Appian: Why AI is Putting Better Business Within Every Organisation’s Reach
Our cover story highlights how AI is putting better business within everyone’s reach.Mark Talbot, Director – CS AI Initiatives at Appian, reasons that as organisations grow more capable with AI, the challenge shifts from proving its value to expanding access to it. “Instead of concentrating control and decision rights in a small, central group, modern AI tools give more agency to the people closest to the work. They can see what is not working, imagine better approaches, and use AI to help redesign and improve the processes they rely on every day.”
CPL Aromas: How a Leading Fragrance House is Using AI to Amplify Creativity
In the world of retail, a leading fragrance house uses AI to amplify creativity. Alfred Muthunathan, CIO at CPL Aromas, explains how the family-owned business is using AI as a strategic capability to support creativity and accelerate innovation. “We didn’t bolt AI onto our systems; we redesigned the organisation, so AI is native to how we operate… Our new system takes away the workload from perfumers and has allowed us to create something that always keeps the nuances of our industry at its core.”
Vibrant Capital: Scaling AI on Main Street
Shadman Zafar, Founder & CEO of Vibrant Capital, is building a CIO-led model for enterprise transformation. Vibrant Capital is an operator-led investment and company-building platform focused on scaling AI in the real economy. “We don’t spray investments across hundreds of AI startups. We curate a portfolio with purpose – selecting companies that solve the real mission-critical problems CIOs face in scaling AI adoption.”
Also in this issue, we learn about the supply chain transformation journey at Swiss sportswear brand On, unpack the latest AI readiness research from Snowflake and hear from Hitachi Vantara about the importance of strong data foundations for the best utilisation of AI.
Andrew Power, Head of UK&I at Tricentis, on why the right approach to AI can deliver the foundation for more resilient, predictable systems
SHARE THIS STORY
Artificial intelligence is reshaping software delivery in financial services. Code that once took teams weeks to develop can now be generated and deployed in a matter of hours. This isn’t just about faster delivery; it changes the fundamentals of how software is built and how it behaves in production.
Financial institutions have moved quickly to integrate AI across core systems, from customer operations to anti-money laundering (AML) and software development to capture efficiency and innovation gains. UK parliamentary evidence shows adoption is already widespread, with the majority of firms using AI, and more planning to follow.
But as adoption spreads and becomes more embedded within key systems, so does exposure. Risk is no longer confined to individual defects, but shaped by how quickly those defects can spread across interconnected environments.
AI has removed the limits on how quickly software can be created, but not on how confidently it can be trusted, and financial institutions can now generate and deploy code faster than they can safely validate it.
This creates a new paradox: AI is both accelerating the pace of software change and increasing the speed and scale at which failures can materialise.
Machine-Speed Failure
AI-driven development shortens the distance between change and consequence. Software updates can move through the pipeline from creation to production with significantly less friction. However, this also reduces the time available to identify, flag and contain any issues before they have an impact.
AI-driven software changes don’t just move fast, they scale fast. Unlike traditional failures, these are systemic risks. A single misstep in an AI-generated update can propagate unpredictably.
For financial services, this is especially significant when key systems are deeply interconnected, spanning complex layers of infrastructure, integrations, and third-party services. Even a minor defect can propagate quickly across systems, amplifying its impact.
What would once have been contained can now escalate, cascading across systems and causing wider disruption that affects customers, operations and, in some cases, market activity. In financial services, this is not just a technical issue but a business risk with direct implications for customer trust, regulatory compliance and financial stability. The challenge is no longer simply identifying defects but maintaining confidence in what is being deployed.
This risk is already being felt across the sector. Institutions are accelerating delivery to meet customer expectations and competitive pressures, but often without corresponding advances in validation. Tricentis’ research shows 68% of financial services organisations anticipate outages or serious incidents due to poor software quality.
Regulatory Pressure for AI is Increasing
The issue is also drawing attention from regulators. Earlier this year, the UK Treasury Committee warned that current approaches to AI in financial services are inadequate and could expose customers and the wider system to “serious harm”, highlighting the need for stronger guardrails, clearer accountability and more robust oversight to deploy it safely.
Traditional resilience frameworks were never designed for systems evolving in real time, and AI can no longer be treated as a marginal technology risk. It must become central to how organisations manage and assess resilience.
This marks a shift from software quality being an engineering concern to a board-level issue of operational resilience. If machine-speed change is the new operational hazard, then failure to address it becomes a strategic issue rather than a technical one. With that in mind, financial leaders must acknowledge AI’s dual role as both a driver of risk and a mechanism for preventing it.
AI as Both a Safeguard & Source of Risk
AI also offers the most effective and scalable way to manage the risks it introduces. Advanced AI-driven validation, continuous monitoring and risk-prioritised testing can identify issues earlier than any manual process, helping reduce the likelihood they reach production.
In effect, the same AI that accelerates software creation must now be applied to validation and governance – operating at the same speed and scale.
The same capabilities that facilitate rapid software production can be applied to validation and governance, continuously evaluating system behaviour, detecting anomalies and prioritising testing based on potential business impact, rather than volume. This allows organisations to move beyond rigid approaches and towards more adaptive, responsive quality models that more accurately reflect the way AI behaves.
Instead of relying on standard periodic testing cycles, systems can be validated on an ongoing basis. This enables earlier intervention before issues escalate.
AI can also help organisations better understand the complexity of their own systems. By analysing dependencies across applications and infrastructure, it becomes possible to identify which processes are most critical and where failures would have the greatest impact.
From Acceleration to Control
There is a clear mismatch in how financial organisations approach AI. While many are leveraging AI to accelerate development, far fewer are evolving their validation and governance to keep pace, and it’s in this gap that risk emerges.
This is the “confidence gap”, where organisations can create software faster than they can safely deploy it.
To address this imbalance, firms must treat software quality as a core component of their AI strategy. Development and validation must move forward together. Governance must adapt to continuous, AI-driven change. This requires a move from static testing and coverage metrics to continuous, risk-based validation, where software is assessed in real time based on potential business impact.
If AI is the engine driving software creation, validation must act as the braking system – built in, not bolted on at the end. At machine speed, gaps in control become points of failure. The aim is not to slow innovation, but to ensure it progresses in a way that is sustainable and safe. When validation keeps pace with development, firms can move quickly and competitively, whilst maintaining control over how risk is introduced and managed.
This is a change we are seeing across large enterprises adopting AI-driven quality approaches, where validation, monitoring and governance are increasingly orchestrated together rather than treated as separate processes.
Preventing the Next Outage
The financial sector has already seen how quickly failures can escalate in complex, interconnected environments. In March, an IT error at Lloyds Banking Group exposed the private financial information of nearly half a million customers, prompting the bank to issue £139,000 in compensation.
Such incidents aren’t isolated: over the last two years, more than 33 days of unplanned banking outages have been reported to Parliament, underlining the scale of the issue.
As AI increases the velocity of change, it also raises the stakes for getting it wrong. But the irony is that it also provides the tools needed to prevent these failures from happening in the first place. AI is both contributing to the risk of outages and becoming the most effective way to prevent them.
By applying AI to continuous validation, monitoring and risk detection, organisations can spot issues earlier, understand their potential impact and intervene before disruption occurs. This shifts the focus from reacting to outages to preventing them, and it’s where the paradox becomes constructive. AI doesn’t have to be a source of instability.
With the right approach, it can become the foundation for more resilient, predictable systems. Those that fail risk trading innovation for instability. In the AI era, speed without confidence is simply another form of risk.
ZeroThreat co-founder Dharmesh Acharya on why the only way to know if your defences actually hold is to challenge them with continuous penetration testing and exploit validation
SHARE THIS STORY
Your security dashboard is green. No alerts. No critical flags. Everything looks fine. That feeling of calm is exactly what you should be worried about. A clean dashboard does not mean your application is secure. It often means you are measuring the wrong things.
If a threat operates outside those parameters, it stays invisible. Your logs look normal, your vulnerability scanner reads low risk and your compliance status says passing. And somewhere in your environment, an attacker could be moving quietly through systems your dashboard never touches.
Let’s take a look at why green dashboards can be misleading, what they are not showing you, and what real security validation actually looks like.
The False Comfort of a Green Dashboard
There is something deeply reassuring about a green dashboard. No alerts. No red flags. And no critical vulnerabilities screaming for attention. For most security teams, that view signals control. It signals safety. But here is the uncomfortable truth: a clean security dashboard does not mean your environment is secure. It often just means your tools are not seeing the full picture.
Most monitoring systems only report what they are configured to detect. If a threat operates outside those parameters, it stays invisible. Your SIEM logs look normal. Your vulnerability scanner shows low risk and your compliance status reads “passing.” Meanwhile, an attacker could be sitting inside your network, moving quietly, and your dashboard would never know.
According to IBM’s Cost of a Data Breach Report, the average breach takes 168 days to identify and 51 days to contain it in the finance industry. That is over six months of green dashboards while real damage is being done. False confidence in security metrics is not a minor issue. It is one of the most exploited gaps in enterprise security posture today.
5 Problems with Traditional Security Metrics
Traditional security metrics were built for a different era. They measure what is easy to measure, not what actually matters. And when security decisions are based on incomplete or misleading data, the entire security program becomes vulnerable, even when everything looks fine on paper.
1. Visibility Without Context
Knowing that 10,000 events were logged means nothing without understanding what those events represent. Traditional metrics track volume, not relevance. Security teams end up drowning in data while the actual threats, the ones that matter, go unnoticed. Coverage without context is just noise.
2. Compliance Masking Risk
Passing a compliance audit does not mean you are secure. It means you met a checklist. Many organizations confuse regulatory compliance with actual cyber resilience. Attackers do not care about your audit results. They look for gaps, and compliance-focused metrics rarely surface those gaps in time.
3. Perimeter-Focused Thinking
Most traditional security metrics are built around the perimeter. But the perimeter does not exist the way it once did. Remote work, cloud environments, and third-party integrations have dissolved those boundaries. Metrics that still prioritize perimeter health give a dangerously narrow view of your actual attack surface.
4. Lagging Indicator Dependency
Traditional metrics tend to be reactive. They tell you what already happened, not what is happening right now. Mean time to detect, incident counts, patch rates, these are all lagging indicators. By the time they show a problem, the damage is often already in motion. Real security needs leading indicators too.
5. Ignoring Unknown Assets
You cannot protect what you cannot see. Shadow IT, unmanaged endpoints, forgotten cloud instances, these assets rarely show up in traditional security dashboards. Yet they are among the most targeted entry points for attackers. Metrics that only account for known assets create a false sense of complete coverage.
Hidden Risks Your Dashboard Doesn’t Show
Your dashboard reflects what your tools are configured to monitor. Nothing more. Unmanaged devices, misconfigured cloud storage, dormant user accounts with excessive privileges, these risks exist outside the monitoring boundary. They do not trigger alerts. They do not show up in reports. But they are real, and attackers know exactly how to find them.
Lateral movement is one of the most dangerous and least detected attack behaviors. Once an attacker gains initial access, they move quietly across your environment using legitimate credentials and trusted pathways. Traditional security monitoring tools rarely flag this activity because it does not look like an attack. It looks like normal user behavior. That is precisely what makes it so effective.
Third-party risk is another blind spot most dashboards completely ignore. According to Verizon’s Data Breach Investigations Report, 15% of breaches involve a third party. Vendor access, supply chain integrations, and API connections create exposure points that sit entirely outside your visibility. If your dashboard is not showing you that, it is not showing you everything.
What a Genuinely Healthy Security Posture Looks Like
A healthy security posture is not about having zero alerts. It is about having full visibility, fast response capability, and continuous validation. Organisations with mature security programs do not chase green dashboards. They build systems that surface the right information at the right time.
According to IBM, organizations with a fully deployed security AI and automation program contained breaches 108 days faster than those without. Speed of detection and response is one of the clearest indicators of a strong security posture. That cannot be measured by looking at how calm your dashboard appears.
Real security health includes knowing your complete asset inventory, including cloud workloads, third-party connections, and unmanaged endpoints. It means having continuous monitoring that goes beyond compliance checkboxes. It means your team runs regular adversarial testing to find gaps before attackers do.
And it also means your security metrics are tied to business risk, not just technical thresholds. When a CISO can clearly explain what is protected, what is exposed, and why, that is what a genuinely healthy security posture actually looks like.
How to Ensure Real Security: Exploit Validation
Knowing you have vulnerabilities is not enough. You need to know which ones can actually be exploited, and how far an attacker could get if they tried. That is what continuous exploit validation delivers. It moves security testing from a scheduled event to an ongoing process that reflects your real-world risk exposure.
AI-driven automated penetration testing makes this possible at scale. Instead of waiting for an annual pentest, these tools continuously simulate real attacker behavior across your environment. They test your controls, validate your detections, and surface exploitable paths before a real threat actor finds them. Your security team gets evidence, not assumptions.
The result is a security program that is grounded in reality. You stop relying on what your dashboard says and start relying on what has actually been tested and verified. Continuous exploit validation closes the gap between perceived security and actual security, and that gap is exactly where breaches happen.
Conclusion: Stop Trusting Your Dashboards and Start Validating
A green dashboard does not mean you are secure. It means nothing alarming has been detected within the boundaries your tools are configured to monitor. That is a very different thing. Real security is not about how calm your dashboard looks. It is about how thoroughly your environment has been tested and validated.
The only way to know if your defences actually hold is to challenge them. Continuous penetration testing and exploit validation give you evidence, not assumptions. They show you what an attacker would find before an attacker actually finds it. That shift, from monitoring to validating, is what separates a false sense of security from a real one.
Vincent Guillevic, Director of Fraud Labs at Entrust, argues companies that treat identity as a continuous thread rather than a single checkpoint will be better positioned to reduce losses and protect customers
SHARE THIS STORY
Identity verification and tackling fraud began as a face-to-face process, built on human trust. Opening a bank account involved meeting a banker in person and from there, trust was established because both parties could see and interact with each other directly in branch.
Fast forward to the digital age and a lot of services have moved online. Identity verification has therefore shifted from in-person checks to remote identity verification. Today, we’re in an era where identity is now central to every interaction we have online.
Fraud has followed the same trajectory. Much like a burglar would test every possible entry point rather than just the front door, fraudsters probe every stage of the customer journey. They look for weaknesses at onboarding, during login, and throughout ongoing transactions and data requests.
That challenge has intensified in recent years. AI has given fraudsters faster, sophisticated and scalable tools. Deepfakes can bypass checks, AI‑generated documents can appear real, and phishing and impersonation attacks can now be automated at scale.
Once a fraudster gains access to a legitimate account, the damage escalates quickly. Global losses from account takeover (ATO) fraud were projected to reach $17 billion in 2025, up from $13 billion in 2024. While the underlying intent of fraudsters seeking the weakest point of entry, the breadth, speed and sophistication of modern attacks have.
Identity Fraud Patterns Across the Customer Lifecycle
Fraud can occur at any stage of the customer journey. From verifying identity at onboarding to securing connections and fighting fraud in everyday transactions. Each stage introduces its own risks, and attackers adapt their tactics based on where value can be extracted most efficiently.
In 2025, patterns showed a clear distinction between industries targeted for new account fraud and those targeted for account takeover fraud. Businesses that offer immediate incentives such as promotional offers or sign-up bonuses are primarily targeted for new account fraud. In contrast, businesses where accounts accumulate long-term financial or data value face higher levels of ATO.
Industries built around sign-up incentives or instance access experience most fraud at onboarding. For instance, in crypto, 67% of fraud attempts occur during account creation, largely driven by sign-up incentives. Vehicle rental follows a similar pattern, with 67% of fraud taking place at onboarding as attackers use fake identities to gain short-term access to high-value assets. In these sectors, low-friction onboarding creates opportunities to harvest incentives or establish accounts that later become avenues for future money laundering.
Account takeover fraud reflects a different strategy. Rather than creating fake accounts, attackers focus on compromising established accounts using tactics such as stolen credentials, phishing, malware, or social engineering. Entrust data shows this is most common in industries where accounts hold enduring value. In payments, 82% of fraud attempts occur after onboarding, while in professional services the figure is 62%. High-value, long-standing accounts are attractive because they enable fund transfers, loans, and access to identity-rich data, making them more valuable than newly created accounts.
These patterns highlight two critical realities. First, organisations can no longer optimise for one type of risk at the expense of another. Defending a single point in the journey inevitably leaves gaps elsewhere. Second, fraud has become highly professionalised. Modern fraud operations are organised, strategic, and adaptive, moving toward the highest rewards and the weakest controls.
Prevention Must Span the Entire Journey
If fraud can occur at any stage, prevention must operate at every stage. Organisations that implement robust, lifecycle-wide identity strategies save an average of $8 million per year in fraud-related costs. These savings come from detecting threats earlier, more accurately, and beyond a single checkpoint.
There are three areas where that lifecycle approach needs to be strongest.
Get onboarding right
Onboarding is the first opportunity to establish genuine trust. Strong Know Your Customer (KYC) or Know Your Employee (KYE) processes combine document verification with biometric checks such as face recognition or fingerprint scanning to confirm that the person applying is who they claim to be. Liveness detection adds a further layer by distinguishing real users from synthetic identities and deepfakes, which are linked to approximately one in five biometric fraud attempts.
With strong identity verification at onboarding not only reduces immediate fraud, but also limits the downstream damage caused with fraudulent accounts.
Secure existing accounts with continuous authentication
Verifying identity once is no longer sufficient. Continuous authentication, combining multi-factor authentication with biometric re-verification like facial recognition, allows businesses to protect established accounts without creating unnecessary friction for legitimate users.
Crucially, it enables authentication requirements to adapt dynamically as risk levels change, rather than applying the same static check regardless of context. In payments businesses, where most fraud targets the authentication process itself, this adaptability is key to mitigating attacks before losses occur.
Monitor behaviour in real time, not just identity
Device intelligence and behavioural signals make it possible to assess risk based on how users interact with services, flagging unusual login patterns, device anomalies, or out-of-character transactions.
As AI-driven fraud becomes more sophisticated and convincing, behavioural indicators provide another layer of ongoing fraud detection. Focusing monitoring on high-risk actions, rather than only high-risk identities closes a critical gap in traditional defences.
The Window of Opportunity
Fraud has always followed the customer journey. What has changed is the availability of advanced technology capable of tracking, analysing, and responding to threats at every stage. The key question for organisations is whether these capabilities are deployed as a connected strategy or left as isolated controls with gaps in between.
Companies that treat identity as a continuous thread rather than a single checkpoint will be better positioned to reduce losses and protect customers, and preserve the trust that underpins long-term digital relationships.
Michele Centemero, EVP Services, Mastercard Europe on why promoting awareness, stronger collaboration and data-sharing, and continued innovation of payments ecosystems, will be critical in reducing the impact of scams and protecting trust in the digital economy
SHARE THIS STORY
As our world becomes faster, smarter and more interconnected, scammers are evolving in parallel, developing increasingly sophisticated ways to exploit people’s trust. By harnessing new technologies and behavioural insights, they are refining their methods to appear ever more credible and convincing.
While attacks on systems continue, today’s fraudsters are increasingly targeting people, often relying on psychological manipulation to achieve their goals.
Understanding Social Engineering
Many modern scams fall under the umbrella of social engineering,which isthe use of deception and emotional manipulation to influence a person’s behaviour.
In the digital world, cybercriminals use these tactics to build false trust, create urgency or fear, and ultimately trick people into sharing confidential information or taking actions that can cause financial harm to themselves or their employer.
Recent European industry data indicates that social engineering-related fraud and authorised push payments (APPs) – where victims are tricked into sending money to fraudsters posing as legitimate payees – now account for a growing share of overall scam losses[1].
This is directly impacting a growing number of consumers, with the majority of people saying they’ve experienced some form of scam or fraudulent attempt to capture their personal information highlighting why awareness and vigilance are critical for people of all ages.
Education is the First Line of Defence
Protecting consumers and businesses from malicious activity is a priority, and it starts with awareness. When people understand how scams work, they’re more likely to spot the warning signs before it’s too late and be empowered to protect themselves against fraudsters.
Three of the most common social engineering scams to watch out for are:
Imposter fraud – Criminals pose as trusted organisations (such as banks, retailers, or government bodies) to pressure victims into sharing personal or financial details. Research indicates over half (53%) of European consumers have been targeted via phone or voice call scams, with social media scams affecting around two in five people, and tech support impersonation tricking roughly one in three.*
Phishing – Fraudulent emails, texts, or messages that are designed to look legitimate, often urging immediate action like clicking a link or resetting a password, leading victims to disclose sensitive information or install malicious software. Nearly three in five (58%) have received phishing emails or fraudulent text messages (63%) and QR code scams are on the rise, impacting nearly a quarter of Europeans.*
Romance or honeypot scams – Scammers build emotional relationships over time, gaining trust before exploiting it for financial gain. These types of attacks are also widespread, with one in four people (24%) encountering fake profiles, requests for money, or online relationships that lead to financial exploitation. These scams hit younger generations hardest, with 40% of Gen Z and 35% of Millennials affected, compared with 21% of Gen X and 11% of Boomers.*
How Businesses Can Protect Consumers from Scams
With fraudsters increasingly using AI to commit more sophisticated, larger scale attacks, businesses and banks should also consider how they deploy technology to protect customers from bad actors.
The combination of AI, robust identity controls and open banking can help protect consumers from scams, whether across card and account‑to‑account payments or in fraudulent account openings.
Looking at identity controls specifically – take the example of continuous identity verification, a fraud prevention measure that verifies the user is who they claim to be throughout the entire lifecycle journey. This helps to prevent scammers from opening or taking over accounts to apply for credit, create ‘mule’ accounts or impersonate others.
Behavioural biometric data is often used as part of this and can be used to analyse how a user interacts with their device – from typing patterns to on‑screen movements – to flag unusual behaviour.
More in depth, AI powered transaction analysis can also help banks and financial institutions to stay ahead of payment threats. It provides banks with the intelligence needed to detect and stop payments to scammers, using AI and a network-level view of account‑to‑account transactions to enable intervention before funds leave an account.
Staying Ahead of an Ever-Evolving Threat
As social engineering tactics continue to evolve, staying ahead requires a combination of intelligent technology, consumer education, and proactive action from businesses and financial institutions.
While no single measure can eliminate risk entirely, greater awareness, stronger collaboration and data-sharing, and continued innovation of payments ecosystems will be critical in reducing the impact of scams and protecting trust in the digital economy.
*Source: This study was conducted by The Harris Poll on behalf of Mastercard from September 8 to September 25, 2025, among 5000+ consumers in the following European markets: EUR: France (n=1,005), Germany (n=1,002), Italy (n=1,016), Spain (n=1,005), UK (n=1,004)
Mastercard: Transforming the Fight Against Scams
Innovation – Our advanced AI-powered Identity insights examine digital footprints and assess unique patterns to detect risk and flag suspicious activity indicative of scams.
Collaboration – We collaborate across industries, partners and organizations worldwide to secure the digital ecosystem, ensuring payments are safe for all. Combating the growing threat of scams demands a collective effort.
Education – We work with and through our collaborators to provide knowledge and tools that help people protect themselves and their loved ones from scams, while also working to destigmatise the experience of being a victim.
$12.5bn in losses from U.S. consumer reported online scams in 2023
$486bn in global losses from scams and bank fraud schemes in 2023
22% YoY growth in U.S. consumer scam losses suffered in 2023
From sender to recipient, we vigilantly monitor accounts and transactions for any elevated scam risk
Identity insights – Provides actionable identity insights and risk scores for businesses to improve identifying their good customers from the scammers creating “mule” accounts or impersonating someone else with a false identity.
Transaction patterns – Flags suspicious activity across the money movement flow to prevent payments to scammers before it is sent through the real-time analysis of transaction elements.
Account confirmation – Enables account validation to confirm account ownership and validate identity details in real-time through our open banking capability, which draws on the safe exchange of consumer-permissioned data to facilitate frictionless and secure payments.
Richard Ford, Chief Technology Officer at Integrity360, on why cybersecurity must move beyond control and embrace trust
SHARE THIS STORY
Cybersecurity has long been focused on building walls, but the biggest threat is already inside. Today, insider risk accounts for nearly half of all data breaches. This isn’t just about malicious actors, it’s about regular employees and trusted contractors who make simple, costly mistakes.
Remote and hybrid working has only intensified the problem. With teams distributed and work happening across cloud platforms and collaboration tools, it’s harder than ever to track what’s happening, let alone why. Although AI tools promise efficiency, they also introduce new vulnerabilities. Employees pasting code into chatbots or bypassing corporate tools to meet deadlines. All seemingly innocent, but highly risky.
Insider Risk
Ransomware gangs know this and are now skipping the technical breach altogether and going straight to the source – a company’s insiders. Whether through bribery or social engineering, attackers are finding that humans can be the weakest link in even the most well-defended environments. Despite this, most security budgets still focus outward.
Traditional tools like data loss prevention (DLP) struggle to keep up with today’s dynamic and unpredictable user behaviour. Meanwhile, simulated phishing tests and punitive training schemes often breed resentment, not resilience. It’s time to rethink the model.
Human Error, Human Fix
We need to stop treating employees as the problem and start making them part of the solution. Enter Human Risk Management (HRM), a behavioural approach to cybersecurity that recognises the complexity of modern work. HRM tools monitor real-world user behaviour, detect anomalies in context, and deliver just-in-time nudges to prevent risky actions before they happen. Instead of punishing mistakes, they help users avoid them in the first place.
Of course, technology alone won’t fix the issue, culture is key. Leadership must champion security as a shared responsibility, not an IT rulebook. Success should be measured by how quickly employees improve, not how often they slip up. Awareness campaigns need to be practical and rooted in real-world behaviour.
Organisations also need to understand how digital transformation has changed the risk landscape. Shadow IT is no longer a fringe issue, it’s how work gets done. Whether it’s a developer using an AI plugin or a marketer sharing files via a personal drive, employees will always find the fastest path to productivity. Security must meet them there, not block the way.
Cybersecurity Built on Trust
The smartest businesses are those that treat identity like infrastructure, and behaviour like a vital data stream. They invest in tools that adapt to people, not the other way around. This means a move away from a surveillance approach and embracing the nuance of human error and design systems that support.
In a world where threats are increasingly internal and AI is both a risk and a tool, cybersecurity can no longer be about control. It must be about trust, and that starts with understanding the humans behind the keyboards.
Pierre Noel, Field Chief Information Security Officer at Expel, on why security with community-based governance is a key business pillar that better positions organisations to become more resilient and target growth
SHARE THIS STORY
It’s been a particularly rocky start to 2026 for the global cybersecurity landscape. From the Substack data breach to PayPal credential-stuffing attacks in February, we are not looking at IT failures alone. These attacks are balance-sheet events: direct assaults on business value, triggering remediation costs and long-term impacts on financial health. Compounded with the conflict with Iran, leading to potential ramifications in the cyber realm, it’s more important than ever for the C-suite to be aligned on cybersecurity priorities.
Despite this, a glaring disconnect remains in planning and execution. Expel’s research found that while 85% of finance leaders view cybersecurity as a key component of business planning, only 40% express full confidence in security’s ability to align with business strategy. To bridge this gap, CISOs must move from reporting on activity and start reporting on resilience and unit cost.
Translating Alert Volume Into Unit Cost
CISOs must change how they present the value of their operations. CFOs are largely indifferent to technical metrics like the ‘millions of blocks pings’ or ‘SOC alert volume’ – to a finance leader, an alert is simply another form of disruption to daily operations.
To fix this, CISOs should introduce the ‘unit of cost protection’. By breaking down security spend into the cost required for a single transaction or business unit, CFOs can understand and manage it from experience. A tiered approach works best here: high-risk business units justify higher protection costs than low-risk ones. This allows CFOs to treat security as a scalable operational expense rather than a black hole of additional tooling – the kind of framing that also resonates in a boardroom.
Mapping Investment to Business Risk Exposure
Expel’s research shows that while 43% of finance decision-makers are confident that security can prioritise investments based on risk, only 46% are confident that security can deliver cost-efficient solutions. To move in the right direction, CISOs should shift from ‘vulnerability management’ to thinking about ‘business risk exposure’, requiring a different view of how threats unfold over time.
It’s all about asking the right questions. Instead of requesting more firewalls to protect a specific timeframe, start asking for the cost of securing diverse digital ecosystems across an extended risk window. The 2026 Winter Olympics is a good example: Russian-led cyber campaigns began raising concerns months before a single athlete arrived in Italy, proving that risk isn’t a one-day event but an ongoing operational cost.
For European organisations, this framing is increasingly non-negotiable. While NIS2 and DORA help make the cost of under-investment concrete and quantifiable, the upcoming Cyber Resilience Act (CRA), with key reporting requirements starting in September 2026, extends this pressure to anyone manufacturing or selling digital products in the EU. Even for purely domestic UK entities, the new UK Cyber Security and Resilience Bill is moving the goalposts toward these same high standards. Ultimately, CFOs must understand that cybersecurity isn’t just about preventing loss; it’s a prerequisite for safe and secure growth.
The Reputational Multiplier
So those are the questions to ask, but how do CISOs deal with the ‘unknown unknowns’, specifically long-term brand damage? While compliance fines under NIS2 or DORA may be straightforward (and important) to model, they rarely represent the full scope of the potential damage. In such scenarios, CISOs should propose a reputation multiplier: a framework for quantifying the financial fallout of brand damage in a language CFOs know and trust, looking past immediate recovery costs to factor in the long-term implications of re-establishing market trust.
The 2026 CarGurus breach illustrates this well. Impacting 12 million users, the cost wasn’t purely technical; it also came from the stock price dip and marketing spend required to repair the brand. For UK companies, where regulatory scrutiny is heightened, that multiplier effect is even more pronounced. This is the language of a CFO, and it helps CISOs better translate the urgency and relevance of a strong cybersecurity posture.
Standardising the Language of ROI
Closing the gap between CFOs and CISOs needs more than just better data; it needs a shared vocabulary. By standardising the language of ROI, CISOs transform cybersecurity from a vague insurance policy into a transparent value driver fully trusted by finance teams. Move away from complicated defensive jargon toward a unified framework of unit costs, and the gap between the CISO and CFO starts to close.
Security has become a key pillar of business operations, and in the current threat environment, it’s genuinely a community-based governance issue. The organisations that get this right aren’t just more resilient. They’re better positioned to grow.
Dr. Yvonne Bernard, CTO at Hornetsecurity, on meeting the challenge of managing the speed of AI adoption and harnessing its defensive capabilities while mitigating the risk of uncontrolled adoption
SHARE THIS STORY
The past year has been defined by acceleration. Threat actors rapidly embraced automation, AI, and social engineering. Scaling their tactics at unprecedented speed, while defenders raced to keep pace. Historically, defensive resilience evolves in step with attacker innovation, but in 2025 that balance began to falter.
In an analysis of over 6 billion monthly emails, Hornetsecurity’s Security Labs found that the volume of sophisticated threats grew faster than most security teams could adapt to. Malware-infected emails soared by 131%, scams increased by nearly 35%, and phishing attempts – powered by access to advanced AI – rose by 21% from the previous year.
Typically, attacks, even at volume, are easily filtered by good firewalls and secure email gateways. But the sophistication and AI-led nature of 2025’s boom made it even harder for organisations to defend themselves. The question now is: can security teams and businesses wrestle back control?
Evolving Cyberattack Landscape
AI enhances efficiency and precision. As such, cybercriminals use it to launch faster, more convincing and adaptive attacks, ranging from deepfakes to credential stuffing. As an example, there is a concerning trend of attackers increasingly using ‘MFA bypass kits’ to create deceptive login pages. These pages capture not only the user’s credentials but also have logic built in to handle MFA prompts as well. The unsuspecting user is then passed to the real login page for the target service and meanwhile the ‘kit’ grabs a copy of the user’s session token. This allows the attacker to impersonate the person and access their data.
Examples of such kits include Evilginx (open source) and the W3LL panel. Protecting against these attacks can be challenging, as they are adept at bypassing MFA safeguards. Threat actors often use compromised LinkedIn accounts, for example, to gain access to substantial information and connections. This enables them to impersonate trusted business connections. Paired with the weaponisation of Agentic AI, this will magnify existing vulnerabilities within an organisation, while introducing new ones that defy traditional containment models.
As it stands, the lack of oversight within organisations on the extent of AI’s adoption by cybercriminals has enabled the emergence of ‘Ransomware 3.0.’ Ransomware has evolved past simple encryption and exfiltration, with this next phase focusing on LLM-driven orchestration and a shift to data integrity manipulation.
To counter AI-accelerated compromises and ‘Ransomware 3.0’ in 2026, organisations must adopt a Zero Trust-based cyber resiliency strategy. This requires businesses to implement strong, non-phishable machine authentication, strict least-privilege access, and constant monitoring to protect the integrity of the data that users and AI agents can access. It should become the baseline expectations rather than aspirational goals for this year.
The Secret Value of ‘Least Privilege’ Access
Another strategy to proactively improve cybersecurity defences in 2026 is to enforce the principle of ‘least privilege’ access. This tactic grants users access only to the data that’s needed for their role. Limiting excessive access is important for preventing the potential for widespread data exposure and damage in the case of an account compromise.
Businesses, however, must strike a balance over access; if it’s too strict, it can hinder productivity and lead to shadow IT issues. Getting this balance right when it comes to privileged access is where sophisticated permission managers are invaluable tools to work with. They streamline the process and remove the guessing game of who and what to grant access to, thereby ensuring, in the case of an attack, that the entire organisation won’t be brought to its knees.
How CISOs are Adopting ‘Resilience, not Perfection’
The rate at which AI is advancing means not every organisation will be equipped with the tools or the know-how to tackle every AI-inspired attack. But as the saying goes, ‘prevention is better than cure’. It’s better to create a strong security culture than to continually chase after the next best tool.
Organisations can’t strengthen their resilience without involving every single person under their umbrella. That’s why CISOs must continue to invest in cybersecurity awareness programs.
These should include simulated AI-phishing attacks (phishing remains the number one attack vector) to test users and enable them to apply learnings from the modules.
If any user clicks on a phishing email, they should receive additional training at that very moment, to cement the learning. Over time, a good training system should automatically identify users who rarely fall for such attacks and reduce the training they receive while making the simulations they do receive more difficult. Conversely, giving persistent offenders additional bite-sized training and simulations can help improve security outcomes over time.
The key challenge for 2026 is managing the speed of AI adoption and harnessing its defensive capabilities while mitigating the risk of uncontrolled adoption. But with excellent training, cyberattack practice runs, and the adoption of Zero Trust principles, organisations will find themselves in a strong position.
About Dr. Yvonne Bernard
Dr. Yvonne Bernard is the CTO of Hornetsecurity by Proofpoint, Proofpoint’s business unit leveraging the Hornetsecurity product suite dedicated to managed service providers (MSPs) and small to mid-sized businesses (SMBs), providing next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world.
Nicole Reader, Head of Technology Solutions & Delivery at The Bunker (part of the Cyberfort Group), on finding a measured path forward for the future of cloud
SHARE THIS STORY
For more than two decades, UK organisations have embraced the cloud as the default model for digital growth. Hyperscale platforms have offered flexibility, speed and a route to innovation that would once have required years of capital investment. Cloud first became the business mantra. Cloud native became the ambition. Few stopped to ask what this meant for long term control. Today that question is becoming unavoidable.
Geopolitical relationships are shifting at pace. Trade tensions, regulatory divergence and new data access laws are reshaping the digital landscape as quickly as any technological change. At the same time, businesses are generating and storing more information than ever before. AI tools, collaboration platforms and SaaS applications are accelerating data creation at a rate that is testing infrastructures, supply chains and budgets alike.
In that context, many UK organisations are starting to ask a difficult question. When we moved to the cloud, did we quietly export more control over our data than we realised? The uncomfortable answer in many cases is yes.
The Assumption of Cloud Control
A significant proportion of UK businesses rely on global services, whether hyperscalers such as Amazon Web Services and Microsoft Azure or SaaS platforms headquartered overseas. These providers are sophisticated, resilient and often highly secure. However, their global footprint means that data is frequently stored, processed or managed beyond UK borders.
The challenge is that many boards assume that if data is accessible from the UK, or if a provider has a UK presence, it remains firmly under UK control. This assumption is often incorrect.
There is a crucial difference between data location and legal jurisdiction. Data residency refers to where data is physically stored. Data sovereignty refers to which who ultimately governs access to that data. Those two concepts are not interchangeable.
Legislation such as the US Cloud Act demonstrates why this matters. Under certain circumstances, US authorities can compel US headquartered providers to provide access to data, even if that data is stored outside the United States. The geographic location of a data centre does not automatically determine who can lawfully demand access.
Boards often conflate these terms, believing that selecting a UK service resolves sovereignty concerns. In reality, the corporate structure of the provider, contractual arrangements and cross border processing activities can all shape the legal framework that applies.
This is not an abstract legal debate. It is a question of operational control, regulatory exposure and risk appetite.
The Convenience Compromise
The rise of public cloud was driven by many compelling advantages. Flexibility, scalability and rapid deployment transformed how businesses launched products and expanded into new markets. For many organisations, the cost of building and maintaining their own infrastructure was prohibitive and the hyperscalers offered an attractive alternative at a great price.
However, that convenience came with trade-offs that were not always fully understood at the time. Cloud contracts can be complex. Consumption based pricing models include ingress and egress charges. Including API calls and a range of ancillary costs that can quickly exceed initial forecasts. It is not uncommon for organisations to reach the midpoint of their financial year and discover their cloud budget has already been used.
Meanwhile, operational design decisions made years ago may not have been stress tested against today’s regulatory expectations or geopolitical realities. Many mid-market IT teams have spent the past decade maintaining estates rather than redesigning them. In some cases, institutional knowledge has not kept pace with the evolution of cloud services and their associated risks.
The result is a landscape in which data has been distributed widely, often for operational reasons, but without a holistic understanding of the sovereignty implications.
Repatriation is Not a Silver Bullet
In response, there has been a growing push towards data return and sovereign cloud offerings. European initiatives are seeking to create regional alternatives to US dominated platforms. In the UK, there have been calls by government to expand domestic data centre capacity to retain greater control over national data assets.
The instinct is understandable, particularly for government, defence and heavily regulated sectors where sovereignty can become a non-negotiable requirement. However, it would be naïve to assume that bringing data back to the UK automatically makes it secure or resilient.
Local does not necessarily mean safe. High profile breaches over the past year have affected organisations across multiple jurisdictions, regardless of where their infrastructure is hosted. Security is not guaranteed by postcode.
There are also practical constraints. Data volumes are expanding rapidly, fuelled by AI workloads and increasing digitalisation. Hardware supply chains are under pressure, with significant demand driven by hyperscale AI investments. Price volatility is already evident, with some organisations seeing substantial cost increases within weeks.
Simply building more UK data centres does not eliminate capacity constraints or environmental considerations, particularly around power and cooling.
Furthermore, many businesses rely on global platforms to serve international customers and partners. A purely national approach can undermine interoperability and performance. For most organisations, the right answer will involve a hybrid strategy rather than wholesale repatriation.
From Technical Detail to Board Level Risk
What has changed is not simply the technology, but the level at which these decisions must be made.
Data sovereignty is no longer a technical footnote for the IT department. It is a board level risk issue. Directors must understand where critical data is stored, where it is processed and which legal regimes can assert authority over it. They must assess whether current arrangements align with the organisation’s risk appetite and regulatory obligations.
This is particularly acute in sectors such as financial services, healthcare and defence, where the sensitivity of data and the scrutiny of regulators are intensifying. For these organisations, sovereignty and security are intertwined. Compromises made for convenience or short-term cost savings can carry significant long-term consequences.
Security itself must be treated as a foundational approach rather than an add on. Too often, security controls are bolted on after operational decisions have been made. Minimum standards are implemented, arbitrary certificates are obtained and compliance boxes are ticked. While certifications can provide useful benchmarks, they do not replace rigorous design and ongoing validation.
If data is brought back onshore, but not properly segregated, monitored and protected, the sovereignty objective is completely undermined. There is little value in regaining geographic control if the underlying environment remains vulnerable.
The Business Case Reality
It would be unrealistic to ignore commercial pressures. For many mid-market organisations, cost remains a primary driver of decision making. Risk appetite is frequently calibrated against budget constraints. The perfect solution is rarely affordable.
That is why compromise becomes central. The critical question is not whether to compromise, but where. Does an organisation prioritise flexibility over jurisdictional control? Does it accept higher costs to secure local hosting? Does it rely on hyperscale security capabilities while accepting overseas governance frameworks?
There is no universal answer. The correct balance depends on the nature of the data, the regulatory environment and the strategic objectives of the business. A small retail operation will have different requirements from a growing fintech or a defence contractor. Supplier selection must reflect that risk profile. Not all cloud or data centre providers are equal in capability, assurance or sector expertise.
Boards should therefore ask their providers some direct questions. Where exactly is our data stored and where is it processed? Which legal jurisdictions apply, and under what circumstances could external authorities demand access? Who within your organisation has access to data, and how is it segregated from other customers? What is the exit plan, and how do we ensure data is fully returned and deleted at the end of a contract?
These are not confrontational questions. They are governance essentials.
A Measured Path Forward
As a result the UK should not retreat from global cloud ecosystems, nor should it blindly assume that everything must be deported. The objective is not isolation, but informed control.
Where sovereignty is genuinely critical, particularly in government and national security contexts, local hosting and specialist providers may be essential. In other scenarios, public cloud may remain the most effective platform, provided its legal and operational implications are fully understood and managed.
The most significant risk today is not that UK businesses have embraced the cloud. It is that many have done so without fully mapping the sovereignty, jurisdictional and security consequences that come with relinquishing control of data.
As data volumes grow and geopolitical uncertainty continues, that gap in understanding becomes a strategic vulnerability. The cloud has delivered extraordinary value. Now all these years later, it demands a more mature conversation.
Convenience built the digital economy. Control will define its resilience.
Chris Gunner, vCSO at Thrive – a leading NextGen MSP/MSSP, delivering global AI, cybersecurity, cloud, compliance, and digital transformation managed services – on how CISOs can position their cyber strategy to to become part of how a business navigates uncertainty
SHARE THIS STORY
Quantification of cyber risk is a growing trend. While this can be genuinely useful, in practice it is often misunderstood or over-applied by security leaders. It can range from an arbitrary figure to attempting to model every possible risk on the register in a Monte Carlo simulation. The focus can fall on the mechanics of quantification, rather than how financial decision-makers actually use the information.
Think of the CFO – they don’t walk through every penny in the budget. Instead, they usually focus on the board-level levers that can materially affect the business. These often include three key areas: strategic optionality, removing friction from capital events and avoiding shocks and smoothing operating costs. Security conversations should be anchored the same way.
The Importance of Strategic Optionality
If faced with a credible one-year growth plan, CFOs may recommend a one-year office lease despite a 20% premium. This is because it maintains the option later of moving or re-contracting once the growth trajectory becomes more visible. Like most strategic decisions, it is about preserving flexibility in the face of uncertainty, even if that flexibility comes at a short-term cost.
If we apply this to a cyber context, there are often businesses that have taken a calculated gamble with their existing business strategies. While the plan is sound, there is a chance it might not land as expected. When they require security services, the choice between a ‘standard’ and ‘premium’ SOC frames the decision as one of optionality rather than security spend. Paying more now to preserve the ability to adapt later down the line. A simple illustration is incident response. An on-call retainer with defined response times can look more expensive than ad hoc support. Until an incident occurs and procurement becomes the bottleneck. In those moments, flexibility is often far more valuable than marginal savings achieved earlier.
Removing Friction from Capital Events
For CFOs, especially those operating in the alternative investment space, the focus is on structuring capital events. As opposed to managing day-to-day operational costs. One of the most painful points in that process is due diligence. The careful exchange between acquirer and target that aims to provide enough information for each to price risk, without giving the entire game away.
CISOs can materially influence how smooth or painful that process becomes. The most effective support often comes from understanding upfront what the diligence process will look like and preparing accordingly.
For example, they might develop executive-level ‘Security at ACME’ overviews to sit alongside more detailed trust centre or technical reports. Being available to diligence teams for interviews, and for example clearly articulating which services are outsourced to an MSSP, and why, builds credibility between those executive teams.
Decision-makers often don’t look at penetration test reports at a deal level. They are assessing whether the organisation understands its own control environment. A well-prepared CISO who can clearly explain why certain controls exist acts as a trust amplifier during transactions.
It is often the difference between a diligence process that closes cleanly and one that drifts. Two organisations can have similar maturity. Yet the one that can respond within a day with clear, consistent evidence reduces follow-up questions, avoids uncertainty premiums in pricing discussions and prevents security from becoming a late-stage negotiation point.
Avoiding Shocks and Smoothing Operating Costs
For any individual who has worked with a finance partner to define a departmental budget will know that predictability often takes precedence over absolute cost. Contract value can be secondary to payment terms, renewal timing or the ability to forecast spend with confidence.
CISOs can align with this by looking to reduce unplanned operating expenditure. In addition to understanding the cost structure of their controls by communicating with the technical pre-sales engineer, procurement and account teams.
A good example is cyber insurance. While often purchased directly by finance teams, many policies are relatively off-the-shelf and provide access to services the security team already operates or has under contract. Other policies include notable exclusions for the events most likely to occur. Such as a ransomware incident without business interruption cover. In many cases, these gaps can be addressed in-policy with a flat fee or a more predictable cost model.
The value here extends beyond risk transfer and into more predictable costs: replacing reactive spend with planned expenditure.
Aligning Cyber Conversations to Board Priorities
Across all of the above examples, the common thread is that the board is rarely asking security to prove its value in isolation, and is surprisingly comfortable with uncertainty. But they are asking whether the cyber papers support better decisions, fewer constraints and more predictable outcomes for the business as a whole.
CISOs who frame their priorities in those terms will find their conversations move away from justifying individual controls and towards understanding how security choices shape the organisation’s ability to respond to change. In that context, cyber becomes part of how the business navigates uncertainty, rather than a specialist function defending its budget. Speaking the board’s language, ultimately, is less about converting cyber risk into pounds and pence. It is more about understanding which levers matter at that level and showing how security choices influence them.
Dr. George Papamargaritis & Dr. Konstantia Barmpatsalou
Published
26 February 2026
Estimated Read time
4Mins
Obrela’s Dr. George Papamargaritis (EVP MSS) and Dr. Konstantia Barmpatsalou, (Blue Team Support Manager) on why embracing a risk-led cybersecurity model will leave financial organisations better positioned not just to meet regulatory requirements but to strengthen resilience, protect customers and uphold the trust that is so essential to the future of financial systems
SHARE THIS STORY
Cybersecurity in the financial sector was once viewed as a compliance-driven discipline. But as attackers have increasingly targeted institutions with sophisticated, persistent and often internally driven campaigns, it has become a strategic priority.
According to the Digital Universe Report H1 2025, financial services were the second most targeted industry globally, accounting for 19% of all observed cyberattacks. This reflects both the sector’s value to adversaries and the complexity of the digital ecosystems it now operates within.
Regulatory frameworks such as the FCA and PRA’s operational resilience rules, the EU’s Digital Operational Resilience Act (DORA) and NIS2 have strengthened baseline protections. However, the report’s findings demonstrate that regulation alone cannot deliver true cyber resilience. Institutions must adopt a strategic, risk-led approach that looks beyond compliance to understand real threats, behaviours and operational dependencies.
Tailored, Internal and Stealthier Threats
One of the most striking insights from the report is how targeted financial sector attacks have become. Industry-specific security risks now represent 32% of all incidents in the sector. This is an indication that adversaries are designing attacks using detailed knowledge of financial operations, from trading workflows to payment systems.
Internal activity is also a major concern. Suspicious internal activity accounts for 26% of detections across financial services, reflecting the frequency of compromised accounts, misused privileges and lateral movement. For a sector historically focused on defending the perimeter, this shift highlights the need for deeper visibility into user behaviour and identity-driven risks.
The wider threat landscape reveals adversaries are moving away from overt, signature-based attacks. In H1 2025, brute force activity made up 27% of global alerts, while vulnerability scanning accounted for 22% and known malicious indicators for 20%. Notably, direct malware payloads dropped to 0% of trending alerts, replaced by fileless techniques and living-off-the-land methods that bypass traditional defences.
For financial institutions, this is a challenge. Many compliance requirements still centre on endpoint protection, patching and malware controls. These will of course, remain important, but they cannot address threats that are increasingly behavioural, stealth-driven and identity-focused.
Operational Complexity
The financial sector’s cyber risk is intensified by its expanding operational footprint. Cloud adoption, open banking, digital identity models and extensive third-party ecosystems have all created new points of exposure. Financial services operate within a global digital infrastructure that is both vast and increasingly interconnected. This level of complexity cannot be effectively protected through compliance checklists alone.
Regulators are recognising these realities. DORA’s emphasis on ICT third-party risk, operational resilience testing and continuous oversight reflects the need for more proactive, intelligence-driven approaches. But DORA still only sets a minimum standard. True resilience requires institutions to move beyond regulatory expectations and embed cybersecurity into broader business strategy.
Strategic, Risk-Led Cybersecurity
A risk-led approach begins with understanding the threats that pose the greatest risk to operations and customers. Financial institutions remain priority targets for groups such as FIN7, TA505, Cobalt Group and various state-backed actors. Their tactics, such as credential harvesting, remote access tools, web-injection frameworks and lateral movement, are specifically designed to exploit the digital fabric of financial services.
This evolving threat profile puts identity and behaviour at the heart of cyber defence. With credential-driven and internal threats so prevalent, institutions must prioritise behavioural analytics, continuous authentication and zero-trust models that verify users and devices contextually rather than relying on static controls.
Strategic cyber resilience also needs to have continuous assurance. Traditional audits, annual testing and scheduled penetration exercises cannot keep pace with rapidly evolving threats. Leading institutions are shifting toward continuous control monitoring, automated attack simulation and persistent adversarial testing. These practices align with the Bank of England’s CBEST framework and demonstrate a sector-wide move toward ongoing, intelligence-led assurance.
Crucially, cyber risk must be treated as an operational issue, not just a technical one. Embedding cybersecurity into enterprise risk management, financial planning, product development and board oversight is essential. This integrated approach also mirrors the direction of FCA and PRA regulation, which increasingly emphasises governance, accountability, and resilience across the entire organisation.
Beyond Compliance
Financial services underpin national economies and public confidence. As digital ecosystems grow and adversaries become more sophisticated, the sector faces a dual challenge: meeting rising regulatory expectations while defending against complex, targeted attacks. It is clear that cybersecurity must evolve from compliance-driven activity to a strategic capability built on intelligence, continuous assurance and behavioural insight.
Institutions that embrace this risk-led model will be better positioned not just to meet regulatory requirements but to strengthen resilience, protect customers and uphold the trust that is so essential to the future of financial systems.
Children’s Mental Health Week 2026 spotlights the theme ‘This is My Place’. Tech charity founder James Tweed is calling on…
SHARE THIS STORY
Children’s Mental Health Week 2026 spotlights the theme ‘This is My Place’. Tech charity founder James Tweed is calling on the UK’s IT departments to donate surplus laptops and devices to help some of the country’s most overlooked vulnerable children.
Rebooted
Tweed founded Rebooted to support the children of prisoners and provides laptops so they can learn at home.
“Having a parent in prison can be traumatic and often leads to a child struggling at school,” says Tweed. “If that child then falls behind digitally or is excluded from education, their long-term prospects narrow dramatically. It’s a vicious circle and we need to break it early.
“For many of these children, school is already unstable. If they also lack access to reliable technology at home, they’re starting from behind. In 2026, digital access isn’t a luxury, it’s foundational.”
A Practical Solution
With businesses refreshing hardware on regular cycles, Tweed believes IT leaders are sitting on a practical solution.
“Across the UK, thousands of perfectly usable laptops are sitting in storage cupboards or heading for recycling. Those devices could transform a child’s ability to learn, revise and stay connected to school.”
Crucially for IT heads, data security is central to the model. All donated devices are securely wiped and processed by Rebooted’s technology partner, GeTech, using certified data erasure procedures.
“Security is non-negotiable,” assures Tweed. “Every device is professionally wiped to recognised standards before it’s redeployed. IT teams can donate with complete confidence.”
Children’s Mental Health Week
Children’s Mental Health Week, launched in 2015, focuses this year on belonging and ensuring young people feel they have a place in their communities. Tweed argues that digital access plays a direct role in that sense of inclusion.
“We talk a lot about wellbeing and belonging,” he says. “But if a child can’t access homework platforms, revision tools or basic digital resources, they quickly feel excluded. Technology can either widen the gap — or help close it.”
Rebooted is now urging CIOs, IT directors and managed service providers to review surplus stock and consider structured donation programmes as part of their ESG and sustainability strategies.
“This is practical, measurable impact,” Tweed adds. “Instead of gathering dust, those devices can help ensure a vulnerable child can genuinely say, ‘This is my place.’”
IT leaders interested in donating surplus equipment can find more information at:rebooted.me
JP Cavanna, Director of Cybersecurity at Six Degrees, on balancing the risks and benefits of AI in cyber defence strategies
SHARE THIS STORY
Undeniably, AI is here to stay. Having become part of day-to-day life, it’s hard to remember what life was like without it. But when it comes to cybersecurity, is it causing more harm than good?
Recent research outlines that 73% of organisations have already integrated AI into their security posture. The technology is clearly becoming a cornerstone of modern cybersecurity. Organisations are turning to AI not just as a tool, but as a partner in security operations, leveraging its capabilities to identify malicious activity faster, guide investigations, and automate repetitive tasks.
For it to be truly effective, though, AI must be paired with human expertise – but this is where organisations are starting to become complacent. Given the growing sophistication of cyber-attacks, and even AI-powered attacks, many are removing the human element while expecting AI tools to do all the work for them, leaving them even more vulnerable to threats. This overreliance risks creating blind spots, where critical thinking, contextual understanding, and instinct are overlooked. Without the balance of human judgement, AI can amplify mistakes at scale, turning efficiency into exposure.
The Cybersecurity Paradox
This situation puts many organisations in a potentially difficult position. On the one hand, AI can significantly improve the efficiency of security operations. In the typical SOC, for example, AI technologies can process alerts in around 10-15 minutes. This represents a significant improvement over human analysts, who can easily require twice as long for the same task.
Aside from the obvious efficiency gains, applying AI to these repetitive, time-pressured processes can also significantly reduce the scope for human error. And in turn, take considerable pressure off security analysts. Going some way to battling alert fatigue, an increasingly well-documented and persistent problem. In these circumstances, valuable human experience and specialist expertise can instead be more effectively applied to complex investigations, strategic decision-making, and other higher-value priorities.
On the flipside, however, AI remains prone to generating inaccurate or misleading insights, and users may not realise they are applying the wrong information to potentially serious security issues. Similarly, habitual blind trust in AI outputs can easily erode performance levels and even introduce new vulnerabilities. There is also scope for sensitive data to enter public environments, with the potential to cause compliance issues. This kind of information can also reappear in future versions of the AI model in question, therefore resulting in further data exposure risks.
Parallels with IoT Adoption
The situation mirrors that seen in the early days of IoT adoption, where the rush to innovate would often override security considerations. In this current context, therefore, human oversight and vigilance are extremely important. Clear governance frameworks, defined accountability, and continuous monitoring must underpin any AI deployment. Therefore ensuring that innovation does not outpace risk management or compromise long-term resilience.
A Growing Arms Race
If that wasn’t challenging enough, threat actors are also in on the AI boom in what has already been described as an ‘arms race’. In practical terms, AI tools are already widely used to create more convincing phishing attacks free from some of the more obvious traditional tell-tale signs of criminal intent, such as imperfect grammar or a suspicious tone.
Deepfake technology has also raised the stakes. We’ve all seen how convincing AI-generated video has already become. This is now finding its way into real-world examples, with one fake video reportedly causing a CFO to authorise a large financial transfer as a result.
At the same time, technology infrastructure is constantly under attack by AI-powered tools. They can be used to analyse defensive systems and identify weaknesses faster than humans. The net result of these developments is that defenders constantly play catch-up, as they can only respond to new attack vectors once discovered. The underlying takeaway is that at present, AI cannot be trusted to operate autonomously. Instead, human intuition, scepticism and contextual understanding remain essential to spotting emerging tactics.
As attackers refine their methods at machine speed, organisations need to resist the temptation to match automation with automation alone. They must double down on strategic thinking and continuous skills development.
Balancing Benefits and Risk
So, where does this leave security leaders who are looking to balance the benefits and risks? Firstly, and to underline a fundamental point, while AI offers scale and speed, it cannot replace critical human oversight. Organisations should view AI as an enhancer, not a replacer. Success lies in promoting partnership, not substitution.
Strong governance is vital. This should start with clear AI usage policies that define what can and cannot be shared with AI tools, while proper data classification and access control ensure that sensitive information is protected. In addition, regular validation of AI outputs can help to prevent inaccurate or misleading results from being unnecessarily acted upon.
Then there are the perennial challenges associated with employee awareness training, which is vital for avoiding complacency and understanding the limitations of generative AI tools. Cyber leaders should also monitor how AI is being used inside and outside the corporate environment, as staff often experiment with tools on personal devices.
Get this all right, and security teams can put themselves in a very strong position to embrace AI, safe in the knowledge that they have the guardrails and processes in place to balance innovation and efficiency with effective human-led oversight. Ultimately, success will depend not on how much AI is deployed, but on how intelligently it is governed and refined alongside the people responsible for securing an organisation.
Dan Nichols, Chief Technology Officer at virtualDCS, on why cloud resilience in the financial services sector hinges on shared accountability and an assume-breach philosophy
SHARE THIS STORY
A powerful catalyst for transformation, the cloud is reshaping how organisations compete in the financial services sector. Beyond significant cost savings and flexibility, leaders are eager to unlock the potential of AI-driven insights, intelligent automation, and real-time business modelling. And, in a space governed so strictly by data sovereignty and privacy policies, the cloud’s ability to localise, encrypt, and control data has made it a key enabler of compliance and customer confidence.
But as threats become more frequent and sophisticated – with attackers now targeting shared platforms and partner supply chains – organisations can no longer rely on their own defences alone. For true digital resilience, shared accountability, collective readiness, and clear governance across every cloud touchpoint are equally non-negotiable.
All Eyes on the Money
The industry sits at a valuable intersection of data, technology, and finance. A combination that makes it uniquely attractive to attackers. It holds some of the world’s most sensitive data, directly underpins the flow of global capital, and operates through deeply complex and interconnected systems. With every integration increasing the risk of exposure. Ultimately, the attack motivation is as simple and relentless as it is in most sectors: monetary gain. Cybercriminals target institutions precisely because of the value at stake and the speed at which disruption translates to loss.
How the Threat Landscape is Evolving
Ransomware groups may see insurers and payment providers as high-yield targets. They understand even seconds of downtime can induce multi-million pound losses. Under pressure to protect customer trust and avoid regulatory penalties, some firms may choose to pay in order to restore their service quickly. This dangerous perception only encourages repeat targeting and paves the way for damage to spread even further. Yet it remains a common response tactic among many.
At the same time, the rise of supply chain and third-party attacks has made it possible for criminals to bypass even the most well-defended cloud environments. By exploiting shared platforms, managed service providers, and cloud-hosted applications, perpetrators can move laterally across multiple organisations at once, amplifying both the reach and impact of their attacks. In other words, infiltrating one vendor’s weakness can cripple an entire network in one carefully coordinated strike. And, since some firms may overlook the cloud’s shared responsibility model – presuming end-to-end security sits solely with their cloud provider – multiple blind spots can inevitably emerge, creating easy openings to exploit.
In an environment where boundaries blur and dependencies multiply, traditional perimeter-based defences are no longer enough. Hybrid and multi-cloud infrastructures demand continuous visibility, faster detection, and coordinated response across every partner and provider. The goal is not simply to prevent breaches, but to withstand and recover from them collectively. It’s about recognising that in today’s ecosystem, no financial institution is secure in isolation.
Inside the Ransomware Economy
Evolving beyond the scattergun attacks of the past, ransomware now operates as a professionalised, profit-driven ecosystem, where malicious actors collaborate, trade intelligence, and lease attack tools much like legitimate software vendors. The rise of ransomware-as-a-service (RaaS) has even lowered the barrier to entry, giving less skilled affiliates access to ready-made payloads and automated encryption kits in exchange for a percentage of the ransom.
What makes it especially destructive is the precision and psychology behind the attacks. Rather than randomly striking, attackers conduct weeks of reconnaissance – learning behaviours, studying employee hierarchies, and identifying systems most critical to operations. They often infiltrate through phishing emails or compromised credentials, quietly moving laterally through the network to gain elevated access. Once embedded, they disable defences, exfiltrate sensitive data, and target backup repositories before finally encrypting production systems.
At that point, the goal shifts from technical control to financial coercion. Victims are locked out of their systems and presented with a ransom note demanding payment, sometimes in cryptocurrency, in exchange for a decryption key. Increasingly, the threat includes public exposure of stolen data – a tactic designed to pressure leadership into paying to protect their reputation and customer trust. Even when ransoms are paid, recovery is rarely clean: data may be incomplete, corrupted, or resold on the dark web, and repeat targeting is common once an organisation is identified as a payer.
It’s this blend of stealth, strategy, and human manipulation that makes ransomware so difficult to defend against. By the time the encryption begins, attackers have already spent weeks ensuring recovery options are limited. This background isn’t designed to scaremonger, but to highlight why resilience must start long before an attack ever reaches the endpoint.
The Foundations of Ransomware Resilience
Ransomware resilience isn’t achieved through a single product or policy – it’s the outcome of strategic, technical, and cultural alignment. Financial institutions, in particular, must approach it as a continuous process of readiness: Anticipating compromise, containing impact, and restoring normality quickly and transparently:
Assume-Breach Philosophy
The first step is shifting from a defensive mindset to an assume-breach philosophy. In practice, this means recognising that even the most sophisticated systems can and will be breached – and building architectures and response strategies designed to limit damage when this happens. It’s a pragmatic approach, grounded in the reality that attackers are increasingly sector agnostic. No organisation is too small or too secure to be targeted, but the financial sector remains a favourite because it offers both high disruption value and potentially significant monetary reward.
Building meaningful resilience, therefore, demands layered defence and disciplined execution. The goal is to slow attackers down at every stage – detecting them early, limiting lateral movement, and ensuring business continuity when systems are disrupted. Behavioural analytics and continuous monitoring can surface and neutralise subtle anomalies that would otherwise go unnoticed – such as phishing, spear phishing, and malware, with email still the number one entry point for ransomware.
Zero Trust & MFA
Meanwhile, zero trust policies and multi-factor authentication methods add a second layer of protection, blocking unauthorised access even if credentials are compromised.
When incidents do occur, a well-practised response framework ensures action is fast and coordinated, minimising disruption across critical systems, with the ability to switch to secure replica environments to keep operations running while remediation takes place. Secure, immutable, air-gapped backups underpin it all, providing a safety net that guarantees recovery can begin from a clean and uncompromised state.
Human readiness is equally critical. Technology can contain an attack, but only people can recover from one effectively. Regular simulation exercises, incident rehearsals, and cybersecurity awareness training help teams respond calmly and cohesively, transforming response from reactive to instinctive. This operational maturity is reinforced by strong governance. Frameworks such as DORA, NIST, and ISO 27001 provide the structure to align technical teams, compliance leads, and executive decision-makers around shared resilience goals. When combined with skilled practitioners and clear accountability, they embed security into ‘business as usual’ – moving resilience from a strategy to a sustained organisational capability.
Why Multi-Layered Backup is Critical
When ransomware strikes, the speed and integrity of data recovery determine whether disruption lasts minutes or days – and whether the impact cascades through wider global markets. As the last and most decisive line of defence when every other control fails, it’s also fundamental to customer trust and compliance. Yet too often, backup is treated as a static safeguard rather than a dynamic resilience layer.
Since modern ransomware often seeks out and encrypts traditional backups first, a single backup copy or centralised repository is no longer sufficient. True resilience today depends on a multi-layered approach – combining offsite or cloud-diverse storage, immutable data copies that cannot be altered or deleted, and isolated environments to protect against lateral movement.
How frequently these backups are tested is equally important. Too often, financial institutions only discover weaknesses when recovery is already underway, at which point strategies can’t be magically strengthened, and it becomes a race against the clock to minimise downtime and reputational fallout. Regular, automated recovery testing changes that dynamic. It not only confirms that files can be restored, but provides verifiable assurance that systems come back online in the correct order, data dependencies remain intact, and teams have the muscle memory to act quickly and confidently when the worst happens.
The Power of Shared Accountability
In a digital economy so deeply interconnected, no organisation operates in isolation. This is especially true in financial services, where supply chains and service providers form the backbone of day-to-day operations. While this interdependence is a strength in many ways, it also means resilience is no longer defined by how well a single institution can defend itself, but by how effectively every partner in its ecosystem upholds their part of the security chain.
This is where shared accountability becomes critical. It recognises that cloud providers, managed service partners, and financial institutions each have distinct but complementary roles to play in securing data, systems, and infrastructure. When accountability is clearly defined – and when partners collaborate rather than operate in silos – visibility improves, incident response accelerates, and the risk of systemic failure decreases.
Shared accountability also extends beyond contractual obligation. It’s about building a culture of collective readiness: sharing intelligence, rehearsing joint incident scenarios, and supporting smaller or less-resourced partners to raise their security baseline. The result is a unified entity capable of anticipating, absorbing, and recovering from disruption together.
Looking Ahead
To view cyberattacks as inevitable might seem pessimistic to some, but it’s an unfortunate truth that no amount of investment can eliminate risk entirely. In an era where threats are growing in both scale and sophistication, readiness becomes the true differentiator – particularly in such a high-stakes sector. For financial institutions, that means embedding security into culture, strengthening connections across supply chains, and continually testing their ability to withstand and recover as a united ecosystem. Only then can resilience become a strategic advantage rather than a defensive necessity, and unlock the cloud’s transformative potential with absolute confidence.
Katja Hakoneva, Product Manager at Tuxera, on delivering tomorrow’s data storage security today
SHARE THIS STORY
Smart meters are no longer just data endpoints. They’re intelligent, connected nodes embedded into the national infrastructure. As energy networks undergo rapid digital transformation, the focus has largely been on secure communications and real-time data transmission. But beneath the surface lies the local data storage, which often becomes a critical blind spot.
Smart meters store large volumes of sensitive data from energy usage profiles to firmware logs and grid event histories on embedded memory. If this information is accessed, altered, or deleted, it can trigger billing inaccuracies, regulatory breaches, and customer mistrust. With meters expected to operate in the field for up to 20 years, data-at-rest security is a critical requirement.
Storage Vulnerabilities: The Silent Cyber Threat
These embedded systems face multifaceted risks. Attackers may gain access to stored data by physically tampering with a meter or exploiting software vulnerabilities that bypass weak authentication. Malicious actors could manipulate logs to alter billing records, mislead consumption analytics, or mask larger cyberattacks on grid infrastructure.
In many cases, such intrusions go undetected until tangible damage, such as lost revenue or reputational fallout. With increasing dependence on smart infrastructure, utilities can no longer afford to treat embedded storage as a passive component.
Counting the Real Costs of Cybersecurity
Securing smart meters comes with technical requirements, as well as, operational and resourcing demands. For many UK manufacturers and utilities, managing cybersecurity internally means building and retaining specialist teams, often requiring three to five full-time professionals to handle vulnerability monitoring, patch management, and threat response throughout the year.
Aligning with regulatory frameworks frequently demands hardware upgrades to handle stronger encryption and secure configurations, impacting Bill of Materials (BOM) costs and development timelines. Many existing software stacks require optimisation to support modern security protocols within resource-constrained devices. These efforts are necessary, with a single undetected cyberattack costing companies an average of $8,851 (≈£6,900) per minute, and the consequences extending beyond financial loss to potential regulatory fines and service disruptions.
The CRA and the new Era of Cyber Regulation
The Cyber Resilience Act (CRA), set to come into force across the EU by 2027, will reshape how connected devices are designed, developed, and supported. For UK-based vendors serving the European market, or collaborating with EU counterparts, compliance with CRA is becoming a strategic imperative.
Key CRA requirements include:
Security by design: Devices must be secure from the outset, not retrofitted post-deployment.
No known vulnerabilities at market launch: Products must undergo security validation prior to release.
Default secure configurations: Devices should avoid insecure settings out of the box.
Lifecycle management: Vendors must support patching and vulnerability resolution throughout the device’s operational lifespan.
For smart meters, which often run in the field for two decades or more, the CRA introduces accountability that extends well beyond product launch. Compliance with the CRA will become part of the CE marking process, meaning global manufacturers must align if they wish to sell into the EU energy market.
Engineering Security: Confidentiality, Integrity, and Authenticity
Designing resilient smart meters starts with three pillars:
Confidentiality protects sensitive user data from unauthorised access. This includes encrypting both data and encryption keys, restricting user access levels, and securing communication channels.
Integrity ensures stored data remains unaltered and trustworthy. Power failures, for instance, can corrupt memory. Using flash-optimised file systems and secure boot processes can prevent such vulnerabilities.
Authenticity confirms that firmware and data updates come from trusted sources. Techniques like digital signatures and update validation prevent attackers from injecting malicious code into meters.
Together, these pillars enable smart meters to meet regulatory expectations while protecting both users and grid operations.
Future-proofing Data Storage
Cybersecurity for smart meters is not just a feature; it requires organisational readiness. Frameworks like the CRA, NIST, and IEC 62443 emphasise secure processes, documentation, and people alongside secure products.
For companies looking to prepare, it is smart to start with common pillars such as maintaining up-to-date Software Bills of Materials (SBOMs), conducting regular supply chain and risk assessments, keeping detailed test reports, and establishing clear incident response plans. Internally, training staff on cybersecurity best practices, setting clear data retention policies, and defining access controls and responsibilities are critical steps to ensure cybersecurity is embedded within the culture of the organisation. This approach ensures security is not a one-off compliance task but a sustainable practice that protects smart infrastructure long-term.
Smart meters deployed today could still be operating in the 2040s. This timeline intersects with the anticipated emergence of quantum computing, which may break today’s encryption standards. Though post-quantum cryptography is still evolving, vendors must prepare now to ensure systems remain secure in a post-quantum world. Smart meter software should be designed with cryptographic agility to allow it to adapt and upgrade algorithms as threats evolve.
Lessons from Long-Term Deployment
Smart meters are designed for longevity, but memory wear remains a primary failure point. Meters that lack flash-aware storage systems face early data loss, increasing the cost of maintenance, replacements, and warranty claims.
Utilities and OEMs that embed file systems capable of wear levelling, garbage collection, and secure boot processes have extended meter lifespans by more than 50%, even in challenging conditions. One example showed meters surviving over 15,000 power interruptions without any data loss.
Integrating secure storage delivers operational and commercial benefits. It ensures compliance with CRA and other evolving global frameworks, reduces maintenance and warranty costs, minimises carbon impact through fewer replacements, enhances brand credibility and trust with procurement teams, strengthens the business case for longer-term contracts and partnerships. As the smart energy market matures, these benefits are becoming differentiators, especially as digital infrastructure grows in complexity.
Delivering Tomorrow’s Data Storage Security Today
The next generation of smart infrastructure will be fast and connected, as well as, secure, resilient, and regulation-ready. For vendors and utilities alike, embedding data protection deep into the meter architecture is a business-critical move.
By preparing for the CRA today, smart meter manufacturers will position themselves as forward-thinking, trustworthy partners in tomorrow’s energy ecosystem, delivering technology that’s not only built to last but built to protect today and tomorrow.
Robert Cottrill, Technology Director at digital transformation company ANS, explores how businesses can harness the potential of AI while mitigating the growing risks to cybersecurity and privacy
SHARE THIS STORY
AI can transform businesses, but is it also opening the door to cyber risks? Fuelled by competitive pressure and rising government support through the UK’s Industrial Strategy, it’s no surprise that more and more businesses are racing to adopt AI.
But there’s a catch. The more businesses scale their AI adoption, the bigger their attack surface becomes. Without a proactive and structured approach to securing AI systems, organisations risk trading short-term efficiencies for long-term vulnerabilities.
The AI Boom
AI investment is skyrocketing. Businesses are deploying generative AI tools, machine learning models, and intelligent automation across nearly every function, from customer service and fraud detection to supply chain optimisation. Platforms like DeepSeek and open-source AI models are now part of the mainstream tech stack.
Initiatives like the UK’s AI Opportunities Action Plan are fuelling experimentation and adoption. AI is now seen not just as a productivity tool, but as a critical lever for digital transformation.
However, the rapid pace of AI deployment is outpacing the development of the security frameworks required to protect it. When integrated with sensitive data or critical infrastructure, AI systems can introduce serious risks if not properly secured. These risks include data leakage through AI prompts or model training, as well as AI-generated phishing and social engineering attacks
While technical threats often take centre stage, businesses also can’t forget the increasing regulatory requirements surrounding AI. As AI systems become more powerful, enabling businesses to extract valuable insights from vast datasets, they also raise serious ethical and legal challenges.
Regulatory frameworks like the EU AI Act and GDPR aim to provide guardrails for responsible AI use. But these regulations often struggle to keep up with the rapid advancements in AI technology, leaving businesses exposed to potential breaches and misuse of personal data.
The Need for Responsible AI Adoption
To build resilience while embracing AI, businesses need a dual approach:
1. Prioritise AI-specific training across the workforce
Cybersecurity teams are already stretched. Introducing AI into the mix raises the stakes. Organisations must prioritise upskilling their cybersecurity professionals to understand how AI can both protect and threaten systems.
But this isn’t just a job for the security team. As AI tools become embedded in daily workflows, employees across functions must also be trained to spot risks. Whether it’s uploading sensitive data into a chatbot or blindly trusting algorithms, human error remains a major weak point.
A well-trained workforce is the first and most crucial line of defence.
2. Adopt open-source AI responsibly
Another key strategy for reducing AI-related risks is the responsible adoption of open-source AI platforms. Open-source AI enhances transparency by making AI algorithms and tools available for broader scrutiny. This openness fosters collaboration and collective innovation, allowing developers and security experts worldwide to identify and address potential vulnerabilities more efficiently.
The transparency of open-source AI demystifies AI technologies for businesses, giving them the confidence to adopt AI solutions while ensuring they stay alert about potential security flaws. When AI systems are subject to global review, organisations can tap into the expertise of a diverse and engaged tech community to build more secure, reliable AI applications.
To adopt responsibly, businesses need to ensure that the AI they are using aligns with security best practices, complies with regulations, and is ethically sound. By using open-source AI responsibly, organisations can create more secure digital environments and strengthen trust with stakeholders.
Securing the Future of AI
AI is a transformative force that will redefine cybersecurity. We’re already seeing AI being used to automate threat detection and response. But it’s also powering more advanced attacks, from deepfake impersonation to large-scale automated exploits.
Organisations that succeed will be those that embed cybersecurity into every stage of their AI journey, from innovation to implementation. That means making risk management part of the innovation conversation, not a downstream fix.
By taking a responsible approach, investing in training, leveraging open-source AI wisely, and embedding cybersecurity into every layer of the business, organisations can unlock AI’s potential while defending against its risks.
AI is a double-edged sword, but with thoughtful adoption, businesses can confidently navigate the complex landscape of AI and cybersecurity.
Joe Logan, CIO at iManage, on the need to avoid the hype, manage cybersecurity, focus on ROI and balance change management to get the best results with AI
SHARE THIS STORY
Across the enterprise, AI promises transformational power – however, it’s not as simple as just plugging it into the organisation and instantly reaping the benefits. What are some of the top things CIOs need to focus on to avoid any pitfalls, unlock its value, and best position themselves for success with AI?
1) Separate the Hype from Reality
Here’s what hype looks like: using AI to “radically transform the way you do business” or to “accelerate comprehensive digital transformation” or – heaven forbid – to “completely change our industry.” These are big statements – and absolutely dripping with hype.
Getting real with AI requires identifying specific use cases within the organisation where a particular type of AI can be deployed to achieve a specific goal. For example, maybe you want to reduce customer churn by 20% and have identified an opportunity to use chatbots powered by large language models to provide more effective customer service. That’s what reality looks like.
In separating the hype from reality, organisations gain the added benefit of clearing up any misconceptions – at any level of the organisation – about what AI can and can’t do, thus performing an important “level set” around expectations.
2) Understand the Implications for Cybersecurity
On one side, any AI tool you’re using has access to data, and that means that access needs to be controlled like any other system within your tech stack. The data needs to be secured and governed, and issues around privacy, sovereignty, and any other regulatory requirements need to be thoroughly addressed.
As part of this effort, organisations also need to be aware of the security measures required to protect the AI model itself from bad actors trying to manipulate that model. For example: prompt injection – inputs that prompt the model to perform unintended actions – can affect the model and its responses if not carefully guarded against.
Securing your AI system is one side of the coin; the other side is understanding how to apply AI to cybersecurity. There are a growing number of use cases here where AI can help identify risks or vulnerabilities by analysing large amounts of data, helping organisations to prioritise the areas they need to focus on for risk mitigation.
In summary? While any usage of AI will require you to “play defence” on the security front, it will also enable you to “play offence” more effectively. In that sense, AI has multiple implications for cybersecurity.
3) Focus on the Right Kind of ROI
When it comes to ROI for any AI investments, don’t narrowly focus on absolute numbers when it comes to metrics like time savings or cost savings. While well-suited to industrial workplaces that are churning out widgets every day, absolute numbers can be an awkward fit when applied to a knowledge work setting.
The advice here for any knowledge-centric enterprise is: Don’t get hung up on the idea of actual dollars and cents or a specific number – instead, look for a relative improvement from a baseline. So, rather than saying “We’re going to reduce our customer acquisition costs by $100,000 this year”, it’d be more appropriate to focus on reducing existing customer acquisition costs by 10%. Likewise, don’t focus on each junior associate in the organisation completing five more due diligence projects per calendar year; look to complete due diligence projects in 30% less time.
4) Give Change Management its due
Change management has always mattered when it comes to introducing new technology into the enterprise. AI is no different: Successful adoption requires a focus on people, process, and technology – with a particular emphasis on those first two items.
A major challenge is educating the workforce with an eye towards improving their AI literacy – essentially, enabling them to understand what’s possible and how they can apply AI to their daily workflows.
Know that a centralised model of control that dictates “this is how you can experiment with AI” is probably going to be ineffective. It will be too stifling for innovative individuals in the organisation. Far better to provide centres of excellence or educational resources to those people who are most inclined to take the initiative and move forward with AI experiments in their team or department.
One caveat here: It’s essential to have guardrails in place as teams and individuals experiment with AI, to prevent misuse of the technology. That’s the tightrope that CIOs need to walk when introducing AI into the organisation. Striking the right balance between “total control” and “freedom to explore, but with appropriate oversight and guardrails”.
The Future of AI Depends on what CIOs do next
The promise of AI is massive, but only if CIOs adopting the technology focus on the right areas. And that means filtering out the hype, keeping security implications top of mind, redefining ROI, and guiding change with a steady hand. By paying attention to these areas, CIOs can safely navigate a path forward with AI. And ensure that it isn’t just a technology with promise and potential, but one that delivers actual enterprise-wide impact.
Ben Francis, Insurance Lead at Risk Ledger, on navigating cyber threats by reinforcing security from the inside out
SHARE THIS STORY
Cyber insurance has evolved from a straightforward risk transfer mechanism into an integral component of enterprise risk strategy. As a result, the conversation has shifted beyond simply securing coverage to embracing three foundational elements: transparency in risk exposure, accountability for security measures, and active collaboration throughout the digital ecosystem.
Rather than asking ‘are you covered?’, the more pertinent question has become ‘can you demonstrate measurable risk reduction?’. Insurers and insureds alike are recognising that what matters now is how well an organisation understands and manages its digital exposure, especially across its extended supply chain. Recent data reveals that 46% of organisations experienced at least two separate supply chain-related cyber incidents in the past year, a clear sign that exposure often lies beyond direct control.
From Risk Transfer to Risk Visibility
In recent years, the cyber insurance market has matured significantly. Once viewed as a reactive safety net to cushion the financial impact of attacks, it is now becoming a proactive tool for managing and mitigating risk. This shift is partly driven by insurers, who increasingly expect and work with organisations to demonstrate strong security practices and a nuanced understanding of their threat landscape, including risks deep within their digital supply chains; an area where many businesses still fall short.
At the same time, the industry faces a growing challenge from systemic cyber risk within their portfolios, as many businesses rely on the same cloud providers, payment systems and digital platforms, increasing the chance of a single point of failure. Insurers must gain visibility into how policyholders are connected, not only to suppliers but to each other. Tools and frameworks that map and monitor these interconnections will be essential to avoid underestimating the wider impact of seemingly isolated cyber events.
Mapping Beyond Third Parties
It is no secret that cyber attackers often target the weakest link in a supply chain. These are not always direct suppliers, but fourth, fifth or even sixth-tier vendors that have indirect but critical access to systems and data. Unfortunately, many organisations lack visibility beyond their first tier, creating blind spots that attackers can easily exploit. From an insurance perspective, this presents a clear challenge. If an organisation cannot account for who it is connected to, it cannot adequately quantify its risk and neither can its insurer. Mapping these extended connections is more than just a technical exercise; it means actively practiced risk governance and responsibility. Insurers increasingly want to know how their policyholders are identifying and managing indirect dependencies, particularly in sectors like financial services and retail where disruption can ripple across entire markets.
Collaboration as a Risk Strategy
One of the more underappreciated aspects of cyber resilience is the role of peer collaboration. Unlike physical incidents, cyber threats rarely exist in isolation. A single compromised vendor can impact multiple organisations simultaneously, a fact that has been highlighted by high-profile supply chain attacks such as SolarWinds and MOVEit.
As a result, businesses need to think beyond their own perimeters and adopt a more collective mindset. This includes building relationships with industry peers, sharing threat intelligence and participating in sector-wide initiatives aimed at improving visibility and preparedness.
In highly regulated sectors, such as insurance, this collaboration is increasingly being encouraged by oversight bodies. Frameworks like the Digital Operational Resilience Act (DORA) in the EU and initiatives from the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) in the UK are pushing for more transparency around third-party risk. In this context, openness is no longer optional; it will be a regulatory expectation.
For insurance providers, greater collaboration between policyholders also means better data on emerging threats and more accurate portfolio management. For businesses, it offers a chance to anticipate vulnerabilities that may not yet have hit their own networks but are affecting others in their industry.
Proactive Transparency Builds Trust
Organisations that take a proactive, transparent approach to cyber risk management are more likely to secure cover and potentially favourable terms, not just in terms of premiums, but also in access to additional services such as forensic support, incident response sources and legal counsel.
Demonstrating a mature cyber posture is not about claiming perfection. No organisation is immune to breaches. What insurers are looking for is evidence of a structured approach: the existence of incident response plans, robust governance, effective supply chain risk management, and above all, an honest view of risk.
A Shift in Mindset
Ultimately, our understanding of cyber insurance must keep evolving. It should not be treated as a simple checkbox exercise, but as a collaborative relationship between insurers and the organisations they support – one built on shared insight, clear communication, and a drive for continuous improvement.
The organisations best equipped to navigate today’s threats will be those that prioritise transparency. Not only does it lead to stronger protection, but it also builds a culture of accountability that reinforces security from the inside out.
Robert Cottrill, Technology Director at digital transformation company ANS, explores how businesses can harness the potential of AI while mitigating the growing risks to cybersecurity and privacy
SHARE THIS STORY
AI can transform businesses, but is it also opening the door to cybersecurity risks?
Fuelled by competitive pressure and rising government support through the UK’s Industrial Strategy, it’s no surprise that more and more businesses are racing to adopt AI.
But there’s a catch. The more businesses scale their AI adoption, the bigger their attack surface becomes. Without a proactive and structured approach to securing AI systems, organisations risk trading short-term efficiencies for long-term vulnerabilities.
The AI Boom
AI investment is skyrocketing. Businesses are deploying generative AI tools, machine learning models, and intelligent automation across nearly every function, from customer service and fraud detection to supply chain optimisation. Platforms like DeepSeek and open-source AI models are now part of the mainstream tech stack.
Initiatives like the UK’s AI Opportunities Action Plan are fuelling experimentation and adoption. AI is now seen not just as a productivity tool, but as a critical lever for digital transformation.
However, the rapid pace of AI deployment is outpacing the development of the security frameworks required to protect it. When integrated with sensitive data or critical infrastructure, AI systems can introduce serious risks if not properly secured. These risks include data leakage through AI prompts or model training, as well as AI-generated phishing and social engineering attacks
While technical threats often take centre stage, businesses also can’t forget the increasing regulatory requirements surrounding AI.
As AI systems become more powerful, enabling businesses to extract valuable insights from vast datasets, they also raise serious ethical and legal challenges.
Regulatory frameworks like the EU AI Act and GDPR aim to provide guardrails for responsible AI use. But these regulations often struggle to keep up with the rapid advancements in AI technology, leaving businesses exposed to potential breaches and misuse of personal data.
The Need for Responsible AI Adoption with Cybersecurity
To build resilience while embracing AI, businesses need a dual approach:
1. Prioritise AI-specific training across the workforce
Cybersecurity teams are already stretched. Introducing AI into the mix raises the stakes. Organisations must prioritise upskilling their cybersecurity professionals to understand how AI can both protect and threaten systems.
But this isn’t just a job for the security team. As AI tools become embedded in daily workflows, employees across functions must also be trained to spot risks. Whether it’s uploading sensitive data into a chatbot or blindly trusting algorithms, human error remains a major weak point.
A well-trained workforce is the first and most crucial line of defence.
2. Adopt open-source AI responsibly
Another key strategy for reducing AI-related risks is the responsible adoption of open-source AI platforms. Open-source AI enhances transparency by making AI algorithms and tools available for broader scrutiny. This openness fosters collaboration and collective innovation, allowing developers and security experts worldwide to identify and address potential vulnerabilities more efficiently.
The transparency of open-source AI demystifies AI technologies for businesses, giving them the confidence to adopt AI solutions while ensuring they stay alert about potential security flaws. When AI systems are subject to global review, organisations can tap into the expertise of a diverse and engaged tech community to build more secure, reliable AI applications.
To adopt responsibly, businesses need to ensure that the AI they are using aligns with security best practices, complies with regulations, and is ethically sound. By using open-source AI responsibly, organisations can create more secure digital environments and strengthen trust with stakeholders.
Securing the Future of AI
AI is a transformative force that will redefine cybersecurity. We’re already seeing AI being used to automate threat detection and response. But it’s also powering more advanced attacks, from deepfake impersonation to large-scale automated exploits.
Organisations that succeed will be those that embed cybersecurity into every stage of their AI journey, from innovation to implementation. That means making risk management part of the innovation conversation, not a downstream fix.
By taking a responsible approach, investing in training, leveraging open-source AI wisely, and embedding cybersecurity into every layer of the business, organisations can unlock AI’s potential while defending against its risks.
AI is a double-edged sword, but with thoughtful adoption, businesses can confidently navigate the complex landscape of AI and cybersecurity.
Anna Collard, SVP Content Strategy & Evangelist KnowBe4 – Africa, on leveraging AI-driven cybersecurity systems to fight cybercrime
SHARE THIS STORY
Artificial Intelligence is no longer just a tool. It is a game-changer in our lives, our work as well as in both cybersecurity and cybercrime. While businesses leverage AI to enhance defences, cybercriminals are weaponising AI to make these attacks more scalable and convincing.
In 2025, research shows AI agents, or autonomous AI-driven systems capable of performing complex tasks with minimal human input, are revolutionising both cyberattacks and cybersecurity defences. While AI-powered chatbots have been around for a while, AI agents go beyond simple assistants. They function as self-learning digital operatives that plan, execute, and adapt in real time. These advancements don’t just enhance cybercriminal tactics, they may fundamentally change the cybersecurity battlefield.
How Cybercriminals Are Weaponising AI: The New Threat Landscape
AI is transforming cybercrime, making attacks more scalable, efficient, and accessible. The WEF Artificial Intelligence and Cybersecurity Report (2025) highlights how AI has democratised cyber threats. Thus enabling attackers to automate social engineering, expand phishing campaigns, and develop AI-driven malware. Similarly, the Orange Cyberdefense Security Navigator 2025 warns of AI-powered cyber extortion, deepfake fraud, and adversarial AI techniques. And the 2025 State of Malware Report by Malwarebytes notes, while GenAI has enhanced cybercrime efficiency, it hasn’t yet introduced entirely new attack methods. Attackers still rely on phishing, social engineering, and cyber extortion, now amplified by AI. However, this is set to change with the rise of AI agents. Autonomous AI systems are capable of planning, acting, and executing complex tasks—posing major implications for the future of cybercrime.
Here is a list of common (ab)use cases of AI by cybercriminals:
AI-Generated Phishing & Social Engineering
Generative AI and large language models (LLMs) enable cybercriminals to craft more believable and sophisticated phishing emails in multiple languages. Without the usual red flags like poor grammar or spelling mistakes. AI-driven spear phishing now allows criminals to personalise scams at scale, automatically adjusting messages based on a target’s online activity. AI-powered Business Email Compromise (BEC) scams are increasing. Attackers use AI-generated phishing emails sent from compromised internal accounts to enhance credibility. AI also automates the creation of fake phishing websites, watering hole attacks and chatbot scams. These are sold as AI-powered ‘crimeware as a service’ offerings, further lowering the barrier to entry for cybercrime.
Deepfake-Enhanced Fraud & Impersonation
Deepfake audio and video scams are being used to impersonate business executives, co-workers or family members to manipulate victims into transferring money or revealing sensitive data. The most famous 2024 incident was UK based engineering firm Arup that lost $25 million after one of their Hong Kong based employees was tricked by deepfake executives in a video call. Attackers are also using deepfake voice technology to impersonate distressed relatives or executives, demanding urgent financial transactions.
Cognitive Attacks
Online manipulation—as defined by Susser et al. (2018)—is “at its core, hidden influence, the covert subversion of another person’s decision-making power”. AI-driven cognitive attacks are rapidly expanding the scope of online manipulation. By everaging digital platforms, state-sponsored actors increasingly use generative AI to craft hyper-realistic fake content. They are subtly shaping public perception while evading detection. These tactics are deployed to influence elections, spread disinformation and erode trust in democratic institutions. Unlike conventional cyberattacks, cognitive attacks don’t just compromise systems—they manipulate minds, subtly steering behaviours and beliefs over time without the target’s awareness. The integration of AI into disinformation campaigns dramatically increases the scale and precision of these threats, making them harder to detect and counter.
The Security Risks of LLM Adoption
Beyond misuse by threat actors, business adoption of AI-chatbots and LLMs introduces significant security risks. Especially when untested AI interfaces connect the open internet to critical backend systems or sensitive data. Poorly integrated AI systems can be exploited by adversaries. This enables new attack vectors, including prompt injection, content evasion, and denial-of-service attacks. Multimodal AI expands these risks further, allowing hidden malicious commands in images or audio to manipulate outputs.
Moreover, many modern LLMs now function as Retrieval-Augmented Generation (RAG) systems. Dynamically pulling in real-time data from external sources to enhance their responses. While this improves accuracy and relevance, it also introduces additional risks, such as data poisoning, misinformation propagation, and increased exposure to external attack surfaces. A compromised or manipulated source can directly influence AI-generated outputs. Potentially leading to incorrect, biased, or even harmful recommendations in business-critical applications.
Additionally, bias within LLMs poses another challenge. These models learn from vast datasets that may contain skewed, outdated, or harmful biases. This can lead to misleading outputs, discriminatory decision-making, or security misjudgements, potentially exacerbating vulnerabilities rather than mitigating them. As LLM adoption grows, rigorous security testing, bias auditing, and risk assessment, especially in RAG-powered models, are essential to prevent exploitation and ensure trustworthy, unbiased AI-driven decision-making.
When AI Goes Rogue: The Dangers of Autonomous Agents
With AI systems now capable of self-replication, as demonstrated in a recent study, the risk of uncontrolled AI propagation or rogue AI – AI systems that act against the interests of their creators, users, or humanity at large – is growing. Security and AI researchers have raised concerns that these rogue systems can arise either accidentally or maliciously. Particularly when autonomous AI agents are granted access to data, APIs, and external integrations. The broader an AI’s reach through integrations and automation, the greater the potential threat of it going rogue. This means robust oversight, security measures, and ethical AI governance essential in mitigating these risks.
The Future of AI Agents for Automation in Cybercrime
A more disruptive shift in cybercrime can and will come from AI Agents. These transform AI from a passive assistant into an autonomous actor capable of planning and executing complex attacks. Google, Amazon, Meta, Microsoft, and Salesforce are already developing Agentic AI for business use. However, in the hands of cybercriminals, its implications are alarming. These AI agents can be used to autonomously scan for vulnerabilities, exploit security weaknesses, and execute cyberattacks at scale. They can also allow attackers to scrape massive amounts of personal data from social media platforms. They can automatically compose and send fake executive requests to employees. And, for example, analyse divorce records across multiple countries to identify individuals for AI-driven romance scams, orchestrated by an AI agent. These AI-driven fraud tactics don’t just scale attacks, they make them more personalised and harder to detect. Unlike current GenAI threats, Agentic AI has the potential to automate entire cybercrime operations, significantly amplifying the risk.
How Defenders Can Use AI & AI Agents
Organisations cannot afford to remain passive in the face of AI-driven threats. Security professionals need to remain abreast of the latest developments. Here are some of the opportunities in using AI to defend against AI:
AI-Powered Threat Detection and Response
Security teams can deploy AI and AI-agents to monitor networks in real time, identify anomalies, and respond to threats faster than human analysts can. AI-driven security platforms can automatically correlate vast amounts of data to detect subtle attack patterns. These might otherwise go unnoticed. AI can create dynamic threat modelling, real-time network behaviour analysis, and deep anomaly detection. For example, as outlined by researchers of Orange Cyber Defense, AI-assisted threat detection is crucial as attackers increasingly use “Living off the Land” (LOL) techniques that mimic normal user behaviour. Making it harder for detection teams to separate real threats from benign activity. By analysing repetitive requests and unusual traffic patterns, AI-driven systems can quickly identify anomalies and trigger real-time alerts, allowing for faster defensive responses.
However, despite the potential of AI-agents, human analysts still remain critical. Their intuition and adaptability are essential for recognising nuanced attack patterns. They can leverage real incident and organisational insights to prioritise resources effectively.
Automated Phishing and Fraud Prevention
AI-powered email security solutions can analyse linguistic patterns, and metadata to identify AI-generated phishing attempts before they reach employees, by analysing writing patterns and behavioural anomalies. AI can also flag unusual sender behaviour and improve detection of BEC attacks. Similarly, detection algorithms can help verify the authenticity of communications and prevent impersonation scams. AI-powered biometric and audio analysis tools detect deepfake media by identifying voice and video inconsistencies. However, real-time deepfake detection remains a challenge, as technology continues to evolve.
User Education & AI-Powered Security Awareness Training
AI-powered platforms deliver personalised security awareness training. They can simulate AI-generated attacks to educate users on evolving threats, helping train employees to recognise deceptive AI-generated content. And strengthen their individual susceptibility factors and vulnerabilities.
Adversarial AI Countermeasures
Just as cybercriminals use AI to bypass security, defenders can employ adversarial AI techniques. For example, deploying deception technologies – such as AI-generated honeypots – to mislead and track attackers. As well as continuously training defensive AI models to recognise and counteract evolving attack patterns.
Using AI to Fight AI-Driven Misinformation and Scams
AI-powered tools can detect synthetic text and deepfake misinformation, assisting fact-checking and source validation. Fraud detection models can analyse news sources, financial transactions, and AI-generated media to flag manipulation attempts. Counter-attacks, like those shown by research project Countercloud or O2 Telecoms AI agent “Daisy” show how AI based bots and deepfake real-time voice chatbots can be used to counter disinformation campaigns as well as scammers by engaging them in endless conversations to waste their time and reducing their ability to target real victims.
In a future where both attackers and defenders use AI, defenders need to be aware of how adversarial AI operates. And how AI can be used to defend against their attacks. In this fast-paced environment, organisations need to guard against their greatest enemy: their own complacency. While at the same time considering AI-driven security solutions thoughtfully and deliberately. Rather than rushing to adopt the next shiny AI security tool, decision makers should carefully evaluate AI-powered defences to ensure they match the sophistication of emerging AI threats. Hastily deploying AI without strategic risk assessment could introduce new vulnerabilities, making a mindful, measured approach essential in securing the future of cybersecurity.
To stay ahead in this AI-powered digital arms race, organisations should:
Monitor both the threat and AI landscape to stay abreast of latest developments on both sides.
Train employees frequently on latest AI-driven threats, including deepfakes and AI-generated phishing.
Deploy AI for proactive cyber defense, including threat intelligence and incident response.
Continuously test your own AI models against adversarial attacks to ensure resilience.
Mike Puglia, General Manager, Kaseya Cybersecurity Labs, on how the need for regulatory support to better support industries when tackling cybercrime
SHARE THIS STORY
Cyberattacks keep coming hard and fast, but things are beginning to change. In the past few months, law enforcement has announced arrests of three people in the Marks & Spencer breach, seven members of the hacking group NoName057, five affiliates of Scattered Spider and also disrupted the infrastructure of gangs such as Flax Typhoon, Star Blizzard and others.
Earlier this year, the UK retail industry felt the pressure. Brands, including Marks & Spencer, Harrods and Co-op – and by proxy, their customers – became victims of the hacking group, Scatter Spider. Other businesses are now on high alert as this wave of security breaches is expected to continue. For as long as bad actors can reap rewards and the risk of consequences remains small, they will keep attacking. Ransomware-as-a-service lowers the bar to entry further, allowing even those without specialised skills to launch successful ransomware campaigns.
Along with the threats, regulatory pressure on businesses is growing. Organisations must be able to prove they have strong security defences in place or risk paying hefty fines for non-compliance. However, this means we are essentially punishing the victim, not the perpetrator. By putting the onus on the victims to protect themselves, we are missing an important truth… Because there is no bullet-proof defence, even the best security strategies will not end cybercrime for good.
It’s Time to Treat Cybercrime as Crime
What the industry needs instead is a change in how we approach cybercrime. Rather than blaming the victims, we must start treating it as the serious criminal activity it is. It is high time we addressed cybercrime’s fundamental drivers. Opportunity, motive and the widespread perception that criminals can still get away without punishment. As is the case with physical crime, it takes a two-pronged approach to curb cybercrime: Prevention – and an effective response.
Those who attempt physical theft, for example, face trials and potentially prison. While we have seen a growing number of cybercriminals arrested in recent months, the truth we are only scratching the surface. In the digital world, everything is accessible from everywhere, all the time. This creates an inherent vulnerability that makes perfect protection impossible. In many cases, it also makes it much harder to track down the offenders and hold them accountable.
The Problem with Cryptocurrency and Jurisdiction
The cybercrime landscape has also undergone a significant transformation. While in the past, hackers were mostly focused on stealing financial data, there has been a dramatic shift towards ransomware. It’s far easier to encrypt an organisation’s data and demand a ransom than finding buyers for stolen credit card info.
This transformation has further accelerated because cryptocurrency allows cyber attackers to be paid in anonymous currency. Anywhere in the world, at any time. Previously, criminals had to physically collect payments or transfer money to traceable bank accounts. Now, they can operate with anonymity whilst easily converting their loot into real euros, pounds and dollars. This means ‘following the money’ is no longer a useful way for law enforcement to track nefarious activity. If we made it impossible for criminals to anonymously convert cryptocurrency into real currency, we could change the risk-reward calculation.
The second key issue with fighting cybercrime is the question of jurisdiction. Many cybercriminals are based in countries where western governments have no recourse. When hackers operate from non-cooperative jurisdictions, it may be impossible to extradite them. And they may find their activities tolerated by their local government or even supported. As we have seen with the recent arrests – the threat actors were outside of Russia and China – where many attacks come from.
These two factors – anonymous payment systems and safe havens – create an environment where cybercrime can and will continue to flourish. While organisations can do their best to make it harder for criminals to attack, it is foolish to believe individual businesses will be able to solve the cybercrime problem on their own.
Stop Blaming the Victim
So, what needs to happen? First, the victim-blaming approach must change. We simply cannot regulate every business to become an impenetrable fortress. When a person is physically robbed, police respond to investigate the crime and help recover stolen property. With cybercrime, victims face reputational damage, fines and higher insurance premiums. Incidents often raise questions about where the business’ cybersecurity strategy failed, rather than a recognition that a crime has been committed against them.
A first step forward towards solving the cybercrime problem would require governmental and societal recognition that cyberattacks represent crimes against businesses and individuals, not merely failures of those organisations to adequately defend themselves. While many countries have ramped up policing efforts against cybercrime, these are generally underfunded considering the scale of the problem.
Secondly, we need to urgently address the anonymous payment systems that keep fuelling cybercrime. This is not an easy problem to solve, but governments must find better ways to trace and regulate how cryptocurrency is converted into real money.
It is also time we introduced real and severe consequences for cybercriminals. The number one deterrent to any type of crime is fear of being caught and punished. The internet has essentially eliminated this, enabling hackers to operate from nations that turn a blind eye. To address this will require more political pressure on ‘safe harbour’ countries to charge, punish and extradite cybercriminals. Where nations refuse to cooperate, potential sanctions such as restrictions on internet connectivity might force governments to reconsider their tolerance for criminal activities.
Finally, we need to acknowledge that regulations such as GDPR, PCI and NIS have their limits. Despite increasingly complex compliance requirements, cybercrime has continued to grow. While regulations can provide critical and much-needed guidance to businesses, they must be combined with properly funded law enforcement – empowered with tools to bring criminals to justice across jurisdictions.
To truly disrupt the criminal ecosystem, systemic changes are needed. We are starting to see governments give law enforcement the tools they need, but it is very early in that process. Because ultimately, we will not solve the cybercrime problem with defence measures alone.
About Kaseya
At Kaseya, our mission is to empower you to simplify and transform IT and cybersecurity management with innovative platform solutions.
Our Mission:
Since 2000, Kaseya has delivered the technology that IT departments and managed service providers need to reach new heights of success. More than 500,000 IT professionals globally use Kaseya products to manage and secure 300 million devices.
Kaseya’s commitment to our customers goes beyond listening to your needs and puts words into action to deliver innovative solutions that empower your business. But we don’t stop there. Kaseya’s first-of-its-kind Partner First Pledge program shares the risk our partners experience because we know a true partner is with you through the ups and downs of life.
Andy Swift, Cyber Security Assurance Technical Director at Six Degrees on
SHARE THIS STORY
According to AV-TEST, the independent IT security institute, every day sees at least 450,000 new malware variants added to its database. In June this year, for example, cybercriminals are thought to have used malware to steal over 16 billion login credentials across various major platforms in what is thought to have been the largest breach of its kind in history. For security teams, this represents a relentless challenge that demands constant attention and consumes significant resources.
Malware-Free Attacks
As if that wasn’t enough, malware-free attacks are increasingly favoured by cybercriminals as a way to circumvent organisational security. Typically using legitimate programs and tools, these stealth attacks are particularly complex to detect. And they are invisible to most automated security protection options that are available to buy.
With no obvious malware signatures to detect, automated defences are often powerless to respond. And without robust security foundations, even advanced detection tools offer limited protection once an attacker gains a foothold. When that happens, the consequences can be significant.
At the heart of the matter are the limitations of many traditional security tools, which are simply not designed to stop what they cannot see. Malware-free attacks do not rely on external payloads or binaries with known malicious signatures. This renders many automated detection systems, including standard antivirus solutions, effectively useless. As a result, the burden falls elsewhere.
For most organisations, that means having the right expertise in place to recognise unusual behaviour, supported by technologies that can identify behavioural anomalies quickly. Endpoint detection and response (EDR) platforms offer some of these capabilities. But even the most advanced solutions rely on proper configuration and human oversight to be effective. In an ideal world, every business would have round-the-clock monitoring in place, but in reality, very few do.
Challenging Assumptions Around Risk
So, how can organisations fill the gap? When assessing how to protect against malware-free attacks, many organisations begin with the assumption that they will need to buy new tools or licenses. This can form part of a rounded solution. However, leading with this mindset often overlooks a more fundamental and cost-effective question: What can be improved with the tools already in place?
Reviewing existing capabilities should be the first step. For example, most environments already have some level of EDR, behavioural monitoring or identity protection deployed. Yet these are often underutilised or misconfigured. This can result from a lack of understanding around tool capabilities (and limitations), paying for the wrong level of license coverage, and failing to ensure configurations support behavioural analysis rather than just malware scanning. In many cases, even minor adjustments can significantly increase effectiveness without any additional spend.
Cost vs Risk
Organisations should also reconsider how they approach the question of investment. The cost vs risk conversation needs to shift from what they should buy to what they should fix. Even the most expensive detection tools can be rendered ineffective if attackers can exploit basic oversights such as poor configuration, excessive access rights or the absence of multi-factor authentication. In contrast, identifying and addressing these gaps in existing systems is not only more cost-effective but also more impactful in stopping attacks before they gain momentum.
This kind of review process is also an opportunity to identify gaps and prioritise actions that reduce risk without escalating costs. For example, many organisations find that network segmentation, strict privilege controls and enforcing least-access policies can help prevent lateral movement and minimise credential misuse – two of the most common techniques used in malware-free attacks. Putting these capabilities in place are security fundamentals that often determine whether an attack is stopped early or is able to spread.
In this context, a best practice approach matters more than ever. Not as a one-off initiative, but as a continuous effort to close the windows of opportunity that attackers rely on. This includes reducing privilege levels, adopting MFA by default, limiting binary access and educating users on social engineering techniques. All of which are good examples of cost-effective steps that can limit the opportunity for malware-free attacks to take hold. These are not headline-grabbing technologies, but they remain the strongest defence against attacks that thrive on poor hygiene and overlooked gaps.
So, rather than investing in yet another layer of detection, organisations should focus on strengthening what they already have. This approach not only helps avoid unnecessary expense but also delivers a stronger, more sustainable defence posture in an environment where threat actors continue to be extremely effective.
TechEX Europe – Powering the Future of
Enterprise Technology at Amsterdam’s RAI Arena September 24-25
SHARE THIS STORY
TechEx Europe unites five leading enterprise technology events — AI & Big Data, Cyber Security, Data Centres, Digital Transformation and IoT — into one powerful experience designed for organisations driving change. Five events, two days, one ticket – register for your pass here.
From scaling infrastructure to unlocking new efficiencies, this is where decision-makers and their teams come to connect, explore real-world use cases, and discover the technologies that will shape their next phase of growth.
AI & Big Data Expo
The AI & Big Data Expo is the premier event showcasing Generative AI, Enterprise AI, Machine Learning, Security, Ethical AI, Deep Learning, Data Ecosystems, and NLP
Speakers include:
Cybersecurity & Cloud Expo
The Cyber Security & Cloud Expo, is the premier event showcasing the latest in Application and Cloud Security, Hybrid Cloud, Data Protection, Identity and Access Management, Network and Infrastructure Defence, Risk and Compliance, Threat Intelligence, DevSecOps Integration, and more. Join industry leaders to explore strategies, tools, and innovations shaping the future of secure, connected enterprises.
Speakers include:
IOT Tech Expo
IoT Tech Expo is the leading event for IoT, Digital Twins & Enterprise Transformation, IoT Security, IoT Connectivity & Connected Devices, Smart Infrastructures & Automation, Data & Analytics and Edge Platforms.
Speakers include:
Digital Transformation
The Digital Transformation Expo is the leading event for Transformation Infrastructure, Hybrid Cloud, The Future of Work, Employee Experience, Automation, and Sustainability.
Speakers include:
Data Center Expo
The Data Centre Expoand conference is the premier event tackling key challenges in data centre innovation. It highlights AI’s Impact, Energy Efficiency, Future-Proofing, Infrastructure & Operations, and Security & Resilience, showcasing advancements shaping the future of data centre.
Join thousands of data centre industry leaders and innovators at London’s Business Design Centre for three co-located events – DCD>Connect, DCD>Compute and DCD>Investment September 16-17
SHARE THIS STORY
Data Center Dynamics (DCD) is connecting the data center ecosystem. Secure your pass for three-colocated events covering the entire digital infrastructure ecosystem across two days at London’s Business Design Centre – DCD>Connect, DCD>Compute and DCD>Investment.
Bringing together more than 4,000 senior leaders working on Europe’s largest data center projects. DCD>Connect | London will drive industry collaboration, help you forge new partnerships and identify innovative solutions to your core challenges.
“First class event that presented a wide variety of perspectives and technologies in an engaging and informative forum” – Data Center Project Architect, AWS
DCD Compute
Uniting enterprise and hyperscale leaders driving scalable AI Infrastructure from silicon to software…
New workloads are fundamentally reshaping IT infrastructure, as accelerated hardware innovation is enabling more new workloads. How can you keep up in this rapid cycle of new AI models, new hardware, new software, and the race to be first to market?
The Compute event series, run in partnership with SDxCentral, empowers leaders to make sharp decisions on IT infrastructure and AI deployment. Join 400+ peers from enterprise, hyperscale, and top IT infrastructure and architecture innovators to shape the future of compute—on-prem or in the cloud.
400+ Decision-Makers for IT Infrastructure, Architecture, AI, HPC and Quantum Computing
60+ industry-leading speakers at the forefront of innovation across cloud and on-prem compute
Hosted in partnership with SDxCentral
DCD Investment
Connecting senior dealmakers driving the economic evolution of digital infrastructure…
The world depends on digital infrastructure, and there’s never been more pressure on the industry to scale at speed. The Data Center Dynamics Investment series helps the leading dealmakers behind this growth to make informed decisions faster, through top-tier content, tailored networking, and best-practice sharing.
Dynamic Programme: A brand new format including leadership roundtable discussions allows for 2025 attendees craft their own agenda at the Forum.
50 Speakers: The C-suite operators, leading investors, and advisors in data centers are converging to strategize on the industry’s evolving landscape.
Exclusive Networking Opportunities: The Investment Forum is separated from the main DCD Connect programme and show floor, offering private networking and dealmaking opportunities to take place in an optimal setting.
This month’s cover star, Dr. Noxolo Kubheka-Dlamini – Chief Digital and Information Officer at Telkom Consumer & Small Business, speaks to the process of leading an ongoing digital transformation
SHARE THIS STORY
Welcome to the latest issue of Interface magazine!
Our cover star talks us through the process of leading an ongoing digital transformation that is pragmatic, strategic and embedded in business goals at South Africa’s largest telecommunications platform provider. “By the time we entered the mobile space in 2010, the market was already saturated,” explains Dr. Noxolo Kubheka-Dlamini, Chief Digital & Information Officer at Telkom Consumer & Small Business. “Our ambitions were constrained by limited capital, inherited legacy systems, regulatory shackles, and the sheer inertia of being a former state-run monopoly.” However, Telkom’s “willpower and commitment never faded” resulting in “notable and consistent performance against all odds”. Today, Telkom is playing a pivotal role in ensuring access to meaningful connectivity, driven by the company’s vision to become South Africa’s digital backbone: bridging the digital divide and enabling inclusive participation in its digital economy.
Kynegos: Shining a Spotlight on Transformation, Innovation and Sustainability
Kynegos, a spin-off from Capital Energy, is a business built on strategy. It exists to develop technological solutions for strategic industries. Capital Energy needed an independent platform that could scale digital solutions beyond the energy sector, and foster collaboration with startups and technology centres. Kynegos has filled this gap, and is being leveraged to create co-innovation ecosystems. This allows Capital Energy to develop digital tools that address current and future industrial challenges, keeping the company’s finger on the pulse. We spoke to CEO Victor Gimeno Granda, about its backstory, its values, and the road ahead. “Not only do we develop digital assets for the renewable sector, but for green data centres as well. My perspective is that sustainability is going to be more relevant than ever in the next 18 months.”
York County: The Human Side of AI
York County’s IT team has spent the past decade redefining what local government tech can and should be. From pioneering community cybersecurity workshops to forging statewide collaboration through ValGITE, the county has systematically brought innovation into its operations. This broad portfolio of initiatives has strengthened infrastructure and elevated service delivery. And also earned York County the number one spot in the Digital Counties Survey for jurisdictions under 150,000 population.
“Since I became deputy director eight years ago, this has been one of my goals,” reflects Tim Wyatt, director of information technology at York County. “And over the last eight years, we’ve been in the top 10, but we finally landed that number one place. I think it’s a great reflection for my team, the county, and all the dedication to try to do what’s right by the citizens. It’s just something I’m incredibly proud of. I think it accurately reflects the hard work of my team.”
Wade Trim: Bridging the Cybersecurity Skills Gap
Wade Trim provides consulting engineering, planning, surveying, landscape architecture and environmental science services to meet the infrastructure needs of government and private corporations. With a cybersecurity skills gap leaving vacancies unfilled, Wade Trim’s Senior Manager of Information Security, Eric Miller, spoke with Interface about how stepping away from education-focused rigidity could unlock swathes of latent talent. “Our industry puts emphasis on certifications. However, being passed over for jobs because you don’t have a particular certification or degree in favour of someone fresh out of college has shown me that the best candidates are those that can tell me their story. What brings them to this point in their career? Tell me what qualifies you for this role. That’s how I interview.”
York Catholic District School Board: York Catholic District School Board: Community and Communication at the Heart of IT Strategy
The challenges facing an IT leader in 2025 call for a new kind of approach. One that favours partnerships over transactions, collaboration over competition, and centres people rather than technology for technology’s sake. These perspectives ring especially true in an organisation like the York Catholic District School Board (YCDSB). It emphasises values like “service, community, collaboration, and fait rather than academic excellence alone,” explains Scott Morrow, YCDSB’s Chief Information Officer (CIO). “It’s not actually about the technology; it’s about enablement.”
We spoke with Morrow to learn more about his approach to IT leadership. From building and maintaining a team amid the IT talent crisis, to driving digital transformation initiatives across the organisation. And broader strategic objectives across a changing technology landscape increasingly defined by cybersecurity and the rise of AI.
Magpie Graham, Technical Director of Threat Intelligence at Dragos, on why the organisations best positioned to withstand future threats are those who adopt security practices designed with their operational context in mind.
SHARE THIS STORY
Organisations are realising the importance of securing their operational technology (OT) environments, however many are also finding out that spending alone does not guarantee resilience. Despite adopting new tools and frameworks, core issues persist, these being limited visibility, alert fatigue, and incident response strategies that fail to reflect the operational reality. The reason? Too many approaches are built on IT-centric assumptions.
Working closely with operators of critical infrastructure, we at Dragos frequently encounter well-intentioned security programmes that simply don’t work in practice, because they weren’t designed with OT in mind. It’s no longer a question of why OT security matters. The focus now must be on how to implement it effectively. That begins with thinking differently, and understanding what OT-native security truly looks like.
OT is not just another IT environment
OT environments operate under distinct constraints and priorities. IT security is generally centred on protecting data and managing user access. However, OT security is about maintaining uptime, operational continuity, and safety. A disruption in IT—whether caused by an outage, cyber threat, or unscheduled maintenance— might result in productivity loss. In OT, it could shut down production, essential services such as power and water, or compromise safety systems.
The systems underpinning many OT assets, ranging from programmable logic controllers (PLCs) to SCADA networks, are often decades old and not built with cybersecurity in mind. Many use bespoke protocols, proprietary technologies, and complex hardware combinations that traditional IT tools cannot effectively interrogate.
Vulnerability management must reflect operational constraints
In IT, patching is often the default response to a discovered vulnerability. In OT, it’s rarely that simple. Many industrial systems require months of planning before updates can be deployed. Unplanned downtime is costly and, in some sectors, dangerous.
A more pragmatic approach is required: risk-based vulnerability management that accounts for operational context. Where patching is not immediately feasible or optimal, strategies such as network segmentation, access control, and enhanced monitoring offer mitigations that maintain both uptime and protection.
OT threat detection must be purpose built
Generic anomaly detection, common in IT, produces a high volume of alerts. Many of these alerts are irrelevant in an OT context. This leads to alert fatigue and wasted effort. OT-native detection tools, by contrast, are built around known attacker tactics, techniques and procedures (TTPs) specific to industrial environments.
By focusing on high-fidelity indicators of malicious activity, rather than raw anomalies, these tools enable faster, more decisive responses and help security teams concentrate on what genuinely matters.
OT and IT security must be integrated, but equitably
It is increasingly important for organisations to bring their OT and IT security functions into alignment. But this must be done in a way that respects the unique requirements of each. Too often, integration efforts are driven from the IT side alone, applying unsuitable tools and processes to OT environments.
Successful integration depends on mutual understanding, ensuring that IT and OT teams collaborate on policies, incident response, and risk prioritisation, while still maintaining the protections and performance requirements that OT systems demand.
As cyber threats targeting critical infrastructure become more sophisticated, so too must our response. Many of the most common OT security pitfalls stem not from lack of investment, but from misplaced assumptions – treating OT as an extension of IT, rather than a domain in its own right.
A critical, and often overlooked, component of successful integration is the development of a dedicated OT Incident Response (IR) plan. OT environments have unique operational, safety, and continuity requirements that demand tailored response strategies. Simply adapting existing IT IR plans to OT contexts is insufficient and potentially dangerous. Instead, organisations must invest in OT-specific response plans that account for industrial processes, asset criticality, and the real-world consequences of downtime or missteps.
True resilience
True resilience depends not only on these dedicated OT IR plans, but also on their seamless integration with existing IT incident response processes. This means establishing clear communication protocols, joint playbooks, and shared situational awareness between IT and OT teams—while respecting the specialised requirements of each environment. Policies, risk prioritisation, and incident escalation procedures must be developed collaboratively to avoid gaps or conflicting actions during a crisis.
However, having plans on paper is not enough. The effectiveness of both OT and integrated IT/OT incident response plans hinges on regular validation through realistic exercises, such as tabletop simulations. These exercises expose gaps, foster mutual understanding, and build confidence among cross-functional teams. They are essential for preparing personnel to respond quickly and appropriately to complex cyber-physical scenarios.
At Dragos, we see this reality every day. The organisations best positioned to withstand future threats are those adopting security practices designed with their operational context in mind. These practices prioritise visibility, safety, and continuity, as much as they do compliance.
Dmitry Panenkov, CEO and founder of emma, interrogates the risks of a multi-cloud infrastructure strategy to modern organisations.
SHARE THIS STORY
As organisations accelerate their efforts to modernise IT infrastructure, multi-cloud strategies have become increasingly common. Currently, 78% of organisations rely on two or more cloud providers, highlighting a strong shift towards organisations wanting to achieve greater agility, resiliency and optimised performance. This growing trend is fuelled by organisations wanting to avoid vendor lock-in, reap the benefits of best-in-class services from various providers and align workloads with specific business needs and regulatory demands.
Yet, the speed of multi-cloud adoption is often surpassing organisations’ ability to secure these environments effectively. With operations now spanning multiple public and private cloud platforms, maintaining consistent security policies, visibility and governance is becoming more complex. As data and workloads become more distributed, the challenge of protecting them grows, particularly amid evolving cyber threats and increasing regulatory scrutiny.
So, how can organisations sustain the benefits of multi-cloud environments while ensuring robust data security? Let’s take a closer look…
Navigating the security risks
Although multi-cloud architectures deliver benefits like agility and scalability, they also introduce heightened security risks. A recent survey reveals that 61% of cybersecurity professionals consider security and compliance the primary barriers to expanding cloud adoption. At the same time, 64% expressed concerns about their ability to detect real-time threats.
This highlights a broader issue. As organisations diversify their cloud footprint, risk management becomes more fragmented and harder to control. Diverse cloud platforms each have their own configurations, tools and security models. This can result in inconsistent policies, reduced oversight and an increased likelihood of misconfigurations.
These inconsistencies not only compromise the overall security posture but also expand the attack surface, providing more entry points for potential threats. Security teams often lack unified visibility and control across platforms, making it difficult to respond to incidents effectively and quickly.
To reduce exposure and improve resilience, businesses must adopt an integrated, cross-platform security strategy that delivers consistency, compliance and clarity across their entire cloud infrastructure.
The key foundations for a secure multi-cloud environment
Organisations are scaling globally and deepening their reliance on cloud services. As a result, they face increasing pressure to secure data while complying with complex regional and industry-specific regulations. Traditional, fragmented security tools are no longer sufficient. Securing a multi-cloud environment demands a cohesive, integrated approach that spans cloud platforms, providers and policies.
A resilient multi-cloud security strategy is built on several foundational pillars that work to protect data, ensure regulatory compliance and support operational resilience. The pillars include:
1. Encryption and data protection
Protecting sensitive information is vital. Encryption should be applied to data both in transit and at rest, ensuring that even if data is compromised, it remains unreadable. Effective data protection mechanisms help mitigate the risk of branches and enhance data integrity.
2. Compliance oversight
Regulatory compliance varies across jurisdictions, making continuous monitoring essential. This includes maintaining audit trails, automating policy enforcement and staying adaptive to changes in legal frameworks to avoid penalties and maintain customer trust.
3. Interoperability and standardisation
Security consistency across cloud platforms is key to minimising complexity and risk. By standardising security protocols, organisations can reduce the chances of misconfiguration, simplify management and make it easier to scale or switch providers when needed, without compromising protection.
4. Threat detection and incident response
Real-time visibility across the entire cloud environment is crucial for early threat detection. Proactive monitoring, automated alerts and rapid response mechanisms allow organisations to contain incidents before they escalate and reduce potential damage.
5. Access control and identity management
Only authorised individuals should have access to critical systems and data. Enforcing least-privilege access, implementing multi-factor authentication and centralising identity management are vital for preventing both external breaches and insider threats.
Together, these five foundational pillars form the basis of a secure multi-cloud architecture. They not only protects against a broad range of cyber threats but also ensure resilience, compliance and trust in a complex and dynamic digital landscape.
Securing the future of cloud with resilience and control
As cloud ecosystems become increasingly complex and interconnected, ensuring robust security across multi-cloud environments is more critical than ever. It’s not just about protecting against external threats, it’s about maintaining visibility and control over where data resides, how it’s accessed and how it’s governed.
Achieving a secure cloud future requires strategic planning, strong security foundations and a commitment to digital sovereignty. By embedding data protection into every layer of their cloud strategy, organisations can build last trust, ensure compliance and position themselves for long-term resilience and innovation.
Dave Spencer, Director of Technical Product Management at Immersive, calls for a renewed focus on the fundamentals of cyber security in the AI age.
SHARE THIS STORY
It’s safe to say that if you work within the technology industry, you can’t get through a single conversation without AI coming up. And there’s a good reason for that.
Research shows that 78% of CISOs agree that AI-assisted cyber threats are having a significant impact on their organisation, and 45% of cybersecurity professionals do not feel prepared for the reality of AI-powered cyber threats.
However, Dave Spencer, Director of Technical Product Management at Immersive, argues that, irrespective of how concerned you are about AI-powered attacks or risks, the security fundamentals are still what really make the difference in preventing a breach.
He explains why basic cyber hygiene is in danger of being overlooked, and how to ensure businesses are prepared with the relevant cyber skills needed in the age of AI.
How has AI changed security?
Interestingly, AI is being used in rather similar ways by both attackers and defenders. AI tools are employed by both sides to rapidly automate complex or monotonous tasks. Attackers use them to generate more effective phishing interactions, while defenders use them to wade through the flood of security alerts they receive.
Of course, the obvious difference between the two sides is that whilst defenders are bound by a moral and ethical compass, attackers are not. This means cybercriminals are often able to deploy AI tools much faster than security teams can – attackers don’t care about weakening an organisation’s security posture.
Another key consideration is that, by introducing AI into business operations, it becomes yet another piece of technology that the security team must protect. AI can inadvertently create vulnerabilities that attackers can exploit if proper protocols are not in place.
One of the most pressing threats to AI is prompt injection attacks, where attackers trick Large Language Models (LLMs) into revealing sensitive information. Our own researchers have shown that tricking LLMs is not particularly difficult, and you don’t need to be highly technical to gain access to sensitive data.
In fact, we conducted a test in which participants attempted to get a GenAI chatbot to reveal sensitive information, and 88% of them succeeded in at least one level of an increasingly difficult challenge.
Ultimately, while AI has changed the security team’s role on the surface, when you dig deeper, the fundamentals remain the same. This is why strong cyber hygiene practices are more important than ever.
Why is cyber hygiene so important?
When a company is breached, the most common phrase you’ll see in their immediate statement is that a “sophisticated actor breached our systems.” And whilst the group responsible may indeed be sophisticated, the method they used likely wasn’t.
The majority of breaches occur because basic security fundamentals are not being observed. This includes failing to implement and enforce multi-factor authentication (MFA), using weak passwords, and neglecting to patch known vulnerabilities.
Yet, too many organisations are focused on the latest AI tool they could implement. That mindset is dangerous and means they’ll never be ready for a breach, because hygiene fundamentals should form the absolute baseline of any cybersecurity strategy.
It doesn’t matter if you have the latest AI-powered endpoint detection and response tool, if every device can connect to the network and access systems without requiring MFA approval.
So, why is it still such a struggle?
Much of poor cyber hygiene can be traced back to a lack of development in cyber skills across an organisation’s workforce.
Legacy cyber training, such as presentations, e-learning videos, and multiple-choice tests, remains the primary method for developing cyber skills. However, these sessions are often overly generic and fail to address the specific needs of different teams or roles.
Lacking urgency and realism, such training struggles to capture attention, leaving employees disengaged and viewing it as a poor use of their time. It essentially becomes an attendance test rather than a genuine test and development of cyber skills.
If employees are sitting through training thinking it’s a waste of time, they’re not absorbing the security information being provided, and as a result, they’re not developing good security habits. You can’t tell if they’ll be ready for when a real incident happens. Ultimately, if your cyber skills development is rubbish, your cyber hygiene standards will be too.
The core purpose of cyber training is to build readiness in employees, so they know exactly what good security looks like, and more importantly, what to do in the midst of a cyber crisis.
How can we address the problem of cyber hygiene?
We have to ditch ineffective cyber skills development programmes and replace them with training that is engaging and genuinely valuable to employees, which prepares them to deal with cyber risk. This is where cyber simulations come in.
Unlike traditional training, cyber simulations immerse people in realistic, high-pressure scenarios where they must act, not just observe. They test judgement, coordination, and the ability to follow protocols under stress. Crucially, they reinforce both crisis response and core cyber hygiene through repetition and lived experience to build readiness.
Simulations reveal weaknesses that would otherwise remain hidden. A security strategy that seems flawless on paper might have cracks when tested under real-time pressure. This approach equips individuals and teams to spot cyber risks quickly and respond effectively.
Furthermore, by actively engaging people in cybersecurity, they begin to understand the reasons behind certain practices and decisions. To the average employee, MFA might not mean much, but its importance is crystal clear to someone who understands cybersecurity.
With AI, there’s also the additional challenge that most people don’t know the difference between machine learning, LLMs, agentic AI, supervised data sets, and unsupervised data sets, or what their functions are. If an organisation can’t answer this, then how do they know when and how to leverage AI?
Simulations help employees build their understanding of AI and its distinctions, meaning they know what it’s useful for, and more importantly, understand what the risks are and how to deal with them.
Ultimately, advanced tools can’t protect you if your team isn’t prepared. True cyber resilience isn’t built through annual compliance exercises. It comes from mastering the basics, testing them under pressure, and embedding readiness into the daily rhythm of how teams work, communicate, and make decisions.
From leaked Signal chats to Partygate, Alan Jones, CEO and Co-Founder of YEO Messaging, looks at the growing risk posed when unsecured messaging app use intersects with national politics.
SHARE THIS STORY
When the fate of senior political careers publicly hinges on a single leaked message, the concern isn’t merely the sensational risk of a fall from power; it’s the deeper problem of continued reliance on messaging platforms fundamentally unfit for the demands of public office.
From PM Boris Johnson’s downfall, fuelled by leaked WhatsApp messages revealing how critical decisions were made during the UK’s most severe public health crisis, to the White House’s recent “Signalgate” breach, which exposed details of U.S. military strikes in Yemen, messaging app leaks have become politically fatal. No longer just embarrassing, they seem now to expose national vulnerabilities and dramatically erode public trust. Yet many senior officials still conduct matters of state and national security over consumer-grade platforms like WhatsApp, Signal and Telegram, tools never built for the weight of public office.
As digital communication cements itself at the heart of modern governments, it’s time to face a hard truth: consumer messaging apps are now a structural vulnerability in political infrastructure.
MP Messaging Mayhem: How Apps Took Over the Business of Government
Group chats, DMs, and encrypted threads have quietly replaced cabinet meetings, war rooms and press briefings as the new arenas of political decision-making. During the pandemic, consumer based apps became the UK government’s de facto command centre, where ministers, advisers and scientists debated lockdown restrictions, shaped media narratives, and, in some cases, arranged the very PartyGate rule-breaking gatherings that would later spark national outrage.
Across the Atlantic, Signal seemed to emerge as the preferred ‘secure’ choice among Washington and White House staffers. But time would reveal that encryption alone doesn’t guarantee safety. Without enforced identity checks, audit trails, or granular access controls, even the most encrypted apps leave governments vulnerable to internal leaks and external breaches.
So why do our (we would hope) security-aware leaders still rely on consumer messaging apps? Because they’re fast, familiar, and frictionless, the very qualities that also make them dangerously unaccountable.
Fallout: How Consumer Messaging Leaks Brought Down Two Powerhouses
In the UK, WhatsApp wasn’t just a digital convenience; it was Boris Johnson’s undoing. Leaked messages from Downing Street aides revealed not only a flippant disregard for COVID-19 rules but also active attempts to “get away with” parties while the public remained locked down and facing legal sanctions for contravention. The fallout was unequivocal: resignations, police fines, and ultimately, Johnson’s forced resignation as Prime Minister.
But the damage ran deeper than the fall of a PM. When Johnson refused to hand over unredacted WhatsApp messages to the official COVID-19 Inquiry, it triggered a legal standoff. What began as a straightforward review of pandemic decision-making quickly spiralled into a national debate over privacy, transparency, and the role of private messaging in public office. The inquiry stalled, and public trust eroded further.
In the US, a parallel scandal of equally disturbing magnitude unfolded in April 2025. Dubbed “Signalgate,” it centred on the inadvertent inclusion of a journalist, “JG”, in a Signal group chat discussing classified military operations in Yemen, including precise details of planned airstrikes. While Signal’s encryption remained intact, the breach highlighted a far more human flaw. There was an absence of real time authentication to prove identity and message access controls. Sensitive national security information was exposed not through hacking, but through a basic error, proving that encryption alone is no defence against operational sloppiness and mismanagement. The fallout was swift. Mike Waltz, National Security Advisor, was forced to resign, and the episode served as a stark warning that even encrypted platforms are only as secure as the practices governing their use.
A breakdown of protocol. Another political career ended by insecure messaging.
Why Regulation Is Failing
Most democratic nations pride themselves on transparency and accountability, but messaging apps have quietly circumvented both. Laws like the UK’s Freedom of Information Act and the US Presidential Records Act were drafted in the era of emails and memos. They were never built to handle digital messages, vanishing photos, or encrypted DMs.
This regulatory lag has created a dangerous loophole in the corridors of the central government. Sensitive decisions can be discussed, documented and deleted without scrutiny. Public records are incomplete. FOIA requests go unanswered. Investigators hit encrypted walls.
Some governments have issued internal guidance. A few have tried to ban consumer messaging apps entirely. But most responses have been reactive, inconsistent, and ultimately toothless.
The Missing Infrastructure: Identity-Verified Messaging
What’s needed is infrastructure-level change. Just as classified email systems exist for formal communications, secure messaging must evolve from an optional tool to a mandated platform that offers continuous biometric authentication to avoid unintended additions and, most importantly, to ensure messages can only be read by those addressed.
This is where YEO Messaging enters the frame. Designed in Britain, YEO combines military-grade encryption with continuous biometric authentication, requiring users to verify themselves throughout the reading of the message, not just when logging in.
Its platform includes,
Geofencing controls — messages are only viewable in permitted physical locations. What goes on in the White House stays in the White House.
Continuous Facial Recognition — removing the risk of device theft or spoofing and inadvertent JG’s joining! Ensuring the messages remain confidential after receipt.
Read-tracking and screenshot blocking — protecting confidentiality and auditability.
Expiry and recall features — offering politicians dynamic control over sensitive content.
Message Control – no screenshots, no forwarding, and no copying without sender permission.
YEO Messaging isn’t just a “better WhatsApp” it’s a total rethink of messaging as part of critical national infrastructure.
Conclusion: Trust Begins at the Message Level
In an era defined by information warfare, digital surveillance, accountability and cyber threats, the tools governments use to communicate matter more than ever. They are not politically neutral. They carry risk, shape narratives, and, as we’ve seen, can unmake leaders – fast!
The downfall of Boris Johnson and Mike Waltz and the subsequent unravelling of events that followed wasn’t the result of sophisticated hacking by a foreign state-sponsored actor; it was the consequence of relying on messaging platforms fit for their private lives but grossly unfit for the demands of high office.
We can’t afford another messaging scandal. And we don’t need to. With platforms like YEO Messaging, governments and public institutions now have the chance to reclaim control over their digital communications, and with it, restore confidence in how leadership works in the 21st century.
Tim Mackey, Head of Software Supply Chain Risk at Black Duck, looks at the value of the OWASP for the cybersecurity space, interrogating its practical usefulness for the industry.
SHARE THIS STORY
The Open Web Application Security Project (OWASP) has long been one of the most trusted names in application security. Its most famous project, the OWASP Top 10, has been a go-to resource for developers and security teams alike, offering a standardised list of the most critical web application vulnerabilities.
Since its introduction, it’s been marketed as a starting point for secure coding practices. But with the next update expected shortly, we must now ask a difficult question: Has the OWASP Top 10 failed us, or have we simply failed to act upon it?
Same List, Same Problems
Let’s be clear: the OWASP Top 10 has value. It brings awareness to critical issues. But when we examine its impact over time, the evidence is troubling. Many of the vulnerabilities first highlighted in early versions of the list, injection flaws, cross-site scripting (XSS), broken authentication, and security misconfiguration, continue to appear in every subsequent edition.
This isn’t just disappointing; it suggests that, despite widespread awareness, we’re not solving the underlying problems. In fact, the total number of software vulnerabilities continues to climb. The CVE list grows every year. What should have been resolved by now has instead become normalised. So, why aren’t we making more progress?
Why the OWASP Top 10 Isn’t Driving Change
In my experience, there are three core reasons the OWASP Top 10 isn’t delivering the transformation we hoped for: lack of context, lack of education, and lack of actionability.
1. Developers Lack Context
Modern developers are often handed user stories, tasked with building specific features, and measured against functional requirements, not security ones. Rarely do they have visibility into how their code will be used in the real world. Is it going into a healthcare platform? A consumer-facing mobile app? A component in a critical infrastructure system?
That kind of context matters. If a developer doesn’t understand the operational environment, how can they effectively prioritise security? Assumptions take the place of understanding, and those assumptions can introduce serious risk. What’s more, the industry often treats developer capabilities as interchangeable: junior developers should all know X, senior developers should all know Y, but not all developers have the same training or exposure. This inconsistency becomes more dangerous in a world where AI-generated code is gaining traction. If models are trained on insecure practices, or if developers don’t know what to watch for, the problems will only compound.
And before you say “how can a developer working for company X not know what their code goes into”, think about this – how many companies have grown by acquisition, or how many companies create SDKs or APIs, or how much of your code is from open-source libraries? The moment your code is used by someone else, that’s when context starts to get lost. The greater the separation, the harder it is for a developer to account for user requirements in their testing.
2. Security Education Is Declining
We assume that awareness translates into knowledge, but that’s not how education works.
The Building Security in Maturity Model (BSIMM) Report tracks how real-world organisations implement software security initiatives. In its 15th edition, released in January 2025, one of the most striking findings was that security awareness training has dropped nearly 50% since 2008. That’s despite an ever-growing attack surface, increases in cyber-attack complexity, and increasing regulatory pressure. It’s not enough to circulate a PDF or hold an annual security talk. Developers need to be actively trained, not just on what to avoid, but on how to write secure code for the specific environments and technologies they use. Without that, the OWASP Top 10 becomes little more than a checklist for compliance rather than a driver of change.
3. The List Lacks Actionability
Let’s face it, awareness without empowerment is performative. The OWASP Top 10 tells you what the most common risks are, but it doesn’t help organisations operationalise that knowledge. There’s no built-in guidance for remediation, no framework for prioritisation, and no accountability for fixing the issues once they’re known. As a result, many developers and even AppSec teams view the list as someone else’s problem. A static document can’t drive dynamic change unless the surrounding ecosystem is built to act on it.
Web Apps vs the Wider World: What CWEs Tell Us
Another major shortcoming of the OWASP Top 10 is its narrow scope. It’s designed specifically for web applications, but today’s software landscape is far broader. API-driven services, cloud-native platforms, embedded systems, and mobile apps all play significant roles in enterprise ecosystems.
OWASP’s list doesn’t address the risks these platforms face. To get a more complete picture, we must look beyond OWASP. The MITRE CWE Top 25, for example, offers a platform-agnostic view of the most dangerous software weaknesses based on real-world exploitability and impact.
Here’s the shocking bit: 40% of the weaknesses in the 2024 CWE Top 25 aren’t even mentioned in the OWASP Top 10. One of the most common software weaknesses, CWE-787: Out-of-bounds Write, is entirely absent from OWASP’s list. Why? Because OWASP is focused on web applications, and CWE is focused on software security at large. This divergence is dangerous. It reinforces a fragmented view of risk and one that leaves organisations blind to issues that lie outside of the web app domain.
Accountability Is Coming
For years, security was about raising awareness, but now we’re entering a new era of accountability. Consider the Digital Operational Resilience Act (DORA), which came into effect across the EU in January 2025. It will force financial institutions to meet strict security requirements, from incident reporting to third-party risk assessments. Non-compliance will no longer be optional. Even more sweeping is the Cyber Resilience Act (CRA), set to take effect in 2027. It will mandate security standards for all hardware and software products with digital elements sold in the EU, backed by fines large enough to make company boards take notice.
These laws mark a profound shift from guidelines to governance. Sure, it’s important to understand the risks, but if organisations aren’t implementing proactive security strategies, then they’ll become a relic, untrusted by customers and obsolete in the eyes of the market.
What You Can Do Today
So how do we move forward? First, treat the OWASP Top 10 as a baseline and not a benchmark of success. It’s a good place to start, but by no means a complete solution – particularly if your app isn’t a web app. Expand your visibility by incorporating the MITRE CWE Top 25, which offers a more comprehensive, real-world view of dangerous vulnerabilities across all types of software.
Second, empower developers, not just with knowledge, but with tools and authority. Integrate secure coding practices into your CI/CD pipelines. Use security tooling that provides feedback in real time, not just in postmortems. And most importantly, make security part of the definition of “done” and not a side process.
Third, invest in contextual training. Developers shouldn’t just learn what to avoid but also understand why it matters in the environments they build for. Generic training won’t cut it. Tailor your education programmes to your domain, your risk profile and your tech stack.
Fourth, benchmark your practices against real-world data. Resources like the BSIMM Report give insights into what some of the most mature security programmes are doing. Use it to identify gaps and plan improvements; not in theory, but in how your team actually works.
And finally, build accountability into processes. Track key security metrics. Make them part of quarterly reviews. Tie them to incentives and governance. Because when security stops being bolted on to products and becomes everyone’s responsibility, that’s when real change happens.
Final Thought
Fifteen years. That’s how long we’ve been cycling through the same vulnerabilities in the OWASP Top 10. In that time, we’ve built space-grade cloud platforms, invented AI copilots and redefined how we work and live. And yet, we’re still being taken down by injection flaws and broken authentication.
So maybe the question isn’t just whether the OWASP Top 10 has failed us. Maybe the real question is: Why haven’t we done more with what we already know?
Across three prestigious events, the Software Testing Awards recognise the leading teams, individuals, and projects across the APAC, European, and North American QA communities.
SHARE THIS STORY
The Asia Pacific Software Testing Awards
Bangalore, India | September 23, 2025
For nearly two decades, the Asia Pacific Software Testing Awards have celebrated excellence and innovation in the QA community. Open to professionals across the Asia Pacific and UAE, this prestigious event highlights the best minds and breakthrough projects in the field.
Enter one or more of 15 award categories, from innovation to diversity and agile excellence. The awards will be judged by an elite panel including executives from Standard Chartered, PWC, and British Telecom. The high-profile awards ceremony promises an unforgettable evening and unmatched networking opportunities. Whether you’re looking to showcase your achievements or connect with the region’s top QA leaders, this event offers recognition and visibility at the highest level.
the famous st pauls cathedral of london during sunset
The European Software Testing Awards
London, UK | November 18, 2025
The European Software Testing Awards are among the highest honours in software testing. They have celebrated innovation, expertise, and impact in this fast-evolving and highly competitive landscape for nearly two decades.
This prestigious awards programme recognises companies, teams, and individuals who have made significant advancements in software testing and quality engineering. Open to participants across the UK and Europe, the awards offer multiple entry opportunities across 16 categories.
Held in London, this event is a powerful platform for you to showcase your capabilities, and demonstrate your expertise among the best in the industry. The awards ceremony also serves as a premier networking opportunity, bringing together the brightest minds in the industry. Start celebrating excellence by entering the awards today.
Toronto Skyline with purple light – Toronto, Ontario, Canada
The North American Software Testing Awards
Toronto, Canada | November 26, 2025
The North American Software Testing Awards celebrate excellence in software testing and quality engineering, recognising outstanding achievements from individuals, teams, and companies across the region.
Open to businesses and professionals throughout North America, the program offers the chance to submit entries in 16 diverse categories. By participating, you not only showcase the excellence of your work but also boost your brand’s visibility, positioning it alongside the industry’s best.
All Software Testing Awards events share the same categories, with this year’s award categories including:
Best Agile Project: Awarded for the best software testing project in an agile environment.
Most Innovative Project: Awarded to the project that has significantly advanced the methods and practices of software testing and QA.
Leading Supplier of Products and Services: Focused on impact, value, and organisation history.
Diversity and Inclusion Award: Awarded to the company, team, or person that has shown a long-term commitment to Diversity & Inclusion (D&I) within their culture.
Best AdvancingSoftware Testing Practice: Awarded to the outstanding person, team, or initiative that has made a positive contribution to the software testing profession. This is in recognition of those that go above and beyond to make the testing industry or practice better. It means breaking down barriers, thinking beyond the employers or clients, and using skills and knowledge for the betterment of the profession.
Testing Newcomer of the Year: This is awarded to a newcomer from all walks of life that has made an impact in the software testing and QA industry.
Best Test Automation Project – Functional: The award for the Best Use Of Automation in a Functional software testing project.
Best Test Automation Project – Non-Functional: The award for the Best Use Of Automation in a Non-Functional software testing project.
Testing Champion of the Year: Awarded to the testing champion for the most outstanding performance over the last 12 months.
Best Use of Technology in a Project: Awarded for outstanding application of technology in a testing project.
Testing Team of the Year: Awarded to the most outstanding overall testing team of the year.
Testing Leader of the Year: Awarded to the most outstanding business leader that manages a team.
On October 30th, 2025, London will play host to the National DevOps Awards — the preeminent event recognising excellence in the DevOps and QA sector.
SHARE THIS STORY
For almost a decade, the DevOps Awards have celebrated innovation and excellence in DevOps, recognising the hard work and achievements driving the sector forwards year after year.
The independent awards program highlights leaders who are shaping the future of DevOps, as well as providing unmatched opportunities for networking with other industry leaders.
Award categories
This year’s awards honour industry leaders in the following categories:
Most Innovative Project
Best DevOps Project Delivering Outstanding Business Value
Entries opened on the 10th of March, and will close on the 19th of October. During judging week, a category or categories will be allocated to the most relevant judge based on their job function, experience, and/or request. The elite panel of judges have a week in which to mark, review and send back all scores and feedback in advance of judging day.
To make it through to the finals a minimum score must be achieved – if the minimum score is not reached the journey ends for that entry/company. Judging day is a collective meeting involving only the judges in a private location. The shortlist of the top two scoring entries across all categories is reviewed and all judges unanimously decide what entry is the winner.
The judges announce the finalists a day after judging day and winners on the 20th of October at the gala dinner.
Reaching the shortlisted is a significant achievement in of itself. The awards are open to businesses of all sizes, as well as teams and individuals worldwide. With 16 diverse categories, judges evaluate entries against a clear set of criteria, ensuring fairness and prestige.
The awards offer a unique platform to showcase your expertise, gain visibility, and connect with top professionals in DevOps and quality engineering.
Attendees will meet in London on October 30th this year and share your insights with some of the brightest minds in the field.
Richard Ford, Chief Technology Officer, at Integrity360, breaks down how to develop an effective Incident Response Plan.
SHARE THIS STORY
The question is no longer whether your organisation will face a security incident, but when. Sooner or later, an attack will happen, which is why a robust Incident Response Plan is critical, because the size of an organisation does not matter. Big or small, they are all at risk.
An effective Incident Response Plan includes the following four components:
1. A straightforward structure
Simplicity and structure are your allies when creating an Incident Response Plan. A complicated plan will only create confusion. Use charts, bullet points, and clear language to make it easily understandable.
2. Using recognised frameworks
Many organisations opt to use established frameworks ISO standards as templates for their plans. These frameworks offer a structured approach, providing sections and subsections that cover all essential areas, from governance to technical responses.
By using a recognised framework, you not only ensure completeness but also facilitate easier communication with external parties who may be familiar with the framework.
3. Stakeholder responsibility
An Incident Response Team (IRT), typically led by a Chief Information Security Officer (CISO), should be designated to take charge during an incident. The plan should also specify roles and responsibilities for each stakeholder, from IT personnel to legal advisors.
4. Proportional funds
Budget considerations must be part of the planning process. Allocate sufficient funds for personnel, technologies, and training. This allocation should be proportional to the organisation’s size and risk profile.
Small businesses might not have the same resources as larger corporations. A good Incident Response Plan for a small business should be scaled to their specific needs, focusing on the most critical assets and functions. It should prioritise simplicity, clarity, and actionable steps that can be taken with limited cybersecurity personnel.
Overcoming the hurdles of Incident Response Plan implementation
Whilst implementing an Incident Response Plan, various challenges may arise. One example of this could be ensuring all team members are fully trained and understand their roles within the plan.
Another challenge might be maintaining the plan’s effectiveness over time. To overcome these challenges, companies should enforce regular training sessions, continuous plan updates based on new threats and lessons learned from past incidents, and ensure clear communication channels within the organisation.
Examining the effectiveness of an Incident Response Plan
The effectiveness of an Incident Response Plan can be measured through regular testing, such as tabletop exercises or live drills, to ensure team readiness. Additionally, metrics like the time to detect, respond to, and recover from incidents can provide insights into the plan’s effectiveness. Continuous improvement based on these metrics and feedback from incident post-mortems is crucial for maintaining a robust incident response capability.
The importance of detection, reporting, and identification
Proactively monitoring systems
Your first line of defence is detecting an incident quickly. Invest in advanced monitoring systems and allocate personnel to supervise them around the clock.
Streamlining reporting
Streamline reporting protocols so that incidents can be rapidly identified and acted upon. Simplicity is key here, ensuring even the least technical person can report a problem.
Internal and external communication strategies
The role of good PR
Public Relations (PR) and your marketing team (if you have one) play a pivotal role in managing perceptions during an incident. Transparent, timely communication can mitigate panic, control misinformation, and maintain your organisation’s reputation.
Internal communications
Internal stakeholders need to be in the loop as well. Have a plan to keep everyone from top management to the frontline workers informed.
External communication plan
Customers, partners, suppliers, and sometimes the media will require timely and accurate updates. Your plan should specify who communicates this information, how, and when. A failure to report an incident to customers can land you in hot water with regulators and impact your reputation.
Identification, containment, eradication, and recovery
Containment procedures
After identifying an incident, containment is the first priority. Your plan should have procedures for immediate and long-term containment actions, such as isolating affected systems or updating security protocols.
Elimination and restoration
The plan must spell out how to find the root cause of an incident and eliminate it. It should also outline the steps to restore and validate system functionality for business operations to resume.
Security testing services
Regularly scheduled simulated attack scenarios help keep your team prepared and your strategy up to date. It’s crucial for identifying gaps in your plan and rectifying them.
Some notable security testing services include penetration testing, red team testing, vulnerability assessments, and cyber security risk assessments.
The role of cyber insurance
Cyber insurance can be a lifesaver, covering costs that can range from legal fees to ransom payments. Your Incident Response Plan should clearly state how and when to engage your cyber insurance coverage.
The dos and don’ts organisations should follow
Dos
Train staff regularly
Update plans frequently
Communicate transparently
Analyse and learn from every incident
Don’ts
Ignore early warning signs
Underestimate the importance of employee training
Neglect to update stakeholders
Fail to adapt your strategy post-incident
It is important to remember that an effective plan must continuously adapt and evolve – it shouldn’t be static. By integrating these elements, your organisation isn’t just preparing for potential threats, but actively fostering a resilient and secure operational environment for the future.
Rob O’Connor, EMEA CISO at Insight explores why businesses must overcome the fear of adopting new technologies to truly protect themselves from evolving cyber threats.
SHARE THIS STORY
The relationship between machine learning (ML) and cybersecurity began with a simple yet ambitious idea. Let’s harness everything algorithms have to offer to help identify patterns in massive datasets.
Before this, traditional threat detection relied heavily on signature-based techniques – essentially digital fingerprints of known threats. These methods, while effective against familiar malware, struggled to meet the demand of zero-day attacks and the increasingly sophisticated tactics of cybercriminals.
Eventually, this created a gap, which led to a surge of interest in using ML to identify anomalies, recognise patterns indicative of malicious behaviour, and ultimately predict attacks before they could fully unfold. For example, some of the earliest successful applications of ML in the space included spam detection and anomaly-based intrusion detection systems (IDS).
These early iterations relied heavily on supervised learning, where historical data – both benign and malicious – was fed to algorithms to help them differentiate between the two. Over time, ML-powered applications grew in complexity, incorporating unsupervised learning and even reinforcement learning to adapt to the evolving nature of the threats at hand.
Alas — all is not as it seems
In recent years, conversation has turned to the introduction of large language models (LLM) like GPT-4. These models excel at synthesising large volumes of information, summarising reports, and generating natural language content. In the cybersecurity space, they’ve been used to parse through threat intelligence feeds, generate executive summaries, and assist in documentation. All of which are tasks that require handling vast amounts of data and presenting it in an understandable form.
As part of this, we’ve seen the concept of a “copilot for security” emerge – a tool intended to assist security analysts like a coding copilot helps a developer. Ideally, the AI-powered copilot would act as a virtual Security Operations Center (SOC) analyst. It would not only handle vast amounts of data and present it in a comprehendible way but also sift through alerts, contextualise incidents, and even propose response actions.
However, the vision has fallen short.
“Despite promising utility in specific workflows, LLMs have yet to deliver a transformative, indispensable use case for cybersecurity operations” – Rob O’Connor, EMEA CISO, Insight
But why is that?
Modern cybersecurity is inherently complex and contextual. SOC analysts operate in a high-pressure environment. They piece together fragmented information, understand the broader implications of a threat, and make decisions that require a nuanced understanding of their organisation. These copilots can neither replace the expertise of a seasoned analyst nor effectively address the glaring pain points that these analysts face. This is because they lack the situational awareness and deep understanding needed to make critical security decisions.
Therefore, rather than serving as a dependable virtual analyst, these tools have often become a “solution looking for a problem.” Essentially, adding another layer of technology that analysts need to understand and manage, without delivering equal value. While tools like Microsoft’s Security Copilot shows promise, it has faced challenges in meeting expectations as an effective augmentation to SOC analysts – sometimes delivering contextually shallow suggestions that fail to meet operational demands.
Using AI to overcome AI barriers
Undoubtedly, current implementations of AI are struggling to find their stride. But, if businesses are going to truly support their SOC analysts, how do we overcome this barrier?
The answer could lie in the development of agentic AI – systems capable of taking proactive independent actions, helping to bridge the gap between automation and autonomy. Its introduction will help transition AI from a helpful assistant to an integral member of the SOC team.
Agentic AI offers a more promising direction for defensive security by potentially allowing AI-driven entities to actively defend systems, engage in threat hunting, and adapt to novel threats without the constant need for human direction. For example, instead of waiting for an analyst to interpret data or issue commands, agentic AI could act on its own: isolating a compromised endpoint, rerouting network traffic, or even engaging in deception techniques to mislead attackers. Such capabilities would mark a significant leap from the largely passive and assistive roles that AI currently plays.
However, organisations have typically been slow in adopting any new security technology that can take action on its own. And who can blame them? False positives are always a risk, and no one wants to cause an outage in production or stop a senior executive from using their laptop based on a false assumption.
Putting your trust in the machine
Nevertheless, with the relationship between ML and cybersecurity continuing to evolve, businesses can’t afford to be deterred.
Unlike businesses, attackers don’t have this handicap. Without missing a beat, they will use AI to steal, disrupt and extort their chosen targets. Unfortunately, this year, organisations will likely face the bleakest threat landscape on record, driven by a malicious use of AI.
Therefore, the only way to combat this will be to be part of the arms race – using agentic AI to relieve overwhelmed SOC teams. This is achieved through proactive autonomous actions, which will allow organisations to actively engage in threat hunting, defend systems and adapt to novel threats without requiring human involvement.
Cyber attacks happen every minute of every day, but the recent retail hacks at M & S, Co-op, Harrods and Dior have put cyber security in the UK under the spotlight.
Holly Foxcroft, Cyber Security Business Partner at OneAdvanced, discusses why such attacks seem to be ramping up, what makes businesses vulnerable to cyber-crime and why the threat landscape continues to grow.
Holly draws on insights from a 10+ years career in the Navy, as a cyber security lecturer and now working with the Department of Education on responsible AI.
SHARE THIS STORY
Cyber attacks still seem like a dystopian ‘it will never happen to us’ to so many people. While these retail breaches have disrupted operations, and inflicted substantial financial losses, it is the compromised customer data and direct public impact to household names that has turned lots of attention to these latest cyber attacks.
Put frankly, the recent hacks have grabbed headlines because so many members of the public have directly been affected which makes the story sensational and newsworthy.
Why the Sudden Rise in Retail Cyberattacks?
The escalation in attacks is attributed to the activities of sophisticated cybercriminal groups such as Scattered Spider and DragonForce. These groups employ advanced social engineering tactics in their attacks. They often impersonating employees to deceive IT help desks and gain unauthorised access to systems. The retail industry’s vast repositories of customer data and its reliance on digital operations make it an attractive target for such malicious actors. A key word is ‘employ’, showing that cybercrime itself is a booming and growing industry.
Retailers’ Vulnerability to Cyber Threats
Several factors contribute to the retail sector’s susceptibility:
Legacy Systems: Many retailers operate on outdated IT infrastructures, which are more prone to security breaches.
Third-Party Dependencies: The extensive use of third-party vendors and suppliers increases the attack surface, providing multiple entry points for cybercriminals.
High-Volume Transactions: The sheer volume of daily transactions makes it challenging to monitor and detect anomalies promptly.
As mentioned, the cybercriminal groups recognised as being the driving forces behind the attacks focus on sophisticated social engineering tactics. Cyber professionals like to focus on tooling and technology as our main defenders. However, human risk management and understanding insider threats and behaviours of employees remain a vulnerability.
Indicators of Cyber Maturity Deficiencies
The delayed detection and response to breaches suggest a lack of cyber maturity within the sector. For instance, M&S experienced prolonged disruptions, with online services remaining unreliable weeks after the initial attack. Such extended recovery times point to inadequate incident response plans or major incident plans and a need for more robust cybersecurity frameworks in some instances.
However, without fully understanding the nature of what happened once attackers gained access to the network, I would not fully support the statement. An area that M&S got very right in the process was their continued communication with their customers. They were transparent and shared information on what was happening. Communication during an incident is often left out of the incident response plan. However including this as part of your preparation within an incident response will save time and ensure clear and appropriate messages are relayed in a time of crisis.
Historical Context: Lessons from 2014
The current wave of attacks echoes the cyber incidents of 2014, where retailers faced a series of breaches. In the world of cyber security, it’s not IF we get breached, it’s WHEN.
Unfortunately, with the development of new technologies and attacks becoming more sophisticated, it is not history repeating itself as such, it is the fact that the threat landscape continues to grow and employees leave and join new companies. Therefore, there should be collaboration between cyber security and HR to understand the risks and ensure timely cyber security awareness training for joiners, movers and leavers.
Why Is It Happening Again?
I believe it is down to ongoing vulnerabilities, disjointed cybersecurity teams to the business need and the evolving tactics of cybercriminals. While technology has advanced, so have the methods employed by attackers. It could be suggested the retail sector’s slow adaptation to these evolving threats has left it exposed.
Proactive Measures for the Future
History will always repeat itself, that’s the biggest lesson to learn! Unfortunately, we spend most of the time being reactive in cyber security as we fundamentally respond to the presence of an attack or impending risk. Businesses need to spend more time understanding what proactive measures look like – both inside and outside the cyber security team.
Invest in Modern Infrastructure
Updating legacy systems to more secure, modern platforms can reduce vulnerabilities and reduce tech debt. Doing so frees up more potential budget for other endeavours.
Enhance Employee Training
Regular training sessions can equip staff to recognise and respond to phishing attempts and other social engineering tactics. Step away from generic security training and understand how specific risks can affect the business or individuals in the business and deliver bespoke training. Training does not stop at recognising threats, it must also extend to ensuring employees understand what to do when they suspect suspicious activity, and the roles they play during a crisis.
Implement Multi-Factor Authentication (MFA) or Single Sign – on (SSO)
MFA and SSO adds an extra layer of security, making unauthorised access more difficult. Also embed a two-factor authentication for requests such as financial transactions.
Regular Security and Risk Audits
Conducting frequent audits can help identify and address potential weaknesses before they are exploited. Not only that, but they can help identify risks there are to the business. Also, ensure that patch management is understood and fluid through the business. There should be full visibility of all of the environments and assets of the business.
Develop Comprehensive Incident Response Plans
Having a well-defined and tested response strategy ensures quicker recovery and minimises damage in the event of a breach. IRPs should be tested regularly with different scenarios including different areas of the business, not only sitting in the cyber security teams.
To be clear, cyber security is not going away. Technology, and AI is advancing all the time, and criminals will keep evolving their hacking tactics. Businesses need to understand that cyber resilience is business resilience.
Richard Ford, Chief Technology Officer, at Integrity360, breaks down five steps to getting through the early stages in the wake of a ransomware attack.
SHARE THIS STORY
A ransomware attack is one of the most critical threats an organisation can face. It can bring operations to a halt, resulting in significant financial losses, and inflicting serious reputational damage. The way you react in the first 24 hours can make all the difference between containment and catastrophe. During this pivotal window, fast and informed action is essential. Not only to limit damage, but to enable recovery, and identify the root cause.
Whether you’re currently navigating an active breach or want to prepare your response plan in advance, here’s what needs to happen during those first 24 hours.
Step one: verify the attack and isolate affected systems
The moment ransomware is suspected, the priority is to confirm what’s happened. Ransomware doesn’t always announce itself with a dramatic pop-up, it may start quietly, encrypting files and spreading laterally across your network. Early warning signs include inaccessible files, failed logins, or unusual outbound traffic.
Once an attack is confirmed, isolate affected systems from the network immediately. Time is now of the essence. Ransomware attacks often seek to maximise damage by spreading across shared drives and cloud platforms. You should disconnect devices, disable Wi-Fi and VPNs, and block access at the firewall level to prevent further infection.
Having a cyber security team on standby allows for experts to provide step-by-step guidance in real time, helping you make the right moves to contain the threat without destroying forensic evidence. In high pressure moments, panic can lead to costly mistakes. Having a calm, expert-led approach ensures you stay focused and strategic.
Step two: alert internal stakeholders and assemble your response team
Ransomware response is not just an IT issue—it’s a business-wide challenge. Once containment is underway, you must inform key internal stakeholders. This includes executive leadership, legal, compliance, and communications teams. You should appoint a central response lead, ideally from your crisis management team. It will be their responsibility to coordinate efforts and make key decisions quickly.
If you’ve already established an incident response plan, now is the time to activate it.
Step three: protect your backups and avoid engaging attackers
It may be tempting to click the ransom note or initiate contact with attackers to understand their demands. This is strongly advised against. Not only does it carry legal and ethical risks, but it may compromise your recovery options or make you more vulnerable to secondary attacks.
Instead, secure all backups and logs. Identify when the attack began, which systems are affected, and what data may be at risk. Taking note of this information will be crucial for both remediation and regulatory reporting.
Partnering with an expert will significantly improve this process, by providing rapid forensic support to help assess the impact by identifying indicators of compromise (IOCs), tracing the attack vector, and determining the attacker’s dwell time. This information can help you understand if data exfiltration occurred, an increasingly common element of modern ransomware attacks.
Step four: report the incident and review legal responsibilities
Depending on your industry and location, you may have regulatory or legal requirements to report a ransomware incident. This could include notifying the Information Commissioner’s Office (ICO), your industry regulator, or affected third parties.
It is vital not to delay these conversations. By following previous steps, you should have clear documentation and technical insights which will back up your reporting. This will help the process run smoothly.
Step five: begin recovery with help from a cyber security expert
Once the ransomware is contained and systems are stabilised, it’s time to begin recovery. This involves more than just restoring files from backup. You must ensure the attacker’s access is removed, vulnerabilities are patched, and your environment is safe to bring back online.
Having a trusted partner makes all the difference at this stage. Incident response specialists will work alongside IT and cyber teams to validate clean systems, conduct a secure restoration, and put new protections in place. Your business shouldn’t just bounce back; it should come back stronger.
How timely action and skilled expertise makes a difference
The impact of a ransomware attack goes far beyond financial loss – it’s operational, reputational, and often long-lasting. The quicker and more effectively you respond, the more you reduce the long-term impact.
Cyber security firms offer several solutions to ensure organisations are ready to face ransomware. One is emergency incident response, where teams can rapidly deploy to help take control, contain the threat, and recover operations; either on-site or remotely. Another option is to hold an incident response retainer. Retainer services give you guaranteed access to expert responders when you most need them. With predefined SLAs, threat intelligence, and environment familiarity, these tools can help businesses respond faster and more effectively.
Proactive planning leads to a stronger future
The initial 24 hours of a ransomware attack can be overwhelming – but they don’t have to be. With thorough preparation and expert support, you can respond quickly, minimise the impact, and restore operations with confidence. In moments where every minute counts, experience is your strongest defence.
Pierre Samson, CRO at Hackuity, explores the role of a Vulnerability Operations Centre (VOC) in protecting organisations from cyber threats.
SHARE THIS STORY
Software vulnerabilities do not politely queue up waiting for security teams to deal with them one at a time. They emerge constantly, from every corner of the digital estate. There were an average of 108 new Common Vulnerabilities and Exposures (CVEs) recorded every day last year. Cyber teams in most organisations have a huge number of vulnerabilities jostling for attention.
Traditional approaches to deal with these vulnerabilities are typically rely on manual processes and use on disconnected tools and teams with reactive prioritisation. They simply are not suitable for the scale of modern risks, or the speed at which cybercriminals turn exposures into attacks. Practitioners can quickly find themselves spending most of their days running around fighting fires rather than making any meaningful security progress.
This is where the Vulnerability Operations Centre (VOC) comes into its own. Purpose-built as a mission control for vulnerability management (VM), the VOC enables organisations to move from reactive scrambling to strategic action, giving them the best chance of identifying, prioritising and neutralising risks before they escalate. Here’s what a typical day in the VOC could look like.
Scanning the horizon for new risks
One of the most important aspects of the VOC approach is that it provides a centralised platform for all vulnerability management needs. This could be handled by a dedicated team, or as a function of the existing SOC set apart from other activities. It’s a sharp contrast to the common practice of different departments handling VM responsibility in isolation.
Cyber threats can emerge at any time and SOC teams will typically be on alert 24/7. The VOC however means that the team works in a different rhythm from the traditional, firefighting pace of an SOC. Overnight, scanners, threat intelligence feeds and internal asset inventories have populated the VOC platform with fresh data.
Rather than sifting through disconnected reports or spreadsheets, analysts open predefined queries that immediately highlight what matters most. Newly discovered critical vulnerabilities, trending exploits, and urgent exposures are presented with context tying them to the organisation’s most mission-critical assets.
Instead of treating every vulnerability as equally urgent, the VOC applies a risk-led lens. Context is key. A mid-severity CVE on a public-facing server may demand immediate action. However, a higher-scoring flaw deep inside an isolated system can wait for later review.
For critical findings, the VOC team deep-dives into the threat landscape. Has someone weaponised this vulnerability? Is it linked to ransomware campaigns? Has a proof-of-concept exploit been published overnight?
Within the first hours of the day, teams can triaged, ranked and assign vulnerabilities. This ensures security teams focus on the issues that genuinely threaten the business, not the noise that clutters traditional workflows.
Co-ordinating the response
Equipped with this information the VOC can shift from triage to orchestration. Newly identified vulnerabilities are funnelled into structured remediation campaigns, with tickets automatically raised through the organisation’s ITSM platform. Each item is categorised by urgency — whether it needs to be resolved within hours, days, or weeks. This systems sets with clear deadlines and assigns responsible teams.
Rather than flooding IT or DevOps with disconnected alerts, the VOC ensures that the right teams receive the right tasks, supported by all the context they need to act swiftly. Analysts monitor campaign progress in real time, checking which remediation actions are on track and which need escalation.
Suppose a critical patch has not been applied by the set deadline. In that case, VOC analysts chase it directly through the platform. They can comment within the ticketing system to find out what blockers exist and ensure accountability without adding friction.
This approach transforms vulnerability management from an endless, shapeless to-do list into a disciplined, measurable operation.
Security teams are no longer stuck manually chasing updates or duplicating efforts across silos. Instead, they can stay focused on strategic oversight, ensuring the business stays one step ahead of active threats.
Proactive hunting and resilience building
As the day unfolds, the VOC team moves beyond immediate remediation into proactive defence. Analysts use the platform to monitor for older vulnerabilities that may have gained new relevance. This is a crucial task, given that most successful exploits target weaknesses over a year old.
The VOC’s intelligence feeds and risk scoring models automatically flag any shifts in threat activity. For example, a three-year-old vulnerability that once posed little danger might suddenly spike in priority if new exploits are published or threat actors begin weaponising it in the wild.
Service Level Agreements (SLA) help structure this activity. Analysts review SLA dashboards to ensure ongoing remediation campaigns remain on track. As with urgent patching, if deadlines are slipping, they can follow up directly within the platform. Progress stays visible to all stakeholders without bogging them down in manual reporting.
Teams also put this proactive time towards preparation for monthly management reporting. Using real-time data, the VOC team can effortlessly demonstrate key metrics: the volume of vulnerabilities discovered and closed, time-to-fix averages, SLA adherence rates, and high-risk areas requiring further attention.
Delivering resilience through visibility and action
The centralised, structured VOC approach delivers clear results. It means fewer surprises, stronger resilience, and a security function that operates with foresight rather than afterthought.
Transforming vulnerability management from a reactive scramble into a proactive, strategic activity not only better secures the organisation, it also drastically improves the experience for practitioners. Alternating between time-consuming manual drudgework and panicked emergencies makes for a stressful and unsatisfying workday. A burnt-out security team is going to be off their game, and they’re also likely to look for greener pastures – a huge problem in the ongoing skills crisis.
With the VOC in place, security leaders can stop reacting to threats and start each day already armed with a proactive plan to improve the company’s resilience.
Mark Dando, General Manager, North EMEA, at SUSE, looks at the need for observability throughout the tech stack in order to keep organisations agile and competitive.
SHARE THIS STORY
For those IT professionals responsible for modern technology infrastructure, monitoring performance and reliability has never been more important. Not only do systems need to support a myriad of operational needs, but there is also constant pressure to innovate. Whether it’s the opportunities presented by cloud computing and AI or dealing with ubiquitous security challenges, an IT team’s approach to observability plays a major role in organisational agility and competitiveness.
Part of the challenge is that legacy monitoring tools rely on static thresholds. This makes it hard to detect emerging or complex issues and operate reactivel. Not only that, but it lacks the context needed to correlate data across systems for root cause analysis. In contrast, the latest observability tools
extend this functionality to proactive troubleshooting and intelligent alerting powered by AI/ML. Observability is now geared towards wider priorities such as cloud native application monitoring, the performance of microservices and container-based workloads.
The use cases are everywhere. For security professionals, the focus is on threat detection and incident response. At the edge, observability is now a core component of effective technology implementation and management. Organisations bring these capabilities together in what, ideally, is a coherent platform. Doing so delivers actionable insights and supports fast, effective responses across complex environments.
On the edge
Look more closely at what’s happening at the infrastructure edge. Today’s distributed environments are becoming more complex. This trend is driven by organisations looking to process data closer to its source to enable faster, more reliable performance.
But these organisations have thousands or potentially millions of edge devices under their care. This means the impracticalities of legacy systems have become increasingly apparent for tech professionals with competing priorities to address and limited resources to allocate.
Here, the role of observability is to provide the performance and reliability information IT teams require across components’ operational lifecycles. The challenge is to implement a solution capable of handling the enormous volume of data generated by edge infrastructure to ensure comprehensive visibility across diverse geographic locations.
How does this work? Fundamentally, edge observability captures and then utilises telemetry data, including logs, metrics and traces, to monitor the performance state of associated applications and infrastructure. These systems not only gather data but also provide actionable insights that support holistic monitoring across the entire lifecycle of edge components, including services, hardware, applications and networks.
An example is centralised observability, which is used to maintain control over distributed systems, even though these edge technologies will be geographically dispersed. In this context, operators can still manage and respond to issues in real time, ensuring distributed systems perform as required.
The role of OpenTelemetry
Among the most important tools supporting modern observability strategies is OpenTelemetry. As an open source project, it has quickly become a standard approach for cloud native environments, giving developers and operators the ability to consistently collect and transmit telemetry data across an increasingly complex infrastructure landscape. OpenTelemetry establishes the technical groundwork needed to deliver standardised telemetry. But collecting data alone isn’t enough.
This is where observability platforms come in. By integrating capabilities such as AI-powered analytics and anomaly detection, among other features, these platforms make it possible to turn streams of telemetry into insight that informs action. The result is proactive incident resolution, better security outcomes and optimised performance across distributed systems.
Crucially, this also moves the observability conversation away from issues focused around data collection and towards much broader and more concrete business outcomes. Here, the emphasis is on enabling organisations to build resilience, maintain uptime and operate with greater efficiency at the edge and beyond.
To be truly effective, however, cloud-native edge observability must go beyond raw telemetry. On its own, this raw data risks being fragmented and difficult to interpret. Instead, it should be delivered through a platform that combines topology mapping, intelligent correlation, issue detection and automated remediation – providing a real-time view of infrastructure health that’s both comprehensive and actionable.
This matters because user expectations are higher than ever. Organisations expect their edge environments to operate seamlessly, with minimal downtime, consistent performance and effective security. Meeting these demands means observability must evolve from passive data capture to active insight delivery, empowering teams to optimise operations and resolve issues before they escalate – all as part of a culture of organisational resilience and compliance.
Daz Preuss, Chief Operating Officer, UK, at CybExer, looks at the potential evolution of ransomware attacks and how to train cybersecurity teams to combat them.
SHARE THIS STORY
Depending on which data you review and trust, ransomware attacks are either in decline or reached record levels in 2024. The truth as is often the case may well be somewhere in between. What is clear however, is that governments are increasingly exploring new approaches with how to counter the threat of ransomware and cybercrime.
Late last year, the US government focused on reforms to cyber insurance policies as a potential avenue for disrupting ransomware networks. The then deputy national security advisor for cyber and emerging technologies, Ann Neuberger, told the Financial Times that many of the insurance policies covering reimbursement in the case of ransomware are inadvertently feeding the criminal ecosystems they are designed to disrupt.
“We don’t negotiate with (cyber) terrorists”
It was proposed that preventing cyber insurance companies from reimbursing companies impacted by ransomware attacks could in fact help disrupt the cycle. More recently, this approach has also been mooted for consideration by the UK government, with proposals to protect UK businesses and critical national infrastructure by banning ransomware payments.
The thought process being that this will in time deter cybercriminals from targeting such organisations or networks if they know that payment will not be forthcoming. In its reporting when announcing the consideration of these proposals, the UK government revealed that the National Crime Agency managed 13 ransomware incidents between September 2023 – August 2024 that it categorised as posing “serious harm to essential services or the wider economy.”
Regardless of what regulators propose and what they may eventually adopt, however, there are a number of things businesses should be doing to make sure things don’t even get that far in terms of navigating around the potential requirement not to pay.
The key to keeping ransomware at bay
The key when it comes to ransomware is to think about deterrence; and specifically how to create deterrence against perpetrators. While banning ransomware payments may be one solution, another is forcing cybercriminals to work much harder with their attacks. That means ensuring that employees become a vital first line of defence at businesses.
Bad actors undoubtedly see the human element as the weakest link in organisations, and stats show that the majority of breaches involve some sort of human element. However, with the right education and training in place, organisation can flip this statistic on its head.
This means actively promoting cybersecurity awareness and educating employees is vital for businesses to achieve and maintain strong organisational cyber resilience. Providing practical training helps mitigate the risks of employees misunderstanding concepts and also aids in implementing best practices for developing robust security measures and ensuring regulatory compliance at a much higher level.
What’s more, cybersecurity training should be ongoing, not a one-time event. Organisations should conduct regular training sessions, at least quarterly, to ensure that employees stay updated on emerging threats and retain the skills they learn.
Better ransomware training
Some of the most effective training methods include simulating cyberattacks and ransomware threats in real-time. These practical, scenario-based exercises reinforce critical thinking, teamwork, and decision-making under pressure, as well as helping organisations measure preparedness and identify gaps in knowledge or processes.
Ultimately, the key is to make training engaging and relevant to each employee’s role, empowering them to be confident in recognising and responding to potential cyber threats. By combining regular training with advanced defensive tools, organisations can transform the human element at a business from a potential liability into a robust line of defence.
The other important consideration for businesses arming themselves against ransomware attacks is to factor in that even when they have taken all of the precautions and proactive preparedness steps they can, the reality is that it is extremely difficult to protect everything at all times.
This means prioritisation is vital, which in turn means understanding where and what the most significant aspects of the company’s ‘crown jewels’ are and making sure those have the most robust protection in place. This likely means detaching critical core systems from business systems in order to do so.
Preparing for the future
While banning ransomware payments to disincentivise attackers may have its merits, the flip side is that it will make it harder to detect, analyse and prevent future incidents with no visibility into payment flows. This means there is a clear need for balance between regulatory enforcement and intelligence gathering.
However, while strengthening forensic capabilities may be one avenue to mitigate future ransomware threats, the only way to ensure an organisation’s security in this environment comes back to developing the preparedness to respond to these attacks. That means conducting regular cyber exercises and training programmes to ensure employees are up to date with the latest trends, threats and tactics.
We spoke to Rob Pocock, Technical Director at Red Helix on the need to demystify technology for non-cyber specialists, and what the evolution of IT education means in the real world.
SHARE THIS STORY
Red Helix is a leader in cyber security and network performance that has been supporting UK businesses and infrastructure for four decades. Rob Pocock began his career there nearly 25 years ago after moving over from the UK Atomic Energy Authority (UKAEA).
Why does demystification matter?
People at board level want evidence and explanations when investing in technology to defend their organisation from new cyber threats or improve network performance. In many boardrooms – especially in the small and medium-sized segment of the UK market – expertise in these areas is limited.
If boards are not careful, trends, fashions and buzzwords can exert undue influence with unwelcome and costly long-term consequences. We currently, for example, see AI, machine learning and “post-quantum” labels slapped on so many solutions.
Uncertainty and the fear of complexity can also paralyse decision-making, leaving an organisation exposed or under-performing. Many of us are familiar with the Gartner Hype Cycle, so we should be able to step back and simplify the options we put in front of decision-makers. We should demystify what appears to be a complex idea and say, actually, it is not.
What do you mean by simplifying?
As an industry we like to over-complicate and make ourselves sound clever. Technology has improved but it has not changed as fundamentally as people claim. If you step back, you will find a lot of technology is recycled with a different name.
I have worked with mainframe computing, PCs, the shift to data centres and the adoption of thin clients, followed by disaster recovery and the evolution of cloud. But if you listen to the media, you gain the impression these were explosive revolutions, whereas they were step-by-step developments. The cloud is essentially a data centre in a different place.
The whole industry is renowned for reinventing the wheel. About 15 years ago we were all talking about anti-virus and now we talk about EPP (end-point protection platforms) and EDR (end-point detection and response). These are evolutions rather than revolutions.
How do you approach this?
A problem-solving approach should be fundamental. Being a glass-half-full person is admittedly unusual on the cyber side of business where FUD (fear, uncertainty and doubt) is still a sales technique.
I stress the positive effects more than the fear factor. If you remember, the messaging around GDPR was always menacing rather than about the benefits of being resilient, secure and compliant.
I also seek to be a bridge between technology vendors and customers. Vendors often want their kit to seem complicated and innovative, but I am ready to tell them it is not what customers need right now. When the solutions are ready, it is my job to break down the complications so customers understand the value they can gain.
Any aspiring Technical Director or equivalent should be focusing on simplification in these discussions. If you want traction with a board, you need to be armed with explanations and recognise that IT risk is still not well understood in many enterprises.
Where do complex technologies like AI and quantum fit into these discussions?
AI is everywhere but is losing some of its mystery. We know, for example, that cyber criminals use AI in phishing attacks which seemed very threatening when they began. Essentially, they use AI to gather data more efficiently and to draft better-worded and more relevant phishing emails at scale.
Yet we can defeat these AI-powered phishing attacks with updated awareness training and a variety of AI tools such as behavioural analysis and simulated phishing attacks.
We are starting to see where AI and machine learning really work and where they don’t. They can be hugely beneficial, enabling us, for example, to monitor network traffic and spot anomalous activity in network detection and response (NDR) technology. This is more efficient than alternatives – we just need to explain it.
Quantum is certainly becoming bigger, with a lot of noise about cracking encryption in minutes rather than years. As technology advances, we will have quantum-resilient algorithms, entering a game of cat-and-mouse between threat actors on one side, and IT and national security on the other. The biggest current problem with quantum is data-harvesting, as criminals steal data now, hoping to decrypt it when the technology is available to them.
You entered IT at an early age – how do you see changes in training and education?
I got into the digital world early on when serving an electronic apprenticeship at UKAEA. Moving to Red Helix, I gained a deep understanding of many technologies and the challenges facing network operators, the Ministry of Defence and enterprise customers – which was an excellent grounding.
What is different now is the younger generations have gone through IT education and have IT-based degrees, including cyber, whereas when I started 25 years ago this was less widespread.
Youngsters come into the industry with a rounded education and are transferring and absorbing knowledge quickly, which is what we need. But that does have a downside because they have a narrower, more uniform experience which can restrict insight. This affects their approaches to risk management. At Red Helix, we work with our technically advanced recruits to develop their skillset in this area, which is paying off.
IT education at school level is important, as are coding skills. We need more children with the right aptitude to consider a career in IT instead of game development or finance. As an industry, we should also push on with more neuro-diverse recruitment, which has the potential to bring different aptitudes and approaches to problem-solving.
Security, AI, and Digital Resilience: A look inside Visions CIO + CISO
SHARE THIS STORY
The cybersecurity landscape has never been so fast-moving or complex. The stakes have never been higher. A worsening geopolitical reality and increasingly sophisticated cyber threats mean that the role of security leaders is more pivotal than ever as devastating cyber breaches become a matter of “when,” not “if.” It’s a time for information and skill sharing, networking, and collective action in an industry facing a more challenging future than ever.
Visions CIO + CISO Summit brings together executive security and technology leaders and experts from the largest organisations in multiple industries to network and learn from the people driving innovation in the IT and cyber spaces. This year’s event took place between April 28-30, and featured 8 tentpole sessions, over 30 presentations from key industry figures, and more than 30 speakers across the various panels, fire-side chats and peer-to-peer round tables that comprise the rest of the event. Speakers and solutions providers at this year’s event included Illumio, Threatlocker, LastPass, Claranet, Okta, Covertswarm, Intruder, and Ripjar RPC Services. Also in attendance were IT and security professionals from large scale enterprises, including Currys, Astley Digital, 24/7 Home Rescue, H&M Group, IBM, MUFG (Mitsubishi Financial Group), Federated Hermes, Deliveroo, Experian, Saint-Gobain, and Nordea GSK.
At the event, and afterwards, we were lucky enough to catch up with some of the leaders speaking at Visions and get their perspectives on key trends affecting the IT space — from the ever-relevant issue of security to AI and digital resilience.
1. What’s the general outlook for the IT and fintech sectors right now? Is this a scary time? An exciting one?
“It’s an exciting time, particularly within the UK banking sector, where we’re seeing a real shift toward customer-centric innovation. Financial institutions are working hard to deliver seamless, secure, and personalised experiences—often by leveraging cloud, AI, and advanced analytics.”
“There’s a strong emphasis on modernising legacy systems, improving digital onboarding, and enhancing fraud prevention without compromising user experience. This push for technology-driven customer satisfaction is creating space for smarter, faster, and more agile solutions—making it a great time to be contributing to the evolution of digital trust and transformation in financial services.”
2. What are some of the challenges organisations are facing that you can help them with? What problems are they asking you to solve?
“Many organisations are grappling with how to secure cloud environments at scale without slowing down innovation. Key challenges include visibility across hybrid or multi-cloud setups, managing identity and access with precision, and operationalising zero trust.”
“There’s also a strong demand for integrating security earlier in the development lifecycle—what we often refer to as shifting security left. People are asking how to reduce complexity, automate controls, and move away from reactive postures to proactive, real-time risk mitigation.”
1. What kind of outlook does an organisation like Federated Hermes have right now towards the industry? Is this a scary time? An exciting one?
2025 is shaping up to be a very dynamic year for the markets at large. There are rapid developments, from geopolitics to booming technology innovation with AI, that are impacting how the markets move as well changing the environment we operate in as a business. As a global asset manager, Federated Hermes is staying abreast of these changes to ensure we can be where the markets are, whilst maintaining efficiency in our operations for strong profitability.
2. What problems are people asking you to solve right now?
The ever changing world of cyber has historically been difficult for businesses to decipher. In the last few years, it has become even more difficult to keep up, with the advent of AI and how it is changing the technology landscape. Whilst businesses are trying to understand this new technology and embed it into their products and operations, cyber-criminal enterprises are leaping ahead in innovation and starting to leverage it in novel ways. The challenge this brings is two-fold.”
“On one hand, businesses are trying to find the right use cases for AI to get their return on investment at every level. This applies to core business functions, as well as Technology departments and the Security organisations. As cyber strategists we are now being forced to be innovators ourselves and not just passive consumers of the latest products and market trends. This brings a new perspective to how we design controls, build our roadmaps and prioritize our budget items. Boards and executive teams are looking for Security teams who are embracing AI and maximizing the effectiveness and efficiency of their programmes.”
“The second challenge is on the defensive side. The average person, as well as the average corporate employee, is lagging behind in understanding what the latest AI models are capable of, let alone understanding how they can be used to conduct cybercrime. Working in security, we find ourselves in a situation where we both need to find ways to keep up with cyber criminals to defend our enterprises, as well as keep educating our staff and management teams so that we can bring them on this journey.”
1. Would you say this is an exciting time for Astley Digital?
“Astley Digital is at a pivotal point in its journey, experiencing remarkable growth and expanding our service offerings. We’re actively exploring partnerships with innovative cybersecurity companies like ThreatLocker, enabling us to provide even more robust endpoint security solutions for our clients.”
“Additionally, the evolving landscape of cybersecurity is presenting us with unique opportunities to leverage AI for predictive threat analysis, streamline incident response, and enhance our managed security services. This moment is particularly exciting as we are positioning ourselves not just as a service provider but as a thought leader in cybersecurity strategy, risk management, and digital transformation for businesses across various sectors.”
2. What are some of the key challenges organisations are facing that you can help them with? What problems are they asking you to solve?
“Organisations today are grappling with a rapidly changing threat landscape, and one of the most significant challenges is maintaining a strong cybersecurity posture amidst evolving threats. At Astley Digital, we address critical issues such as:
“Endpoint Security: Many organisations struggle with managing endpoint security across remote and hybrid workforces. We provide comprehensive solutions that restrict unauthorised software and applications, preventing potential breaches and maintaining data integrity.”
“Third-Party Risk Management: Ensuring third-party vendors maintain security standards is another pressing concern. We work closely with our clients to assess, monitor, and mitigate third-party risks to prevent supply chain attacks.”
“Incident Response and Recovery: Companies are seeking rapid and effective incident response strategies. We offer real-time monitoring, response planning, and post-incident analysis to minimise business disruptions.”
“Regulatory Compliance: Compliance is a growing concern, especially in highly regulated industries. Our team assists with implementing frameworks that align with industry standards, ensuring data protection and reducing legal risks.”
“We are really fortunate to have reach and presence with clients across different sectors. We have professional service specialisms that respond to many of the trickiest and most important strategy and skill challenges that clients face; technology, cyber security, AI, data, and digital regulations to name a few. Not only is it a great time to be helping clients with those issues and helping them make their businesses more capable, effective, successful and resilient, from a selfish perspective it’s an incredible privilege for our people to be trusted by clients to help with these super interesting initiatives.”
2. What are some of the key challenges organisations are facing that you can help them with? What problems are they asking you to solve?
“We help clients with everything from assessing and improving their resilience positions, to complying with the intersections of a range of existing regulations, frameworks and standards, through to future gazing and thinking about what’s possible through challenging the status-quo.”
“Lately that has included a lot of work on things like AI readiness, development of use cases, working on AI explainability and the human element of potential resistance to the kinds of change that AI and other emerging tech are delivering.”
“Of course an evergreen core of our work is digital resilience, including cyber security, so we do a lot on ensuring that new technology adoptions including those with AI sprinkled throughout them, are digitally and operationally resilient by design.”
“We’re at a turning point where AI is no longer a side conversation—it’s embedded in the way Deliveroo operates. That shift brings real momentum and urgency to the work we do in securing AI adoption and protecting digital environments.”
2. What are some of the key challenges organisations are facing that you can help them with? What problems are they asking you to solve?
“The main concern is how to adopt AI without opening the door to unmanaged risk. Businesses know they can’t sit this one out, but they’re looking for help building the right guardrails to manage risk; especially with evolving regulation and the rise of AI-powered threats like deepfake vishing and advanced phishing.”
1. What are you here at Visions to discuss with your peers in the cybersecurity and IT space?
“The first panel I was part of was the Threat Detection & AI Panel Discussion. We were looking at establishing trust, mitigating risks, and safeguarding security in the age of AI. I focused on how to balance the benefits of AI with the challenges of building trust, managing risks, and ensuring security.”
“Then, I had a deep dive into looking at an age where individuals don’t verify, they just take information, no longer researching to see if the information is correct.”
“I always remain sceptical, whilst understanding the value of efficiency. AI is now embedded in so many tools, but now the main concern is the people within the organisation. Monitoring and education are essential. People will often try to find a shortcut and the easy way to go about things. Until training, governance and understanding is at a level where there can be trust, I suggest turning it off.”
1. These are challenging times for cybersecurity teams. How has 2025 been going for you and Ripjar?
“Ripjar utilises new and emerging technology to solve customer problems in cyber threat investigations and anti-financial crime compliance. We’ve been able to help organisations achieve record results – identifying connections, anomalies and potential risks, while reducing false positives and increasing true positives – leading to best-in-class results in many industries. We’re excited to be sharing that technology, alongside further innovations, with other organisations as we expand our global coverage.”
“The advent of generative AI creates vast risks and opportunities. It also shifts perspectives on existing machine learning and artificial intelligence technologies. It has been exciting to see how the newest AI can be combined with non-generative AI and other technologies to create new solutions to the problems that keep our customers awake at night.”
2. What are some of the challenges organisations are facing that you can help them with?
“Ripjar serves customers in several areas. Our anti-financial crime customers are trying to make sense of the ever-expanding business risks presented by their customers and counterparties in a tumultuous world. We’re able to help them in that journey, whether it’s responding to changing Russian or Middle East sanctions or aligning with the massive political changes that have impacted PEP (politically exposed persons) regimes all around the world.”
“Using foundational AI, we find broad risks in the media – which is often referred to as negative news or adverse media. That means reading through millions of daily news articles to identify risk signals which are important to those handling the world’s global payments or trading internationally. Agility is a key requirement for our customers, and machine learning and AI make it possible to make sense of huge quantities of structured and unstructured data quickly and accurately.”
“Our cyber customers are sophisticated threat investigators working in complex environments, including a number of MSSPs. They rely on our data fusion and investigations software to identify potential threats to their data and ultimately their businesses.”
Looking at the future
The shadows of GenAI, looming threats, and a shifting regulatory landscape loom over the global cybersecurity and IT communities, but the tone is also optimistic. While every leader we spoke to at Visions CIO + CISO acknowledged the threat posed by emerging technologies, many were also excited by the potential of GenAI tools to detect threats and help strengthen cybersecurity defenses.
Given how quickly the circumstances surrounding cybersecurity have changed in just a few short years, it’s almost impossible to predict where we’ll be by the end of the decade. However, the experts we spoke to at Visions are approaching the future with both eyes open — watchful for new risks, and determined to capitalise on new opportunities.
The next Visions CIO + CISO Summit (Autumn, UK) is taking place at the Allianz Stadium in London on 13 – 15 October, 2025. Learn more and register to attend here.
Mohammad Ismail, VP EMEA at Cequence Security, explores business logic abuses as an increasingly common source of cyber breaches.
SHARE THIS STORY
On Valentine’s Day of this year, one of the largest cases of business logic abuse was detected. It saw a botnet distributed over 11million unique IP addresses use API calls to the login systems of a Fortune 500 hospitality provider based in the UK with the express purpose of carrying out fraud by using credential stuffing in an attempt to identify valid user accounts and access payment details.
Timed to coincide with one of its busiest days of the year for the business, the attackers sought to hide among the general influx of bookings but it wasn’t just the timing of the attack that allowed it to fly under the radar.
Business logic abuse
The attack used a technique known as business logic abuse which technically isn’t an attack at all, at least not in the traditional sense. This is because business logic abuse uses the functionality of the API or application against it in order to manipulate workflow processes and/or gain unauthorised access. In these attacks, the calls to the API look legitimate and syntactically correct. In reality, however, the attacker will have studied how it works and whether it can be tricked into oversharing data or if a sequence of events can be reordered to allow them to avoid paying, for instance.
Such attacks are bot-driven and see stolen user credentials, infrastructure such as proxies, compromised servers and devices, and management toolkits from the Dark Web such as SNIPR, BlackBullet or SentryMBA used to repeatedly attempt to complete sign up forms, account logins, partially complete purchases or make bookings. And because these actions appear bona fide, it’s incredibly difficult for defensive measures to detect them. Firewalls, Intrusion Prevention Systems, Web Application Firewalls (WAFs), and security gateways can’t stop them.
Hiding in plain sight
In the case of the Valentine’s Day attack, IP-based detection was ineffective because the attackers used residential proxy networks to mimic legitimate traffic. As a result, even though the attack generated over 28 million security events, these were only equivalent to three events per unique IP address and so failed to raise the alarm.
Preventing these attacks is also problematic. Often the subversion of business logic is not a top priority which means that perfectly coded APIs that are compliant with API protocols can still fall foul of these attacks.
This is because while the API functions correctly, the developer will have failed to anticipate if those functions can be accessed and altered or combined to achieve malicious ends. These forms of abuse are covered in several of the attack types documented in the OWASP API Security Top 10 which provides a useful starting point and should form the basis for building test cases for API testing.
A massive attack surface
But what about those APIs that have already gone live? There’s now a massive installed base of APIs. In fact, API calls now account for 71% of web traffic. This represents an enormous attack surface which business logic attacks are increasingly targeting. In fact, business logic abuse is thought to account for more than a quarter of attacks against APIs.
Addressing business logic issues post-production in applications has principally been done using bot mitigation tools. These use application instrumentation to collect signals from the client by injecting Javascript code into the web application but as both APIs and mobile applications do not use Javascript, typically interacting using XMl/JSON, the attacker can simply bypass the web application and go straight to these. Mobile applications can be compiled with SDK to receive the missing signal but there is no workaround for APIs. What’s more, application instrumentation inevitably adds to development and QA cycles and can even risk breaking the application.
Fingerprinting an attack
What organisations need is a solution that can see all the traffic to a given application or API and detect anomalies based on multiple behavioural-based criteria.
Using a central threat intelligence database of behavioural patterns, known malicious infrastructure and third party intelligence and machine learning to analyse API headers and payloads while local models determine behaviour and intent, it’s possible to create a behavioural fingerprint of the attack.
The unique fingerprint is traceable so that even if the attacker pivots and changes their strategy to avoid detection, they remain under observation. And crucially, as the approach is agentless, it does not require anyone to inject code into the API or application.
It was using this form of behavioural based analysis that allowed the hospitality provider to identify what was happening to its application APIs. It was able to determine that the botnet was predominantly made up of compromised routers and IoT devices and to track the high volume, low and slow and attack, determining that the source traffic was widely distributed over more than nine million IP addresses.
A machine learning-based policy was then devised to block the malicious traffic based on a single unique fingerprint without the need to upload an IP address list. IP lists have limited use because, as anticipated, the attacker quickly attempted to change the infrastructure they were using to continue the attack.
Because the fingerprint was tracked, this too could be successfully blocked.
De-risking the database
As a case example, the attack highlights the importance of not relying on IP-based solutions. In a world where organisations are going API-first, these interfaces now represent key ingress points and if compromised can have significant impacts on the business. These include the potential for increased infrastructure costs incurred from handling the higher traffic volumes resulting from bot attacks.
The loss of revenue from stolen goods and services and risk to the company’s reputation, with customers losing confidence in the ability of the business to deliver. And the cost of investing additional personnel into monitoring and responding to the security incident. But by using behavioural-based analysis, the business can mitigate these risks and using a light tough approach detect and block business logic abuse.
Richard May, director of virtualDCS, explores the key priorities to minimise disruption and protect critical data.
SHARE THIS STORY
Ransomware attacks have evolved from a disruptive nuisance to an existential threat for businesses of all sizes. No longer confined to simple file encryption, modern ransomware campaigns target entire cloud environments, backups, and identity management systems, leaving organisations with few options for recovery.
The evolution of ransomware: beyond file encryption
Ransomware attacks have undergone a troubling transformation in recent years. Attackers no longer limit themselves to encrypting files and demanding payment for their release. They now aim for maximum disruption. And once inside a business’s network, these attacks can spread rapidly, locking down systems, stealing sensitive data, and rendering traditional recovery solutions useless.
One of the most alarming developments is the targeting of backup systems. Many businesses assume their data is safe if they have backups in place, but modern ransomware strains actively seek out and destroy backups before deploying their final payload. Attackers know that if they eliminate the safety net, companies are left with no choice but to comply with their demands.
But this isn’t the only risk. Identity management systems, such as Entra ID (formerly Azure Active Directory), are also increasingly in the firing line. A compromised identity system can grant attackers access to a company’s entire cloud environment, allowing them to manipulate settings, create new user accounts, and maintain persistence within the network long after the initial attack. Without the ability to verify trusted users and access controls, businesses may struggle to recover – even after the ransomware has been removed.
The false sense of security: why built-in Microsoft protections aren’t enough
Many organisations assume that Microsoft’s inclusive built-in security features, within the standard service, offer sufficient protection against ransomware. However, these default security measures are not designed to withstand sophisticated, targeted cyberattacks. Microsoft provides some level of backup and recovery. However, these tools have limitations in scope and retention policies, meaning critical data can still be lost if an attack succeeds.
Cybercriminals specifically exploit these gaps. They know that many businesses operate under the false assumption that their basic security systems adequately protect their data. In reality, while Microsoft secures the infrastructure, its shared responsibility model holds businesses accountable for protecting their own data. Without additional proactive security measures, these vulnerabilities will only increase.
UK ransomware payment ban: raising the stakes for business continuity
In light of the UK government’s proposed ban on ransomware payments, businesses in the public and private sectors could soon be under greater scrutiny in how they report and respond to ransomware threats. If enacted, this legislation would make it illegal for public sector bodies and CNI operators to pay ransoms, removing what has often been seen as a last resort to regain access to critical systems and data. While the outright ban isn’t currently proposed for private companies, they would still be required to report any intention to pay a ransom, with the possibility of the payment being blocked if it violates legal regulations.
Paying a ransom has never been a guaranteed solution, with many organisations never receiving decryption keys even after fulfilling demands – which is one of many reasons cyber security specialists advise against making payment. Not only does it perpetuate cybercrime, but it also fails to address the fundamental security issues at play, meaning companies remain equally vulnerable to future attacks. Still, for many organisations, the ability to do so has provided a desperate fallback. Without it, companies must prioritise building robust backup systems and disaster recovery strategies more than ever, to minimise downtime and prevent catastrophic data loss.
Shifting to a ‘when, not if’ cybersecurity mindset
Given the growing sophistication of ransomware and the rapid rise in threats, companies must shift from a reactive stance to a proactive one. Instead of hoping an attack won’t happen, organisations should operate under the assumption that it will, and take steps to mitigate its impact before it occurs. Prevention is always better than the cure, after all.
One of the most effective ways to do this is by implementing a comprehensive cybersecurity framework, such as ISO 27001 or the updated National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0. This structured approach consists of six core functions that, when properly executed, can help businesses prevent, detect, and recover from ransomware attacks:
1. Govern (GV): shaping cybersecurity governance
This critical function defines and communicates an organisation’s cybersecurity risk management strategy in context, aligning it with its mission and stakeholder expectations. It integrates cybersecurity into broader enterprise risk management (ERM) by setting policies, roles, and responsibilities, and overseeing cybersecurity strategy and supply chain risk management – ultimately strengthening governance across every touchpoint.
2. Identify (ID): understanding cyber risks
Before a business can defend against ransomware, it must first understand its vulnerabilities. Regular risk assessments and audits can help identify weak points in infrastructure, access controls, and backup strategies. Mapping out critical assets and dependencies ensures an organisation can focus its cybersecurity efforts on the most valuable and high-risk areas, in accordance with the its broader risk management strategy
3. Protect (PR): building stronger defences
Prevention is the first line of defence. Implementing multi-factor authentication (MFA), network segmentation, endpoint detection, and secure backup solutions can significantly reduce the risk of successful attacks. Security awareness training for employees is also crucial, especially since human error remains one of the leading causes of a breach.
4. Detect (DE): spotting threats early
The earlier an organisation detects a ransomware attack, the better their chances of mitigating its impact. Continuous monitoring tools, anomaly detection software, and advanced threat intelligence feeds can help businesses identify suspicious activity before it escalates into a full-blown attack, enabling timely response and reducing potential damage.
5. Respond (RS): acting quickly and effectively
When an attack occurs, having a well-rehearsed incident response plan can make all the difference. Businesses should establish clear protocols for isolating infected systems, notifying relevant stakeholders, and executing recovery procedures. Regular drills and simulations ensure that employees know their roles and responsibilities in the event of an attack, ensuring swift and effective action.
6. Recover (RC): ensuring business continuity
A robust recovery strategy is essential for minimising downtime and financial losses. Businesses should implement off-site, immutable backups that cannot be modified or deleted by attackers. A clean room environment – a separate, secure infrastructure used to restore data and verify its integrity before reintroducing it into the production environment – can also prevent reinfection and ensure a smooth recovery process.
The time to act is now
More thana disruptive inconvenience, ransomware is a significant risk that can bring operations to a standstill, spiral costs, and damage reputation beyond repair. With cybercriminals targeting backups, identity management systems, and cloud environments, and the UK government considering increased scrutiny surrounding ransom payments, businesses must take action before they too become victims.
James Neilson, SVP International at OPSWAT, looks at the growing threat of document-borne malware, and how financial organisations can respond.
SHARE THIS STORY
The financial sector has long been a favourite target of cybercriminals. While financial institutions are aware of cyber threats such as phishing and ransomware, a growing attack vector is document-borne malware – malicious code embedded within seemingly harmless files.
James Neilson explains how financial firms are being targeted, what attackers are after and, most importantly, how organisations can defend against these attacks.
Why has document-borne malware become such a significant threat to financial institutions?
Most financial firms are no strangers to cyberattacks and have spent years strengthening their defences and response against cyber threats. However, organised cybercriminals are innovating their attack methods.
Document-borne malware is one such method. Attempting to hide malicious code inside a seemingly benign document is one of the oldest tricks in the book. However, a modern twist has made it an underestimated yet highly effective attack vector.
This is partly due to our growing reliance on cloud-based productivity tools such as Microsoft 365, Google Drive, and Dropbox. Employees routinely upload, combine, archive, share, and download files and documents through these platforms.
Although most firms have security systems to detect traditional malicious attachments, cloud-based files often evade detection. Attackers exploit these workflows, embedding harmful code within Word documents, Zip file archives, PDFs, and Excel spreadsheets.
Common techniques include malicious macros hidden in Office documents, which execute harmful scripts when opened, and JavaScript embedded in PDFs, capable of stealing credentials or downloading additional malware.
Attackers often disguise files using spoofed extensions and seemingly innocent names like “invoice.pdf.” Social engineering tactics further increase the chances of employees opening these disguised files, with attackers impersonating trusted contacts or senior personnel.
What are cybercriminals trying to achieve with these attacks?
Cybercriminals targeting financial institutions are typically motivated by monetary gain—it is rational to go where the money is. There is also a growing threat from state-sponsored actors working toward a political agenda, such as the recent breach of the US Treasury by actors believed to be working for China.
Attackers targeting the financial sector can use document-borne malware to achieve various malicious objectives. Data exfiltration is one of the most common, targeting the sector’s vast stores of sensitive customer data, including payment details, National Insurance numbers, and account credentials. Stolen data is highly valuable on the dark web and can be sold to other cybercriminals or used in identity fraud.
Some criminal groups also attempt to illicitly access internal banking systems directly, manipulating transactions or stealing login credentials that allow them to siphon money from customer accounts. While this is more difficult than simple data exfiltration, previous attacks on the SWIFT bank transfer system have netted criminals millions of dollars.
Attackers can also use document-borne malware to deploy ransomware—encrypting systems and exfiltrating data, which they can then sell on. Ransomware attacks continue to be one of the most pressing cybersecurity concerns for organisations, with 65% of financial services organisations hit by ransomware in 2024.
What are the biggest mistakes financial institutions make when it comes to document security?
Driven by the near-constant threat of cyberattacks and strict regulatory demands, most financial institutions have invested heavily in perimeter defences, endpoint security, and employee training. However, they often overlook the security risks posed by documents themselves.
Security tools and policies have struggled to keep up with cloud-based file-sharing practices. This blind spot allows attackers to exploit common file formats as a gateway to sensitive systems.
One of the most common errors is relying solely on traditional malware detection. Many organisations depend on signature-based antivirus tools, which can miss malware hidden within embedded objects in PDFs and Office files, as well as more sophisticated threats like zero-day exploits and script-enabled attacks.
Another common mistake is trusting files from familiar sources. Attackers often compromise legitimate accounts to distribute malware-laden documents. Just because a file comes from a trusted partner, supplier, or even an internal source doesn’t mean it’s safe.
Financial firms’ sheer volume of incoming files presents a critical security risk. Invoices, loan applications, and account statements arrive by the thousands every day. Without robust file scanning and sanitisation, malicious documents can slip through unnoticed.
Finally, while most organisations are aware of the harmful potential of malicious macros, they often overlook other document-based threats. These include ActiveX controls, OLE objects, and embedded JavaScript, which can execute harmful actions once a file is opened.
What proactive measures should financial firms take to protect themselves?
Catching malicious documents requires a multi-layered approach. Since most of these attacks are designed to act quickly, firms must be able to detect and neutralise them before they infiltrate networks.
Ideally, a combination of policies and technical solutions should be in place. Educating employees on document security risks is essential, as human error remains a significant vulnerability. Employees should be trained to identify common signs of suspicious file attachments, phishing attempts, and social engineering tactics. Security awareness training and a culture of shared security responsibility are key.
However, employees should not be the principal line of defence. Advanced email scanning tools should be configured to detect malicious attachments, embedded links, and spoofed sender addresses before they reach employees. Files don’t just enter via email, though. Consider files uploaded through web apps from customers, suppliers, business partners and affiliates, even across business unit boundaries.
Rather than relying on a single antivirus solution, firms should implement multi-engine malware scanning to detect threats that singular security tools might miss. Layer on advanced sandboxing to use behavioural detection to identify previously unknown threats by their actions before they cause damage.
Additionally, all incoming files should undergo sanitisation using Content Disarm and Reconstruction (CDR) technology. This process removes active threats by stripping out malicious macros, scripts, and embedded objects while preserving file usability. As a result, only safe, clean files reach users.
By taking these steps, firms can significantly reduce the risk of document-borne malware infiltrating their systems. A successful breach of the financial sector is a prime target for profit-driven gangs and state actors alike. All organisations must be prepared to defend against the latest attack tactics.
David Sancho, Senior Antivirus Threat Researcher at Trend Micro, investigates the threat of “hacktivism” against the modern enterprise.
SHARE THIS STORY
The term itself may have been coined in the late 1990s, but hacktivism is still thriving in the mid-2020s. In fact, what were once loosely connected and decidedly amateur activist groups are increasingly evolving into more highly skilled, focused and formidable “digital militias”. And they are determined to make an impact.
The bad news for corporate network defenders is that hacktivists can always contrive a pretence to attack. That means no organisation is safe. It’s time to expect the unexpected.
From activism to impact
For many years, hacktivism was associated with groups like Anonymous and LulzSec. These organisations mainly used distributed denial of service (DDoS) attacks and web defacement to make political points. Although their rhetoric may have been fierce, these highly distributed collectives mainly worked to raise awareness of political causes. Notably, these included the Occupy movement, the Arab Spring, and the treatment of Julian Assange. Their campaigns rarely caused significant financial, reputational or operational harm to the chosen victims. Websites soon came back online, defaced pages were returned to normal, and the world quickly forgot about any non-sensitive information that may have been leaked.
That’s certainly not the case in 2025. The hacktivist groups we encounter today are usually focused on impact as well as attention. They want to hack and leak sensitive information, destabilise governments and businesses, and even disrupt critical services. As a result, they’re more likely to be made up of a tighter inner circle of skilled operatives. These operatives then recruit carefully in secret and focus on operational security (OpSec) to evade the authorities.
Understanding the drivers for hacktivism
Their motivation could be ideological, political, nationalist or simply opportunistic—and in some cases, a blend of more than one of these drivers. Most tend to be ideologues focused on religious or geopolitical conflicts. Think: pro-Russian “NoName057(16)”, which accuses its detractors of “supporting Ukrainian nazis”, or GhostSec, which claims fight for a free Palestine.
Then there are the politically motivated groups that seek to influence government policy. SiegedSec has targeted conservative initiative Project 2025, while being a vocal participant in #OpTransRights. GlorySec, a likely South American group of self-described anarcho-capitalists, aligned with Taiwan in its attempt to break free from China’s sphere of influence.
Nationalist groups are less common but often go heavy on cultural symbols and patriotic rhetoric to justify their actions. The Indian “Team UCC” likes to position itself as a defender of persecuted Hindus worldwide, especially in Bangladesh. Several pro-Russian groups also fit the nationalist mould, with prominent Russian flags and jingoistic pronouncements about defending the motherland.
Opportunistic groups, on the other hand, seem to target victims simply because they are easy to hack. SiegedSec hacked into a Chinese messaging application’s website, claiming that “it’s not secure at all”, for example.
The whole picture gets more confusing still, when one peers closer. The Israel-Hamas conflict has drawn in other groups for which this fight is not their main focus, such as TeamUCC (pro-Israel). Pro-Russian groups often side with China in disputes, for example. Also, GlorySec aligns with Ukraine, NATO, and Israel but seems unsupportive of trans rights. The bottom line is that these loose cannons could theoretically find a reason to turn their firepower on any potential target.
Hacktivism, cybercrime and state-level attacks
They do this using many familiar TTPs. DDoS is a favourite, with attacks now fairly straightforward to launch given the number of booter sites open for business. Although these attacks have become more advanced of late, incorporating multiple attack vectors to bypass traditional mitigations, they are relatively low impact. Likewise, web defacements are usually short-lived, even though some more recent attacks include malicious code injections to compromise victim networks.
More concerning for organisations caught in the hacktivist crossfire are hack-and-leak campaigns. These campaigns are designed to exfiltrate and publish sensitive data via file-sharing platforms. Iranian state-aligned group Cyber Av3ngers was a prolific exponent of this, sharing details of SCADA systems from an Israeli facility, which were subsequently assessed to be recycled.
The same group has been pegged for attacks on critical infrastructure systems, an increasingly popular tactic for hacktivists. Its compromise of Israeli-made industrial control devices in utilities facilities led to much hand-wringing from American security experts, and residents in Ireland going without drinking water for two days.
Perhaps most concerning is the increasingly blurred lines between hacktivism and cybercrime activity. Some groups, like CyberVolk, are using ransomware to fund their operations. Others have promoted a variant dubbed “SMTX_GhostLocker”, which seems to be developed by GhostSec. And some hacktivists, like Ikaruz Red Team, use ransomware to target their victims, although not ostensibly to generate profits.
An equally concerning development is the alignment of state activity with hacktivism. This is most obvious in Russia, where groups like NoName and KillNet have long been suspected of government direction or arms-length involvement. The UK’s NCSC has warned about the potential for destructive attacks by such groups.
Playing the long game
Against this fast-evolving backdrop, the best response for CISOs is to get back on the front foot through investment in DDoS mitigation, and documenting and patching external systems to reduce the risk of defacements. For more sophisticated threats, the best approach is attack surface risk management (ASRM). This approach continuously monitors assets for security gaps and then recommends remediation steps. Combined with extended detection and response (XDR), it provides both resilience and rapid discovery and containment of threats before they can cause harm.
Above all, plan for the long term. These digital militias aren’t going anywhere.
Sam Peters, Chief Product Officer at ISMS.online looks at whether the latest regulations around ransomware payments will be as effective as the government hopes.
SHARE THIS STORY
Ransomware attacks remain a persistent danger to businesses. And according to the National Cyber Security Centre’s (NCSC) Annual Review 2024, these attacks continue to pose the most immediate and disruptive threat to the UK’s critical national infrastructure.
The Government’s initiative to widen the ransomware payment ban to public sector organisations, the NHS, schools, councils, and critical infrastructure providers, to make them unattractive to cybercriminals, is a daring move in fighting cybercrime. For too long, ransomware operators have benefitted from a “pay-and-forget” culture, reaping profits with little consequence.
Cutting off the financial incentives is a significant move. But will this ban stop the attacks?
The ransomware payment ban: The proposals
The Home Office is currently carrying out a three-month consultation on three proposals. The first is a targeted ban on ransom payments for public sector organisations and critical national infrastructure providers. The second, a requirement for private organisations to report payment intentions before proceeding; And the third, mandatory incident reporting for all victims enhancing the intelligence available to UK law enforcement agencies. This will enable law enforcement to identify emerging ransomware threats and focus their investigations on the most active and harmful ransomware groups.
While these proposals aim to deter attacks and improve intelligence-sharing, they also present issues.
The government hopes that a complete, although targeted, ban on ransom payments for public sector organisations will remove the financial motivation for cybercriminals. However, without adequate investment in resilience, these organisations may be unable to recover as quickly as they need to, putting essential services at risk.
Many NHS healthcare providers and local councils are already dealing with outdated infrastructure and cybersecurity staff shortages. If they are expected to withstand ransomware attacks without the option of paying, they must be given the resources, funding, and support to defend themselves and recover effectively.
Short term wins; long term losses
A payment ban may disrupt criminal operations in the short term. However, it doesn’t address the root of the issue – the attacks will persist, and vulnerable systems remain an open door. Cybercriminals are adaptive. If one revenue stream is blocked, they’ll find other ways to exploit weaknesses, whether through data theft, extortion, or targeting less-regulated entities.
The requirement for private organisations to report payment intentions before proceeding aims to help authorities track ransomware trends. However, this approach risks delaying essential decisions in high-pressure situations. During a ransomware crisis, people need to make decisions in a matter of hours, if not minutes. Adding bureaucratic hurdles to these critical moments could exacerbate operational chaos.
Similarly, if an organisation needs urgent access to its systems to maintain critical services, a delay caused by regulatory reporting could increase the damage. There is also the possibility that some businesses may avoid disclosure, undermining the intended benefits of the policy. Also, who foots the bill for the operational chaos if payment is denied?
Mandatory reporting of ransomware incidents is also an important step in building a clearer understanding of the threat landscape. However, fears remain about how organisations will respond. Many may be concerned about regulatory scrutiny or reputational damage which could lead to underreporting. If this policy is to be effective, the government must ensure that reporting mechanisms offer practical support rather than retributive consequences.
Resilience is essential
Resilience is the key here. Rather than focusing solely on banning payments and implementing regulatory reporting, organisations should prioritise preventing attacks and ensuring they have robust recovery strategies. However, without the right funding and support, under-resourced organisations won’t just struggle to prevent attacks, they’ll also flounder in recovery.
Leveraging a framework like ISO 27001 has proven effective in bolstering defences and preparing organisations for worst-case scenarios.
This framework helps organisations integrate security into their daily operations rather than treating it as a second thought. Public sector bodies can strengthen their defences by systematically identifying vulnerabilities and reducing the likelihood of falling victim to an attack. ISO 27001’s emphasis on regular testing and monitoring ensures that threats are detected early, limiting the potential damage.
One of the most critical aspects of resilience is business continuity. ISO 27001 places significant focus on incident response planning, ensuring that organisations have a clear and tested strategy for restoring services. This is especially key for public sector organisations that cannot afford extended disruption. By having a set recovery plan, organisations can avoid the difficult decision of whether to pay a ransom simply to get back online.
Yet many public sector bodies simply lack the staffing, expertise, or funding to adopt these strategies at scale. Without significant investment in cyber resilience, the ban might feel like the Government is tying public sector organisations’ hands behind their backs.
So, if this ban comes into effect, what other options does the Government have to support and help public sector organisations?
Additional initiatives
The government, instead of relying on overstretched and underfunded bodies to manage ransomware response on their own, could assist with developing cyber expertise and supporting these businesses. One way to do this is to enhance the UK Cyber Cluster Collaboration (UKC3) initiative. This would increase the support these regional cybersecurity support hubs can offer by pooling cybersecurity professionals to assist multiple councils, schools, or NHS trusts rather than each trying (and failing) to build their own team.
Similarly, the government could also establish a Cyber Civil Defence initiative which engages vetted cybersecurity professionals who can volunteer to assist in national or regional cyber emergencies – like that of voluntary organisations supporting emergency response like St John Ambulance. This could be structured as a public-private partnership, tapping into the expertise of private-sector security firms that handle ransomware incidents.
Public sector bodies also often face slow, bureaucratic procurement processes that prevent them from quickly obtaining the necessary cybersecurity tools. The government could create pre-approved cybersecurity solution frameworks (similar to the G-Cloud procurement model), allowing organisations to deploy vetted security solutions rapidly without red tape.
Ultimately, the government’s ambition is commendable, but ambition without actionable support, risks failure. If this ban is to succeed, it must be paired with tangible investments in cybersecurity for the public sector: grants for modernising infrastructure, workforce training, and robust incident response resources.
Cyber resilience should be a fundamental component of organisational operations rather than merely an afterthought or compliance exercise. Without this, the ban could fail, penalising victims while allowing attackers to remain unaffected.
Andrew Lintell, General Manager, EMEA at Claroty, looks at why your business should be investing in Operational Technology (OT) security in 2025.
SHARE THIS STORY
State-sponsored cyber threats are escalating. In a recent speech at the UK Government’s Cyber Security Conference, NCSC Richard Horne highlighted nation-state activity as a leading issue in an increasingly hostile cyber threat landscape.
While many industries are at risk of this heightened aggression, critical infrastructure is particularly vulnerable. Essential services such as energy, water, and transport have become key targets in aggressive geopolitical cyber strategies.
The risk is made worse by the fact that so much critical infrastructure relies on operational technology (OT) systems that are often outdated, heavily siloed, and easy prey for dedicated threat actors. To withstand these evolving threats, 2025 must be the year of OT security investment, where IT and OT teams work in unison to defend against nation-state adversaries.
How nation-state cyber threats are accelerating
Cyberattacks against critical infrastructure have become a fundamental tool of statecraft, with activity aimed at disrupting economies, weakening rivals, and asserting geopolitical influence.
The CRINK nations – China, Russia, Iran, and North Korea – are among the most active. You can connect almost all nation-state-sponsored cyber incidents to one of the four. In just one example, last year multiple security agencies around the world, including the NCSC and CISA, issued a joint advisory against Chinese state-sponsored actor ‘Volt Typhoon’. The group targets water, energy and transportation sectors around the world with the intention of setting up significant and disruptive attacks in the future.
The most worrying aspect of these attacks is their potential to cripple essential services. Attacks on cyber-physical systems causing operational downtime and widespread disruption can create very real damage in the physical world, from energy blackouts to preventing emergency healthcare.
One of the most prominent examples is Sandworm, an APT linked to Russian military intelligence, which is believed responsible for multiple attacks on Ukraine’s power grid over the last decade. The group deployed the Industroyer and Industroyer 2 malware, custom-built for targeting industrial equipment using specific protocols. Sandworm is also responsible for the notorious NotPetya malware, which spread far beyond its intended Ukrainian targets.
The convergence of IT and OT environments has inadvertently expanded the attack surface and given cyber adversaries new opportunities to infiltrate industrial control systems.
The outdated siloed model of IT and OT security is no longer viable
For years, businesses have treated IT and OT security as separate disciplines, with little in the way of united visibility or strategy. This may have worked in years past. However, the increasing crossover between the two fields means this fragmented approach is no longer sufficient.
Traditional IT security models – typically focused on protecting data and network perimeters – fail to address the unique risks posed to OT environments, where system uptime and physical safety are paramount.
Visibility is one of the key challenges. OT networks tend to include a large number of legacy systems that were not designed for modern security controls. Further, it’s common to find multiple different proprietary operating systems. This makes it more difficult to effectively monitor the network and detect signs of intrusion and malicious activity.
Attackers can exploit connectivity between IT and OT systems, using IT breaches as stepping stones to disrupt critical operations, while also using the visibility gaps to avoid detection.
Budget priorities must shift towards OT security
Despite the rising threat to OT environments, cybersecurity budgets have traditionally focused on IT security, leaving industrial systems vulnerable. This must change in the year ahead, and budget trends must shift to favour OT-specific investments if organisations are to defend against nation-states and other advanced threats.
Key investment areas should include both OT-specific threat detection and intrusion prevention systems and network segmentation to limit lateral movement in case of a breach. It’s also important to implement secure remote access solutions to mitigate third-party risks from the expansive supply chains present in most critical sectors.
Prioritising the budget for OT also needs to go beyond common vulnerabilities and exposures (CVEs) because there are just so many potential vulnerabilities out there. In a sample of 270 organisations, we found more than 111,000 known exploited vulnerabilities (KEVs) in OT devices – an impossible number to budget for.
The key to making it manageable is to filter for public exploits linked to threat groups and insecure connectivity to find the most critical issues. From our sample, this reduced 111,000 to around 3,800 – creating a manageable, targeted remediation approach.
Equally as important as this, any technology must be backed by close collaboration between IT and OT departments.
Bridging the IT-OT cultural divide is key
OT management often remains heavily siloed from IT, even as the two sets of technology have become increasingly interconnected to facilitate better automation and remote access.
The two fields also have different priorities. Historically, IT has focused on data confidentiality and access control, while OT is more concerned with delivering safety, uptime, and operational efficiency. These differing objectives often lead to resistance when implementing cybersecurity measures, particularly if stakeholders perceive them as disruptive to critical processes.
To bridge this divide, organisations must actively seek to foster cross-functional collaboration between IT and OT teams. On an operational level, investing in OT-specific cybersecurity education can help teams understand emerging threats.
CISOs play a crucial role in aligning these teams, ensuring that security controls enhance, rather than hinder, operational continuity. Companies that successfully embed cybersecurity into their organisational culture will be far better positioned to detect, mitigate, and respond to OT threats.
Why IT-OT security task forces are the next step in cyber resilience
One of the most effective ways to align OT security with the rest of the organisation is to establish joint IT-OT security task forces that report directly to the board. These groups can not only improve collaboration between the two environments, but also make it easier to raise OT security as a board-level issue. This level of stakeholder visibility can make it easier to secure dedicated resources for OT-specific threat detection, vulnerability management, and incident response.
A well-structured IT-OT security task force should conduct regular risk assessments to identify vulnerabilities across converged environments, working together to implement solutions like network segmentation to contain potential breaches. It’s also important to develop OT-specific incident response plans to minimise downtime during attacks.
Treating OT security as a business essential
As state-sponsored threats escalate, OT security can no longer play second fiddle to IT. All organisations managing cyber-physical systems must ensure they prioritise investing in OT-specific protections in the year ahead, along with the education and collaboration needed to use them effectively.
Those who take a proactive approach to OT security in 2025 have the best chance of foiling cyber adversaries’ intent on disrupting critical infrastructure as part of their geopolitical agenda.
Peer Software CEO Jimmy Tam presents a new approach to unlocking business resilience and continuity with real-time file synchronisation.
SHARE THIS STORY
Your system has crashed. It’s 3pm and your last snapshot was two hours ago. All the work your organisation has done for the last couple of hours is lost. This includes all the user and application files your employees and partners have been collaborating on and sharing with others.
And now, as well as trying to bring your system back online, your team is also fielding calls and emails, asking what’s happened to valuable work that simply can’t be retrieved.
It’s easy to imagine, because just about all of us have been there. Backup solutions act as a safety net. But the cost and the sheer volume of storage required for backing up data means that we have to compromise on how often we snapshot our data. The impact of this is two-fold. As well as the time and cost of restoring backed up data, you’re also left with gaps, data that wasn’t captured in the last snapshot is lost forever.
Ten years ago, losing a few hours’ data would perhaps have been a manageable setback. But now, as we increasingly rely on digital workflows and real-time collaboration, even small data losses can result in serious financial, operational and reputational damage.
You might already have something in your IT arsenal that could help and you may not even realise it. Some real-time distributed file management systems, which are often used for basic file access or collaboration, offer the opportunity to synchronise your data across different locations in real time. Which means you already have a copy of your data – and it’s up-to-date not just a snapshot from earlier in the day.
Making your real-time file sync work harder
To protect your data from loss, a real-time file sync solution just needs a few adjustments. Do this to maximise your software’s potential:
1. Optimise your data synchronisation for backup and recovery
If you’re already using real-time file sync software, it likely enables your colleagues to share and collaborate on documents wherever they are. The technology replicates data in different data centres to enable local file access for performance and may even have file locking to ensure versioning. It’s this functionality that we can tap into.
To make sure critical files are safeguarded, set up real-time synchronisation to multiple locations, including a designated backup target. For added protection, consider using immutable Object storage, which prevents unauthorised changes and is resistant to ransomware and malware attacks. This approach ensures that data is continuously replicated and readily recoverable.
2. Automate failover and failback
When designing real-time file replication workflows, consider implementing a global namespace like Microsoft DFSN. This enables seamless failover and failback capabilities, ensuring uninterrupted access to project files across primary file servers and other servers in collaboration environments, even during an outage.
After a failover event, the system automatically synchronises all changes made when they come back online.
This approach reduces reliance on fragmented backups, maintains productivity during system downtime, and eases the burden on admin teams.
3. Secure your sync
Using real-time file sync to protect your data can only work if you’re certain that the system is secure. There are so many different ways your data could be lost or changed in error. Mitigate risks by using end-to-end encryption for in-transit and stored data.
Then limit access to essential users. Use role-based permissions to restrict file access to authorised users. For example, you could only allow HR or legal staff to view or modify specific files.
And monitor for unusual activity with alerts to detect and respond to suspicious behaviour. So, if a large number of files are suddenly modified or deleted, your team can respond quickly and protect your data.
4. Monitor and test your sync performance
With real-time file sync now part of a business continuity plan, it’s even more important to make sure it’s working well, that all critical data is synced and that any bottlenecks or weak points are spotted early.
Include performance monitoring in your continuity strategy. Set realistic targets and be clear what level of performance you need to protect your most critical data. And agree to the actions you’ll take if your software’s performance falls short.
5. Integrate with business continuity plans
It’s time to think beyond the IT tool label, and instead position real-time file sync as a critical component of your broader business continuity strategy. Integrating it into continuity planning ensures you don’t end up overlooking it. And it’ll be easier to spot opportunities to bridge gaps in disaster recovery protocols.
Position real-time sync as part of your continuity framework – show how you’ll sync data to geographically redundant servers and ensure teams can work remotely during outages.
Take another look at real-time sync
IT teams often view file sync as a collaboration tool. A closer look shows that it can significantly benefit business continuity too, often outperforming traditional snapshot backups. With zero recovery gap, continuous workflow and faster recovery times, teams can pick up right where they left off. With real-time synch, there’s no need to manually restore large snapshot data.
And while snapshots have an important role to play as part of a layered backup strategy, your existing real-time file sync helps to ensure business continuity during day-to-day operations.
Chuck Herrin, Field CISO at F5, looks at AI-powered cyberattacks, supply chain risk, and other threats converging to define 2025.
SHARE THIS STORY
AI-driven attacks fuelled the threat landscape in 2024
In 2024, threat actors moved beyond experimenting with artificial intelligence to mastering it for exploitation. AI has amplified familiar attacks like ransomware and phishing. However it has also made advanced techniques like hardware hacking accessible to more inexperienced threat actors.
The challenges AI presents will compound in 2025. Last year saw a 44% increase in cyber-attacks, predominantly fuelled by AI, which targeted governments around the world. This year, threat actors will continue their efforts to undermine federal systems and provoke an already tumultuous global landscape.
API will be the critical control point
All organisations, from small businesses to nation states, are adopting AI at breakneck speed with the mindset of “if we don’t, ‘they’ will”, in a race to beat competitors without thoroughly thinking through plans for AI implementation.
The race to AI adoption shouldn’t just be about speed. We’re seeing this mindset developing into a dangerous repeating cycle where the pressure to deploy AI faster is making us more dependent on it to manage the complex systems we’re creating. We are already seeing the push for AI adoption in government systems experience teething issues, and while this is to be expected, it does raise concerns. If it continues at this breakneck speed, it won’t be long before these teething issues turn into significant security vulnerabilities.
In many ways, we’re seeing a dangerous parallel to the rushed cloud adoption of the early 2010s, only with greater stakes. To avoid history repeating itself, governments and organisations need to prioritise AI architecture and defence systems, with application programming interface (API) security used as the critical control point. Every AI interaction happens through APIs, making it both the enabler, and the potential Achilles’ heel, of the AI transformation.
Organisations today are woefully unaware of their API ecosystem and attack surface. As a result, unmonitored and unmanaged APIs could be an organisation’s downfall.
Rethinking supply chains and reducing risk
Organisations caught between prioritising efficiency with reduced workforces and restrictions in technology supply chains, have the potential to create new classes of systemic risk as they attempt to do more with less.
In the face of these challenges, it can be expected for supplier due diligence to drop, and an increase in an organisations’ vulnerabilities to third, and fourth, party risks. Many companies will then also turn their focus to AI adoption and platform consolidation to reduce supply chain risk and ensure only trusted vendors remain.
Dangerous trends will converge
Right now, we’re seeing a convergence of three dangerous trends. Rushed AI adoption is colliding with a proliferation of unmanaged APIs, and a reduction in human oversight
Left unchecked, these trends will inadvertently centralise governments’, or organisations’, vulnerabilities, creating perfect ‘watering hole’ targets. By compromising one frontier model, the impact will cascade across multiple entities. At the heart of this, unmanaged APIs connecting AI systems, will reduce oversight and governance, leaving organisations vulnerable.
Reminiscent of early GPS users driving into fields and lakes because “the computer said to turn right”, over trust in AI combined with reduced oversight has the potential to impact everything from policy decisions and intelligence analysis to emergency response. We’re facing an increasingly turbulent global landscape. Organisations must reevaluate their approach to AI implementation or risk threat actors exploiting these weaknesses for nefarious purposes.
We speak to James O’Sullivan, CEO and Founder of Nuke From Orbit, about the changing mobile security landscape, and how to keep devices safe.
SHARE THIS STORY
1. How at-risk is my smartphone now compared to a few years ago? How is the cybersecurity landscape around personal mobile devices evolving?
The UK has seen a worrying shift in how criminals target smartphones. Over 200 phone or bag snatch thefts happen every day in England and Wales, and the consequences go far beyond losing a device. A stolen phone can mean financial fraud, data breaches, and reputational damage—not just for individuals but also for businesses.
I know this firsthand because it happened to me. Losing my phone wasn’t just inconvenient; it also allowed criminals to access my financial, social, and corporate accounts. That’s why I created Nuke From Orbit, a security solution designed to instantly cut off criminal access and help victims regain control of their digital identities.
And the problem is getting worse:
62% of victims suffer further losses after their phone is stolen, with 1 in 5 having their banking apps breached and 1 in 4 losing money from their digital wallets.
With mobile payments now overtaking cash and card transactions in the UK, criminals are targeting smartphones for resale and the personal and financial data inside them. This means we must act now—before more people fall victim to this growing threat.
2. The rising cost of cybercrime: What does it mean for individuals and businesses?
Smartphone theft in the UK has more than doubled, with 78,000 reported incidents in the past year alone. That’s a sign of how much we rely on our mobiles in daily life—whether for banking, work, or social connections. But it also means the risks are more significant than ever.
I recently spoke with ethical hacker Nikhil Raine, who put it bluntly:
“Once criminals have access to your accounts, you’re at risk of a full-scale account takeover. If your phone is lost or stolen, you must act fast—report it to your bank, freeze your accounts, and change all your passwords. Check your bank statements regularly for suspicious transactions, and monitor your credit score. If your personal details end up on the dark web, you could face identity fraud, deepfake scams, and criminals impersonating you to steal from your friends and family.”
This isn’t just an inconvenience—it’s a long-term security risk that can impact everything from your finances to your reputation.
3. The role of AI: A game-changer in security—or a new weapon for criminals?
AI is already transforming mobile security, but its implementation presents serious challenges. While AI-driven fraud detection is improving, it still struggles to differentiate between genuine transactions and suspicious activity, especially when users make one-off or high-value purchases.
At Nuke From Orbit, we’re exploring how AI can analyse phone behaviour—like usage patterns, location data, and unexpected changes—to detect theft and trigger immediate protective
measures. However the challenge is ensuring accuracy without creating false alarms that frustrate users and lead them to disable security features altogether.
At the same time, criminals are weaponising AI to power a new wave of cybercrime. Voice cloning, AI-driven phishing, and deepfake scams are becoming more advanced, allowing hackers to impersonate people with alarming accuracy.
That’s why the tech, finance, and telecoms industries must step up—investing in AI-powered behavioural analysis and multi-layered authentication to keep people safe. But technology alone isn’t enough; user education is critical in helping people spot and avoid AI-powered scams.
4. Emerging threats: What should smartphone users be on the lookout for?
Cybercriminals are evolving their tactics. One growing concern is “shoulder surfing”—when criminals watch people enter their PINs or passwords in public places. It might sound low-tech, but it’s highly effective. A thief who spots your unlock code can steal your phone and access everything inside it within seconds.
Simple steps can help prevent this:
Be aware of your surroundings when entering passwords.
Use biometric authentication whenever possible.
Enable privacy screens to block prying eyes.
Beyond that, there are clear warning signs that your phone may have been compromised. If you notice:
Unfamiliar activity on your accounts (transactions you didn’t authorise, messages you didn’t send). Strange app behaviour (apps opening or closing unexpectedly, settings changing on their own). Performance issues (sudden battery drain, overheating, or increased data usage).
These could all be signs that your device has been hacked. If that happens, act immediately: change all your passwords, run a malware scan, and use a security app to lock down your accounts before further damage is done.
5. Has remote work blurred the lines between personal and work devices?
Absolutely. Since the pandemic, the way we use our phones has changed dramatically. People now access confidential work emails, sensitive documents, and corporate messaging apps on personal devices—often without realising the security risks.
This is a huge problem because:
Personal devices are harder for IT teams to secure.
Work files and emails can be automatically backed up to personal cloud accounts.
A single stolen phone can expose both personal and business data.
Companies need to get serious about this. If possible, issue dedicated work devices to employees. If that’s not an option, businesses should at least restrict access to critical systems on personal devices and use mobile device management (MDM) tools to enforce security policies.
Security and convenience will always be at odds, but businesses must accept that prioritising security may require trade-offs.
6. The future of mobile security: What needs to change?
The old security methods are no longer enough. Criminals are adapting, and cybersecurity needs to evolve just as fast.
When it comes to mobile payments, the stakes are incredibly high. Unlike contactless cards with transaction limits, smartphones provide seamless access to bank accounts, investment platforms, and crypto-wallets—making them a goldmine for criminals.
To combat this:
Banks must educate users on treating their phones as critical security devices, not just everyday gadgets.
AI-powered identity verification (KYC) must improve to detect fake IDs and prevent fraud.
Two-factor authentication (2FA) should involve a secondary device, like a tablet or smartwatch, instead of relying solely on the phone.
Consumers must take security seriously—using strong passwords, enabling 2FA, and adopting passkeys instead of traditional logins.
The future of mobile security is about more than stopping theft—it’s about preventing criminals from exploiting stolen devices. We can keep people safe in an increasingly digital world by staying ahead of emerging threats and embracing new security measures.
At Nuke From Orbit, our mission is simple: make smartphone theft as useless to criminals as possible. The more we raise awareness and push for better security, the harder we make it for hackers and thieves to profit from stolen devices.
It’s time to take mobile security seriously—before it’s too late.
John Mutuski, CISO of Pipedrive, interrogates the idea that UK cybersecurity risks really are being “widely underestimated”.
SHARE THIS STORY
A new year always brings a fresh impetus to look again at the business’ cybersecurity posture – and perhaps to find ways to strengthen it.
At the tail end of 2024, the UK’s National Cyber Security Centre highlighted the fact that cyber-related risks facing the UK are being “widely underestimated“, the cyber chief warned in their first major speech after last year’s appointment. As businesses evolve and digital threats grow more sophisticated, prioritising readiness has never been more critical. In 2024, only 2% of UK organisations achieved a ‘mature’ level of readiness according to research from Cisco: a 15% drop from the previous year.
There’s every reason to turn this trend around in 2025. If the threats from continuing geopolitical, warfare and cybercrime were not enough motivation; the rapid acceleration and adoption of AI will surely keep the CISO up at night. Fortunately, the security industry doesn’t require any upending. There are globally recognised best practices, widely understood technologies, and well-respected regulations and certifications to support businesses improving their security posture. The difficulty in the management of these threats comes from the limited supply of time, personnel, resources, all of which are in demand throughout a business and the IT organisation that supports them.
Crises are sure to come. Why not practice?
Simulating crises is a very practical way of identifying where ones’ weaknesses lie; whether it be a missing policy, weak controls, or absent documentation of procedures. The outcomes of these exercises provide businesses with a clear view of their vulnerabilities. They then help those businesses develop and act on a list of priorities. Thus, when a real crisis appears the business will be in a good position to blunt its impact.
Start off with some clear questions that you’re looking to test. Online resources or industry consultants can help. However, at first, all you might need to do is give the matter some careful thought. For example,
What are the most important functions your business needs in order to meet their customers’ expectations and maintain revenue? This would include the people, processes and systems. Answering this question will allow businesses to narrow the focus of what is critical to protect.
Do your staff know who to contact if they receive a phishing email or suspect a ransomware attack, data breach, virus, or any other IT incident?
Do the responsible leaders, teams, and service providers understand the steps for investigation, remediation, crisis communications, and any legal responsibilities?
The results of a crisis simulation and the questions it elicits will allow leaders to refine business procedures for a variety of scenarios; from cybersecurity incidents to those in other domains that rely on similar muscles, such as a key vendor going offline, or negative customer feedback going viral.
Lessons from a simulation or test allows one to assign roles and responsibilities in advance, so teams, as well as individuals, know exactly what to do when under pressure. Additionally, practice of response procedures will build confidence, and staff will feel prepared rather than panicked in the event of a real crisis.
Build a company-wide culture of cybersecurity and test/measure it
Cultural change is a major lever in making anything happen across any domain.
For cyber security to be seen as important to a business, an organisation needs to craft the message that security is everyone’s responsibility (not just IT’s); and that for it to be effective, everyone plays an important role. Most security leaders will agree that most places and people assume that ‘someone else’ handles security and it isn’t really something to worry about.
This attitude often leads to employees who either created a security incident or are involved in one to ‘pass the buck’ to the technology organisation. This is a damaging mindset that will perpetuate a weak security posture.
Social engineering, particularly phishing, remains the most significant threat for all businesses. Many lack dedicated security teams, thus making employee awareness even more crucial.
Security teams should explain the most common tactics used by cybercriminals to everyone in the organisation. This means employees are, more average, more likely to spot a scam and report it. Follow-up training is important for people to remain sharp. Without practice, people will eventually succumb to social engineering attacks, as they continue to become more and more convincing. It’s worth checking out the information on the NCSC.
If your gut reaction is to think ‘we’re above average intelligence, we won’t be scammed’ you should disabuse yourself of that notion. There are scores of statistics showing that bad actors successfully hack, phish, or attack thousands of businesses each year. Those businesses suffer enormous damage to their reputation and revenue.
Recognise that “the basics” when it comes to cybersecurity tools have changed
Some practical technologies that have become ‘non-negotiable’ security include antivirus/anti-malware, multi-factor authentication (MFA), and phishing defences in email platforms.
These are relatively simple foundational security measures that, when applied properly, cut out many common threats. Antivirus is not a comprehensive solution to all risks. Modern threats, particularly social engineering, require more robust defences like MFA. Cyber teams also need to continuously educate employees, as modern attacks use many techniques to evade detection, including some that don’t use viruses at all. Simulating, as mentioned, and surprise testing or ‘red teaming’ exercises, really cultivate a culture of vigilance, encouraging employees to be suspicious of unexpected requests or unfamiliar communications.
The explosion in AI has benefited the cybercriminal as they are able to quickly and easily create more convincing and sophisticated threats. AI is also helping the cybersecurity industry by introducing a high level of automation in security defences. However, even with AI, some human oversight will still be necessary to validate controls are working as intended.
Clearly, while more sophisticated and comprehensive security solutions can reduce risk more effectively, SMBs without the luxury of enterprise resources can still raise their cybersecurity posture by using resources provided by governmental cybersecurity agencies. Most provide standards, checklists and resources that can help any business to evaluate their preparedness and implement procedures for identifying, slowing, and hopefully, stopping risky activities.
Be concerned, but not alarmed
The cybersecurity industry is a big business, and its marketing relies on pointing out the very real risks that bad actors and their actions can bring on to anyone. In addition, if one were to read security industry articles, it can make for a great deal of doom and gloom for the smaller business who may not have a CISO, large IT staff, or the latest and greatest security technologies.
Have realistic expectations. No security system can guarantee 100% success in stopping all threats. However, even a modest budget and the right information and culture can create robust security measures and significantly reduce the likelihood and impact of an incident, attack, or breach.
Kennet Harpsoe, Lead Security Researcher at Logpoint, explores how false positive alerts can erode our security vigilance, and proposes a way to prevent them.
SHARE THIS STORY
Alert fatigue is a real threat to the Security Operations Centre (SOC). The rate of false positives sees analysts quickly become desensitised and struggle to prioritise their responses.
Automation was supposed to resolve the issue. In reality, however, it has failed to correlate and advance the ability for analytics to respond to threats. This has led to swivel chair operations that see the analyst required to login to, monitor and manage numerous dashboards. Consequently, burnout is at critical levels. A troubling 63% of security professionals reported an increase in stress levels, according to a 2023 report. This effect is exacerbated by a skills shortage in the sector that has grown 19% over the past year. Now, the shortage stands at 4.8m globally according to the ISC2.
It’s a situation further complicated by the way attacks have evolved. In a bid to remain undetected, these seek to utilise the existing tools and functionality that is built into systems. Living off the Land (LotL) attacks, for instance, can harness binaries, scripts and libraries to advance an attack within the environment without the need to deploy additional tools.
In fact, the LOLBAS Project has now documented over 200 instances of code that can be used in this way on the Windows O/S. From a threat detection point of view, this makes it significantly more difficult to spot attacks. Security solutions have to be tuned to look for the minutest deviations from what is considered ‘normal’ network behaviour, resulting in many more false positive alerts.
Using graphs to grapple with alerts
In short, detection is becoming infinitely more subtle and complex and the human and computing resources we have are struggling. Generative AI has been lauded as a possible solution. However, as in other sectors accused of AI-washing, vendors have been sketchy when it comes to the details of how the technology could help. Simply creating an AI chatbot will not add value, instead we need to look again at how we’re approaching the problem and how Artificial Intelligence (AI), in its original sense, could add value.
For the analyst, attempting to figure out if an alert is indicative of an attack is comparable to looking at every pixel of a display screen while attempting to see the full image. That’s because those alert events need to be correlated with other contextual information such as the endpoint and identity used as well as threat intelligence on known threats.
Correlation can be best achieved using graphs which allows those additional pieces of information to be factored in. Hyper graphs could be a game changer here because they allow numerous parameters to be considered and applied to an event, in effect creating not two but multiple axis to model the threat. Events that make up those chains of detection could then be scored to determine whether they warrant investigation.
AI answers to the analyst
Once we have enough of these chains of detections, it becomes possible to use AI’s deductive algorithms to analyse information. Gartner defines AI as applying advanced analysis and logic-based techniques, including machine learning, to interpret events, support and automate decisions, and take actions. This means we can train it to interpret and present the information to the analyst in a digestible format. And, using Generative AI, the analyst can use prompts to gain further details.
Looking to the future, we’re now entering the age of Agentic AI. AI technology is becoming more autonomous and better equipped to make decisions. It’s unlikely that we will see detection become fully automated in this way. However, we could see analysts presented with possible impact scenarios and avenues for effective remediation by an AI “coworker”.
In the meantime, hyper graphs promise to significantly reduce the numbers of false positives being generated. Lab tests have shown it can cut those numbers by up to 90%. This frees up analysts to focus their efforts on the more rewarding aspects of the job. For example: threat hunting, investigation and response.
James Sherlow, Systems Engineering Director, EMEA, at Cequence Security, looks at the evolution of Agentic AI and how cybersecurity teams can make AI agents safe.
SHARE THIS STORY
Agentic AI systems are capable of perceiving, reasoning, acting, and learning. As a result, they are set to revolutionise how AI is used by both defenders and adversaries. They’ll see AI used not just to create or summarise content but to provide recommended actions. Then, Agentic AI will follow through so that the AI is making autonomous decisions.
It’s a big step. Ultimately, it will test just how far we are willing to trust the technology. Some would argue it takes us perilously close to the technological singularity, where computer intelligence surpasses our own. As a result, it will require some guard rails to be put in place.
One thing has become clear from the most recent generations of AI. Evidently, technology needs to be protected, not just from attackers but from itself. There have been numerous instances of AI succumbing to the issues as highlighted in the OWASP Top 10 Guide for LLM Applications which has just been newly updated for 2025. Issues range from incorrectly interpreting data leading to hallucinations to exfiltrating or leaking data. There are a host of challenges associated already with Generative AI. The problem becomes even more complex once it becomes agentic.
This elevated risk is reflected in the new Top 10. It now sees LLM06, which was formerly ‘Over reliance on LLM-generated content’, become ‘Excessive Agency’. Essentially, agents or plug-ins could be assigned excessive functionality, permissions or autonomy, resulting in them having unnecessary free rein.
Another new addition to the list is LLM08 ‘Vector and embedding weaknesses’. Tis refers to the risks posed by Retrieval-Augmented Generation (RAG) which agentic systems use to supplement their learning.
Agentic AI and APIs
As with Generative AI, agentic relies upon Application Programming Interfaces (APIs). The AI uses APIs in order to access data and communicate with other systems and LLMs.
Because of this, AI is intrinsically linked to API security, meaning that the security of LLMs, agents and plug-ins will only be as good as that of the APIs. In fact, the likelihood is that APIs will become the most targeted asset when it comes to AI attacks, with smarter and stealthier bots set to exploit APIs for the purposes of credential stuffing, data scraping and account takeover (ATO).
To counter these attacks, organisations will need to deploy real-time AI defences. These systems will need to be able to adapt on the fly while remaining, to all intents and purposes, invisible.
The Agentic AI impact on security
Because agentic AI is autonomous, there will need to be more effective controls that govern what it can to do. From a technological perspective, it will be necessary to secure how it collects and transfers data. Policies detailing expected behaviours, will have to be enforced and measures put in place to mitigate attacks on the data.
When it comes to developing AI applications, having a Secure Development Life Cycle will be key to ensure security is considered at every stage of development.
We’ll also see AI itself used as part of the process to test and optimise code. The technology will move from being used to assist the developer to augmenting them by supplementing any skills gaps, anticipating bottlenecks and pre-empting issues to make the DevOps process much more efficient.
Equally important is how we will govern the deployment of these technologies in the workplace to prevent the technology running amok. There will need to be ownership assigned over the governance of these systems and it will need to be determined who has access to these systems and how they will be authenticated. There are a myriad of ethical questions to consider too, such as how the organisation can prevent the AI from overstepping or abusing its function but, at the other end of the scale, how we can avoid it simply following orders that might result in a logical but not a desirable conclusion.
Agentic assists attackers too
Of course, all of this also has implications for API security and bot management. Attacks too will be driven by intelligent self-directed bots so will be far more difficult to detect and stop.
Against these AI-powered attacks, existing methods of detecting malicious activity that look for high volume automated attacks by tracking speeds and feeds will lose their relevance. Instead, we’ll see a shift towards security solutions that target behaviour, seeking to predict intent. It will be a paradigm moment that will usher in a new age of more sophisticated tools and strategies.
Preparing for the age of agentic AI
We’re at the threshold of an exciting new era in AI but how can organisations prepare for this eventuality?
The likelihood is that if your business currently uses Generative AI it is now looking at agentic. Deloitte predicts 25% of companies in this category will launch pilots this year and 50% in 2027. It’s expected that companies will naturally progress from one to the other. Therefore , it’s imperative that they look to lay the groundwork now with their existing AI.
The common ground here is the API and this is where attention needs to be focused to ensure that the AI operates securely. Conducting a discovery exercise to create an inventory of all Generative AI APIs is a must together with an approved list of Generative AI tools and this will reduce the risk of shadow AI. Sensitive data controls should also be put in place that prescribe what can be accessed by the AI to prevent intellectual property from leaving the environment. And from a development perspective, guard rails must be put in place that govern the reach and functionality of the application.
There are a myriad of uses to which agentic AI will be put. Expect it to work with other LLMs, make faster, more informed decisions, and to improve that decision making over time. All of this could help businesses achieve its objectives and goals quicker. In fact, Gartner predicts it will play an active role in 15% of decision making by 2028. The genie is well and truly out of the bottle which means companies that fail to prioritise trust and transparency and implement the necessary controls will find themselves in the middle of an AI trust crisis they simply can’t afford to ignore.
Nik Levantis, senior consultant at global cybersecurity experts Obrela, describes how to align your security operations with governance, risk and compliance.
SHARE THIS STORY
Aligning Security Operations (SecOps) with Governance, Risk, and Compliance (GRC) has become a critical challenge for many organisations. As the number of cyber threats increases and regulatory requirements become more stringent, the need for a holistic, integrated approach to cybersecurity has never been more urgent.
However, many organisations continue to treat SecOps and GRC as separate functions, leading to inefficiencies, communication breakdowns and security gaps. To enhance security posture and risk management, it is crucial for organisations to align these two functions more effectively.
One of the primary objectives of any organisation’s GRC strategy is to ensure comprehensive and robust cybersecurity. Cyberattacks can compromise regulatory compliance, affect financial stability, damage reputation and hinder operational efficiency. Yet, despite the critical role of GRC in mitigating these risks, many organisations fail to integrate it seamlessly with SecOps. The result is often a disjointed approach to security that leaves organisations vulnerable.
Bridging the organisational gap
A major factor contributing to this gap is the organisational structure. In many cases, SecOps and GRC are treated as separate silos within the same company. While both functions may report to the Chief Information Security Officer (CISO), they often operate with distinct teams, tools and processes. This lack of integration can lead to operational inefficiencies, duplicate work, and, most importantly, security blind spots. Without a unified approach, organisations may struggle to respond to cyber threats quickly or ensure compliance with ever-evolving regulations.
One of the key challenges posed by this separation is a misalignment of priorities.
GRC teams are typically focused on defining strategies and policies that align with regulatory requirements, corporate objectives, and risk management frameworks. Their work often involves developing long-term security strategies and ensuring the organisation complies with relevant laws and standards.
On the other hand, SecOps teams are more focused on the day-to-day implementation of these policies. They deal with immediate threats, respond to incidents, and ensure that the technical security controls are in place and functioning. Without collaboration and communication between these teams, the strategic goals set by GRC may not be fully realised at the operational level, leading to gaps in security coverage.
Compliance missteps and misalignment
One significant result of this disconnect is the potential for security incidents to occur due to compliance missteps. Misalignment can lead to misunderstandings about the role and importance of compliance in the broader security strategy.
For example, SecOps may not fully grasp the implications of regulatory requirements, while GRC teams may lack a clear understanding of the practical challenges involved in implementing technical security measures. This lack of clarity can result in non-compliance with laws such as the General Data Protection Regulation (GDPR) or other industry-specific regulations, leading to hefty fines and reputational damage.
To address these issues, organisations must foster closer collaboration between SecOps and GRC. One way to achieve this is through regular, transparent communication between the two teams. By sharing insights and feedback on emerging threats, regulatory changes and internal security gaps, both functions can better understand how their work contributes to the organisation’s overall security posture. For example, GRC teams can provide SecOps with a clearer understanding of the potential risks posed by non-compliance, while SecOps can offer real-time data on vulnerabilities and incidents, allowing GRC to adjust policies and strategies accordingly.
Standardise your tech platforms
Another critical step towards alignment is ensuring that both teams are using compatible tools and platforms. In many organisations, GRC teams rely on documents, spreadsheets and enterprise governance, risk, and compliance (eGRC) platforms to manage compliance tasks.
However, SecOps teams often work with Security Information and Event Management (SIEM) systems, Extended Detection and Response (XDR) platforms, and Security Orchestration, Automation, and Response (SOAR) solutions to detect and respond to threats.
This disparity in tools can create additional barriers to collaboration and data sharing. By standardising technology platforms or adopting tools that enable cross-functional collaboration, organisations can break down these silos and create a more cohesive security framework.
Use an MSSP to bridge the skills gap
The cybersecurity skills gap also exacerbates the challenges of aligning SecOps and GRC. Both teams often struggle with understaffing and the increasing complexity of cybersecurity tasks. According to research from the Enterprise Strategy Group, 46% of cybersecurity professionals report feeling understaffed, and 81% believe their jobs have become harder in the past two years. This strain on resources can make it even harder for organisations to align their SecOps and GRC efforts effectively.
To address this issue, many companies are turning to Managed Security Service Providers (MSSPs) to supplement their internal capabilities and bridge the gap between SecOps and GRC. An experienced MSSP can bring an outside perspective, facilitate communication between teams. They can play a pivotal role in ensuring organisations implement security measures to best meet both operational and compliance requirements.
Another approach to improving SecOps/GRC alignment is by leveraging integrated cybersecurity platforms that centralise data and enable real-time collaboration. For example, Obrela’s SWORDFISH platform provides a unified solution for managing both SecOps and GRC functions. By consolidating security-related data into a single “data lake,” SWORDFISH enables real-time analytics and coordinated responses to threats. This centralised approach helps eliminate silos between the teams and ensures that both sides are working with the same data, improving decision-making and response times. Platforms like these can act as an “ERP” for cybersecurity, providing a comprehensive view of risk and operations and allowing teams to prioritise efforts based on a common understanding of the organisation’s most critical assets.
Break down silos
Aligning SecOps with GRC is essential for improving an organisation’s overall security posture and ensuring compliance with regulatory requirements. While the challenges of achieving this alignment are significant, they can be addressed through better communication, standardised tools and a stronger commitment to collaboration. By breaking down silos between functions and fostering a more integrated approach to security, organisations can improve both their operational efficiency and ability to manage risks.
Obrela’s SWORDFISH platform helps organisations manage risk and maintain clean security hygiene across the organisation, while efficiently managing detection and response. The SWORDFISH platform, combined with Obrela’s security advisory services, is designed to help organisations identify risk and determine its potential impact, helping them plot proper responses to improve their GRC maturity and overall security posture.
This article contains information gleaned from an Obrela White Paper, available for free download here.
Tech Show London is coming to Excel March 12-13. Register for your free ticket now!
SHARE THIS STORY
Unlock unparalleled value with a single ticket that gets you free access to five industry-leading technology shows. Welcome to Cloud & AI Infrastructure, DevOps Live, Cloud & Cyber Security Expo, Big Data & AI World, and Data Centre World.
Tech Show London has it all. Don’t miss this immersive journey into the latest trends and innovations.
Discover tomorrow’s tech today
Unleash Potential, Embrace the Future. Hear from the greatest tech minds, all in one place.
Dive into a world where cutting-edge ideas shape your tomorrow. Tech Show London is the epicentre of technology innovation in London and beyond, hosting the brightest minds in technology, AI, cyber security, DevOps, and cloud all under one roof.
The Mainstage Theatre is not just a stage; it’s a launchpad for innovative ideas. Witness a stellar lineup featuring world-renowned experts from across the tech stack, influential C-level executives, key government figures, and the vanguards of AI and cybersecurity. All ready to share ideas set to rock the industry.
GLOBAL INSPIRATION, LOCAL IMPACT
Seize the opportunity to be inspired by global visionaries. Furthermore, with speakers from the UK, USA, and beyond, prepare to be inspired by transformative concepts and actionable strategies from technology insiders, ensuring your business stays ahead in an ever-evolving technology landscape.
Where the future of technology takes the stage
Secure your competitive edge at Tech Show London, the UK’s award-winning convergence of the industry’s brightest tech minds.
On 12-13 March 2025, gain vital foresight into the disruptive technologies reshaping your market, and position your organisation at the forefront of technology’s next frontier.
If you’re defining your business’s tech roadmap, register for your free ticket to join us at Excel London.
Sam Peters, Chief Product Officer at ISMS.online, explores the trends amplifying the risks associated with biometric data theft.
SHARE THIS STORY
Biometric security measures, including fingerprints, facial recognition, and voice patterns, have revolutionised digital protection. Their widespread adoption in both consumer devices and corporate systems has made them an integral part of modern security protocols.
However, this reliance has also turned them into prime targets for attackers. The threat demands our attention as, unlike passwords which can be changed, compromised biometric data is permanent, amplifying the risks associated with its theft.
The biometric threat
Organisations face significant risks from biometrics, as evidenced by high-profile breaches in the past. In 2015 the U.S. Office of Personnel Management (OPM) suffered a breach that exposed the fingerprint data of over 5.6 million government employees. Technological advancements, such as liveness detection and infrared scanning, have mitigated some vulnerabilities. Nonetheless, these measures do not entirely eliminate the risk.
The threats posed by biometric and wearable data theft are not confined to organisations though. Wearable devices such as smartwatches and fitness trackers serve as reservoirs of sensitive information. These gadgets not only collect health and geolocation data but also facilitate financial transactions through tap-to-pay functionality. Cybercriminals can exploit these features, analysing wearable usage patterns to orchestrate targeted crimes. For instance, the routine of a high-net-worth individual could be tracked to plan a burglary during a known absence.
Deepfakes compound the problem
The integration of artificial intelligence (AI) into cybercriminal strategies has further compounded the biometric problem. It has enabled the creation of realistic deepfakes that leverage stolen biometric data. These fabrications can deceive even the most discerning systems and individuals, facilitating fraud and allowing attackers to hone their spear phishing attempts. The dangers are evident in cases such as the one in 2020 whereby one threat actor managed to steal $35 million by using AI to replicate a company director’s voice and deceive a bank manager. Similarly, in January 2024, a finance employee at British engineering firm Arup fell victim to a $25 million scam after a video call with a ‘deepfake chief financial officer’. Such examples illustrate that deepfakes are not just a theoretical concern but a tangible threat that businesses must address urgently.
The implications of deepfake technology extend beyond financial fraud, potentially undermining biometric authentication systems altogether. According to our 2024 State of Information Security Report, deepfake incidents accounted for 32% of security breaches among UK businesses in the past year, making it one of the most prevalent forms of cyber intrusion. By combining deepfake technology with stolen biometric data, attackers can craft highly convincing scams, leaving both individuals and enterprises vulnerable.
The role of regulation
Despite these alarming trends, solutions exist. The path forward requires collective action from individuals, manufacturers, and regulators to bolster defences. Device manufacturers must prioritise security features in their products, incorporating measures like end-to-end encryption and data minimisation practices – key principles of GDPR. By collecting only essential data and employing pseudonymisation, manufacturers can significantly reduce the risks associated with breaches; disaggregating biometric data from the individual makes it far less exploitable and significantly diminishes its value to attackers.
Regulatory frameworks, such as the EU AI Act and HIPAA in the U.S., provide critical guidelines for safeguarding sensitive information. While the EU AI Act remains relatively new, the act seeks to prohibit “the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement.”
Meanwhile, under the HIPAA Security Rule (2009) in the US, organisations must safeguard Protected Health Information (PHI), with wearables and smart devices increasingly being used to collect PHI. Meanwhile, in 2021, Facebook was forced to pay $650m for violating Illinois privacy law, allegedly using photo face-tagging and other biometric data without the permission of its users.
How can individuals protect themselves?
For individuals, maintaining vigilance is paramount. Using layered security measures – such as combining biometric authentication with strong passwords or multi-factor authentication – can provide an additional buffer against attacks. Regularly updating device software to incorporate the latest security patches is another essential step.
In the unfortunate event of biometric or wearable data theft, immediate action is crucial. For individuals, this includes reassessing the security of compromised accounts and implementing stricter authentication measures.
What protocol should organisations follow in the event of a breach?
For businesses at risk of cyberattack, adhering to compliance requirements is essential. Breaches must be promptly reported to supervisory bodies like the ICO, and pre-established incident management protocols should be activated to mitigate further damage.
Following such incidents, organisations must acknowledge that parts of their authentication framework may no longer be secure. This should prompt a comprehensive risk assessment. Depending on the outcome, businesses might decide that the compromised asset is of low value and tolerable risk or determine that additional protective measures are necessary to address the vulnerability.
Seeking guidance from established standards can be instrumental in navigating these challenges. Frameworks like ISO 27001 offer clear strategies for identifying reliable suppliers and enhancing authentication practices. These standards outline essential actions, serving as invaluable resources for mitigating the risks tied to biometric and wearable data theft.
Looking ahead, the battle against biometric and wearable data theft will only intensify as technology continues to evolve. The integration of AI-powered hacking and the proliferation of advanced devices demands constant innovationon the side of cybersecurity defenders. With increased vigilance and by following best practices, organisations can build their resilience to counter these emerging threats.
Jon Fielding, Managing Director, EMEA, at Apricorn, looks at rising ransomware attacks and the impact of changing government policy on how to respond to a breach.
SHARE THIS STORY
Ransomware attacks are on the increase despite concerted international efforts to disrupt ransomware business models. According to the Apricorn annual survey of IT and security decision makers, the risk of ransomware is rising steadily. This year, 31% stated their organisation had suffered an attack over the past twelve months in the UK. This figure is a noticable rise compared to 24% in 2023. Ransomware is now the most sought-after type of cover when organisations take out cyber insurance. Double the number of respondents required ransomware cover in 2024, up from 16% in 2023.
Attempting to break this pattern, the Home Office has launched a new consultation. The document seeks opinions in response to three new proposals by April, 2025. The first entails a targeted ban on the payment of ransoms in the public sector and by critical national infrastructure. The second is a payment prevention regime. This would require victims to report plans to pay before doing so, which could potentially be blocked by the government. And third, the government would make mandatory the reporting of ransomware incidents.
It’s not yet clear if incident reporting will apply across the board to all commercial organisations. It’s possible a threshold will determine the scale of attack that must be brought to the government’s attention. If the latter, reporting will be encouraged even among those who fall out of scope. This will help the government understand the scale, type and source of ransomware threats.
The report itself will need to be filed within 72 hours of the attack. A full report will then need to be provided within 28 days. The initial report will need to contain details on whether the organisation can recover using its existing resilience measures, like if it can use backups to restore data and resume operations.
Failed ransomware recoveries
Worryingly, this is often far more difficult than organisations think. Despite having backup processes in place, these are not always fully tested. This can mean that, when the time comes, data restoration is only partially successful.
The Apricorn survey found that 50% of respondents had to resort to using their backups to recover data last year. Of those, only half were able to so successfully. A quarter of respondents had to settle for partial recovery and 8% were unable to recover any data at all.
To make matters worse, ransomware attackers are also actively targeting those backups to thwart recovery.
The 2024 Ransomware Trends report found that 96% of ransomware attacks are now aimed at backup repositories. The Apricorn survey found automated backup to both central and personal repositories has surged to 30%, up from 19% the year before, which is a positive step as it means less are doing so manually, a practice which can see errors occur or the user simply forget to backup their data. But with those repositories now being actively targeted, it’s clear that organisations need to make backups of their backups.
This is precisely the thinking behind the 3-2-1 strategy. It advocates that data be backed up at least three times, with at least two copies of that data held on different media, one of which should be offsite.
One copy of the data should be offline, for example, effectively airgapping the data and a good example of this would be on an encrypted removable hard drive that can be disconnected from the network. In this way, the organisation can guard against the risk of their backups being compromised.
Testing the process
Taking such proactive measures provides a belt and braces approach to recovery but it’s also important to diligently test the recovery process on a regular basis. The Apricorn survey found 9% of those questioned acknowledged their systems were not robust enough to allow a rapid recovery from an attack, indicating there is still work to be done in this regard.
But those that do get to grips with improving their backups stand to reap additional benefits. For instance, the survey found a striking 46% of respondents now consider robust backup policies as the most important factor for meeting cyber insurance compliance, a substantial increase from 28% in 2023.
It’s better not to pay
There’s also a growing realisation that paying a ransom offers little guarantee of the business being reunited with its data. The 2024 Ransomware Risk Report found that over a third of victims (35%) either did not receive decryption keys or received corrupted keys leaving them unable to recover their data. What’s more, they were often extorted multiple times. Of the 78% that paid the ransom, 72% paid multiple times and 33% four times or more. It’s also commonplace for victims to be targeted again if they pay, with 74% reporting being attacked multiple times.
It’s for these reasons that organisations’ approach to ransomware has to change with a move away from negotiations and payments to more resilient business processes that make recovery possible. The advice from the Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) has always been not to simply resort to payment and that doing so does not fulfil the organisation’s regulatory obligations in terms of mitigating the risk posed to data.
The recommendation was to report the incident but the introduction of mandatory reporting will now formalise that process. In doing so it will make organisations much more aware of the need to detail the resilience measures they have in place and hopefully that will translate into much more diligent backup strategies.
Head of Group Payment Strategy, Lee McNabb, explains how a customer-centric vision, allied with a culture of innovation, is positioning NatWest at the heart of UK plc’s Open Banking revolution: “The market we live in is largely digital, but we have to be where customers are and meet their needs where they want them to be met. That could be in physical locations, through our app, or that could be leveraging the data we have to give them better bespoke insights. The important thing is balance… At NatWest, we’ll keep pushing the envelope on payments for a clear view of the bigger picture with banking that’s open for everyone.”
EBRD: People, Purpose & Technology
We speak with the European Bank for Reconstruction & Development’s Managing Director for Information Technology, Subhash Chandra Jose. With the help of Hexaware’s innovation, his team are delivering a transformation programme to support the bank’s global investment efforts: “The sweet spot for EBRD is a triangular union of purpose, people, and technology all coming together. This gives me energy to do something innovative every day to positively impact my team and our work for the organisation across our countries of operation. Ultimately, if we don’t get the technology basics right, we can’t best utilise the funds we have to make a real difference across the bank’s global efforts.”
Begbies Traynor Group: A strategic approach to digital transformation
We learn how Begbies Traynor Group is taking a strategic approach to digital transformation… Group CIO Andy Harper talks to Interface about building cultural consensus, innovation, addressing tech debt and scaling with AI: “My approach to IT leadership involves creating enough headroom to handle transformation while keeping the lights on.”
University of Cinicinnati: Where innovation comes to life
Bharath Prabhakaran, Chief Digital Officer and Vice President at the University of Cincinnati (UC), on technology, innovation and impact, and how a passion for education underpins his team’s work. “The foundation of any digital transformation in my opinion is people, process, technology – in that order,” he states. “People and culture are always the most challenging areas to evolve because you’re changing mindset and behaviour; process comes a close second as in most organisations people are wedded to legacy ways of working. In some respects, technology is the easy part, you always implement the tools but they’ll not be effective if you don’t have the right people and processes.”
IT: A personal career retrospective
It’s fascinating, looking back at something as complex and profoundly impactful as IT. And for Claudé Zamboni, who is preparing to retire after over 40 years in the sector, it’s been an incredible time to be deeply involved in technology. “There have been monumental changes from when I first entered IT, where it was basically a black box,” says Zamboni. “People didn’t know what the IT team was doing, and those in IT would just handle problems without telling anyone how. It only started to become more egalitarian when the internet got more pervasive. We realised that with information being available everywhere, we would lose the centralisation function of IT. But that was okay, because data is universal.”
Todd Weber, Vice President of Professional Services at Semperis, looks at why it’s more important than ever not to pay up when hit by a ransomware attack.
SHARE THIS STORY
In today’s digital landscape, ransomware has become a significant and persistent threat for organisations.
No longer an emerging risk, ransomware has been a well-established concern facing many companies for some time. In 2021, for example, a survey from Gartner revealed ransomware as the top threat on the minds of business leaders.
However, despite widespread awareness of the challenge, the problem of ransomware has not diminished but grown.
Many ransomware groups are now operating like businesses. They run highly organised operations complete with structured revenue models, marketing strategies and recruitment efforts. They function like legitimate enterprises, and their efforts are proving lucrative, generating substantial profits. Just last year, for instance, one report estimated that ransomware group ‘Black Basta’ had raked in around $107 million in in the short time since it first emerged in early 2022.
On top of this, there’s an entire marketplace dedicated to ransomware-as-a-service (RaaS) solutions. Black markets for ransomware tools mean even those with minimal technical skills can launch attacks. By selecting malware, encryption or distribution tools from various providers, even basic attackers can now easily execute ransomware campaigns. This serves to only lower the bar to entry for cybercrime even further.
Ransomware is rampant
There is no reason why ransomware will cease to be a major threat anytime soon.
Once individuals have crossed the moral threshold of engaging in criminal behaviour, there’s little else to deter them from continuing with ransomware activities. There are two key factors that could dissuade them: high chances of getting caught or low financial reward. However, niether are presently significant concerns for ransomware actors.
Indeed, many major ransomware groups are state sponsored. Some governments actively encourage them to target companies or critical infrastructure in rival nations. This kind of backing significantly reduces the likelihood of arrests. And, as a result, these threat actors often operate with a degree of impunity in their home countries.
Further, it’s not all that hard for ransomware organisations to continue to find targets and extract value, as Semperis’ 2024 Ransomware Risk Report shows.
The survey of almost 1,000 IT and security leaders highlights that ransomware is a reality facing many companies. The majority (83%) of responding organisations having been targeted by ransomware in the past 12 months. Of these enterprises, 74% were attacked multiple times.
The report also shows that, in most cases, firms are not prepared to combat ransomware demands. Over three-quarters (78%) of targeted organisations paid a ransom at least once.
Patch management isn’t currently taking priority
These figures might seem surprising. Shocking, even. Nonetheless, they are a reflection of how much the ransomware threat has evolved as firms have failed to respond.
Today, there are several critical aspects of security that are not always adequately prioritised. Patch management is one of them.
It’s easy to ignore those pop-up notifications prompting you to install an important Windows update. This is especially true when you’re in the middle of something important with a tight deadline. However, dismissing these notifications and moving on can lead to serious risks.
With ransomware attacks becoming more pervasive and opportunistic, this mindset therefore needs to change. According to a report from Deloitte, ransomware groups are increasingly leveraging zero-day exploits to target systems. Currently, over a third of ransomware victims are now breached in this way.
For this very reason, companies need to prioritise patch management. Instead of delaying updates for weeks or months, they must be affirmed in hours or days.
Phishing campaigns have become more sophisticated
Zero-day attacks are not the only technique that threat actors can leverage. Cybercriminals are also continuing to prey on the security vulnerabilities perpetuated by people themselves.
These days, phishing efforts are impressively crafted, making them significantly harder to detect and counter. Campaigns are exceptionally convincing: Attackers meticulously impersonate trusted brands and individuals, often monitoring email communications to understand user behaviours and identify suitable targets.
The advent of artificial intelligence has further complicated this landscape, enabling scammers to generate artwork and compose polished emails that mimic the tone and style of legitimate correspondence.
As a result, phishing attempts are becoming both more persuasive and increasingly difficult for even the most vigilant users to spot.
No industry or organisation is off limits
In addition, ransomware attackers are also focusing on organisations that they perceive as both vulnerable and more inclined to pay ransoms.
Take the healthcare sector as an example. It’s sad to see that cybercriminals are actively targeting hospitals. Even in wartime, the rights championed by organisations like the Red Cross, which offer protection and assistance to victims of armed conflict and strife, are generally upheld. However, with many threat actors being financially motivated, there is no moral barrier and hospitals have become regular targets.
Why? Not only do these organisations often lack the funding to adequately invest in IT and security improvements, but threat actors know that any disruptions they’re able to inflict may cause widespread chaos.
I have witnessed incidents where hospital groups were forced to divert or evacuate patients due to ransomware attacks that disabled critical equipment, such as insulin pumps and X-ray machines. It’s exactly what threat actors hope to achieve. In fact, results from the aforementioned Semperis ransomware report shows that nearly 70 % of healthcare organizations that were victimized by ransomware paid.
The risks of paying a ransom
From zero-days exploits and more sophisticated phishing tactics to targeting those organisations that are more likely to pay out, ransomware actors are continually refining an effective formula for their attacks, thereby bolstering their chances of success.
In contrast, organisations are all too often lagging in their response, failing to develop effective countermeasures to combat these threats. Again, Semperis’ latest report highlights the current gap that exists.
Critically, only about one-quarter of respondents have dedicated backup systems specifically for Active Directory. This is a serious problem. Without the ability to quickly recover their identity systems that are operationally vital, companies can be left feeling that they have no option but to pay their attackers.
Many respondents noted a desire to return to normal business as quickly as possible as a reason for paying ransom. However, firms that opt to do this fail to recognise that paying out once is likely to leave a greater target on your back, making you even more susceptible to future attacks.
A significant portion (32%) of companies that suffered a ransomware attack paid at least four times during the past year. About 10% of companies paid more than $600K in ransoms alone. If you experience a breach and choose to pay the ransom, you essentially set the stage for attackers to come after you again.
Therefore, for any organisation – especially those that have previously been breached or have paid ransoms – it is crucial to take a new approach, prioritising resilience by embracing an effective multilayered security strategy.
Start by getting the basics right
Today, the basics matter. You’d be surprised at how much you can reduce your attack surface through aggressive patch management. Even small, incremental updates can help prevent significant disruptions down the line.
Similarly, while companies have traditionally focused on keeping intruders out, it is equally important to put plans in place in case attackers succeed in breaching these first lines of defence. Critically, that means ensuring that backup systems are not only in place but also continuously tested to ensure they are functioning.
The fact that nearly 70% of respondents said they had an identity recovery plan, yet 78% of targeted organisations paid the ransom, is a problem: Backups, clearly, aren’t working as they’re supposed to be.
The fact that only 27% of organisations have dedicated systems for recovering Active Directory, Entra ID and other identity controls – the Tier 0 infrastructure upon which all systems rely for recovery – is also a major problem. It’s crucial to understand where your data resides, what data is essential for business operations, and how it is protected, and this includes your identity systems.
These things might not be exciting or interesting. But they are the building blocks of an effective security strategy.
Now, more than ever before, it’s about laying the right foundations. Yes, algorithmic flywheel functions and new AI solutions are cool, but firms must not forget to focus on the basics.
Richard Nelson, senior technical consultant at Probrand, walks you through creating and executing a plan to survive a cyber attack.
SHARE THIS STORY
Last year saw a number of high profile cases of businesses falling victim to cyber attacks, with financial as well as reputational implications. According to government data, 50% of all businesses have experienced some form of cyber security breach or attack in the last 12 months – and with the likelihood of this trend increasing into 2025, preparing for such an event is vital for businesses of all sizes. Yet, the reality is that even with the best prevention strategies in place, there is currently no guaranteed way of avoiding the risk altogether.
Create a robust crisis plan
The first step in preparing for what to do in the event of a cyber attack is putting together a clear plan of action. This plan should outline different potential scenarios and make clear who is responsible for leading the response across your business.
When doing this it helps to think like a hacker. In what ways might a cyber criminal try to harm your organisation? How will this impact IT, legal, finance, communications, HR, or other departments? It is likely that a successful attack will impact most divisions of the organisation in some way. They all need to be aware of the plan and understand their role. Appointing a specific individual within each department to take the lead and be capable of forming a response team in the event of a threat can help.
It is important that every person involved in the plan understands the implications of an attack and why these preparations and their involvement is necessary. Getting their buy-in from the beginning will ensure that everyone is aligned and working together when needed. You can help them to take charge in these scenarios by advising them on what they can do to minimise the impact of the attack. You should list theses steps clearly on your crisis management strategy, with the owner of each action and their contact details shared across the crisis response team.
Test the plan
Everybody should be comfortable and familiar with the steps they need to take. So, once the strategy is finalised and approved, it should be rigorously tested. Much like companies run regular fire drills, the crisis management strategy should be trialled and rehearsed so that it becomes second nature in the event of a real attack.
Each person on the strategy should also make sure they have prior approval to conduct any of the actions they might need to take. This may include legal approval, pre-authorised spend caps or written agreement from the CEO that a Chief Information Security Officer (CISO), or similar individual, can take charge if difficult decisions need taking in the event of a threat.
Clear communication is key
At the recent Probrand IT Expo, Jon Staniforth, former CISO at the Royal Mail, spoke about his experience of a ransomware attack. He described the ‘insatiable’ appetite for communications from many different parties at the time of the attack, with everyone requiring information to suit a different agenda. He explained that handling these communications was the most time-consuming element of his role in the early days of the crisis, occupying 50-70% of his focus. Jon went on to create a dedicated communications team to work with the various stakeholders across PR, corporate communications and public affairs throughout the attack, ensuring the right messaging was getting out in a timely manner, without detracting him from his own role.
Knowing what to communicate, when and to whom is vital during a crisis. Yet, in the moment, it can be easy to get this wrong and say too much – or too little. Preparing clear messaging in advance and sticking to approved statements in the event of an attack can help to minimise the impact on your business’s reputation. Working with your organisation’s communications team to align on a strategy, as well as investing in any media training to rehearse real-life scenarios can help to create a clear process if and when the time comes.
Remember the importance of wellbeing
Looking after your own wellbeing – and that of your team – can fall to the bottom of the priority list when a crisis hits, but it should be a top priority. Reflecting on his crisis, Jon explained that he was working 20 hour days in the first week of the attack, doing whatever it took to understand the scale and scope of the damage. But this can become unsustainable as the work to repair the damage of an attack can span many weeks and months. To tackle this in the future, Jon suggested he would appoint a dedicated wellbeing officer whose sole responsibility is to care for the physical and mental wellbeing of the team handling the crisis.
It is often in the nature of IT teams to get involved and be curious about major events such as these, and many will volunteer to work through the night to get to the root of the problem. Jon explained that part of his role was sometimes to ask people not to get involved and for the benefit of their own wellbeing ensure they stay in their work streams. Segmenting teams and fixing accountability to specific people for pre-determined tasks can also help to keep the process as efficient as possible.
Handling any kind of crisis is undoubtedly fraught and difficult, but implementing a clear plan in advance and sticking to it in the moment can help to minimise the impact of an attack, not only on the business but on your own wellbeing. If you are currently preparing your IT strategy for 2025, taking some time to prepare for a crisis, and then testing your response at regular intervals, will pay off in the long run.
Xavier Sheikrojan, Senior Risk Intelligence Manager at Signifyd, looks at the ways AI-powered chat bots are changing the face of fraud.
SHARE THIS STORY
With the rapid development of AI, fraudsters are becoming increasingly organised and sophisticated. Instead of lone actors, we’re seeing well-coordinated criminal teams that are more focused and skilled at identifying vulnerabilities than ever before.
Yet, data shows that 39% of businesses took no action following their most disruptive breach in the previous 12 months, giving cybercriminals the opportunity to continue cashing in and turning fraud into cybercrime.
The power of AI
One of the most powerful tools that fraudsters have started implementing into their arsenal is AI bots. These bots enable new types of fraud and present significant challenges for businesses. In 2022 alone, £177.6 million was lost to impersonation scams in the UK, and as AI-powered deepfakes and voice cloning improve, the risk of fraud will only continue to grow.
To protect themselves, businesses must stay informed about the latest fraud tactics. They need to understand how criminals are using AI-powered bots to launch and scale attacks, how deepfakes and synthetic identities are evolving, and most importantly, how to defend against these threats.
Historically, scammers and fraudsters were limited in their resources. They often operated alone, relying on their ability to trick people. Once blocked, they would usually give up and move on. However, this has now changed, and fraudsters are forming organised teams and using AI to enhance their deceptive tactics.
For online businesses, generative AI makes it harder to differentiate between genuine users and fraudsters. One common tactic involves using AI-powered phishing templates to gain access to account information and credit card details. These AI-driven “chatbots” mimic real businesses by copying their speech and text patterns. Deepfake technology further complicates matters by creating highly convincing AI-generated likenesses of real people.
The era of deepfakes
Deepfakes are making fraud increasingly complex. The technology enables attackers to impersonate victims to make high-value purchases by creating synthetic identities and mimicking voices. In this way, deepfakes can trick customer service into approving transactions. Fraudsters can even manipulate videos with lip-syncing techniques that are hard to detect.
Businesses are only just starting to realise what a major problem deepfakes will become for them. In the future, AI-powered bots could make calls without human involvement if we don’t take action now. This poses a significant risk to both businesses and consumers. To combat these sophisticated attacks, businesses need to implement high-performance machine learning models into their technology. To effectively fight deepfakes, we must understand the tools and techniques being used and implement AI-powered tools that match the speed and scale of criminal activities.
Fraud resilience
Risk intelligence teams play a crucial role in safeguarding businesses against AI-driven fraud. By analysing various fraud types and collaborating with data scientists, they can feed information into models and cross-reference it with past consumer behaviours. This allows them to continuously adapt their defences as fraudsters evolve their tactics.
To build resilience against AI fraud, companies must work closely with intelligence teams to identify anomalies and incorporate them into feedback loops. This enables systems to learn faster and detect fraudsters more efficiently. By analysing data, such as IP addresses and device information, risk intelligence teams can identify users who repeatedly engage in fraudulent activity using multiple fake accounts, and take steps to block them.
While AI chatbots pose new challenges, the good news is that solutions are also evolving. Prioritising a strong fraud prevention strategy is essential. This might involve partnering with a fraud prevention provider, forming a data intelligence team, or creating a comprehensive fraud prevention framework.
By combining in-house capabilities with strategic industry partnerships, businesses can focus on customer loyalty, retention, and profitability.
Paul Holland, CEO of Beyond Encryption, takes a look at the cybersecurity threats facing the UK and what the country can do to prevent them.
SHARE THIS STORY
The Labour Party is facing significant challenges as it looks to shape the future of the nation. One key area that requires their immediate attention is the UK’s cybersecurity strategy. Over 50% of UK businesses experienced a cyber breach or attack in the past year. Therefore, the evolving cyber threat landscape can no longer be ignored.
A commitment to change and promises of driving modernisation across the UK following 14 years of Conservative leadership were at the heart of the Labour Government’s campaign. Within its manifesto, the Labour Party even acknowledged the evolving cyber threat landscape and the increased risk of cyber attacks. Especially with technologies such as AI enabling cybercriminals to launch more sophisticated attacks at scale – the threats to the UK’s cybersecurity will only continue to proliferate.
One of the most common vulnerabilities across all UK businesses is a heavy reliance on outdated, legacy systems. Recent research revealed that a cyber attack occurs every 44 seconds. Despite this, over two-thirds of UK businesses continue to leverage legacy technologies to run their core operations. Worryingly, over 60% of customer-facing applications also rely on these outdated technologies.
With this in mind, we must ask ourselves what actions the Government and private sector should be taking to safeguard the UK’s digital landscape once and for all.
The key to modernising the UK’s cybersecurity — digital transformation
Legacy systems are a cybercriminal’s dream as they were not designed with today’s sophisticated cybersecurity landscape in mind. This means they do not have the necessary protections to counter today’s tech-savvy attacks. Troublingly, many systems run on outdated operating platforms. This means they no longer receive the critical patches and security updates which protect them from exploitation by cybercriminals.
Cybercriminals are also adding AI to their arsenals more and more frequently. They are using this technology to launch more sophisticated attacks than ever before. Therefore, it is crucial that businesses recognise the importance of retiring legacy systems and moving towards secure, modern alternatives. As the threat landscape continues to proliferate, this transition is now a necessity for survival against the growing cybercrime wave.
Another element of building cyber resilience which is often overlooked is businesses’ continued reliance on outdated postal communications. As businesses continue to transform their customer communications, they should look to replace traditional postal services with secure, digital alternatives as part of this process. With Ofcom’s Residential Postal Tracker revealing that 54% of consumers prefer not to receive post from any organisation and 70% prefer email communications over postal communications, this transition only grows in importance. Businesses should look to leverage secure digital communication tools underpinned by encryption and authentication technologies to ensure that data is protected across its entire journey. Secure digital alternatives also enable a faster digital delivery, and unlock cost-saving benefits and enhanced reliability in comparison to traditional postal communications which are being increasingly targeted by fraudsters.
The time for legislative action is now
As the new Labour Government continues to decide its priorities for the years ahead, it is crucial that bolstering the UK’s cybersecurity is at the forefront of these conversations and policy decisions. To help businesses and consumers alike stay safe from the growing cybercrime wave, the Government should look to implement legislation which mandates the transition from legacy systems to more modern and secure alternatives. As it stands, private and public sectors alike continue to operate using legacy systems. This leaves them increasingly vulnerable to cyber attacks. Therefore, a strong legislative framework is critical to compelling these organisations to regularly update their infrastructure.
The Government invests billions of pounds in the military to protect the public from physical attacks. The same attention must be given to protecting the nation from hidden, digital dangers. With recent attacks, such as the NHS cyber attack, demonstrating the detrimental effect that cyber attacks can have on the general public – cybersecurity should now be treated as a key requirement for protecting the UK’s infrastructure.
The importance of education to empower individuals and businesses across the nation
As cyber threats continue to proliferate and evolve, public education is crucial in helping to mitigate this risk. It is the Government’s duty to lead on public awareness efforts. Not only that, but it must also provide the resources required to help consumers and businesses alike stay protected. A strong national focus on proper cyber hygiene is key. This journey starts by educating those who are least familiar with digital risks. By empowering the public, the Government will be able to foster a culture of cyber hygiene across the nation.
Now is the time for the Labour Government to showcase its commitment to driving meaningful change. It must introduce the measures required to keep businesses and consumers’ data safe from the hands of threat actors. By providing statutory underpinning to the retirement of legacy technology, transitioning to secure digital communication methods and increasing public education efforts, the UK can stay safe against the growing cybercrime wave ensuring a safer digital future for all.
Ouyang Xin, General Manager of Security Products at Alibaba Cloud Intelligence, examines the pros and cons of AI as a tool for cloud security.
SHARE THIS STORY
There is no doubt that the rapid growth of the Artificial Intelligence (AI) large language models (LLMs) market has brought both new opportunities and challenges. Safety is the one most concerning issues in the development of LLMs. This includes elements like ethics, content safety and the use of AI by bad actors to transform and optimise attacks. As we have seen recently, one significant risk is the rise of deepfake technology. This can be used to create highly convincing forgeries of influencers or of those in power.
As an example, phishing and ransomware attacks sometimes leverage the latest generative AI technology. An increasing number of hackers are using AI to quickly compose phishing emails that are even more deceptive. Sadly, leveraging LLM tools for ransomware optimisation is a new trend that’s expected to increase, adding to an already challenging cyberthreat landscape.
However, we should take comfort in knowing that AI also offers powerful tools to enhance security. It can significantly improve the efficiency and accuracy of security operations. It does this by providing users with advanced methods to detect and prevent such threats.
This sets the stage for an ongoing battle where cutting-edge AI technologies are employed to counteract malicious use of the very same technology. In essence, it’s a battle of using “magic to fight magic”, where both warring parties are constantly raising their game.
The latest AI applications to boost security
Recently, we have seen a huge uptake in the application of AI assistants to further enhance security features. For example, Alibaba Cloud Security Center has launched a new AI assistant for users in China. This innovative solution leverages Qwen, Alibaba Cloud’s proprietary LLM. Qwen is used to enhance various aspects of security operations, including security consultation, alert evaluation, and incident investigation and response. By 2025, the AI assistant had covered 99% of alert events and served 88% of users in China.
Specifically, in the area of malware detection, by leveraging the code understanding, generation, and summarisation capabilities of LLMs, it is possible to effectively detect and defend against malicious files. At the same time, by utilising the inferencing capabilities of LLMs, anomalies can be quickly identified, reducing false positives and enhancing the accuracy of threat detection, which helps security engineers significantly increase their work efficiency.
The common cloud security failures businesses face today
Nowadays, a growing number of organisations are adopting multi-cloud and hybrid cloud environments, leading to increased complexity in IT infrastructure. A recent survey from Statista revealed that, as of 2024, 73 percent of enterprises reported using a hybrid cloud setup in their organisation. An IDC report also indicates that almost 90% of enterprises in Asia Pacific are embracing multiple clouds.
This trend, however, has a notable downside: it drives up the costs associated with security management. Users must now oversee security products spread across public and private clouds, as well as on-premises data centres. They must address security incidents that occur in various environments. This complexity inevitably leads to extremely high operational and management costs for IT teams.
Moreover, companies are facing significant challenges with data silos. Even when they use products from the same cloud provider, achieving seamless data interoperability is often difficult. Security capabilities are fragmented, data cannot be integrated, and security products become isolated islands, unable to coordinate. This fragmentation results in a disjointed and less effective security framework.
Additionally, in many enterprises, the internal organisational structure is often fragmented. For example, the IT department generally handles office security, whereas individual business units are responsible for their own production network security. This separation can create vulnerabilities at the points where these distinct areas overlap.
Cloud security products – a resolution to these issues
We found it effective to apply a three-dimension Integration strategy for our security products. It means that we adopt a unified approach that addresses three key scenarios. These include integrated security for cloud infrastructure, cohesive security technology domains, and seamless office and production environments.
The integrated security for cloud infrastructure is designed to tackle the challenges posed by increasingly complex IT environments. Primarily, it focuses on the unified security management of diverse infrastructures, including public and private clouds. Advanced solutions enable enterprises to manage their resources through a single, centralised console, regardless of where those resources are located. This approach ensures seamless and efficient security management across all aspects of an organisation’s IT infrastructure.
Unified security technology domains bring together security product logs to create a robust security data lake. This centralised storage enables advanced threat intelligence analysis and the consolidation of alerts, enhancing the overall security posture and response capabilities.
The integrated office and production environments aim to streamline data and processes across departments. This integration not only boosts the efficiency of security operations, but also minimises the risk of cross-departmental intrusions, ensuring a more secure and cohesive working environment.
Cloud security trends in AI era
We believe that the integration of AI with security is becoming increasingly vital for data protection, wherever it is stored. This is why we are dedicated to advancing AI’s role in the security domain, aiming for more profound, extensive, and automated applications. For example, using AI to discover zero-day vulnerabilities and more efficient automation based on Agents.
In response to the growing trend of enhancing AI security and compliance, cloud service providers are offering comprehensive support for AI, ranging from infrastructure to AI development platforms and applications. Cloud service providers can assist users in many aspects of AI security and compliance, such as data security protection and algorithmic compliance. Among them, the focus must always be on helping users build fully connected data security solutions and providing customers with more efficient content security detection products.
With cyber threats once more on the rise, organisations are expected to turn in even greater numbers to zero trust when it comes to their cybersecurity architecture in 2025.
SHARE THIS STORY
Last year was one of the most punishing in history for cybersecurity firms. Data from IBM puts the global average cost of a data breach in 2024 at $4.88 million. This is a 10% increase over the previous year and the highest total ever. In the UK, almost three-quarters (74%) of large businesses experienced a breach in their networks last year. Cybercrime is a needle that’s been pushing deeper and deeper into the red for over a decade at this point, and the trend shows little sign of reversing or slowing down.
New tools, including artificial intelligence (AI) are elevating threat levels at the same time as geopolitical tensions are ramping up. For many organisations, a cyber breach feels less like a matter of “if” than “when,” and with the potential to cost large sums of money, it’s no wonder the topic has the power to inspire a certain fatalism in CISOs.
“The continued sophistication of cyber-attacks, and the increasing number of endpoints targeted are a specific worry, so we expect this challenge will drive more adoption of zero-trust architecture,” says Jonathan Wright, Director of Products and Operations at GCX.
The UK Government’s official report on cybersecurity breaches last year notes that the most common cyber threats result from phishing attempts (84% of businesses and 83% of charities), followed by impersonating organisations in emails or online (35% of businesses and 37% of charities) and then viruses or other malware (17% of businesses and 14% of charities).
The report’s authors note that these forms of attack are “relatively unsophisticated,” advising that relatively simple “cyber hygiene” measures can have a significant impact on an organisation’s resilience to threats.
Ubiquitous zero trust
Zero Trust is increasingly becoming an industry standard practice — table stakes for basic “cyber hygiene”.
To take it one step further, Wright explains that he expects organisations to implement microsegmentation as part of their zero-trust initiatives. “This will enable them to further reduce their individual attack surface in the face of these evolving threats, he says. “As it stands, technology frameworks like Secure Access Service Edge (SASE), and specifically zero-trust have helped organisations secure increasingly complex and evolving cloud environments. However, microsegmentation builds on these principles of visibility and granular policy application by breaking down internal environments; across both IT and OT, into discrete operational segments. This allows for a more targeted application and enforcement of security controls and helps to isolate and contain breaches to these sub segmented areas. As a result, we expect to see continued adoption of microsegmentation strategies throughout 2025, and beyond”.
Resilience promises to take “centre stage” in the year ahead, as organisations start to prioritise continuity over cyber defence.
SHARE THIS STORY
Cybersecurity has been and will remain a critical concern for organisations as we enter 2025. Risks that were prevalent over a decade ago — like phishing and ransomware — continue to present challenges for cyber professionals. New technologies are giving bad actors new and better ways to access networks and the data they contain.
Artificial intelligence (AI) is likely to remain a key element in the strategies of both cyber security professionals and the people they are trying to protect against, and therefore dominates a great deal of the conversation around cybersecurity. As noted in GCHQ’s National Cyber Security Centre (NCSC) annual review, “while AI presents huge opportunities, it is also transforming the cyber threat. Cyber criminals are adapting their business models to embrace this rapidly developing technology – using AI to increase the volume and impact of cyber attacks against citizens and businesses, at a huge cost.”
Breaches are becoming more common, the tools available to cybercriminals more effective. This year, conventional wisdom about striving for ever-more-effective security measures in support of an impenetrable membrane around the business may be phased out, as businesses begin to accept it’s not a matter of “if” but “when” a breach occurs.
Cyber resilience
The UK government’s Cyber Security Breaches Survey for 2024 found that half of all businesses and approximately one third of charities (32%) in the country experienced some form of cyber security breach or attack in the last 12 months.
According to Luke Dash, CEO of ISMS.online, resilience will take “centre stage” in the year ahead, as organisations start prioritising continuity over defence, in what he describes as “a shift from merely defending against threats to ensuring continuity and swift recovery.”
In tandem with this shift in approach, Dash notes that resilience is also becoming more of a priority from the regulatory side. With “changes to frameworks like ISO 27001 expanding to address resilience, and regulations like NIS 2 introducing stricter incident reporting, organisations will be required to proactively prepare for and respond to cyber disruptions,” he explains, adding that this trend will result in “a stronger focus on disaster recovery and operational continuity, with companies investing heavily in systems that allow them to quickly bounce back from cyber incidents, especially in critical infrastructure sectors.”
Regulatory shifts reflect refocusing on continuity
Regulations will also spur global action to secure critical infrastructure in 2025, as critical infrastructure like utility grids, data centres, and emergency services are expecting to face mounting cyber threats.
As noted in the NCSC’s report, “Over the next five years, expected increased demand for commercial cyber tools and services, coupled with a permissive operating environment in less-regulated regimes, will almost certainly result in an expansion of the global commercial cyber intrusion sector. The real-world effect of this will be an expanding range and number of victims to manage, with attacks coming from less-predictable types of threat actor.”
This rising tide of cyber threats — both from private groups and state-sponsored organisations — will, Dash believes, prompt governments and operators to adopt stronger defences and risk management frameworks. “Regulations like NIS 2 will push EU operators to implement comprehensive security measures, enforce prompt incident reporting, and face steeper penalties for non-compliance,” he says. “Governments globally will invest in safeguarding essential services, making sectors like energy, healthcare, and finance more resilient to attacks. Heightened collaboration among nations will also emerge, with increased intelligence sharing and coordinated responses to counteract sophisticated threats targeting critical infrastructure.”
Dr. Andrea Cullen, CEO and Co-Founder at CAPSLOCK, explains why a strong cybersecurity team is a company-wide endeavour.
SHARE THIS STORY
The most recent ISC2 cyber workforce study found that the global cyber skills gap has increased 19% year-on-year and now sits at 4.8 million. Alongside a smaller hiring pool, tighter budgets and hiring freezes are also adding fuel to the fire when it comes to leaders’ concerns over staffing. They’re navigating hiring freezes and fighting a landscape of competitive salaries. And, once they have the right people in place, the business tasks them with cultivating a culture that encourages retention.
As the c-suite representative of the cyber security function, it would be tempting to place the responsibility on the CISO. But the reality is that they can’t do it alone and organisations shouldn’t expect them to either. Building a workplace that hires and keeps hold of top cyber talent requires the tandem force of HR and CISOs.
The CISO is an important cultural role model
The truth is that CISOs – or heads of cyber departments – are under more pressure than ever, fulfilling an already challenging managerial role while experiencing tight financial and human resources. Over a quarter (37%) have faced budget cuts and 25% have experienced layoffs. On top of this, 74% say the threat landscape is the worst they’ve seen in five years.
Fundamentally, they do not have the bandwidth or indeed, necessarily all the right skillsets, to act as both the technical and people lead. That’s not to say they shouldn’t be in the thick of it with their team, though. They should. But this should focus more on how they can be a strong, present role model for their team and lead from the top to maintain a healthy team culture. Having someone who leads by example is crucial for improving job satisfaction and increasing retention in an intense industry like cyber.
This could be as simple as championing a good work-life balance to empower their teams to protect their own time outside of work, especially in a career where the workforce often feels pressure to be ‘on’ 24/7. For example, providing the flexibility for their team to work outside of the traditional 9 to 5 hours to be able to pick up children from school if they’re working parents.
Forming a close ally in HR to build team resiliency
With job satisfaction in cybersecurity down 4%, there is a need to improve working environments to preserve employees from burnout and encourage top talent to stay. Creating a strong, trusted and inclusive team culture is one way that the CISO can do this. But they should also be forming a close allyship with HR and hiring managers to build further resiliency. In my experience, here are some of the key ways that these two functions can come together to build a robust cyber team:
Supporting teams with temporary resources
It can be a challenge to alleviate pressure on the team when budgets are constrained – or when there is a flat-out hiring freeze policy across the company.
However, the CISO and HR must take action so the team doesn’t suffer from burnout or low morale. They can circumnavigate hiring freezes and budget constraints with temporary contractual help.
Deploying temporary cyber practitioners can be financed through a different “CaPex” budget, rather than permanent staff allocation and saves companies the cost of national insurance and holiday pay for example.
Looking beyond traditional CVs when hiring
Hiring from a small talent pool and with competitive salaries is difficult.
That’s why it’s important for cyber and HR leaders not to overlook CVs that may not fit the traditional mould of what a cyber employee looks like. For example, this could be opening up hiring cycles to be more accommodating to career changers with valuable transferrable skills such as communication and teamwork, or those from non-traditional cyber backgrounds such as not having a degree in computer science.
Identifying appetite for cyber within the business
Leaders can look from within for potential talent to fill much-needed roles.
For example, individuals responsible for championing cyber best practices in other lines of business might be interested in a career change. Or if redundancies are on the table, it may be a way of keeping loyal staff with business knowledge within the company and cutting out lengthy external hiring processes.
The CISO and HR team can then work closely to reskill individuals in the technical and impact foundational skills they need.
Championing diversity of experiences and thinking
To tackle the dangers of cyber-attacks, HR must focus on breaking down barriers in cyber by promoting diversity in skills and backgrounds within their teams. This comes from taking different approaches to hiring.
This not only broadens the talent pool but also provides unique perspectives on how cyber threats impact different business areas, ultimately creating a more resilient cyber team and strengthening the organisation’s defences.
Final thoughts
The CISO must be a dynamic role model. They must drive team culture and values from the top down to foster an environment that motivates and engages their team. They must also collaborate closely with HR to recruit, train, and retain top talent, ensuring the cyber function is well-equipped to tackle the ever-evolving threat landscape.
Dr. John Blythe, Director of Cyber Psychology at Immersive Labs, explores how psychological trickery can be used to break GenAI models out of their safety parameters.
SHARE THIS STORY
Generative AI (GenAI) tools are increasingly embedded in modern business operations to boost efficiency and automation. However, these opportunities come with new security risks. The NCSC has highlighted prompt injection as a serious threat to large language model (LLM) tools, such as ChatGPT.
I believe that prompt injection attacks are much easier to conduct than people think. If not properly secured, anyone could trick a GenAI chatbot.
What techniques are used to manipulate GenAI chatbots?
It’s surprisingly easy for people to trick GenAI chatbots, and there is a range of creative techniques available. Immersive Labs conducted an experiment in which participants were tasked with extracting secret information from a GenAI chat tool, and in most cases, they succeeded before long.
One of the most effective methods is role-playing. The most common tactic is to ask the bot to pretend to be someone less concerned with confidentiality—like a careless employee or even a fictional character known for a flippant attitude. This creates a scenario where it seems natural for the chatbot to reveal sensitive information.
Another popular trick is to make indirect requests. For example, people might ask for hints rather than information outright or subtly manipulate the bot by posing as an authority figure. Disguising the nature of the request also seems to work well.
Some participants asked the bot to encode passwords in Morse code or Base64, or even requested them in the form of a story or poem. These tactics can distract the AI from its directives about sharing restricted information, especially if combined with other tricks.
Why should we be worried about GenAI chatbots revealing data?
The risk here is very real. An alarming 88% of people who participated in our prompt injection challenges were able to manipulate GenAI chatbots into giving up sensitive information.
This vulnerability could represent a significant risk for organisations that regularly use tools like ChatGPT for critical work. A malicious user could potentially trick their way into accessing any information the AI tool is connected to.
What’s concerning is that many of the individuals in our test weren’t even security experts with specific technical knowledge. Far from it; they were just using basic social engineering techniques to get what they wanted.
The real danger lies in how easily these techniques can be employed. A chatbot’s ability to interpret language leaves it vulnerable in a way that non-intelligent software tools are not. A malicious user can get creative with their prompts or simply work by rote from a known list of tactics.
Furthermore, because chatbots are typically designed to be helpful and responsive, users can keep trying until they succeed. A typical GenAI-powered bot will pay no mind to continued attempts to trick it.
Can GenAI tools resist prompt injection attacks?
While most GenAI tools are designed with security in mind, they remain quite vulnerable to prompt injection attacks that manipulate the way they interpret certain commands or prompts.
At present, most GenAI systems struggle to fully resist these kinds of attacks because they are built to understand natural language, which can be easily manipulated.
However, it’s important to remember that not all AI systems are created equal. A tool that has been better trained with system prompts and equipped with the right security features has a greater chance of detecting manipulative tactics and keeping sensitive data safe.
In our experiment, we created ten levels of security for the chatbot. At the first level, users could simply ask directly for the secret password, and the bot would immediately oblige. Each successive level added better training and security protocols, and by the tenth level, only 17% of users succeeded.
Still, as that statistic highlights, it’s essential to remember that no system is perfect, and the open-ended nature of these bots means there will always be some level of risk.
So how can businesses secure their GenAI chatbots?
We found that securing GenAI chatbots requires a multi-layered approach, often referred to as a “defence in depth” strategy. This involves implementing several protective measures so that even if one fails, others can still safeguard the system.
System prompts are crucial in this context, as they dictate how the bot interprets and responds to user requests. Chatbots can be instructed to deny knowledge of passwords and other sensitive data when asked and to be prepared for common tricks, such as requests to transpose the password into code. It is a fine balance between security and usability, but a few well-crafted system prompts can prevent more common tactics.
This approach should be supported by a comprehensive data loss prevention (DLP) strategy that monitors and controls the flow of information within the organisation. Unlike system prompts, DLP is usually applied to the applications containing the data rather than to the GenAI tool itself.
DLP functions can be employed to check for prompts mentioning passwords or other specifically restricted data. This also includes attempts to request it in an encoded or disguised form.
Alongside specific tools, organisations must also develop clear policies regarding how GenAI is used. Restricting tools from connecting to higher-risk data and applications will greatly reduce the potential damage from AI manipulation.
These policies should involve collaboration between legal, technical, and security teams to ensure comprehensive coverage. Critically, this includes compliance with data protection laws like GDPR.
Usman Choudhary, Chief Product & Technology Officer at VIPRE Security Group, looks at the effect of programming bias on AI performance in cybersecurity scenarios.
SHARE THIS STORY
AI plays a crucial role in identifying and responding to cyber threats. For many years, security teams have used machine learning for real-time threat detection, analysis, and mitigation.
By leveraging sophisticated algorithms trained on comprehensive data sets of known threats and behavioural patterns, AI systems are able to distinguish between normal and atypical network activities.
They are used to identify a wide range of cyber threats. These include sophisticated ransomware attacks, targeted phishing campaigns, and even nuanced insider threats.
Through heuristic modelling and advanced pattern recognition, these AI-powered cybersecurity solutions can effectively flag suspicious activities. This enables them to provide enterprises with timely and actionable alerts that enable proactive risk management and enhanced digital security.
False positives and false negatives
That said, “bias” is a chink in the armour. If these systems are biased, they can cause major headaches for security teams.
AI bias occurs when algorithms generate skewed or unfair outcomes due to inaccuracies and inconsistencies in the data or design. The flawed outcomes reveal themselves as gender, racial, or socioeconomic biases. Often, these arise from prejudiced training of data or underlying partisan assumptions made by developers.
For instance, they can generate excessive false positives. A biased AI might flag benign activities as threats, resulting in unnecessary consumption of valuable resources, and overtime alert fatigue. It’s like your racist neighbour calling the police because she saw a black man in your predominantly white neighbourhood.
AI solutions powered by biased AI models may overlook newly developing threats that deviate from preprogrammed patterns. Furthermore, improperly developed, poorly trained AI systems can generate discriminatory outcomes. These outcomes disproportionately and unfairly target certain user demographics or behavioural patterns with security measures, skewing fairness for some groups.
Similarly, AI systems can produce false negatives, unduly focusing heavily on certain types of threats, and thereby failing to detect the actual security risks. For example, a biased AI system may develop biases that misclassify network traffic or incorrectly identify blameless users as potential security risks to the business.
Preventing bias in AI cybersecurity systems
To neutralise AI bias in cybersecurity systems, here’s what enterprises can do.
Ensure their AI solutions are trained on diverse data sets.
By training the AI models with varied data sets that capture a wide range of threat scenarios, user behaviours, and attack patterns from different regions and industries will ensure that the AI system is built to recognise and respond to a variety of types of threats accurately.
Transparency and explainability must be a core component of the AI strategy.
Foremost, ensure that the data models used are transparent and easy to understand. This will inform how the data is being used and show how the AI system will function, based on the underlying decision making processes. This “explainable AI” approach will provide evidence and insights into how decisions are made and their impact to help enterprises understand the rationale behind each security alert.
Human oversight is essential.
AI is excellent at identifying patterns and processing data quickly, but human expertise remains a critical requirement for both interpreting complex security threats and minimising the introduction of biases in the data models. Human involvement is needed to both oversee and understand the AI system’s limitations so that timely corrective action can be taken to remove errors and biases during operation. In fact, the imperative of human oversight is written into regulation – it is a key requirement of the EU AI Act.
To meet this regulatory requirement, cybersecurity teams should consider employing a “human-in-the-loop” approach. This will allow cybersecurity experts to oversee AI-generated alerts and provide context-sensitive analysis. This kind of tech-human collaboration is vital to minimising the potential errors caused by bias, and ensuring that the final decisions are accurate and reliable.
AI models can’t be trained and forgotten.
They need to be continuously trained and fed with new data. Withouth it, however, the AI system can’t keep pace with the evolving threat landscape.
Likewise, it’s important to have feedback loops that seamlessly integrate into the AI system. These serve as a means of reporting inaccuracies and anomalies promptly to further improve the effectiveness of the solution.
Bias and ethics go hand-in-hand
Understanding and eliminating bias is a fundamental ethical imperative in the use of AI generally, not just in cybersecurity. Ethical AI development requires a proactive approach to identifying potential sources of bias. Critically, this includes finding the biases embedded in training data, model architecture, and even the composition of development teams.
Only then can AI deliver on its promise of being a powerful tool for effectively protecting against threats. Alternatively, its careless use could well be counter-productive, potentially causing (highly avoidable) damage to the enterprise. Such an approach would turn AI adoption into a reckless and futile activity.
Experts from IBM, Rackspace, Trend Micro, and more share their predictions for the impact AI is poised to have on their verticals in 2025.
SHARE THIS STORY
Despite what can only be described as a herculean effort on behalf of the technology vendors who have already poured trillions of dollars into the technology, the miraculous end goal of an Artificial General Intelligence (AGI) failed to materialise this year. What we did get was a slew of enterprise tools that sort of work, mounting cultural resistance (including strikes and legal action from more quarters of the arts and entertainment industries), and vocal criticism leveled at AI’s environmental impact.
It’s not to say that generative artificial intelligence hasn’t generated revenue, or that many executives are excited about the technology’s ability to automate away jobs— uh I mean increase productivity (by automating away jobs), but, as blockchain writer and research Molly White pointed out in April, there’s “a yawning gap” between the reality that “AI tools can be handy for some things” and the narrative that AI companies are presenting (and, she notes, that the media is uncritically reprinting). She adds: “When it comes to the massively harmful ways in which large language models (LLMs) are being developed and trained, the feeble argument that ‘well, they can sometimes be handy…’ doesn’t offer much of a justification.”
Two years of generative AI and what do we have to show for it?
Blood in the Machine author Brian Merchant pointed out in a recent piece for the AI Now Institute that the “frenzy to locate and craft a viable business model” for AI by OpenAI and other companies driving the hype trainaround the technology has created a mixture of ongoing and “highly unresolved issues”. These include disputes over copyright, which Merchant argues threaten the very foundation of the industry.
“If content currently used in AI training models is found to be subject to copyright claims, top VCs investing in AI like Marc Andreessen say it could destroy the nascent industry,” he says. Also, “governments, citizens, and civil society advocates have had little time to prepare adequate policies for mitigating misinformation, AI biases, and economic disruptions caused by AI. Furthermore, the haphazard nature of the AI industry’s rise means that by all appearances, another tech bubble is being rapidly inflated.” Essentially, there has been so much investment so quickly, all based on the reputations of the companies throwing themselves into generative AI — Microsoft, Google, Nvidia, and OpenAI — that Merchant notes: “a crash could prove highly disruptive, and have a ripple effect far beyond Silicon Valley.”
What does 2025 have in store for AI?
Whether or not that’s what 2025 has in store for us — especially given the fact that an incoming Trump presidency and Elon Musk’s self-insertion into the highest levels of government aren’t likely to result in more guardrails and legislation affecting the tech industry — is unclear.
Speaking less broadly, we’re likely to see not only more adoption of generative AI tools in the enterprise sector. As the CIO of a professional services firm told me yesterday, “the vendors are really pushing it and, well, it’s free isn’t it?”. We’re also going to see AI impact the security sector, drive regulatory change, and start to stir up some of the same sanctimonious virtue signalling that was provoked by changing attitudes to sustainability almost a decade ago.
To get a picture of what AI might have in store for the enterprise sector this year, we spoke to 6 executives across several verticals to find out what they think 2025 will bring.
“Over the past few years, enterprises have dealt with Shadow IT – the use of non-approved Cloud infrastructure and SaaS applications without the consent of IT teams, which opens the door to potential data breaches or noncompliance.
“Now enterprises are facing a new challenge on the horizon: Shadow AI. Shadow AI has the potential to be an even bigger risk than Shadow IT because it not only impacts security, but also safety.
“The democratisation of AI technology with ChatGPT and OpenAI has widened the scope of employees that have the potential to put sensitive information into a public AI tool. In 2025, it is essential that enterprises act strategically about gaining visibility and retaining control over their employees’ usage of AI. With policies around AI usage and the right hybrid infrastructure in place, enterprises can put themselves in a better position to better manage sensitive data and application usage.”
“In the next 12 months, we will start to see a fundamental shift away from the traditional SaaS model, as businesses’ expectations of what new technologies should do evolve. This is down to two key factors – user experience and quality of output.
“People now expect to be able to ask technology a question and get a response pulled from different sources. This isn’t new, we’ve been doing it with voice assistants for years – AI has just made it much smarter. With the rise of Gen AI, chat interfaces have become increasingly popular versus traditional web applications. This expectation for user experience will mean SaaS providers need to rapidly evolve, or get left behind.
“The current SaaS models on the market can only tackle the lowest dominator problem felt by a broad customer group, and you need to proactively interact with it to get it to work. Even then, it can only do 10% of a workflow. The future will see businesses using a combination of proprietary, open-source, and bought-in models – all feeding a Gen AI-powered interface that allows their teams to run end-to-end processes across multiple workstreams and toolsets.”
“New standards drive ethical, transparent, and accountable AI practices: In 2025, businesses will face escalating demands for AI governance and compliance, with frameworks like the EU AI Act setting the pace for global standards. Compliance with emerging benchmarks such as ISO 42001 will become crucial as organisations are tasked with managing AI risks, eliminating bias, and upholding public trust.
“This shift will require companies to adopt rigorous frameworks for AI risk management, ensuring transparency and accountability in AI-driven decision-making. Regulatory pressures, particularly in high-stakes sectors, will introduce penalties for non-compliance, compelling firms to showcase robust, ethical, and secure AI practices.”
“This year has seen the adoption of AI skyrocket, with businesses spending an average of $2.5million on the technology. However, legislation such as the EU AI Act has led to heightened scrutiny into how exactly we are using AI, and as a result, we expect 2025 to become the year of Responsible AI.
While we wait for further insight on regulatory implementation, many business leaders will be looking for a way to stay ahead of the curve when it comes to AI adoption and the answer lies in establishing comprehensive AI Operating Models – a set of guidelines for responsible and ethical AI adoption. These frameworks are not just about mitigating risks, but about creating a symbiotic relationship with AI through policies, guardrails, training and governance.
This not only prepares organisations for future domestic and international AI regulations but also positions AI as a co-worker that can empower teams rather than replace them. As AI technology continues to evolve, success belongs to organisations that adapt to the technology as it advances and view AI as the perfect co-worker, albeit one that requires thoughtful, responsible integration”.
“In 2025 – don’t expect the all too familiar issues of skills gaps, budget constraints or compliance to be sidestepped by security teams. Securing local large language models (LLMs) will emerge as a greater concern, however, as more industries and organisations turn to AI to improve operational efficiency. A major breach or vulnerability that’s traced back to AI in the next six to twelve months could be the straw that breaks the camel’s back.
“I’m also expecting to see a large increase in the use of cyber security platforms and, subsequently, integration of AI within those platforms to improve detection rates and improve analyst experience. There will hopefully be a continued investment in zero-trust methodologies as more organisations adopt a risk-based approach and continue to improve their resilience against cyber-attacks. I also expect we will see an increase in organisations adopting 3rd party security resources such as managed SOC/SIEM/XDR/IR services as they look to augment current capabilities.
“Heading into the new year, security teams should maintain a focus on cyber security culture and awareness. It needs to be driven by the top down and stretch far. For example, in addition to raising base security awareness, Incident Response planning and testing
should also be an essential step taken for organisations to stay prepared for cyber incidents in 2025. The key to success will be for security to keep focusing on the basic concepts and foundations of securing an organisation. Asset management, MFA, network
segmentation and well-documented processes will go further to protecting an organisation than the latest “sexy” AI tooling.”
“2024 saw financial services organisations harness the power of AI-powered processes in their decision-making, from using machine learning algorithms to analyse structured data and employing regression techniques to forecast. Next year, I expect that firms will continue to fine-tune these use cases, but also really ramp up their use of unstructured data and advanced LLM technology.
“This will go well beyond building a chatbot to respond to free-form customer enquiries, and instead they’ll be turning to AI to translate unstructured data into structured data. An example here is using LLMs to scan the web for competitive pricing on loans or interest rates and converting this back into structured data tables that can be easily incorporated into existing processes and strategies.
“This is just one of the use cases that will have a profound impact on financial services organisations. But only if they prepare. To unlock the full potential of AI and analytics in 2025, the sector must make education a priority. Employees need to understand how AI works, when to use it, how to critique it and where its limitations lie for the technology to genuinely support business aspirations.
“I would advise firms to focus on exploring use cases that are low risk and high reward, and which can be supported by external data. Summarising large quantities of information from public sources into automated alerts, for example, plays perfectly to the strengths of genAI and doesn’t rely on flawless internal data. Businesses that focus on use cases where data imperfections won’t impede progress will achieve early wins faster, and gain buy-in from employees, setting them up for success as they scale genAI applications.”
Bernard Montel, EMEA Technical Director and Security Strategist at Tenable, breaks down the cybersecurity trend that could define 2025.
SHARE THIS STORY
When looking back across 2024, what is evident is that cyberattacks are relentless. We’ve witnessed a number of Government advisories of threats to the computing infrastructure that underpins our lives. Cyberattacks targeting software that took businesses offline.
We’ve seen record breaking tomes of data stolen in breaches with increasingly larger volumes of information extracted. And in July many felt the implications of an unprecedented outage due to a non-malicious ‘cyber incident’, that illustrated just how reliant our critical systems are on software operating as it should at all times while also a sobering reminder of the widespread impact tech can have on our daily lives.
Why Can’t We Secure Ourselves?
While I’d like to say that the adversaries we face are cunning and clever, it’s simply not true.
In the vast majority of cases, cyber criminals are optimistic and opportunistic. The reality is attackers don’t break defences, they get through them. Today, they continue to do what they’ve been doing for years because they know it works, be it ransomware, DDoS attacks, phishing, or any other attack methodology.
The only difference is that they’ve learned from past mistakes and honed the way they do it for the biggest reward. If we don’t change things then 2025 will just see even more successful attacks.
Against this the attack surface that CISO’s and security leaders have to defend has evolved beyond the traditional bounds of IT security and continues to expand at an unprecedented rate. What was once a more manageable task of protecting a defined network perimeter has transformed into a complex challenge of securing a vast, interconnected web of IT, cloud, operational technology (OT) and internet-of-things (IoT) systems.
Cloud Makes It All Easier
Organisations have embraced cloud technologies for their myriad benefits. Be it private, public or a hybrid approach, cloud offers organisations scalability, flexibility and freedom for employees to work wherever, whenever. When you add that to the promise of cost savings combined with enhanced collaboration, cloud is a compelling proposition.
However, it doesn’t just make it easier for organisations but also expands the attack surface threat actors can target. According to Tenable’s 2024 Cloud Security Outlook study, 95% of the 600 organisations surveyed said they had suffered a cloud-related breach in the previous 18-months. Among those, 92% reported exposure of sensitive data, and a majority acknowledged being harmed by the data exposure. If we don’t address this trend, in 2025 we could likely see these figures hit 100%.
In Tenable’s 2024 Cloud Risk Report, which examines the critical risks at play in modern cloud environments, nearly four in 10 organisations globally are leaving themselves exposed at the highest levels due to the “toxic cloud trilogy” of publicly exposed, critically vulnerable and highly privileged cloud workloads. Each of these misalignments alone introduces risk to cloud data, but the combination of all three drastically elevates the likelihood of exposure access by cyber attackers.
When bad actors exploit these exposures, incidents commonly include application disruptions, full system takeovers, and DDoS attacks that are often associated with ransomware. Scenarios like these could devastate an organisation. According to IBM’s Cost of a Data Breach Report 2024 the average cost of a single data breach globally is nearly $5 million.
Taking Back Control
The war against cyber risk won’t be won with security strategies and solutions that stand divided. Organisations must achieve a single, unified view of all risks that exist within the entire infrastructure and then connect the dots between the lethal relationships to find and fix the priority exposures that drive up business risk.
Contextualization and prioritisation are the only ways to focus on what is essential. You might be able to ignore 95% of what is happening, but it’s the 0.01% that will put the company on the front page of tomorrow’s newspaper.
Vulnerabilities can be very intricate and complex, but the severity is when they come together with that toxic combination of access privileges that creates attack paths. Technologies are dynamic systems. Even if everything was “OK” yesterday, today someone might do something, change a configuration by mistake for example, with the result that a number of doors become aligned and can be pushed open by a threat actor.
Identity and access management is highly complex, even more so in multi-cloud and hybrid cloud. Having visibility of who has access to what is crucial. Cloud Security Posture Management (CSPM) tools can help provide visibility, monitoring and auditing capabilities based on policies, all in an automated manner. Additionally, Cloud Infrastructure Entitlement Management (CIEM) is a cloud security category that addresses the essential need to secure identities and entitlements, and enforce least privilege, to protect cloud infrastructure. This provides visibility into an organisation’s cloud environment by identifying all its identities, permissions and resources, and their relationships, and using analysis to identify risk.
2025 can be a turning point for cybersecurity in the enterprise
It’s not always about bad actors launching novel attacks, but organisations failing to address their greatest exposures. The good news is that security teams can expose and close many of these security gaps. Organisations must bolster their security strategies and invest in the necessary expertise to safeguard their digital assets effectively, especially as IT managers expand their infrastructure and move more assets into cloud environments. Raising the cybersecurity bar can often persuade threat actors to move on and find another target.
Sten Feldman, Head of Software Development at CybExer Technologies, explores the evolving impact of the AI boom on cybersecurity.
SHARE THIS STORY
According to the European Union Agency for Cybersecurity’s (ENISA) recently updated Foresight Cybersecurity Threats report, AI will continue redefining cybersecurity until 2030.
Although AI has already significantly reshaped the cyber threat landscape, particularly with the widespread use of GenAI, it is likely to increase the volume and heighten the impact of cyber-attacks by 2025. This is a clear indication that the use cases we’ve seen so far are just the beginning. The true challenge lies in the untapped potential of AI, and the long-term risks it poses.
The direction AI leads in cyber threat landscape
The increased use of AI has led to a surge in more sophisticated cyber-attacks, from data poisoning to deep fakes. Among these, phishing campaigns and deep fakes stand out as the two main avenues where AI tools are effectively employed to orchestrate highly targeted, near-perfect cyber-attack campaigns.
Gen AI-driven deep fake technology in particular has become a standard tool for threat actors, enabling them to impersonate C-level executives and manipulate others into taking specific actions. While impersonation is not a new tactic, AI tools allow threat actors to craft sophisticated and targeted attacks at speed and scale.
For example, large language models (LLMs) enable threat actors to generate human-like texts that appear genuine and coherent, eliminating grammar as a red flag for such attacks. Beyond this, LLMs take it a step further by hyper-personalising attacks to exploit specific characteristics and routines of particular targets or create individualised attacks for each recipient in larger groups.
However, AI’s impact is not only on the sophistication of attacks but also on the alarming increase in the number of threat actors. The user-friendly nature of Gen AI technology, along with publicly available and easily accessible tools, is lowering the barrier of entry to novice cybercriminals. This means that even less skilled attackers can exploit AI to release sensitive information and run malicious code for financial gain.
AI also plays an essential role in the increasing speed of cyber-attacks. Trained AI models and automated systems can analyse and exfiltrate data faster and more efficiently and perform intelligent actions. Creating ten million personalised emails takes a matter of seconds with these tools. They can quickly scan an organisational network, try several alternative paths in split seconds to find a network vulnerability to attack. Once this happens, they automatically attempt to get a foothold into systems.
Utilising AI in blue teams
Although threat actors will continue to use AI to evolve their tactics and increase the risks and threats, AI is also widely used to arm organisations against these cyber threats and prepare against dynamic attacks.
Consider this in terms of red and blue teams for organisational defence. The red team, armed with AI tools, can launch more effective attacks. However, the same tools are equally available to the blue team. This raises the question of how blue teams can also effectively deploy AI to safeguard organisations and systems.
There are many ways for organisations to utilise AI tools to strengthen their cyber defence. These tools can analyse vast amounts of data in real time, identify potential threats, and mitigate risks more efficiently than traditional methods. AI can also be used in model training, replicating the most advanced AI applications and simulating specific scenarios.
Incorporation of AI into cyber exercises to create attack environments allows organisations to detect weak and vulnerable spots that the most advanced AI application could exploit, and also use AI tools to solve real-world cases.
This means organisations can have a deeper, more comprehensive insight into cybersecurity preparedness and how to arm systems against potential AI powered attacks. It is critical to keep training and exercises up to date with the latest threats and technologies to prepare organisations for AI-powered threats.
The best defense…
However, cybersecurity teams cannot adress the risks posed by AI solely from a defensive perspective. The biggest challenge here is speed and planning for the next big AI-powered attack potential. Organisations should work with the utmost dedication and stay ahead of cyber security trends to create proactive defence strategies.
External security operations center (SOC) services and working with specialised consultants is essential for organisations to be able to move as fast as threat actors and aim to be a step ahead – this is the only way to provide a sense of security in the face of ever-evolving AI threats.
AI as a threat to the whole organisation
AI integration in organisations’ systems is also not without risks. While AI is reshaping the cyber landscape in the hands of threat actors, enterprises are also facing accidental insider threats. AI systems integrations are leading companies to new vulnerabilities, which are well-known internal AI threats in cybersecurity.
Employees using Gen AI tools are accessing more organisational data than ever before. Even in the hands of the most well-intended employees, if they are not cyber-trained, AI tools could lead to unintentional leaks or misplaced access to restricted, sensitive data.
As in every cyber-attack scenario, tackling AI-powered threats is not possible without creating an organisation-wide cyber awareness and resilience culture. Training all employees on using AI tools and the potential risks they pose to an organisation’s systems and integrating AI into daily security operations are the first steps for creating a culture of cyber resilience against AI-powered attacks.
Developing organisational cyber awareness from every responsibility level is critical to avoiding emerging vulnerabilities and evolving AI threats. It not only helps mitigate the risks of employees accidentally misusing AI tools, but also helps build strong organisational cyber awareness and the proactive development of robust security measures.
Vincent Lomba, Chief Technical Security Officer at Alcatel-Lucent Enterprise, examines the efficacy of AI in the network security space.
SHARE THIS STORY
Artificial intelligence (AI) is making its way into cybersecurity systems around the world, and this trend is only beginning. The potential for AI to revolutionise network security is vast. The technology offers new methods to safeguard systems and reduce the manual workload for IT teams. Moreover, with cybercriminals increasingly adopting AI to create more sophisticated attacks, organisations are starting to consider deploying AI to stay ahead.
However, the question remains: How effective is AI in this space?
Streamlining Cybersecurity Systems
AI-based network security systems differ significantly to well-established methods of identifying malicious activity on a network. Signature-based detection systems only generate alerts when they identify an exact match of a known indicator of an attack. If there is any variation from the known indicator, then the system will be unable to pick it up. The alternative is an anomaly-based system, which generates alerts when activity is outside an accepted range of ‘normal behavior. While this takes a more comprehensive view of network activity compared to signature-based systems, it is not without shortcomings. Perhaps the one most often discussed is its tendency to generate false positives when there is unusual activity that is not part of a cyberattack.
Both systems can require extensive manual intervention. IT teams must constantly update databases for signature-based detection systems to ensure that new attack techniques will be recognised as malicious activity. The alternative is that they constantly sift through the alerts generated by an anomaly-based system looking for genuine threats.
AI represents a way to streamline cybersecurity systems, by enabling faster and more precise detection of cyber threats. By processing vast quantities of data, AI systems can identify unusual patterns and behaviours in real time. This imparts key benefits to organisations that leverage AI as part of their cybersecurity defences.
The Value of AI
Reducing Workload: AI-powered tools can significantly reduce the workload for IT teams. They help cut down the number of false alarms generated by security systems. This allows cybersecurity personnel to stay alert without becoming overwhelmed. This reduction in manual work allows security teams to focus on more complex, strategic tasks.
Increased Protection: AI also offers enhanced protection against cyberattacks. Unlike traditional signature-based detection methods, which struggle to identify zero-day threats, AI excels at recognising emerging threats based on behaviour and patterns. This, coupled with near real-time response capabilities, limits the window of opportunity for attackers to cause damage if they manage to infiltrate a system.
Greater scalability and adaptability. Another advantage of AI is that it gives organisations more flexibility. Security teams can quickly respond to increased threat levels or unusual network behavior without having to expand their personnel.
Human Oversight
Although AI offers numerous benefits, it’s crucial to acknowledge the need for human oversight in cybersecurity. We should not think of AI as replacing cybersecurity experts, but rather as a vital tool to support them in running day-to-day operations.
AI systems can process and analyse data rapidly, however they still rely on humans to validate findings, fine-tune the models, and make final decisions, especially when dealing with complex cyber threats. The stakes are high when it comes to the security of an organisation’s confidential data and technology infrastructure. That’s why human involvement is vital in ensuring that AI operates correctly and that correct procedures are being followed.
Mitigating the Risks of AI
While AI can enhance cybersecurity, it also brings several challenges that need to be managed, which highlight the need for human involvement and decision making.
Accuracy of datasets: One significant concern is the accuracy of the data AI systems are trained on. AI’s effectiveness is largely determined by the quality of the data it uses to learn. If training data is incomplete or biased, the system may produce inaccurate results, such as false positives, or a false sense of security, in case of false negatives due to non-detection of e.g. malicious agents. To prevent this, organisations need to rigorously assess the data they feed into their AI models.
Privacy: Another potential issue is privacy. AI systems rely on real-world data to monitor network activity and identify anomalies. This data must be protected through anonymisation or other privacy-preserving techniques to avoid misuse – and should be deleted when it is no longer necessary.
Resource consumption: Running AI models, especially on a large scale, can be demanding in terms of both energy and water, which are required to maintain the systems. This contributes to a higher environmental footprint. By optimising the frequency at which AI models are retrained, organisations can reduce resource consumption. Additionally, the usage of resources will be lower once the model is trained.
Conclusion
While AI offers substantial benefits to cybersecurity, it also presents challenges that must be addressed to ensure its safe and effective implementation. The technology can significantly reduce workload, enhance network security through faster and more accurate detection, and adapt to evolving threats. However, without high-quality data, privacy safeguards, and careful resource management, these advantages may be undermined.
The deployment of AI models should be carefully managed by cybersecurity professionals in order to fully take advantage of its capabilities while minimising risks. AI is a valuable tool – not a substitute for human experience and expertise.
Dave Manning, Chief Information Security Officer at Lemongrass, explores why modern CSIOs are calling for the gamification of cybersecurity practices.
SHARE THIS STORY
As more businesses embrace the cloud and digital transformation, traditional cybersecurity training methods are becoming increasingly outdated. The rapid emergence of new threats demands a more dynamic approach to security education—one that both informs and engages. Despite numerous bulletins, briefings, and conventional training sessions, the human element remains a critical factor. Human error is a contributing factor to 68% of data breaches. This underscores the urgent need for more innovative cybersecurity training.
Modern Chief Information Security Officers (CISOs) increasingly advocate for the gamification of cybersecurity training; but what makes gamification so effective, and how can businesses leverage it to enhance their security posture?
The Challenges of Traditional Training
The accelerating evolution of technology has outpaced the traditional rote-learning security training methods that many organisations still rely upon. Employees cannot effectively internalise dry security bulletins and briefings, leaving organisations more vulnerable to an increasing range of attacks.
This lack of readiness is particularly evident during major incidents, when rapid responses are required, and many foundational security assumptions are suddenly found wanting. How do we correctly authenticate an MFA reset request? Can we restore our systems from those backups? How do we know if they’ve been tampered with? Who is in charge? How do we pass information, and to whom? What if this critical SaaS service is unavailable? Do all our users have access to a fallback system if their primary fails to boot? What are our reversionary communications channels?
In such a crisis, organisations may be forced to rely on non-technical personnel to execute complex procedures or to effectively communicate complex messages to other users – tasks for which they are typically unprepared. This disconnect between policy and reality demands a new approach — one that actively engages employees in the learning process so that they are practiced and experienced when it really matters.
Gamifying Cybersecurity Training
Gamification turns passive learning into an interactive experience where employees can apply their knowledge in simulated environments and adds a healthy element of competition to reward desirable behaviours. Gamified training can include exercises tailored to the specific challenges a particular environment presents – simulations focused on threats to critical SAP systems, data theft, and ransomware scenarios.
These exercises provide a safe space for employees to practice securing their environments, ensuring they can manage and protect critical systems like SAP in real-world scenarios. Mistakes during these exercises serve as crucial learning opportunities without any real-world impact, helping employees avoid these errors when it matters most.
By making security training more engaging, organisations can increase participation, improve knowledge retention, and ultimately reduce the potential for human error.
Capture the Flag (CTF) Exercises: The Value of Hands-On Learning
One particularly effective gamification approach is Capture the Flag (CTF). These exercises allow participants to play at being the bad guys. Knowing your enemy and how they operate makes you a much more effective defender. And most importantly – it’s fun!
CTF exercises are particularly valuable in teaching technical security fundamentals and providing hands-on experience with modern threats. This practical approach bridges the gap between theoretical knowledge and its real-world application. It ensures that employees are better prepared to respond swiftly and effectively when an actual threat materialises.
Fostering Competition while Improving Compliance
Gamified training can significantly enhance compliance by turning dry, mandatory protocols into engaging, interactive experiences. Employees are naturally motivated to adhere more-closely to the organisation’s security policies when they are scored against their peers.
By regularly updating leaderboards and recognising top performers, organisations create a culture where applying the correct security controls is no longer an onerous requirement but becomes a rewarding habit.
Gamifying the Path Forward
In today’s fast-paced digital environment, innovative cybersecurity training methods are essential for companies to maintain their defensive edge. Traditional approaches no longer suffice to prepare employees to face today’s sophisticated threats. Gamification offers a solution that educates and engages, ensuring that security knowledge is engrained and applied effectively.
As organisations implement new technologies, their security challenges evolve. Gamified training offers the flexibility to adapt, ensuring that employees remain proficient in managing and protecting critical cloud and SAP systems. This ongoing evolution of training keeps the workforce informed about the latest threats and security protocols. This, in turn, helps the organisations maintain a strong security posture even as technology shifts.
By integrating gamified training into their cybersecurity strategies, organisations can reduce human error, improve compliance, and strengthen their overall security posture. Adopting gamified training is an important element of building a security-aware culture that is equipped to handle tomorrow’s challenges.
Andrew Grill, author, former IBM Global Managing Partner and one of 2024’s top futurist speakers, explores the relationship between AI and cybersecurity.
SHARE THIS STORY
As technology advances, so do the tactics of cybercriminals. The rise of artificial intelligence has significantly transformed the landscape of cybersecurity, particularly in the realm of online scams and phishing attempts.
This transformation presents both challenges and opportunities for individuals and organisations aiming to safeguard their digital assets. Importantly, senior leaders can no longer simply rely on their IT teams to stay safe; they need to be active participants in the protection of new attack opportunities for cybercriminals in the age of AI.
The Evolution of Online Scams and Phishing
AI has empowered cybercriminals to create more sophisticated and convincing scams. Phishing, a common cyber threat, has evolved from simple email scams to highly targeted attacks using AI to personalise messages. Generative AI can analyse vast amounts of data to craft emails that mimic legitimate communications. This makes is difficult for individuals to discern between real and fake messages.
AI-driven tools can scrape social media profiles to gather personal information in seconds. This information is then used to tailor phishing emails that appear to come from trusted sources. These emails often contain malicious links or attachments that, when clicked, can compromise personal or organisational data.
Previous phishing attempts were more obvious when the instigators didn’t have English as their first language. Thanks to Generative AI, criminals are now fluent in any language.
AI as a Double-Edged Sword
While AI enhances the capabilities of cybercriminals, it also offers powerful tools for defence. AI-based security systems can analyse patterns and detect anomalies in real-time, providing a proactive approach to cybersecurity. Machine learning algorithms can identify suspicious activities by monitoring network traffic and user behaviour, enabling quicker responses to potential threats.
AI can automate routine security tasks like patch management and threat intelligence analysis, freeing human resources to focus on more complex security challenges. This automation is crucial in managing the vast amount of data generated in today’s digital landscape.
AI is already having a significant impact on cybersecurity. The World Economic Forum estimates that cybercrime will cost the world $10.5 trillion annually by 2025, partly due to the increased sophistication of AI-powered attacks.
A study by Capgemini found that 69% of organisations believe AI will be necessary to respond to cyberattacks, indicating the growing reliance on AI for cybersecurity measures, and an IBM report in 2023 revealed that the average cost of a data breach is $4.45 million, emphasising the financial impact of inadequate cybersecurity.
Strategies for Staying Safe
Individuals and organisations must adopt comprehensive cybersecurity strategies to combat the evolving threats posed by AI-enhanced cybercrime. Here are some that can be easily implemented.
Educate and Train: Regular training sessions on recognising new AI phishing attempts and cyber threats are essential. Employees should be aware of the latest tactics used by cybercriminals and understand the importance of cybersecurity best practices.
Implement Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to provide two or more verification factors to gain access to a resource, making it more difficult for attackers to breach accounts. Every system in your organisation should be enabled with MFA.
Ask employees to secure their personal accounts: MFA should already be in place for businesses of any size, but employees must engage MFA (also called 2-factor) security on their accounts to reduce the avenues in which criminals can attack an organisation. The website 2fa.directory provides instructions for all major platforms.
Use AI-Powered Security Solutions: Deploy AI-driven security tools that detect and respond to threats in real-time. These tools can help identify unusual patterns that may indicate a cyberattack.
Regularly Update Software: Ensure all software and systems are up-to-date with the latest security patches, including personal mobile devices. This reduces vulnerabilities that cybercriminals can exploit.
Encourage Digital Curiosity: Promote a culture of digital curiosity that encourages individuals to stay informed about the latest technology trends and cybersecurity threats. This proactive approach can help identify and mitigate risks before they become significant.
The Role of a Family Password
In addition to organisational strategies, simple measures like having a “family password” can be effective in personal cybersecurity. With the rise of AI-generated voice clones, the likelihood of a senior executive being targeted with a phone call that appears to come from a distressed family member is becoming increasingly real.
A family password is a shared secret known only to trusted family members, used to verify identity during unexpected communications. This can prevent unauthorised access and ensure that sensitive information is only shared with verified individuals.
Criminals frustrated by sophisticated security measures in place protecting company data will move to the path of least resistance. Often, that means personal accounts. If you use Gmail for your personal email and haven’t enabled “2-Step Verification”, then can you be sure criminals aren’t already in your account, silently learning all about you and your family?
The digitally curious executive takes the time to deploy measures in their personal life. Simple measures include a password manager and enabling 2-factor authentication on all their accounts, starting with LinkedIn.
Conclusion
As AI continues to shape cybersecurity’s future, individuals and organisations must adapt and evolve their security practices. By leveraging AI for defence, educating users, implementing robust security measures at work and home, and passing some of the security responsibility onto employees, we can mitigate the risks posed by AI-driven cyber threats and create a safer digital environment.
Jonathan Wright, Director of Products and Operations at GCX, explores the battle to safeguard businesses’ digital assets and the role of Managed Service Providers in ensuring business continuity.
SHARE THIS STORY
Businesses of all sizes are fighting a constant battle to safeguard their digital assets. Cybersecurity threats have grown complex and dangerous, with organisations worldwide grappling with an average of 1,636 attacks per week. This onslaught of cyber attacks not highlights the increasing sophistication and persistence of threat actors. Not only that, however, but it also emphasises the critical need for robust IT security solutions.
As a result, some organisations are struggling to keep up with these threats. In response, many Managed Service Providers (MSPs) have evolved beyond technology vendors into strategic partners.
The evolution of MSPs
In recent years, the more agile MSPs have transformed their approach and service offerings. No longer content with providing and maintaining technology, they can now help address the ever-changing security needs of their customers. This has led MSPs to shift their focus toward consultancy and strategic guidance. Increasingly, these organisations are fostering deeper, long-term partnerships that extend far beyond basic technology implementation.
By getting to know each customer’s unique business headaches and growth-orientated goals, MSPs are now able to provide tailored security solutions that align with an organisation’s specific requirements.
One of the key attractions of modern MSPs is their ability to demystify complex security technologies and offer them as part of a comprehensive service package.
This means that businesses can access advanced monitoring tools, regular security updates and protection measures without the need for significant in-house expertise or investment. By opting for security solutions as a service, organisations gain the flexibility to adapt quickly to new threats and benefit from continuous improvements in their security package.
The partnership between MSPs and security vendors has also revolutionised the way security solutions are delivered to end-users. For vendors, alongside the clear commercial benefits of working with a channel, MSPs serve as intermediaries who can effectively communicate the value of security products and services to customers.
This allows for a more efficient distribution of security solutions and facilitates a smoother exchange of information about relevant challenges and emerging needs.
The result? MSPs handle security concerns more promptly than if vendors were dealing with customers one-on-one.
The importance of building strong partnerships
To stay on top of IT security, MSPs must balance their vendor relationships. While it might be tempting to partner with numerous security vendors to offer a wide range of solutions, successful MSPs understand the importance of quality over quantity.
They’re picking their partnerships carefully, focusing on strong relationships. This way, MSPs can invest in skills development for both sales and technical fulfilment of specific security solutions.
The success of MSPs in IT security hinges on their ability to build lasting partnerships with both customers and vendors.
It’s not just about offering high-quality security products – that’s a given, it’s about adapting to needs, keeping the lines of communication open, providing strong technical support and making everything as user-friendly as possible.
In an industry where threats evolve rapidly, the ability to quickly resolve problems and evolve security strategies is key.
Creating unified protection
]Furthermore, MSPs play an important role in integrating various security solutions into manageable systems for their customers. This is crucial for creating a unified, simplified security front that can effectively protect against multi-faceted cyber threats. By leveraging their expertise and vendor relationships, MSPs can design and implement comprehensive security systems that address the unique needs of each organisation they work with.
As cyber threats become more sophisticated and inevitably more frequent, it will only make MSPs more critical to business security.
Their ability to stay ahead of emerging threats, provide ongoing monitoring and management, and offer strategic guidance on security best practices makes them indispensable partners in the fight against cybercrime.
Organisations that leverage the full expertise of MSPs are better positioned to keep their security strong. Not only that, they are better positioned to comply with evolving regulations and protect their digital assets.
Sergei Serdyuk, VP of product management at NAKIVO explores how a combination of malicious AI tools, novel attack tactics, and cybercrime as-a-service models is changing the threat landscape forever.
SHARE THIS STORY
While the outcome of Artificial Intelligence (AI) initiatives for the business world – driven by its potential as a transformative force for the creation of new capabilities, enabling competitive advantage and reducing business costs through the automation of processes – remains to be seen, there is a darker flipside to this coin.
The AI-enhanced cyber attack
Organisations should be aware that AI is also creating a shift in cyber threat dynamics, proving perilous to businesses by exposing them to a new, more sophisticated breed of cyber attack.
According to a recent report by the National Cyber Security Centre The near-term impact of AI on the cyber threat: “Threat actors, including ransomware actors, are already using AI to increase the efficiency and effectiveness of aspects of cyber operations, such as reconnaissance, phishing and coding. This trend will almost certainly continue to 2025 and beyond.”
Generative AI has helped threat actors improve the quantity and impact of their attacks in several ways. For example, large language models (LLMs), like ChatGPT have helped produce a new generation of phishing and business email compromise attacks. These attacks rely on highly personalised and persuasive messaging to increase their chances of success. With the help of jailbreaking techniques for mainstream LLMs, and the rise in “dark” analogs like FraudGPT and WormGPT, hackers are making malicious messages more polished, professional, and believable than ever. They can churn them out much faster, too.
AI-enhanced malware
Another way AI tools are contributing to advances in cyber threats is by making malware smarter. For example, threat actors can use AI and ML tools to hide malicious code behind clean programmes that activate themselves at a specific time in the future. It is also possible to use AI to create malware that imitates trusted system components, enabling effective stealth attacks.
Moreover, AI and machine learning algorithms can be used to efficiently collect and analyse massive amounts of publicly available data across social networks, company websites, and other sources. Threat actors can then identify patterns and uncover insights about their next victim to optimise their attack plan.
Those are only some of the ways that AI is impacting the threat organisations face from cybercrime, and the problem will only get worse in the future as threat actors gain access to more sophisticated AI capabilities.
Using AI to identify system vulnerabilities
Whether it translates into adaptive malware or advanced social engineering, AI adds considerable firepower to the cybercrime front. Just as organisations can use AI capabilities to defend their systems, hackers can use them to gather information about potential targets, rapidly exploit vulnerabilities, and launch more sophisticated and targeted attacks that are harder to defend against.
AI-powered tools can scan systems, applications, and networks for vulnerabilities much more efficiently than traditional methods. Additionally, such tools can make it possible for less skilled hackers to carry out complex attacks, which contributes to the rapid expansion of the IT threat landscape. The exceptional speed and scale of AI-driven attacks is also important to mention, as it empowers attacks to overwhelm traditional security defences. In other words, AI has significant potential to identify vulnerabilities in systems, both for legitimate security purposes and for malicious exploitation.
Three types of AI-enabled scams
The types of scams employed by AI-enabled threat actors include: deepfake audio and video scams, next-gen phishing attacks, and automated scams.
Deepfake Audio and Video
Deepfake technology can create highly realistic audio and video content that mimics real people. Scammers have been using this technology to accurately recreate the images and voices of individuals in positions of power. They then use the images to manipulate victims into taking certain actions as part of the scam. At the corporate level, a famous example is the February deepfake incident that affected the Hong Kong branch of Arup, where a finance worker was tricked into remitting the equivalent of $25.6 million to fraudsters who had used deepfake technology to impersonate the firm’s CFO. The scam was so elaborate that, at one point, the unsuspecting worker attended a video call with deepfake recreations of several coworkers, which he later said looked and sounded just like his real colleagues.
Phishing
AI significantly enhances phishing attacks in several ways, and it is clear that AI-driven tactics are reshaping phishing attacks and elevating their effectiveness. Threat actors can use AI tools to craft highly personalised and convincing phishing emails, which are more likely to trick the recipient into clicking malicious links or sharing personal information. In some scenarios, scammers can deploy AI chatbots to engage with victims in real time, making the phishing attempt more interactive, adaptive, and persuasive.
Automated scamming
AI plays a valuable role in automating and scaling scam attempts. For example, AI can be used to automate credential stuffing on websites, increasing the efficiency of hacking attempts. Furthermore, large datasets can be analysed using AI to identify potential victims based on their online behaviour, resulting in highly personalised social engineering attacks. AI tools can also be used to generate credibility for scams, fake stores, and fake investment schemes by streamlining the creation and management of bots, fake social media accounts, and fake product reviews.
IT measures to defend against the AI-cyber attack threat
Defending against AI-driven threats requires a comprehensive approach that incorporates advanced technologies, robust policies, and continuous monitoring. Key IT measures organisations can implement to protect their systems and data effectively, include:
1. Utilising AI and ML security tools
Deploy systems driven by AI and machine learning to continuously monitor network traffic, system behaviour, and user activities, which helps detect suspicious activity. Useful tools include anomaly detection systems, automated threat-hunting mechanisms, and AI-enhanced firewalls and intrusion detection systems, all of which can improve an organisation’s ability to identify and respond to sophisticated threats.
2. Conducting regular vulnerability assessments
Run periodic penetration tests to evaluate the effectiveness of security measures and uncover potential weaknesses. Regularly scan systems, applications, and networks to identify and patch vulnerabilities.
3. Building up email and communication security
Use email security solutions that can accurately detect and block phishing emails, spam, and malicious attachments. AI deepfake detection tools designed to identify fake audio and video content are also helpful in ensuring secure and authentic communication.
4. Regular security training and education
Conduct regular training sessions to educate employees about the latest AI-driven threats, phishing techniques, and best practices for cybersecurity in the AI age. Run simulated AI-driven phishing attacks to test and improve employees’ ability to recognise and respond to suspicious communication.
5. Data protection and security
Ensure that you back up sensitive data in accordance with best practices for data protection and disaster recovery to mitigate data loss risks from cyber threats. Follow general security recommendations like encryption and identity and access management controls to address both internal and external security threats to sensitive data and systems.
Muhammed Mayet, Obrela Sales Engineering Manager, explores the role of managed detection and response techniques in modern security measures.
SHARE THIS STORY
Cyber threats are constantly evolving. In response, organisations need to adapt and enhance their security programs to protect their digital assets. Managed Detection and Response (MDR) services have emerged as a critical component in the battle against cyber threats.
A good MDR service will help organisations manage operational risk, significantly reduce their meantime to detect and respond to cyberattacks, and ultimately help them grow and scale their security programmes.
Here, we explore five key ways in which the right MDR service can help you develop and scale more robust security programs.
1. Real-Time Threat Detection and Response
It is essential to have an MDR service which leverages advanced analytics and real-time monitoring across all infrastructure components. Doing this will help you identify and respond to cyber threats as they occur. By taking this proactive approach, you can ensure you detect threats early. This has the benefit of minimising potential damage and reducing the overall impact on the organisation.
Reduced detection time is a key benefit of MDR. With real-time monitoring 24/7/365 by skilled SOC analyst teams, threats can be detected and investigated much faster.
With immediate response, teams of experts can swiftly mitigate identified threats, preventing them from escalating.
By integrating real-time threat detection and response into their security programmes, organisations can stay ahead of cyber threats and ensure continuous protection of their digital assets.
2. Flexible Service
Your MDR service must be designed to address the constantly changing cybersecurity landscape, provide flexible options for coverage and multiple service tiers considering factors such as organisation size, technology stack and security profile. For example, at Obrela our MDR service uses an Open-XDR approach so clients can integrate and monitor existing infrastructure to improve security posture.
With flexibility in an MDR service to incorporate logs, telemetry and alerts from endpoints (desktops, laptops, servers), network infrastructure, physical or virtual data centre infrastructure, cloud infrastructure and OT, organisations can build a 360-degree view of their cybersecurity.
3. Advanced Threat Intelligence
Sophisticated threat intelligence will help an organisation to stay ahead of emerging threats. Threat intelligence and analytics of an MDR service must be continuously updated to identify patterns and predict potential attacks.
An MDR service must always be aligned with the current threat landscape to consider threat actor behaviour and TTPs, and ensure suspicious activity is detected and flagged prior to an attack taking place.
4. Expert Incident Management
Effective incident management is crucial for minimising the impact of cyber incidents. Without it, it’s impossible to ensure organisations can quickly return to normal operations.
An effective MDR service must include comprehensive incident management, from detection through to resolution. This should also include 24/7 support from cyber security experts to manage and resolve incidents effectively. An incident management service should cover every aspect of an incident, from initial detection to post-incident analysis and reporting.
Organisations today face a shortage of skilled and experienced security personnel. However, an MDR service gives you access to expertise on demand. Access to a team of experienced cybersecurity professionals ensures organisations can manage incidents efficiently and effectively.
5. Continuous Improvement and Optimisation
For businesses looking to strengthen their security posture, cybersecurity cannot be a one-time solution. It needs to be an ongoing partnership, aiming to continuously improve and optimise your organisation-wide cyber security. Regular assessments, feedback and updates will help ensure security measures remain effective and relevant.
Regular assessments and updates also ensure security measures evolve with the ever-changing threat landscape, while feedback and analysis from previous incidents help refine and enhance cyber security over time.
Continuous improvement and optimisation ensure your security is always at its best, providing robust protection against cyber threats.
Managed Detection and Response (MDR) services are essential for growing and scaling security programs in today’s dynamic threat environment.
Utilising a cloud-native PAAS technology stack, our purpose-built Global and Regional Cyber Resilience Operation Centers (ROCs) provide continuous visibility and situational awareness to ensure the security and availability of your business operations.
When MDR services detect cyber threats, rapid response services restore and maintain operational resilience with minimal client impact.
By leveraging the right MDR service from an expert provider, organisations unlock the ability to scale with real-time, risk-aligned cybersecurity that covers every aspect of their business, no matter how far it reaches or how complex it grows, bringing predictability to the seemingly uncertain.
For more information on how MDR services can enhance your organisation’s security programme, visit the Obrela website.
Keepit CISO Kim Larsen breaks down the ripple effects of the EU’s Cyber Security and Readiness bill on the UK tech sector.
SHARE THIS STORY
A new directive designed to safeguard critical infrastructure and protect against cyber threats came into force across the European Union (EU) from October. But although the United Kingdom (UK) is no longer part of the EU, understanding these changes is still important, especially if your business operates in the region.
Plus, the Network and Information Systems Directive (NIS2) closely aligns with the UK’s own robust cybersecurity frameworks, including the Cyber Security and Resilience Bill introduced in the King’s Speech this summer. Preparing now could make it much easier to comply with future UK regulations as they come into effect.
Why should UK businesses adapt?
Prepare for future regulations
Although the UK is no longer part of the EU, the interconnected nature of global cyber threats means it’s not practical to reinvent or move away from existing regulation. With that in mind, it’s not surprising that The UK’s upcoming Cyber Security and Resilience Bill is closely aligned to NIS2. By understanding what’s coming, and aligning with NIS2, UK organisations will be much better prepared for future national regulatory changes too – and of course better protected against cyber threats.
Strengthen cyber resilience
This goes beyond compliance for compliance’s sake. When it comes into force, NIS2 is designed to protect organisations from cyber attacks and can significantly enhance cyber resilience. With an emphasis on risk management, incident response, and recovery, UK businesses that adopt these practices can better protect themselves, respond more effectively to incidents, and, ultimately, safeguard their operations and reputation.
Cement business relationships with EU partners
Many UK organisations rely on strong relationships with EU partners, and it’s likely that NIS2 compliance could become a prerequisite for future contracts, just as we saw with GDPR. Many EU companies may require suppliers and partners to comply with equivalent cybersecurity measures, and failing to do so could limit opportunities for collaboration. By adopting NIS2 standards now, UK businesses will make it easier for EU partners to work with them. And, if nothing else, demonstrating an understanding of and adhering to high cybersecurity standards can help businesses stand out, especially in sectors where security and trust are crucial.
Prepping for the Cyber Security and Resilience Bill
When the UK government set out plans for a Cyber Security and Resilience Bill, it heralded a significant strengthening of the UK’s cybersecurity resilience. If passed, this legislation aims to fill critical gaps in the current regulatory framework, which needs to adapt to the evolving threat landscape.
The good news is, because much of the Bill and NIS2 align, if businesses have already started the process of adapting to the EU directive, the burden isn’t as great as it could be.
The Bill at a glance:
Stronger regulatory framework: The Bill will put regulators on a stronger footing, enabling them to ensure that essential cyber safety measures are in place. This includes potential cost recovery mechanisms to fund regulatory activities and proactive powers to investigate vulnerabilities.
Expanded regulatory remit: The Bill expands the scope of existing regulations to cover a wider array of services that are critical to the UK’s digital economy. This includes supply chains, which have become increasingly attractive targets for cybercriminals, as we saw in the aftermath of recent attacks on the NHS and the Ministry of Defence. This means that more companies need to be aware of potential legislative changes.
Increased reporting requirements: an emphasis on reporting, including cases where companies have been held to ransom, will improve the government’s understanding of cyber threats and help to build a more comprehensive picture of the threat landscape, for more effective national response strategies.
If passed, the Cyber Security and Resilience Bill will apply across the UK, giving all four nations equal protection.
Building on current rules
The UK has a strong foundation when it comes to cybersecurity, and much of this guidance already closely aligns with the principles of NIS2 and the new Cyber Security and Resilience Bill. The National Cyber Strategy 2022, for example, focuses on building resilience across the public and private sectors, strengthening public-private partnerships, enhancing skills and capabilities, and fostering international collaboration. And National Cyber Security Centre NCSC guidance already complements new rules by focusing on incident reporting and response and supply chain security. Companies that follow these rules will be in a strong position as legislators introduce NIS2 and the Bill.
Cyber protection for a reason
This is not just about complying with the latest regulations. Cyber attacks can be devastating to the organisations involved and the customers or users they serve. Take for example the ransomware attack on NHS England in June this year, resulting in the postponement of thousands of outpatient appointments and elective procedures. Or the 2023 cyberattack on Royal Mail’s international shipping business that cost the company £10 million and highlighted the vulnerability of the transport and logistics sector. And how about the security breach at Capita also in 2023, that disrupted services to local government and the NHS and resulted in a £25 million loss.
We live in an interconnected world where business – and legislation – often extends far beyond their original borders. So please don’t ignore NIS2. By understanding and preparing for it, UK businesses can better protect themselves against cyber attacks. Make themselves more attractive to European partners. And contribute to national cyber resilience.
Tobias Nitszche, Global Cyber Security Practice Lead at ABB, explains how digital solutions can help chief information, technology and digital officers from all industry sectors comply with new rules and regulations, while protecting their operations and reputation.
SHARE THIS STORY
The global cybersecurity threat landscape is expanding, driven by remote connectivity, the rapid convergenceof information technology (IT) and operational technology (OT) systems, as well as an increasingly challenging international security and geopolitical environment.
All these issues present significant challenges – but also opportunities – for high-ranking technology leaders in all industries, not least in the context of ever-more-ubiquitous artificial intelligence (AI).
Ensuring that cybersecurity standards are being met along the entire supply chain, for example, requires dedicated OT security teams to collaborate with their IT security colleagues to identify and address security gaps that are specific to the OT domain.
‘Business as usual’ is not an option. Experts expect the global cost of cybercrime to reach an astonishing $23.84trn by 2027. Malicious actors, be they nation states, business rivals or cybercriminal gangs intent on blackmail, are deploying a variety of tools to exploit vulnerabilities.
The geopolitical conflicts taking place around the globe, and related campaigns ofcyber espionage and intellectual property theft targeting the West, have propelled the issue even further up the business agenda.
The onus is now on businesses and institutions of all types to ensure that their cybersecurity measures – beginning with strong foundational security controls and a well-implemented reference architecture – are fit for purpose, and that they both become and stay compliant with evolving legislation
Euro vision: the NIS2 directive
On January 16th, 2023, the updated Network and Information Security Directive 2 (NIS2) came into force, updating the EU cyber security rules from 2016 and modernising the existing legal framework. Member states have until 17th October to ensure they have satisfied the measures outlined, which, in addition to more robust security requirements, address both reporting regulations and supply chain security, as well as introducing stricter supervisory and enforcement measures.
Let’s take the reporting obligations as an example. Incident detection and handling in OT is the basis for timely reporting but many industry sectors lack the requisite tools and experience. Under NIS2, businesses must warn authorities of a potentially significant cyber incident within 24 hours. Doing this effectively requires organisations to align their people, process and technology. However, this is often not the case.
Importantly, unlike NIS1, which targeted critical infrastructure, the new, stricter rules also apply to public and private sector entities, including those that offer ‘essential’ or ‘important’ services, such as energy and water utilities and healthcare providers.
Cyber standards and risk analysis
Other countries and regions may have different rules. Operating in the US, for instance, requires compliance with several laws dependent upon the state, industry and data storage type, including the Cyber Incident Reporting for Critical Infrastructure Act, the rules of which are still under review.
In other words, companies in specific industry sectors need to look beyond these over-arching rules and refer to sector-specific security standards that cover the components, systems or processes that are critical to the functioning of the critical infrastructures they operate.
Generally, it is good practice to follow existing standards like ISO27000 Series and IEC62443, which might already be the basis for existing cyber security frameworks. Organisations should certainly consider industrial automation systems, IEC 62443 for example, as it mentions so-called ‘essential’ functions such as functional safety, or the functions for monitoring and controlling the system components.
Certainly, in terms of NIS2, the IEC62443 risk assessment approach for OT environments is a good place to start in terms of a risk analysis: what is the likelihood of a cyberattack? If a hostile actor targeted our facilities, staff or network without our knowledge, what would be the impact on the business?
Existing hazard and operability (HAZOP) and layers of protection analysis (LOPA) studies and analysis can help to create a needed incident response and disaster recovery plan, helping to define subsequent SLAs, redundancies, and backup and recovery systems.
Future-proofing operations
In all scenarios, foundational controls (patching, malware protection, system backups, an up-to-date anti-virus system, etc) are non-negotiable, helping companies active in all industry sectors and jurisdictions to understand how their system is set up, and the potential threat.
Organisations should view cybersecurity legislation not as a hurdle but as an opportunity to strengthen and refine cyber defences, in collaboration with specialist technology providers. Organisations should ensure that they protect their reputation and their licence to operate, and future-proof their business against cyberattacks as the threat landscape evolves.
Mike Britton, CISO at Abnormal Security, tackles the threat of file sharing phishing attacks and how to stop them from harming your organisation.
SHARE THIS STORY
File-sharing platforms have seen a huge boost in recent years as remote and hybrid workers look for efficient ways to collaborate and exchange information – it’s a market that’s continuing to grow rapidly, expected to increase by more than 26% CAGR through to 2028.
Tools like Google Drive, Dropbox, and Docusign have become trusted, go-to tools in today’s businesses. Cybercriminals know this and unfortunately, they are finding ways to take advantage of this trust as they level up their phishing attacks.
According to our recent research, file-sharing phishing attacks – whereby threat actors use legitimate file-sharing services to disguise their activity – have tripled over the last year, increasing 350%.
These attacks are part of a broader trend we’re seeing across the threat landscape, where cybercriminals are moving away from traditional phishing attacks and toward sophisticated social engineering schemes that can more effectively deceive human targets, while evading detection by legacy security tools.
As employees become more security conscious, attackers are adapting. The once telltale signs of phishing, like poorly written emails and the inclusion of suspicious URLs, are quickly fading as cybercriminals shift to more subtle and advanced tactics, including exploiting file-sharing services.
So, what do these attacks look like? And what can organisations do to prevent them?
How file-sharing phishing attacks work
All phishing attacks are focused on exploiting the victim’s trust, and file-sharing phishing is no different. In these attacks, threat actors impersonate commonly used file-sharing services and trick targets into sharing their credentials via realistic-looking login pages. In some cases, cybercriminals even exploit real file-sharing services by creating genuine accounts and sending emails with legitimate embedded links that lead them to these fraudulent pages, or otherwise expose them to harmful files.
They will often use subject lines and file names that are enticing enough to click without arousing suspicion (like “Department Bonuses” or “New PTO Policy”). Plus, since many bad actors now use generative AI to craft their communications, phishing messages are more polished, professional, and targeted than ever.
We found that approximately 60% of file-sharing phishing attacks now use legitimate domains, such as Dropbox, DocuSign, or ShareFile, which makes these attacks especially challenging to detect. And since these services often offer free trials or freemium models, cyber criminals can easily create accounts to distribute attacks at scale, without having to invest in their own infrastructure.
While every industry is at risk for file-sharing phishing attacks, we found that certain industries were easier to target than others. The finance sector, for example, frequently uses file-sharing and e-signature platforms to exchange documents with partners and clients, and usually amid high pressure, fast moving transactions. File-sharing phishing attacks that appear time sensitive and blend in seamlessly with legitimate emails are unlikely to raise red flags.
Why file-sharing phishing attacks are so challenging to detect
File-sharing phishing attacks demonstrate just how effective (and dangerous) social engineering can be. Because these attacks appear to come from trusted senders and contain seemingly innocuous content, they feature virtually no indicators of compromise, leading even the most security conscious employees to fall for these schemes.
And it’s not just humans that these attacks are deceiving. Without any malicious content to flag, these attacks can also bypass traditional secure email gateways (SEGs), which rely on picking up on known threat signatures such as malicious links, blacklisted IPs, or harmful attachments. Meanwhile, socially engineered attacks that appear realistic—including those that exploit legitimate file-sharing services—slip through the cracks.
A modern approach to mitigating social engineering attacks
While security education and awareness training will always be an important component of any cybersecurity strategy, the rate at which social engineering attacks are advancing means that organisations can no longer depend on awareness training alone.
It’s time that we rethink their cyber defence strategies, focusing on capabilities to detect the more subtle, behavioural signs of social engineering, rather than spotting the most obvious threats.
Advanced threat detection tools that employ machine learning, for example, can analyse patterns around a user’s typical interactions and communication patterns, email content, and login and device activity, creating a baseline of known-good behaviour. Advanced AI models can then detect even the slightest deviations from that baseline, which might signal malicious activity. This allows security teams to detect the threats that signature-based tools (and their own employees) might miss.
As cybercriminals continue to evolve their attack tactics, we have to evolve our cyber defences in kind if we hope to keep pace. The static, signature-based tools of yesterday simply can’t keep up with how quickly social engineering techniques are advancing. The organisations that embrace modern, AI-powered threat detection will be in the best position to enhance their resilience against today’s – and tomorrow’s – most complex attacks.
Dan Lattimer, Area VP UK&I at Semperis, breaks down the industry’s best route to recovery in the wake of a ransomware attack.
SHARE THIS STORY
When did ransomware truly ramp up? Historically, many victims didn’t document successful attacks. This makes it hard to say with any certainty when this now widespread technique kicked into the mainstream arsenal of threat actors.
The rise of ransomware
With that said, I feel as though a shift started in the late 2010s – and reports from others have corroborated my hunch.
The UK’s National Cyber Security Centre (NCSC), for example, stated that “ransomware has been the biggest development in cybercrime” since it published its 2017 report on online criminal activity.Similarly, the New Jersey Cybersecurity & Communications Integration Cell affirmed that “after 2017, the number of ransomware attacks have become more prevalent and continue to increase each year”, tallying with the growing popularisation of cryptocurrencies at that time which have enabled payments to be sent anonymously.
Since then, ransomware has remained an ever-present threat. Indeed, by the third quarter of 2021, Gartner revealed that new ransomware models had become the top concern facing executives.
In response, companies of all shapes and sizes have gradually begun to work towards protecting themselves from the evolving threat of ransomware, working to establish effective security policies and protocols. Further, the fightback has also stemmed from other areas, be it the continual evolution of defensive technologies or the heightening of regulations, with enterprises now required to implement more stringent security measures to ensure compliance and avoid fines.
However, without question, there are still several gaps that need to be bridged.
The state of ransomware in 2024
To explore just how effective (or ineffective) enterprises have become in defending against the impacts of ransomware attacks, Semperis recently carried out a survey of nearly 1,000 IT and security professionals from global organisations across multiple industries in the first half of 2024.
Looking at the data, it’s clear that the threat of ransomware remains a significant problem, with attacks having become both frequent and continuous. According to the report, ransomware attacks impacted 85% of UK organisations in the past 12 months. Almost half of all organisations (45%) were attacked three times or more.
Repercussions of ransomware
What is more concerning, however, is the rate at which companies are failing to combat these attempts. Indeed, hackers using ransomware successfully breached more than half (54%) of the UK companies we surveyed were in the space of 12 months – sometimes within the same day.
The damages associated with ransomware attacks are well known. From regulatory fines to business downtime and reputational damages, such threats can cause domino effects of problems for firms, with very few respondents having managed to avoid any kind of impact. Globally, almost nine in 10 (87%) experienced some level of disruption, while for a significant group, the effects were much greater. Indeed, 16% had their cyber insurance cancelled, 21% saw layoffs, and one in five (20%) had to close their business permanently.
Given the potentially devastating consequences, firms can feel cornered into cooperating with threat actors. In fact, more than three quarters of respondents in our survey that had suffered such an attack opted to pay the ransom, with 32% having paid out four or more times in the space of just 12 months.
Further, these sums are not insignificant. Indeed, 62% of UK companies that paid a ransom stumped up funds of between £200,001 and £480,000.
It shouldn’t just be the astronomical sums involved here that cause alarm bells to ring. Equally, it is vital for firms to understand that there is no guarantee that meeting the demands of cybercriminals will make their problems disappear during a ransomware attack. In fact, our findings show that more than a third of organisations that paid ransoms failed to receive decryption keys or were unable to recover their files and assets.
Don’t overlook recovery
Such a status quo cannot continue. Instead, enterprises must go back to the drawing board, working to establish more reliable and effective cybersecurity and system recovery strategies that work effectively against the ever-present threat of ransomware.
As part of this rework, companies must continue to test and trial their methods. This is vital to ensure they work when the company needs them. Indeed, our survey shows that 63% of UK companies took more than a day to recover their systems to a good state, while one in eight took over a week.
This is a problem. Indeed, downtime is more than just an inconvenience. Every second that passes during an outage translates into lost revenue, diminished customer trust and lasting damage to an organisation’s reputation. From sales slipping away to consumers questioning the reliability of your company, the implications can be massive.
On the right track to recovery
Promisingly, it appears that many organisations are on the right track, with nearly 70% of respondents stating that they had an identity-focused recovery plan in place. However, despite this, only 27% actually maintained dedicated systems for recovering Active Directory, Entra ID, and identity controls – the Tier 0 infrastructure that all systems depend on for recovery.
Organisations must bridge this gap. For many companies worldwide, AD is the backbone of their operations, serving as the primary identity platform. Cybercriminals are acutely aware of its significance and continue to target it. If they can gain control of an enterprise’s AD, they can effectively bring everything to a halt, applying immense pressure on unprepared organisations.
To avoid such a scenario from unfolding, organisations must prioritise establishing a dedicated system for backing up and recovering AD, ensuring they can restore operations with both speed and integrity in the event of an attack.
Less than a quarter of firms currently have such a system in place, and that needs to change. Yes, preventative measures are important. However, recovery is an aspect that organisations cannot afford to overlook.
After CrowdStrike triggered a global IT meltdown, 74% of people call for regulation to hold companies accountable for delivering “bad” code.
SHARE THIS STORY
New research argues that 66% of UK consumers think software companies who release “bad” code that causes mass outages should be punished. Many agree that doing so is on par with, or worse than, supermarkets selling contaminated food.
The study of 2,000 UK consumers was commissioned by Harness and conducted by Opinium Research. The report found that almost half (44%) of UK consumers have been affected by an IT outage.
IT outages becoming a fact of life
Over a quarter (26%) were impacted by the recent incident caused by a software update from CrowdStrike in July 2024. Those affected by those outages said they experienced a wide array of issues. These included being unable to access a website or app (34%) or online banking (25%). Others reported having trains and flights delayed or cancelled (24%), as well as difficulty making healthcare appointments.
“As software has come to play such a central role in our daily lives, the industry needs to recognise the importance of being able to deliver innovation without causing mass disruption. That means getting the basics right every time and becoming more rigorous when applying modern software delivery practices,” said Jyoti Bansal, founder and CEO at Harness. Bansal added that simple precautions could drastically reduce the impact of outages like the one that affected CrowdStrike. Canary deployments, for example, could mitigate the impact of an outage by ensuring updates only reach a few devices. This would have helped identify and mitigate issues early, he added, “before they snowballed into a global IT meltdown.”
Following the recent disruption, 41% of consumers say they are less trusting of companies that have IT outages. More than a third (34%) have changed their behaviour because of outages. Almost 20% now ensure they have cash available. Others keep more physical documents (15%). And just over 10% are hedging their bets with a wider range of suppliers. For example, using multiple banks can avoid being impacted by outages.
Consumers favour regulation for IT infrastructure and software
In the wake of the July mass-outages, 74% of consumers say they favour the introduction of new regulations. These regulations would ensure companies are held accountable for delivering “bad” or poor-quality software updates that lead to IT outages.
Many consumers go further. Over half (52%) claim software firms that put out bad updates should compensate affected companies (52%). Some believe the offenders should be fined by the government (37%). Almost one-in-five (18%) consumers say they should be suspended from trading.
“With consumers crying out for change, there needs to be a dialogue about the controls that can be implemented to limit the risk of technology failures impacting society,” Bansal added. “Just as they do for the banking and healthcare industries, or in cybersecurity, regulators should consider mandating minimum standards for the quality and resilience of the software that is ubiquitous across the globe. To get ahead of such measures, software providers should implement modern delivery mechanisms that enable them to continuously improve the quality of their code and drive more stable release cycles. This will allow the industry to get on the front foot and relegate major global IT outages to the past.”
Jacques de la Riviere, CEO at Gatewatcher, takes a look at the intersection of new technologies and tactics transforming the shadowy world of ransomware.
SHARE THIS STORY
Having evolved from a basic premise of locking down a victim’s data with encryption, then demanding a ransom for its release, research now suggests that ransomware will cost around $265 billion (USD) annually by 2031, with a new attack (on a consumer or business) every two seconds.
Against such a pervasive threat, businesses have sought to better prepare themselves against attacks. They have developed an array of tools, including better backup management, incident recovery procedures, business continuity and recovery plans. Together, they have all made the encryption of victims’ data less profitable.
In addition, security researchers together with national bodies such as the Cybersecurity and Infrastructure Security Agency (CISA) have made substantial progress in identifying the weaknesses in the methods used by attackers, in order to develop decryption solutions. No More Ransomware, promoted by Europol, the Dutch police, and other stakeholders lists approximately one hundred such tools.
In response to these developments, attacker groups are reconsidering their strategy. Rather than risk detection by encrypting valuable data, they now prefer to extract as much information as possible. Then, they threaten to divulge it. Ransomware has become extortion.
Re-energising the threat of publication
The potential public disclosure of sensitive information is the core of leveraging fear to pressure victims into paying a ransom. The reputational damage and financial repercussions of a data breach can be devastating.
Ransomware gangs have recognised the potential for damage to a brand or group’s reputation simply by being mentioned on the ransomware operators’ sites. A study found that the stock market value of the companies named in a data leak falls by an average of 3.5% within the first 100 days following the incident and struggles to recover thereafter. On average, the companies surveyed can lose 8.6% over one year.
This threat of loss based on association, now quantified and in the hands of cybercriminals has become an effective tool.
Operational disruption and revenue loss
Modern businesses rely heavily on digital systems for daily operations. A ransomware attack can grind operations to a halt, disrupting critical functions like sales, customer service, and production.
This disruption translates to lost revenue, employee downtime, and potential customer dissatisfaction. The longer the disruption lasts, the greater the financial impact becomes. Attackers exploit this vulnerability, pressuring victims to pay the ransom quickly to minimize their losses. And they do this most effectively by recognising key operational data.
This then evolves as a ransomware attack on one company can ripple through its entire supply chain. Suppliers and distributors may be unable to access essential data or fulfil orders. This leads to delays and disruptions across the supply chain.
Knowledgeable attackers now target a single company as a gateway to extort multiple entities within the supply chain, maximising their leverage and potential payout.
Brand Damage at the regulatory level
Brazen ransomware groups have already realised the value in making direct contact with
end-users or companies that are the customers of their targets as it enables the operators to increase pressure.
However, one new avenue of this direct attack on brand reputation is for the gangs to connect with the authorities. In November 2023, the ALPHV/BlackCat ransomware gang filed a complaint with the United States Securities and Exchange Commission (SEC) regarding their victim, MeridianLink.
In mid-2023, the SEC adopted new requirements for notifying data leaks effective from September 2023. One of these rules requires notification within four business days of any data leak from the moment it is confirmed. Not only did ALPHV/BlackCat take control of the trajectory of the extortion, but they also even circulated the complaint form among specialist forums as part of a promotional campaign.
Targeting the most vulnerable
Ransomware gangs are not above using sophisticated, customised extortion strategies on the most vulnerable sectors. Healthcare has long been a key target – there is a step change in urgency when critical medical procedures may be delayed if ransom is not paid.
Just a few months after the international Cronos Operation, the Lockbit group claimed a new victim in the healthcare sector. The Simone-Veil hospital in Cannes suffered a data compromise, adding to the extensive list of attacks conducted in recent months by other ransomware players against the university hospitals of Rennes, Brest and Lille.
Once the data had been extracted from the hospital on April 17, 2024, an announcement concerning their compromise was made on Lockbit’s showcase site on April 29, 2024. According to the cybercriminals’ terms, the hospital had until midnight on May 1, 2024, to pay the ransom.
The lesson here is that attackers exploit the vulnerabilities and pain points specific to each industry, making their extortion tactics more potent. And they do so with no consideration for the victims.
Ransomware attacks are now more than just data encryption schemes. They are sophisticated operations that exploit a range of vulnerabilities to extract maximum leverage from victims. By understanding the multifaceted nature of ransomware extortion, businesses and individuals can develop a more robust defence against this growing threat.
The potential disruption of public transport services alone can bring daily operations to a halt, affecting millions of commuters, businesses, and the broader economy. Fortunately, law enforcement haven’t detected any damage to data. Nevertheless, this incident highlights the urgent need for a comprehensive and effective Disaster Recovery (DR) plan, tailored to manage both traditional disasters and modern cyber risks.
The evolving threat landscape
Historically, DR planning for organisations like TfL focused on physical threats – floods, fires, and power outages for example – but the landscape of risk has evolved enormously.
Cyber threats, including data exfiltration, ransomware, phishing, and denial-of-service (DDoS) attacks, have become more sophisticated, capable of compromising critical infrastructure in ways that were previously unimaginable. The recent situation at TfL is a clear example of this shift, where attackers can potentially compromise a city’s transport system infrastructure, leading to widespread disruptions.
The lesson here is clear: DR and containment plans must evolve in tandem with these new threats. They must address both traditional risks and cyber risks in a way that ensures continuity of services even when technology is compromised. A cyberattack affecting national infrastructure can no longer be treated as a niche threat – it must be considered a mainstream risk with serious consequences.
The central role of communication in incident response
A crucial lesson to emerge from the TfL incident is the central role that communication plays in responding to such an event. In any large-scale cyberattack, the ability to communicate effectively and rapidly across different levels of the organisation and with external stakeholders can significantly shape the success of the response.
While TfL’s recent cyber incident did not cause any downtime of public services, primarily affecting internal systems, it serves as a reminder that future attacks could have more severe consequences.
Ensuring a communication strategy is in place for potential service disruptions is essential for minimising public impact and maintaining operational continuity in the face of future threats.
To that end, a robust communication strategy must be a core component of any DR plan. It should account for multiple scenarios, including the potential failure of primary communication systems due to the cyberattack itself. This is particularly important for organisations like TfL, where clear communication is essential for managing both internal response efforts and external public expectations.
1. Establishing communication redundancies
One of the first steps to ensuring effective communication during a disaster is building redundancy into the system. Security teams must put alternative methods – such as secure messaging apps, satellite phones, or third-party platforms – in place to secure the flow of critical information, even when primary channels are compromised.
For instance, where internal networks may be taken down or compromised during a cyber attack, having a backup communication method ensures key personnel can still coordinate responses, share updates, and make informed decisions in real-time.
2. Engaging stakeholders quickly and transparently
A clear protocol for promptly notifying all relevant stakeholders – both internal and external – is essential. Internal teams, including IT, operations, and management, need to be informed immediately to coordinate the technical response, containment, and recovery efforts. Externally, law enforcement agencies, cybersecurity experts, insurance companies, and business partners must be brought into the loop to ensure compliance with legal obligations, expedite recovery, and manage financial repercussions.
In the case of public services like TfL, this level of coordination is vital, both for restoring disrupted services but also for maintaining trust with the public and stakeholders.
3. Public communication: managing perception and behaviour
In incidents involving public services like TfL, the ability to communicate clearly with the public is crucial. Providing accurate, timely, and transparent updates can help manage expectations, reduce panic, and guide public behaviour during potential disruptions. Clear messaging allows TfL to inform commuters about the nature of the incident, any expected downtime, and available alternatives. This reduces frustration and confusion, ultimately helping maintain public trust in the organisation.
However, the nature of a cyberattack, which may include elements of uncertainty or ongoing investigation, adds complexity to public communications. TfL must balance transparency with caution. They must ensure that public statements do not inadvertently worsen the situation, such as by sharing details that could aid attackers.
Establishing a pre-defined communication plan that outlines how to handle public relations during a cyberattack can provide a framework for managing these delicate situations.
The importance of a well-tested DR plan
The TfL incident also emphasises the need for regular testing and updates to DR plans. A DR plan is only as effective as its implementation during a crisis. Conducting regular “fire drill” exercises that simulate cyberattacks allows organisations to identify weaknesses in their plan and ensure that all stakeholders know their roles and responsibilities.
Simulated incidents help to refine both the technical aspects of the DR plan – such as isolating compromised systems and restoring backups – and the softer elements, such as communication protocols and leadership response. In the case of cyberattacks, where rapid containment is often critical, these drills can significantly improve response times and minimise the damage caused by the attack.
Additionally, post-incident reviews are essential for learning and improvement. Following the TfL incident, a detailed analysis of what went well and what failed during the response will provide invaluable insights for future preparedness. Lessons learned from real-world incidents allow organisations to continuously evolve their DR strategies to remain resilient in the face of emerging threats.
Developing a secure recovery strategy
When dealing with cyber incidents, particularly ransomware, it is not enough to simply restore services from backups.
By restoring data directly to its original environment, security teams risk reinfection if theyhaven’t fully eradicated the malware. Instead, recovery should occur in a secure, isolated environment: a “clean room”. Here, security teams can analyse and neutralise the attack vector before they restore any systems or data.
This careful approach ensures that organisations avoid the costly mistake of reintroducing malware into their networks, which could lead to repeated attacks. Incorporating these steps into a DR plan ensures that recovery is not only fast but also secure and complete.
A call to action for strengthening infrastructure resilience
The cyberattack on TfL serves as a wake-up call for national infrastructure organisations worldwide.
The lessons learned from this incident highlight the need for a modern, comprehensive DR plan that addresses the full spectrum of risks – from traditional disasters to complex cyber threats. Central to this is a robust communication strategy, regular testing, and secure recovery processes.
By taking these lessons on board, organisations can better protect their infrastructure, maintain public trust, and ensure resilience in the face of an increasingly dangerous cyber threat landscape.
A new industry report warns of “major security gaps and lack of board accountability” in UK companies’ cybersecurity.
SHARE THIS STORY
Despite the number of cyber attacks in the UK increasing dramatically year-on-year, two-thirds of UK organisations still don’t operate with round-the-clock cybersecurity, according to a new report, “Unfunded and Unaccountable” by Trend Micro. The report claims to have found evidence of “major security gaps and lack of board accountability in many companies.” The results cast the UK economy’s cyber readiness in a worrying light.
Bharat Mistry, Technical Director at Trend Micro argues that the issues are having dire consequences for UK businesses. “A lack of clear leadership on cybersecurity can have a paralysing effect on an organisation—leading to reactive, piecemeal and erratic decision making,” he says, especially as the frequency and severity of cyber attacks in the UK rises once again year-on-year.
Cybercrime rising in the UK
Cybercrime cost the average business in the UK £4,200 in 2022. All told, cybercrime costs the UK approximately £27 billion per year. The average cost of a cyber-attack to a medium-sized UK business was £10,830 in 2024. While that’s a necessarily larger figure than the overall average, the data still indicates a meaningful upward trend.
This year, the UK Government’s Cyber Security Breaches Survey found that half of UK businesses had suffered a cyber attack or security breach in the preceding 12 months — an increase from the previous year.
Trend Micro’s research, which surveyed 100 UK cybersecurity leaders as part of a global study, found that concerns over both the ubiquity of attacks, and the UK economy’s lack of preparedness to combat the threat. As noted by twenty-four IT, this year only 31% of businesses and 26% of charities undertook a cyber security risk assessment, suggesting that many businesses are not adequately prepared for the threat of cyber crime.
Trend Micro’s report backs up that data. The overwhelming majority (94%) of cybersecurity leaders surveyed reported concerns about their organisation’s attack surface. Over one third (36%) are reported being worried about having a way of discovering, assessing and mitigating high-risk areas. Additionally, 16% said they weren’t able to work from a single source of truth.
Communication, clarity, and cooperation
Trend Micro’s data pins the blame for UK companies’ failure to achieve these cybersecurity basics squarely on a lack of leadership and accountability at the top of the organisation. Emphasising this, almost half (48%) of global respondents claimed that their leadership doesn’t consider cybersecurity to be their responsibility. On the other hand, only 17% disagreed strongly with that statement.
When asked who does or should hold responsibility for mitigating business risk, respondents returned a variety of answers, indicating a lack of clarity on reporting lines. Nearly a third (25%) of UK respondents said the buck stops with organisational IT teams.
This lack of clear direction on cybersecurity strategy may be resulting in widespread frustration. Over half (54%) of UK respondents complained that their organisation’s attitude to cyber risk was inconsistent. Some noted that their organisation’s attitude to cyber risk “varies from month to month.”
“Companies need CISOs to clearly communicate in terms of business risk to engage their boards. Ideally, they should have a single source of truth across the attack surface from which to share updates with the board, continually monitor risk, and automatically remediate issues for enhanced cyber-resilience,” argues Mistry.
Candida Valois, field CTO at Scality, explores the rise in ransomware and how to take meaningful steps to protect your organisation and its data.
SHARE THIS STORY
Ransomware attacks today have become more sophisticated and can have more massive consequences than ever before. For example, in 2024, attackers hit the UK’s NHS with a ransomware cyber-attack against pathology services provider Synovis. The attack caused widespread delays to outpatient appointments and required the NHS to postpone elective procedures.
Organisations have to be on high alert to make sure their business-critical data is always protected and that they remain operational without impacting customers — even in the event of an attack.
To stay future-proof, organisations are beginning to realise the value of adopting a new way of protecting data assets known as a cyber resilience approach.
Three reasons to re-evaluate your security posture
Three recent technology developments have turned standard cybersecurity measures on their head.
1. AI is empowering criminals to increase the volume and precision of their attacks.
The UK’s National Cyber Security Centre noted the increased effectiveness, speed and sophistication that AI will give attackers. The year after ChatGPT was released, phishing activity increased 1,265%, and successful ransomware attacks rose 95%.
2. Organisations must watch for “immutability-washing.”
In other words, just because something purports to be immutable doesn’t mean it really is. Truly ransomware-proof security is not what most “immutable” storage solutions are offering. Some solutions use periodic snapshots to make data immutable, but that creates periods of vulnerability. Some solutions don’t offer immutability at the architecture level – just at the API level. But immutability at the software level isn’t enough; it opens the door for attackers to evade the system’s defences.
Attackers are getting better at exploiting the vulnerabilities of flawed immutable storage. To create a truly immutable system, organisations must deploy solutions that prevent deletion and overwriting of data at the foundational level.
3. The rise in exfiltration attacks needs addressing.
Today’s ransomware attackers not only encrypt data; they now exfiltrate that data. Then they threaten to publish or sell it unless you pay a ransom. Data exfiltration is part of 91% of ransomware attacks today.
Immutably alone can’t stop exfiltration attacks because they don’t rely on changing, deleting or encrypting data to demand a ransom. To defeat data exfiltration, you need a multi-layered approach that secures sensitive data everywhere it exists. Most providers have not hardened their offerings against common exfiltration techniques.
Moving beyond immutability: The five key layers of end-to-end cyber resilience
Relying solely on immutable backups won’t protect data against all the current and emerging ransomware perils. It’s time for organisations to move beyond basic immutability and adopt a more holistic security paradigm of end-to-end cyber resilience.
This paradigm includes the strongest type of true immutability. But it doesn’t stop there; it includes strong, multi-layer defences to defeat data exfiltration and other emergent threats such as AI-enhanced malware. This entails creating security measures at every level to shut down as many threat types as possible and achieve end-to-end cyber resilience. These levels include:
API
Amazon shook up the storage industry when it introduced its immutability API (AWS S3 Object Lock) six years ago. It offers the highest protection against encryption-based ransomware attacks and creates a default interface for common data security apps. In addition, the S3 API’s granular control over data immutability enables compliance with the strictest data retention requirements. For the modern storage system, these capabilities are must-haves.
Data
Stopping data exfiltration is the goal here. Anywhere sensitive data exists, organisations need to deploy strict data security measures. To make sure backup data can’t be accessed or intercepted by unauthorised parties, what’s needed is a hardened storage solution that has many layers of security at the data level. That includes broad cryptographic and identity and access management (IAM) features.
Storage
Should an advanced hacker get root access to a storage server, they can evade API-level protections and gain unfettered access to all the server’s data. Sophisticated, AI-powered tools and techniques that defeat authentication make attacks like this harder to defeat. A storage system must make sure data is safe – even if a bad actor finds their way into the deepest level of an organisation’s storage system.
Next-gen solutions address this scenario with distributed erasure coding technology. It makes data at the storage level unintelligible to hackers and not worth exfiltrating. An IT team can also use it to completely reconstruct any data lost or corrupted in an attack. This works even if several drives or a whole server are destroyed.
Geographic
Storing data in one location makes it especially susceptible to attack. Bad actors try to infiltrate several organisations at once by attacking data centres or other high-value targets. This raises the odds of actually getting the ransom. Today’s storage recommendations include having many offsite backups, geographically separate, to defend data from vulnerabilities at one site.
Architecture
The security of storage architecture determines the security of the storage system. That’s why cyber resilience must focus on getting rid of vulnerabilities located in the core system architecture. When a ransomware attack is in process, one of the first things an attacker tries to do is to escalate their privileges. If they can do that, then they can deactivate or otherwise bypass immutability protections at the API level.
If a standard file system or another intrinsically mutable architecture is the foundation of an organisation’s storage system, its data is left out in the open. The risk of ransomware attacks at the architecture level increases if a storage system is founded on a vulnerable architecture, given the explosion of malware and hacking tools enhanced by AI.
Go beyond immutable: Staying ahead of AI-fuelled ransomware
AI-powered ransomware attacks are on the rise, rendering many traditional approaches to protect backup data ineffective. Immutability is a must, but it’s not enough to combat the increasing sophistication of cyber criminals – and not only that, but most so-called immutable solutions really aren’t.
What’s organisations needed today is end-to-end cyber resilience that addresses five key levels in order to future-proof their data security strategy.
Luke Dash, CEO at ISMS.online, explores the rising tide of supply chain cyber attacks on UK organisations and how companies can beat the odds.
SHARE THIS STORY
In an increasingly interconnected world, the importance of robust cybersecurity measures cannot be overstated.
At present, one of the pressing security concerns facing organisations is supply chain attacks. Supply chain attacks are a sophisticated, extremely harmful threat technique in which cybercriminals target organisations by infiltrating or compromising the least secure aspects of a company’s increasingly broad digital ecosystem.
Critically, these attacks specifically exploit interdependencies between companies and their digital suppliers, service providers or other online third-party partners. This makes them particularly challenging to defend against.
Several notable examples of supply chain attacks highlight their potentially devastating impacts, such as the recent attack on the NHS. Several hospitals were forced to cancel operations and blood transfusions following an attack on IT company Synnovis. The IT company was hit by a major ransomware attack. The consequences have affected thousands of patients. In response, the NHS has issued a major call for blood donors as it struggles to match patient’s blood quickly.
There was also the Okta supply chain breach disclosed in early 2022. Here, a third-party contractor’s systems were breached, subsequently impacting the leading identity and access management firm. Critically, hackers managed to extract information from Okta’s customer support system. This gave them access to sensitive data such as its clients’ names and email addresses.
Similarly, the MOVEit breach stands as another noteworthy example. Discovered in 2023, this incident involved the exploitation of a zero-day vulnerability in the MOVEit Transfer software—a widely used file transfer application developed by Progress Software. The breach led to the unauthorised access and theft of data from numerous organisations globally. The attack was so bad that the NCSC provided its own information, advice, and assistance to affected companies.
Indeed, these two incidents, among many, highlight a crucial lesson for organisations: as supply chain threats become increasingly prevalent and complex, firms must recognise that their security is only as strong as the weakest link in their network of suppliers and partners.
79% of UK businesses have experienced supply chain-related security incidents
Seeking to ascertain just how widespread the issue of supply chain attacks is at present, ISMS.online recently surveyed 1,526 security professionals globally to uncover their own experiences.
Our latest State of Information Security report details the seriousness of the situation facing UK companies. Critically, we discovered that 41% of UK businesses had been subject to partner data compromises in the last 12 months. Further, a staggering 79% reported having experienced security incidents originating from their supply chain or third-party vendors—up 22% versus the previous year.
The message from this dramatic spike in statistics is clear. Supply chain vulnerabilities are not only becoming more prevalent but are also increasingly exploited by cybercriminals. This highlights the urgent need for comprehensive and collaborative cybersecurity measures across all levels of the supply chain.
Indeed, companies must work to mitigate these threats and minimise their risk exposure by reassessing their cybersecurity strategies. But where and how exactly should they focus their efforts? At ISMS.online, we believe that there are four key areas that companies should prioritise when it comes to achieving best practices.
1. Stronger supply chain vetting processes
First, it is critical to implement rigorous security vetting processes when selecting partners and suppliers. This involves thorough due diligence, assessing potential partners’ security posture and cybersecurity measures, and reviewing past security incidents and responses. Companies should also evaluate compliance with relevant regulations and continually monitor their partners’ security practices where appropriate.
2. Enhanced cybersecurity measures
Of course, it’s not good to demand that partners have robust security measures without adopting best practices yourself. Therefore, bolstering internal cybersecurity measures and extending them to the supply chain is needed to significantly reduce risks.
Here, strategies to consider include the regular auditing of internal systems, comprehensive employee training in cyber threat recognition and response, the adoption of advanced cybersecurity technologies like multi-factor authentication and encryption and keeping an updated and unique incident response plan in case of supply chain breaches.
3. Robust partnership agreements
Detailed and stringent partnership agreements will undoubtedly help establish clear cybersecurity expectations and responsibilities. Indeed, it is important to define security requirements, request regular security status reports, and define access controls to safeguard sensitive information.
4. Alignment with essential standards
Aligning with critical standards and asking that partners and clients do the same can be a highly effective way of ensuring consistent and high-security levels across the supply chain. Of course, there are a variety of standards to consider. However, for UK companies, some of the most important ones to align with include:
Cyber Essentials: A UK government-backed scheme designed to help organisations protect themselves against common cyber threats by providing clear guidance regarding basic security controls.
ISO 27001: An international standard for information security management systems that provides a systematic approach to managing sensitive company information, ensuring it remains secure.
NCSC Supply Chain Security Guidance: A comprehensive supply chain security guide providing recommendations about managing supply chain risks, implementing robust cybersecurity measures, and ensuring continuous monitoring and improvement.
Given the growing threat of supply chain attacks, it is imperative to demand the adoption of cybersecurity best practices both internally and among suppliers, service providers, and partners.
From aligning with essential standards to developing new partnership agreements, it can feel like a daunting or challenging task. Indeed, the difficulty for many companies is knowing where to start. However, achieving best practices on each of these fronts doesn’t need to be as daunting or burdensome as the businesses might think.
Indeed, with proper support and guidance, best practices can be adopted, followed internally, and advocated externally with relative ease.
Bion Behdin, CRO and Co-founder of First AML, believes we’ve entered a new era of financial crime.
SHARE THIS STORY
Rigour and complexity – two words that aptly describe the current state-of-play for financial regulation and AML. The nature of financial crime is changing: from the increase in the use of AI to the changing regulatory landscape, new problems are requiring new solutions from businesses.
Many companies are already putting measures in place, such as upgrading their tech stacks to incorporate software that can streamline the AML process. However, the challenge extends far beyond just technology. Truly effective combat against financial crime requires an approach that integrates technology, comprehensive understanding of the landscape, and most importantly, strong leadership.
A big task for one person
The role of a Money Laundering Reporting Officer (MLRO) is both critical and challenging. Tasked with the comprehensive oversight of a firm’s anti-money laundering (AML) efforts, MLROs often find themselves wearing multiple hats, navigating both the landscape of regulatory requirements as well as often juggling responsibilities in another part of the business such as operations, business intake, or as a fee-earner.
They are also responsible for overseeing the firm’s risk assessment and management strategies, ensuring that the business can identify, understand, and mitigate the various risks it may encounter. This involves a continuous cycle of monitoring, reporting, and updating the firm’s policies in response to both internal and external changes.
As if this isn’t enough, MLROs are also expected to create and implement in-house training programs aimed at raising awareness and understanding of AML regulations among employees, including the c-suite. They must continually build a culture of compliance, identifying weaknesses and ensuring the organisation meets AML regulatory standards to avoid penalties or more severe consequences.
With such a broad and demanding set of responsibilities, it’s clear that MLROs require significant support and resources to effectively manage the challenges they face. It is not a job that one person can complete effectively alone. So how can businesses get the most out of their MLRO?
How technology can help
For some, the answer to this issue is hiring extra people to help the MLRO. The same goes for MLROs asking for more budget to run their compliance function more efficiently and enact requests from their frontline staff. This is not a luxury that all businesses can afford. But failing to be compliant isn’t something that they can afford either; this is exactly why MLROs need technology to help supplement their efforts.
Software solutions can address these challenges head-on by automating the collection and verification of data, as well as using tools that integrate with other public records to shed light on beneficial ownership and verify identification documents. These technologies can directly access public records to gather necessary information, significantly reducing the manual effort required from compliance professionals. This automation not only minimises the risk of human error but also ensures a more accurate and comprehensive analysis of company structures and beneficial ownership. As a result, MLROs can allocate their resources more effectively, whether they focus on high-level analysis and strategic decision-making or utilising frontline staff more frequently.
Software also offers real-time monitoring and automatic updating of company records, which can detect changes in company details, such as shifts in directorships or share distributions. This capability is crucial for maintaining an up-to-date understanding of the risk profile of their customers, especially when considering the changing international sanctions lists and the constant introduction of new regulatory requirements.
With these tools, businesses can make a significant step towards staying compliant. But it is not the only thing that is required.
The C-suite’s role
While the integration of technology streamlines and enhances the efficiency of these processes, the foundation of a successful compliance strategy lies in the culture of the organisation. This is where the C-suite executives are needed.
Firstly, when senior executives actively participate in and prioritise compliance, it sets a clear example for the entire organisation. This leadership influence helps integrate compliance into the daily operations and mindset of the company, making it a fundamental part of the organisational culture – rather than an afterthought.
It demonstrates to employees, regulators, and the market that the company is committed to operating responsibly and ethically. This then positively impacts the company’s reputation through trust.
By driving strategic decisions that incorporate compliance considerations from the outset, senior executives can lead the business to more sustainable compliance practices. This proactivity can help identify potential risks early, allowing the company to address them before they become problematic.
Worryingly, our recent survey painted a different picture; 39% of c-suite staff had reduced 2024 anti-money laundering budgets. Clearly, a solid commitment to funding compliance strategy is the only way forward.
The bottom line
It is an MLROs job to ensure that businesses stay compliant, but the responsibility of this can not fall on them alone. The whole organisations needs to cultivate a culture of compliance from top to bottom if it aims to meet tehese needs. This starts from the top, meaning that C-suite executives must do everything in their power to instil this culture.
Technology can automate and streamline many aspects of the compliance process. However, the leadership and example set by the C-suite are indispensable in creating an organisation that values and prioritises compliance.
Barath Narayanan, Global BFSI and Europe Geo Head at Persistent Systems, explores new responses to a new generation of cyber attacks.
SHARE THIS STORY
Cyber threats have evolved into a formidable force capable of bringing down even the most technologically advanced organisations today. Ransomware attacks, data breaches, and sophisticated malware are some of the overwhelming challenges businesses face. These types of attack can disrupt operations, incur staggering financial losses, and erode customer trust.
The numbers speak volumes: in the past year alone, 50% of businesses in the UK reported cyber security breaches. Major incidents, on average, cost medium and larger businesses more than £10,000.
This underscores an urgent need for a strategic approach to cyber resilience, one that requires a fundamental shift in mindset and a relentless pursuit of adaptation and innovation, involving both technical measures and a security-conscious company culture.
It’s About Mindset and Culture: Moving from Response to Resilience
The ripple effect of these breaches extends far beyond the target company, crippling entire ecosystems. That is why cyber security has catapulted to the top of boardroom agendas. Forward-thinking enterprises understand that cyber security is not a mere IT issue. They understand cybersecurity is a core business risk that demands a comprehensive approach.
Ensuring business continuity in the face of evolving cyber threats encapsulates the proactive shift in corporate strategies towards cyber resilience.
In today’s interconnected digital landscape, businesses no longer solely react to cyber threats but embrace resilient frameworks that safeguard operations amidst constant evolution in threat landscapes. This approach transforms cybersecurity from a reactive measure into a strategic asset. Vitally, it ensures that investments in technology and operations are safeguarded against emerging threats.
As businesses navigate a landscape marked by digital transformation and interconnectedness, cyber resilience emerges as the linchpin for maintaining trust, preserving operational integrity, and sustaining growth in an increasingly digital world.
Building a Strong Foundation for Cybersecurity
Leveraging AI is no longer an option but a necessity. By harnessing the capabilities of AI, enterprises can achieve unprecedented levels of threat detection accuracy (92.5%), reduce false positives (3.2%), and cut response time (40%).
AI systems can analyse millions of daily attacks, identifying emerging threats through advanced pattern recognition. This bolsters defences against sophisticated attacks. AI is revolutionising the development of secure code and preventing vulnerabilities from appearing in the first place. AI-powered automation can streamline migration, upgrades, and modernization, reducing risks from manual processes.
Organisations are also adopting AI-enhanced cybersecurity maturity assessments, which help enterprises build robust, adaptive defences in an evolving threat landscape. These should go beyond traditional crisis response plans and encompass the threat landscape.
Data Loss Prevention (DLP) solutions are crucial, particularly in the era of open banking and third-party applications. These solutions can identify, monitor, and control access to sensitive data and help enterprises respond to attacks while complying with regulations.
Partnerships with cyber security firms and the integration of threat intelligence feeds can also be leveraged to provide invaluable insights into the latest attack vectors and emerging threats, empowering organisations to stay ahead and fortify their defences. Additionally, incorporating threat intelligence into an incident response plan can significantly reduce post-breach recovery time.
From SOC to Cyber Fusion Centre
Transforming a Security Operations Centre (SOC) into a Cyber Fusion Centre represents a strategic evolution in cybersecurity capabilities, aligning defence strategies with the dynamic and interconnected nature of modern threats.
Unlike traditional SOCs focused primarily on incident response and threat detection, Cyber Fusion Centres integrate intelligence gathering, analytics, and collaboration across teams and technologies. This proactive approach enhances situational awareness by synthesising data from multiple sources—such as network traffic, endpoint devices, and threat intelligence feeds—into actionable insights. By fostering synergy among cybersecurity teams, including analysts, engineers, and incident responders, Cyber Fusion Centres enable rapid detection, response, and mitigation of sophisticated cyber threats. Moreover, these centres facilitate real-time decision-making through advanced automation and orchestration, empowering organisations to pre-emptively address emerging threats before they escalate.
As cyber threats continue to evolve in complexity and scale, Cyber Fusion Centres emerge as pivotal hubs for orchestrating comprehensive defence strategies that safeguard critical assets, uphold regulatory compliance, and maintain stakeholder trust in an increasingly digital and interconnected world.
Creating firewalls in the boundaryless world of digital ecosystems requires a paradigm shift towards dynamic and adaptive cybersecurity measures. In today’s interconnected landscape, where data flows seamlessly across platforms and devices, traditional perimeter defences are no longer sufficient. Organisations must deploy sophisticated firewalls that not only protect against external threats but also monitor and manage internal risks effectively.
This entails implementing robust intrusion detection systems, advanced threat analytics, and continuous monitoring protocols. Moreover, integrating firewalls into the fabric of digital ecosystems ensures that security measures evolve alongside technological advancements, providing resilience against ever-evolving cyber threats.
Additional techniques to enhance security include web content filtering, endpoint security agents, file upload application protection, sandbox testing of applications, browser isolation, off-network security filtering for company devices, prevention of unapproved software installations, and revocation of user access when necessary.
Best Practices for Building Cyber Resilience
To fortify their cyber resilience, enterprises must adopt a holistic approach. This must include an incident response plan, meticulously tested with all relevant teams including IT, legal, communications and human resources.
This ensures that the roles and responsibilities are spelled out. Pre-established contracts with legal, communications, and forensics specialists can save valuable time after an attack.
This demands a practical strategy, starting with recovery planning that must occur before an attack. An integrated view of application, server, and network vulnerabilities must be accessible to all management levels, leveraging AI-driven threat intelligence.
Regular and mandatory employee training should also be an essential part of this strategy. Many top risks stem from internal behaviour and compromised or stolen devices.
In today’s connected systems landscape, implementing a Zero-trust model with shared security and compliance across employees, vendors, and partners is essential.
Lastly, always operate with the mindset that the business will be attacked and that attackers are already in your environment. By integrating these strategies, businesses can enhance their resilience and better navigate the modern digital landscape.
Jonathan Wright, Head of Products and Operations at GCX, discusses how companies can comply with the upcoming tighter cybersecurity regulations about to affect the US.
SHARE THIS STORY
In response to the escalating frequency and complexity of cyber-attacks, the US has implemented measures to bolster cyber resilience. In May 2021, President Biden signed an Executive Order, leveraging $70 billion worth of US government IT spending power to mandate all federal bodies and their private sector partners to incorporate zero-trust policies throughout their IT infrastructure.
The legislation enacted gives those in question until September 2024 to comply with tighter security regulations. The implications of which, however, extend far beyond US organisations to any organisation with ties to US business. As such, this policy has international ramifications. All organisations within federal supply chains, regardless of their location, must adhere to these standards.
This legislation comes at a time when external attack surfaces are under increasing threat, with data breaches increasing by 72% between 2021 and 2023. This legislation makes clear that new security measures must be taken to mitigate these increasing threats across the entire attack surface. This includes increasing identity monitoring and visibility across endpoints, networks and cloud security architecture through to user application protection.
Implementing these comprehensive cybersecurity measures can seem like a complex undertaking and developing a robust and adaptable strategy isn’t always easy, but it is becoming crucial in the face of evolving threats. Let’s unpack.
The need for collaboration
Zero-trust policies treat every access attempt with suspicion, whether it originates from inside or outside a network. By scrutinising each request, zero-trust enables finer control over who gets access to data and what they can do. This policy creates a security net where nothing slips through unchallenged. The result? A robust defence that keeps cyber threats at bay.
Despite being US legislation, UK businesses with US partners will naturally need to comply with these tighter security regulations. This is because the nature of modern international business means that data is often shared between companies and up and down supply chains.
Considering the extent of the supply chains in question often spans several countries, this presents several complex challenges. These range from navigating diverse data residency laws to bridging communication gaps and aligning with a patchwork of compliance regimes. If these challenges aren’t met, businesses leave themselves open to data breaches that could result in financial and reputational damages. Standard global security policies combined with innovative security solutions can help bolster resilience on a global scale.
Enhancing visibility
Properly managing supply chain security leaves a lot to keep track of, and even today, we see siloed approaches to cybersecurity, wherein organisations adopt singular tools to address singular challenges, but this is only a short-term solution. Effective zero-trust policies set out by the US mandate require enhanced visibility across the attack surface. This is because there are more policies to implement, and therefore more techniques and run books to be applied, so increased visibility provides the scope and platform to constantly monitor and resolve threats – a key principle as they increase in volume and sophistication.
With so many siloed tools out there, organisations should consider deploying network security overlays in a single stack, as this allows them to easily underpin their networks with zero-trust. For example, Software Defined Wide Area Network (SD-WAN), which was built for on-site work, is still prominent today. The shift to hybrid and remote work accelerated cloud adoption. As a result, cloud security architectures, such as Secure Access Service Edge (SASE), have become increasingly critical. Deploying both as part of a single stack solution would fortify the supply chain attack surface and unify network operating metrics so they are all visible in one place.
This is vital in the context of this legislation given its focus on supply chains. Furthermore, while the US has set the mandate, we are now seeing similar proposals to strengthen supply chain security, the European Union’s NIS2 measures and UK’s recently announced cyber security and resilience bill for example. These are great steps in standardising global security practices and must continue if organisations want to tighten security protocols on a global scale.
Leveraging industry expertise
Years of experience and gathered expertise leave Managed Service Providers (MSPs) uniquely positioned to help organisations through the complexities of the zero-trust mandate. Strengthening cyber defences requires a unique industry perspective, one that can help many navigate increasingly challenging environments.
MSPs can ensure due diligence is done. They can ensure that businesses can adopt and maintain effective zero-trust policies, strategies and management systems. For example, a single-stack solution would reduce the pressure on in-house IT teams. This comes at a time when these teams are increasingly pressed by the growing attack surface. Equally, a single-stack solution would provide a platform to bolster security and free up internal resources to focus on driving efficiency and innovation.
September 2024 is just around the corner. However, the mandate should not be seen as an inconvenience or hurdle, but rather an opportunity for transformative security enhancements.
Adopting zero-trust architecture into a single-stack offers a dual benefit in more robust security measures. But there are additional benefits. It also streamlines IT operations that offset skills shortages and the chaos of siloed security tools.
Embracing zero-trust isn’t simply just about compliance. It’s about protecting your organisation for the future. By partnering with MSPs and committing to the requirements of this mandate, businesses can transform potential challenges into strategic advantages. In doing so, they will position themselves at the forefront of secure, efficient and agile operations.
Rob Pocock, Technology Director at Red Helix, explores how cyber security teams can guard against the rising tide of cyber threats.
SHARE THIS STORY
Over just six months the number of reported cyber-dependent crime incidents in the UK rose by over 20%. As AI continues to lower the barrier to entry for criminals, that number will likely grow even faster over the next two years.
We’re no longer facing a flood of cyber attacks. We’re facing a tsunami. And as we prepare our defences for the colossal wave of threats heading our way, we can take inspiration from the early-warning detection systems used to protect against tsunamis.
Backed by a robust communications infrastructure, these systems harness a network of sensors to detect and verify the threat before issuing timely alarms. Local authorities can notify those at risk in advance and preparations can be made to prevent loss of life and damage to property.
Similarly, in cyber security, Threat Detection and Response (TDR) systems can help identify threats early and mitigate any potential damage. They too utilise effective communications and a network of ‘sensors’ to alert security professionals of any irregularities requiring their attention.
However, for TDR systems to be effective against the current surge of threats, security teams much introduce them as part of an integrated mesh architecture.
Modern security for modern infrastructure
For many years, organisations protected themselves against cyber attacks by establishing defensive measures around a defined perimeter, such as their company intranets. Defences typically comprised of firewalls, antivirus software, and intrusion detection systems. While these are still important tools for defending private networks against outside threats, in today’s digital world they are no longer enough.
Businesses have been rapidly transferring processes and storage to cloud networks. This, combined with the rise in remote working and Software as a Service (SaaS) offerings, has all but dissolved the perimeter that traditional security measures were designed to shield. As companies move assets off-premises, security teams must extend controls into all systems where data is stored.
This once again draws parallels with the tsunami early-warning systems. A sensor on the coastline (the defined perimeter) will still provide a tsunami warning, but it is unlikely that you will be able to do anything about it when it’s already at your door. However, placing a sensor further out at sea provides more advanced notice. The sensor can prompt people to take action before the wave reaches the shore.
Likewise, when properly integrated, TDR can extend security monitoring across your entire IT infrastructure, including third-party applications. This helps security teams detect and respond to threats earlier and greatly reduces the amount of damage they can cause.
Extended visibility with TDR
An effectively integrated TDR collects, aggregates, and analyses security data from various tools to provide comprehensive, accurate threat detection in real-time. It simplifies the approach, while providing greater visibility across on-premises and cloud environments. Achieving this requires focusing on three cyber security solutions at once.
First is Endpoint Detection and Response (EDR), a security solution used to monitor endpoints – i.e., computers, tablets, phones etc – and detect and investigate any potential threats. It uses data analytics to identify suspicious network activity. When it detects suspicious activity, it blocks any malicious actions and alerts security teams.
The second solution is Network Detection and Response (NDR) which, as the name suggests, executes a similar task but at the network level. It uses AI, machine learning and behavioural analytics to monitor traffic. This then allows it to establish a baseline of activity. The NDR solution can then measure activity agains the benchmar to track malicious or anomalous activity.
Finally, at the heart of this approach is Security Incident and Event Management (SIEM). It collects and analyses the data from your EDR and NDR solutions, along with additional security logs, and provides a central view of all potential threats.
Combining these three solutions results in an extended detection and response (XDR) system that reduces false positive alerts, provides better threat identification, and offers greater visibility over network assets. It also presents security teams with contextually rich, triangulated cases assembled from a unique set of high-fidelity detections across multiple layers – giving them the detailed information required to prepare a more effective and timely response.
The implementation and management of XDR systems can be a time consuming and resource intensive process, but it has become an increasingly important part of modern cyber security.
Early warning for a better response
In the face of an escalating cyber tsunami, spurred on by the advanced capabilities of AI, the need for security measures that transcend traditional defences has never been more critical. To quickly identify threats outside the traditional security perimeter, businesses need access to detailed information showing which actions to take.
Much like how tsunami early-warning systems pull together various signals to identify and verify a potential threat, a well-integrated XDR can achieve this by collating data from numerous touchpoints. This further enhances visibility across the entire IT infrastructure, allowing security teams to respond swiftly and effectively to any potential attack.
Ultimately, the evolution of the threat landscape demands an equally dynamic and proactive approach to security. Businesses will be better prepared and more resilient to the ever-growing wave of threats by embracing the principles of early detection, comprehensive monitoring and integrated response mechanisms.
David Critchley, Regional Director of UK & Ireland at Armis draws insights from new research to showcase the risk cyberwarfare poses to democracy and society in a crucial election year.
The digital realm has erupted into an invisible war in which the UK is under constant attack. In this kind of warfare, everyone is on the front line; every company, every person. There are no borders. That’s what makes cyberattacks such an effective form of warfare. It’s not simply about data breaches or financial gains either, these attacks are a calculated assault on public trust, aimed at destabilising economies, crippling entire systems and eroding the fabric of democracy.
Now, 37% of IT leadersin the UK believe that cyberwarfare could affect the integrity of an election, spiking significantly from those within the three major pillars of our society: government (60%), healthcare (67%) and financial services (71%). Make no mistake, the nation is teetering on the precipice of a digital catastrophe. And democracy is in danger.
Democracy on a tightrope
The NCSC highlighted that all types of cyber threat actors – state and non-state, skilled and less skilled – are using and weaponising AI, amplifying their ability to cause harm and supercharging the volume and impact of cyberwarfare. Combine that with the rising geopolitical tensions between the UK and Eastern Axis enemies, and we’re entering a very fragile situation.
Despite this, almost half (46%) of IT leaders say they’re unconcerned or indifferent about the impact of cyberwarfare; a 13% YOY increase. However, it’s not indifference. It’s a result of being overwhelmed. A lack of automation has left 29% of cybersecurity teams feeling overwhelmed, hindering security and IT professionals from effectively remediating or prioritising threats. Faced with a further deluge of information, the mounting pressure to maintain constant vigilance and a lack of resources, it’s easy to understand why some IT leaders are seemingly indifferent.
However, this is not an excuse for inaction. Especially with democracy on the line. If we’re to mitigate the threat of foreign interference within the electoral process – and avoid democracy being knocked off the tightrope – we must take a more proactive approach.
Taking matters into our own hands
In the face of these escalating threats, it’s crucial for the government and organisations to proactively rebuild national confidence by enhancing defensive cybersecurity strategies. And that starts with being able to see the entire attack surface.
To effectively defend against cyber threats, you need to know what you’re up against. That’s why organisations must conduct a comprehensive assessment of their attack surface. Do to this, they must map all the entry points and vulnerabilities that bad actors could exploit. Most importantly, they need to follow mapping with investment into technology that can help identify and monitor any threats.
With tens of thousands of physical and virtual assets connected to any organisation’s networks on an average day, and over 40% remaining unmonitored, its time organisations start defending against current threats while also positioning themselves for the dynamic challenges and evolving vulnerabilities that lie ahead.
A complex, thorny problem
With that, it’s important to remember that not all vulnerabilities are created equal. In 2023, the cybersecurity community identified and dealt with an astonishing 65,000 unique Common Vulnerabilities and Exposures (CVEs), yet the patch rates for critical CVEs remained noticeably lower than others. Put simply, organisations are failing to prioritise the right vulnerabilities.
From a deluge of data and too many different tools for managing assets connected to a network, organisations must instead equip themselves with the right tools to combat cyberwarfare. Implementing technology that can help teams understand and focus on the vulnerabilities affecting assets, particularly ones that are critical to the core function of the organisation, or are in a vulnerable context, is now a necessity for a robust cybersecurity posture.
Additionally, as cyberwarfare tactics are constantly evolving, organisations must stay ahead of the curve with continuous threat intelligence. Solutions that act as an early warning system, using AI and machine learning to scan the dark web, whilst setting dynamic ‘honeypots’ for bad actors, provides actionable data ahead of vulnerabilities, attacks and impacts.
By combining these early warning systems with automation and other AI-powered solutions, security teams can proactively address threats to elections. After all, nation-state actors are increasingly using AI for attacks, so it’s time to start using it for defence.
Building a digital defence
Global attack attempts more than doubled in 2023, increasing 104% and, when combined with rising geopolitical tensions, the UK has found itself in the crosshairs of bad actors, nation-state or otherwise. With 2024 being such a crucial year for democracy, it’s time organisations – as well as the government – come together to rebuild national trust. The time to act is now.
Starting with a robust investment in cybersecurity, coupled with the deployment of AI-driven tech that can see, secure, protect and manage billions of assets around the world in real-time will be key in an organisation’s cyber defence. If government and organisations take a proactive approach today, then there’s a chance we can still shield democracy from the threat of cyberwarfare.
The majority of software supply chains in the UK regularly face cyber threats as hackers exploit unguarded third party suppliers.
SHARE THIS STORY
Designed to exploit weaknesses in third party suppliers, a software supply chain attack turns a trusted supplier into an unsuspecting Trojan horse. In recent years, collective awareness of cyber risk has grown, leading to widespread adoption of stronger safety measures. This has made direct attacks on large organisations more challenging.
So, hackers have turned to enterprises’ supplier networks as a new source of vulnerabilities to exploit. Smaller software suppliers often have weaker security measures, making them easier targets. Once compromised, these suppliers’ software can be injected with malicious code, providing hackers with a way to breach their target from within.
The results can be catastrophic. According to a new report from BlackBerry, UK companies are especially likely to be at risk of cyberattack in their supply chain.
“Unknown components and a lack of visibility on the software supply chain introduce blind spots containing potential vulnerabilities that can wreak havoc across not just one enterprise, but several, through loss of data and intellectual property, operational downtime along with financial and reputational impact,” commented Christine Gadbsy, VP of Product Security at BlackBerry in the report. “How companies monitor and manage cybersecurity in their software supply chain has to rely on more than just trust.”
BlackBerry’s report highlighted the 2020 hacking campaign which targeted a vulnerability in SolarWinds software and managed to penetrate US government departments including the Department of Homeland Security and part of the Pentagon. New research from BlackBerry highlights the extent of the problem for UK software supply chain security.
Out of those who experienced an attack, 59% were operationally compromised, 58% lost data, 55% lost intellectual property, 52% suffered a perceived loss to their reputation, and 49% were hurt financially.
Recovery times following an attack were also longer than ideal for many firms. Nine out of ten companies took up to a month for their operations to recover following a software supply chain attack. According to BlackBerry’s researchers, “the damage to reputation and brand lasts much longer.”
This data not only identified an increase in attack frequency but also shows a greater financial impact compared to data from 2022.
One alarming discovery from the report was the presence of hidden entities within software supply chains. According to BlackBerry, three in four businesses uncovered hidden entities in their supply chain, with over two-thirds (68%) of businesses only recently identified these unknown participants.
This vulnerability typically arises as the result of gaps in regulatory and compliance processes. Troublingly, fewer than 20% of UK companies request security compliance evidence from suppliers beyond the initial onboarding stage.
Also, despite reporting high levels of confidence in their suppliers’ ability to identify and prevent vulnerabilities, few companies consistently verified compliance. This lack of verification and visibility, the report’s authors argue, leaves opportunities for cyber criminals to exploit.
Thomas Hughes and Charlotte Davidson, Data Scientists at Bayezian, break down how and why people are so eager to jailbreak LLMs, the risks, and how to stop it.
SHARE THIS STORY
Jailbreaking Large Language Models (LLMs) refers to the process of circumventing the built-in safety measures and restrictions of these models. Once these safety measures are circumvented, they can be used to elicit unauthorised or unintended outputs. This phenomenon is critical in the context of LLMs like GPT, BERT, and others. These models are ostensibly equipped with safety mechanisms designed to prevent the generation of harmful, biased or unethical content. Turning them off can result in the generation of misleading, hurtful, and dangerous content.
Unauthorised access or modification poses significant security risks. This includes the potential for spreading misinformation, creating malicious content, or exploiting the models for nefarious purposes.
Jailbreaking techniques
Jailbreaking LLMs typically involve sophisticated techniques that exploit vulnerabilities in the model’s design or its operational environment. These methods range from adversarial attacks, where inputs are specially crafted to mislead the model, to prompt engineering, which manipulates the model’s prompts to bypass restrictions.
Adversarial attacks are atechnique involving the addition of nonsensical or misleading suffixes as prompts. These deceptive additions deceive models into generating prohibited content. For instance, adding an adversarial string can trick a model into providing instructions for illegal activities despite initially refusing such requests. There is also an option to inject specific phrases or commands within prompts. These command exploit the model’s programming to produce desired outputs, bypassing safety checks.
Prompt engineering has two key techniques. One is semantic juggling. This process alters the phrasing or context of prompts to navigate around the model’s ethical guidelines without triggering content filters. The other is contextual misdirection, a technique which involves providing the model with a context that misleads it about the nature of the task. Once deceived in this manner, the model can be prompted to generate content it would typically restrict.
Bad actors could use these tactics to trick an LLM into doing any number of dangerous and illegal things. An LLM might outline a plan to hack a secure network and steal sensitive information. In the future, the possibilities become even more worrying in an increasingly connected world. An AI could hijack a self-driving car and cause it to crash.
AI security and jailbreak detection
The capabilities of LLMs are expanding. In this new era, safeguarding against unauthorised manipulations has become a cornerstone of digital trust and safety. The importance of robust AI security frameworks in countering jailbreaking attempts, therefore, is paramount. And implementing stringent security protocols and sophisticated detection systems is key to preserving the fidelity, reliability and ethical use of LLMs. But how can this be done?
Perplexity represents a novel approach in the detection of jailbreak attempts against LLMs. It is a measure which evaluates how accurately a LLM model can predict the next word in the output. This technique relies on the principle that queries aimed at manipulating or compromising the integrity of LLMs tend to manifest significantly higher perplexity values, indicative of their complex and unexpected nature. Such abnormalities serve as markers, differentiating between malevolent inputs, characterised by elevated perplexity, and benign ones, which typically exhibit lower scores.
The approach has proven its merit in singling out adversarial suffixes. These suffixes, when attached to standard prompts, cause a marked increase in perplexity, thereby signalling them for additional investigation. Employing perplexity in this manner advances the proactive identification and neutralisation of threats to LLMs, illustrating the dynamic progression in the realm of AI safeguarding practices.
Extra defence mechanisms
Defending against jailbreaks involves a multi-faceted strategy that includes both technical and procedural measures.
From the technical side, dynamic filtering implements real-time detection and filtering mechanisms that can identify and neutralise jailbreak attempts before they affect the model’s output. And from the procedural side, companies can adopt enhanced training procedures, incorporating adversarial training and reinforcement learning from human feedback to improve model resilience against jailbreaking.
Challenges to the regulatory landscape
The phenomenon of jailbreaking presents novel challenges to the regulatory landscape and governance structures overseeing AI and LLMs. The intricacies of unauthorised access and manipulation of LLMs are becoming more pronounced. As such, a nuanced approach to regulation and governance is essential. This approach must strike a delicate balance between ensuring the ethical deployment of LLMs and nurturing technological innovation.
It’s imperative regulators establish comprehensive ethical guidelines that not only serve as a moral compass but also as a foundational framework to preempt misuse and ensure responsible AI development and deployment. Robust regulatory mechanisms are imperative for enforcing compliance with established ethical norms. These mechanisms should also be capable of dynamically adapting to the evolving AI landscape. Only thn can regulators ensure LLMs’ operations remain within the bounds of ethical and legal standards.
The paper “Evaluating Safeguard Effectiveness” outlines some pivotal considerations for policymakers, researchers, and LLM vendors. By understanding the tactics employed by jailbreak communities, LLM vendors can develop classifiers to distinguish between legitimate and malicious prompts. And the shift towards the origination of jailbreak prompts from private platforms underscores the need for a more vigilant approach to threat monitoring: it’s crucial for both LLM vendors and researchers to extend their surveillance beyond public forums, acknowledging private platforms as significant sources of potential jailbreak strategies.
The bottom line
Jailbreaking LLMs present a significant challenge to the safety, security, and ethical use of AI technologies. Through a combination of advanced detection techniques, robust defence mechanisms, and comprehensive regulatory frameworks, it is possible to mitigate the risks associated with jailbreaking. As the AI field continues to evolve, ongoing research and collaboration among academics, industry professionals, and policymakers will be crucial in addressing these challenges effectively.
Thomas Hughes and Charlotte Davidson are Data Scientists at Bayezian, a London-based team of scientists, engineers, ethicists and more, committed to the application of artificial intelligence to advance science and benefit humanity.
Human error remains the most common point of failure for cybersecurity measures, but almost three quarters of European companies aren’t training staff.
SHARE THIS STORY
A shortage of cybersecurity professionals and a lack of organisation-wide training may be exacerbating a lack of cybersecurity skills in many European companies.
More than 70% of companies in the European Union have not taken any steps to train their employees on cybersecurity, or raise awareness of cybersecurity as an issue. This data comes from a new survey by Eurobarometer of companies in 27 EU countries in April and May.
Security breaches are worse than ever
It would appear that, for most organisations, increasing employees’ cybersecurity capabilities would be a top priority. Data breaches and cybersecurity attacks are becoming increasingly common. A survey of more than 500 IT and cybersecurity professionals within UK businesses found that 61% of businesses experienced a cyber breach last year. A quarter of those companies suffered three breaches or more.
According to data published in the State of Email and Collaboration Security 2024, 74% of all cybersecurity breaches are down to “human factors”. These include errors, stolen credentials, misuse of access privileges, and social engineering.
Not only is it becoming more likely that breaches occur, but data also suggests that they are wreaking more havoc than ever. A study released in April found that an overwhelming proportion (93%) of breached enterprises reported the consequences of their breaches as “dire”. Fallout commonly included operational downtime and financial losses, as well as reputational damage.
So, why is no one being trained?
The figures only make it more alarming that well over half of all EU companies have made no progress towards improving the overall cyber-readiness of their workforces. Additionally, 68% of the companies surveyed reported thinking that no training or awareness raising about cybersecurity was needed. Another 16% said they were not aware of relevant training opportunities, and 8% said such measures were too costly.
The most common reason cited by organisations not training their staff on cybersecurity is that there doesn’t appear to be anyone who can do the training. Just under half of all respondents (45%) identified their biggest challenge as finding qualified candidates for cybersecurity positions. Almost half (44%) reported having no applicants at all.
Around 20% of companies reported the fact that the continuous training required to keep cyber professionals abreast of industry developments was an obstacle to hiring. A similar number also cited rapidly evolving technology as a challenge to finding qualified workers.
As a result, it appears that, in Europe at least, the cyber skills shortage is driving a lack of cyber awareness across the whole business. It’s also possible that a lack of cybersecurity professionals leads to a lack of training, which then leads to a lack of awareness of a need for better cybersecurity measures. Until there’s a breach, of course.
Things are similar in the UK. According to the British government’s 2023 Cyber Security Breaches Survey report only 18% of businesses said that they’d organised cybersecurity training for their employees in the last year.
Kayne McGladrey, Field CISO, Hyperproof, commented that employers “should provide annual training at the very minimum, supplemented by micro-training modules after policy violations or incidents”.
A Gartner report has highlighted the challenges often faced by organisations implementing a zero-trust strategy, even as the practice grows in popularity.
SHARE THIS STORY
At a time when organisations face higher levels of cyber threat than ever before, it’s not a huge surprise that zero-trust strategies are growing in popularity.
According to a new report from Gartner, 63% of organisations worldwide have implemented some kind of zero-trust strategy, either fully or to a partial degree.
However, while the number of organisations exploring zero-trust is growing, Gartner also found that the approach typically covers less than half of an organisation’s IT environment.
What is zero-trust?
Zero-trust is an approach to security which treats everyone, whether they’re inside or outside the company network, as a potential risk. In practice, zero-trust environments constantly authenticate, authorise, and continuously validate everyone inside or outside the network.
Zero-trust means an end to the idea of a traditional network edge. As a result, networks can be local, in the cloud, or a mix of both, and people can connect to them from anywhere. Zero trust has been particularly in vogue since the COVID-19 pandemic drove a worldwide spike in remote and hybrid working.
Widespread adoption troubled by lack of clear vision
Gartner’s survey found that more than half (54%) of organisations pursuing zero-trust as their primary cybersecurity strategy were doing so because they see the approach as a best-practice for the industry.
“Despite this belief, enterprises are not sure what top practices are for zero-trust implementations,” said John Watts, VP Analyst, KI Leader at Gartner. “For most organisations, a zero-trust strategy typically addresses half or less of an organisation’s environment and mitigates one-quarter or less of overall enterprise risk.”
Three steps to zero trust
Gartner recommends three steps for best-practice zero-trust adoption.
Practice 1: Set Clear Scope for Zero-Trust Early On
To nail zero-trust, organisations should know what part of their setup they’re covering, which domains are included, and how much risk they’re cutting down. Reportedly, most organisations don’t cover their whole setup with zero-trust. In fact, 16% cover 75% or more, while only 11% cover less than 10%.
Practice 2: Share Zero-Trust Wins with the Right Metrics
Of the organisations with some level of zero-trust in place, 79% have strategic metrics to track progress, and of those, 89% have risk metrics too. When sharing these metrics, security leaders should tailor them for zero-trust, not just recycle old ones. CIOs, CEOs, and the board back an estimated 59% of zero-trust projects.
“Metrics for zero-trust should focus on its specific goals, like cutting down malware movement, rather than just general cybersecurity stats,” said Watts.
Practice 3: Expect Higher Costs and Staffing Needs, But No Extra Delays
According to Gartner, 62% of organisations think costs will go up, and 41% expect to need more staff for zero-trust.
“The cost of zero-trust varies based on the scale and robustness of the strategy from the start,” said Watts. “It can increase costs as organisations work on maturing their risk-based and adaptive controls.” While only 35% faced setbacks in their zero-trust rollout, having a solid plan with clear metrics helps keep things on track.
From AI-generated phishing scams to ransomware-as-a-service, here are 2024’s biggest cybersecurity threat vectors.
SHARE THIS STORY
No matter how you look at it, 2024 promises to be, at the very least, an interesting year. Major elections in ten of the world’s most popular countries have people calling it “democracy’s most important year.” At the same time, war in Ukraine, genocide in Gaza, and a drought in the Panama Canal continue to disrupt global supply chains. Domestically, the UK and US have been hit by rising prices and spiralling costs of living, as corporations continue to raise prices, even as inflation subsides.
Spikes in economic hardship and sociopolitical unrest have contributed to a huge uptick in the number and severity of cybercrimes over the last few years. That trend is expected to continue into 2024, further accelerated by the adoption of new AI tools by both cybersecurity professionals and the people they are trying to stop.
So, from AI-generated phishing scams to third-party exposure, here are 2024’s biggest cybersecurity threat vectors.
1. Social engineering
It’s not exactly clear when social engineering attacks became the biggest threat to cybersecurity operations. Maybe it’s always been the case. Still, as threat detection technology, firewalls, and other digital defences get more sophisticated, the risk posed by social engineering attacks is only going to grow more outside compared with network breaches.
More than 75% of targeted cyberattacks in 2023 started with an email, and social engineering attacks have been proven to have had devastating results.
One of the world’s largest casino and hotel chains, MGM Resorts, was targeted by hackers in September of last year. By using social engineering methods to impersonate an employee via LinkedIn and then calling the help desk, the hackers used a 10-minute conversation to compromise the billion-dollar company. The attack on MGM Resorts resulted in paralysed ATMs and slot machines, a crashed website, and a compromised booking system. The event is expected to take a $100 million bite out of MGM’s third-quarter profits. The company is expected to spend another $10 million on recovery alone.
2. Professional, profitable cybercrime
Cybercrime is moving out of the basement. The number of ransomware victims doubled in 2023 compared to the previous year.
Over the course of 2024, the professionalisation of cybercrime will reach new levels of maturity. This trend is largely being driven by the proliferation of affordable ransomware-as-a-service tools. According to a SoSafe cybercrime trends report, these tools are driving the democratisation of cyber-criminality, as they not only lower the barrier of entry for potential cybercriminals but also represent a significant shift in the attack complexity and impact.”
3. Generative AI deepfakes and voice cloning
Artificial intelligence (AI) is a gathering storm on the horizon for cybersecurity teams. In many areas, its effects are already being felt. Deepfakes and voice cloning are already impacting the public discourse and disrupting businesses. Recent developments that allow bad actors to generate convincing images and video from prompts are already impacting the cybersecurity sector.
Police in the US have reported an increase in voice cloning used to perpetrate financial scams. The technology was even used to fake a woman’s kidnapping in April of last year. Families lose an average of $11,000 in each fake-kidnapping scam, Siobhan Johnson, an FBI spokesperson, told CNN. Considering the degree to which voice identification software is used to guard financial information and bank accounts, experts at SoSafe argue we should be worried. According to McAfee, one in four Americans have experienced a voice cloning attack or know someone who has.
In February 2024—262 days before the US presidential election—leading tech firms assembled in Munich to discuss the future of AI’s relationship to democracy.
“As society embraces the benefits of AI, we have a responsibility to help ensure these tools don’t become weaponized in elections,” said Brad Smith, vice chair and president of Microsoft, in a statement. “AI didn’t create election deception, but we must ensure it doesn’t help deception flourish.”
Collectively, 20 tech companies—mostly involved in social media, AI, or both—including Adobe, Amazon, Google, IBM, Meta, Microsoft, OpenAI, TikTok, and X, pledged to work in tandem to “detect and counter harmful AI content” that could affect the outcome at the polls.
The Tech Accord to Combat Deceptive Use of AI in 2024 Elections
What they came up with is a set of commitments to “deploy technology countering harmful AI-generated content.” The aim is to stop AI being used to deceive and unfairly influence voters in the run up to the election.
The signatories then pledged to collaborate on tools to detect and fight the distribution of AI generated content. In conjunction with these new tools, the signatories pledged to drive educational campaigns, and provide transparency, among other concrete—but as yet undefined—steps.
The participating companies agreed to eight specific commitments:
Developing and implementing technology to mitigate risks related to Deceptive AI Election content, including open-source tools where appropriate
Assessing models in scope of this Accord to understand the risks they may present regarding Deceptive AI Election Content
Seeking to detect the distribution of this content on their platforms
Seeking to appropriately address this content detected on their platforms
Fostering cross-industry resilience to Deceptive AI Election Content
Providing transparency to the public regarding how the company addresses it
Continuing to engage with a diverse set of global civil society organisations, academics
Supporting efforts to foster public awareness, media literacy, and all-of-society resilience
The complete list of signatories includes: Adobe, Amazon, Anthropic, Arm, ElevenLabs, Google, IBM, Inflection AI, LinkedIn, McAfee, Meta, Microsoft, Nota, OpenAI, Snap, Stability AI, TikTok, TrendMicro, Truepic, and X.
“Democracy rests on safe and secure elections,” Kent Walker, President of Global Affairs at Google, said in a statement. However also stressed the importance of not letting “digital abuse” pose a threat to the “generational opportunity”. According to Walker, the risk posed by AI to democracy is outweighed by its potential to “improve our economies, create new jobs, and drive progress in health and science.”
Democracy’s “biggest year ever”
Many have welcomed the world’s largest tech companies’ vocal efforts to control the negative effects of their own creation. However, others are less than convinced.
“Every election cycle, tech companies pledge to a vague set of democratic standards and then fail to fully deliver on these promises,” Nora Bernavidez, senior counsel for the open internet advocacy group Free Press, told NBC News. She added that “voluntary promises” like the accord “simply aren’t good enough to meet the global challenges facing democracy.”
The stakes are high, as 2024 is being called the “biggest year for democracy in history”.
This year, elections are taking place in seven of the world’s 10 most populous countries. As well as the US presidential election in November, India, Russia and Mexico will all hold similar votes. Indonesia, Pakistan and Bangladesh have already held national elections since December. In total, more than 50 nations will head to the polls in 2024.
Will the accord work? Whether big tech even cares is the $1.3 trillion question
The generative AI market could be worth $1.3 trillion by 2032. If the technology played a prominent role in the erosion of democracy—in the US and abroad—it could cast very real doubt over its use in the economy at large.
In November of 2023, a report by cybersecurity firm SlashNext identified generative AI as a major driver in cybercrime. SlashNext blamed generative AI for a 1,265% increase in malicious phishing emails, and a 967% rise in credential phishing. Data published by European cybersecurity training firm, SoSafe, found that 78% of recipients opened phishing emails written by a generative AI. More alarmingly, the emails convinced 21% of people to click on malicious content they contained.
Of course, phishing and disinformation aren’t a one-to-one comparison. However, it’s impossibly to deny the speed and scale at which generative AI has been deployed for nefarious social engineering. If the efforts taken by the technology’s creators prove to be insufficient, the impact mass disinformation and social engineering campaigns powered by generative AI could have is troubling.
He adds that tools of the kind promised by the accords’ signatories may make detecting AI-generated text and images easier as we head into the 2024 election season. The response from the US has also included a rapidly drafted ban by the FCC on AI-generated robocalls aimed to discourage voters.
However, Tucker admits that “following longstanding patterns of the cat-and-mouse dynamics of political advantages from technological developments, we will, though, still be dependent on the decisions of a small number of high-reach platforms.”
Multiple tech giants have pledged to “detect and counter harmful AI content,” but is controlling AI a “hallucination”.
SHARE THIS STORY
A worrying trend is starting to take shape. Every time a new technological leap forward falls on an election year, the US elects Donald Trump.
Of course, we haven’t got enough data to confirm a pattern, yet. However, it’s impossible to deny the role that tech-enabled election inference played in the 2016 presidential election. One presidential election later, and efforts taken to tame that interference in 2020 were largely successful. The idea that new technologies can swing an election before being compensated for in the next is a troubling one. Some experts believe that the past could suggest the shape of things to come as generative AI takes center stage.
Social media in 2016 versus 2020
This is all very speculative, of course. Not to mention that there are many other factors that contribute to the winner of an election. There is evidence, however, that the 2016 Trump campaign utilised social media in ways that had not been seen previously. This generational leap in targeted advertising driven by unquestionalbly worked to the Trump campaign’s advantage.
It was also revealed that foreign interference across social media platforms had a tangible impact on the result. As reported in the New York Times, “Russian hackers pilfered documents from the Democratic National Committee and tried to muck around with state election infrastructure. Digital propagandists backed by the Russian government” were also active across Facebook, Instagram, YouTube and elsewhere. As a result, concerted efforts to “erode people’s faith in voting or inflame social divisions” had a tangible effect.
In 2020, by contrast, foreign interference via social media and cyber attack was largely stymied. “The progress that was made between 2016 and 2020 was remarkable,” Camille François, chief innovation officer at social media manipulation analysis company Graphika, told the Times.
One of the key reasons for this shift is that tech companies moved to acknowledge and cover their blind spots. Their repositioning was successful, but the cost was nevertheless four years of, well, you know.
Now, the US faces a third pivotal election involving Donald Trump (I’m so tired). Much like in 2020, unless radical action is taken, another unregulated, poorly understood technology with the ability to upset an election through misinformation and direct interference.
Will generative AI steal the 2024 election?
The influence of online information sharing on democratic elections has been getting clearer and clearer for years now. Populist leaders, predominantly on the right, have leveraged social media to boost their platforms. Short form content and content algorithms’ tend to favour style and controversy over substantive discourse. This has, according to anthropologist Dominic Boyer, made social media the perfect breeding ground and logistical staging area for fascism.
“In the era of social media, those prone to fascist sympathies can now easily hear each other’s screams, echo them and organise,” Boyer wrote of the January 6th insurrection.
Generative AI is not inextricably entangled with social media. However, many fear that the technology will (and already is) being leveraged by those wishing to subvert democratic process.
Joshua A. Tucker, a Senior Geopolitical Risk Advisor at Kroll, said as much in an op-ed last year. He notes that ChatGPT “took less than six months to go from a marvel of technological sophistication to quite possibly the next great threat to democracy.”
He added, most pertinently, that “just as social media reduced barriers to the spread of misinformation, AI has now reduced barriers to the production of misinformation. And it is exactly this combination that should have everyone concerned.”
AI is a perfect election interference tool
While a Brookings report notes that, “a year after this initial frenzy, generative AI has yet to alter the information landscape as much as initially anticipated,” recent developments in multi-modal AI that allow for easier and more powerful conversion of media from one form into another, including video, have undeniably raised the level of risk.
In elections throughout Europe and Asia this year, the influence of AI-powered disinformation is already being felt. A report from the Associated Press also highlighted the demotratisation of the process. They note that anyone with a smartphone and a devious imagination can now “create fake – but convincing – content aimed at fooling voters.” The ease with which people can now create disinformation marks “a quantum leap” compared with just a few years ago, “when creating phony photos, videos or audio clips demanded serious application of resources.
“You don’t need to look far to see some people … being clearly confused as to whether something is real or not,” Henry Ajder, an expert in generative AI based in Cambridge, England, told the AP.
Brookings’ report also admits that “even at a smaller scale, wholly generated or significantly altered content can still be—and has already been—used to undermine democratic discourse and electoral integrity in a variety of ways.”
The question remains, then. What can be done about it, and is it already too late?
Over half of organisations plan to implement AI in the near future, but is there sufficient focus on cybersecurity?
SHARE THIS STORY
The arrival of artificial intelligence (and more specifically generative AI) has had a transformative effect on the business landscape. Increasingly, the landscape is defined by skills shortages and rising inflation. In this challenging environment, AI promises to drive efficiency, automate routine tasks, and enhance decision-making.
A new survey of IT leaders found that 57% of organisations have “concrete plans” in place to adopt AI in a meaningful way in the near future. Around 25% of these organisations were already implementing AI solutions throughout their organisations. The remaining remaining 32% plan to do so within the next two years.
However, the advent of AI (not to mention increasing digitisation in general) also raises new concerns for cybersecurity teams.
“The adoption of AI technology across industries is both exciting and concerning from a cybersecurity perspective. AI undeniably has the potential to revolutionise business operations and drive efficiency. However, it also introduces new attack vectors and risks that organisations must be prepared to address,” Carlos Salas, a cybersecurity expert at NordLayer, commented after the release of the report.
Cybersecurity investment and new threats
IT budgets in general are going to rise in 2024. For around half of all businesses (48%), “increased security concerns” are a primary driver of this increased spend.
“As AI adoption accelerates, allocating adequate resources for cybersecurity will be crucial to safeguarding these cutting-edge technologies and the sensitive data they process,” says Salas.
A similar report conducted earlier this year by cybersecurity firm Kaspersky reaffirms Salas’ opinion. The report argues that it’s pivotal that enterprises investing heavily into AI (as well as IoT) also invest in the “right calibre of cybersecurity solutions”.
Similarly, Kaspersky also found that more than 50% of companies have implemented AI and IoT in their infrastructures. Additionally, around a third are planning to adopt these interconnected technologies within two years. The growing ubiquity of AI and IoT renders businesses investing heavily in the technologies “vulnerable to new vectors of cyberattacks.” Just 16-17% of organisations think AI and IoT are ‘very difficult’ or ‘extremely difficult’ to protect. Simultaneously, only 8% of the AI users and 12% of the IoT owners believe their companies are fully protected.
“Interconnected technologies bring immense business opportunities but they also usher in a new era of vulnerability to serious cyberthreats,” Ivan Vassunov, VP of corporate products at Kaspersky, commented. “With an increasing amount of data being collected and transmitted, cybersecurity measures must be strengthened. Enterprises must protect critical assets, build customer confidence amid the expanding interconnected landscape, and ensure there are adequate resources allocated to cybersecurity so they can use the new solutions to combat the incoming challenges of interconnected tech.”
The rise of connected vehicles is turning cars into a new weakness for cybersecurity threats to exploit.
SHARE THIS STORY
Over the past decade, every company has ostensibly become a tech company. Nowhere is this more true than in the automotive sector. In 2021, there were an estimated 237 million connected cars on the road. By next year, that number is expected to hit 400 million.
The era of the software defined vehicle
Cars are becoming increasingly suffused with technology.
So much is this the case that (in a sort of Armageddon oil drillers in space situation) tech companies like Xiaomi and (maaaybe, probably not any more) Apple are getting into the car game.
Next generation electric vehicles aside, the average car is, according to Luca de Meo, CEO of the Renault Group, more about software than hardware. “The car must now go beyond the physical object. Today, it’s all about connecting it to the cloud, to the digital ecosystem, and turning it into an extension of our digital spaces,” he wrote in March of last year.
The average passenger vehicle contains hundreds of sensors, cameras, and enough microchips for the global semiconductor shortage to hit the auto industry harder than it hit the smartphone market. The most technologically sophisticated passenger cars contain as many as 3,000 microchips guided by 150 million lines of software code. According to a report by the United Nations’ economic commission, cars could become twice as complex by the end of the decade.
De Meo even notes that the “computer systems and practical software features” have become the main selling points of modern vehicles.
These software defined vehicles (SDVs) are defined by De Meo as operating based on a centralised electronic architecture, being equipped with artificial intelligence (AI), have the potential to be paired with a digital twin, and most importantly are connected to the cloud during their entire lifecycle.
Car’s aren’t just getting smarter. They’re also more inseparably and permanently connected to the internet. Automakers are constantly updating, even improving SDVs, argues De Meo. He says SDVs will “become better and improve themselves day by day. As a result, they will be better when you sell them than when you buy them.”
Smarter cars mean more cyber risk
Despite the benefits touted by the auto industry of an always-on, always-connected car, perpetual connection to the internet via a plethora of IoT devices also has its risks.
More technology makes cars safer, smarter, and more convenient to use. However, it also presents a troubling new threat vector. As the electronic (and always connected) systems inside cars become increasingly sophisticated, they present a more inviting target for cyberattacks.
What kinds of cyberattacks?
The infotainment system in an SDV connects to the internet and other devices around it via wifi, bluetooth, cellular, and USB connections. These systems—much the same as for a personal computer—can provide an entry point for hackers to exploit. Ivan Reedman, director of secure engineering at IO Active, argues that this could allow these hackers to “access and control vehicle functions remotely, endangering human safety.”
It’s more likely, however, for hackers to be interested in attacking a car for the same reason they breach many other systems: data. “Infotainment systems also store personal information, such as personal contacts and location data, which can attract cybercriminals,” says Reedman. Personal data is vulnerable to attack whether users store is in the car itself, or on a device that trusts the car.
Cybersecurity in the auto industry shifting gears
The simple fact is that the auto industry is going to have to adopt a cybersecurity-conscious mindset and invest heavily into ensuring the SDVs of the future don’t represent a huge potential cyber risk.
A McKinsey report notes that “cybersecurity will be nonnegotiable” for automakers looking to bring connected cars to market. Despite the fact that “Unlike in other industries, such as financial services, energy, and telecommunications, cybersecurity has so far remained unregulated in the automotive sector,” new regulations are changing the landscape faster than some automakers can adapt.
New EU cybersecurity rules set to take effect in June have reportedly resulted in the scrapping of two new Porsche cars, the 718 Boxster and 718 Cayman for failing to live up to new cybersecurity standards. Porsche says it plans to continue selling the cars outside of the EU.
The evolution of the SDV will undoubtedly have major consequences for the auto industry. However, the success of smarter, more connected cars relies on automaker’s ability to not only make them physically safe, but cyber-secure as well. “Cars are an extension of the home, and we want to feel protected there,” Ronen Smoly, Chief Executive of Argus Cyber Security recently told Automotive World. “We don’t want anyone to spy on us or download personal data that exists in the car.”
Shifts in culture and approaches to threats could see the cybersecurity sector undergo some meaningful changes in 2024.
SHARE THIS STORY
Change seems to be the only true constant in cybersecurity.
True to form, the 2024 cybersecurity landscape looks set to tread unfamiliar ground, as generative AI emerges into a powerful tool for hackers and cybersecurity professionals alike. At the same time, new systematic approaches like Continuous Threat Exposure Management are requiring organisational and cultural shifts in the cybersecurity function and throughout the rest of the organisation. Poor communication, third-party exposure, and human error round out the list. (Some things do always stay the same, it seems).
1. Generative AI finds new applications—not all of them good
Generative artificial intelligence dominated the technology conversation last year. In 2024, however, hype around generative AI tools like ChatGPT has started to give way to people taking a long hard look at finding real world applications for the technology.
One of those applications, it seems, is cybercrime. In a report released by IBM’s X-Force, experts say that generative AI comes uncomfortably close to human capabilities when used as a tool for phishing and social engineering campaigns.
“Just this year we’ve seen scammers increasingly use voice clones generated by AI to trick people into sending money, gift cards or divulge sensitive information,” writes Stephanie Carruthers, one of IBM’s chief white hat hackers. “While humans may still have the upper hand when it comes to emotional manipulation and crafting persuasive emails, the emergence of AI in phishing signals a pivotal moment in social engineering attacks.”
It’s not all bad news, however. Generative AI also has the potential to augment the capabilities of cybersecurity professionals.
“Generative AI, the most transformative tool of our time, enables a kind of digital jiu jitsu”
Colourfully put by David Reber Jr., chief security officer for NVIDIA, “Generative AI, the most transformative tool of our time, enables a kind of digital jiu jitsu. It lets companies shift the force of data that threatens to overwhelm them into a force that makes their defences stronger.”
Generative AI’s ability to rapidly examine vast amounts of data, flag irregularities, and act as an intermediary layer between other types of software could significantly benefit security. Generative AI models can even create vast amounts of synthetic data in order to simulate “never-before-seen attack patterns,” and better train cybersecurity tools.
2. CTEM is the next big security differentiator
Continuous Threat Exposure Management (CTEM) is an increasingly popular approach to cybersecurity that shows immense promise.
Gartner predicts that organisations prioritising CTEM-based security investments will experience two-thirds fewer breaches by 2026
CTEM, in short, is a systematic approach to assessing digital and physical asset vulnerability. Rather than traditional approaches, which are reactionary and retroactive, CTEM is proactive threat identification and management, continually. This is achieved by continually simulating new attacks in order to identify and neutralise weaknesses in an organisation’s defences.
Generative AI, with its ability to create synthetic data and simulate new attack patterns, is expected to play a role in fueling CTEM practices.
3. Security culture beats security tech every time
In a world where cybersecurity technology constantly evolves, it’s easy to lose sight of the fact that human error remains one of the most common causes of a breach.
Gartner expects 2024 to be the year that “security leaders realise the importance of moving from mere awareness to changing behaviours to mitigate cybersecurity risks.”
Soft skills that promote a more productive working relationship between cybersecurity and the rest of the business are the name of the game. By 2027, half of large enterprise CISOs are expected to adopt human-centric security practices, reducing friction and enhancing control adoption.
Healthcare systems’ digital transformations are highlighting new cybersecurity vulnerabilities.
SHARE THIS STORY
Over the last few years, large scale data breaches have become disturbingly commonplace across multiple industries. Nowhere is this more worrying, however, than the healthcare sector, however. As healthcare organisations begin to feel the positive effects of their digital transformation efforts, escalating cybersecurity risks threaten to undermine hard-won progress.
Unified health data platforms create new vulnerabilities
Among the most recent breaches is the February 2024 attack on United Health Group’s (UHG) prescription provider, Optum. On February 21, UHG confirmed to the press that Optum was forced to temporarily shut down its IT systems due to a massive cyber attack, Pymnts reported. These systems include the Change Healthcare Platform, the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US.
The attack caused widespread disruption across the country. This included leaving many patients unable to process insurance claims or accept certain kinds of discount prescription cards. As a result, patients went without potentially lifesaving medicine. The breach was so serious that the American Hospital Association issued a statement recommending “all health care organisations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum.”
The danger is that, while the negative effects of siloed, legacy healthcare data management systems have been felt for years, the digital tools used to alleviate these pain points come with added vulnerabilities of their own. Nevertheless, the benefits of a digitally transformed healthcare data platform are needed now more than ever.
Digital healthcare platforms fight clinician burnout, staff shortages, and more
In 2022, the World Health Organisation (WHO) data suggesting an estimated 41% to 52% of healthcare workers suffer from burnout. At least 25% healthcare workers reported symptoms of anxiety, depression, and burnout.
A report by Wolters Kluwer argues: “the first step to creating systems that help reduce burnout is modernising clinical workflows.” Successfully accomplishing this would, they argue, “reduce administrative burden and increase efficiency.”
The UK’s National Health Service (NHS) is experiencing more burnout than ever, according to a 2024 report. According to the British Medical Journal (BMJ), burnout significantly impacts retention throughout the NHS. As a result, more staff are reportedly thinking about leaving than ever before. Admittedly, burnout is a long-standing issue in the NHS and healthcare organisations in general. However, NHS Employers’ report notes that the pandemic placed further burdens on NHS staff and exacerbated the problem.
As the world’s largest nationalised healthcare organisation, the NHS serves approximately 65 million people. Supposedly, the NHS has the ability to use huge amounts of its data to make better decisions. This, in conjunction with experienced staff and cutting edge technology, could help not only improve decisonmaking, but also reduce clinician burnout. Some examples of possible applications include:
Using patient data in conjunction with Google’s DeepMind to predict when patients are at risk of developing kidney failure.
Collaborating with NVIDIA to deploy open source AI across several hospital trusts in order to quickly analyse medical imagery. The deployment has already shown promise in speeding the detection of Covid-19, breast cancer, brain tumours, dementia, and strokes.
The Federated Data Platform—all the NHS’ eggs in one basket?
Right now, the NHS is in the process of centralising the personal patient records of millions of UK citizens. The Federated Data Platform aims to unite all the patient data used in the above examples. The project will drive cutting edge AI deployments to improve quality of care. Not onyl that, but it is expected to improve the quality of life and work for clinicians across the country. “Clinicians will be able to access live data of available theatre slots, staff availability and individual patient data suitable for particular procedures at the touch of a button,” said Matthew Taylor, NHS Confederation CEO.
The NHS has previously struggled to unify its data, with opposition forcing it to abandon two similar projects since 2012. One risk is the organisation’s entanglement with controversial data mining company Palantir. Some fear that association with the US firm could further complicate the process of obtaining public approval. Other critics highlight the increased risk of a high profile, large scale data breach the likes of which hit Optum.
“Inevitably, this will bring many challenges,” wrote tech author Bernard Marr in a recent op-ed. “Healthcare data is some of the most sensitive data that there is, and the task of keeping it secure while still ensuring that it’s accessible when and where it’s needed is no simple feat.”
Healthcare organisations desperately need the benefits that unified data management platforms can provide. However, if these benefits are to be realise, then cybersecurity remains the biggest challenge to be faced.
Generative AI threatens to exacerbate cybersecurity risks. Human intuition might be our best form of defence.
SHARE THIS STORY
Over the past two decades, the pace of technological development has increased noticeably. One might argue that nowhere is this more true than in the cybersecurity field. The technologies and techniques used by attackers have grown increasingly sophisticated—almost at the same rate as the importance of the systems and data they are trying to breach. Now, generative AI poses quite possibly the biggest cyber security threat of the decade.
Generative AI: throwing gasoline on the cybersecurity fire
Locked in a desperate arms race, cybersecurity professionals now face a new challenge: the advent of publicly available generative artificial intelligence (AI). Generative AI tools like Chat-GPT have reached widespread adoption in recent years, with OpenAI’s chatbot racking up 1.8 billion monthly users in December 2023. According to data gathered by Salesforce, three out of five workers (61%) already use or plan to use generative AI, even though almost three-quarters of the same workers (73%) believe generative AI introduces new security risks.
Generative AI is also already proving to be a useful tool for hackers. In a recent test, hacking experts at IBM’s X-Force pitted human-crafted phishing emails against those written by generative AI. The results? Humans are still better at writing phishing emails, with a higher click through rate of 14% compared to AI’s 11%. However, for just a few years into publicly available generative AI, the results were “nail-bitingly close”.
Nevertheless, the report clearly demonstrated the potential for generative AI to be used in creating phishing campaigns. The report’s authors also highlighted not only the vulnerability of restricted AIs to being “tricked into phishing via simple prompts”, but also the fact that unrestricted AIs, like WormGPT, “may offer more efficient ways for attackers to scale sophisticated phishing emails in the future.”
As noted in a recent op-ed by Elastic CISO, Mandy Andress, “With this type of highly targeted, AI-honed phishing attack, bad actors increase their odds of stealing an employee’s login credentials so they can access highly sensitive information, such as a company’s financial details.”
What’s particularly interesting is that generative AI as a tool in the hands of malicious entities outside the organisation is only the beginning.
AI is undermining cybersecurity from both sides
Not only is GenerativeAI acting as a potential new tool in the hands of bad actors, but some cybersecurity experts believe that irresponsible use, mixed with an overreliance on the technology inside the organisation can be just as dangerous.
John Licata, the chief innovation foresight specialist at SAP, believes that, while “cybersecurity best practices and trainings can certainly demonstrate expertise and raise awareness around a variety of threats … there is an existing skills gap that is worsening with the rising popularity and reliance on AI.”
Humans remain the best defence
While generative AI is unquestionably going to be put to use fighting the very security risks the technology creates, cybersecurity leaders still believe that training and culture will play the biggest role in what IBM’s X-Force report calls “a pivotal moment in social engineering attacks.”
“A holistic cybersecurity strategy, and the roles humans play in it in an age of AI, must begin with a stronger security culture laser focused on best practices, transparency, compliance by design, and creating a zero-trust security model,” adds Licata.
According to X-Force, key methods for improving humans’ abilities to identify AI-driven phishing campaigns include:
When unsure, call the sender directly. Verify the legitimacy of suspicious emails by phone. Establish a safe word with trusted contacts for vishing or AI phone scams.
Forget the grammar myth. Modern phishing emails may have correct grammar. Focus on other indicators like email length and complexity. Train employees to spot AI-generated text, often found in lengthy emails.
Update social engineering training. Include vishing techniques. They’re simple yet highly effective. According to X-Force, adding phone calls to phishing campaigns triples effectiveness.
Enhance identity and access management. Use advanced systems to validate user identities and permissions.
Stay ahead with constant adaptation. Cybercriminal tactics evolve rapidly. Update internal processes, detection systems, and employee training regularly to outsmart malicious actors.
AI systems like Chat-GPT are creating more sophisticated phishing and social engineering attacks.
SHARE THIS STORY
Although generative artificial intelligence (AI) has technically been around since the 1960s, and Generative Adversarial Networks (GANs) drove huge breakthroughs in image generation as early as 2014, it’s only been recently that Generative AI can be said to have “arrived”, both in the public consciousness and the marketplace. Already, however, generative AI is posing a new threat to organisations’ cybersecurity.
With the launch of advanced image generators like Midjourney and Generative AI powered chatbots like Chat-GPT, AI has become publicly available and immediately found millions of willing users. OpenAI’s ChatGPT alone generated 1.6 billion active visits in December 2023. Total estimates put monthly users of the AI engine at approximately 180.5 million people.
In response, generative AI has attracted a head-spinning amount of venture capital. In the first half of 2023, almost half of all new investment in Silicon valley went into generative AI. However, the frenzied drive towards mass adoption of this new technology has attracted criticism, controversy, and lawsuits.
Can generative AI ever be ethical?
Aside from the inherent ethical issues of training large language models and image generators using the stolen work of millions of uncredited artists and writers, generative AI was almost immediately put to use in ways ranging from simply unethical to highly illegal.
In January of this year, a wave of sexually explicit celebrity deepfakes shocked social media. The images, featuring popstar Taylor Swift, highlighted the massive rise in AI-generated impersonations for the purpose of everything from porn and propaganda to phishing.
Generative AI elevating the quality of phishing campaigns
Now, according to Chen Burshan, CEO of Skyhawk Security, generative AI is elevating the quality of phishing campaigns and social engineering on behalf of hackers and scammers, causing new kinds of problems for cybersecurity teams. “With AI and GenAI becoming accessible to everyone at low cost, there will be more and more attacks on the cloud that GenAI enables,” he explained.
Brandon Leiker, principal solutions architect and security officer at 11:11 Systems, added that generative AI would allow for more “intelligent and personalised” phishing attempts. He added that “deepfake technology is continuing to advance, making it increasingly more difficult to discern whether something, such as an image or video, is real.”
According to some experts, activity on social media sites like Linkedin may provide the necessary public-facing data to train an AI model. The model can then use someone’s statue updates and comments to passably imitate the target.
Linkedin is a goldmine for AI scammers
“People are super active on LinkedIn or Twitter where they produce lots of information and posts. It’s easy to take all this data and dump it into something like ChatGPT and tell it to write something using this specific person’s style,” Oliver Tavakoli, CTO at Vectra AI, told TechTarget. “The attacker can send an email claiming to be from the CEO, CFO or similar role to an employee. Receiving an email that sounds like it’s coming from your boss certainly feels far more real than a general email asking for Amazon gift cards.”
Richard Halm, a cybersecurity attorney, added in an interview with Techopedia that “Threat actors will be able to use AI to efficiently mass produce precisely targeted phishing emails using data scraped from LinkedIn or other social media sites that lack the grammatical and spelling mistakes current phishing emails contain.”
Findings from a recent report by IBM X-Force also found that researchers were able to prompt Chat-GPT into generating phishing emails. “I have nearly a decade of social engineering experience, crafted hundreds of phishing emails, and I even found the AI-generated phishing emails to be fairly persuasive,” Stephanie Carruthers, IBM’s chief people hacker, told CSOOnline.
This month’s cover story features Fiona Adams, Director of Client Value Realization at ProcurementIQ, to hear how the market leader in providing sourcing intelligence is changing the very face of procurement…
And below are just some of this month’s exclusives…
ProcurementIQ: Smart sourcing through people power
We speak to Fiona Adams, Director of Client Value Realization at ProcurementIQ, to hear how the market leader in providing sourcing intelligence is changing the very face of procurement…
The industry leader in emboldening procurement practitioners in making intelligent purchases is ProcurementIQ. ProcurementIQ provides its clients with pricing data, supplier intelligence and contract strategies right at their fingertips. Its users are working smarter and more swiftly with trustworthy market intelligence on more than 1,000 categories globally.
Fiona Adams joined ProcurementIQ in August this year as its Director of Client Value Realization. Out of all the companies vying for her attention, it was ProcurementIQ’s focus on ‘people power’ that attracted her, coupled with her positive experience utilising the platform during her time as a consultant.
Although ProcurementIQ remains on the cutting edge of technology, it is a platform driven by the expertise and passion of its people and this appealed greatly to Adams. “I want to expand my own reach and I’m excited to be problem-solving for corporate America across industries, clients and procurement organizations and teams (internal & external). I know ProcurementIQ can make a difference combined with my approach and experience. Because that passion and that drive, powered by knowledge, is where the real magic happens,” she tells us.
ASM Global: Putting people first in change management
Ama F. Erbynn, Vice President of Strategic Sourcing and Procurement at ASM Global, discusses her mission for driving a people-centric approach to change management in procurement…
Ripping up the carpet and starting again when entering a new organisation isn’t a sure-fire way for success.
Effective change management takes time and careful planning. It requires evaluating current processes and questioning why things are done in a certain way. Indeed, not everything needs to be changed, especially not for the sake of it, and employees used to operating in a familiar workflow or silo will naturally be fearful of disruptions to their methods. However, if done in the correct way and with a people-centric mindset, delivering change that drives significant value could hold the key to unleashing transformation.
Ama F. Erbynn, Vice President of Strategic Sourcing and Procurement at ASM Global, aligns herself with that mantra. Her mentality of being agile and responsive to change has proven to be an advantage during a turbulent past few years. For Erbynn, she thrives on leading transformations and leveraging new tools to deliver even better results. “I love change because it allows you to think outside the box,” she discusses. “I have a son and before COVID I used to hear him say, ‘I don’t want to go to school.’ He stayed home for a year and now he begs to go to school, so we adapt and it makes us stronger. COVID was a unique situation but there’s always been adversity and disruptions within supply chain and procurement, so I try and see the silver lining in things.”
SpendHQ: Realising the possible in spend management software
Pierre Laprée, Chief Product Officer at SpendHQ, discusses how customers can benefit from leveraging spend management technology to bring tangible value in procurement today…
Turning vision and strategy into highly effective action. This mantra is behind everything SpendHQ does to empower procurement teams.
The organisation is a leading best-in-class provider of enterprise Spend Intelligence (SI) and Procurement Performance Management (PPM) solutions. These products fill an important gap that has left strategic procurement out of the solution landscape. Through these solutions, customers get actionable spend insights that drive new initiatives, goals, and clear measurements of procurement’s overall value. SpendHQ exists to ultimately help procurement generate and demonstrate better financial and non-financial outcomes.
Spearheading this strategic vision is Pierre Laprée, long-time procurement veteran and SpendHQ’s Chief Product Officer since July 2022. However, despite his deep understanding of procurement teams’ needs, he wasn’t always a procurement professional. Like many in the space, his path into the industry was a complete surprise.
But that’s not all… Earlier this month, we travelled to the Netherlands to cover the first HICX Supplier Experience Live, as well as DPW Amsterdam 2023. Featured inside is our exclusive overview from each event, alongside this edition’s big question – does procurement need a rebrand? Plus, we feature a fascinating interview with Georg Rosch, Vice President Direct Procurement Strategy at JAGGAER, who discusses his organisation’s approach amid significant transformation and evolution.
Our exclusive cover story this month features a fascinating discussion with UK Procurement Director, CBRE Global Workplace Solutions (GWS), Catriona Calder to find out how procurement is helping the leader in worldwide real estate achieve its ambitious goals within ESG.
As a worldwide leader in commercial real estate, it’s clear why CBRE GWS has a strong focus on continuous improvement in its procurement department. A business which prides itself on its ability to create bespoke solutions for clients of any size and sector has to be flexible. Delivering the superior client outcomes CBRE GWS has become known for requires an extremely well-oiled supply chain, and Catriona Calder, its UK Procurement Director, is leading the charge.
Procurement at CBRE had already seen some great successes before Calder came on board in 2022. She joined a team of passionate and capable procurement professionals, with a number of award-winning supply chain initiatives already in place.
With a sturdy foundation already embedded, when Calder stepped in, her personal aim focused on implementing a long-term procurement strategy and supporting the global team on its journey to world class procurement…
We grab some time with Adam Brown who leads the Technology Platform for Procurement at A.P. Moller-Maersk, the global logistics giant. And when he joined, a little over a year ago, he was instantly struck by a dramatic change in culture…
Government of Jersey: A procurement transformation journey
Maria Huggon, Former Group Director of Commercial Services at the Government of Jersey, discusses how her organisation’s procurement function has transformed with the aim of achieving a ‘flourishing’ status by 2025…
The procurement team at Corio on bringing the wind of change to the offshore energy space. Founded less than two years ago, Corio Generation already packs quite the punch. Corio has built one of the world’s largest offshore wind development pipelines with projects in a diverse line-up of locations including the UK, South Korea and Brazil among others.
The company is a specialist offshore wind developer dedicated to harnessing renewable energy and helps countries transform their economies with clean, green and reliable offshore wind energy. Corio works in established and emerging markets, with innovative floating and fixed-bottom technologies. Its projects support local economies while meeting the energy needs of communities and customers sustainably, reliably, safely and responsibly.
Felix Schmitz, Head of Investor Relations & Head of Strategic Sustainability at Klöckner & Co SE explores how German company Becker Stahl-Service is leading the way towards a more sustainable steel industry with Nexigen® by Klöckner & Co.
This month’s cover story sees us speak with Brad Veech, Head of Technology Procurement at Discover Financial Services.
Having been a leader in procurement for more than 25 years, he has been responsible for over $2 billion in spend every year, negotiating software deals ranging from $75 to over $1.5 billion on a single deal. Don’t miss his exclusive insights where he tells us all about the vital importance of expertly procuring software and highlights the hidden pitfalls associated.
“A lot of companies don’t have the resources to have technology procurement experts on staff,” Brad tells us. “I think as time goes on people and companies will realise that the technology portfolio and the spend in that portfolio is increasing so rapidly they have to find a way to manage it. Find a project that doesn’t have software in it. Everything has software embedded within it, so you’re going to have to have procurement experts that understand the unique contracts and negotiation tactics of technology.”
There are also features which include insights from the likes of Jake Kiernan, Manager at KPMG, Ashifa Jumani, Director of Procurement at TELUS and Shaz Khan, CEO and Co-Founder at Vroozi.
