategy ensures quicker recovery and minimises damage in the event of a breach. IRPs should be tested regularly with different scenarios including different areas of the business, not only sitting in the cyber security teams. 

To be clear, cyber security is not going away. Technology, and AI is advancing all the time, and criminals will keep evolving their hacking tactics. Businesses need to understand that cyber resilience is business resilience.

A ransomware attack is one of the most critical threats an organisation can face. It can bring operations to a halt, resulting in significant financial losses, and inflicting serious reputational damage. The way you react in the first 24 hours can make all the difference between containment and catastrophe. During this pivotal window, fast and informed action is essential. Not only to limit damage, but to enable recovery, and identify the root cause.

Whether you’re currently navigating an active breach or want to prepare your response plan in advance, here’s what needs to happen during those first 24 hours.

Step one: verify the attack and isolate affected systems

The moment ransomware is suspected, the priority is to confirm what’s happened. Ransomware doesn’t always announce itself with a dramatic pop-up, it may start quietly, encrypting files and spreading laterally across your network. Early warning signs include inaccessible files, failed logins, or unusual outbound traffic.

Once an attack is confirmed, isolate affected systems from the network immediately. Time is now of the essence. Ransomware attacks often seek to maximise damage by spreading across shared drives and cloud platforms. You should disconnect devices, disable Wi-Fi and VPNs, and block access at the firewall level to prevent further infection.

Having a cyber security team on standby allows for experts to provide step-by-step guidance in real time, helping you make the right moves to contain the threat without destroying forensic evidence. In high pressure moments, panic can lead to costly mistakes. Having a calm, expert-led approach ensures you stay focused and strategic.

Step two: alert internal stakeholders and assemble your response team

Ransomware response is not just an IT issue—it’s a business-wide challenge. Once containment is underway, you must inform key internal stakeholders. This includes executive leadership, legal, compliance, and communications teams. You should appoint a central response lead, ideally from your crisis management team. It will be their responsibility to coordinate efforts and make key decisions quickly.

If you’ve already established an incident response plan, now is the time to activate it. 

Step three: protect your backups and avoid engaging attackers

It may be tempting to click the ransom note or initiate contact with attackers to understand their demands. This is strongly advised against. Not only does it carry legal and ethical risks, but it may compromise your recovery options or make you more vulnerable to secondary attacks.

Instead, secure all backups and logs. Identify when the attack began, which systems are affected, and what data may be at risk. Taking note of this information will be crucial for both remediation and regulatory reporting.

Partnering with an expert will significantly improve this process, by providing rapid forensic support to help assess the impact by identifying indicators of compromise (IOCs), tracing the attack vector, and determining the attacker’s dwell time. This information can help you understand if data exfiltration occurred, an increasingly common element of modern ransomware attacks. 

Step four: report the incident and review legal responsibilities

Depending on your industry and location, you may have regulatory or legal requirements to report a ransomware incident. This could include notifying the Information Commissioner’s Office (ICO), your industry regulator, or affected third parties.

It is vital not to delay these conversations. By following previous steps, you should have clear documentation and technical insights which will back up your reporting. This will help the process run smoothly.

Step five: begin recovery with help from a cyber security expert 

Once the ransomware is contained and systems are stabilised, it’s time to begin recovery. This involves more than just restoring files from backup. You must ensure the attacker’s access is removed, vulnerabilities are patched, and your environment is safe to bring back online.

Having a trusted partner makes all the difference at this stage. Incident response specialists will work alongside IT and cyber teams to validate clean systems, conduct a secure restoration, and put new protections in place. Your business shouldn’t just bounce back; it should come back stronger.

How timely action and skilled expertise makes a difference

The impact of a ransomware attack goes far beyond financial loss – it’s operational, reputational, and often long-lasting. The quicker and more effectively you respond, the more you reduce the long-term impact.

Cyber security firms offer several solutions to ensure organisations are ready to face ransomware. One is emergency incident response, where teams can rapidly deploy to help take control, contain the threat, and recover operations; either on-site or remotely. Another option is to hold an incident response retainer. Retainer services give you guaranteed access to expert responders when you most need them. With predefined SLAs, threat intelligence, and environment familiarity, these tools can help businesses respond faster and more effectively.

Proactive planning leads to a stronger future

The initial 24 hours of a ransomware attack can be overwhelming – but they don’t have to be. With thorough preparation and expert support, you can respond quickly, minimise the impact, and restore operations with confidence. In moments where every minute counts, experience is your strongest defence.

Software vulnerabilities do not politely queue up waiting for security teams to deal with them one at a time. They emerge constantly, from every corner of the digital estate. There were an average of 108 new Common Vulnerabilities and Exposures (CVEs) recorded every day last year. Cyber teams in most organisations have a huge number of vulnerabilities jostling for attention. 

Traditional approaches to deal with these vulnerabilities are typically rely on manual processes and use on disconnected tools and teams with reactive prioritisation. They simply are not suitable for the scale of modern risks, or the speed at which cybercriminals turn exposures into attacks. Practitioners can quickly find themselves spending most of their days running around fighting fires rather than making any meaningful security progress. 

This is where the Vulnerability Operations Centre (VOC) comes into its own. Purpose-built as a mission control for vulnerability management (VM), the VOC enables organisations to move from reactive scrambling to strategic action, giving them the best chance of identifying, prioritising and neutralising risks before they escalate. Here’s what a typical day in the VOC could look like. 

Scanning the horizon for new risks

One of the most important aspects of the VOC approach is that it provides a centralised platform for all vulnerability management needs. This could be handled by a dedicated team, or as a function of the existing SOC set apart from other activities. It’s a sharp contrast to the common practice of different departments handling VM responsibility in isolation. 

Cyber threats can emerge at any time and SOC teams will typically be on alert 24/7. The VOC however means that the team works in a different rhythm from the traditional, firefighting pace of an SOC. Overnight, scanners, threat intelligence feeds and internal asset inventories have populated the VOC platform with fresh data.

Rather than sifting through disconnected reports or spreadsheets, analysts open predefined queries that immediately highlight what matters most. Newly discovered critical vulnerabilities, trending exploits, and urgent exposures are presented with context tying them to the organisation’s most mission-critical assets. 

Instead of treating every vulnerability as equally urgent, the VOC applies a risk-led lens. Context is key. A mid-severity CVE on a public-facing server may demand immediate action. However, a higher-scoring flaw deep inside an isolated system can wait for later review.

For critical findings, the VOC team deep-dives into the threat landscape. Has someone weaponised this vulnerability? Is it linked to ransomware campaigns? Has a proof-of-concept exploit been published overnight?

Within the first hours of the day, teams can triaged, ranked and assign vulnerabilities. This ensures security teams focus on the issues that genuinely threaten the business, not the noise that clutters traditional workflows.

Co-ordinating the response

Equipped with this information the VOC can shift from triage to orchestration. Newly identified vulnerabilities are funnelled into structured remediation campaigns, with tickets automatically raised through the organisation’s ITSM platform. Each item is categorised by urgency — whether it needs to be resolved within hours, days, or weeks. This systems sets with clear deadlines and assigns responsible teams.

Rather than flooding IT or DevOps with disconnected alerts, the VOC ensures that the right teams receive the right tasks, supported by all the context they need to act swiftly. Analysts monitor campaign progress in real time, checking which remediation actions are on track and which need escalation.

Suppose a critical patch has not been applied by the set deadline. In that case, VOC analysts chase it directly through the platform. They can comment within the ticketing system to find out what blockers exist and ensure accountability without adding friction.

This approach transforms vulnerability management from an endless, shapeless to-do list into a disciplined, measurable operation.

Security teams are no longer stuck manually chasing updates or duplicating efforts across silos. Instead, they can stay focused on strategic oversight, ensuring the business stays one step ahead of active threats.

Proactive hunting and resilience building

As the day unfolds, the VOC team moves beyond immediate remediation into proactive defence. Analysts use the platform to monitor for older vulnerabilities that may have gained new relevance. This is a crucial task, given that most successful exploits target weaknesses over a year old.

The VOC’s intelligence feeds and risk scoring models automatically flag any shifts in threat activity. For example, a three-year-old vulnerability that once posed little danger might suddenly spike in priority if new exploits are published or threat actors begin weaponising it in the wild.

Service Level Agreements (SLA) help structure this activity. Analysts review SLA dashboards to ensure ongoing remediation campaigns remain on track. As with urgent patching, if deadlines are slipping, they can follow up directly within the platform. Progress stays visible to all stakeholders without bogging them down in manual reporting.

Teams also put this proactive time towards preparation for monthly management reporting. Using real-time data, the VOC team can effortlessly demonstrate key metrics: the volume of vulnerabilities discovered and closed, time-to-fix averages, SLA adherence rates, and high-risk areas requiring further attention.

Delivering resilience through visibility and action

The centralised, structured VOC approach delivers clear results. It means fewer surprises, stronger resilience, and a security function that operates with foresight rather than afterthought.

Transforming vulnerability management from a reactive scramble into a proactive, strategic activity not only better secures the organisation, it also drastically improves the experience for practitioners. Alternating between time-consuming manual drudgework and panicked emergencies makes for a stressful and unsatisfying workday. A burnt-out security team is going to be off their game, and they’re also likely to look for greener pastures – a huge problem in the ongoing skills crisis.  

With the VOC in place, security leaders can stop reacting to threats and start each day already armed with a proactive plan to improve the company’s resilience.

Depending on which data you review and trust, ransomware attacks are either in decline or reached record levels in 2024. The truth as is often the case may well be somewhere in between. What is clear however, is that governments are increasingly exploring new approaches with how to counter the threat of ransomware and cybercrime. 

Late last year, the US government focused on reforms to cyber insurance policies as a potential avenue for disrupting ransomware networks. The then deputy national security advisor for cyber and emerging technologies, Ann Neuberger, told the Financial Times that many of the insurance policies covering reimbursement in the case of ransomware are inadvertently feeding the criminal ecosystems they are designed to disrupt. 

“We don’t negotiate with (cyber) terrorists”

It was proposed that preventing cyber insurance companies from reimbursing companies impacted by ransomware attacks could in fact help disrupt the cycle. More recently, this approach has also been mooted for consideration by the UK government, with proposals to protect UK businesses and critical national infrastructure by banning ransomware payments.

The thought process being that this will in time deter cybercriminals from targeting such organisations or networks if they know that payment will not be forthcoming. In its reporting when announcing the consideration of these proposals, the UK government revealed that the National Crime Agency managed 13 ransomware incidents between September 2023 – August 2024 that it categorised as posing “serious harm to essential services or the wider economy.”

Regardless of what regulators propose and what they may eventually adopt, however, there are a number of things businesses should be doing to make sure things don’t even get that far in terms of navigating around the potential requirement not to pay. 

The key to keeping ransomware at bay

The key when it comes to ransomware is to think about deterrence; and specifically how to create deterrence against perpetrators. While banning ransomware payments may be one solution, another is forcing cybercriminals to work much harder with their attacks. That means ensuring that employees become a vital first line of defence at businesses. 

Bad actors undoubtedly see the human element as the weakest link in organisations, and stats show that the majority of breaches involve some sort of human element. However, with the right education and training in place, organisation can flip this statistic on its head. 

This means actively promoting cybersecurity awareness and educating employees is vital for businesses to achieve and maintain strong organisational cyber resilience. Providing practical training helps mitigate the risks of employees misunderstanding concepts and also aids in implementing best practices for developing robust security measures and ensuring regulatory compliance at a much higher level.

What’s more, cybersecurity training should be ongoing, not a one-time event. Organisations should conduct regular training sessions, at least quarterly, to ensure that employees stay updated on emerging threats and retain the skills they learn. 

Better ransomware training 

Some of the most effective training methods include simulating cyberattacks and ransomware threats in real-time. These practical, scenario-based exercises reinforce critical thinking, teamwork, and decision-making under pressure, as well as helping organisations measure preparedness and identify gaps in knowledge or processes. 

Ultimately, the key is to make training engaging and relevant to each employee’s role, empowering them to be confident in recognising and responding to potential cyber threats. By combining regular training with advanced defensive tools, organisations can transform the human element at a business from a potential liability into a robust line of defence. 

The other important consideration for businesses arming themselves against ransomware attacks is to factor in that even when they have taken all of the precautions and proactive preparedness steps they can, the reality is that it is extremely difficult to protect everything at all times. 

This means prioritisation is vital, which in turn means understanding where and what the most significant aspects of the company’s ‘crown jewels’ are and making sure those have the most robust protection in place. This likely means detaching critical core systems from business systems in order to do so. 

Preparing for the future 

While banning ransomware payments to disincentivise attackers may have its merits, the flip side is that it will make it harder to detect, analyse and prevent future incidents with no visibility into payment flows. This means there is a clear need for balance between regulatory enforcement and intelligence gathering.

However, while strengthening forensic capabilities may be one avenue to mitigate future ransomware threats, the only way to ensure an organisation’s security in this environment comes back to developing the preparedness to respond to these attacks. That means conducting regular cyber exercises and training programmes to ensure employees are up to date with the latest trends, threats and tactics.

On Valentine’s Day of this year, one of the largest cases of business logic abuse was detected. It saw a botnet distributed over 11million unique IP addresses use API calls to the login systems of a Fortune 500 hospitality provider based in the UK with the express purpose of carrying out fraud by using credential stuffing in an attempt to identify valid user accounts and access payment details. 

Timed to coincide with one of its busiest days of the year for the business, the attackers sought to hide among the general influx of bookings but it wasn’t just the timing of the attack that allowed it to fly under the radar. 

Business logic abuse 

The attack used a technique known as business logic abuse which technically isn’t an attack at all, at least not in the traditional sense. This is because business logic abuse uses the functionality of the API or application against it in order to manipulate workflow processes and/or gain unauthorised access. In these attacks, the calls to the API look legitimate and syntactically correct. In reality, however, the attacker will have studied how it works and whether it can be tricked into oversharing data or if a sequence of events can be reordered to allow them to avoid paying, for instance.

Such attacks are bot-driven and see stolen user credentials, infrastructure such as proxies, compromised servers and devices, and management toolkits from the Dark Web such as SNIPR, BlackBullet or SentryMBA used to repeatedly attempt to complete sign up forms, account logins, partially complete purchases or make bookings. And because these actions appear bona fide, it’s incredibly difficult for defensive measures to detect them. Firewalls, Intrusion Prevention Systems, Web Application Firewalls (WAFs), and security gateways can’t stop them. 

Hiding in plain sight

In the case of the Valentine’s Day attack, IP-based detection was ineffective because the attackers used residential proxy networks to mimic legitimate traffic. As a result, even though the attack generated over 28 million security events, these were only equivalent to three events per unique IP address and so failed to raise the alarm. 

Preventing these attacks is also problematic. Often the subversion of business logic is not a top priority which means that perfectly coded APIs that are compliant with API protocols can still fall foul of these attacks. 

This is because while the API functions correctly, the developer will have failed to anticipate if those functions can be accessed and altered or combined to achieve malicious ends. These forms of abuse are covered in several of the attack types documented in the OWASP API Security Top 10 which provides a useful starting point and should form the basis for building test cases for API testing. 

A massive attack surface 

But what about those APIs that have already gone live? There’s now a massive installed base of APIs. In fact, API calls now account for 71% of web traffic. This represents an enormous attack surface which business logic attacks are increasingly targeting. In fact, business logic abuse is thought to account for more than a quarter of attacks against APIs.

Addressing business logic issues post-production in applications has principally been done using bot mitigation tools. These use application instrumentation to collect signals from the client by injecting Javascript code into the web application but as both APIs and mobile applications do not use Javascript, typically interacting using XMl/JSON, the attacker can simply bypass the web application and go straight to these. Mobile applications can be compiled with SDK to receive the missing signal but there is no workaround for APIs. What’s more, application instrumentation inevitably adds to development and QA cycles and can even risk breaking the application. 

Fingerprinting an attack

What organisations need is a solution that can see all the traffic to a given application or API and detect anomalies based on multiple behavioural-based criteria. 

Using a central threat intelligence database of behavioural patterns, known malicious infrastructure and third party intelligence and machine learning to analyse API headers and payloads while local models determine behaviour and intent, it’s possible to create a behavioural fingerprint of the attack. 

The unique fingerprint is traceable so that even if the attacker pivots and changes their strategy to avoid detection, they remain under observation. And crucially, as the approach is agentless, it does not require anyone to inject code into the API or application.

It was using this form of behavioural based analysis that allowed the hospitality provider to identify what was happening to its application APIs. It was able to determine that the botnet was predominantly made up of compromised routers and IoT devices and to track the high volume, low and slow and attack, determining that the source traffic was widely distributed over more than nine million IP addresses. 

A machine learning-based policy was then devised to block the malicious traffic based on a single unique fingerprint without the need to upload an IP address list. IP lists have limited use because, as anticipated, the attacker quickly attempted to change the infrastructure they were using to continue the attack. 

Because the fingerprint was tracked, this too could be successfully blocked.

De-risking the database 

As a case example, the attack highlights the importance of not relying on IP-based solutions. In a world where organisations are going API-first, these interfaces now represent key ingress points and if compromised can have significant impacts on the business. These include the potential for increased infrastructure costs incurred from handling the higher traffic volumes resulting from bot attacks. 

The loss of revenue from stolen goods and services and risk to the company’s reputation, with customers losing confidence in the ability of the business to deliver. And the cost of investing additional personnel into monitoring and responding to the security incident. But by using behavioural-based analysis, the business can mitigate these risks and using a light tough approach detect and block business logic abuse.

Ransomware attacks have evolved from a disruptive nuisance to an existential threat for businesses of all sizes. No longer confined to simple file encryption, modern ransomware campaigns target entire cloud environments, backups, and identity management systems, leaving organisations with few options for recovery. 

With the UK government considering a ban on ransomware payments, companies can no longer rely on paying their way out of an attack. Instead, they must shift their mindset and operational strategies to assume an attack will happen and prepare accordingly. 

The evolution of ransomware: beyond file encryption

Ransomware attacks have undergone a troubling transformation in recent years. Attackers no longer limit themselves to encrypting files and demanding payment for their release. They now aim for maximum disruption. And once inside a business’s network, these attacks can spread rapidly, locking down systems, stealing sensitive data, and rendering traditional recovery solutions useless.

One of the most alarming developments is the targeting of backup systems. Many businesses assume their data is safe if they have backups in place, but modern ransomware strains actively seek out and destroy backups before deploying their final payload. Attackers know that if they eliminate the safety net, companies are left with no choice but to comply with their demands.

But this isn’t the only risk.  Identity management systems, such as Entra ID (formerly Azure Active Directory), are also increasingly in the firing line. A compromised identity system can grant attackers access to a company’s entire cloud environment, allowing them to manipulate settings, create new user accounts, and maintain persistence within the network long after the initial attack. Without the ability to verify trusted users and access controls, businesses may struggle to recover – even after the ransomware has been removed.

The false sense of security: why built-in Microsoft protections aren’t enough

Many organisations assume that Microsoft’s inclusive built-in security features, within the standard service, offer sufficient protection against ransomware. However, these default security measures are not designed to withstand sophisticated, targeted cyberattacks. Microsoft provides some level of backup and recovery. However, these tools have limitations in scope and retention policies, meaning critical data can still be lost if an attack succeeds.

Cybercriminals specifically exploit these gaps. They know that many businesses operate under the false assumption that their basic security systems adequately protect their data. In reality, while Microsoft secures the infrastructure, its shared responsibility model holds businesses accountable for protecting their own data. Without additional proactive security measures, these vulnerabilities will only increase.

UK ransomware payment ban: raising the stakes for business continuity

In light of the UK government’s proposed ban on ransomware payments, businesses in the public and private sectors could soon be under greater scrutiny in how they report and respond to ransomware threats. If enacted, this legislation would make it illegal for public sector bodies and CNI operators to pay ransoms, removing what has often been seen as a last resort to regain access to critical systems and data. While the outright ban isn’t currently proposed for private companies, they would still be required to report any intention to pay a ransom, with the possibility of the payment being blocked if it violates legal regulations.

Paying a ransom has never been a guaranteed solution, with many organisations never receiving decryption keys even after fulfilling demands – which is one of many reasons cyber security specialists advise against making payment. Not only does it perpetuate cybercrime, but it also fails to address the fundamental security issues at play, meaning companies remain equally vulnerable to future attacks. Still, for many organisations, the ability to do so has provided a desperate fallback. Without it, companies must prioritise building robust backup systems and disaster recovery strategies more than ever, to minimise downtime and prevent catastrophic data loss.

Shifting to a ‘when, not if’ cybersecurity mindset

Given the growing sophistication of ransomware and the rapid rise in threats, companies must shift from a reactive stance to a proactive one. Instead of hoping an attack won’t happen, organisations should operate under the assumption that it will, and take steps to mitigate its impact before it occurs. Prevention is always better than the cure, after all.

One of the most effective ways to do this is by implementing a comprehensive cybersecurity framework, such as ISO 27001 or the updated National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0. This structured approach consists of six core functions that, when properly executed, can help businesses prevent, detect, and recover from ransomware attacks:

1. Govern (GV): shaping cybersecurity governance

This critical function defines and communicates an organisation’s cybersecurity risk management strategy in context, aligning it with its mission and stakeholder expectations. It integrates cybersecurity into broader enterprise risk management (ERM) by setting policies, roles, and responsibilities, and overseeing cybersecurity strategy and supply chain risk management – ultimately strengthening governance across every touchpoint.

2. Identify (ID): understanding cyber risks

Before a business can defend against ransomware, it must first understand its vulnerabilities. Regular risk assessments and audits can help identify weak points in infrastructure, access controls, and backup strategies. Mapping out critical assets and dependencies ensures an organisation can focus its cybersecurity efforts on the most valuable and high-risk areas, in accordance with the its broader risk management strategy

3. Protect (PR): building stronger defences

Prevention is the first line of defence. Implementing multi-factor authentication (MFA), network segmentation, endpoint detection, and secure backup solutions can significantly reduce the risk of successful attacks. Security awareness training for employees is also crucial, especially since human error remains one of the leading causes of a breach.

4. Detect (DE): spotting threats early

The earlier an organisation detects a ransomware attack, the better their chances of mitigating its impact. Continuous monitoring tools, anomaly detection software, and advanced threat intelligence feeds can help businesses identify suspicious activity before it escalates into a full-blown attack, enabling timely response and reducing potential damage.

5. Respond (RS): acting quickly and effectively

When an attack occurs, having a well-rehearsed incident response plan can make all the difference. Businesses should establish clear protocols for isolating infected systems, notifying relevant stakeholders, and executing recovery procedures. Regular drills and simulations ensure that employees know their roles and responsibilities in the event of an attack, ensuring swift and effective action.

6. Recover (RC): ensuring business continuity

A robust recovery strategy is essential for minimising downtime and financial losses. Businesses should implement off-site, immutable backups that cannot be modified or deleted by attackers. A clean room environment – a separate, secure infrastructure used to restore data and verify its integrity before reintroducing it into the production environment – can also prevent reinfection and ensure a smooth recovery process.

The time to act is now

More than a disruptive inconvenience, ransomware is a significant risk that can bring operations to a standstill, spiral costs, and damage reputation beyond repair. With cybercriminals targeting backups, identity management systems, and cloud environments, and the UK government considering increased scrutiny surrounding ransom payments, businesses must take action before they too become victims.

The term itself may have been coined in the late 1990s, but hacktivism is still thriving in the mid-2020s. In fact, what were once loosely connected and decidedly amateur activist groups are increasingly evolving into more highly skilled, focused and formidable “digital militias”. And they are determined to make an impact.

The bad news for corporate network defenders is that hacktivists can always contrive a pretence to attack. That means no organisation is safe. It’s time to expect the unexpected.

From activism to impact

For many years, hacktivism was associated with groups like Anonymous and LulzSec. These organisations mainly used distributed denial of service (DDoS) attacks and web defacement to make political points. Although their rhetoric may have been fierce, these highly distributed collectives mainly worked to raise awareness of political causes. Notably, these included the Occupy movement, the Arab Spring, and the treatment of Julian Assange. Their campaigns rarely caused significant financial, reputational or operational harm to the chosen victims. Websites soon came back online, defaced pages were returned to normal, and the world quickly forgot about any non-sensitive information that may have been leaked.

That’s certainly not the case in 2025. The hacktivist groups we encounter today are usually focused on impact as well as attention. They want to hack and leak sensitive information, destabilise governments and businesses, and even disrupt critical services. As a result, they’re more likely to be made up of a tighter inner circle of skilled operatives. These operatives then recruit carefully in secret and focus on operational security (OpSec) to evade the authorities.

Understanding the drivers for hacktivism

Their motivation could be ideological, political, nationalist or simply opportunistic—and in some cases, a blend of more than one of these drivers. Most tend to be ideologues focused on religious or geopolitical conflicts. Think: pro-Russian “NoName057(16)”, which accuses its detractors of “supporting Ukrainian nazis”, or GhostSec, which claims fight for a free Palestine.

Then there are the politically motivated groups that seek to influence government policy. SiegedSec has targeted conservative initiative Project 2025, while being a vocal participant in #OpTransRights. GlorySec, a likely South American group of self-described anarcho-capitalists, aligned with Taiwan in its attempt to break free from China’s sphere of influence.

Nationalist groups are less common but often go heavy on cultural symbols and patriotic rhetoric to justify their actions. The Indian “Team UCC” likes to position itself as a defender of persecuted Hindus worldwide, especially in Bangladesh. Several pro-Russian groups also fit the nationalist mould, with prominent Russian flags and jingoistic pronouncements about defending the motherland.

Opportunistic groups, on the other hand, seem to target victims simply because they are easy to hack. SiegedSec hacked into a Chinese messaging application’s website, claiming that “it’s not secure at all”, for example. 

The whole picture gets more confusing still, when one peers closer. The Israel-Hamas conflict has drawn in other groups for which this fight is not their main focus, such as TeamUCC (pro-Israel). Pro-Russian groups often side with China in disputes, for example. Also, GlorySec aligns with Ukraine, NATO, and Israel but seems unsupportive of trans rights. The bottom line is that these loose cannons could theoretically find a reason to turn their firepower on any potential target. 

Hacktivism, cybercrime and state-level attacks

They do this using many familiar TTPs. DDoS is a favourite, with attacks now fairly straightforward to launch given the number of booter sites open for business. Although these attacks have become more advanced of late, incorporating multiple attack vectors to bypass traditional mitigations, they are relatively low impact. Likewise, web defacements are usually short-lived, even though some more recent attacks include malicious code injections to compromise victim networks. 

More concerning for organisations caught in the hacktivist crossfire are hack-and-leak campaigns. These campaigns are designed to exfiltrate and publish sensitive data via file-sharing platforms. Iranian state-aligned group Cyber Av3ngers was a prolific exponent of this, sharing details of SCADA systems from an Israeli facility, which were subsequently assessed to be recycled.

The same group has been pegged for attacks on critical infrastructure systems, an increasingly popular tactic for hacktivists. Its compromise of Israeli-made industrial control devices in utilities facilities led to much hand-wringing from American security experts, and residents in Ireland going without drinking water for two days.

Perhaps most concerning is the increasingly blurred lines between hacktivism and cybercrime activity. Some groups, like CyberVolk, are using ransomware to fund their operations. Others have promoted a variant dubbed “SMTX_GhostLocker”, which seems to be developed by GhostSec. And some hacktivists, like Ikaruz Red Team, use ransomware to target their victims, although not ostensibly to generate profits.

An equally concerning development is the alignment of state activity with hacktivism. This is most obvious in Russia, where groups like NoName and KillNet have long been suspected of government direction or arms-length involvement. The UK’s NCSC has warned about the potential for destructive attacks by such groups.

Playing the long game

Against this fast-evolving backdrop, the best response for CISOs is to get back on the front foot through investment in DDoS mitigation, and documenting and patching external systems to reduce the risk of defacements. For more sophisticated threats, the best approach is attack surface risk management (ASRM). This approach continuously monitors assets for security gaps and then recommends remediation steps. Combined with extended detection and response (XDR), it provides both resilience and rapid discovery and containment of threats before they can cause harm.

Above all, plan for the long term. These digital militias aren’t going anywhere.

Ransomware attacks remain a persistent danger to businesses. And according to the National Cyber Security Centre’s (NCSC) Annual Review 2024, these attacks continue to pose the most immediate and disruptive threat to the UK’s critical national infrastructure. 

The Government’s initiative to widen the ransomware payment ban to public sector organisations, the NHS, schools, councils, and critical infrastructure providers, to make them unattractive to cybercriminals, is a daring move in fighting cybercrime. For too long, ransomware operators have benefitted from a “pay-and-forget” culture, reaping profits with little consequence. 

Cutting off the financial incentives is a significant move.  But will this ban stop the attacks?

The ransomware payment ban: The proposals

The Home Office is currently carrying out a three-month consultation on three proposals.  The first is a targeted ban on ransom payments for public sector organisations and critical national infrastructure providers.  The second, a requirement for private organisations to report payment intentions before proceeding; And the third, mandatory incident reporting for all victims enhancing the intelligence available to UK law enforcement agencies.  This will enable law enforcement to identify emerging ransomware threats and focus their investigations on the most active and harmful ransomware groups.

While these proposals aim to deter attacks and improve intelligence-sharing, they also present issues.

The government hopes that a complete, although targeted, ban on ransom payments for public sector organisations will remove the financial motivation for cybercriminals. However, without adequate investment in resilience, these organisations may be unable to recover as quickly as they need to, putting essential services at risk. 

Many NHS healthcare providers and local councils are already dealing with outdated infrastructure and cybersecurity staff shortages. If they are expected to withstand ransomware attacks without the option of paying, they must be given the resources, funding, and support to defend themselves and recover effectively.

Short term wins; long term losses

A payment ban may disrupt criminal operations in the short term.  However, it doesn’t address the root of the issue – the attacks will persist, and vulnerable systems remain an open door. Cybercriminals are adaptive. If one revenue stream is blocked, they’ll find other ways to exploit weaknesses, whether through data theft, extortion, or targeting less-regulated entities.

The requirement for private organisations to report payment intentions before proceeding aims to help authorities track ransomware trends. However, this approach risks delaying essential decisions in high-pressure situations. During a ransomware crisis, people need to make decisions in a matter of hours, if not minutes. Adding bureaucratic hurdles to these critical moments could exacerbate operational chaos. 

Similarly, if an organisation needs urgent access to its systems to maintain critical services, a delay caused by regulatory reporting could increase the damage. There is also the possibility that some businesses may avoid disclosure, undermining the intended benefits of the policy. Also, who foots the bill for the operational chaos if payment is denied?

Mandatory reporting of ransomware incidents is also an important step in building a clearer understanding of the threat landscape.  However, fears remain about how organisations will respond. Many may be concerned about regulatory scrutiny or reputational damage which could lead to underreporting. If this policy is to be effective, the government must ensure that reporting mechanisms offer practical support rather than retributive consequences.

Resilience is essential 

Resilience is the key here. Rather than focusing solely on banning payments and implementing regulatory reporting, organisations should prioritise preventing attacks and ensuring they have robust recovery strategies. However, without the right funding and support, under-resourced organisations won’t just struggle to prevent attacks, they’ll also flounder in recovery. 

Leveraging a framework like ISO 27001 has proven effective in bolstering defences and preparing organisations for worst-case scenarios.

This framework helps organisations integrate security into their daily operations rather than treating it as a second thought. Public sector bodies can strengthen their defences by systematically identifying vulnerabilities and reducing the likelihood of falling victim to an attack. ISO 27001’s emphasis on regular testing and monitoring ensures that threats are detected early, limiting the potential damage.

One of the most critical aspects of resilience is business continuity. ISO 27001 places significant focus on incident response planning, ensuring that organisations have a clear and tested strategy for restoring services. This is especially key for public sector organisations that cannot afford extended disruption. By having a set recovery plan, organisations can avoid the difficult decision of whether to pay a ransom simply to get back online.

Yet many public sector bodies simply lack the staffing, expertise, or funding to adopt these strategies at scale. Without significant investment in cyber resilience, the ban might feel like the Government is tying public sector organisations’ hands behind their backs.

So, if this ban comes into effect, what other options does the Government have to support and help public sector organisations?

Additional initiatives 

The government, instead of relying on overstretched and underfunded bodies to manage ransomware response on their own, could assist with developing cyber expertise and supporting these businesses.  One way to do this is to enhance the UK Cyber Cluster Collaboration (UKC3) initiative.  This would increase the support these regional cybersecurity support hubs can offer by pooling cybersecurity professionals to assist multiple councils, schools, or NHS trusts rather than each trying (and failing) to build their own team. 

Similarly, the government could also establish a Cyber Civil Defence initiative which engages vetted cybersecurity professionals who can volunteer to assist in national or regional cyber emergencies – like that of voluntary organisations supporting emergency response like St John Ambulance. This could be structured as a public-private partnership, tapping into the expertise of private-sector security firms that handle ransomware incidents.

Public sector bodies also often face slow, bureaucratic procurement processes that prevent them from quickly obtaining the necessary cybersecurity tools. The government could create pre-approved cybersecurity solution frameworks (similar to the G-Cloud procurement model), allowing organisations to deploy vetted security solutions rapidly without red tape.

Ultimately, the government’s ambition is commendable, but ambition without actionable support, risks failure. If this ban is to succeed, it must be paired with tangible investments in cybersecurity for the public sector: grants for modernising infrastructure, workforce training, and robust incident response resources. 

Cyber resilience should be a fundamental component of organisational operations rather than merely an afterthought or compliance exercise. Without this, the ban could fail, penalising victims while allowing attackers to remain unaffected.

State-sponsored cyber threats are escalating. In a recent speech at the UK Government’s Cyber Security Conference, NCSC Richard Horne highlighted nation-state activity as a leading issue in an increasingly hostile cyber threat landscape.   

While many industries are at risk of this heightened aggression, critical infrastructure is particularly vulnerable. Essential services such as energy, water, and transport have become key targets in aggressive geopolitical cyber strategies.  

The risk is made worse by the fact that so much critical infrastructure relies on operational technology (OT) systems that are often outdated, heavily siloed, and easy prey for dedicated threat actors. To withstand these evolving threats, 2025 must be the year of OT security investment, where IT and OT teams work in unison to defend against nation-state adversaries. 

How nation-state cyber threats are accelerating 

Cyberattacks against critical infrastructure have become a fundamental tool of statecraft, with activity aimed at disrupting economies, weakening rivals, and asserting geopolitical influence. 

The CRINK nations – China, Russia, Iran, and North Korea – are among the most active. You can connect almost all nation-state-sponsored cyber incidents to one of the four. In just one example, last year multiple security agencies around the world, including the NCSC and CISA, issued a joint advisory against Chinese state-sponsored actor ‘Volt Typhoon’. The group targets water, energy and transportation sectors around the world with the intention of setting up significant and disruptive attacks in the future.  

The most worrying aspect of these attacks is their potential to cripple essential services. Attacks on cyber-physical systems causing operational downtime and widespread disruption can create very real damage in the physical world, from energy blackouts to preventing emergency healthcare.  

One of the most prominent examples is Sandworm, an APT linked to Russian military intelligence, which is believed responsible for multiple attacks on Ukraine’s power grid over the last decade. The group deployed the Industroyer and Industroyer 2 malware, custom-built for targeting industrial equipment using specific protocols. Sandworm is also responsible for the notorious NotPetya malware, which spread far beyond its intended Ukrainian targets.  

The convergence of IT and OT environments has inadvertently expanded the attack surface and given cyber adversaries new opportunities to infiltrate industrial control systems. 

The outdated siloed model of IT and OT security is no longer viable 

For years, businesses have treated IT and OT security as separate disciplines, with little in the way of united visibility or strategy. This may have worked in years past. However, the increasing crossover between the two fields means this fragmented approach is no longer sufficient.  

Traditional IT security models – typically focused on protecting data and network perimeters – fail to address the unique risks posed to OT environments, where system uptime and physical safety are paramount. 

Visibility is one of the key challenges. OT networks tend to include a large number of legacy systems that were not designed for modern security controls. Further, it’s common to find multiple different proprietary operating systems. This makes it more difficult to effectively monitor the network and detect signs of intrusion and malicious activity.  

Attackers can exploit connectivity between IT and OT systems, using IT breaches as stepping stones to disrupt critical operations, while also using the visibility gaps to avoid detection.  

Budget priorities must shift towards OT security 

Despite the rising threat to OT environments, cybersecurity budgets have traditionally focused on IT security, leaving industrial systems vulnerable. This must change in the year ahead, and budget trends must shift to favour OT-specific investments if organisations are to defend against nation-states and other advanced threats. 

Key investment areas should include both OT-specific threat detection and intrusion prevention systems and network segmentation to limit lateral movement in case of a breach. It’s also important to implement secure remote access solutions to mitigate third-party risks from the expansive supply chains present in most critical sectors.  

Prioritising the budget for OT also needs to go beyond common vulnerabilities and exposures (CVEs) because there are just so many potential vulnerabilities out there. In a sample of 270 organisations, we found more than 111,000 known exploited vulnerabilities (KEVs) in OT devices – an impossible number to budget for. 

The key to making it manageable is to filter for public exploits linked to threat groups and insecure connectivity to find the most critical issues. From our sample, this reduced 111,000 to around 3,800 – creating a manageable, targeted remediation approach.  

Equally as important as this, any technology must be backed by close collaboration between IT and OT departments.  

Bridging the IT-OT cultural divide is key 

OT management often remains heavily siloed from IT, even as the two sets of technology have become increasingly interconnected to facilitate better automation and remote access.  

The two fields also have different priorities. Historically, IT has focused on data confidentiality and access control, while OT is more concerned with delivering safety, uptime, and operational efficiency. These differing objectives often lead to resistance when implementing cybersecurity measures, particularly if stakeholders perceive them as disruptive to critical processes. 

To bridge this divide, organisations must actively seek to foster cross-functional collaboration between IT and OT teams. On an operational level, investing in OT-specific cybersecurity education can help teams understand emerging threats. 

CISOs play a crucial role in aligning these teams, ensuring that security controls enhance, rather than hinder, operational continuity. Companies that successfully embed cybersecurity into their organisational culture will be far better positioned to detect, mitigate, and respond to OT threats. 

Why IT-OT security task forces are the next step in cyber resilience 

One of the most effective ways to align OT security with the rest of the organisation is to establish joint IT-OT security task forces that report directly to the board. These groups can not only improve collaboration between the two environments, but also make it easier to raise OT security as a board-level issue. This level of stakeholder visibility can make it easier to secure dedicated resources for OT-specific threat detection, vulnerability management, and incident response. 

A well-structured IT-OT security task force should conduct regular risk assessments to identify vulnerabilities across converged environments, working together to implement solutions like network segmentation to contain potential breaches. It’s also important to develop OT-specific incident response plans to minimise downtime during attacks. 

Treating OT security as a business essential 

As state-sponsored threats escalate, OT security can no longer play second fiddle to IT. All organisations managing cyber-physical systems must ensure they prioritise investing in OT-specific protections in the year ahead, along with the education and collaboration needed to use them effectively.  

Those who take a proactive approach to OT security in 2025 have the best chance of foiling cyber adversaries’ intent on disrupting critical infrastructure as part of their geopolitical agenda.  

1. How at-risk is my smartphone now compared to a few years ago? How is the cybersecurity landscape around personal mobile devices evolving?

The UK has seen a worrying shift in how criminals target smartphones. Over 200 phone or bag snatch thefts happen every day in England and Wales, and the consequences go far beyond losing a device. A stolen phone can mean financial fraud, data breaches, and reputational damage—not just for individuals but also for businesses.

I know this firsthand because it happened to me. Losing my phone wasn’t just inconvenient; it also allowed criminals to access my financial, social, and corporate accounts. That’s why I created Nuke From Orbit, a security solution designed to instantly cut off criminal access and help victims regain control of their digital identities.

And the problem is getting worse:

• 62% of victims suffer further losses after their phone is stolen, with 1 in 5 having their banking apps breached and 1 in 4 losing money from their digital wallets.
  
• Police close 82% of cases without identifying a suspect, and just 0.8% lead to a conviction (Crime Survey for England and Wales).

With mobile payments now overtaking cash and card transactions in the UK, criminals are targeting smartphones for resale and the personal and financial data inside them. This means we must act now—before more people fall victim to this growing threat.

2. The rising cost of cybercrime: What does it mean for individuals and businesses?

Smartphone theft in the UK has more than doubled, with 78,000 reported incidents in the past year alone. That’s a sign of how much we rely on our mobiles in daily life—whether for banking, work, or social connections. But it also means the risks are more significant than ever.

I recently spoke with ethical hacker Nikhil Raine, who put it bluntly:

“Once criminals have access to your accounts, you’re at risk of a full-scale account takeover. If your phone is lost or stolen, you must act fast—report it to your bank, freeze your accounts, and change all your passwords. Check your bank statements regularly for suspicious transactions, and monitor your credit score. If your personal details end up on the dark web, you could face identity fraud, deepfake scams, and criminals impersonating you to steal from your friends and family.”

This isn’t just an inconvenience—it’s a long-term security risk that can impact everything from your finances to your reputation.

3. The role of AI: A game-changer in security—or a new weapon for criminals?

AI is already transforming mobile security, but its implementation presents serious challenges. While AI-driven fraud detection is improving, it still struggles to differentiate between genuine transactions and suspicious activity, especially when users make one-off or high-value purchases.

At Nuke From Orbit, we’re exploring how AI can analyse phone behaviour—like usage patterns, location data, and unexpected changes—to detect theft and trigger immediate protective

measures. However the challenge is ensuring accuracy without creating false alarms that frustrate users and lead them to disable security features altogether.

At the same time, criminals are weaponising AI to power a new wave of cybercrime. Voice cloning, AI-driven phishing, and deepfake scams are becoming more advanced, allowing hackers to impersonate people with alarming accuracy.

That’s why the tech, finance, and telecoms industries must step up—investing in AI-powered behavioural analysis and multi-layered authentication to keep people safe. But technology alone isn’t enough; user education is critical in helping people spot and avoid AI-powered scams.

4. Emerging threats: What should smartphone users be on the lookout for?

Cybercriminals are evolving their tactics. One growing concern is “shoulder surfing”—when criminals watch people enter their PINs or passwords in public places. It might sound low-tech, but it’s highly effective. A thief who spots your unlock code can steal your phone and access everything inside it within seconds.

Simple steps can help prevent this:

• Be aware of your surroundings when entering passwords.
• Use biometric authentication whenever possible.
• Enable privacy screens to block prying eyes.

Beyond that, there are clear warning signs that your phone may have been compromised. If you notice:

Unfamiliar activity on your accounts (transactions you didn’t authorise, messages you didn’t send). Strange app behaviour (apps opening or closing unexpectedly, settings changing on their own). Performance issues (sudden battery drain, overheating, or increased data usage).

These could all be signs that your device has been hacked. If that happens, act immediately: change all your passwords, run a malware scan, and use a security app to lock down your accounts before further damage is done.

5. Has remote work blurred the lines between personal and work devices?

Absolutely. Since the pandemic, the way we use our phones has changed dramatically. People now access confidential work emails, sensitive documents, and corporate messaging apps on personal devices—often without realising the security risks.

This is a huge problem because:

• Personal devices are harder for IT teams to secure.
• Work files and emails can be automatically backed up to personal cloud accounts.
• A single stolen phone can expose both personal and business data.

Companies need to get serious about this. If possible, issue dedicated work devices to employees. If that’s not an option, businesses should at least restrict access to critical systems on personal devices and use mobile device management (MDM) tools to enforce security policies.

Security and convenience will always be at odds, but businesses must accept that prioritising security may require trade-offs.

6. The future of mobile security: What needs to change?

The old security methods are no longer enough. Criminals are adapting, and cybersecurity needs to evolve just as fast.

When it comes to mobile payments, the stakes are incredibly high. Unlike contactless cards with transaction limits, smartphones provide seamless access to bank accounts, investment platforms, and crypto-wallets—making them a goldmine for criminals.

To combat this:

• Banks must educate users on treating their phones as critical security devices, not just everyday gadgets.
• AI-powered identity verification (KYC) must improve to detect fake IDs and prevent fraud.
• Two-factor authentication (2FA) should involve a secondary device, like a tablet or smartwatch, instead of relying solely on the phone.
• Consumers must take security seriously—using strong passwords, enabling 2FA, and adopting passkeys instead of traditional logins.

The future of mobile security is about more than stopping theft—it’s about preventing criminals from exploiting stolen devices. We can keep people safe in an increasingly digital world by staying ahead of emerging threats and embracing new security measures.

At Nuke From Orbit, our mission is simple: make smartphone theft as useless to criminals as possible. The more we raise awareness and push for better security, the harder we make it for hackers and thieves to profit from stolen devices.

It’s time to take mobile security seriously—before it’s too late.

A new year always brings a fresh impetus to look again at the business’ cybersecurity posture – and perhaps to find ways to strengthen it.

At the tail end of 2024, the UK’s National Cyber Security Centre highlighted the fact that cyber-related risks facing the UK are being “widely underestimated“, the cyber chief warned in their first major speech after last year’s appointment. As businesses evolve and digital threats grow more sophisticated, prioritising readiness has never been more critical. In 2024, only 2% of UK organisations achieved a ‘mature’ level of readiness according to research from Cisco: a 15% drop from the previous year.

There’s every reason to turn this trend around in 2025. If the threats from continuing geopolitical, warfare and cybercrime were not enough motivation; the rapid acceleration and adoption of AI will surely keep the CISO up at night. Fortunately, the security industry doesn’t require any upending. There are globally recognised best practices, widely understood technologies, and well-respected regulations and certifications to support businesses improving their security posture. The difficulty in the management of these threats comes from the limited supply of time, personnel, resources, all of which are in demand throughout a business and the IT organisation that supports them.

Crises are sure to come. Why not practice?

Simulating crises is a very practical way of identifying where ones’ weaknesses lie; whether it be a missing policy, weak controls, or absent documentation of procedures. The outcomes of these exercises provide businesses with a clear view of their vulnerabilities. They then help those businesses develop and act on a list of priorities. Thus, when a real crisis appears the business will be in a good position to blunt its impact.

Start off with some clear questions that you’re looking to test. Online resources or industry consultants can help. However, at first, all you might need to do is give the matter some careful thought. For example, 

• What are the most important functions your business needs in order to meet their customers’ expectations and maintain revenue? This would include the people, processes and systems. Answering this question will allow businesses to narrow the focus of what is critical to protect.
• Do your staff know who to contact if they receive a phishing email or suspect a ransomware attack, data breach, virus, or any other IT incident?
• Do the responsible leaders, teams, and service providers understand the steps for investigation, remediation, crisis communications, and any legal responsibilities?

The results of a crisis simulation and the questions it elicits will allow leaders to refine business procedures for a variety of scenarios; from cybersecurity incidents to those in other domains that rely on similar muscles, such as a key vendor going offline, or negative customer feedback going viral.

Lessons from a simulation or test allows one to assign roles and responsibilities in advance, so teams, as well as individuals, know exactly what to do when under pressure. Additionally, practice of response procedures will build confidence, and staff will feel prepared rather than panicked in the event of a real crisis.

Build a company-wide culture of cybersecurity and test/measure it

Cultural change is a major lever in making anything happen across any domain. 

For cyber security to be seen as important to a business, an organisation needs to craft the message that security is everyone’s responsibility (not just IT’s); and that for it to be effective, everyone plays an important role. Most security leaders will agree that most places and people assume that ‘someone else’ handles security and it isn’t really something to worry about. 

This attitude often leads to employees who either created a security incident or are involved in one to ‘pass the buck’ to the technology organisation. This is a damaging mindset that will perpetuate a weak security posture.

Social engineering, particularly phishing, remains the most significant threat for all businesses. Many lack dedicated security teams, thus making employee awareness even more crucial. 

Security teams should explain the most common tactics used by cybercriminals to everyone in the organisation. This means employees are, more average, more likely to spot a scam and report it. Follow-up training is important for people to remain sharp. Without practice, people will eventually succumb to social engineering attacks, as they continue to become more and more convincing. It’s worth checking out the information on the NCSC. 

If your gut reaction is to think ‘we’re above average intelligence, we won’t be scammed’ you should disabuse yourself of that notion. There are scores of statistics showing that bad actors successfully hack, phish, or attack thousands of businesses each year. Those businesses suffer enormous damage to their reputation and revenue.

Recognise that “the basics” when it comes to cybersecurity tools have changed

Some practical technologies that have become ‘non-negotiable’ security include antivirus/anti-malware, multi-factor authentication (MFA), and phishing defences in email platforms. 

These are relatively simple foundational security measures that, when applied properly, cut out many common threats. Antivirus is not a comprehensive solution to all risks. Modern threats, particularly social engineering, require more robust defences like MFA. Cyber teams also need to continuously educate employees, as modern attacks use many techniques to evade detection, including some that don’t use viruses at all. Simulating, as mentioned, and surprise testing or ‘red teaming’ exercises, really cultivate a culture of vigilance, encouraging employees to be suspicious of unexpected requests or unfamiliar communications.

The explosion in AI has benefited the cybercriminal as they are able to quickly and easily create more convincing and sophisticated threats. AI is also helping the cybersecurity industry by introducing a high level of automation in security defences. However, even with AI, some human oversight will still be necessary to validate controls are working as intended.

Clearly, while more sophisticated and comprehensive security solutions can reduce risk more effectively, SMBs without the luxury of enterprise resources can still raise their cybersecurity posture by using resources provided by governmental cybersecurity agencies. Most provide standards, checklists and resources that can help any business to evaluate their preparedness and implement procedures for identifying, slowing, and hopefully, stopping risky activities.

Be concerned, but not alarmed

The cybersecurity industry is a big business, and its marketing relies on pointing out the very real risks that bad actors and their actions can bring on to anyone. In addition, if one were to read security industry articles, it can make for a great deal of doom and gloom for the smaller business who may not have a CISO, large IT staff, or the latest and greatest security technologies.

Have realistic expectations. No security system can guarantee 100% success in stopping all threats. However, even a modest budget and the right information and culture can create robust security measures and significantly reduce the likelihood and impact of an incident, attack, or breach.

Alert fatigue is a real threat to the Security Operations Centre (SOC). The rate of false positives sees analysts quickly become desensitised and struggle to prioritise their responses.  

Automation was supposed to resolve the issue. In reality, however, it has failed to correlate and advance the ability for analytics to respond to threats. This has led to swivel chair operations that see the analyst required to login to, monitor and manage numerous dashboards. Consequently, burnout is at critical levels. A troubling 63% of security professionals reported an increase in stress levels, according to a 2023 report. This effect is exacerbated by a skills shortage in the sector that has grown 19% over the past year. Now, the shortage stands at 4.8m globally according to the ISC2.

It’s a situation further complicated by the way attacks have evolved. In a bid to remain undetected, these seek to utilise the existing tools and functionality that is built into systems. Living off the Land (LotL) attacks, for instance, can harness binaries, scripts and libraries to advance an attack within the environment without the need to deploy additional tools. 

In fact, the LOLBAS Project has now documented over 200 instances of code that can be used in this way on the Windows O/S. From a threat detection point of view, this makes it significantly more difficult to spot attacks. Security solutions have to be tuned to look for the minutest deviations from what is considered ‘normal’ network behaviour, resulting in many more false positive alerts.

Using graphs to grapple with alerts

In short, detection is becoming infinitely more subtle and complex and the human and computing resources we have are struggling. Generative AI has been lauded as a possible solution. However, as in other sectors accused of AI-washing, vendors have been sketchy when it comes to the details of how the technology could help. Simply creating an AI chatbot will not add value, instead we need to look again at how we’re approaching the problem and how Artificial Intelligence (AI), in its original sense, could add value.

For the analyst, attempting to figure out if an alert is indicative of an attack is comparable to looking at every pixel of a display screen while attempting to see the full image. That’s because those alert events need to be correlated with other contextual information such as the endpoint and identity used as well as threat intelligence on known threats. 

Correlation can be best achieved using graphs which allows those additional pieces of information to be factored in. Hyper graphs could be a game changer here because they allow numerous parameters to be considered and applied to an event, in effect creating not two but multiple axis to model the threat. Events that make up those chains of detection could then be scored to determine whether they warrant investigation. 

AI answers to the analyst

Once we have enough of these chains of detections, it becomes possible to use AI’s deductive algorithms to analyse information. Gartner defines AI as applying advanced analysis and logic-based techniques, including machine learning, to interpret events, support and automate decisions, and take actions. This means we can train it to interpret and present the information to the analyst in a digestible format. And, using Generative AI, the analyst can use prompts to gain further details.

Looking to the future, we’re now entering the age of Agentic AI. AI technology is becoming more autonomous and better equipped to make decisions. It’s unlikely that we will see detection become fully automated in this way. However, we could see analysts presented with possible impact scenarios and avenues for effective remediation by an AI “coworker”. 

In the meantime, hyper graphs promise to significantly reduce the numbers of false positives being generated. Lab tests have shown it can cut those numbers by up to 90%. This frees up analysts to focus their efforts on the more rewarding aspects of the job. For example: threat hunting, investigation and response.

Aligning Security Operations (SecOps) with Governance, Risk, and Compliance (GRC) has become a critical challenge for many organisations. As the number of cyber threats increases and regulatory requirements become more stringent, the need for a holistic, integrated approach to cybersecurity has never been more urgent.  

However, many organisations continue to treat SecOps and GRC as separate functions, leading to inefficiencies, communication breakdowns and security gaps. To enhance security posture and risk management, it is crucial for organisations to align these two functions more effectively. 

One of the primary objectives of any organisation’s GRC strategy is to ensure comprehensive and robust cybersecurity. Cyberattacks can compromise regulatory compliance, affect financial stability, damage reputation and hinder operational efficiency. Yet, despite the critical role of GRC in mitigating these risks, many organisations fail to integrate it seamlessly with SecOps. The result is often a disjointed approach to security that leaves organisations vulnerable. 

Bridging the organisational gap 

A major factor contributing to this gap is the organisational structure. In many cases, SecOps and GRC are treated as separate silos within the same company. While both functions may report to the Chief Information Security Officer (CISO), they often operate with distinct teams, tools and processes. This lack of integration can lead to operational inefficiencies, duplicate work, and, most importantly, security blind spots. Without a unified approach, organisations may struggle to respond to cyber threats quickly or ensure compliance with ever-evolving regulations. 

One of the key challenges posed by this separation is a misalignment of priorities.  

GRC teams are typically focused on defining strategies and policies that align with regulatory requirements, corporate objectives, and risk management frameworks. Their work often involves developing long-term security strategies and ensuring the organisation complies with relevant laws and standards.  

On the other hand, SecOps teams are more focused on the day-to-day implementation of these policies. They deal with immediate threats, respond to incidents, and ensure that the technical security controls are in place and functioning. Without collaboration and communication between these teams, the strategic goals set by GRC may not be fully realised at the operational level, leading to gaps in security coverage. 

Compliance missteps and misalignment 

One significant result of this disconnect is the potential for security incidents to occur due to compliance missteps. Misalignment can lead to misunderstandings about the role and importance of compliance in the broader security strategy.  

For example, SecOps may not fully grasp the implications of regulatory requirements, while GRC teams may lack a clear understanding of the practical challenges involved in implementing technical security measures. This lack of clarity can result in non-compliance with laws such as the General Data Protection Regulation (GDPR) or other industry-specific regulations, leading to hefty fines and reputational damage. 

To address these issues, organisations must foster closer collaboration between SecOps and GRC. One way to achieve this is through regular, transparent communication between the two teams. By sharing insights and feedback on emerging threats, regulatory changes and internal security gaps, both functions can better understand how their work contributes to the organisation’s overall security posture. For example, GRC teams can provide SecOps with a clearer understanding of the potential risks posed by non-compliance, while SecOps can offer real-time data on vulnerabilities and incidents, allowing GRC to adjust policies and strategies accordingly. 

Standardise your tech platforms 

Another critical step towards alignment is ensuring that both teams are using compatible tools and platforms. In many organisations, GRC teams rely on documents, spreadsheets and enterprise governance, risk, and compliance (eGRC) platforms to manage compliance tasks.  

However, SecOps teams often work with Security Information and Event Management (SIEM) systems, Extended Detection and Response (XDR) platforms, and Security Orchestration, Automation, and Response (SOAR) solutions to detect and respond to threats.  

This disparity in tools can create additional barriers to collaboration and data sharing. By standardising technology platforms or adopting tools that enable cross-functional collaboration, organisations can break down these silos and create a more cohesive security framework. 

Use an MSSP to bridge the skills gap  

The cybersecurity skills gap also exacerbates the challenges of aligning SecOps and GRC. Both teams often struggle with understaffing and the increasing complexity of cybersecurity tasks. According to research from the Enterprise Strategy Group, 46% of cybersecurity professionals report feeling understaffed, and 81% believe their jobs have become harder in the past two years. This strain on resources can make it even harder for organisations to align their SecOps and GRC efforts effectively.  

To address this issue, many companies are turning to Managed Security Service Providers (MSSPs) to supplement their internal capabilities and bridge the gap between SecOps and GRC. An experienced MSSP can bring an outside perspective, facilitate communication between teams. They can play a pivotal role in ensuring organisations implement security measures to best meet both operational and compliance requirements. 

Another approach to improving SecOps/GRC alignment is by leveraging integrated cybersecurity platforms that centralise data and enable real-time collaboration. For example, Obrela’s SWORDFISH platform provides a unified solution for managing both SecOps and GRC functions. By consolidating security-related data into a single “data lake,” SWORDFISH enables real-time analytics and coordinated responses to threats. This centralised approach helps eliminate silos between the teams and ensures that both sides are working with the same data, improving decision-making and response times. Platforms like these can act as an “ERP” for cybersecurity, providing a comprehensive view of risk and operations and allowing teams to prioritise efforts based on a common understanding of the organisation’s most critical assets. 

Break down silos 

Aligning SecOps with GRC is essential for improving an organisation’s overall security posture and ensuring compliance with regulatory requirements. While the challenges of achieving this alignment are significant, they can be addressed through better communication, standardised tools and a stronger commitment to collaboration. By breaking down silos between functions and fostering a more integrated approach to security, organisations can improve both their operational efficiency and ability to manage risks. 

Obrela’s SWORDFISH platform helps organisations manage risk and maintain clean security hygiene across the organisation, while efficiently managing detection and response. The SWORDFISH platform, combined with Obrela’s security advisory services, is designed to help organisations identify risk and determine its potential impact, helping them plot proper responses to improve their GRC maturity and overall security posture. 

This article contains information gleaned from an Obrela White Paper, available for free download here.

Biometric security measures, including fingerprints, facial recognition, and voice patterns, have revolutionised digital protection. Their widespread adoption in both consumer devices and corporate systems has made them an integral part of modern security protocols. 

However, this reliance has also turned them into prime targets for attackers. The threat demands our attention as, unlike passwords which can be changed, compromised biometric data is permanent, amplifying the risks associated with its theft.

The biometric threat

Organisations face significant risks from biometrics, as evidenced by high-profile breaches in the past. In 2015 the U.S. Office of Personnel Management (OPM) suffered a breach that exposed the fingerprint data of over 5.6 million government employees. Technological advancements, such as liveness detection and infrared scanning, have mitigated some vulnerabilities. Nonetheless, these measures do not entirely eliminate the risk.

The threats posed by biometric and wearable data theft are not confined to organisations though. Wearable devices such as smartwatches and fitness trackers serve as reservoirs of sensitive information. These gadgets not only collect health and geolocation data but also facilitate financial transactions through tap-to-pay functionality. Cybercriminals can exploit these features, analysing wearable usage patterns to orchestrate targeted crimes. For instance, the routine of a high-net-worth individual could be tracked to plan a burglary during a known absence.

Deepfakes compound the problem

The integration of artificial intelligence (AI) into cybercriminal strategies has further compounded the biometric problem. It has enabled the creation of realistic deepfakes that leverage stolen biometric data. These fabrications can deceive even the most discerning systems and individuals, facilitating fraud and allowing attackers to hone their spear phishing attempts. The dangers are evident in cases such as the one in 2020 whereby one threat actor managed to steal $35 million by using AI to replicate a company director’s voice and deceive a bank manager. Similarly, in January 2024, a finance employee at British engineering firm Arup fell victim to a $25 million scam after a video call with a ‘deepfake chief financial officer’. Such examples illustrate that deepfakes are not just a theoretical concern but a tangible threat that businesses must address urgently.

The implications of deepfake technology extend beyond financial fraud, potentially undermining biometric authentication systems altogether. According to our 2024 State of Information Security Report, deepfake incidents accounted for 32% of security breaches among UK businesses in the past year, making it one of the most prevalent forms of cyber intrusion. By combining deepfake technology with stolen biometric data, attackers can craft highly convincing scams, leaving both individuals and enterprises vulnerable.

The role of regulation

Despite these alarming trends, solutions exist. The path forward requires collective action from individuals, manufacturers, and regulators to bolster defences. Device manufacturers must prioritise security features in their products, incorporating measures like end-to-end encryption and data minimisation practices – key principles of GDPR. By collecting only essential data and employing pseudonymisation, manufacturers can significantly reduce the risks associated with breaches; disaggregating biometric data from the individual makes it far less exploitable and significantly diminishes its value to attackers.

Regulatory frameworks, such as the EU AI Act and HIPAA in the U.S., provide critical guidelines for safeguarding sensitive information. While the EU AI Act remains relatively new, the act seeks to prohibit “the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement.”

Meanwhile, under the HIPAA Security Rule (2009) in the US, organisations must safeguard Protected Health Information (PHI), with wearables and smart devices increasingly being used to collect PHI. Meanwhile, in 2021, Facebook was forced to pay $650m for violating Illinois privacy law, allegedly using photo face-tagging and other biometric data without the permission of its users.

How can individuals protect themselves?

For individuals, maintaining vigilance is paramount. Using layered security measures – such as combining biometric authentication with strong passwords or multi-factor authentication – can provide an additional buffer against attacks. Regularly updating device software to incorporate the latest security patches is another essential step.

In the unfortunate event of biometric or wearable data theft, immediate action is crucial. For individuals, this includes reassessing the security of compromised accounts and implementing stricter authentication measures.

What protocol should organisations follow in the event of a breach?

For businesses at risk of cyberattack, adhering to compliance requirements is essential. Breaches must be promptly reported to supervisory bodies like the ICO, and pre-established incident management protocols should be activated to mitigate further damage.

Following such incidents, organisations must acknowledge that parts of their authentication framework may no longer be secure. This should prompt a comprehensive risk assessment. Depending on the outcome, businesses might decide that the compromised asset is of low value and tolerable risk or determine that additional protective measures are necessary to address the vulnerability.

Seeking guidance from established standards can be instrumental in navigating these challenges. Frameworks like ISO 27001 offer clear strategies for identifying reliable suppliers and enhancing authentication practices. These standards outline essential actions, serving as invaluable resources for mitigating the risks tied to biometric and wearable data theft.

Looking ahead, the battle against biometric and wearable data theft will only intensify as technology continues to evolve. The integration of AI-powered hacking and the proliferation of advanced devices demands constant innovation on the side of cybersecurity defenders. With increased vigilance and by following best practices, organisations can build their resilience to counter these emerging threats.

Ransomware attacks are on the increase despite concerted international efforts to disrupt ransomware business models. According to the Apricorn annual survey of IT and security decision makers, the risk of ransomware is rising steadily. This year, 31% stated their organisation had suffered an attack over the past twelve months in the UK. This figure is a noticable rise compared to 24% in 2023. Ransomware is now the most sought-after type of cover when organisations take out cyber insurance. Double the number of respondents required ransomware cover in 2024, up from 16% in 2023.

Attempting to break this pattern, the Home Office has launched a new consultation. The document seeks opinions in response to three new proposals by April, 2025. The first entails a targeted ban on the payment of ransoms in the public sector and by critical national infrastructure. The second is a payment prevention regime. This would require victims to report plans to pay before doing so, which could potentially be blocked by the government. And third, the government would make mandatory the reporting of ransomware incidents. 

It’s not yet clear if incident reporting will apply across the board to all commercial organisations. It’s possible a threshold will determine the scale of attack that must be brought to the government’s attention. If the latter, reporting will be encouraged even among those who fall out of scope. This will help the government understand the scale, type and source of ransomware threats. 

The report itself will need to be filed within 72 hours of the attack. A full report will then need to be provided within 28 days. The initial report will need to contain details on whether the organisation can recover using its existing resilience measures, like if it can use backups to restore data and resume operations.

Failed ransomware recoveries

Worryingly, this is often far more difficult than organisations think. Despite having backup processes in place, these are not always fully tested. This can mean that, when the time comes, data restoration is only partially successful. 

The Apricorn survey found that 50% of respondents had to resort to using their backups to recover data last year. Of those, only half were able to so successfully. A quarter of respondents had to settle for partial recovery and 8% were unable to recover any data at all. 

To make matters worse, ransomware attackers are also actively targeting those backups to thwart recovery. 

The 2024 Ransomware Trends report found that 96% of ransomware attacks are now aimed at backup repositories. The Apricorn survey found automated backup to both central and personal repositories has surged to 30%, up from 19% the year before, which is a positive step as it means less are doing so manually, a practice which can see errors occur or the user simply forget to backup their data. But with those repositories now being actively targeted, it’s clear that organisations need to make backups of their backups.

This is precisely the thinking behind the 3-2-1 strategy. It advocates that data be backed up at least three times, with at least two copies of that data held on different media, one of which should be offsite. 

One copy of the data should be offline, for example, effectively airgapping the data and a good example of this would be on an encrypted removable hard drive that can be disconnected from the network. In this way, the organisation can guard against the risk of their backups being compromised.

Testing the process

Taking such proactive measures provides a belt and braces approach to recovery but it’s also important to diligently test the recovery process on a regular basis. The Apricorn survey found 9% of those questioned acknowledged their systems were not robust enough to allow a rapid recovery from an attack, indicating there is still work to be done in this regard. 

But those that do get to grips with improving their backups stand to reap additional benefits. For instance, the survey found a striking 46% of respondents now consider robust backup policies as the most important factor for meeting cyber insurance compliance, a substantial increase from 28% in 2023.

It’s better not to pay 

There’s also a growing realisation that paying a ransom offers little guarantee of the business being reunited with its data. The 2024 Ransomware Risk Report found that over a third of victims (35%) either did not receive decryption keys or received corrupted keys leaving them unable to recover their data. What’s more, they were often extorted multiple times. Of the 78% that paid the ransom, 72% paid multiple times and 33% four times or more. It’s also commonplace for victims to be targeted again if they pay, with 74% reporting being attacked multiple times.

It’s for these reasons that organisations’ approach to ransomware has to change with a move away from negotiations and payments to more resilient business processes that make recovery possible. The advice from the Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) has always been not to simply resort to payment and that doing so does not fulfil the organisation’s regulatory obligations in terms of mitigating the risk posed to data. 

The recommendation was to report the incident but the introduction of mandatory reporting will now formalise that process. In doing so it will make organisations much more aware of the need to detail the resilience measures they have in place and hopefully that will translate into much more diligent backup strategies.

In today’s digital landscape, ransomware has become a significant and persistent threat for organisations.

No longer an emerging risk, ransomware has been a well-established concern facing many companies for some time. In 2021, for example, a survey from Gartner revealed ransomware as the top threat on the minds of business leaders.

However, despite widespread awareness of the challenge, the problem of ransomware has not diminished but grown.

Many ransomware groups are now operating like businesses. They run highly organised operations complete with structured revenue models, marketing strategies and recruitment efforts. They function like legitimate enterprises, and their efforts are proving lucrative, generating substantial profits. Just last year, for instance, one report estimated that ransomware group ‘Black Basta’ had raked in around $107 million in in the short time since it first emerged in early 2022.

On top of this, there’s an entire marketplace dedicated to ransomware-as-a-service (RaaS) solutions. Black markets for ransomware tools mean even those with minimal technical skills can launch attacks. By selecting malware, encryption or distribution tools from various providers, even basic attackers can now easily execute ransomware campaigns. This serves to only lower the bar to entry for cybercrime even further.

Ransomware is rampant

There is no reason why ransomware will cease to be a major threat anytime soon.

Once individuals have crossed the moral threshold of engaging in criminal behaviour, there’s little else to deter them from continuing with ransomware activities. There are two key factors that could dissuade them: high chances of getting caught or low financial reward. However, niether are presently significant concerns for ransomware actors.

Indeed, many major ransomware groups are state sponsored. Some governments actively encourage them to target companies or critical infrastructure in rival nations. This kind of backing significantly reduces the likelihood of arrests. And, as a result, these threat actors often operate with a degree of impunity in their home countries.

Further, it’s not all that hard for ransomware organisations to continue to find targets and extract value, as Semperis’ 2024 Ransomware Risk Report shows.

The survey of almost 1,000 IT and security leaders highlights that ransomware is a reality facing many companies. The majority (83%) of responding organisations having been targeted by ransomware in the past 12 months. Of these enterprises, 74% were attacked multiple times.

The report also shows that, in most cases, firms are not prepared to combat ransomware demands. Over three-quarters (78%) of targeted organisations paid a ransom at least once.

Patch management isn’t currently taking priority

These figures might seem surprising. Shocking, even. Nonetheless, they are a reflection of how much the ransomware threat has evolved as firms have failed to respond.

Today, there are several critical aspects of security that are not always adequately prioritised. Patch management is one of them.

It’s easy to ignore those pop-up notifications prompting you to install an important Windows update. This is especially true when you’re in the middle of something important with a tight deadline. However, dismissing these notifications and moving on can lead to serious risks.

With ransomware attacks becoming more pervasive and opportunistic, this mindset therefore needs to change. According to a report from Deloitte, ransomware groups are increasingly leveraging zero-day exploits to target systems. Currently, over a third of ransomware victims are now breached in this way.

For this very reason, companies need to prioritise patch management. Instead of delaying updates for weeks or months, they must be affirmed in hours or days.

Phishing campaigns have become more sophisticated

Zero-day attacks are not the only technique that threat actors can leverage. Cybercriminals are also continuing to prey on the security vulnerabilities perpetuated by people themselves.

These days, phishing efforts are impressively crafted, making them significantly harder to detect and counter. Campaigns are exceptionally convincing: Attackers meticulously impersonate trusted brands and individuals, often monitoring email communications to understand user behaviours and identify suitable targets.

The advent of artificial intelligence has further complicated this landscape, enabling scammers to generate artwork and compose polished emails that mimic the tone and style of legitimate correspondence.

As a result, phishing attempts are becoming both more persuasive and increasingly difficult for even the most vigilant users to spot.

No industry or organisation is off limits

In addition, ransomware attackers are also focusing on organisations that they perceive as both vulnerable and more inclined to pay ransoms.

Take the healthcare sector as an example. It’s sad to see that cybercriminals are actively targeting hospitals. Even in wartime, the rights championed by organisations like the Red Cross, which offer protection and assistance to victims of armed conflict and strife, are generally upheld. However, with many threat actors being financially motivated, there is no moral barrier and hospitals have become regular targets.

Why? Not only do these organisations often lack the funding to adequately invest in IT and security improvements, but threat actors know that any disruptions they’re able to inflict may cause widespread chaos.

I have witnessed incidents where hospital groups were forced to divert or evacuate patients due to ransomware attacks that disabled critical equipment, such as insulin pumps and X-ray machines. It’s exactly what threat actors hope to achieve. In fact, results from the aforementioned Semperis ransomware report shows that nearly 70 % of healthcare organizations that were victimized by ransomware paid.

The risks of paying a ransom

From zero-days exploits and more sophisticated phishing tactics to targeting those organisations that are more likely to pay out, ransomware actors are continually refining an effective formula for their attacks, thereby bolstering their chances of success.

In contrast, organisations are all too often lagging in their response, failing to develop effective countermeasures to combat these threats. Again, Semperis’ latest report highlights the current gap that exists.

Critically, only about one-quarter of respondents have dedicated backup systems specifically for Active Directory. This is a serious problem. Without the ability to quickly recover their identity systems that are operationally vital, companies can be left feeling that they have no option but to pay their attackers.

Many respondents noted a desire to return to normal business as quickly as possible as a reason for paying ransom. However, firms that opt to do this fail to recognise that paying out once is likely to leave a greater target on your back, making you even more susceptible to future attacks.

A significant portion (32%) of companies that suffered a ransomware attack paid at least four times during the past year. About 10% of companies paid more than $600K in ransoms alone. If you experience a breach and choose to pay the ransom, you essentially set the stage for attackers to come after you again.

Therefore, for any organisation – especially those that have previously been breached or have paid ransoms – it is crucial to take a new approach, prioritising resilience by embracing an effective multilayered security strategy.

Start by getting the basics right

Today, the basics matter. You’d be surprised at how much you can reduce your attack surface through aggressive patch management. Even small, incremental updates can help prevent significant disruptions down the line.

Similarly, while companies have traditionally focused on keeping intruders out, it is equally important to put plans in place in case attackers succeed in breaching these first lines of defence. Critically, that means ensuring that backup systems are not only in place but also continuously tested to ensure they are functioning.

The fact that nearly 70% of respondents said they had an identity recovery plan, yet 78% of targeted organisations paid the ransom, is a problem: Backups, clearly, aren’t working as they’re supposed to be.

The fact that only 27% of organisations have dedicated systems for recovering Active Directory, Entra ID and other identity controls – the Tier 0 infrastructure upon which all systems rely for recovery – is also a major problem. It’s crucial to understand where your data resides, what data is essential for business operations, and how it is protected, and this includes your identity systems.

These things might not be exciting or interesting. But they are the building blocks of an effective security strategy.

Now, more than ever before, it’s about laying the right foundations. Yes, algorithmic flywheel functions and new AI solutions are cool, but firms must not forget to focus on the basics.

Last year saw a number of high profile cases of businesses falling victim to cyber attacks, with financial as well as reputational implications. According to government data, 50% of all businesses have experienced some form of cyber security breach or attack in the last 12 months – and with the likelihood of this trend increasing into 2025, preparing for such an event is vital for businesses of all sizes. Yet, the reality is that even with the best prevention strategies in place, there is currently no guaranteed way of avoiding the risk altogether. 

Create a robust crisis plan 

The first step in preparing for what to do in the event of a cyber attack is putting together a clear plan of action. This plan should outline different potential scenarios and make clear who is responsible for leading the response across your business. 

When doing this it helps to think like a hacker. In what ways might a cyber criminal try to harm your organisation? How will this impact IT, legal, finance, communications, HR, or other departments? It is likely that a successful attack will impact most divisions of the organisation in some way. They all need to be aware of the plan and understand their role. Appointing a specific individual within each department to take the lead and be capable of forming a response team in the event of a threat can help. 

It is important that every person involved in the plan understands the implications of an attack and why these preparations and their involvement is necessary. Getting their buy-in from the beginning will ensure that everyone is aligned and working together when needed. You can help them to take charge in these scenarios by advising them on what they can do to minimise the impact of the attack. You should list theses steps clearly on your crisis management strategy, with the owner of each action and their contact details shared across the crisis response team.

Test the plan 

Everybody should be comfortable and familiar with the steps they need to take. So, once the strategy is finalised and approved, it should be rigorously tested. Much like companies run regular fire drills, the crisis management strategy should be trialled and rehearsed so that it becomes second nature in the event of a real attack. 

Each person on the strategy should also make sure they have prior approval to conduct any of the actions they might need to take. This may include legal approval, pre-authorised spend caps or written agreement from the CEO that a Chief Information Security Officer (CISO), or similar individual, can take charge if difficult decisions need taking in the event of a threat. 

Clear communication is key 

At the recent Probrand IT Expo, Jon Staniforth, former CISO at the Royal Mail, spoke about his experience of a ransomware attack. He described the ‘insatiable’ appetite for communications from many different parties at the time of the attack, with everyone requiring information to suit a different agenda. He explained that handling these communications was the most time-consuming element of his role in the early days of the crisis, occupying 50-70% of his focus. Jon went on to create a dedicated communications team to work with the various stakeholders across PR, corporate communications and public affairs throughout the attack, ensuring the right messaging was getting out in a timely manner, without detracting him from his own role. 

Knowing what to communicate, when and to whom is vital during a crisis. Yet, in the moment, it can be easy to get this wrong and say too much – or too little. Preparing clear messaging in advance and sticking to approved statements in the event of an attack can help to minimise the impact on your business’s reputation. Working with your organisation’s communications team to align on a strategy, as well as investing in any media training to rehearse real-life scenarios can help to create a clear process if and when the time comes. 

Remember the importance of wellbeing

Looking after your own wellbeing – and that of your team – can fall to the bottom of the priority list when a crisis hits, but it should be a top priority. Reflecting on his crisis, Jon explained that he was working 20 hour days in the first week of the attack, doing whatever it took to understand the scale and scope of the damage. But this can become unsustainable as the work to repair the damage of an attack can span many weeks and months. To tackle this in the future, Jon suggested he would appoint a dedicated wellbeing officer whose sole responsibility is to care for the physical and mental wellbeing of the team handling the crisis. 

It is often in the nature of IT teams to get involved and be curious about major events such as these, and many will volunteer to work through the night to get to the root of the problem. Jon explained that part of his role was sometimes to ask people not to get involved and for the benefit of their own wellbeing ensure they stay in their work streams. Segmenting teams and fixing accountability to specific people for pre-determined tasks can also help to keep the process as efficient as possible. 

Handling any kind of crisis is undoubtedly fraught and difficult, but implementing a clear plan in advance and sticking to it in the moment can help to minimise the impact of an attack, not only on the business but on your own wellbeing. If you are currently preparing your IT strategy for 2025, taking some time to prepare for a crisis, and then testing your response at regular intervals, will pay off in the long run. 

With the rapid development of AI, fraudsters are becoming increasingly organised and sophisticated. Instead of lone actors, we’re seeing well-coordinated criminal teams that are more focused and skilled at identifying vulnerabilities than ever before. 

Yet, data shows that 39% of businesses took no action following their most disruptive breach in the previous 12 months, giving cybercriminals the opportunity to continue cashing in and turning fraud into cybercrime. 

The power of AI 

One of the most powerful tools that fraudsters have started implementing into their arsenal is AI bots. These bots enable new types of fraud and present significant challenges for businesses. In 2022 alone, £177.6 million was lost to impersonation scams in the UK, and as AI-powered deepfakes and voice cloning improve, the risk of fraud will only continue to grow.

To protect themselves, businesses must stay informed about the latest fraud tactics. They need to understand how criminals are using AI-powered bots to launch and scale attacks, how deepfakes and synthetic identities are evolving, and most importantly, how to defend against these threats.

Historically, scammers and fraudsters were limited in their resources. They often operated alone, relying on their ability to trick people. Once blocked, they would usually give up and move on. However, this has now changed, and fraudsters are forming organised teams and using AI to enhance their deceptive tactics.

For online businesses, generative AI makes it harder to differentiate between genuine users and fraudsters. One common tactic involves using AI-powered phishing templates to gain access to account information and credit card details. These AI-driven “chatbots” mimic real businesses by copying their speech and text patterns. Deepfake technology further complicates matters by creating highly convincing AI-generated likenesses of real people.

The era of deepfakes

Deepfakes are making fraud increasingly complex. The technology enables attackers to impersonate victims to make high-value purchases by creating synthetic identities and mimicking voices. In this way, deepfakes can trick customer service into approving transactions. Fraudsters can even manipulate videos with lip-syncing techniques that are hard to detect.

Businesses are only just starting to realise what a major problem deepfakes will become for them. In the future, AI-powered bots could make calls without human involvement if we don’t take action now. This poses a significant risk to both businesses and consumers. To combat these sophisticated attacks, businesses need to implement high-performance machine learning models into their technology. To effectively fight deepfakes, we must understand the tools and techniques being used and implement AI-powered tools that match the speed and scale of criminal activities.

Fraud resilience 

Risk intelligence teams play a crucial role in safeguarding businesses against AI-driven fraud. By analysing various fraud types and collaborating with data scientists, they can feed information into models and cross-reference it with past consumer behaviours. This allows them to continuously adapt their defences as fraudsters evolve their tactics. 

To build resilience against AI fraud, companies must work closely with intelligence teams to identify anomalies and incorporate them into feedback loops. This enables systems to learn faster and detect fraudsters more efficiently. By analysing data, such as IP addresses and device information, risk intelligence teams can identify users who repeatedly engage in fraudulent activity using multiple fake accounts, and take steps to block them.

While AI chatbots pose new challenges, the good news is that solutions are also evolving. Prioritising a strong fraud prevention strategy is essential. This might involve partnering with a fraud prevention provider, forming a data intelligence team, or creating a comprehensive fraud prevention framework. 

By combining in-house capabilities with strategic industry partnerships, businesses can focus on customer loyalty, retention, and profitability.

Last year was one of the most punishing in history for cybersecurity firms. Data from IBM puts the global average cost of a data breach in 2024 at $4.88 million. This is a 10% increase over the previous year and the highest total ever. In the UK, almost three-quarters (74%) of large businesses experienced a breach in their networks last year. Cybercrime is a needle that’s been pushing deeper and deeper into the red for over a decade at this point, and the trend shows little sign of reversing or slowing down. 

New tools, including artificial intelligence (AI) are elevating threat levels at the same time as geopolitical tensions are ramping up. For many organisations, a cyber breach feels less like a matter of “if” than “when,” and with the potential to cost large sums of money, it’s no wonder the topic has the power to inspire a certain fatalism in CISOs.  

Responding to an elevated threat 

However, after multiple high-profile cyber incidents over the last 12 months, industry experts expect rising threat levels to spur the adoption of more robust security frameworks and internal policies. 

“The continued sophistication of cyber-attacks, and the increasing number of endpoints targeted are a specific worry, so we expect this challenge will drive more adoption of zero-trust architecture,” says Jonathan Wright, Director of Products and Operations at GCX. 

The UK Government’s official report on cybersecurity breaches last year notes  that the most common cyber threats result from phishing attempts (84% of businesses and 83% of charities), followed by impersonating organisations in emails or online (35% of businesses and 37% of charities) and then viruses or other malware (17% of businesses and 14% of charities).

The report’s authors note that these forms of attack are “relatively unsophisticated,” advising that relatively simple “cyber hygiene” measures can have a significant impact on an organisation’s resilience to threats. 

Ubiquitous zero trust 

Zero Trust is increasingly becoming an industry standard practice — table stakes for basic “cyber hygiene”. 

To take it one step further, Wright explains that he expects organisations to implement microsegmentation as part of their zero-trust initiatives. “This will enable them to further reduce their individual attack surface in the face of these evolving threats, he says. “As it stands, technology frameworks like Secure Access Service Edge (SASE), and specifically zero-trust have helped organisations secure increasingly complex and evolving cloud environments. However, microsegmentation builds on these principles of visibility and granular policy application by breaking down internal environments; across both IT and OT, into discrete operational segments. This allows for a more targeted application and enforcement of security controls and helps to isolate and contain breaches to these sub segmented areas. As a result, we expect to see continued adoption of microsegmentation strategies throughout 2025, and beyond”. 

Cybersecurity has been and will remain a critical concern for organisations as we enter 2025. Risks that were prevalent over a decade ago — like phishing and ransomware — continue to present challenges for cyber professionals. New technologies are giving bad actors new and better ways to access networks and the data they contain. 

Artificial intelligence (AI) is likely to remain a key element in the strategies of both cyber security professionals and the people they are trying to protect against, and therefore dominates a great deal of the conversation around cybersecurity. As noted in GCHQ’s National Cyber Security Centre (NCSC) annual review, “while AI presents huge opportunities, it is also transforming the cyber threat. Cyber criminals are adapting their business models to embrace this rapidly developing technology – using AI to increase the volume and impact of cyber attacks against citizens and businesses, at a huge cost.”

Breaches are becoming more common, the tools available to cybercriminals more effective. This year, conventional wisdom about striving for ever-more-effective security measures in support of an impenetrable membrane around the business may be phased out, as businesses begin to accept it’s not a matter of “if” but “when” a breach occurs.  

Cyber resilience 

The UK government’s Cyber Security Breaches Survey for 2024 found that half of all businesses and approximately one third of charities (32%) in the country experienced some form of cyber security breach or attack in the last 12 months. 

According to Luke Dash, CEO of ISMS.online, resilience will take “centre stage” in the year ahead, as organisations start prioritising continuity over defence, in what he describes as “a shift from merely defending against threats to ensuring continuity and swift recovery.” 

In tandem with this shift in approach, Dash notes that resilience is also becoming more of a priority from the regulatory side. With “changes to frameworks like ISO 27001 expanding to address resilience, and regulations like NIS 2 introducing stricter incident reporting, organisations will be required to proactively prepare for and respond to cyber disruptions,” he explains, adding that this trend will result in “a stronger focus on disaster recovery and operational continuity, with companies investing heavily in systems that allow them to quickly bounce back from cyber incidents, especially in critical infrastructure sectors.”

Regulatory shifts reflect refocusing on continuity 

Regulations will also spur global action to secure critical infrastructure in 2025, as critical infrastructure like utility grids, data centres, and emergency services are expecting to face mounting cyber threats. 

As noted in the NCSC’s report, “Over the next five years, expected increased demand for commercial cyber tools and services, coupled with a permissive operating environment in less-regulated regimes, will almost certainly result in an expansion of the global commercial cyber intrusion sector. The real-world effect of this will be an expanding range and number of victims to manage, with attacks coming from less-predictable types of threat actor.”

This rising tide of cyber threats — both from private groups and state-sponsored organisations — will, Dash believes, prompt governments and operators to adopt stronger defences and risk management frameworks. “Regulations like NIS 2 will push EU operators to implement comprehensive security measures, enforce prompt incident reporting, and face steeper penalties for non-compliance,” he says. “Governments globally will invest in safeguarding essential services, making sectors like energy, healthcare, and finance more resilient to attacks. Heightened collaboration among nations will also emerge, with increased intelligence sharing and coordinated responses to counteract sophisticated threats targeting critical infrastructure.”

According to the European Union Agency for Cybersecurity’s (ENISA) recently updated Foresight Cybersecurity Threats report, AI will continue redefining cybersecurity until 2030.

Although AI has already significantly reshaped the cyber threat landscape, particularly with the widespread use of GenAI, it is likely to increase the volume and heighten the impact of cyber-attacks by 2025. This is a clear indication that the use cases we’ve seen so far are just the beginning. The true challenge lies in the untapped potential of AI, and the long-term risks it poses. 

The direction AI leads in cyber threat landscape

The increased use of AI has led to a surge in more sophisticated cyber-attacks, from data poisoning to deep fakes. Among these, phishing campaigns and deep fakes stand out as the two main avenues where AI tools are effectively employed to orchestrate highly targeted, near-perfect cyber-attack campaigns.

Gen AI-driven deep fake technology in particular has become a standard tool for threat actors, enabling them to impersonate C-level executives and manipulate others into taking specific actions. While impersonation is not a new tactic, AI tools allow threat actors to craft sophisticated and targeted attacks at speed and scale.

For example, large language models (LLMs) enable threat actors to generate human-like texts that appear genuine and coherent, eliminating grammar as a red flag for such attacks. Beyond this, LLMs take it a step further by hyper-personalising attacks to exploit specific characteristics and routines of particular targets or create individualised attacks for each recipient in larger groups.

However, AI’s impact is not only on the sophistication of attacks but also on the alarming increase in the number of threat actors. The user-friendly nature of Gen AI technology, along with publicly available and easily accessible tools, is lowering the barrier of entry to novice cybercriminals. This means that even less skilled attackers can exploit AI to release sensitive information and run malicious code for financial gain.

AI also plays an essential role in the increasing speed of cyber-attacks. Trained AI models and automated systems can analyse and exfiltrate data faster and more efficiently and perform intelligent actions. Creating ten million personalised emails takes a matter of seconds with these tools. They can quickly scan an organisational network, try several alternative paths in split seconds to find a network vulnerability to attack. Once this happens, they automatically attempt to get a foothold into systems.

Utilising AI in blue teams

Although threat actors will continue to use AI to evolve their tactics and increase the risks and threats, AI is also widely used to arm organisations against these cyber threats and prepare against dynamic attacks.

Consider this in terms of red and blue teams for organisational defence. The red team, armed with AI tools, can launch more effective attacks. However, the same tools are equally available to the blue team. This raises the question of how blue teams can also effectively deploy AI to safeguard organisations and systems.

There are many ways for organisations to utilise AI tools to strengthen their cyber defence. These tools can analyse vast amounts of data in real time, identify potential threats, and mitigate risks more efficiently than traditional methods. AI can also be used in model training, replicating the most advanced AI applications and simulating specific scenarios.

Incorporation of AI into cyber exercises to create attack environments allows organisations to detect weak and vulnerable spots that the most advanced AI application could exploit, and also use AI tools to solve real-world cases.

This means organisations can have a deeper, more comprehensive insight into cybersecurity preparedness and how to arm systems against potential AI powered attacks. It is critical to keep training and exercises up to date with the latest threats and technologies to prepare organisations for AI-powered threats.

The best defense…

However, cybersecurity teams cannot adress the risks posed by AI solely from a defensive perspective. The biggest challenge here is speed and planning for the next big AI-powered attack potential. Organisations should work with the utmost dedication and stay ahead of cyber security trends to create proactive defence strategies.

External security operations center (SOC) services and working with specialised consultants is essential for organisations to be able to move as fast as threat actors and aim to be a step ahead – this is the only way to provide a sense of security in the face of ever-evolving AI threats.

AI as a threat to the whole organisation

AI integration in organisations’ systems is also not without risks. While AI is reshaping the cyber landscape in the hands of threat actors, enterprises are also facing accidental insider threats. AI systems integrations are leading companies to new vulnerabilities, which are well-known internal AI threats in cybersecurity.

Employees using Gen AI tools are accessing more organisational data than ever before. Even in the hands of the most well-intended employees, if they are not cyber-trained, AI tools could lead to unintentional leaks or misplaced access to restricted, sensitive data.

As in every cyber-attack scenario, tackling AI-powered threats is not possible without creating an organisation-wide cyber awareness and resilience culture. Training all employees on using AI tools and the potential risks they pose to an organisation’s systems and integrating AI into daily security operations are the first steps for creating a culture of cyber resilience against AI-powered attacks.

Developing organisational cyber awareness from every responsibility level is critical to avoiding emerging vulnerabilities and evolving AI threats. It not only helps mitigate the risks of employees accidentally misusing AI tools, but also helps build strong organisational cyber awareness and the proactive development of robust security measures.

Artificial intelligence (AI) is making its way into cybersecurity systems around the world, and this trend is only beginning. The potential for AI to revolutionise network security is vast. The technology offers new methods to safeguard systems and reduce the manual workload for IT teams. Moreover, with cybercriminals increasingly adopting AI to create more sophisticated attacks, organisations are starting to consider deploying AI to stay ahead.

However, the question remains: How effective is AI in this space?

Streamlining Cybersecurity Systems 

AI-based network security systems differ significantly to well-established methods of identifying malicious activity on a network. Signature-based detection systems only generate alerts when they identify an exact match of a known indicator of an attack. If there is any variation from the known indicator, then the system will be unable to pick it up.  The alternative is an anomaly-based system, which generates alerts when activity is outside an accepted range of ‘normal behavior. While this takes a more comprehensive view of network activity compared to signature-based systems, it is not without shortcomings. Perhaps the one most often discussed is its tendency to generate false positives when there is unusual activity that is not part of a cyberattack.

Both systems can require extensive manual intervention. IT teams must constantly update databases for signature-based detection systems to ensure that new attack techniques will be recognised as malicious activity. The alternative is that they constantly sift through the alerts generated by an anomaly-based system looking for genuine threats.

AI represents a way to streamline cybersecurity systems, by enabling faster and more precise detection of cyber threats. By processing vast quantities of data, AI systems can identify unusual patterns and behaviours in real time. This imparts key benefits to organisations that leverage AI as part of their cybersecurity defences.

The Value of AI 

Reducing Workload: AI-powered tools can significantly reduce the workload for IT teams. They help cut down the number of false alarms generated by security systems. This allows cybersecurity personnel to stay alert without becoming overwhelmed. This reduction in manual work allows security teams to focus on more complex, strategic tasks.

Increased Protection: AI also offers enhanced protection against cyberattacks. Unlike traditional signature-based detection methods, which struggle to identify zero-day threats, AI excels at recognising emerging threats based on behaviour and patterns. This, coupled with near real-time response capabilities, limits the window of opportunity for attackers to cause damage if they manage to infiltrate a system.

Greater scalability and adaptability. Another advantage of AI is that it gives organisations more flexibility.  Security teams can quickly respond to increased threat levels or unusual network behavior without having to expand their personnel.

Human Oversight

Although AI offers numerous benefits, it’s crucial to acknowledge the need for human oversight in cybersecurity. We should not think of AI as replacing cybersecurity experts, but rather as a vital tool to support them in running day-to-day operations.

 AI systems can process and analyse data rapidly, however they still rely on humans to validate findings, fine-tune the models, and make final decisions, especially when dealing with complex cyber threats. The stakes are high when it comes to the security of an organisation’s confidential data and technology infrastructure. That’s why human involvement is vital in ensuring that AI operates correctly and that correct procedures are being followed.

Mitigating the Risks of AI

While AI can enhance cybersecurity, it also brings several challenges that need to be managed, which highlight the need for human involvement and decision making. 

Accuracy of datasets: One significant concern is the accuracy of the data AI systems are trained on. AI’s effectiveness is largely determined by the quality of the data it uses to learn. If training data is incomplete or biased, the system may produce inaccurate results, such as false positives, or a false sense of security, in case of false negatives due to non-detection of e.g. malicious agents. To prevent this, organisations need to rigorously assess the data they feed into their AI models.

Privacy: Another potential issue is privacy. AI systems rely on real-world data to monitor network activity and identify anomalies. This data must be protected through anonymisation or other privacy-preserving techniques to avoid misuse – and should be deleted when it is no longer necessary.

Resource consumption: Running AI models, especially on a large scale, can be demanding in terms of both energy and water, which are required to maintain the systems. This contributes to a higher environmental footprint. By optimising the frequency at which AI models are retrained, organisations can reduce resource consumption. Additionally, the usage of resources will be lower once the model is trained.

Conclusion

While AI offers substantial benefits to cybersecurity, it also presents challenges that must be addressed to ensure its safe and effective implementation. The technology can significantly reduce workload, enhance network security through faster and more accurate detection, and adapt to evolving threats. However, without high-quality data, privacy safeguards, and careful resource management, these advantages may be undermined. 

The deployment of AI models should be carefully managed by cybersecurity professionals in order to fully take advantage of its capabilities while minimising risks. AI is a valuable tool – not a substitute for human experience and expertise.

As technology advances, so do the tactics of cybercriminals. The rise of artificial intelligence has significantly transformed the landscape of cybersecurity, particularly in the realm of online scams and phishing attempts. 

This transformation presents both challenges and opportunities for individuals and organisations aiming to safeguard their digital assets. Importantly, senior leaders can no longer simply rely on their IT teams to stay safe; they need to be active participants in the protection of new attack opportunities for cybercriminals in the age of AI.

The Evolution of Online Scams and Phishing

AI has empowered cybercriminals to create more sophisticated and convincing scams. Phishing, a common cyber threat, has evolved from simple email scams to highly targeted attacks using AI to personalise messages. Generative AI can analyse vast amounts of data to craft emails that mimic legitimate communications. This makes is difficult for individuals to discern between real and fake messages. 

AI-driven tools can scrape social media profiles to gather personal information in seconds. This information is then used to tailor phishing emails that appear to come from trusted sources. These emails often contain malicious links or attachments that, when clicked, can compromise personal or organisational data.

Previous phishing attempts were more obvious when the instigators didn’t have English as their first language. Thanks to Generative AI, criminals are now fluent in any language.

AI as a Double-Edged Sword

While AI enhances the capabilities of cybercriminals, it also offers powerful tools for defence. AI-based security systems can analyse patterns and detect anomalies in real-time, providing a proactive approach to cybersecurity. Machine learning algorithms can identify suspicious activities by monitoring network traffic and user behaviour, enabling quicker responses to potential threats.

AI can automate routine security tasks like patch management and threat intelligence analysis, freeing human resources to focus on more complex security challenges. This automation is crucial in managing the vast amount of data generated in today’s digital landscape.

AI is already having a significant impact on cybersecurity. The World Economic Forum estimates that cybercrime will cost the world $10.5 trillion annually by 2025, partly due to the increased sophistication of AI-powered attacks.

A study by Capgemini found that 69% of organisations believe AI will be necessary to respond to cyberattacks, indicating the growing reliance on AI for cybersecurity measures, and an IBM report in 2023 revealed that the average cost of a data breach is $4.45 million, emphasising the financial impact of inadequate cybersecurity.

Strategies for Staying Safe

Individuals and organisations must adopt comprehensive cybersecurity strategies to combat the evolving threats posed by AI-enhanced cybercrime. Here are some that can be easily implemented.

• Educate and Train: Regular training sessions on recognising new AI phishing attempts and cyber threats are essential. Employees should be aware of the latest tactics used by cybercriminals and understand the importance of cybersecurity best practices.
• Implement Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to provide two or more verification factors to gain access to a resource, making it more difficult for attackers to breach accounts. Every system in your organisation should be enabled with MFA.
• Ask employees to secure their personal accounts: MFA should already be in place for businesses of any size, but employees must engage MFA (also called 2-factor) security on their accounts to reduce the avenues in which criminals can attack an organisation. The website 2fa.directory provides instructions for all major platforms.
• Use AI-Powered Security Solutions: Deploy AI-driven security tools that detect and respond to threats in real-time. These tools can help identify unusual patterns that may indicate a cyberattack.
• Regularly Update Software: Ensure all software and systems are up-to-date with the latest security patches, including personal mobile devices. This reduces vulnerabilities that cybercriminals can exploit.
• Encourage Digital Curiosity: Promote a culture of digital curiosity that encourages individuals to stay informed about the latest technology trends and cybersecurity threats. This proactive approach can help identify and mitigate risks before they become significant.

The Role of a Family Password

In addition to organisational strategies, simple measures like having a “family password” can be effective in personal cybersecurity. With the rise of AI-generated voice clones, the likelihood of a senior executive being targeted with a phone call that appears to come from a distressed family member is becoming increasingly real. 

A family password is a shared secret known only to trusted family members, used to verify identity during unexpected communications. This can prevent unauthorised access and ensure that sensitive information is only shared with verified individuals.

Criminals frustrated by sophisticated security measures in place protecting company data will move to the path of least resistance. Often, that means personal accounts. If you use Gmail for your personal email and haven’t enabled “2-Step Verification”, then can you be sure criminals aren’t already in your account, silently learning all about you and your family?

The digitally curious executive takes the time to deploy measures in their personal life. Simple measures include a password manager and enabling 2-factor authentication on all their accounts, starting with LinkedIn.

Conclusion

As AI continues to shape cybersecurity’s future, individuals and organisations must adapt and evolve their security practices. By leveraging AI for defence, educating users, implementing robust security measures at work and home, and passing some of the security responsibility onto employees, we can mitigate the risks posed by AI-driven cyber threats and create a safer digital environment.

Andrew Grill is an AI-Expert and Author of Digitally Curious: Your Guide to Navigating the Future of AI and All Things Tech.

While the outcome of Artificial Intelligence (AI) initiatives for the business world – driven by its potential as a transformative force for the creation of new capabilities, enabling competitive advantage and reducing business costs through the automation of processes – remains to be seen, there is a darker flipside to this coin. 

The AI-enhanced cyber attack

Organisations should be aware that AI is also creating a shift in cyber threat dynamics, proving perilous to businesses by exposing them to a new, more sophisticated breed of cyber attack. 

According to a recent report by the National Cyber Security Centre The near-term impact of AI on the cyber threat: “Threat actors, including ransomware actors, are already using AI to increase the efficiency and effectiveness of aspects of cyber operations, such as reconnaissance, phishing and coding. This trend will almost certainly continue to 2025 and beyond.” 

Generative AI has helped threat actors improve the quantity and impact of their attacks in several ways. For example, large language models (LLMs), like ChatGPT have helped produce a new generation of phishing and business email compromise attacks. These attacks rely on highly personalised and persuasive messaging to increase their chances of success. With the help of jailbreaking techniques for mainstream LLMs, and the rise in “dark” analogs like FraudGPT and WormGPT, hackers are making malicious messages more polished, professional, and believable than ever. They can churn them out much faster, too.

AI-enhanced malware 

Another way AI tools are contributing to advances in cyber threats is by making malware smarter. For example, threat actors can use AI and ML tools to hide malicious code behind clean programmes that activate themselves at a specific time in the future. It is also possible to use AI to create malware that imitates trusted system components, enabling effective stealth attacks.

Moreover, AI and machine learning algorithms can be used to efficiently collect and analyse massive amounts of publicly available data across social networks, company websites, and other sources. Threat actors can then identify patterns and uncover insights about their next victim to optimise their attack plan.

Those are only some of the ways that AI is impacting the threat organisations face from cybercrime, and the problem will only get worse in the future as threat actors gain access to more sophisticated AI capabilities. 

Using AI to identify system vulnerabilities 

Whether it translates into adaptive malware or advanced social engineering, AI adds considerable firepower to the cybercrime front. Just as organisations can use AI capabilities to defend their systems, hackers can use them to gather information about potential targets, rapidly exploit vulnerabilities, and launch more sophisticated and targeted attacks that are harder to defend against. 

AI-powered tools can scan systems, applications, and networks for vulnerabilities much more efficiently than traditional methods. Additionally, such tools can make it possible for less skilled hackers to carry out complex attacks, which contributes to the rapid expansion of the IT threat landscape. The exceptional speed and scale of AI-driven attacks is also important to mention, as it empowers attacks to overwhelm traditional security defences. In other words, AI has significant potential to identify vulnerabilities in systems, both for legitimate security purposes and for malicious exploitation.

Three types of AI-enabled scams

The types of scams employed by AI-enabled threat actors include: deepfake audio and video scams, next-gen phishing attacks, and automated scams.

Deepfake Audio and Video

Deepfake technology can create highly realistic audio and video content that mimics real people. Scammers have been using this technology to accurately recreate the images and voices of individuals in positions of power. They then use the images to manipulate victims into taking certain actions as part of the scam. At the corporate level, a famous example is the February deepfake incident that affected the Hong Kong branch of Arup, where a finance worker was tricked into remitting the equivalent of $25.6 million to fraudsters who had used deepfake technology to impersonate the firm’s CFO. The scam was so elaborate that, at one point, the unsuspecting worker attended a video call with deepfake recreations of several coworkers, which he later said looked and sounded just like his real colleagues.

Phishing

AI significantly enhances phishing attacks in several ways, and it is clear that AI-driven tactics are reshaping phishing attacks and elevating their effectiveness. Threat actors can use AI tools to craft highly personalised and convincing phishing emails, which are more likely to trick the recipient into clicking malicious links or sharing personal information. In some scenarios, scammers can deploy AI chatbots to engage with victims in real time, making the phishing attempt more interactive, adaptive, and persuasive.

Automated scamming

AI plays a valuable role in automating and scaling scam attempts. For example, AI can be used to automate credential stuffing on websites, increasing the efficiency of hacking attempts. Furthermore, large datasets can be analysed using AI to identify potential victims based on their online behaviour, resulting in highly personalised social engineering attacks. AI tools can also be used to generate credibility for scams, fake stores, and fake investment schemes by streamlining the creation and management of bots, fake social media accounts, and fake product reviews.

IT measures to defend against the AI-cyber attack threat 

Defending against AI-driven threats requires a comprehensive approach that incorporates advanced technologies, robust policies, and continuous monitoring. Key IT measures organisations can implement to protect their systems and data effectively, include:

1. Utilising AI and ML security tools

Deploy systems driven by AI and machine learning to continuously monitor network traffic, system behaviour, and user activities, which helps detect suspicious activity. Useful tools include anomaly detection systems, automated threat-hunting mechanisms, and AI-enhanced firewalls and intrusion detection systems, all of which can improve an organisation’s ability to identify and respond to sophisticated threats.

2. Conducting regular vulnerability assessments

Run periodic penetration tests to evaluate the effectiveness of security measures and uncover potential weaknesses. Regularly scan systems, applications, and networks to identify and patch vulnerabilities.

3. Building up email and communication security

Use email security solutions that can accurately detect and block phishing emails, spam, and malicious attachments. AI deepfake detection tools designed to identify fake audio and video content are also helpful in ensuring secure and authentic communication.

4. Regular security training and education

Conduct regular training sessions to educate employees about the latest AI-driven threats, phishing techniques, and best practices for cybersecurity in the AI age. Run simulated AI-driven phishing attacks to test and improve employees’ ability to recognise and respond to suspicious communication.

5. Data protection and security

Ensure that you back up sensitive data in accordance with best practices for data protection and disaster recovery to mitigate data loss risks from cyber threats. Follow general security recommendations like encryption and identity and access management controls to address both internal and external security threats to sensitive data and systems.

Cyber threats are constantly evolving. In response, organisations need to adapt and enhance their security programs to protect their digital assets. Managed Detection and Response (MDR) services have emerged as a critical component in the battle against cyber threats. 

A good MDR service will help organisations manage operational risk, significantly reduce their meantime to detect and respond to cyberattacks, and ultimately help them grow and scale their security programmes. 

Here, we explore five key ways in which the right MDR service can help you develop and scale more robust security programs.

1. Real-Time Threat Detection and Response

It is essential to have an MDR service which leverages advanced analytics and real-time monitoring across all infrastructure components. Doing this will help you identify and respond to cyber threats as they occur. By taking this proactive approach, you can ensure you detect threats early. This has the benefit of minimising potential damage and reducing the overall impact on the organisation.

Reduced detection time is a key benefit of MDR. With real-time monitoring 24/7/365 by skilled SOC analyst teams, threats can be detected and investigated much faster.

With immediate response, teams of experts can swiftly mitigate identified threats, preventing them from escalating.

By integrating real-time threat detection and response into their security programmes, organisations can stay ahead of cyber threats and ensure continuous protection of their digital assets.

2. Flexible Service

Your MDR service must be designed to address the constantly changing cybersecurity landscape, provide flexible options for coverage and multiple service tiers considering factors such as organisation size, technology stack and security profile. For example, at Obrela our MDR service uses an Open-XDR approach so clients can integrate and monitor existing infrastructure to improve security posture.

With flexibility in an MDR service to incorporate logs, telemetry and alerts from endpoints (desktops, laptops, servers), network infrastructure, physical or virtual data centre infrastructure, cloud infrastructure and OT, organisations can build a 360-degree view of their cybersecurity.

3. Advanced Threat Intelligence

Sophisticated threat intelligence will help an organisation to stay ahead of emerging threats. Threat intelligence and analytics of an MDR service must be continuously updated to identify patterns and predict potential attacks.

An MDR service must always be aligned with the current threat landscape to consider threat actor behaviour and TTPs, and ensure suspicious activity is detected and flagged prior to an attack taking place.

4. Expert Incident Management

Effective incident management is crucial for minimising the impact of cyber incidents. Without it, it’s impossible to ensure organisations can quickly return to normal operations.

An effective MDR service must include comprehensive incident management, from detection through to resolution. This should also include 24/7 support from cyber security experts to manage and resolve incidents effectively. An incident management service should cover every aspect of an incident, from initial detection to post-incident analysis and reporting.

Organisations today face a shortage of skilled and experienced security personnel. However, an MDR service gives you access to expertise on demand. Access to a team of experienced cybersecurity professionals ensures organisations can manage incidents efficiently and effectively.

5. Continuous Improvement and Optimisation

For businesses looking to strengthen their security posture, cybersecurity cannot be a one-time solution. It needs to be an ongoing partnership, aiming to continuously improve and optimise your organisation-wide cyber security. Regular assessments, feedback and updates will help ensure security measures remain effective and relevant.

Regular assessments and updates also ensure security measures evolve with the ever-changing threat landscape, while feedback and analysis from previous incidents help refine and enhance cyber security over time.

Continuous improvement and optimisation ensure your security is always at its best, providing robust protection against cyber threats.

Managed Detection and Response (MDR) services are essential for growing and scaling security programs in today’s dynamic threat environment. 

Utilising a cloud-native PAAS technology stack, our purpose-built Global and Regional Cyber Resilience Operation Centers (ROCs) provide continuous visibility and situational awareness to ensure the security and availability of your business operations. 

When MDR services detect cyber threats, rapid response services restore and maintain operational resilience with minimal client impact. 

By leveraging the right MDR service from an expert provider, organisations unlock the ability to scale with real-time, risk-aligned cybersecurity that covers every aspect of their business, no matter how far it reaches or how complex it grows, bringing predictability to the seemingly uncertain. 

For more information on how MDR services can enhance your organisation’s security programme, visit the Obrela website.

A new directive designed to safeguard critical infrastructure and protect against cyber threats came into force across the European Union (EU) from October. But although the United Kingdom (UK) is no longer part of the EU, understanding these changes is still important, especially if your business operates in the region. 

Plus, the Network and Information Systems Directive (NIS2) closely aligns with the UK’s own robust cybersecurity frameworks, including the Cyber Security and Resilience Bill introduced in the King’s Speech this summer. Preparing now could make it much easier to comply with future UK regulations as they come into effect. 

Why should UK businesses adapt? 

1. Prepare for future regulations 

Although the UK is no longer part of the EU, the interconnected nature of global cyber threats means it’s not practical to reinvent or move away from existing regulation. With that in mind, it’s not surprising that The UK’s upcoming Cyber Security and Resilience Bill is closely aligned to NIS2. By understanding what’s coming, and aligning with NIS2, UK organisations will be much better prepared for future national regulatory changes too – and of course better protected against cyber threats.

2. Strengthen cyber resilience

This goes beyond compliance for compliance’s sake. When it comes into force, NIS2 is designed to protect organisations from cyber attacks and can significantly enhance cyber resilience. With an emphasis on risk management, incident response, and recovery, UK businesses that adopt these practices can better protect themselves, respond more effectively to incidents, and, ultimately, safeguard their operations and reputation.

3. Cement business relationships with EU partners

Many UK organisations rely on strong relationships with EU partners, and it’s likely that NIS2 compliance could become a prerequisite for future contracts, just as we saw with GDPR. Many EU companies may require suppliers and partners to comply with equivalent cybersecurity measures, and failing to do so could limit opportunities for collaboration. By adopting NIS2 standards now, UK businesses will make it easier for EU partners to work with them. And, if nothing else, demonstrating an understanding of and adhering to high cybersecurity standards can help businesses stand out, especially in sectors where security and trust are crucial.

Prepping for the Cyber Security and Resilience Bill 

When the UK government set out plans for a Cyber Security and Resilience Bill, it heralded a significant strengthening of the UK’s cybersecurity resilience. If passed, this legislation aims to fill critical gaps in the current regulatory framework, which needs to adapt to the evolving threat landscape. 

The good news is, because much of the Bill and NIS2 align, if businesses have already started the process of adapting to the EU directive, the burden isn’t as great as it could be.

The Bill at a glance:

1. Stronger regulatory framework: The Bill will put regulators on a stronger footing, enabling them to ensure that essential cyber safety measures are in place. This includes potential cost recovery mechanisms to fund regulatory activities and proactive powers to investigate vulnerabilities.

2. Expanded regulatory remit: The Bill expands the scope of existing regulations to cover a wider array of services that are critical to the UK’s digital economy. This includes supply chains, which have become increasingly attractive targets for cybercriminals, as we saw in the aftermath of recent attacks on the NHS and the Ministry of Defence. This means that more companies need to be aware of potential legislative changes.

3. Increased reporting requirements: an emphasis on reporting, including cases where companies have been held to ransom, will improve the government’s understanding of cyber threats and help to build a more comprehensive picture of the threat landscape, for more effective national response strategies.

If passed, the Cyber Security and Resilience Bill will apply across the UK, giving all four nations equal protection.

Building on current rules 

The UK has a strong foundation when it comes to cybersecurity, and much of this guidance already closely aligns with the principles of NIS2 and the new Cyber Security and Resilience Bill. The National Cyber Strategy 2022, for example, focuses on building resilience across the public and private sectors, strengthening public-private partnerships, enhancing skills and capabilities, and fostering international collaboration. And National Cyber Security Centre NCSC guidance already complements new rules by focusing on incident reporting and response and supply chain security. Companies that follow these rules will be in a strong position as legislators introduce NIS2 and the Bill. 

Cyber protection for a reason 

This is not just about complying with the latest regulations. Cyber attacks can be devastating to the organisations involved and the customers or users they serve. Take for example the ransomware attack on NHS England in June this year, resulting in the postponement of thousands of outpatient appointments and elective procedures. Or the 2023 cyberattack on Royal Mail’s international shipping business that cost the company £10 million and highlighted the vulnerability of the transport and logistics sector. And how about the security breach at Capita also in 2023, that disrupted services to local government and the NHS and resulted in a £25 million loss. 

We live in an interconnected world where business – and legislation – often extends far beyond their original borders. So please don’t ignore NIS2. By understanding and preparing for it, UK businesses can better protect themselves against cyber attacks. Make themselves more attractive to European partners. And contribute to national cyber resilience.

The global cybersecurity threat landscape is expanding, driven by remote connectivity, the rapid convergence of information technology (IT) and operational technology (OT) systems, as well as an increasingly challenging international security and geopolitical environment.

All these issues present significant challenges – but also opportunities – for high-ranking technology leaders in all industries, not least in the context of ever-more-ubiquitous artificial intelligence (AI). 

Ensuring that cybersecurity standards are being met along the entire supply chain, for example, requires dedicated OT security teams to collaborate with their IT security colleagues to identify and address security gaps that are specific to the OT domain. 

‘Business as usual’ is not an option. Experts expect the global cost of cybercrime to reach an astonishing $23.84trn by 2027. Malicious actors, be they nation states, business rivals or cybercriminal gangs intent on blackmail, are deploying a variety of tools to exploit vulnerabilities.

The geopolitical conflicts taking place around the globe, and related campaigns of cyber espionage and intellectual property theft targeting the West, have propelled the issue even further up the business agenda. 

The onus is now on businesses and institutions of all types to ensure that their cybersecurity measures – beginning with strong foundational security controls and a well-implemented reference architecture – are fit for purpose, and that they both become and stay compliant with evolving legislation

Euro vision: the NIS2 directive 

On January 16^th, 2023, the updated Network and Information Security Directive 2 (NIS2) came into force, updating the EU cyber security rules from 2016 and modernising the existing legal framework. Member states have until 17^th October to ensure they have satisfied the measures outlined, which, in addition to more robust security requirements, address both reporting regulations and supply chain security, as well as introducing stricter supervisory and enforcement measures.

Let’s take the reporting obligations as an example. Incident detection and handling in OT is the basis for timely reporting but many industry sectors lack the requisite tools and experience. Under NIS2, businesses must warn authorities of a potentially significant cyber incident within 24 hours. Doing this effectively requires organisations to align their people, process and technology. However, this is often not the case.  

Importantly, unlike NIS1, which targeted critical infrastructure, the new, stricter rules also apply to public and private sector entities, including those that offer ‘essential’ or ‘important’ services, such as energy and water utilities and healthcare providers.

Cyber standards and risk analysis

Other countries and regions may have different rules. Operating in the US, for instance, requires compliance with several laws dependent upon the state, industry and data storage type, including the Cyber Incident Reporting for Critical Infrastructure Act, the rules of which are still under review.

In other words, companies in specific industry sectors need to look beyond these over-arching rules and refer to sector-specific security standards that cover the components, systems or processes that are critical to the functioning of the critical infrastructures they operate. 

Generally, it is good practice to follow existing standards like ISO27000 Series and IEC62443, which might already be the basis for existing cyber security frameworks. Organisations should certainly consider industrial automation systems, IEC 62443 for example, as it mentions so-called ‘essential’ functions such as functional safety, or the functions for monitoring and controlling the system components. 

Certainly, in terms of NIS2, the IEC62443 risk assessment approach for OT environments is a good place to start in terms of a risk analysis: what is the likelihood of a cyberattack? If a hostile actor targeted our facilities, staff or network without our knowledge, what would be the impact on the business?

Existing hazard and operability (HAZOP) and layers of protection analysis (LOPA) studies and analysis can help to create a needed incident response and disaster recovery plan, helping to define subsequent SLAs, redundancies, and backup and recovery systems.

Future-proofing operations

In all scenarios, foundational controls (patching, malware protection, system backups, an up-to-date anti-virus system, etc) are non-negotiable, helping companies active in all industry sectors and jurisdictions to understand how their system is set up, and the potential threat. 

Organisations should view cybersecurity legislation not as a hurdle but as an opportunity to strengthen and refine cyber defences, in collaboration with specialist technology providers. Organisations should ensure that they protect their reputation and their licence to operate, and future-proof their business against cyberattacks as the threat landscape evolves.

When did ransomware truly ramp up? Historically, many victims didn’t document successful attacks. This makes it hard to say with any certainty when this now widespread technique kicked into the mainstream arsenal of threat actors.

The rise of ransomware 

With that said, I feel as though a shift started in the late 2010s – and reports from others have corroborated my hunch.

The UK’s National Cyber Security Centre (NCSC), for example, stated that “ransomware has been the biggest development in cybercrime” since it published its 2017 report on online criminal activity. Similarly, the New Jersey Cybersecurity & Communications Integration Cell affirmed that “after 2017, the number of ransomware attacks have become more prevalent and continue to increase each year”, tallying with the growing popularisation of cryptocurrencies at that time which have enabled payments to be sent anonymously.

Since then, ransomware has remained an ever-present threat. Indeed, by the third quarter of 2021, Gartner revealed that new ransomware models had become the top concern facing executives.

In response, companies of all shapes and sizes have gradually begun to work towards protecting themselves from the evolving threat of ransomware, working to establish effective security policies and protocols. Further, the fightback has also stemmed from other areas, be it the continual evolution of defensive technologies or the heightening of regulations, with enterprises now required to implement more stringent security measures to ensure compliance and avoid fines.

However, without question, there are still several gaps that need to be bridged.

The state of ransomware in 2024

To explore just how effective (or ineffective) enterprises have become in defending against the impacts of ransomware attacks, Semperis recently carried out a survey of  nearly 1,000 IT and security professionals from global organisations across multiple industries in the first half of 2024.

Looking at the data, it’s clear that the threat of ransomware remains a significant problem, with attacks having become both frequent and continuous. According to the report, ransomware attacks impacted 85% of UK organisations in the past 12 months. Almost half of all organisations (45%) were attacked three times or more.

Repercussions of ransomware 

What is more concerning, however, is the rate at which companies are failing to combat these attempts. Indeed, hackers using ransomware successfully breached more than half (54%) of the UK companies we surveyed were in the space of 12 months – sometimes within the same day.

The damages associated with ransomware attacks are well known. From regulatory fines to business downtime and reputational damages, such threats can cause domino effects of problems for firms, with very few respondents having managed to avoid any kind of impact. Globally, almost nine in 10 (87%) experienced some level of disruption, while for a significant group, the effects were much greater. Indeed, 16% had their cyber insurance cancelled, 21% saw layoffs, and one in five (20%) had to close their business permanently.

Given the potentially devastating consequences, firms can feel cornered into cooperating with threat actors. In fact, more than three quarters of respondents in our survey that had suffered such an attack opted to pay the ransom, with 32% having paid out four or more times in the space of just 12 months.

Further, these sums are not insignificant. Indeed, 62% of UK companies that paid a ransom stumped up funds of between £200,001 and £480,000.

It shouldn’t just be the astronomical sums involved here that cause alarm bells to ring. Equally, it is vital for firms to understand that there is no guarantee that meeting the demands of cybercriminals will make their problems disappear during a ransomware attack. In fact, our findings show that more than a third of organisations that paid ransoms failed to receive decryption keys or were unable to recover their files and assets.

Don’t overlook recovery

Such a status quo cannot continue. Instead, enterprises must go back to the drawing board, working to establish more reliable and effective cybersecurity and system recovery strategies that work effectively against the ever-present threat of ransomware.

As part of this rework, companies must continue to test and trial their methods. This is vital to ensure they work when the company needs them. Indeed, our survey shows that 63% of UK companies took more than a day to recover their systems to a good state, while one in eight took over a week.

This is a problem. Indeed, downtime is more than just an inconvenience. Every second that passes during an outage translates into lost revenue, diminished customer trust and lasting damage to an organisation’s reputation. From sales slipping away to consumers questioning the reliability of your company, the implications can be massive.

On the right track to recovery

Promisingly, it appears that many organisations are on the right track, with nearly 70% of respondents stating that they had an identity-focused recovery plan in place. However, despite this, only 27% actually maintained dedicated systems for recovering Active Directory, Entra ID, and identity controls – the Tier 0 infrastructure that all systems depend on for recovery.

Organisations must bridge this gap. For many companies worldwide, AD is the backbone of their operations, serving as the primary identity platform. Cybercriminals are acutely aware of its significance and continue to target it. If they can gain control of an enterprise’s AD, they can effectively bring everything to a halt, applying immense pressure on unprepared organisations.

To avoid such a scenario from unfolding, organisations must prioritise establishing a dedicated system for backing up and recovering AD, ensuring they can restore operations with both speed and integrity in the event of an attack.

Less than a quarter of firms currently have such a system in place, and that needs to change. Yes, preventative measures are important. However, recovery is an aspect that organisations cannot afford to overlook.

Having evolved from a basic premise of locking down a victim’s data with encryption, then demanding a ransom for its release, research now suggests that ransomware will cost around $265 billion (USD) annually by 2031, with a new attack (on a consumer or business) every two seconds.

Against such a pervasive threat, businesses have sought to better prepare themselves against attacks.  They have developed an array of tools, including better backup management, incident recovery procedures, business continuity and recovery plans. Together, they have all made the encryption of victims’ data less profitable.

In addition, security researchers together with national bodies such as the Cybersecurity and Infrastructure Security Agency (CISA) have made substantial progress in identifying the weaknesses in the methods used by attackers, in order to develop decryption solutions. No More Ransomware, promoted by Europol, the Dutch police, and other stakeholders lists approximately one hundred such tools.

In response to these developments, attacker groups are reconsidering their strategy. Rather than risk detection by encrypting valuable data, they now prefer to extract as much information as possible. Then, they threaten to divulge it. Ransomware has become extortion.

Re-energising the threat of publication

The potential public disclosure of sensitive information is the core of leveraging fear to pressure victims into paying a ransom. The reputational damage and financial repercussions of a data breach can be devastating. 

Ransomware gangs have recognised the potential for damage to a brand or group’s reputation simply by being mentioned on the ransomware operators’ sites. A study found that the stock market value of the companies named in a data leak falls by an average of 3.5% within the first 100 days following the incident and struggles to recover thereafter. On average, the companies surveyed can lose 8.6% over one year.

This threat of loss based on association, now quantified and in the hands of cybercriminals has become an effective tool.

Operational disruption and revenue loss

Modern businesses rely heavily on digital systems for daily operations. A ransomware attack can grind operations to a halt, disrupting critical functions like sales, customer service, and production.

 This disruption translates to lost revenue, employee downtime, and potential customer dissatisfaction. The longer the disruption lasts, the greater the financial impact becomes. Attackers exploit this vulnerability, pressuring victims to pay the ransom quickly to minimize their losses. And they do this most effectively by recognising key operational data. 

This then evolves as a ransomware attack on one company can ripple through its entire supply chain. Suppliers and distributors may be unable to access essential data or fulfil orders. This leads to delays and disruptions across the supply chain. 

Knowledgeable attackers now target a single company as a gateway to extort multiple entities within the supply chain, maximising their leverage and potential payout.

Brand Damage at the regulatory level

Brazen ransomware groups have already realised the value in making direct contact with

end-users or companies that are the customers of their targets as it enables the operators to increase pressure.

However, one new avenue of this direct attack on brand reputation is for the gangs to connect with the authorities.  In November 2023, the ALPHV/BlackCat ransomware gang filed a complaint with the United States Securities and Exchange Commission (SEC) regarding their victim, MeridianLink.

In mid-2023, the SEC adopted new requirements for notifying data leaks effective from September 2023. One of these rules requires notification within four business days of any data leak from the moment it is confirmed. Not only did ALPHV/BlackCat take control of the trajectory of the extortion, but they also even circulated the complaint form among specialist forums as part of a promotional campaign.

Targeting the most vulnerable 

Ransomware gangs are not above using sophisticated, customised extortion strategies on the most vulnerable sectors. Healthcare has long been a key target – there is a step change in urgency when critical medical procedures may be delayed if ransom is not paid. 

Just a few months after the international Cronos Operation, the Lockbit group claimed a new victim in the healthcare sector. The Simone-Veil hospital in Cannes suffered a data compromise, adding to the extensive list of attacks conducted in recent months by other ransomware players against the university hospitals of Rennes, Brest and Lille.

Once the data had been extracted from the hospital on April 17, 2024, an announcement concerning their compromise was made on Lockbit’s showcase site on April 29, 2024. According to the cybercriminals’ terms, the hospital had until midnight on May 1, 2024, to pay the ransom.

The lesson here is that attackers exploit the vulnerabilities and pain points specific to each industry, making their extortion tactics more potent. And they do so with no consideration for the victims.

Ransomware attacks are now more than just data encryption schemes. They are sophisticated operations that exploit a range of vulnerabilities to extract maximum leverage from victims. By understanding the multifaceted nature of ransomware extortion, businesses and individuals can develop a more robust defence against this growing threat.

The ongoing effects of the cyber incident impacting Transport for London (TfL) serves as a stark reminder of the vulnerability of national infrastructure to cyberattacks. In an increasingly digital world, where cities like London depend on interconnected systems to keep essential services running smoothly, the ramifications of such an attack can be significant. 

The potential disruption of public transport services alone can bring daily operations to a halt, affecting millions of commuters, businesses, and the broader economy. Fortunately, law enforcement haven’t detected any damage to data. Nevertheless, this incident highlights the urgent need for a comprehensive and effective Disaster Recovery (DR) plan, tailored to manage both traditional disasters and modern cyber risks.

The evolving threat landscape

Historically, DR planning for organisations like TfL focused on physical threats – floods, fires, and power outages for example – but the landscape of risk has evolved enormously. 

Cyber threats, including data exfiltration, ransomware, phishing, and denial-of-service (DDoS) attacks, have become more sophisticated, capable of compromising critical infrastructure in ways that were previously unimaginable. The recent situation at TfL is a clear example of this shift, where attackers can potentially compromise a city’s transport system infrastructure, leading to widespread disruptions.

The lesson here is clear: DR and containment plans must evolve in tandem with these new threats. They must address both traditional risks and cyber risks in a way that ensures continuity of services even when technology is compromised. A cyberattack affecting national infrastructure can no longer be treated as a niche threat – it must be considered a mainstream risk with serious consequences.

The central role of communication in incident response

A crucial lesson to emerge from the TfL incident is the central role that communication plays in responding to such an event. In any large-scale cyberattack, the ability to communicate effectively and rapidly across different levels of the organisation and with external stakeholders can significantly shape the success of the response.

While TfL’s recent cyber incident did not cause any downtime of public services, primarily affecting internal systems, it serves as a reminder that future attacks could have more severe consequences. 

Ensuring a communication strategy is in place for potential service disruptions is essential for minimising public impact and maintaining operational continuity in the face of future threats.

To that end, a robust communication strategy must be a core component of any DR plan. It should account for multiple scenarios, including the potential failure of primary communication systems due to the cyberattack itself. This is particularly important for organisations like TfL, where clear communication is essential for managing both internal response efforts and external public expectations.

1. Establishing communication redundancies 

One of the first steps to ensuring effective communication during a disaster is building redundancy into the system. Security teams must put alternative methods – such as secure messaging apps, satellite phones, or third-party platforms – in place to secure the flow of critical information, even when primary channels are compromised. 

For instance, where internal networks may be taken down or compromised during a cyber attack, having a backup communication method ensures key personnel can still coordinate responses, share updates, and make informed decisions in real-time.

2. Engaging stakeholders quickly and transparently

A clear protocol for promptly notifying all relevant stakeholders – both internal and external – is essential. Internal teams, including IT, operations, and management, need to be informed immediately to coordinate the technical response, containment, and recovery efforts. Externally, law enforcement agencies, cybersecurity experts, insurance companies, and business partners must be brought into the loop to ensure compliance with legal obligations, expedite recovery, and manage financial repercussions. 

In the case of public services like TfL, this level of coordination is vital, both for restoring disrupted services but also for maintaining trust with the public and stakeholders.

3. Public communication: managing perception and behaviour

In incidents involving public services like TfL, the ability to communicate clearly with the public is crucial. Providing accurate, timely, and transparent updates can help manage expectations, reduce panic, and guide public behaviour during potential disruptions. Clear messaging allows TfL to inform commuters about the nature of the incident, any expected downtime, and available alternatives. This reduces frustration and confusion, ultimately helping maintain public trust in the organisation.

However, the nature of a cyberattack, which may include elements of uncertainty or ongoing investigation, adds complexity to public communications. TfL must balance transparency with caution. They must ensure that public statements do not inadvertently worsen the situation, such as by sharing details that could aid attackers. 

Establishing a pre-defined communication plan that outlines how to handle public relations during a cyberattack can provide a framework for managing these delicate situations.

The importance of a well-tested DR plan

The TfL incident also emphasises the need for regular testing and updates to DR plans. A DR plan is only as effective as its implementation during a crisis. Conducting regular “fire drill” exercises that simulate cyberattacks allows organisations to identify weaknesses in their plan and ensure that all stakeholders know their roles and responsibilities.

Simulated incidents help to refine both the technical aspects of the DR plan – such as isolating compromised systems and restoring backups – and the softer elements, such as communication protocols and leadership response. In the case of cyberattacks, where rapid containment is often critical, these drills can significantly improve response times and minimise the damage caused by the attack.

Additionally, post-incident reviews are essential for learning and improvement. Following the TfL incident, a detailed analysis of what went well and what failed during the response will provide invaluable insights for future preparedness. Lessons learned from real-world incidents allow organisations to continuously evolve their DR strategies to remain resilient in the face of emerging threats.

Developing a secure recovery strategy

When dealing with cyber incidents, particularly ransomware, it is not enough to simply restore services from backups. 

By restoring data directly to its original environment, security teams risk reinfection if theyhaven’t fully eradicated the malware. Instead, recovery should occur in a secure, isolated environment: a “clean room”. Here, security teams can analyse and neutralise the attack vector before they restore any systems or data.

This careful approach ensures that organisations avoid the costly mistake of reintroducing malware into their networks, which could lead to repeated attacks. Incorporating these steps into a DR plan ensures that recovery is not only fast but also secure and complete.

A call to action for strengthening infrastructure resilience 

The cyberattack on TfL serves as a wake-up call for national infrastructure organisations worldwide. 

The lessons learned from this incident highlight the need for a modern, comprehensive DR plan that addresses the full spectrum of risks – from traditional disasters to complex cyber threats. Central to this is a robust communication strategy, regular testing, and secure recovery processes. 

By taking these lessons on board, organisations can better protect their infrastructure, maintain public trust, and ensure resilience in the face of an increasingly dangerous cyber threat landscape.

Despite the number of cyber attacks in the UK increasing dramatically year-on-year, two-thirds of UK organisations still don’t operate with round-the-clock cybersecurity, according to a new report, “Unfunded and Unaccountable” by Trend Micro. The report claims to have found evidence of “major security gaps and lack of board accountability in many companies.” The results cast the UK economy’s cyber readiness in a worrying light.  

Bharat Mistry, Technical Director at Trend Micro argues that the issues are having dire consequences for UK businesses. “A lack of clear leadership on cybersecurity can have a paralysing effect on an organisation—leading to reactive, piecemeal and erratic decision making,” he says, especially as the frequency and severity of cyber attacks in the UK rises once again year-on-year. 

Cybercrime rising in the UK 

Cybercrime cost the average business in the UK £4,200 in 2022. All told, cybercrime costs the UK approximately £27 billion per year. The average cost of a cyber-attack to a medium-sized UK business was £10,830 in 2024. While that’s a necessarily larger figure than the overall average, the data still indicates a meaningful upward trend.

This year, the UK Government’s Cyber Security Breaches Survey found that half of UK businesses had suffered a cyber attack or security breach in the preceding 12 months — an increase from the previous year.

Trend Micro’s research, which surveyed 100 UK cybersecurity leaders as part of a global study, found that concerns over both the ubiquity of attacks, and the UK economy’s lack of preparedness to combat the threat. As noted by twenty-four IT, this year only 31% of businesses and 26% of charities undertook a cyber security risk assessment, suggesting that many businesses are not adequately prepared for the threat of cyber crime. 

Trend Micro’s report backs up that data. The overwhelming majority (94%) of cybersecurity leaders surveyed reported concerns about their organisation’s attack surface. Over one third (36%) are reported being worried about having a way of discovering, assessing and mitigating high-risk areas. Additionally, 16% said they weren’t able to work from a single source of truth. 

Communication, clarity, and cooperation

Trend Micro’s data pins the blame for UK companies’ failure to achieve these cybersecurity basics squarely on a lack of leadership and accountability at the top of the organisation. Emphasising this, almost half (48%) of global respondents claimed that their leadership doesn’t consider cybersecurity to be their responsibility. On the other hand, only 17% disagreed strongly with that statement. 

When asked who does or should hold responsibility for mitigating business risk, respondents returned a variety of answers, indicating a lack of clarity on reporting lines. Nearly a third (25%) of UK respondents said the buck stops with organisational IT teams. 

This lack of clear direction on cybersecurity strategy may be resulting in widespread frustration. Over half (54%) of UK respondents complained that their organisation’s attitude to cyber risk was inconsistent. Some noted that their organisation’s attitude to cyber risk “varies from month to month.” 

“Companies need CISOs to clearly communicate in terms of business risk to engage their boards. Ideally, they should have a single source of truth across the attack surface from which to share updates with the board, continually monitor risk, and automatically remediate issues for enhanced cyber-resilience,” argues Mistry. 

In an increasingly interconnected world, the importance of robust cybersecurity measures cannot be overstated. 

At present, one of the pressing security concerns facing organisations is supply chain attacks. Supply chain attacks are a sophisticated, extremely harmful threat technique in which cybercriminals target organisations by infiltrating or compromising the least secure aspects of a company’s increasingly broad digital ecosystem.

Critically, these attacks specifically exploit interdependencies between companies and their digital suppliers, service providers or other online third-party partners. This makes them particularly challenging to defend against.

Several notable examples of supply chain attacks highlight their potentially devastating impacts, such as the recent attack on the NHS. Several hospitals were forced to cancel operations and blood transfusions following an attack on IT company Synnovis. The IT company was hit by a major ransomware attack. The consequences have affected thousands of patients. In response, the NHS has issued a major call for blood donors as it struggles to match patient’s blood quickly. 

There was also the Okta supply chain breach disclosed in early 2022. Here, a third-party contractor’s systems were breached, subsequently impacting the leading identity and access management firm. Critically, hackers managed to extract information from Okta’s customer support system. This gave them access to sensitive data such as its clients’ names and email addresses. 

Similarly, the MOVEit breach stands as another noteworthy example. Discovered in 2023, this incident involved the exploitation of a zero-day vulnerability in the MOVEit Transfer software—a widely used file transfer application developed by Progress Software. The breach led to the unauthorised access and theft of data from numerous organisations globally. The attack was so bad that the NCSC provided its own information, advice, and assistance to affected companies.

Indeed, these two incidents, among many, highlight a crucial lesson for organisations: as supply chain threats become increasingly prevalent and complex, firms must recognise that their security is only as strong as the weakest link in their network of suppliers and partners. 

79% of UK businesses have experienced supply chain-related security incidents

Seeking to ascertain just how widespread the issue of supply chain attacks is at present, ISMS.online recently surveyed 1,526 security professionals globally to uncover their own experiences. 

Our latest State of Information Security report details the seriousness of the situation facing UK companies. Critically, we discovered that 41% of UK businesses had been subject to partner data compromises in the last 12 months. Further, a staggering 79% reported having experienced security incidents originating from their supply chain or third-party vendors—up 22% versus the previous year.

The message from this dramatic spike in statistics is clear. Supply chain vulnerabilities are not only becoming more prevalent but are also increasingly exploited by cybercriminals. This highlights the urgent need for comprehensive and collaborative cybersecurity measures across all levels of the supply chain.

Indeed, companies must work to mitigate these threats and minimise their risk exposure by reassessing their cybersecurity strategies. But where and how exactly should they focus their efforts? At ISMS.online, we believe that there are four key areas that companies should prioritise when it comes to achieving best practices.

1. Stronger supply chain vetting processes

First, it is critical to implement rigorous security vetting processes when selecting partners and suppliers. This involves thorough due diligence, assessing potential partners’ security posture and cybersecurity measures, and reviewing past security incidents and responses. Companies should also evaluate compliance with relevant regulations and continually monitor their partners’ security practices where appropriate.

2. Enhanced cybersecurity measures

Of course, it’s not good to demand that partners have robust security measures without adopting best practices yourself. Therefore, bolstering internal cybersecurity measures and extending them to the supply chain is needed to significantly reduce risks.

Here, strategies to consider include the regular auditing of internal systems, comprehensive employee training in cyber threat recognition and response, the adoption of advanced cybersecurity technologies like multi-factor authentication and encryption and keeping an updated and unique incident response plan in case of supply chain breaches.

3. Robust partnership agreements

Detailed and stringent partnership agreements will undoubtedly help establish clear cybersecurity expectations and responsibilities. Indeed, it is important to define security requirements, request regular security status reports, and define access controls to safeguard sensitive information.

4. Alignment with essential standards

Aligning with critical standards and asking that partners and clients do the same can be a highly effective way of ensuring consistent and high-security levels across the supply chain. Of course, there are a variety of standards to consider. However, for UK companies, some of the most important ones to align with include:

• Cyber Essentials: A UK government-backed scheme designed to help organisations protect themselves against common cyber threats by providing clear guidance regarding basic security controls.
• ISO 27001: An international standard for information security management systems that provides a systematic approach to managing sensitive company information, ensuring it remains secure.
• NCSC Supply Chain Security Guidance: A comprehensive supply chain security guide providing recommendations about managing supply chain risks, implementing robust cybersecurity measures, and ensuring continuous monitoring and improvement.

Given the growing threat of supply chain attacks, it is imperative to demand the adoption of cybersecurity best practices both internally and among suppliers, service providers, and partners. 

From aligning with essential standards to developing new partnership agreements, it can feel like a daunting or challenging task. Indeed, the difficulty for many companies is knowing where to start. However, achieving best practices on each of these fronts doesn’t need to be as daunting or burdensome as the businesses might think.

Indeed, with proper support and guidance, best practices can be adopted, followed internally, and advocated externally with relative ease.

Cyber threats have evolved into a formidable force capable of bringing down even the most technologically advanced organisations today. Ransomware attacks, data breaches, and sophisticated malware are some of the overwhelming challenges businesses face. These types of attack can disrupt operations, incur staggering financial losses, and erode customer trust.

The numbers speak volumes: in the past year alone, 50% of businesses in the UK reported cyber security breaches. Major incidents, on average, cost medium and larger businesses more than £10,000. 

This underscores an urgent need for a strategic approach to cyber resilience, one that requires a fundamental shift in mindset and a relentless pursuit of adaptation and innovation, involving both technical measures and a security-conscious company culture.

It’s About Mindset and Culture: Moving from Response to Resilience 

The ripple effect of these breaches extends far beyond the target company, crippling entire ecosystems. That is why cyber security has catapulted to the top of boardroom agendas. Forward-thinking enterprises understand that cyber security is not a mere IT issue. They understand cybersecurity is a core business risk that demands a comprehensive approach. 

Ensuring business continuity in the face of evolving cyber threats encapsulates the proactive shift in corporate strategies towards cyber resilience. 

In today’s interconnected digital landscape, businesses no longer solely react to cyber threats but embrace resilient frameworks that safeguard operations amidst constant evolution in threat landscapes. This approach transforms cybersecurity from a reactive measure into a strategic asset. Vitally, it ensures that investments in technology and operations are safeguarded against emerging threats. 

As businesses navigate a landscape marked by digital transformation and interconnectedness, cyber resilience emerges as the linchpin for maintaining trust, preserving operational integrity, and sustaining growth in an increasingly digital world.

Building a Strong Foundation for Cybersecurity

Leveraging AI is no longer an option but a necessity. By harnessing the capabilities of AI, enterprises can achieve unprecedented levels of threat detection accuracy (92.5%), reduce false positives (3.2%), and cut response time (40%). 

AI systems can analyse millions of daily attacks, identifying emerging threats through advanced pattern recognition. This bolsters defences against sophisticated attacks. AI is revolutionising the development of secure code and preventing vulnerabilities from appearing in the first place. AI-powered automation can streamline migration, upgrades, and modernization, reducing risks from manual processes.  

Organisations are also adopting AI-enhanced cybersecurity maturity assessments, which help enterprises build robust, adaptive defences in an evolving threat landscape. These should go beyond traditional crisis response plans and encompass the threat landscape. 

Data Loss Prevention (DLP) solutions are crucial, particularly in the era of open banking and third-party applications. These solutions can identify, monitor, and control access to sensitive data and help enterprises respond to attacks while complying with regulations. 

Partnerships with cyber security firms and the integration of threat intelligence feeds can also be leveraged to provide invaluable insights into the latest attack vectors and emerging threats, empowering organisations to stay ahead and fortify their defences. Additionally, incorporating threat intelligence into an incident response plan can significantly reduce post-breach recovery time. 

From SOC to Cyber Fusion Centre 

Transforming a Security Operations Centre (SOC) into a Cyber Fusion Centre represents a strategic evolution in cybersecurity capabilities, aligning defence strategies with the dynamic and interconnected nature of modern threats. 

Unlike traditional SOCs focused primarily on incident response and threat detection, Cyber Fusion Centres integrate intelligence gathering, analytics, and collaboration across teams and technologies. This proactive approach enhances situational awareness by synthesising data from multiple sources—such as network traffic, endpoint devices, and threat intelligence feeds—into actionable insights. By fostering synergy among cybersecurity teams, including analysts, engineers, and incident responders, Cyber Fusion Centres enable rapid detection, response, and mitigation of sophisticated cyber threats. Moreover, these centres facilitate real-time decision-making through advanced automation and orchestration, empowering organisations to pre-emptively address emerging threats before they escalate. 

As cyber threats continue to evolve in complexity and scale, Cyber Fusion Centres emerge as pivotal hubs for orchestrating comprehensive defence strategies that safeguard critical assets, uphold regulatory compliance, and maintain stakeholder trust in an increasingly digital and interconnected world.

Creating firewalls in the boundaryless world of digital ecosystems requires a paradigm shift towards dynamic and adaptive cybersecurity measures. In today’s interconnected landscape, where data flows seamlessly across platforms and devices, traditional perimeter defences are no longer sufficient. Organisations must deploy sophisticated firewalls that not only protect against external threats but also monitor and manage internal risks effectively. 

This entails implementing robust intrusion detection systems, advanced threat analytics, and continuous monitoring protocols. Moreover, integrating firewalls into the fabric of digital ecosystems ensures that security measures evolve alongside technological advancements, providing resilience against ever-evolving cyber threats.

Additional techniques to enhance security include web content filtering, endpoint security agents, file upload application protection, sandbox testing of applications, browser isolation, off-network security filtering for company devices, prevention of unapproved software installations, and revocation of user access when necessary. 

Best Practices for Building Cyber Resilience

To fortify their cyber resilience, enterprises must adopt a holistic approach. This must include an incident response plan, meticulously tested with all relevant teams including IT, legal, communications and human resources. 

This ensures that the roles and responsibilities are spelled out. Pre-established contracts with legal, communications, and forensics specialists can save valuable time after an attack.

This demands a practical strategy, starting with recovery planning that must occur before an attack. An integrated view of application, server, and network vulnerabilities must be accessible to all management levels, leveraging AI-driven threat intelligence.

Regular and mandatory employee training should also be an essential part of this strategy. Many top risks stem from internal behaviour and compromised or stolen devices. 

In today’s connected systems landscape, implementing a Zero-trust model with shared security and compliance across employees, vendors, and partners is essential.

Lastly, always operate with the mindset that the business will be attacked and that attackers are already in your environment. By integrating these strategies, businesses can enhance their resilience and better navigate the modern digital landscape.

In response to the escalating frequency and complexity of cyber-attacks, the US has implemented measures to bolster cyber resilience. In May 2021, President Biden signed an Executive Order, leveraging  $70 billion worth of US government IT spending power to mandate all federal bodies and their private sector partners to incorporate zero-trust policies throughout their IT infrastructure. 

The legislation enacted gives those in question until September 2024 to comply with tighter security regulations. The implications of which, however, extend far beyond US organisations to any organisation with ties to US business. As such, this policy has international ramifications. All organisations within federal supply chains, regardless of their location, must adhere to these standards. 

This legislation comes at a time when external attack surfaces are under increasing threat, with data breaches increasing by 72% between 2021 and 2023. This legislation makes clear that new security measures must be taken to mitigate these increasing threats across the entire attack surface. This includes increasing identity monitoring and visibility across endpoints, networks and cloud security architecture through to user application protection.

Implementing these comprehensive cybersecurity measures can seem like a complex undertaking and developing a robust and adaptable strategy isn’t always easy, but it is becoming crucial in the face of evolving threats. Let’s unpack. 

The need for collaboration

Zero-trust policies treat every access attempt with suspicion, whether it originates from inside or outside a network. By scrutinising each request, zero-trust enables finer control over who gets access to data and what they can do. This policy creates a security net where nothing slips through unchallenged. The result? A robust defence that keeps cyber threats at bay.

Despite being US legislation, UK businesses with US partners will naturally need to comply with these tighter security regulations. This is because the nature of modern international business means that data is often shared between companies and up and down supply chains.

Considering the extent of the supply chains in question often spans several countries, this presents several complex challenges. These range from navigating diverse data residency laws to bridging communication gaps and aligning with a patchwork of compliance regimes. If these challenges aren’t met, businesses leave themselves open to data breaches that could result in financial and reputational damages. Standard global security policies combined with innovative security solutions can help bolster resilience on a global scale. 

Enhancing visibility 

Properly managing supply chain security leaves a lot to keep track of, and even today, we see siloed approaches to cybersecurity, wherein organisations adopt singular tools to address singular challenges, but this is only a short-term solution. Effective zero-trust policies set out by the US mandate require enhanced visibility across the attack surface. This is because there are more policies to implement, and therefore more techniques and run books to be applied, so increased visibility provides the scope and platform to constantly monitor and resolve threats – a key principle as they increase in volume and sophistication. 

With so many siloed tools out there, organisations should consider deploying network security overlays in a single stack, as this allows them to easily underpin their networks with zero-trust. For example, Software Defined Wide Area Network (SD-WAN), which was built for on-site work, is still prominent today.  The shift to hybrid and remote work accelerated cloud adoption. As a result, cloud security architectures, such as Secure Access Service Edge (SASE), have become increasingly critical.  Deploying both as part of a single stack solution would fortify the supply chain attack surface and unify network operating metrics so they are all visible in one place. 

This is vital in the context of this legislation given its focus on supply chains. Furthermore, while the US has set the mandate, we are now seeing similar proposals to strengthen supply chain security, the European Union’s NIS2 measures and UK’s recently announced cyber security and resilience bill for example. These are great steps in standardising global security practices and must continue if organisations want to tighten security protocols on a global scale. 

Leveraging industry expertise

Years of experience and gathered expertise leave Managed Service Providers (MSPs) uniquely positioned to help organisations through the complexities of the zero-trust mandate. Strengthening cyber defences requires a unique industry perspective, one that can help many navigate increasingly challenging environments. 

MSPs can ensure due diligence is done. They can ensure that businesses can adopt and maintain effective zero-trust policies, strategies and management systems. For example, a single-stack solution would reduce the pressure on in-house IT teams. This comes at a time when these teams are increasingly pressed by the growing attack surface. Equally, a single-stack solution would provide a platform to bolster security and free up internal resources to focus on driving efficiency and innovation.

September 2024 is just around the corner. However, the mandate should not be seen as an inconvenience or hurdle, but rather an opportunity for transformative security enhancements. 

Adopting zero-trust architecture into a single-stack offers a dual benefit in more robust security measures. But there are additional benefits. It also streamlines IT operations that offset skills shortages and the chaos of siloed security tools. 

Embracing zero-trust isn’t simply just about compliance. It’s about protecting your organisation for the future. By partnering with MSPs and committing to the requirements of this mandate, businesses can transform potential challenges into strategic advantages. In doing so, they will position themselves at the forefront of secure, efficient and agile operations.

Over just six months the number of reported cyber-dependent crime incidents in the UK rose by over 20%. As AI continues to lower the barrier to entry for criminals, that number will likely grow even faster over the next two years.

We’re no longer facing a flood of cyber attacks. We’re facing a tsunami. And as we prepare our defences for the colossal wave of threats heading our way, we can take inspiration from the early-warning detection systems used to protect against tsunamis.

Backed by a robust communications infrastructure, these systems harness a network of sensors to detect and verify the threat before issuing timely alarms. Local authorities can notify those at risk in advance and preparations can be made to prevent loss of life and damage to property.

Similarly, in cyber security, Threat Detection and Response (TDR) systems can help identify threats early and mitigate any potential damage. They too utilise effective communications and a network of ‘sensors’ to alert security professionals of any irregularities requiring their attention.

However, for TDR systems to be effective against the current surge of threats, security teams much introduce them as part of an integrated mesh architecture.

Modern security for modern infrastructure

For many years, organisations protected themselves against cyber attacks by establishing defensive measures around a defined perimeter, such as their company intranets. Defences typically comprised of firewalls, antivirus software, and intrusion detection systems. While these are still important tools for defending private networks against outside threats, in today’s digital world they are no longer enough.

Businesses have been rapidly transferring processes and storage to cloud networks. This, combined with the rise in remote working and Software as a Service (SaaS) offerings, has all but dissolved the perimeter that traditional security measures were designed to shield. As companies move assets off-premises, security teams must extend controls into all systems where data is stored.

This once again draws parallels with the tsunami early-warning systems. A sensor on the coastline (the defined perimeter) will still provide a tsunami warning, but it is unlikely that you will be able to do anything about it when it’s already at your door. However, placing a sensor further out at sea provides more advanced notice. The sensor can prompt people to take action before the wave reaches the shore.

Likewise, when properly integrated, TDR can extend security monitoring across your entire IT infrastructure, including third-party applications. This helps security teams detect and respond to threats earlier and greatly reduces the amount of damage they can cause.

Extended visibility with TDR

An effectively integrated TDR collects, aggregates, and analyses security data from various tools to provide comprehensive, accurate threat detection in real-time. It simplifies the approach, while providing greater visibility across on-premises and cloud environments. Achieving this requires focusing on three cyber security solutions at once.

First is Endpoint Detection and Response (EDR), a security solution used to monitor endpoints – i.e., computers, tablets, phones etc – and detect and investigate any potential threats. It uses data analytics to identify suspicious network activity. When it detects suspicious activity, it blocks any malicious actions and alerts security teams.

The second solution is Network Detection and Response (NDR) which, as the name suggests, executes a similar task but at the network level. It uses AI, machine learning and behavioural analytics to monitor traffic. This then allows it to establish a baseline of activity. The NDR solution can then measure activity agains the benchmar to track malicious or anomalous activity.

Finally, at the heart of this approach is Security Incident and Event Management (SIEM). It collects and analyses the data from your EDR and NDR solutions, along with additional security logs, and provides a central view of all potential threats.

Combining these three solutions results in an extended detection and response (XDR) system that reduces false positive alerts, provides better threat identification, and offers greater visibility over network assets. It also presents security teams with contextually rich, triangulated cases assembled from a unique set of high-fidelity detections across multiple layers – giving them the detailed information required to prepare a more effective and timely response.

The implementation and management of XDR systems can be a time consuming and resource intensive process, but it has become an increasingly important part of modern cyber security.

Early warning for a better response

In the face of an escalating cyber tsunami, spurred on by the advanced capabilities of AI, the need for security measures that transcend traditional defences has never been more critical. To quickly identify threats outside the traditional security perimeter, businesses need access to detailed information showing which actions to take.

Much like how tsunami early-warning systems pull together various signals to identify and verify a potential threat, a well-integrated XDR can achieve this by collating data from numerous touchpoints. This further enhances visibility across the entire IT infrastructure, allowing security teams to respond swiftly and effectively to any potential attack.

Ultimately, the evolution of the threat landscape demands an equally dynamic and proactive approach to security. Businesses will be better prepared and more resilient to the ever-growing wave of threats by embracing the principles of early detection, comprehensive monitoring and integrated response mechanisms.

2024 will see half of the global population head to the polls. This includes elections in the US, Europe, Africa, India, and of course, the UK. While this should be a cause for celebration, the threat of cyberwarfare is now jeopardising democracy.

The digital realm has erupted into an invisible war in which the UK is under constant attack. In this kind of warfare, everyone is on the front line; every company, every person. There are no borders. That’s what makes cyberattacks such an effective form of warfare. It’s not simply about data breaches or financial gains either, these attacks are a calculated assault on public trust, aimed at destabilising economies, crippling entire systems and eroding the fabric of democracy.

A parliamentary committee accused the UK government of burying its head in the sand over the “large and imminent” national cyber threat it’s facing. Moreover, global tensions are only heightening this threat, with the National Cyber Security Centre (NCSC) recently exposing Russian intelligence services attempting to interfere in UK politics and its democratic processes.

Now, 37% of IT leaders in the UK believe that cyberwarfare could affect the integrity of an election, spiking significantly from those within the three major pillars of our society: government (60%), healthcare (67%) and financial services (71%). Make no mistake, the nation is teetering on the precipice of a digital catastrophe.  And democracy is in danger.

Democracy on a tightrope

The NCSC highlighted that all types of cyber threat actors – state and non-state, skilled and less skilled – are using and weaponising AI, amplifying their ability to cause harm and supercharging the volume and impact of cyberwarfare. Combine that with the rising geopolitical tensions between the UK and Eastern Axis enemies, and we’re entering a very fragile situation.

Adding insult to injury, the Russian state has also played a proactive and malign role in attacking elections held in the West for years, which is why 45% of UK organisations say that Russia poses a greater threat to global security compared to China. With the UK general elections expected sometime in November 2024, the nation needs the government to step up its cyber defences.

The UK needs to step up and defend its elections

Yet, over half (52%) of UK IT leaders lack faith in the government, believing it can’t defend its citizens and enterprises against an act of cyberwarfare. What’s worse, it’s a significant change in sentiment compared to a year ago. Then, 77% of UK IT leaders had confidence in the government. It’s now simply failing in its first duty: “To keep citizens safe and the country secure”.

In addition, new research shows that 45% also say cyberwar can result in cyberattacks on the media. Nothing is safe. Bad actors have already planted tbhe seeds of discord. From Russian-based disinformation campaigns spreading false content about the Princess of Wales on social media to China attacking UK lawmakers and the national election body, nation-threat actors are destabilising society and democracy is simply balancing  precariously on a tightrope.

Despite this, almost half (46%) of IT leaders say they’re unconcerned or indifferent about the impact of cyberwarfare; a 13% YOY increase. However, it’s not indifference. It’s a result of being overwhelmed. A lack of automation has left 29% of cybersecurity teams feeling overwhelmed, hindering security and IT professionals from effectively remediating or prioritising threats. Faced with a further deluge of information, the mounting pressure to maintain constant vigilance and a lack of  resources, it’s easy to understand why some IT leaders are seemingly indifferent.

However, this is not an excuse for inaction. Especially with democracy on the line. If we’re to mitigate the threat of foreign interference within the electoral process – and avoid democracy being knocked off the tightrope – we must take a more proactive approach.

Taking matters into our own hands

In the face of these escalating threats, it’s crucial for the government and organisations to proactively rebuild national confidence by enhancing defensive cybersecurity strategies. And that starts with being able to see the entire attack surface.

To effectively defend against cyber threats, you need to know what you’re up against. That’s why organisations must conduct a comprehensive assessment of their attack surface. Do to this, they must map all the entry points and vulnerabilities that bad actors could exploit. Most importantly, they need to follow mapping with investment into technology that can help identify and monitor any threats.

With tens of thousands of physical and virtual assets connected to any organisation’s networks on an average day, and over 40% remaining unmonitored, its time organisations start defending against current threats while also positioning themselves for the dynamic challenges and evolving vulnerabilities that lie ahead.

A complex, thorny problem

With that, it’s important to remember that not all vulnerabilities are created equal. In 2023, the cybersecurity community identified and dealt with an astonishing 65,000 unique Common Vulnerabilities and Exposures (CVEs), yet the patch rates for critical CVEs remained noticeably lower than others. Put simply, organisations are failing to prioritise the right vulnerabilities.

From a deluge of data and too many different tools for managing assets connected to a network, organisations must instead equip themselves with the right tools to combat cyberwarfare. Implementing technology that can help teams understand and focus on the vulnerabilities affecting assets, particularly ones that are critical to the core function of the organisation, or are in a vulnerable context, is now a necessity for a robust cybersecurity posture.

Additionally, as cyberwarfare tactics are constantly evolving, organisations must stay ahead of the curve with continuous threat intelligence. Solutions that act as an early warning system, using AI and machine learning to scan the dark web, whilst setting dynamic ‘honeypots’ for bad actors, provides actionable data ahead of vulnerabilities, attacks and impacts.

By combining these early warning systems with automation and other AI-powered solutions, security teams can proactively address threats to elections. After all, nation-state actors are increasingly using AI for attacks, so it’s time to start using it for defence.

Building a digital defence

Global attack attempts more than doubled in 2023, increasing 104% and, when combined with rising geopolitical tensions, the UK has found itself in the crosshairs of bad actors, nation-state or otherwise. With 2024 being such a crucial year for democracy, it’s time organisations – as well as the government – come together to rebuild national trust. The time to act is now.

Starting with a robust investment in cybersecurity, coupled with the deployment of AI-driven tech that can see, secure, protect and manage billions of assets around the world in real-time will be key in an organisation’s cyber defence. If government and organisations take a proactive approach today, then there’s a chance we can still shield democracy from the threat of cyberwarfare.

Designed to exploit weaknesses in third party suppliers, a software supply chain attack turns a trusted supplier into an unsuspecting Trojan horse. In recent years, collective awareness of cyber risk has grown, leading to widespread adoption of stronger safety measures. This has made direct attacks on large organisations more challenging. 

So, hackers have turned to enterprises’ supplier networks as a new source of vulnerabilities to exploit. Smaller software suppliers often have weaker security measures, making them easier targets. Once compromised, these suppliers’ software can be injected with malicious code, providing hackers with a way to breach their target from within.

The results can be catastrophic. According to a new report from BlackBerry, UK companies are especially likely to be at risk of cyberattack in their supply chain. 

 “Unknown components and a lack of visibility on the software supply chain introduce blind spots containing potential vulnerabilities that can wreak havoc across not just one enterprise, but several, through loss of data and intellectual property, operational downtime along with financial and reputational impact,” commented Christine Gadbsy, VP of Product Security at BlackBerry in the report. “How companies monitor and manage cybersecurity in their software supply chain has to rely on more than just trust.”

BlackBerry’s report highlighted the 2020 hacking campaign which targeted a vulnerability in SolarWinds software and managed to penetrate US government departments including the Department of Homeland Security and part of the Pentagon. New research from BlackBerry highlights the extent of the problem for UK software supply chain security. 

UK firms battered by cybersecurity threats 

BlackBerry’s study found that four out of five software supply chains have been either notified of a vulnerability or the target of cyber attacks in the past year. 

Out of those who experienced an attack, 59% were operationally compromised, 58% lost data, 55% lost intellectual property, 52% suffered a perceived loss to their reputation, and 49% were hurt financially. 

Recovery times following an attack were also longer than ideal for many firms. Nine out of ten companies took up to a month for their operations to recover following a software supply chain attack. According to BlackBerry’s researchers, “the damage to reputation and brand lasts much longer.”

This data not only identified an increase in attack frequency but also shows a greater financial impact compared to data from 2022.

One alarming discovery from the report was the presence of hidden entities within software supply chains. According to BlackBerry, three in four businesses uncovered hidden entities in their supply chain, with over two-thirds (68%) of businesses only recently identified these unknown participants. 

This vulnerability typically arises as the result of gaps in regulatory and compliance processes. Troublingly, fewer than 20% of UK companies request security compliance evidence from suppliers beyond the initial onboarding stage.

Also, despite reporting high levels of confidence in their suppliers’ ability to identify and prevent vulnerabilities, few companies consistently verified compliance. This lack of verification and visibility, the report’s authors argue, leaves opportunities for cyber criminals to exploit.