CS Jul-Aug 2025
Computing Security
Secure systems, secure data, secure people, secure business
NEWS | OPINION | INDUSTRY COMMENT | CASE STUDIES | PRODUCT REVIEWS

FIT FOR PURPOSE: New guidance on storage media disposal raises doubts for future
WARNING SIGNS: Ransomware attacks offer hope and horror
AI - FRIEND OR FOE? Is artificial intelligence to be trusted or is it just masquerading as an ally?
BLAST-OFF FOR QUANTUM: Battle to outpace the hackers now moves into outer space
Computing Security July/August 2025
comment

NHS CASH INJECTION CAN'T QUELL ATTACK FEARS

EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES: Edward O’Connor (edward.oconnor@btc.co.uk), David Bonner (dave.bonner@btc.co.uk), Stuart Leigh (stuart.leigh@btc.co.uk); tel +44 (0)1689 616 000
It's encouraging to see that the NHS received a record cash investment in the UK Spending Review, with an additional 10% technology budget increase.

But the question being asked in many quarters is: does this investment include cyber security defence for one of our most vulnerable critical infrastructures? It is widely recognised that the healthcare sector, dealing with sensitive personal information and running largely on legacy systems, is highly attractive and vulnerable to cyber-attackers.

Reports reveal that only 36% of NHS staff believe cyber security measures are sufficient. Data from SonicWall reflects this, showing healthcare remains a prime target, with hospitals and healthcare systems taking 60-150 days to patch vulnerabilities, while hackers exploit them in just two days, creating a critical security gap.

Spencer Starkey, executive VP EMEA at SonicWall, says that, despite Rachel Reeves' NHS budget increase, the healthcare sector remains a prime target for ransomware attacks, as healthcare organisations often have critical data that they cannot afford to lose. "If they haven't already, healthcare organisations need to have a plan in place to respond to ransomware attacks and to minimise the impact of these attacks. The healthcare sector continues to be a prime target for malicious actors, as evidenced by the recent attacks on the NHS," he points out.

"Not only do these attacks risk the potential for exposed patient data, but any significant IT issue that halts patient care poses an immediate threat to life," adds Starkey. "The ramifications of an attack on the healthcare sector can be disastrous, and it's important to place the utmost amount of time, money and efforts on securing them."
Brian Wall, Editor, Computing Security (brian.wall@btc.co.uk)
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)
Published by Barrow & Thompkins Connexions Ltd. (BTC), Suite 2, 157 Station Road East, Oxted, RH8 0QE
Tel: +44 (0)1689 616 000; Fax: +44 (0)1689 82 66 22

SUBSCRIPTIONS:
UK: £35/year, £60/two years, £80/three years
Europe: £48/year, £85/two years, £127/three years
R.O.W: £62/year, £115/two years, £168/three years
Single copies can be bought for £8.50 (includes postage & packaging). Published 6 times a year.

© 2025 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.
www.computingsecurity.co.uk July/August 2025 computing security
@CSMagAndAwards
inside this issue

CONTENTS

COMMENT 3
NHS: will new cash-in stop it crashing?

NEWS 6
Imposter in high-level AI hoax
Partnering up to tackle risk
JumpCloud Acquires VaultOne
Data leak exposes 5.7 million files

ARTICLES

GOOD, BAD AND WAY FORWARD 10
Ransomware attacks are said to have declined by 23% between April-June this year, compared to the previous quarter. Meanwhile, industrials are still the most targeted sector, with attacks up 46% from Q4 2024 to Q1 2025, according to a new threat report.

SQUARING THE CIRCLE 14
Fresh top-level guidance on the secure disposal of storage media may raise more questions than it answers, says one industry expert. Missing are familiar terms such as 'Clear' or 'Purge' and there is no reference to the IEEE 2883:2022 sanitisation specification, a key industry standard.

QUANTUM QUAKES 18
The incredible processing power and speed of quantum computers significantly threaten traditional encryption methods. How do we guard against this?

HEALTH ISSUES 20
The NHS has received a record cash investment in the latest UK Spending Review. Will the extra injection prove enough to revive it?

RETAIL AND RETALIATION 21
The recent wave of attacks on retail companies has shown no organisation, whatever their status might be, is safe from those who target their operations.

SEVEN-YEAR ITCH 22
It's been more than seven years now since the General Data Protection Regulation (GDPR) came into force. With the rapid acceleration of AI technologies and the increasing use of big data to train models and automate decisions, can the GDPR keep pace and remain fit for purpose?

DATA THEFT ONSLAUGHT 25
Four people were arrested in raids over the wave of cyber-attacks that crippled M&S, the Co-op and Harrods. But this won't stop more such assaults taking place.

AI - FRIEND OR FOE? 26
AI systems are all about the quality of their training data, one observer tells Computing Security. Models fed narrow, outdated or even fundamentally biased datasets may overlook new threats or reproduce the bias at speed and scale. Adversaries are quick to exploit these cracks, he warns.

CALL FOR STRONGER CYBER LAWS 30
MPs have shown widespread support for stronger cyber laws, along with calls for greater government collaboration and a more ambitious, future-proofed approach.

16 BILLION REASONS FOR ACTION 32
Data breaches that resulted in a massive 16 billion passwords being stolen could create a snowball effect of cyber-attacks in the days ahead.

QUANTUM BLAST-OFF! 34
Researchers in Europe and Canada are developing technology that will allow them to fire quantum-coded messages across continents via satellites in space.
news

MARCO RUBIO IMPOSTOR USES AI TO CALL HIGH-LEVEL GOVERNMENT OFFICIALS

An imposter has used AI to impersonate US secretary of state Marco Rubio in calls to high-ranking government officials. The threat actor employed AI-powered software to mimic Rubio's voice and writing style, with the intention of manipulating foreign ministers of unnamed countries. The incident highlights the way that AI is enabling constantly evolving novel methods of carrying out cyberattacks.

"The most effective method to safeguard our systems in this scenario would be to leverage AI to compete against its own potential threats in real-time," says Spencer Starkey, executive vice president EMEA, SonicWall. "This perspective introduces a novel concept: a cybersecurity landscape where AI engages in a continuous battle against cyber threats. Unlike traditional warfare, this battlefield knows no seasons or holidays; it is a relentless, 24/7 endeavour to protect our digital assets."

Pictured: Spencer Starkey, SonicWall.

MAJOR MOVE IN QUANTUM SUPREMACY RACE

Sir Jeremy Fleming, the former head of GCHQ, has joined the board of Oxford quantum computing start-up Oxford Quantum Circuits. This is seen as a major and significant development as Britain races against China and the US, with plans to spend £2.5bn on quantum computing in pursuit of a competitive edge.

As the UK sets out its bold roadmap to build a world class quantum workforce, however, it's essential we keep quantum security front and centre, cautions Jason Soroko, a security technology innovator and senior fellow at Sectigo. "This report highlights the transformative potential of quantum technologies, but does not pay enough attention to the potential risks that quantum computing brings to the cybersecurity space - with only a token reference made to the possible creation of 'Quantum cryptography/cyber security' roles."

Pictured: Jason Soroko, Sectigo.

PARTNERING UP TO TACKLE RISK

Sophos has formed a new partnership with Capsule, a specialist insurance broker, that facilitates access to cyber insurance coverage for organisations deploying Sophos' cybersecurity solutions via a managed services provider (MSP). "Sophos users enjoy automatic premium reduction, a streamlined application process, comprehensive coverage and pre-approved use of Sophos incident response services, while Sophos MSPs are better able to support their customers with a trusted cyber insurance solution," states the company.

Adds Liam Green, co-founder and chief operating officer at Capsule: "Cybersecurity and cyber insurance can no longer operate in silos - they must work together to create measurable risk reduction for businesses."

Pictured: Liam Green, Capsule.

GROWING GAINS

Advania UK, one of Microsoft's leading partners in Northern Europe, has announced powerful growth and expansion. "The company achieved a record turnover of more than £450 million and quadrupled its client base, while significantly expanding its workforce," it states.

Advania's combined turnover for the new UK group was £452 million last year, which was 3.3x higher than reported turnover for Advania UK the previous year.
news

KEY APPOINTMENT AT HACKERONE

HackerOne, a global leader in offensive security solutions, has appointed Nidhi Aggarwal as chief product officer and member of the executive leadership team. "Aggarwal will lead the execution of HackerOne's platform vision and product strategy, unifying the company's product portfolio around a more integrated, AI-powered experience that seamlessly scales human security expertise through AI agents to not just find, but remediate vulnerabilities," says the company.

A seasoned technology entrepreneur and product leader, she brings more than 15 years' experience in driving growth and innovation at companies ranging from early-stage startups to global enterprises.

Pictured: Nidhi Aggarwal, HackerOne.

JUMPCLOUD ACQUIRES VAULTONE

JumpCloud sees its recent acquisition of VaultOne as a step on the path towards igniting a new era of privileged access management. "We are continuously evaluating our customers' needs to extend JumpCloud into more areas where we can provide secure, frictionless access to resources, regardless of where the team or resources are located," says Greg Keller, chief technology officer and co-founder, JumpCloud. "The acquisition of VaultOne brings a deeply experienced team and established PAM technology into the JumpCloud family. This allows us to immediately offer a dedicated PAM solution with the granular control necessary to navigate today's complex security landscape, while providing more critical access control capabilities our customers can consolidate and depend upon from JumpCloud's platform."

Stated benefits from the move include: privileged access for all an organisation's critical assets; secure browsing, built-in; removal of the need for VPN; and the radical reduction of cyber threats.

Pictured: Greg Keller, JumpCloud.

DATA LEAK EXPOSES 5.7 MILLION FILES

Cybernews researchers recently uncovered a massive data leak, which was traced back to HireClick, a recruitment platform for small to mid-sized businesses. The platform helps businesses manage job listings, candidate applications and the hiring process.

The company left over 5.7 million files wide open for anyone on the internet, thanks to a misconfigured Amazon AWS S3 storage bucket. The leaked files exposed sensitive and private information of job seekers, mainly resumés. "In the wrong hands, the leaked data could power everything from identity theft and impersonation to phishing, vishing, and smishing campaigns, where attackers pose as hiring managers to exploit desperate job seekers," warns Cybernews journalist Paulina Okunytè.

Pictured: Paulina Okunytè.

KITEWORKS EXPANDS MARKET REACH

Kiteworks has acquired Zivver, a secure email platform headquartered in Amsterdam, the Netherlands. "Organisations require comprehensive solutions that protect private data shared and sent across all communication channels while maintaining seamless user experiences," says Amit Toren, chief business officer at Kiteworks. "By bringing Zivver's innovative secure email technology into our Private Data Network, we're providing the combined customer base with enhanced capabilities to secure their most sensitive communications, while meeting stringent compliance requirements."

Pictured: Amit Toren, Kiteworks.
ransomware

WHAT DIRECTION NOW AS RANSOMWARE HITS HARD?

RANSOMWARE REMAINS A FORMIDABLE ADVERSARY, ESPECIALLY WHEN ITS TARGETS ARE THE BACKBONE OF NATIONAL INFRASTRUCTURE

First, the relatively good news. Ransomware attacks are said to have declined by 23% between April and June this year, compared to the previous quarter, although they are up 43% on this time last year, with the dip only partially explained by normal seasonal variations. "In Q2 of 2025, 1,591 new victims of ransomware attacks were posted publicly on data leak sites, at an average of 17.5 per day, compared to 22.9 per day in Q1 of 2025 and 12.2 per day in Q2 of 2024," reports Steve Alder, editor-in-chief of The HIPAA Journal.

Now, the bad news: industrials are still the most targeted sector, showcasing the value that critical national infrastructure holds for ransomware groups. Attacks jumped by 46% from Q4 2024 to Q1 2025, according to Honeywell's 2025 Cybersecurity Threat Report. The research also found that both malware and ransomware increased significantly in this period and included a 3,000% spike in the use of one trojan designed to steal credentials from industrial operators. Where do these differing takes leave organisations in their quest to stay 'ransom free'?

A COMPLEX REALITY

Daniel Shepherd, CEO at CSIS Security Group, says recent research offers a nuanced view of ransomware. "While several reports, including findings from the NCC Group, suggest a decline in overall attack volumes, this improvement should not lull us into a false sense of security. Underneath these encouraging figures lies a more complex reality. Ransomware remains a formidable adversary, especially when its targets are the backbone of national infrastructure."

The most recent CSIS Threat Matrix report reinforces this cautionary note, he says, emphasising the urgent need for resilient, targeted countermeasures in the face of a threat that continuously adapts and intensifies. "Even if the frequency of reported incidents has momentarily dipped, adversaries are still honing their techniques to exploit weaknesses. Now, ransomware actors are not simply relying on traditional encryption to lock down data, they are employing double extortion tactics that threaten both operational integrity and corporate reputation.

"This sophisticated hybrid of technical prowess and psychological pressure means that any lull in activity can be misleading. Organisations across all sectors must remain vigilant, because complacency is the attacker's greatest ally. The need for a proactive, dynamic cybersecurity stance has never been more critical," warns Shepherd.

Drawing on insights from the latest CSIS Threat Matrix report, a multi-layered strategy is essential for thwarting ransomware attacks. Here are the key pillars to consider, he suggests:

Comprehensive risk assessments and continuous monitoring

"Organisations need to carry out frequent and detailed vulnerability audits to uncover system-specific weaknesses. Leveraging advanced endpoint detection and response (EDR) tools can help detect suspicious file modifications and unusual encryption surges; both of which are signs that a ransomware attack may be underway."

Robust incident response and threat intelligence

"The value of preparedness cannot be underestimated. Develop a dedicated ransomware response plan that outlines rapid isolation measures, sets clear communication roles and includes established protocols for involving law enforcement when necessary. Additionally, forging collaborative intelligence-sharing channels with industry peers provides invaluable real-time insight into emerging threats and evolving tactics."

Employee empowerment through training

"The human element remains both a vulnerability and a defence," adds Shepherd. "Tailored scenarios and simulated attack exercises cultivate a culture of cyber hygiene, equipping employees to recognise phishing attempts and other common precursors to ransomware."

Layered technical defences

A defence-in-depth approach is important, he says. "Implement robust firewalls, segmented networks, multi-factor authentication and behaviour-based anomaly detection systems. Proactive measures, such as advanced email filtering, sandboxing and a rigorous patch management policy, will significantly reduce exposure to potential exploits."
Resilient business continuity planning

"Establishing an effective data backup strategy is a safeguard against crippling downtime. Ensure backups are immutable, regularly tested and stored securely. Developing and rehearsing rapid recovery protocols allows organisations to bounce back swiftly, minimising both operational disruption and financial losses."
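As an added illustration of the first pillar above, detecting "suspicious file modifications and unusual encryption surges" from endpoint telemetry, here is a small Python detector. It is not code from CSIS Security Group or from this article. The telemetry line format, the host and process names, the file paths and the thresholds are all constructed for the example; a real EDR product exposes equivalent fields under its own names. The detector slides a one-minute window over each process's file writes and raises an alert when a process writes many files whose content entropy sits near that of encrypted data, which is the signature a mass-encryption event leaves even when the files keep their original names.

```python
import math
import random
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileEvent:
    ts: datetime
    host: str
    process: str
    action: str      # "write" or "rename"
    path: str
    entropy: float   # Shannon entropy (bits per byte) of the content written; 0 for renames


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted or compressed data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_event(line: str) -> FileEvent:
    """Parse one constructed telemetry line: ts|host|process|action|path|entropy."""
    ts, host, process, action, path, entropy = line.split("|")
    return FileEvent(datetime.fromisoformat(ts), host, process, action, path, float(entropy))


def build_sample_log() -> list[str]:
    """Constructed telemetry: sparse office-app writes, then one process rewriting
    sixty files in about forty seconds with near-random content plus a rename."""
    rng = random.Random(7)
    base = datetime(2025, 7, 1, 9, 0, 0)
    text = b"Quarterly figures, nothing unusual in this document. " * 80
    lines = []
    for i in range(10):  # benign baseline: one document write every three minutes
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()}|ws-17|winword.exe|write|C:\\Users\\a\\doc{i}.docx|{shannon_entropy(text):.2f}")
    burst = base + timedelta(minutes=31)
    for i in range(60):  # surge: high-entropy overwrite followed by a rename to *.locked
        t = burst + timedelta(milliseconds=650 * i)
        ent = shannon_entropy(rng.randbytes(4096))
        lines.append(f"{t.isoformat()}|ws-17|updater.exe|write|C:\\Users\\a\\Documents\\f{i}.xlsx|{ent:.2f}")
        lines.append(f"{t.isoformat()}|ws-17|updater.exe|rename|C:\\Users\\a\\Documents\\f{i}.xlsx.locked|0.00")
    return lines


def detect_surges(lines, window_s=60, min_writes=25, min_entropy=7.0):
    """Flag any (host, process) that writes at least min_writes files within window_s
    seconds with mean content entropy of at least min_entropy. One alert per process."""
    by_proc = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_proc[(ev.host, ev.process)].append(ev)
    alerts = []
    for (host, process), events in by_proc.items():
        writes = sorted((e for e in events if e.action == "write"), key=lambda e: e.ts)
        renamed_ext = {e.path.rsplit(".", 1)[-1] for e in events if e.action == "rename"}
        lo = 0
        for hi in range(len(writes)):
            # shrink the window from the left until it spans at most window_s seconds
            while (writes[hi].ts - writes[lo].ts).total_seconds() > window_s:
                lo += 1
            window = writes[lo:hi + 1]
            if len(window) < min_writes:
                continue
            mean_entropy = sum(e.entropy for e in window) / len(window)
            if mean_entropy >= min_entropy:
                alerts.append({
                    "host": host, "process": process,
                    "window_start": window[0].ts.isoformat(),
                    "writes_in_window": len(window),
                    "mean_entropy": round(mean_entropy, 2),
                    "renamed_extensions": sorted(renamed_ext),   # informational context
                })
                break  # one alert per process is enough to trigger isolation
    return alerts


if __name__ == "__main__":
    for alert in detect_surges(build_sample_log()):
        print(alert)
```

The thresholds are the point to tune: a backup agent or a compiler can legitimately write hundreds of files a minute, but their output is not uniformly high-entropy across every file, which is why the count and the entropy are checked together rather than either alone.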
BREAKING THE BANK

For a period of time in his military intelligence career, Rob Dartnall, CEO, SecAlliance, was focused on disrupting the finances of terrorists. "What struck me then was just how much that money influenced the battlefield. A lesson that continues to resonate when discussing ransomware payments. At times, removing the funding had a bigger impact than kicking down doors. At times, we would come across fighters who were not there for ideology, but simply to put food on the table. No money, fewer fighters. No money, fewer weapons. No money, reduced capability. Starve a group of funding and their long-term development is significantly restricted.

"This mindset followed me as I transitioned into cyber security over a decade ago. We're facing increasingly capable ransomware actors, with operations that reflect the structure and scale of traditional adversaries. The solution remains the same; we must disrupt the flow of money. That's why I support recent calls from cyber leaders like Ciaran Martin [former CEO of the National Cyber Security Centre] to ban ransom payments outright. The rationale is clear. Criminal groups continue to extract significant sums from public and private institutions. These funds sustain further attacks, attract new actors, drive illicit economies, empower corrupt regimes and support geopolitical instability."

Dr Richard Horne, current CEO of the National Cyber Security Centre, part of GCHQ, has publicly stated his own opposition to making such payments. "If [companies] pay because they hope the ransom attackers won't publish information, well, they need to know that all they've got is a criminal's word for it," said Horne. "And if they pay to recover their systems, well, they should have recovery plans in place so they can recover their systems anyway."

Meanwhile, there are signs that coordinated deterrence has an effect, adds Dartnall. "Countries and jurisdictions where ransom payments are restricted, particularly in cases involving sanctions or terrorism, are becoming less appealing targets. And when payments are blocked entirely, threat actors tend to shift focus." He refers to the recent international operation against the LockBit group, led by the UK's National Crime Agency and its allies, which was not only a technical achievement, but also psychological in nature.

TACTICS TURNED ON THEIR HEADS

"Their defeat was carried out using their own tactics. That's effective strategy: undermining morale, disrupting communication and cutting off financial reward. What has been more impressive is the sustained law enforcement operations not only against other nefarious actors, but also against the markets, infrastructures and systems they rely on to illicit their gains. When terrorist groups lose funding, their operations contract. They make more mistakes and become easier to detect. The same pattern applies in cyber."

Apart from banning payment, he says tackling the infrastructure that facilitates cybercrime is vital. "Many financial institutions are already obliged to flag suspicious transactions, so why not apply similar standards to cryptocurrency exchanges - globally. Sanction the owners of illicit exchanges and markets? These platforms have too often provided cover for laundering criminal gains. Regulation here is overdue."

Daniel Shepherd, CSIS Security Group: ransomware remains a formidable adversary.

Rob Dartnall, SecAlliance: starve a group of funding and their long-term development is significantly restricted.
Saugat Sindhu, Wipro: prevention capabilities should be the cornerstone of any cyber resilience strategy.

Ian Robinson, Titania: boosted by AI, ransomware is infiltrating all the way into the network.
However, a blanket ban could also have unintended consequences, such as redirecting criminals more towards private individuals, he recognises. "The outcome could be damaging, if skilled attackers pivot to widespread financial fraud against the public. That's why any response needs to be coordinated.

"Government departments, ISPs, telecom providers, domain registrars and email platforms all have a role to play. For the last five years, the changes in the geopolitical landscape have completely fractured relationships between nations that had shown progress in working together to eradicate cyber-criminal activity. Whilst there will be safe harbours for actors, we can significantly reduce their freedom of movement, and access to markets and infrastructures."

Prohibiting ransomware payments isn't a catch-all fix. "It must be backed by long-term investment, increased resourcing for law enforcement, improved cyber defence responsibilities for service providers and, most importantly, a unified national strategy. As new technologies allow for more threat actors to more easily enter criminal markets, we must similarly restrict access to resources."

TOP RISK

Saugat Sindhu, global head strategy and risk at Wipro, points to the company's latest State of cybersecurity report, which found that 57% of respondents viewed ransomware attacks as their top risk. "When it comes to cyber threats like ransomware, prevention capabilities should be the cornerstone of any cyber resilience strategy, followed by recovery capabilities," says Sindhu. "The smartest organisations also learn from the past. They treat threat reports and breach post-mortems not as headlines, but as playbooks. Each one offers clues about what today's attackers are targeting and how to stay a step ahead. Every incident adds to existing recovery SOPs [Standard Operating Procedures]."

Ultimately, the goal is to detect and defuse threats before they escalate and, if they end up escalating, quickly recover from them. "That means identifying vulnerabilities early, remediating quickly and constantly adapting defences to meet evolving risks. Cyber resilience isn't a box to check, it's an ongoing discipline that is iteratively evolving through lessons learned."

AI AND AUTOMATION

While attackers traditionally relied on manual methods, they are now using AI and automation to accelerate and scale their efforts, states Ian Robinson, chief product officer, Titania. He quotes Gartner's prediction that, by 2027, AI will reduce the time it takes to exploit account exposures by 50%. "Boosted by AI, ransomware is infiltrating all the way into the network. Instead of immediately infecting a device, attackers are now deploying more covert strategies - lying dormant, spreading undetected and establishing a strong foothold in the network before executing the ransomware to maximum effect."

This shift in tactics significantly increases the potential for business disruption - or disaster. "People remain the weakest link in cybersecurity. According to Verizon, human actions or inactions contributed to 74% of breaches last year. While organisations must continue to strengthen their human firewall, the reality is that it's a matter of when - not if - they will face an attack. AI-powered phishing and social engineering are becoming increasingly convincing, making this challenge even more pressing."

CRUCIAL CONTROL

Although millions of ransomware variants exist, they all infiltrate and move through networks in similar ways, he points out. This makes network segmentation a crucial control for mitigating risks, especially for CNIs [critical national infrastructures]. "If a ransomware attacker breaches the perimeter, but the administrative network is segmented from business-critical segments and operational technology, the attack will only proliferate as far as it can get," says Robinson. "This is not the case for flat networks that will fail to stop lateral movement. Lateral movement is an increasing risk for businesses as attackers use AI to automate and accelerate credential theft attacks to open privilege escalation."

Attackers will always look for the most easily exploitable vulnerabilities to gain access to systems and/or networks, he adds. "Network devices are particularly attractive targets for ransomware, as they provide attackers with persistent, lateral movement capabilities and access to sensitive data flows when compromised. Hardening these components to enforce network segmentation is key for CNIs to develop operational resilience.

"Within CNI, where operational downtime is not an option, there is often a need to enable insecure configurations to support legacy software and operational technology devices. Out-dated network devices expose CNIs to the Critical Vulnerabilities and Exposures [CVEs] repeatedly exploited by ransomware gangs and APTs [advanced persistent threats]."

ESSENTIAL SAFEGUARDS

When operating with accepted risks is unavoidable, foundational network security and compliance measures are essential to manage these risks effectively. "This includes minimising the attack surface by enforcing access control lists and macro segmentation policies; and proactively monitoring for device configuration changes to identify whether a change was planned versus unplanned, and if it violates segmentation policy. By implementing proactive network security measures, organisations have the real-time information that an attack has been mounted and the time to respond and contain attacks before they become catastrophic."
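To show what the monitoring Robinson describes looks like in practice, a device configuration change checked both against the change calendar and against segmentation policy, here is an added Python example. It is not Titania's code or anything from this article. The simplified ACL syntax, the zone address ranges, the allowed flows between zones and the contents of the change ticket are all constructed for the illustration. The audit diffs two configuration snapshots, reports any rule that appeared or disappeared without an approved ticket line, and separately reports any permit rule whose source and destination zones are not an allowed pair, which is the check that catches an administrative segment being opened straight into operational technology.

```python
import ipaddress
from dataclasses import dataclass

# Constructed segmentation model: address range per zone, and which zone pairs may talk.
ZONES = {
    "corp_admin": ipaddress.ip_network("10.10.0.0/16"),
    "business_critical": ipaddress.ip_network("10.20.0.0/16"),
    "ot": ipaddress.ip_network("10.30.0.0/16"),
    "jump_hosts": ipaddress.ip_network("10.40.1.0/24"),
}
ALLOWED_FLOWS = {
    ("corp_admin", "jump_hosts"),        # administrators reach critical zones only via jump hosts
    ("jump_hosts", "ot"),
    ("jump_hosts", "business_critical"),
}


@dataclass(frozen=True)
class AclRule:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str                  # e.g. "tcp/22" or "any"

    def line(self) -> str:
        return f"{self.action} {self.src} {self.dst} {self.service}"


def parse_acl(text: str) -> set[AclRule]:
    """Parse the constructed one-rule-per-line ACL format; '#' lines are comments."""
    rules = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst, service = line.split()
        rules.add(AclRule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), service))
    return rules


def zone_of(net: ipaddress.IPv4Network) -> str:
    """Name of the zone containing the whole network, or 'unknown'."""
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return "unknown"


def policy_violations(rules: set[AclRule]) -> list[str]:
    """Permit rules whose (source zone, destination zone) pair is not an allowed flow."""
    return sorted(r.line() for r in rules
                  if r.action == "permit" and (zone_of(r.src), zone_of(r.dst)) not in ALLOWED_FLOWS)


def audit_change(old_text: str, new_text: str, approved_lines: list[str]) -> dict:
    """Diff two snapshots; report unplanned rule changes and policy violations in the new one."""
    old, new = parse_acl(old_text), parse_acl(new_text)
    added, removed = new - old, old - new
    approved = parse_acl("\n".join(approved_lines))
    return {
        "added": sorted(r.line() for r in added),
        "removed": sorted(r.line() for r in removed),
        "unplanned": sorted(r.line() for r in (added | removed) if r not in approved),
        "violations": policy_violations(new),
    }


# Constructed snapshots of a core switch ACL before and after a change window.
OLD_CONFIG = """
# snapshot before change window (constructed)
permit 10.10.0.0/16 10.40.1.0/24 tcp/22
permit 10.40.1.0/24 10.30.0.0/16 tcp/502
permit 10.40.1.0/24 10.20.0.0/16 tcp/443
deny 0.0.0.0/0 0.0.0.0/0 any
"""
NEW_CONFIG = OLD_CONFIG + """
permit 10.10.0.0/16 10.40.1.0/24 tcp/3389
permit 10.10.0.0/16 10.30.0.0/16 any
"""
# Lines approved on the (constructed) change ticket CHG-EXAMPLE-001: RDP to the jump hosts only.
APPROVED_CHANGES = ["permit 10.10.0.0/16 10.40.1.0/24 tcp/3389"]

if __name__ == "__main__":
    result = audit_change(OLD_CONFIG, NEW_CONFIG, APPROVED_CHANGES)
    for key, lines in result.items():
        print(key, lines)
```

Run against the snapshots above, the approved RDP rule shows up only under "added", while the direct admin-to-OT rule is reported both as unplanned and as a segmentation violation; either finding alone would justify paging the network team, and the pair together is a strong signal that the change was not made by them.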
IMPOSSIBLE CHOICE

AJ Thompson, CCO at Northdoor, says the M&S attack, which forced a six-week pause in online operations and an estimated £300m profit reduction, has demonstrated the devastating impact that goes so much further than 'just' data loss. "Organisations face an impossible choice: adhere to best practices or try to mitigate the catastrophic day-to-day business disruption, as well as the long-term impacts of non-compliance and associated fines. Our experience indicates that preparation is the key.

"Companies with robust incident response and business continuity protocols, immutable backups and segmented networks give organisations a strong negotiating leverage, in the event of a crisis. For those without such preparation in place, the prospect of having to pay the ransom demanded by cybercriminals becomes a very real one. It might represent the only viable path back to operational continuity."

There are, however, some key considerations that will need to be taken into account, he comments. These include:

- The maturity of existing recovery capabilities
- Comprehensive impact assessment beyond IT systems
- Verification of threat actor credibility through intelligence
- Legal and regulatory obligations regarding data protection.

"The nature of cybercriminals, of course, means that there is no guarantee that you will receive all of the stolen data back or in what form it arrives, but without preparation it remains the only hope of some to ensure that their business can get back up and running. The true solution lies not in absolute positions, but in proactive resilience - implementing advanced threat detection, regular recovery testing and cyber insurance, with expert response teams to ensure organisations never face this impossible choice unprepared."

PROACTIVE STANCE

To mitigate the many threats that ransomware poses, Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, argues that "CNI organisations must take a proactive stance towards cyber security best practice", with internal teams working with dedicated MSSPs to:

- Regularly back up critical data and systems, with backups stored offline to prevent them from being targeted. Backup and restoration procedures should be regularly tested to ensure they are effective in a real-world incident.
- Create, maintain and regularly exercise a cyber incident response plan that includes specific procedures for ransomware attacks. This plan should be tested regularly to identify gaps.
- Implementation of IAM:
  - Implement MFA for all services, especially for remote access, VPNs and webmail
  - Restrict user and administrator privileges to only what is necessary for their roles
  - Adopt a zero-trust model, which assumes no user or device is trusted by default, requiring strict verification for every access request.
- Keep all operating systems, software and firmware up to date to protect against known vulnerabilities that ransomware actors frequently exploit.
- Isolate critical systems by segmenting the network, which can prevent ransomware from spreading laterally from a compromised workstation to critical servers.
- Educate employees to recognise and report phishing attempts, suspicious links and social engineering tactics.
- Increase detection and response capabilities to boost overall resilience against ransomware attacks.
asset disposal
SQUARING THE CIRCLE
FRESH TOP-LEVEL GUIDANCE ON THE SECURE DISPOSAL OF STORAGE MEDIA
MAY RAISE MORE QUESTIONS THAN IT ANSWERS, SAYS ONE INDUSTRY EXPERT
The government's recently launched
'IT Reuse for Good Charter' is widely
seen as a major step forward in
encouraging firms to embed circular
approaches into their daily IT operations -
but it could and should go further still,
says Green Alliance's Emily Carr
"It shouldn't still be the case that, in
the UK today, millions of people have no
access to digital devices to get online,
while perfectly usable business laptops,
tablets and smartphones are routinely
shredded or left gathering dust, adding
to the UK's shocking and ever growing e-waste
problem."
There's one simple solution that tackles
both problems in one go, she believes:
redistributing discarded usable devices
to the people who need them most.
"Businesses are a big part of this solution.
Some are already leading the way,
building this into their IT management
and showing what's possible when
sustainability and social impact are taken
seriously. The recent launch of the 'IT
Reuse for Good Charter' is a major step
forward in helping others to follow their
lead, making device reuse the norm rather
than the exception."
Meanwhile, the NCSC (National Cyber Security Centre) has published new guidance to help organisations looking to securely decommission end-of-life digital assets. Here are the main points:
Safely retiring data, software and hardware is a critical endeavour with "potentially severe repercussions", if not done right.
IT assets allowed to continue beyond their lifespan may pose a risk to the organisation, if they are lost, exploited or accessed by unauthorised individuals.
The goal is to understand the potential impact of the asset's decommissioning and ensure all associated components are accounted for.
But how exactly do organisations faced
with such challenges get this right -
and what are the key steps they need
to take to pinpoint the pitfalls awaiting
the unwary?
GAP IN TOP-LEVEL GUIDANCE
"The recent update from the NCSC on
Secure Sanitisation and Disposal of
Storage Media was a welcome
development," says Steve Mellings,
founder and CEO of ADISA Group.
"Previous guidance was spread across
several documents, notably Information
Assurance Standard 5 (IS5), which
provided detailed sanitisation specifications.
This standard operated alongside
the Commercial Product Assurance (CPA)
scheme, which evaluated and approved
sanitisation products, and CAS-S, a certification
mechanism for companies offering
secure disposal services. Together,
these frameworks offered organisations
a high degree of assurance when
disposing of data-bearing assets.
"However, IS5 was last updated in
2014. The CPA scheme ceased approving
sanitisation products in 2023 and CAS-S
has since relied solely on referencing
NPSA destruction standards as an
approved method of sanitisation.
These developments left a noticeable
gap in authoritative guidance."
As Mellings reviewed the new update,
the first thing that stood out for him
was a prominent disclaimer: 'Note: This
guidance will not protect data from being
read by a skilled, well-funded laboratory.'
This sets a cautious tone, he states. "The
document is also explicitly tied to the UK
protective marking scheme, limiting its
relevance to data classified as OFFICIAL
within HMG. For non-government users,
this raises immediate questions about
applicability and relevance."
The guidance does contain some sound
principles on how organisations might
approach secure sanitisation, he accepts.
"However, what's notably missing is concrete
advice on how to sanitise media.
Familiar terms such as 'Clear' or 'Purge' are
absent and there is no reference to the
IEEE 2883:2022 sanitisation specification,
a key industry standard."
Beyond these omissions, some of the
recommendations are questionable, he
feels. "For example, the suggestion to
'Power off the device for at least 15
minutes' lacks a technical basis in secure
data disposal for most storage media.
Other points - such as reliance on untested
manufacturer resets or acknowledging
that 'data may remain on the device' -
further erode confidence in the document's
technical rigour."
Ultimately, concludes Mellings, this
update feels incomplete and lacking in
real, practical advice. "Rather than closing
the gap left by deprecated standards, it
introduces new uncertainties. For those
seeking clarity and assurance in the secure
disposal of storage media, this guidance
may raise more questions than it answers."
FAILURE OF SCRUTINY
When decommissioning digital assets,
one of the most overlooked risks is the
persistence of sensitive data in unexpected
places, says Richard Hall, AVP at DigiCert.
"While wiping or destroying hard drives
is standard practice, many organisations
fail to apply the same scrutiny to embedded
or secondary storage within devices.
A few years ago, I purchased decommissioned
data centre servers for a home
lab. During set-up, I discovered SD cards
still inserted, containing a full operating
system and boot configuration. It was
a clear reminder that critical data can
remain accessible long after equipment
is retired."
In another case, a colleague had received
a second-hand corporate phone that
had not been properly sanitised. "Despite
a factory reset, the device retained autofill
credentials, saved Wi-Fi networks and
identity tokens, still granting access to
cloud apps. Devices that sync across
platforms often store data in ways that
survive basic resets.
"Network infrastructure is no exception.
Equipment like routers and firewalls can
store credentials, cryptographic keys and
digital certificates in onboard memory.
If left behind, these artefacts can expose
organisations to serious risks - whether
through unauthorised access or persistent
trust relationships."
In today's complex IT environments, adds
Hall, digital certificates are everywhere: from
authentication and encryption to device
identity. "Without oversight, orphaned
certificates on decommissioned systems
can become security and compliance
risks. Many were issued with long validity,
sometimes a decade, during which cryptographic
standards may shift, algorithms
weaken and browser behaviours change.
Without visibility, outdated certificates
can remain active on systems long since
retired."
This highlights the importance of understanding
where cryptographic assets
are deployed, so they can be updated
or retired in line with changing
requirements, he points out. "Two key
developments make this even more
urgent: the shortening of TLS certificate
lifespans to 47 days and the longer-term
need to support post-quantum cryptography
(PQC). An effective decommissioning
strategy must go beyond simply
wiping drives."
Hall says the strategy should include the following:
Auditing all devices for stored data and credentials
Revoking certificates tied to retired systems
Secure erasure or destruction of all storage
Documenting the process for compliance and audits.
"When overlooked, these gaps can lead
to data breaches, unauthorised access and
non-compliance. Treated strategically,
decommissioning strengthens digital trust
and operational resilience."
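The certificate audit Hall calls for can be scripted against an inventory. The Go program below is an added example, not DigiCert's code or anything from the article: it builds a small constructed inventory of self-signed certificates and flags those that need action during decommissioning, namely names bound to a host being retired (revoke), validity windows longer than the 47-day lifespan the article cites, RSA keys below 2048 bits, and expired certificates still on the books. The hostnames, the thresholds and the MakeTestCert helper are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one action item raised against a certificate.
type Finding struct {
	Subject string
	Reason  string
}

// MaxLifetime is the 47-day certificate lifespan the article mentions,
// used here as the audit threshold (an assumption for this example).
const MaxLifetime = 47 * 24 * time.Hour

// AuditCertificates checks an inventory against the set of hosts being
// decommissioned. Findings are returned in inventory order.
func AuditCertificates(certs []*x509.Certificate, retiredHosts map[string]bool, now time.Time) []Finding {
	var findings []Finding
	for _, c := range certs {
		cn := c.Subject.CommonName
		for _, name := range append([]string{cn}, c.DNSNames...) {
			if retiredHosts[name] {
				findings = append(findings, Finding{cn, "bound to retired host " + name + ": revoke"})
				break
			}
		}
		if life := c.NotAfter.Sub(c.NotBefore); life > MaxLifetime {
			findings = append(findings, Finding{cn, fmt.Sprintf("validity of %.0f days exceeds %.0f-day limit",
				life.Hours()/24, MaxLifetime.Hours()/24)})
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
			findings = append(findings, Finding{cn, "RSA key shorter than 2048 bits"})
		}
		if now.After(c.NotAfter) {
			findings = append(findings, Finding{cn, "expired but still inventoried: remove from trust stores"})
		}
	}
	return findings
}

// MakeTestCert issues a self-signed ECDSA certificate for the constructed
// inventory below; nothing here comes from a real CA.
func MakeTestCert(host string, start time.Time, lifetime time.Duration) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    start,
		NotAfter:     start.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	now := time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC)
	inventory := []*x509.Certificate{
		MakeTestCert("web01.example.test", now.AddDate(0, 0, -10), 30*24*time.Hour),         // short-lived, live host
		MakeTestCert("db-legacy.example.test", now.AddDate(-2, 0, 0), 10*365*24*time.Hour), // decade-long, retired host
		MakeTestCert("old-vpn.example.test", now.AddDate(-1, 0, 0), 40*24*time.Hour),       // expired long ago
	}
	retired := map[string]bool{"db-legacy.example.test": true}
	for _, f := range AuditCertificates(inventory, retired, now) {
		fmt.Printf("%s: %s\n", f.Subject, f.Reason)
	}
}
```

On the constructed inventory the run raises three findings: two against the decade-long certificate on the retired database host and one against the expired VPN certificate, while the short-lived certificate on a live host passes. A real audit would parse PEM files from the fleet instead of calling MakeTestCert, but the checks themselves stay the same.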
ORDER OF PRIORITY
Decommissioning tends to be regarded
as an end process concerned with the
retirement of IT data, hardware and
software when, in fact, it should be a key
consideration when buying those assets
in the first place, argues Jon Fielding,
managing director, EMEA, at Apricorn.
"The NCSC states that it should be part
of the procurement process but doesn't
explain why. When it comes to physical
storage media, for instance, choosing a
device that is tamper resistant and has
identity-based authentication as demanded
under the FIPS Level 2 and 3 security
standards can significantly reduce risk. If
the company merges or changes hands,
for example, and those devices fall off the
radar, the data is at less risk of being
exploited or accessed by unauthorised
persons."
Steve Mellings, ADISA: some of the recommendations in new guidance on the secure disposal of storage media are questionable.
Richard Hall, DigiCert: one of the most overlooked risks is the persistence of sensitive data in unexpected places.
Rather than regarding decommissioning as an end process, says Fielding, storage media should be a trackable asset that is documented and inventoried from the get-go. When it needs to be swapped out, either in whole or in part, this needs to be planned. "A key consideration is not just where and how the data will be moved, but also how it will be safeguarded via backup. Things can and do go wrong during decommissioning; situations can change or vulnerabilities emerge, all of which can necessitate a rollback. So, making sure there are additional copies and that a tried and tested recovery plan is in place, is critical."
To safeguard against these issues, he
cites the '3-2-1 backup rule', which should
be observed. This is where at least three
copies of data are created, with two of
these stored on different media, one of
which should be offsite. "For example, one
copy of the data could be offline on an
encrypted removable hard drive that is
disconnected from the network."
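The 3-2-1 rule Fielding cites, and the offline-copy and restore-testing conditions from the ransomware guidance earlier in this issue, can be turned into a policy check over a backup inventory. The Go checker below is an added example (not code from Apricorn, BlueVoyant or the article). The inventory records, the field names and the 90-day restore-test threshold are constructed for the example.

```go
package main

import "fmt"

// BackupCopy is one entry in a backup inventory. The records used below are
// constructed for this example; the field names are assumptions, not a
// vendor schema.
type BackupCopy struct {
	Label               string
	Media               string // "disk", "tape", "object-storage", ...
	Offsite             bool   // held at a different site from production
	Offline             bool   // disconnected from the network when not in use
	Encrypted           bool
	LastRestoreTestDays int // days since a restore from this copy was exercised; -1 = never
}

// Verdict lists every way an inventory falls short of the policy.
type Verdict struct {
	Failures []string
}

func (v Verdict) Passes() bool { return len(v.Failures) == 0 }

// Check321 applies the 3-2-1 rule (three copies, two media types, one
// offsite) plus two conditions the article adds: at least one copy must be
// offline, and each copy must have had a restore exercised recently.
func Check321(copies []BackupCopy, maxRestoreTestAgeDays int) Verdict {
	var v Verdict
	if len(copies) < 3 {
		v.Failures = append(v.Failures, fmt.Sprintf("only %d copies; the rule requires 3", len(copies)))
	}
	media := map[string]bool{}
	offsite, offline := 0, 0
	for _, c := range copies {
		media[c.Media] = true
		if c.Offsite {
			offsite++
		}
		if c.Offline {
			offline++
		}
		if !c.Encrypted {
			v.Failures = append(v.Failures, c.Label+": copy is not encrypted")
		}
		if c.LastRestoreTestDays < 0 || c.LastRestoreTestDays > maxRestoreTestAgeDays {
			v.Failures = append(v.Failures, c.Label+": restore never tested or test older than policy allows")
		}
	}
	if len(media) < 2 {
		v.Failures = append(v.Failures, "all copies are on the same media type; the rule requires 2")
	}
	if offsite == 0 {
		v.Failures = append(v.Failures, "no offsite copy")
	}
	if offline == 0 {
		v.Failures = append(v.Failures, "no offline copy: every copy is reachable by ransomware that reaches the network")
	}
	return v
}

// SampleInventory is a constructed inventory that satisfies the policy with
// a 90-day restore-test window: a local snapshot, a cloud replica and an
// encrypted removable drive kept offline and offsite.
func SampleInventory() []BackupCopy {
	return []BackupCopy{
		{Label: "primary-snapshot", Media: "disk", Encrypted: true, LastRestoreTestDays: 20},
		{Label: "cloud-replica", Media: "object-storage", Offsite: true, Encrypted: true, LastRestoreTestDays: 20},
		{Label: "removable-drive", Media: "disk", Offsite: true, Offline: true, Encrypted: true, LastRestoreTestDays: 45},
	}
}

func main() {
	fmt.Println("full inventory compliant:", Check321(SampleInventory(), 90).Passes())
	// Drop the offline removable drive: two copies remain and nothing is
	// offline, so the check reports both gaps.
	for _, f := range Check321(SampleInventory()[:2], 90).Failures {
		fmt.Println("FAIL:", f)
	}
}
```

The offline condition is the one most often lost in practice: a cloud replica that the production credentials can reach is still a single blast radius, which is why the article's example of a disconnected encrypted removable drive counts separately from "offsite".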
Finally, there's the issue of sanitisation
which should also be a consideration at
the procurement stage, particularly as this
can be a cost issue. "Encrypted devices, such
as those that use AES 256-bit encryption,
are far more economic to retire as well
as being more secure," he points out.
"This is because it's possible to delete the
encryption keys, thereby rendering the
data unreadable. In contrast, wiping
devices that don't use encryption is a
lengthy process involving overwriting
memory, checking the device metadata,
depowering the device and then checking
the user-accessible memory for any traces
of data. This still follows, even if the
device is being destroyed, as the data
would still need to be removed prior to
destruction."
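To make the contrast between crypto-erase and overwrite concrete, the following Go program (an added example, not code from Apricorn or the article) models both paths on in-memory stand-ins for a drive: an unencrypted image that is overwritten with a pattern and then read back in full for verification, and an AES-256-GCM encrypted image whose key is zeroised and discarded. The SimDisk and EncryptedDisk types and the sample record are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SimDisk stands in for an unencrypted storage device: a byte slice holding
// the stored image (constructed sample data, not a real drive).
type SimDisk struct {
	Blocks []byte
}

// OverwriteAndVerify models the sanitisation path for an unencrypted device:
// overwrite every block with a fixed pattern, then read the whole device back
// and count bytes that still differ from the pattern. Zero means verified.
func OverwriteAndVerify(d *SimDisk, pattern byte) int {
	for i := range d.Blocks {
		d.Blocks[i] = pattern
	}
	leftover := 0
	for _, b := range d.Blocks {
		if b != pattern {
			leftover++
		}
	}
	return leftover
}

// EncryptedDisk models a self-encrypting device: the media only ever holds
// AES-256-GCM ciphertext, and the key lives in separate key storage.
type EncryptedDisk struct {
	key   []byte // nil once the key has been destroyed
	nonce []byte
	image []byte // ciphertext as stored on the media
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewEncryptedDisk generates a fresh 256-bit key and stores plaintext as
// ciphertext, the way a self-encrypting drive does from first use.
func NewEncryptedDisk(plaintext []byte) (*EncryptedDisk, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &EncryptedDisk{key: key, nonce: nonce, image: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Read decrypts the stored image; it fails once the key has been destroyed.
func (d *EncryptedDisk) Read() ([]byte, error) {
	if d.key == nil {
		return nil, errors.New("key destroyed: image is unreadable ciphertext")
	}
	gcm, err := newGCM(d.key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, d.nonce, d.image, nil)
}

// CryptoErase is the entire sanitisation step for an encrypted device:
// zeroise and discard the key. The ciphertext may stay on the media.
func (d *EncryptedDisk) CryptoErase() {
	for i := range d.key {
		d.key[i] = 0
	}
	d.key = nil
}

// ImageContains is the post-erasure check: does the plaintext still appear
// anywhere in what is physically stored on the media?
func (d *EncryptedDisk) ImageContains(plain []byte) bool {
	return bytes.Contains(d.image, plain)
}

func main() {
	secret := []byte("patient-record-0001: constructed sample data")

	plain := &SimDisk{Blocks: append([]byte(nil), secret...)}
	fmt.Println("bytes left after overwrite:", OverwriteAndVerify(plain, 0x00))

	enc, err := NewEncryptedDisk(secret)
	if err != nil {
		panic(err)
	}
	enc.CryptoErase()
	_, err = enc.Read()
	fmt.Println("read after crypto-erase:", err)
	fmt.Println("plaintext visible on media:", enc.ImageContains(secret))
}
```

The overwrite path touches and re-reads every block, which is why it scales with device capacity; the crypto-erase path touches only the key, which is why Fielding describes it as cheaper. The residual risk it carries is the one the guidance hints at with "data may remain on the device": the ciphertext does remain, so the key must genuinely be unrecoverable and the cipher must stay strong for as long as the media exists.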
VECTOR FOR SECURITY THREATS
According to the Eclipse Foundation,
open-source software is fundamental to
global digital infrastructure and how we
manage the lifecycle of these projects,
particularly their end-of-life (EOL) phase,
carries significant implications. "When an
open-source project is deprecated or
abandoned without a clear EOL strategy,
it can become a vector for serious security
threats. Chief among these is the risk of
exploitation by unauthorised actors, including
package takeover, Git repository
hijacking and even DNS compromise.
Such vulnerabilities have led to real-world
incidents, where attackers republish
malicious versions of libraries that
unsuspecting developers and systems
integrate without scrutiny."
The risk intensifies when maintainers
walk away without formally archiving
repositories, revoking access credentials,
or updating metadata in package
registries, adds the foundation. "In such
a vacuum, attackers can impersonate
former maintainers or exploit forgotten
infrastructure to inject malicious code
into the supply chain. Beyond security,
organisations that originally developed
or were publicly associated with these
projects may suffer reputational damage,
if their abandoned code is compromised,
even if they're no longer directly involved."
At the Eclipse Foundation, all projects
are said to operate within a governance
model that enforces identity verification,
controlled access to repositories, well-documented
metadata and strict release
protocols. "When a project approaches
EOL, maintainers are guided through
a formal termination review process.
This includes communication to the
community, archiving of resources and
decommissioning of infrastructure under
the foundation's management, drastically
reducing opportunities for hijacking or
impersonation.
"Moreover, Eclipse Foundation's neutral IP
and legal framework keeps project assets
separate from individual or corporate
identities. This protects users and contributors,
ensuring that even dormant projects
remain secure under institutional control."
quantum
QUANTUM QUAKES
THE INCREDIBLE PROCESSING POWER AND SPEED OF QUANTUM COMPUTERS SIGNIFICANTLY
THREATEN TRADITIONAL ENCRYPTION METHODS. HOW DO WE GUARD AGAINST THIS?
The 'quantum threat' may not be widely
understood as yet, but it has caused
tremors across many business communities
as they grapple with what might be in
store in a post-quantum world. And what
time scale are we looking at before we reach
that point - or is it just notional and some
way down the road still?
Quantum technologies are no longer simply
theoretical, points out Samantha Mabey,
director, Digital Security Solutions at Entrust -
they're fast becoming a reality. "Specifically,
quantum computing poses a particularly
urgent challenge for cybersecurity. Unlike past
technological disruptions, we have no clear
timeline for the arrival of scaled quantum
computing. When it does arrive, and if we're
not ready, it could instantly render today's
encryption obsolete, exposing sensitive data
worldwide. Even the much-feared Y2K had
a fixed deadline. 'Y2Q', by contrast, will arrive
without warning, and it will change everything."
The good news, she adds, is that we can
prepare for the future threat of quantum
tech today, through post-quantum cryptography.
"In fact, 2025 is shaping up to be
a landmark year, as organisations and
legislative bodies alike begin laying down the
foundations for quantum-safe infrastructure
and regulators start pushing for standards
that anticipate the quantum future.
"Importantly, preparing for quantum
computing is not just about future-proofing;
it's about addressing current threats, like
'harvest now, decrypt later'. This is where bad
actors steal encrypted data now, with the aim
of unlocking it once quantum computers are
viable. In some cases, breaches may have
already occurred and organisations simply
don't know it yet. Adopting quantum-safe
standards today and ensuring that your
organisation has visibility into its
cryptographic data landscape is the best
defence we have against that future."
'UNBREAKABLE' ENCRYPTION
Palo Alto Networks points to how quantum
security uses the principles of quantum
mechanics to improve the safety of
information systems and communication
networks. "It leverages unique qualities like
superposition, entanglement and uncertainty
in quantum mechanics to develop strong
security measures that can withstand
traditional and quantum attacks. With
advancements in quantum computing,
many existing cryptographic systems, such as
RSA and ECC, are at risk of being broken."
Quantum security, says the multi-national cybersecurity company, addresses this challenge by:
Protecting sensitive data from future quantum-enabled attacks
Securing communications in quantum-safe ways
Preparing organisations for the quantum era, ensuring long-term confidentiality and integrity.
"Quantum security leverages quantum
phenomena like superposition and
entanglement to create unbreakable
encryption methods. Unlike classical
cryptography, which relies on complex
algorithms, quantum security uses
fundamental aspects of quantum physics,
potentially creating communication channels
that are immune to eavesdropping.
"For instance, quantum key distribution
(QKD) allows secure communication by
sharing encryption keys, where any attempt
to intercept them disturbs the quantum
states, alerting the parties involved. This
innovative approach is set to revolutionise
data protection and facilitate secure interactions,
as the world increasingly adopts
quantum computing technologies."
Traditional cryptographic systems rely on the
difficulty of solving specific math problems,
like factoring large numbers, to keep data
safe, explains the company. "Quantum
mechanics studies how tiny particles behave
on a microscopic level and uses these tiny
particles and waves to perform calculations
faster than traditional computing. Quantum
security systems enable users to know immediately
if their data has been compromised,
thanks to the laws of quantum superposition
and entanglement. These systems
use the rules of quantum mechanics to
achieve much faster processing speeds than
today's best supercomputers."
CLASSICAL VS QUANTUM COMPUTERS
Classical computers operate on binary logic.
"Every system, irrespective of its processing
strength, utilises bits (binary digits represented
by 1s and 0s) as the fundamental information
units. These bits, embodying a dichotomy
of 'true/false' or 'on/off', are the
building blocks for all data in classical
computing."
Quantum computers transcend binary
limitations, continues Palo Alto Networks.
They leverage 'qubits', which embody both
true and false states. "This quantum advantage
allows for processing information at
a pace unattainable for even the most
potent classical systems. Classical machines
require two bits for the exact computation
quantum systems can perform with a single
qubit."
The incredible processing power and speed
of quantum computers significantly threaten
traditional encryption methods. "Quantum
computing's sheer force can compromise
public key infrastructure (PKI) and uncover
significant weaknesses in current security
systems. Quantum computing poses a
threat to cybersecurity through its potential
to break the cryptographic algorithms
that currently protect sensitive data,
communications and digital transactions."
Traditional encryption methods rely on
the computational difficulty of specific
mathematical problems. "For example,
RSA encryption, a widely used form of
public-key cryptography, depends on the
challenge of factoring large prime numbers.
Quantum computers could solve these
problems much more quickly, with their
advanced capabilities, than classical
computers."
QUANTUM MECHANICS BASICS
At the heart of quantum security lies
the foundation of quantum mechanics,
a branch of physics that explores the
peculiar behaviours of energy and
particles at the microscopic scale.
"Quantum mechanics presents ideas that
challenge classical physics. These include
superposition, where particles can exist
in multiple states simultaneously, and
entanglement, in which particles are
so interconnected that the state of one
affects the other instantly, regardless of
the distance between them."
These principles, comments Palo Alto
Networks, are crucial, as they enable
quantum systems to achieve exceptional
levels of security. "For example, measuring
a quantum system inevitably disturbs it,
making any eavesdropping noticeable -
this is vital for quantum key distribution
(QKD). Grasping these fundamental concepts
of quantum mechanics is important,
because they underpin innovative
security protocols that aim to address
new cybersecurity challenges in our
increasingly digital environment."
QUANTUM KEY DISTRIBUTION (QKD)
Quantum Key Distribution relies on
quantum mechanics for what the
company claims is exceptional security.
"Unlike traditional cryptographic methods
that use complex mathematical algorithms,
QKD utilises the unique properties
of quantum particles, like photons, to
exchange cryptographic keys securely.
Keys are encoded in quantum states,
which are highly sensitive to external
observations.
If an eavesdropper tries to intercept
the transmission, the quantum state
is disturbed, instantly notifying the
communicating parties of a security
breach. Thus, QKD detects unauthorised
access and prevents successful key acquisition,
making it resistant to threats from quantum computing."
Samantha Mabey, Entrust: scaled quantum computing could instantly render today's encryption obsolete.
"To prepare for this future, organisations should adopt defence-in-depth
strategies, considering data protection
in transit and at rest, and to be agile in the
face of emerging threats," says James Dargan,
a writer and researcher at The Quantum
Insider. "This includes network segmentation,
leveraging 5G private networks, Zero Trust
architectures and re-encrypting old files with
new technologies. The approach aims to
provide comprehensive coverage against
various attacks, preparing for the quantum
computing era while handling current
cybersecurity challenges."
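The eavesdropper-detection property that both QKD passages above describe can be seen in a simulation. This Go program is an added example (not from Palo Alto Networks or The Quantum Insider) that runs the BB84 protocol with classical random choices standing in for photon preparation and measurement; the one quantum rule it models is that measuring in the wrong basis gives a random result. With a clean channel the sifted key has no errors, while an intercept-and-resend eavesdropper, who guesses the wrong basis half the time, introduces roughly 25% errors into the sifted key, which is what the legitimate parties detect by comparing a sample of it. The 11% abort threshold is the commonly used BB84 bound and is an assumption for this example.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Result summarises one simulated BB84 run.
type Result struct {
	SiftedBits int     // rounds where sender and receiver used the same basis
	Errors     int     // sifted bits where the receiver's value differs from the sender's
	ErrorRate  float64 // Errors / SiftedBits, the quantum bit error rate (QBER)
}

// AbortThreshold is the QBER above which the parties discard the key; 11% is
// the commonly used BB84 bound and is an assumption for this example.
const AbortThreshold = 0.11

// RunBB84 simulates n photons sent from the sender to the receiver, each
// encoded as a bit in a randomly chosen basis (0 = rectilinear, 1 =
// diagonal). With eavesdrop set, an intercept-and-resend attacker measures
// each photon in a guessed basis and re-emits it in that basis, which is
// what leaves a detectable error footprint. The seed makes runs repeatable.
func RunBB84(n int, eavesdrop bool, seed int64) Result {
	rng := rand.New(rand.NewSource(seed))
	// measure returns the encoded bit when the bases agree and a random bit
	// otherwise: the quantum rule the whole protocol rests on.
	measure := func(bit, basis, measuringBasis int) int {
		if basis == measuringBasis {
			return bit
		}
		return rng.Intn(2)
	}
	var r Result
	for i := 0; i < n; i++ {
		bit, basis := rng.Intn(2), rng.Intn(2) // sender's random bit and basis
		photonBit, photonBasis := bit, basis
		if eavesdrop {
			eveBasis := rng.Intn(2)
			photonBit = measure(photonBit, photonBasis, eveBasis)
			photonBasis = eveBasis // the re-sent photon is prepared in Eve's basis
		}
		recvBasis := rng.Intn(2)
		recvBit := measure(photonBit, photonBasis, recvBasis)
		// Sifting: bases are compared over the public channel and only the
		// matching rounds are kept. Bit values are never disclosed.
		if recvBasis == basis {
			r.SiftedBits++
			if recvBit != bit {
				r.Errors++
			}
		}
	}
	if r.SiftedBits > 0 {
		r.ErrorRate = float64(r.Errors) / float64(r.SiftedBits)
	}
	return r
}

// EavesdropperDetected is the check the parties run on a sacrificed sample
// of the sifted key before trusting the rest of it.
func EavesdropperDetected(r Result) bool {
	return r.ErrorRate > AbortThreshold
}

func main() {
	for _, tapped := range []bool{false, true} {
		r := RunBB84(4000, tapped, 42)
		fmt.Printf("eavesdropper=%-5v sifted=%d errors=%d QBER=%.3f abort=%v\n",
			tapped, r.SiftedBits, r.Errors, r.ErrorRate, EavesdropperDetected(r))
	}
}
```

About half the photons survive sifting, and with the tap in place about a quarter of those disagree, because Eve's wrong-basis guesses (half of them) randomise the receiver's result (half of those). Real links also see errors from channel noise, which is why the threshold is a band rather than zero and why the simulation keeps the QBER as a rate rather than a flag.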
As the quantum computing landscape
evolves, staying informed on the latest
developments and their implications for
cybersecurity is crucial, he adds. "By understanding
the advancements in quantum
computing, organisations can better prepare
for potential threats and implement robust
security measures. Focusing on agility and
a proactive stance in cybersecurity strategies
will ensure resilience against both current
and future challenges."
health
HEALTH ISSUES
THE NHS IS A HUGE AND VULNERABLE TARGET FOR CYBER AND RANSOMWARE ATTACKS.
WILL THE RECENT EXTRA CASH INJECTION BE ENOUGH TO KEEP IT SAFE?
Spencer Starkey, SonicWall: the
ramifications of an attack on the
healthcare sector can be disastrous.
The NHS has received a record cash
investment in the latest UK Spending
Review, with a 10% technology budget
increase. Indeed, the Government has
prioritised the NHS in the UK review, in
recognition of the fact that the NHS has
become one of the most vulnerable critical
infrastructures.
The healthcare sector, dealing with sensitive
personal information and running largely on
legacy systems, is uniquely attractive and
vulnerable to cyber-attackers. And the wave
of attacks it has suffered has clearly created
a deep malaise. Reports reveal that only 36%
of NHS staff believe cyber security measures
are sufficient.
The independent BT online survey of 76 NHS
staff at 59 NHS organisations and integrated
care systems, carried out in September last
year, explored sentiment around digital
healthcare in the UK. It found that only
42% of NHS staff surveyed trust that existing
systems are robust enough to safeguard
sensitive patient data and 64% report that
patient data is isolated and inoperable due
to outdated systems.
Despite a rise in training on new technologies
from 5% in BT's 2022 survey to 15%
in the 2024 survey, training on both new and
existing systems has fallen from 47% to 39%,
with 60% of frontline staff surveyed calling
for more cyber security training.
PRIME TARGET
SonicWall data reflects this, confirms the
company, showing healthcare remains a
prime target with hospitals and healthcare
systems taking 60-150 days to patch vulnerabilities,
while hackers exploit them in just
two days, creating a critical security gap.
Spencer Starkey, executive VP EMEA at
cybersecurity company SonicWall, homes
in on how threat actors target the most
important sectors of our society: "Despite
Rachel Reeves' NHS budget increase, the
healthcare sector remains a prime target
for ransomware attacks, as healthcare
organisations often have critical data that
they cannot afford to lose. If they haven't
already, healthcare organisations need
to have a plan in place to respond to
ransomware attacks and to minimise the
impact of these attacks.
EXPOSED DATA
"The healthcare sector continues to be a
prime target for malicious actors as evidenced
by the recent attacks on the NHS. Not only
do these attacks risk the potential for exposed
patient data, but any significant IT issue that
halts patient care poses an immediate threat
to life," states Starkey. "The ramifications of
an attack on the healthcare sector can be
disastrous, and it's important to place the
utmost amount of time, money and efforts
on securing them."
In recognition of the growing threats, the
NHS has ramped up its cybersecurity efforts.
A notable development is the announcement
of a £4.2 million investment by NHS England,
aimed at enhancing cybersecurity across the
health service. Key initiatives include the NHS
Secure Boundary project, a centrally managed
security service designed to protect NHS
networks from internet-borne threats.
retail
RETAIL AND RETALIATION
THE RECENT WAVE OF ATTACKS ON RETAIL COMPANIES HAS SHOWN THAT NO ORGANISATION,
WHATEVER THEIR STATUS MIGHT BE, IS SAFE FROM THOSE WHO TARGET THEIR OPERATIONS
The recent and many attacks on major
retail companies - such as M&S, Harrods,
the Co-op, Adidas and Victoria's Secret -
have all served to demonstrate how vulnerable
the sector is. The Co-op faced significant
disruptions, including empty shelves and
compromised member data, while Harrods
had to restrict internet access to prevent
further intrusion.
These incidents highlight how even the
most well-known and well-resourced retailers
remain prime targets for cyber-attacks. The
varied responses by M&S, Co-op, Adidas and
Harrods also show the importance of early
detection, containment protocols and clear
communication in managing a breach.
On July 10, 2025, the UK's National Crime
Agency (NCA) announced the arrest of four
individuals in connection with the cyberattacks
that disrupted operations at Marks & Spencer
(M&S), Co-op, and Harrods earlier this year.
The suspects, a 20-year-old woman from
Staffordshire, two 19-year-old men (one
British, one Latvian) from London and the
West Midlands, and a 17-year-old British male,
were detained at their residences. Authorities
seized electronic devices for forensic analysis.
These arrests are linked to the hacker group
known as Scattered Spider, notorious for
employing sophisticated social engineering
tactics, SIM swapping and phishing techniques
to infiltrate organisations. In the case
of M&S, the attackers deployed ransomware,
leading to a six-week shutdown of online
clothing sales and an estimated £300 million
loss in operating profit.
DECISIVE ACTION
"In response to the series of recent cyber
incidents, retail businesses must act decisively,"
insists Robert Cottrill, technology director at
ANS. "Working with a cyber response team is
essential to assess the breach's full impact,
plug any vulnerabilities and restore systems
quickly. Clear, consistent communication with
customers and stakeholders will be vital to
rebuild trust."
Describing the incidents as a wake-up call
for all businesses, Cottrill says cyber security
must be a board-level priority. "Robust incident
response plans, proactive security reviews and
close collaboration with experts are critical.
In the fast-moving retail environment,
safeguarding customer data isn't just good
practice - it's fundamental to brand survival."
What has become clear is that no one and
no organisation is safe from such attacks,
whatever their status. The International
Criminal Court, for instance, was recently
targeted by a "sophisticated" cyberattack and
is taking measures to limit any damage, the
global tribunal has announced. The ICC, which
also was hit by a cyberattack in 2023, said
the latest incident had been contained, but
did not elaborate further on the impact or
possible motive.
Points out The Independent newspaper:
"The ICC has a number of high-profile
investigations and preliminary inquiries
underway in nations around the world and
has in the past been the target of espionage.
In 2022, a Dutch intelligence agency said it
had foiled a plot by a Russian spy using a false
Brazilian identity to work as an intern at the
court, which is investigating allegations of
Russian war crimes in Ukraine and has issued
a war crimes arrest warrant for President
Vladimir Putin, accusing him of personal
responsibility for the abductions of children
from Ukraine."
Robert Cottrill, ANS: working with
a cyber response team is essential to
assess the breach's full impact.
compliance
SEVEN-YEAR ITCH
COMPLIANCE IS NO LONGER JUST A LEGAL REQUIREMENT - IT'S A STRATEGIC DIFFERENTIATOR, ARGUES ONE
INDUSTRY VOICE. HOW WELL WILL GDPR COPE WITH THE GROWING PLETHORA OF NEW CHALLENGES IT FACES?
It's been more than seven years now since
the General Data Protection Regulation
(GDPR) came into force: on 25 May 2018.
To date, around 167 countries have introduced
their own data protection laws. Others
have legislation in the pipeline. Many of these
frameworks echo the GDPR's core principles
(transparency, accountability and subject data
rights), cementing its reputation as the global
benchmark for privacy.
But seven years on, it is clear we are entering
a new chapter of data protection. With the
rapid acceleration of AI technologies and the
increasing use of big data to train models
and automate decisions, can the GDPR keep
pace? What have we learned since the GDPR's
inception?
"Seven years since GDPR reshaped the data
landscape, the regulation remains a defining
force in how businesses handle personal data,
manage risk and build customer trust," says
Sean Tilley, senior director sales of EMEA at
11:11 Systems. "While the legislation may
no longer be new, its demands continue to
evolve - as do the expectations of regulators,
customers and stakeholders. Today, compliance
is no longer just a legal requirement:
it's a strategic differentiator."
"According to the UK Information
Commissioner's Office (ICO), 'Data protection
by design and by default' remains a core
principle of GDPR, reinforcing the need to
embed compliance into systems from the
outset. At 11:11 Systems in the UK, we've
seen first-hand how organisations that treat
privacy and resilience as foundational
principles are better equipped to stay agile
and secure in a changing landscape."
The conversation has matured beyond tick-box
compliance. Modern businesses are
asking: how do we ensure our systems adapt,
scale, and remain secure, while supporting
innovation? Research from Gartner shows
that, by 2026, more than 70% of organisations
will treat privacy as a competitive
advantage, not just a compliance task. "Cloud
platforms with built-in security, automated
compliance reporting and resilience at their
core are now essential," adds Tilley. "11:11
Systems' integrated cloud, connectivity, and
security services help organisations respond
to evolving standards without compromising
agility or creativity.
"Operational resilience is also under increasing
scrutiny. The UK's Financial Conduct
Authority and Prudential Regulation Authority
have issued guidance underscoring the
importance of 'impact tolerances' and robust
continuity planning. In today's environment
of escalating threats, disaster recovery, zero-trust
frameworks and data sovereignty are
non-negotiable."
Seven years on, GDPR has proven to be
more than a legal framework, he adds. "It's
a catalyst for resilient, secure and customer-centric
operations. Now is the time to go
further - embedding compliance deeply into
the infrastructure of innovation."
NEVER-ENDING JOURNEY
Is the seven-year itch up to scratch? "In many
ways, GDPR has catalysed stronger governance,
clearer accountability and more resilient
systems, but the journey is far from over,"
responds Samantha Swift, senior director of
product strategy and marketing at Vaultree.
"Security vendors tend to forget that most
of what GDPR is about is protecting
personal data, not just securing it from
cyber criminals. Possibly the hardest pill to
swallow is that GDPR is, and has always
been, a legal text and it doesn't stipulate
a laundry list of products to go buy. In
reality, complete compliance is an illusion;
organisations are either non-compliant or
they simply haven't been caught."
Everyone still wants to talk about the big,
scary fines, she adds, but, beyond the
headlines, how much real benefit are
consumers seeing? "For most of us, the
internet is just as irritating as ever. Websites
bombard us with pop-ups and consent
banners - walls of legal jargon that no one
reads, but everyone clicks 'agree' on, just to
get them out of the way. The spirit of the
regulation was to empower users, but, in
practice, has it simply created more friction
without delivering meaningful control?"
Our data is still often misused, stolen,
held to ransom and left waving about in the
breeze, she points out. "The tech giants -
TikTok, Meta, Google and the rest - can
easily absorb the fines, although breaches
of GDPR ought to erode our trust in these
organisations; in most cases, we continue to
rely on their services, regardless. Meanwhile,
[possibly] everyone's favourite two-letter
acronym, AI, is popping up on every corner and
has the promise to revolutionise our lives.
"According to one group of researchers,
large language models are fast running out
of public human-generated data used for
training models, as soon as next year. Which
leaves us as the potential beneficiaries of
machine learning-based AI, AND the organisations
driving innovation in this space,
with a very real challenge: how do LLMs
continue to genuinely improve, without
causing a privacy (and ultimately a
compliance) disaster?
"Fortunately, breakthroughs in the
encryption space bring hope to the table:
technologies such as next-generation Fully
Homomorphic Encryption, which allows
data-in-use to remain encrypted whilst
models are trained, data is queried and
privacy-preserving data science collaboration
is achievable… without putting consumers'
personal information at risk in the way that
plain-text data or purely encryption in transit
and at rest does and without identifying the
individuals along the way."
GOLD STANDARD
"The 8th anniversary of the GDPR may fly
under the radar for many, but the birthday of
this gold-standard data protection regulation
is something worth noting," says Tiernan
Connolly, managing director in the cyber &
data resilience team at Kroll. "Most, if not all,
businesses will now have a GDPR framework
integrated into their data governance
practices, with the regulation becoming an
international standard for other nations to
follow. Although GDPR might be considered
'old news' in 2025, the ECB has committed to
renewing its focus on areas where 'persistent
sluggishness' is seen with compliance to existing
regulations [eg, BCBS239 - itself now a
10-year-old piece of regulation] in the
financial industry.
"This shows that older requirements will
not be forgotten or fly under the radar of
regulators. Hence, while compliance teams
may now be more concerned with adherence
to newer regulations, such as NIS2 [Network
and Information Security Directive], Digital
Operations Resilience Act [DORA] and the EU
AI Act, and how they apply to internal data
governance, protection and management,
the GDPR's landmark 4% fines loom in the
background for any business that forgets
the grandfather of data privacy regulation."
GREATER AGILITY
The compliance landscape is no longer static,
comments Sam Peters, chief product officer,
ISMS.online. "Standards like NIS 2, DORA
and the EU AI Act have recently joined
GDPR as regulations that companies need to
comply with. Additionally, the approach the
government is taking with the UK's Cyber
Security and Resilience Bill, which is due to
come into effect later this year, is to be more
agile when it comes to regulations - particularly
as new technologies, such as AI, and
threats emerge. As the government says,
'It is important for national security that our
regulatory framework is not stagnant'."
Despite this continually evolving landscape
and the introduction of new regulations,
compliance should not be seen as a blocker
to innovation, he adds. Compliance is a
catalyst when embedded early. "Take GDPR,
for example. It began as something companies
initially saw as yet more regulatory
compliance. But now it is shaping business
models and influencing everything from
product design to customer engagement.
For me, this highlights that we can encourage
better business practices, whilst also driving
profitability and innovation. Embedding
compliance in development cycles helps build
resilience from the ground up, and reduces
the cost and complexity of retrofitting
controls later."
But what types of systems should organisations
adopt that will enable them to
embed compliance in development cycles
and not stall innovation? "Adaptive, scalable
compliance systems allow both the compliance
team and the product team to work
in harmony from day one. Systems like
ISMS.online's are built for adaptability and
scale. Supporting over 100 frameworks, our
systems enable organisations to pivot quickly
as new regulations emerge, without having
to reinvent the wheel," adds Peters.
"These pre-mapped frameworks and
reusable content enable businesses to build
once and apply the same solution multiple
times, achieving compliance faster while
reducing friction for development teams.
Similarly, these types of systems can help to
future-proof the business, supporting expansion
into new markets and industries, without
requiring the overhaul of security and privacy
practices each time.
"A good example we've seen is developers
integrating consent management, data
minimisation and automated logging of
processing activities into their platforms at
the build stage. This essentially means they're
making privacy part of the user experience,
not just seeing it as something another team
should handle in the back office."
Sam Swift, Vaultree: organisations'
data is still often misused, stolen, held
to ransom and left waving about in
the breeze.
Sam Peters, ISMS.online: GDPR is
now shaping business models and
influencing everything from product
design to customer engagement.
Sean Tilley, 11:11 Systems: GDPR remains
a defining force in how many businesses
handle personal data, manage risk and
build customer trust.
Tiernan Connolly, Kroll: most businesses
will now have a GDPR framework
integrated into their data governance
practices.
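The build-stage pattern Peters describes above (consent management, data minimisation and automated logging of processing activities) can be shown in code. The Python below is an added example, not ISMS.online's or the page's own code: the purpose catalogue, its lawful bases and field allowlists, the customer record and the processor names are all hypothetical values constructed for the example. Every access to personal data goes through one gateway call that checks the lawful basis (and consent where that is the basis), strips every field the purpose does not need, and appends an entry to a record of processing activities.

```python
"""Privacy by design at the build stage: purpose-bound consent checks, field
minimisation and an automatic record of processing activities.
Added example; the purpose catalogue and data below are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical purpose catalogue: the fields each purpose may touch and the
# lawful basis relied on. Only consent-based purposes need a consent check.
PURPOSES = {
    "order-fulfilment": {"fields": {"name", "address", "email"}, "basis": "contract"},
    "marketing-email": {"fields": {"email", "first_name"}, "basis": "consent"},
    "fraud-analytics": {"fields": {"order_total", "country"}, "basis": "legitimate-interest"},
}


class UnknownPurpose(Exception):
    """Processing was requested for a purpose not in the catalogue."""


class ConsentRequired(Exception):
    """A consent-based purpose was requested without a valid consent."""


@dataclass(frozen=True)
class ProcessingRecord:
    """One entry in the record of processing activities (an Article 30-style log)."""
    subject_id: str
    purpose: str
    basis: str
    fields: tuple
    processor: str
    at: str


class PrivacyGateway:
    """Every access to personal data goes through process(), which enforces
    purpose limitation, minimises the fields returned and logs the activity."""

    def __init__(self, purposes=PURPOSES):
        self.purposes = purposes
        self.consents = {}   # subject_id -> set of purposes consented to
        self.records = []    # append-only processing log

    def grant_consent(self, subject_id, purpose):
        self.consents.setdefault(subject_id, set()).add(purpose)

    def withdraw_consent(self, subject_id, purpose):
        self.consents.get(subject_id, set()).discard(purpose)

    def process(self, subject_id, purpose, data, processor):
        """Return only the fields `purpose` allows, after checking its lawful basis."""
        spec = self.purposes.get(purpose)
        if spec is None:
            raise UnknownPurpose(purpose)
        if spec["basis"] == "consent" and purpose not in self.consents.get(subject_id, set()):
            raise ConsentRequired(f"{subject_id} has not consented to {purpose}")
        minimised = {k: v for k, v in data.items() if k in spec["fields"]}
        self.records.append(ProcessingRecord(
            subject_id=subject_id, purpose=purpose, basis=spec["basis"],
            fields=tuple(sorted(minimised)), processor=processor,
            at=datetime.now(timezone.utc).isoformat()))
        return minimised

    def report(self):
        """Summarise the log per purpose: how many operations and which fields."""
        summary = {}
        for rec in self.records:
            entry = summary.setdefault(rec.purpose, {"count": 0, "fields": set()})
            entry["count"] += 1
            entry["fields"].update(rec.fields)
        return summary


# Constructed customer record used by the demo below (not real data).
CUSTOMER = {"name": "A. Example", "first_name": "A.", "address": "1 Sample St",
            "email": "a.example@example.com", "date_of_birth": "1990-01-01",
            "order_total": 42.0, "country": "GB"}


def demo():
    """Walk one record through two purposes; returns the gateway for inspection."""
    gw = PrivacyGateway()
    shipped = gw.process("cust-1", "order-fulfilment", CUSTOMER, "shipping-service")
    try:
        gw.process("cust-1", "marketing-email", CUSTOMER, "newsletter-job")
        marketing_blocked = False
    except ConsentRequired:
        marketing_blocked = True
    gw.grant_consent("cust-1", "marketing-email")
    mailed = gw.process("cust-1", "marketing-email", CUSTOMER, "newsletter-job")
    return gw, shipped, marketing_blocked, mailed
```

The shipping call never sees the date of birth and the newsletter job never sees the postal address, because minimisation is decided by the purpose rather than by whichever team wrote the caller; withdrawing consent makes the next marketing call fail at the gateway, and `report()` gives the compliance team its processing inventory without a separate manual exercise.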
CATALYST FOR CHANGE
"Once viewed as a compliance checklist, the
GDPR has been a catalyst for cultural and
strategic change," says the Data Protection
Officer (DPO) Centre. "Public awareness
around privacy has grown significantly, and
organisations now recognise data protection
as central to trust, brand value, and long-term
resilience. It has also set a global benchmark,
prompting countries worldwide to
rethink the scope and ambition of their own
data laws."
The big question is, of course, can the GDPR
keep pace with AI technologies and big data?
"AI systems are evolving fast and often rely
on vast datasets that challenge the GDPR's
principles around transparency, purpose
limitation and data minimisation," says the
DPO. "As models become more complex,
so do challenges for organisations operating
in the EU that need to comply with additional
regulations."
David Smith, DPO and AI sector lead,
emphasises how AI systems that process EU
personal data are still subject to the GDPR
and must also meet the requirements of the
AI Act. "There's significant overlap between
the two and strong data protection practices
often support AI compliance," he says. "It's
not a choice between complying with one
or the other - both are essential."
GDPR AND THE FUTURE
The GDPR was designed as a principles-based
framework, intended to be flexible
and adaptable across different technologies
and use cases. But, despite this, many
privacy professionals believe it needs clearer,
more consistent guidance to remain effective,
especially as new technologies emerge
and complexity grows in highly regulated
sectors.
Lawrence Carter, DPO and life sciences
sector lead, says the main issue to date is
that the GDPR hasn't supported a model
for issuing secondary legislation to codify
complex issues. "Life Sciences organisations,
in particular, face ongoing challenges in
certain areas, including selecting the correct
lawful basis for clinical trials, pseudonymisation
and international data transfers.
Guidance from the EDPB and rulings from
the CJEU are, at times, inconsistent, contradictory
and not uniformly interpreted across
Member States, leading to a patchwork
of jurisdictional exceptions, rather than
harmonisation and regulatory certainty.
Introducing a mechanism to formally clarify
and update the GDPR could offer greater
consistency and confidence for organisations
navigating high-risk processing," Carter
suggests.
As the GDPR moves into its eighth year,
data protection is no longer just about
compliance. With AI, regulatory divergences
and growing public expectations, the organisations
that will thrive are those that treat
privacy as a strategic priority... built-in, visible
and always evolving.
attacks round-up
DATA THEFT ONSLAUGHT
ATTACKS AND BREACHES ARE SHOWING NO SIGN OF EASING OFF - IN FACT,
THEY HAVE INTENSIFIED, WITH VAST AMOUNTS OF DATA EXPOSED AND STOLEN
Four people - a 20-year-old woman and
three teenage boys - were arrested in
early morning raids over the wave
of cyber-attacks that crippled M&S, the
Co-op and Harrods. Suspected of hacking,
blackmail and money laundering, the group
allegedly unleashed ransomware that stole
millions of customer records, shut down
online orders and left supermarket shelves
bare. M&S alone faces a £300 million hit,
with some systems offline for months,
highlighting the long-term damage cyber-attacks
cause.
Spencer Starkey, executive VP of EMEA
at SonicWall, points out how vital it is that
every single business has a robust roadmap
in place to deploy, if and when an attack
happens. "The preparation always begins
with prevention: layered security systems
and updated employee training are basic
principles in today's risky environment.
Everyone involved should have a well-defined
role and key responsibilities before
the crisis occurs."
In other attacks, a "significant amount" of
private data, including details of domestic
abuse victims, has been hacked from Legal
Aid's online system. The Ministry of Justice
said the agency's services were hacked in
April and data dating back to 2010 was
downloaded. The BBC understands that
more than two million pieces of information
were taken. The breach covers all
areas of the aid system - including domestic
abuse victims, those in family cases and
others facing criminal prosecution. "This
data may have included... addresses of
applicants, dates of birth, national ID
numbers, criminal history, employment
and financial data such as... debts and
payments," the MoJ revealed.
Qantas is another recent high-profile victim
whose customer data has been compromised.
The incident occurred when a cybercriminal
targeted one of its airline contact
centres and gained access to a third-party
customer-servicing platform. There is no
evidence that any personal data was stolen, states
the airline, adding: "Qantas has reconfirmed
no credit card details, personal financial
information or passport details were stored in
this system and therefore have not been
accessed."
TRUST MUST BE REBUILT
In response to such incidents, retail businesses
must act decisively, says Robert Cottrill, technology
director at ANS. "Working with a cyber
response team is essential to assess the
breach's full impact, plug any vulnerabilities
and restore systems quickly. Clear, consistent
communication with customers and stakeholders
will be vital to rebuild trust. The
incidents are a wake-up call for all businesses:
cyber security must be a board-level priority.
"Robust incident response plans, proactive
security reviews and close collaboration with
experts are critical. In the fast-moving retail
environment, safeguarding customer data
isn't just good practice - it's fundamental to
brand survival."
Meanwhile, the Business Digital Index (BDI),
created by Cybernews, has evaluated the
cybersecurity postures of 75
European Union government
institutions and found that 67%
received a D or F rating - placing
them in high-risk or critical-risk
categories. The BDI also revealed
that every institution in the study
had experienced at least one data
breach.
artificial intelligence
AI - FRIEND OR FOE?
'AI MAY ACCELERATE OUR DEFENCES, BUT IT CANNOT REPLACE
THE HUMAN CRITICAL THINKING THAT UNDERPINS TRUE SECURITY'
- ADAM WINSTON, WATCHGUARD TECHNOLOGIES, PICTURED LEFT
According to recent statistics, 75% of
employees use AI to tackle everyday
tasks, which may lead to efficiency gains.
"Credential theft, data exfiltration and
infrastructure weaknesses are all potential
threats when AI tools operate without
governance," warns Adam Winston, field
CTO for managed services at WatchGuard
Technologies. "With an estimated 14% of
organisations having formal AI policies,
most deployments are left untracked and
potentially hazardous."
AI's transformative power is undeniable,
he acknowledges. "Over the last decade,
security teams have struggled under the
sheer volume of data, a fast-changing threat
landscape and a shortage of skilled people.
Machine learning models are now capable
of performing many of the repetitive duties,
such as pattern recognition, anomaly
detection, event correlation and alert triage.
All at a speed no human could match. In
incident response scenarios, AI can even
trigger containment measures before an
analyst is alerted."
Yet these gains come with their own set of
problems, Winston adds. "AI systems are
all about the quality of their training data.
Models fed narrow, outdated or even
fundamentally biased datasets may overlook
new threats or reproduce the bias at speed
and scale. Adversaries are quick to exploit
these cracks. "Techniques like data poisoning
and evasion attacks can skew ML, while
generative AI enables phishing campaigns so
convincing that they can bypass traditional
filters." One of the more hidden risks is that
decision making becomes opaque. "When an
algorithm flags suspicious activity without
explanation, security teams confront a black
box without a clear rationale and no audit
trail. In regulated sectors, such as finance and
healthcare, this lack of context can translate
directly into compliance failures and hefty
fines." But the answer isn't to abandon AI.
"It just needs to be used in the right way
and alongside human insight. Skilled analysts
bring the contextual awareness, ethical
judgment, and the legal and business understanding
that machines lack. They ask the
probing questions AI cannot. For example,
was that late-night login a genuine executive
working abroad or a sophisticated impersonation?
Does this network spike signal malicious activity
or a flawed software update?"
Some managed detection and response
providers are already embracing this hybrid
model, he states, where you have automated
detection paired with expert investigation
and continuous tuning. "And with regulations
like the EU's Artificial Intelligence Act mandating
transparency, accountability and human
oversight in high-risk AI applications, businesses
will have no choice but to use this
approach. AI may accelerate our defences,
but it cannot replace the human critical
thinking that underpins true security. Success
will belong to those who treat AI as a force
multiplier, without losing sight of the human
expertise that steers it."
PRIME TARGET
"All AI relies upon Application Programming
Interfaces (APIs) to quickly and efficiently
communicate with other APIs and to retrieve
and condense data, making these APIs
a prime target for threat actors," cautions
James Sherlow, systems engineering director,
EMEA at Cequence Security. "In fact, Gartner
predicts that by 2028 a quarter of all enterprise
breaches will be traced back to AI agent
abuse from both external and malicious
actors, so protecting these APIs needs to
be a prime consideration for the CISO."
The challenge is compounded when
employees use shadow AI - unsanctioned AI
tools that bypass enterprise security controls
entirely. "When corporate data flows through
these personal AI accounts and unapproved
platforms, it creates additional API connections
outside the organisation's visibility and
governance framework."
One of the most important steps the
security team can take to protect these APIs
is to determine which have authentication
and access vulnerabilities, Sherlow continues.
"This is no mean feat, as discovering the build
components for many third-party APIs can
be tricky and the sad reality is that many of
the popular APIs in use by enterprise development
teams have little to no authentication
built in.
"Discovery is therefore vital in mitigating the
threat posed by AI in the enterprise. Looking
for hidden, deprecated and shadow APIs can
allow the team to understand which APIs are
in use or have fallen into disuse and which
could be actively exposing sensitive data. This
should be conducted on a continuous basis
and mapped to known behavioural models
to monitor and assess API call activity."
Also, APIs should be compliant, in that they
meet their design specifications, use appropriate
authentication, regardless of whether
they are active, and are patched when
necessary. "Protecting the APIs that underpin
AI is critical for the enterprise to detect and
resolve issues. The faster the business can
determine how APIs are being attacked, the
speedier it can respond. Utilising behavioural
fingerprints of threat actors and attacks, it's
possible to augment alerts with information
on the source IP address, [determine] which
APIs are involved and the types of data
resources being exposed, following which API
calls can be blocked, rate limited or deception
techniques used to funnel the attack."
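Sherlow's discovery and behavioural-monitoring steps above can be expressed as a small log-analysis routine. The Python below is an added example, not Cequence Security's or the page's own code: it assumes a hypothetical gateway log format and a hand-written endpoint specification, both constructed inline. It builds an inventory of every endpoint seen in traffic, marks those that are deprecated or absent from the specification (shadow APIs), flags served requests that carried no authentication to endpoints that require it, and applies a sliding-window request limit per source, so that each alert carries the source IP, the API involved, the class of data it exposes and a suggested action (block, rate-limit or review).

```python
"""Continuous API discovery over gateway access logs: endpoint inventory,
shadow and deprecated endpoints, unauthenticated access and per-source
rate limiting. Added example; the log format and spec are hypothetical."""
import re
from collections import defaultdict, deque

# Constructed sample in a hypothetical gateway log format:
# <unix-ts> <source-ip> <method> <path> <status> auth=<bearer|none>
SAMPLE_LOG = """\
1720000001 203.0.113.10 GET /v2/models/summarise 200 auth=bearer
1720000002 203.0.113.10 POST /v2/models/summarise 200 auth=bearer
1720000003 198.51.100.7 GET /v1/customers/export 200 auth=none
1720000004 198.51.100.7 GET /v1/customers/export 200 auth=none
1720000005 198.51.100.7 GET /v1/customers/export 200 auth=none
1720000006 198.51.100.7 GET /v1/customers/export 200 auth=none
1720000007 203.0.113.10 GET /internal/debug/prompts 200 auth=none
1720000008 192.0.2.5 GET /v2/models/summarise 401 auth=none
"""

# Hypothetical specification: the endpoints the team has documented, whether
# each is still supported, the class of data it returns and whether it must be
# authenticated. Anything observed in traffic but absent here is a shadow API.
SPEC = {
    "GET /v2/models/summarise": {"status": "active", "data": "model-output", "auth_required": True},
    "POST /v2/models/summarise": {"status": "active", "data": "model-output", "auth_required": True},
    "GET /v1/customers/export": {"status": "deprecated", "data": "personal-data", "auth_required": True},
}

LINE_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\S+) (\d{3}) auth=(\S+)$")


def parse_log(text):
    """Parse the gateway log into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, path, status, auth = m.groups()
        events.append({"ts": int(ts), "src": src, "api": f"{method} {path}",
                       "status": int(status), "auth": auth})
    return events


def inventory(events, spec=SPEC):
    """Classify every endpoint seen in traffic: active, deprecated or shadow."""
    seen = {}
    for ev in events:
        entry = spec.get(ev["api"])
        seen[ev["api"]] = entry["status"] if entry else "shadow"
    return seen


class SlidingWindowLimiter:
    """Allow at most `limit` requests per source within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, src, ts):
        q = self.hits[src]
        while q and q[0] <= ts - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def assess(text, spec=SPEC, limit=3, window=5):
    """Run discovery and behavioural checks over a log; return enriched alerts."""
    limiter = SlidingWindowLimiter(limit, window)
    alerts = []
    for ev in parse_log(text):
        entry = spec.get(ev["api"])
        served = 200 <= ev["status"] < 300
        reasons = []
        if entry is None and served:
            reasons.append("shadow endpoint served a request")
        elif entry and entry["status"] == "deprecated" and served:
            reasons.append("deprecated endpoint still serving")
        needs_auth = entry is None or entry["auth_required"]   # unknown APIs assumed sensitive
        if ev["auth"] == "none" and served and needs_auth:
            reasons.append("unauthenticated access")
        if not limiter.allow(ev["src"], ev["ts"]):
            reasons.append("rate exceeded")
        if not reasons:
            continue
        if "unauthenticated access" in reasons:
            action = "block"
        elif "rate exceeded" in reasons:
            action = "rate-limit"
        else:
            action = "review"
        alerts.append({"src": ev["src"], "api": ev["api"],
                       "data": entry["data"] if entry else "unknown",
                       "reasons": reasons, "action": action})
    return alerts
```

Note the request that the gateway already rejected with 401 produces no alert, while the deprecated export endpoint still answering unauthenticated requests does: discovery is about what is actually being served, not what the specification says should exist.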
It's only by addressing APIs that we can
hope to effectively secure AI and the next
evolutionary step: agentic AI. "By 2028,"
adds Sherlow, "a third of enterprise software
applications are expected to include agentic
AI, according to Gartner, which means it,
too, will become a prime target."
Lucy Finlay, director of secure behaviour and
analytics at Redflags from ThinkCyber, offers
a quote from Nobel Prize-winning economist
Paul Krugman in 1998: 'By 2005 or so, it will
become clear that the internet's impact on
the economy has been no greater than the
fax machine's'. "History has a habit of
repeating itself," she points out, "and we're
currently in the same position with AI, with
'experts' taking their stance on where the
chips will ultimately fall: is AI going to
precipitate the next industrial revolution?
Or is it the next fad like NFTs? Or something
more sinister, with mass job losses and the
disappearance of critical thinking on the
horizon? This hasn't stopped the public and
businesses flocking to this newfangled tool,
with AI being the mot-du-jour for investors
and consumers alike.
"At Think Cyber, we have seen the trends
in the usage of GenAI tools rocket since the
start of 2024 across our customers. As a
result, security, data protection and tech
teams are wrangling with where they're
going to place their bets. Do they acknowledge
that people are going to use this tool
and allow its use with guardrails implemented?
Do they shut it down and face the
wrath of onlookers who say they're stunting
innovation? The answer is, much like Paul
Krugman's famous statement, that experts
don't really know what the right answer is.
Anyone who professes to know what AI's
effect on the world will be has a good chance of
also saying something that will be just as
regrettable in 20 years' time."
In the meantime, wonders Finlay, what's a
pragmatic approach to dealing with this new
tool? "A quote from the author Kevin Sands
somewhat sums it up: 'It is never the tool
that decides. It's the hands - and the heart - of
the one who wields it.' Educate those who
are going to inevitably use the tool. At a local
level, nudge them towards critical thinking
around the consequences of their actions.
Steer them towards the controlled instances
of AI that have been thoroughly vetted by
trusted internal teams, rather than open-source
versions of the tool. Integrate into
their new workflow, merging positive feedback
for desired behaviour and personalising
guidance to their use case."
THE AI BATTLEGROUND
The AI landscape has become a battlefield
where most businesses are rapidly losing
ground, comments Tyler Reguly, associate
director, R&D at Fortra. "This battle is being
fought from multiple sides and not everyone
is following the rules. Infosec teams face so
many threats that it can be impossible to
determine the greatest threat. From prompt
injection attacks and shadow AI, to advanced
deepfakes and AI hallucinations, the attacks
come from all sides."
AI has caught the world by storm, Reguly
says. "It has given unskilled individuals the
perception that they can perform skilled
work. From vibe coding and art generation,
to eloquent writing and spreadsheet mastery,
people are given the ability to operate
outside their skillset. It is tempting to use AI
tools of unknown origin, share confidential
data and present the results as your own. At
the same time, senior leadership at companies
can't help but see savings when they can
replace a skilled worker with someone less
skilled."
AI hallucinations still plague generated
data, adds Reguly. "Unskilled individuals are
unaware of the mistakes that riddle their
results. This is why media literacy and skilled
employees are critical in the utilisation of AI
within organisations. Organisations must
ensure that they hire and retain skilled
individuals. After you deal with AI hallucinations,
what about shadow AI, where
employees use unapproved AI platforms?
If you don't have an AI policy, it is hard to
argue that shadow AI exists. A complete
AI policy is imperative, ensuring your users
know what is, and is not, acceptable. Other
important tools, like data loss prevention and
cloud access security brokers, can help you
identify when AI services are accessed."
James Sherlow, Cequence Security:
Gartner predicts that by 2028 a quarter
of all enterprise breaches will be traced
back to AI agent abuse.
Lucy Finlay, Redflags from ThinkCyber:
constructive discourse of safe usage
of AI is needed, with governmental
and AI innovators' input.
Tyler Reguly, Fortra: a complete AI policy
is imperative, ensuring your users know
what is, and is not, acceptable.
Ravit Sadeh, CTERA: leadership teams
that delay AI policies out of fear of
'slowing innovation' are missing the
point.
Finally, you have business impacts from
prompt injection attacks and advanced
deepfakes. "Consider a phishing email with
an attachment containing hidden prompts
that requests immediate AI-based processing.
Your entire internal approved AI infrastructure
may be compromised via a single
email. Additionally, we're seeing convincing
deepfake job applicants, utilising fake audio
and video, with nefarious intentions. These
situations are difficult to address. Human
risk management is crucial. By training
employees, you can help them spot phishing
emails and identify deepfakes."
In the rush to embrace AI's potential, many
companies are neglecting the basics, states
Ravit Sadeh, VP of product management,
CTERA. "Where is data going? Who's
accountable for its use? What happens when
something goes wrong? In my work, I've
spoken with many companies that have
had many horror stories. Employees aren't
reckless; they're trying to meet deadlines and
stay competitive. But without formal support
or training, sensitive data often ends up in
external tools, with little thought to where it
might go." And the risks aren't just internal.
"AI-generated phishing attacks have become
far more sophisticated, with attackers using
tools like ChatGPT to craft flawless emails and
even deepfake voice calls. Fake customer
service chatbots, powered by AI, are now
impersonating brands with alarming realism."
Leadership teams that delay AI policies out
of fear of 'slowing innovation' are missing
the point, she adds. "Innovation without
guardrails isn't agility, it's exposure. This
doesn't mean banning AI. It means recognising
that it's already here. The companies
best positioned to benefit from generative AI
are those who treat it as a critical piece of
infrastructure - not a toy, not a trend and
definitely not someone else's problem."
What should that look like? Start small:
- Define which AI tools are approved, and what data is off-limits
- Educate employees about risks like credential leaks and phishing
- Create internal sandboxes where teams can experiment safely
- Appoint a cross-functional task force, including IT, legal, HR, and security, to update policies as tools evolve.
"These actions are simple, actionable and
urgent," says Sadeh. "AI use in the workplace
isn't 'emerging'; it's already widespread.
Pretending otherwise isn't just naïve, it's
dangerous. The bottom line: AI itself isn't
the threat. But ungoverned, invisible and
unmanaged use of it absolutely is."
Companies are integrating AI-powered
applications into their ecosystems faster
than they can secure them, cautions Neil
Roseman, CEO, Invicti. "The new tools carry
new risks and are often built or adopted
outside standard development pipelines,
bypassing traditional software security and
quality processes." When those applications
process sensitive data, interact with internal
systems and sit exposed on the internet,
that's a major security problem. Better
understood are the privacy risks from
employees revealing confidential information
to non-sanctioned platforms, usually GenAI
chatbots. "While not always malicious, it's
usually a symptom of inadequate internal
guidelines," he says. "The consequences
aren't obvious, but can be significant, if your
company secrets somehow get into an
external AI model with hazy privacy policies.
The security and privacy risks are very real,
but also known and addressable. Security
tools already exist to identify exposed AI
assets and scan them for vulnerabilities. Data
privacy concerns can be mitigated through
clear terms of use and robust internal policies
that distinguish between sanctioned and
unsanctioned AI usage."
But there's a third, far more insidious, risk
emerging: over-reliance and excessive trust,
he says. "As AI-generated summaries and
insights become commonplace efficiency
boosters, it's all too easy to start trusting
machine output as a reflection of reality. And
when business decisions are made, based
on unverified AI responses, the line between
efficiency and irresponsibility begins to blur."
Dependence on the functionality and data
fidelity of AI platforms carries strategic risk.
"It's one thing to pilot an AI project and fail to
realise value. It's another to architect entire
workflows, customer interactions or product
strategies around systems that may hallucinate,
misinterpret or simply go offline. If the
model fails, who's accountable for business
downtime? If the data is wrong, who takes
responsibility for the bad decisions it
backed?" asks Roseman.
"We're already learning to address AI
security gaps and privacy concerns, but over-reliance
is a different beast. The companies
that will thrive in an AI-driven economy
aren't those that adopt AI fastest or most
extensively - they're the ones that deploy it
most thoughtfully. Right now, the biggest
threat isn't AI going rogue. It's us outsourcing
our thinking to it." In the absence of proper
governance, organisations are already
suffering the consequences, comments Dave
McGrail, head of business consultancy at
Xalient. "Recently, hackers breached a popular
AI chatbot service, exposing thousands of
user chat logs, along with credentials and API
keys buried in those conversations. This kind
of data leakage can be catastrophic to a
business, in terms of potential regulatory
penalties and damage to brand reputation.
"There are a growing number of poorly
secured chatbots being used against their
owners. Meanwhile, cyber-criminals are
exploiting the AI boom with a fake 'ChatGPT'
browser plugin which stole login credentials
[more than 4 million in one haul] from users
drawn in by the AI craze. These incidents,
spanning data leakage to credential theft,
highlight the breadth of threats when AI is
adopted without oversight."
The common thread here is that
uncontrolled use magnifies security gaps.
"Organisations must proactively bring AI
usage out of the shadows," says McGrail.
"This starts with clear internal policies and
training on what data employees can feed
into AI systems and which tools are
approved. Unsanctioned AI tools should be
treated as the new shadow IT and be subject
to the same scrutiny as any unscreened
app or cloud service. Technical controls to
monitor and restrict sensitive data going into
AI queries should be implemented, and
vendor security due diligence ensured to
capture and treat risk for any AI platforms."
Fortunately, guidance is emerging, he
continues. Frameworks such as the NIST AI
Risk Management Framework and ISO/IEC
23894:2023 (AI risk management guidance)
offer blueprints for governance and controls.
"At a time when AI innovation and adoption
is outpacing most company compliance
and governance playbooks, a thoughtful,
accountable AI governance program should
be viewed as a business imperative, rather
than a burden."
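The technical control McGrail calls for above, monitoring and restricting sensitive data going into AI queries alongside a list of approved tools, is illustrated by the following Python example. It is added here and is not Xalient's or the page's own code; the approved-tool list, the detection patterns, the entropy threshold and the sample prompts are assumptions constructed for the example. Before a prompt leaves the organisation it is checked against the approved-tool list, e-mail addresses and high-entropy token-like strings (the kind of API key the chat-log breach above exposed) are redacted, and prompts carrying card numbers that pass a Luhn check or private-key material are blocked outright.

```python
"""Outbound prompt filter: check what an employee is about to send to an AI
service against an approved-tool list and redact or block sensitive data.
Added example; tool names, patterns and thresholds are assumptions."""
import math
import re

# Hypothetical approved-tool list; in practice this comes from the AI policy.
SANCTIONED_TOOLS = {"internal-assistant"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # 13-19 digits, spaces/dashes allowed
TOKEN_RE = re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")        # long opaque strings: candidate secrets
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
ENTROPY_THRESHOLD = 3.5   # bits per character; random secrets sit well above this
BLOCKING_KINDS = {"private-key", "card-number"}


def shannon_entropy(s):
    """Bits per character; high values suggest a machine-generated secret."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def luhn_ok(digits):
    """Luhn checksum, used to tell real card numbers from other digit runs."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def scan_prompt(text):
    """Return (kind, matched_text) findings for sensitive content in a prompt."""
    findings = []
    if PRIVATE_KEY_RE.search(text):
        findings.append(("private-key", "-----BEGIN ... PRIVATE KEY-----"))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card-number", m.group().strip()))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group()))
    for m in TOKEN_RE.finditer(text):
        if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
            findings.append(("api-token", m.group()))
    return findings


def filter_prompt(text, tool):
    """Decide allow / redact / block for a prompt destined for `tool`."""
    if tool not in SANCTIONED_TOOLS:
        return {"decision": "block", "reason": "unsanctioned tool",
                "findings": [], "text": None}
    findings = scan_prompt(text)
    blocking = {kind for kind, _ in findings} & BLOCKING_KINDS
    if blocking:
        return {"decision": "block", "reason": "sensitive data: " + ", ".join(sorted(blocking)),
                "findings": findings, "text": None}
    redacted = text
    for kind, match in findings:
        redacted = redacted.replace(match, f"[REDACTED-{kind.upper()}]")
    return {"decision": "redact" if findings else "allow", "reason": "",
            "findings": findings, "text": redacted}
```

The entropy test is what keeps the token rule useful: a long but repetitive string such as a padded product code passes, while a random-looking credential of the same length is caught. Such a filter sits in the proxy or browser extension through which sanctioned AI tools are reached, and its findings are the evidence a governance programme needs to tune policy rather than guess at it.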
Neil Roseman, Invicti: right now, the
biggest threat isn't AI going rogue. It's
us outsourcing our thinking to it.
Dave McGrail, Xalient: organisations
must proactively bring AI usage out of
the shadows.
legislation
NEW CYBER LAWS MUST BE 'MORE AMBITIOUS'
MPS SHOW WIDESPREAD SUPPORT FOR STRONGER CYBER LAWS, ALONG WITH CALLS FOR GREATER
GOVERNMENT COLLABORATION AND A MORE AMBITIOUS, FUTURE-PROOFED APPROACH
Dan Aldridge, chair of the APPG
for Cyber Innovation.
Till Sommer, Policy Counsel at
Cyber security Business Council.
The first public statement from MPs
on the forthcoming Cyber Security
and Resilience (CSR) Bill highlights
a sense of cautious optimism, with 46%
of survey respondents believing the CSR
Bill will support economic growth, while
44% merely "see the potential".
Against the backdrop of high-profile
cyberattacks on major UK retailers, the
Cyber Innovation All-Party Parliamentary
Group's official report further underscores
the urgent need for a more ambitious and
inclusive approach to cyber legislation.
The report was developed based on
insights from a national survey, with
89 respondents from across the cyber
sector and beyond. The report incorporated
inputs from a parliamentary roundtable
discussion held under the Chatham
House rule that brought together 17
representatives from managed service
providers, cyber companies, academics
and other organisations in the UK.
NARROW APPROACH
The CSR Bill presents a transformative
opportunity to update the UK's cyber
legislation, yet - according to the Cybersecurity
Business Network - it currently
adopts a narrow approach, which excludes
key opportunities that would benefit the
UK economy and wider society, including:
- Embedding corporate governance at the heart of corporate decision
- Empowering cyber professionals to address the emerging threats
- Providing legal protection for threat intelligence
- Aligning regulatory requirements to reduce compliance issues and drive higher standards.
Are there failings in the Bill that need to be
addressed? Till Sommer, Policy Counsel at
Cyber security Business Council, sees the
issues differently. "The problem is less about
the Bill being weak. The Bill, at least based
on what we know about it at present, is
totally doing the right thing, but my worry
is that the Government is just a little bit too
conservative. This will be the first Bill ever
with cyber in the title and while I totally get
concerns about this becoming a Christmas
tree bill to which you attach every single
cyber issue, I am concerned that we are only
looking at a very small slice of a cake that is
made up of lots of unsolved problems when
it comes to cyber security and cyber regulation.
Getting parliamentary time to pass
legislation is incredibly difficult and we need
to make the most of this opportunity."
The Cyber Innovation All-Party Parliamentary
Group (APPG) believes there's a risk
the CSR bill will not receive the necessary
support from stakeholders, unless a more
comprehensive approach is taken to engage
with relevant stakeholders before and during
the parliamentary process.
Dan Aldridge MP, chair of the APPG for
Cyber Innovation, comments: "This Bill is a
historic opportunity to strengthen the UK's
cyber resilience, but we risk falling short,
if we don't listen to those on the frontline.
We're calling on DSIT [Department for
Science, Innovation and Technology] to
open up the conversation, coordinate across
government, to provide a timeline and
process for tackling the urgent issues that
are deemed out of scope. By future-proofing
regulations and giving Parliament a clear
role in oversight, we can make sure the
UK remains secure and competitive in a
rapidly changing digital world."
data protection
16 BILLION REASONS TO TAKE ACTION NOW!
DATA BREACHES THAT LED TO 16 BILLION PASSWORDS BEING STOLEN COULD
CREATE A SNOWBALL EFFECT OF CYBER-ATTACKS IN THE DAYS AHEAD
Xavier Sheikrojan, Signifyd: balancing
advanced technology with human
oversight will be essential in addressing
the fallout from this breach.
How big can data theft really get?
Extremely so, is the answer, particularly
in the wake of the discovery of
one of the largest data breaches in history:
several collections of almost 16 billion
exposed login credentials.
The research that unearthed the theft,
based on unique Cybernews findings and
originally published on its website on
18 June, suggests the data most likely
originated from various infostealers.
Xavier Sheikrojan, senior risk intelligence
manager, Signifyd, believes the data
breaches that resulted in these 16 billion
passwords being stolen could create a
snowball effect of cyber-attacks. "A key
concern is the rise of sleeper accounts - accounts
created using stolen details that
can be used not only for immediate fraud,
mimicking legitimate customers before being
exploited at scale. Although it's too early to
draw definitive conclusions, the timing
of these increases aligns with the recent
breaches, suggesting fraudsters may
be testing the waters with stolen data,
potentially through account takeover and
credential-stuffing attacks."
He advises businesses to stay vigilant and
implement robust protective measures, such
as monitoring for anomalies in behaviour
from their existing users and customers.
"Sometimes hackers only need one set of
matching stolen credentials, so a forced
reset of passwords, using strong and
unique passwords, and using two-factor
authentication, can be great strategies.
This not only protects the business, but
also safeguards loyal customers. If you
have manual review teams, ensure they
are educated and aware of the latest data
breach trends. Additionally, proactively find
ways to optimise your machine learning
detection. Balancing advanced technology
with human oversight will be essential in
addressing the fallout from this breach."
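As an added illustration of the monitoring Sheikrojan recommends (example code written for this page, not Signifyd's or the article's own), the following Python triages a constructed batch of authentication events for credential-stuffing sources and likely account takeovers. The event tuple format, the thresholds and the baseline of each account's usual login sources are all assumptions.

```python
from collections import defaultdict

# Constructed sample auth events (seq, source_ip, username, outcome).
# The tuple format is an assumption; real logs would be parsed into it.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "alice", "fail"),
    (1, "203.0.113.7", "bob", "fail"),
    (2, "203.0.113.7", "carol", "fail"),
    (3, "203.0.113.7", "dave", "fail"),
    (4, "203.0.113.7", "erin", "fail"),
    (5, "203.0.113.7", "frank", "success"),   # one stolen pair matched
    (10, "198.51.100.2", "alice", "fail"),
    (11, "198.51.100.2", "alice", "fail"),
    (12, "198.51.100.2", "alice", "success"),  # success after retries
    (20, "192.0.2.9", "grace", "success"),     # routine login
]

# Constructed baseline: sources each account has logged in from before.
KNOWN_SOURCES = {
    "alice": {"192.0.2.50"},
    "frank": {"192.0.2.60"},
    "grace": {"192.0.2.9"},
}


def detect_stuffing(events, min_accounts=5, min_fail_ratio=0.7):
    """Sources that try many distinct accounts with a high failure rate
    look like credential stuffing rather than one user mistyping."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for _, ip, user, outcome in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        stats["fail"] += outcome == "fail"
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_accounts
                  and s["fail"] / s["total"] >= min_fail_ratio)


def detect_takeover(events, known_sources, stuffing_ips=()):
    """Return (user, ip) for successful logins from a source the account
    has never used, when that source failed first or is a stuffing IP."""
    prior_fail, hits = set(), []
    for _, ip, user, outcome in events:
        if outcome == "fail":
            prior_fail.add((user, ip))
        elif ip not in known_sources.get(user, set()) and (
                (user, ip) in prior_fail or ip in stuffing_ips):
            hits.append((user, ip))  # candidate for forced reset / 2FA step-up
    return hits
```

Accounts returned by `detect_takeover` are the ones to target first with a forced password reset and a second-factor challenge, while the flagged source addresses feed rate limiting.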
ROTATION SALVATION
Spencer Young, SVP EMEA, Delinea, says the
current wave of data breaches shows that
static credentials can be a serious liability in
today's fast-moving world. "Passwords alone
- especially unrotated ones - leave consumers
and organisations vulnerable to phishing, credential
stuffing and Pass-the-Hash attacks.
Good password hygiene isn't enough
anymore. Credential vaulting and automated
password rotation are foundational
to stopping lateral movement. By continuously
rotating credentials and limiting their
lifespan, organisations and consumers can
invalidate stolen hashes and prevent
attackers from moving freely."
Passwordless initiatives aimed at
reducing these risks are also becoming
increasingly popular. "Technologies such as
biometrics, where biometric data remains
encrypted and safely stored in the device and
does not travel across the network, improve
the authentication process because it's based
on a factor that only the user has and does
not leave their device," adds Young. "Despite
these developments, passwords are not
disappearing. They are simply moving to
the background and becoming part of an
authorisation experience, with one-time
passwords, magic links, temporary keys and
just-in-time access to stay ahead of threats."
James Shank, director of threat operations
at Expel, underscores the scale of what is at
stake equally well when he says: "If this news
frightens you, then your security program
probably has some fundamental gaps.
Let this be the fuel you need to position
yourself and your department for solving
the problem systematically, rather than
defending against the news du jour. There
will always be another breach, with even
more passwords, and emergency handling
will continue, if you don't have systematic
defences in place."
The scale of apparent negligence when it
comes to lost data is startling. When, for
instance, Apricorn recently announced
the findings from its annual Freedom of
Information (FoI) requests into device loss
and data breaches across major government
departments in 2024, the figures indicated
that device security issues remain endemic
across the public sector. Several departments
reported an increase in lost and stolen devices,
compared to the previous year, despite
attempts to address the issue.
"Across the 17 departments questioned,
more than 1,200 organisational devices were
reported lost or stolen between January and
December 2024. HM Revenue and Customs
(HMRC) alone accounted for 804 of these
losses, including 499 mobile phones," reveals
Apricorn, manufacturer of software-free,
256-bit AES XTS hardware-encrypted USB
data storage devices. "While this represents
a modest decrease compared to the 1,015
devices lost by HMRC in 2023, the number
remains troubling, given the sensitivity of the
information the department handles. A large
number of the reported phone losses were
the result of an internal audit that flagged
legacy devices replaced with newer models,
highlighting ongoing inventory management
challenges."
Other departments showed a more
worrying trend, with the House of
Commons reporting 100 devices lost or
stolen during 2024, a significant increase
from 65 devices the previous year. Similarly,
the Department for Education (DfE) saw
device losses climb from 78 in 2023 to 107
in 2024. The Department for Energy Security
and Net Zero (DESNZ) also reported a rise,
from 122 lost devices last year to 150 this
year. Meanwhile, the Department for
Science, Innovation and Technology (DSIT)
reported 113 missing devices.
"Although HMRC's numbers suggest some
improvement following internal audits, the
continued high levels of device loss across
government departments show that fundamental
issues have not been resolved," says
Jon Fielding, managing director, EMEA,
Apricorn. "Every lost or unaccounted device
carries a risk for those individuals whose data
could be exposed."
The findings also reveal the extent of
personal data breaches, with the House of
Commons disclosing 49 incidents involving
personal data during 2024, up from 41
reported the previous year. Despite these
breaches, the House of Commons has not
had to disclose any such personal data
breach to the Information Commissioner's
Office (ICO) in this period. The figure
highlights the continued vulnerability of
sensitive personal information within
Parliament and other institutions.
Worryingly, several departments that had
previously been forthcoming with breach
and incident reporting declined to respond
in full this year. The Ministry of Justice (MoJ)
and the Department for Education (DfE), for
example, both refused to disclose details on
data breaches and reports made to the ICO,
citing exemptions under Section 24(2) of the
Freedom of Information Act (FOIA). The
exemption states that there is no duty to
confirm or deny whether the requested
information is held, if doing so would
prejudice national security. Several other
departments also failed to provide the
relevant statistics.
Fielding believes this growing lack of
transparency raises further questions about
the true scale of data breaches occurring
within government departments and the
threat to data. "Whilst all departments
confirmed their devices are encrypted,
they must be supported by strong back-up
protocols, inventory control and employee
awareness programmes.
"A holistic approach to data protection,
including frequent audits, multiple back-up
copies and rigorous disaster recovery testing,
is essential to minimise the risks posed by
device loss and theft."
James Shank, Expel: if this news frightens
you, then your security program probably
has some fundamental gaps.
Jon Fielding, Apricorn: the continued high
levels of device loss across government
departments show fundamental issues
have not been resolved.
quantum
QUANTUM BLAST-OFF
BATTLE TO BEAT THE HACKERS WILL BE FOUGHT IN OUTER SPACE
Researchers in Europe and Canada
are developing technology that will
allow them to fire quantum-coded
messages across continents via satellites
in space.
According to DigiKey, the project is
helping to lay the foundation for
a new kind of internet - one that is
fundamentally unhackable. Called
HYPERSPACE, it is pushing beyond the
limits of fibre-based quantum links and
using space to provide ultra-secure
communication.
"While a fully operational transatlantic
quantum link remains years away,
HYPERSPACE aims to tackle the core
scientific and technological challenges
that would make such a breakthrough
possible," says DigiKey. "The project is
widely seen as a modern echo of Marconi's
pioneering transatlantic radio transmission
in 1901, and HYPERSPACE could mark
the beginning of a quantum-powered
internet built not on cables and code,
but on entangled particles and the laws
of physics."
TOTALLY SECURE ENCRYPTION
Project coordinator Prof Dr Fabian
Steinlechner comments: "HYPERSPACE is
working on a way to generate totally
secure encryption keys at a distance
through space using quantum technology.
One day, this could connect entire
continents with communication that's
impossible to hack. Today, Europe and
Canada are building the foundation for
that future by testing how we can transmit
quantum signals between satellites and
the ground."
At the heart of HYPERSPACE is a phenomenon
called entanglement, described
by Einstein as 'spooky action at a distance'.
In a simple analogy, entangled particles
behave like identical twins. The entangled
twins can have one of two eye colours,
blue or brown, states DigiKey. "When
the eye colour of one of the twins is
determined, the eye colour of its twin is
known instantly. According to quantum
theory, however, the eye colour is not
determined until we actually measure
(or 'look at') it."
Quantum communication does not depend
on complex passwords or encryption
algorithms; it is protected by the use of
entangled particles. These quantum signals
can be sent through fibre-optic cables or
even beamed through open space, but,
unlike conventional data, any attempt to
intercept them immediately breaks the
connection and exposes the eavesdropper.
Currently, most quantum communication
systems rely on photons travelling through
fibre-optic cables to share encryption keys.
But fibre-based systems on the ground can
only go so far: after a few hundred kilometres,
the signal weakens and becomes
unreliable. This is why the HYPERSPACE
team is looking to space: to explore how
quantum signals can be sent between
satellites and ground stations, enabling
secure communication over vast distances.
PHOTON FINISH
The team is exploring how to encode
multiple quantum bits (qubits) onto a
single photon to create 'high-dimensional
entanglement', essentially packing more
information at once.
"Quantum entanglement is powerful,
but usually it only enables one bit of
information at a time to be sent, like one
car driving down a single-track road,"
explains DigiKey. "With high-dimensional
entanglement, it's like adding extra lanes
to the road. Suddenly, multiple vehicles
can move side by side, which means more
information travels faster, with less chance
of slowdowns or interference."
Computing
Security
Secure systems, secure data, secure people, secure business
Product Review Service
VENDORS – HAS YOUR SOLUTION BEEN
REVIEWED BY COMPUTING SECURITY YET?
The Computing Security review service has been praised by vendors and
readers alike. Each solution is tested by an independent expert whose findings
are published in the magazine along with a photo or screenshot.
Hardware, software and services can all be reviewed.
Many vendors organise a review to coincide with a new launch. However,
please don’t feel that the service is reserved exclusively for new solutions.
A review can also be a good way of introducing an established solution to
a new audience. Are the readers of Computing Security as familiar with
your solution(s) as you would like them to be?
Contact Edward O’Connor on 01689 616000 or email
edward.oconnor@btc.co.uk to make it happen.
e-newsletter
Are you receiving the Computing Security
monthly e-newsletter?
Computing Security always aims to help its readers as much as possible to do
their increasingly demanding jobs. With this in mind, we've now launched a
Computing Security e-newsletter which is produced every month and is available
free of charge. This will enable us to provide you with more content, more
frequently than ever before.
If you are not already receiving this please send your request to
christina.willis@btc.co.uk and advise her of the best email address for the
newsletter to be sent to.