26.11.2025 Views

CS2511


Computing

Security

Secure systems, secure data, secure people, secure business

WRAP-AROUND THINKING

AI must be backed up

by full-scale security

to be a bankable and

sure-fire winner

NEWS

OPINION

INDUSTRY

COMMENT

CASE STUDIES

PRODUCT REVIEWS

LIGHT TOUCH

Ways to sidestep

encryption’s more

negative embrace

AI: THEREBY HANGS A TAIL

Could the technology

have leanings towards

self-destruction?

HITTING THE MARK

Key steps to take - and pitfalls

to avoid - for a winning identity

and access management strategy

Computing Security November/December 2025




inside view

TRUST MUST BE EARNED

Digital trust is a vital part

of the backbone that

runs through any

organisation and keeps it safe.

However, such trust is only as

good as it is on any given day -

it must always be up to date,

certifiably verified and as near to

100% dependable as possible.

All the more worrying when

research from Sectigo and

Omdia suggests a digital trust

crisis is brewing and argues that

most businesses are unprepared.

According to the research, 96%

of IT leaders are concerned

about shrinking certificate

lifespans, yet 95% are still using manual processes to manage them. "With the first

deadline hitting in early 2026, that's a recipe for outages and disruption," Sectigo

warns.

The company's inaugural 'State of Crypto Agility Report' reveals a massive gap between

fear and action, highlighting these key areas:

The Certificate Crunch: "with more frequent renewals looming,

81% of companies are unprepared for the disruption"

The Quantum Threat: "the quantum clock is ticking,

but 86% of businesses haven't even assessed their quantum risk"

The Automation Gap: 95% of companies are still managing

certificates manually, "flying blind into a new era of digital trust".

Adds Sectigo: "This is an IT headache, as well as a direct threat to business continuity.

The report's key insight is that building certificate agility now is the fastest path to

preparing for the quantum future."

SSL/TLS public certificates and their underlying cryptography have been remarkably

stable for 30 years, acting as an invisible component of IT infrastructure, but that era is

over, says Tim Callan, chief compliance officer at Sectigo. "Today, certificates are front

and centre in the fight to secure our digital future," he points out. "Building certificate

agility now is the fastest path to achieving the crypto agility required for post-quantum

cryptography readiness later."

Brian Wall

Editor

Computing Security

brian.wall@btc.co.uk

EDITOR: Brian Wall

(brian.wall@btc.co.uk)

LAYOUT/DESIGN: Ian Collis

(ian.collis@btc.co.uk)

SALES:

Edward O’Connor

(edward.oconnor@btc.co.uk)

+ 44 (0)1883 38 00 54

+ 44 (0)1689 616 000

David Bonner

(dave.bonner@btc.co.uk)

+ 44 (0)1883 38 00 54

+ 44 (0)1689 616 000

Stuart Leigh

(stuart.leigh@btc.co.uk)

+ 44 (0)1883 38 00 54

+ 44 (0)1689 616 000

Fraser Owen

(fraser.owen@btc.co.uk)

+ 44 (0)1883 38 00 54

+ 44 (0)1689 616 000

PUBLISHER: John Jageurs

(john.jageurs@btc.co.uk)

Published by Barrow & Thompkins

Connexions Ltd. (BTC)

Suite 2, 157 Station Road East

Oxted. RH8 0QE

Tel: +44 (0)1689 616 000

Fax: +44 (0)1689 82 66 22

SUBSCRIPTIONS:

UK: £35/year, £60/two years,

£80/three years;

Europe: £48/year, £85/two years,

£127/three years

R.O.W: £62/year, £115/two years,

£168/three years

Single copies can be bought for

£8.50 (includes postage & packaging).

Published 6 times a year.

© 2025 Barrow & Thompkins

Connexions Ltd. All rights reserved.

No part of the magazine may be

reproduced without prior consent,

in writing, from the publisher.

www.computingsecurity.co.uk Nov/Dec 2025 computing security

@CSMagAndAwards




inside this issue

CONTENTS


COMMENT 3

Digital trust is only as good as it proves to be on any given day - it must always be up to date, certifiably verified and as near to 100% dependable as possible

HITTING THE MARK

Key steps to take - and pitfalls to avoid - for a winning identity and access management strategy

NEWS 6

MoD backs AI-powered data control

New channel partner for Advantech

SonicWall expands cyber solutions

Hidden risk in AI adoption

Jailbreak alert from Zimperium

Confidence in resilience questioned

Eyes on Delinea Iris AI

IS AI EATING ITS OWN TAIL? 10

"AI is no longer on the horizon; it's in the kill chain," say Team8 in a new report: "For attackers, AI unlocks novel weapons like deepfakes and voice clones, while also accelerating traditional vectors through automation and scale." Combatting these threats brings other new challenges, too

WHICH TIN IS YOURS? 14

Data loss prevention certainly 'does what it says on the tin' when properly deployed - but the tin can (no pun intended) often be in danger of rusting over and losing its shine. What, then, is the best way to ensure DLP is effectively activated across all potential points of failure to ensure full-scale protection?

COMPUTING SECURITY AWARDS 2025

NIGHT ALL THE STARS CAME OUT 18

The 2025 Computing Security Awards took place at a top London venue, unleashing another night of success, as many of the industry's hottest talents stepped up to capture the prizes

MAIN ARTICLES

THE 'RESILIENCE FACTOR' IN CYBER 20

What are the actions that must be taken, in order to elevate cyber resilience from a concept into a boardroom capability? Computing Security reports

IS AI ON THE WRONG TRAJECTORY? 22

Investment in AI is very much geared towards acquiring or developing the technology, says one industry observer. But what about the spend allocated to actually securing it?

COMPLIANCE GOES 'ON TRIAL' 24

A new corporate criminal offence of 'failure to prevent fraud' has recently hit the statute books, in a bid to drive an anti-fraud culture and improve business confidence

TARGETING THE RIGHT IAM STRATEGY 26

Demand for strong Identity and Access Management (IAM) solutions has surged. Is there a failsafe way to implement this, so that all bases are properly covered? We report on the key steps that need to be taken - and pitfalls that should be avoided

GROWING TOWARDS THE LIGHT 30

Encryption is now seen as a key part of many organisations' data strategies and removable media policies. When committed to travelling this path, however, there are many barriers to adoption that have to be overcome, including the inevitable myths often encountered



news...news...news

ADVANTECH SHOWCASES ITS LATEST INNOVATIONS AT EXHIBITION

Advantech used the recent SIDO Lyon 2025 exhibition to showcase its latest innovations in embedded edge computing, modular AI systems and more.

[Photo: Advantech technology goes on show.]

Advantech unveiled a broad portfolio of

high-performance Edge AI computing

modules, embedded boards, as well as

customisable expansion modules, along with

full-stack Autonomous Mobile Robot (AMR) platforms and development kits.

The company also displayed scalable solutions that facilitate smart robotics, computer vision

and real-time edge analytics, "empowering OEMs and developers to build next-generation AIoT

applications with flexibility, speed and reliability", said the company.

[Photo: Rob Cottrill.]

NO END TO CYBER-ATTACK IMPACT

Fallout from the cyber-attack on JLR in

September - estimated to have cost

£1.9bn - continues to be felt, with

disruptions ongoing for both the

organisation and its wider supply chain.

Robert Cottrill, technology director at

ANS, says that attack alone shows how

attractive the automotive industry is for

cyber criminals. "The highly-connected

nature of the production lines and vast

supply chains means a single incident

can cause widespread disruption.

"With AI accelerating both the opportunities

and the threats in this space,

the risks of disruption will only become

more prevalent, if enhanced security

measures aren't put in place to safeguard

systems."

The best defence is always prevention,

he adds. "Around-the-clock managed

protection allows organisations to

spot and stop threats before they can

cause harm."

GOLDEN MOMENT AT THE HOUSE OF COMMONS

Golden Valley, the landmark £1bn cyber development in

Cheltenham, Gloucestershire, has launched a new Skills

Hub.

The development will, it is said, strengthen the UK's

leadership in cyber, AI, quantum technologies, and secure

communications, supporting national security, economic

resilience and industry expansion.

[Photo: MP Max Wilkinson hosted the launch.]

Hosting the reception at the House of Commons, MP for

Cheltenham, Max Wilkinson, stated: "To make sure that we

have a talent pipeline, we need to ensure that the education

system is working well. One of the things that's been missing

in Cheltenham for a long time is that pipeline of people coming through, perhaps growing up

and then completing education in Cheltenham and getting jobs in the region. Putting that

together is something that we're starting to do."

ALARMING GAP IN DEFENCES REVEALED

Kiteworks has announced findings from its 2025 Data

Security and Compliance Risk: Annual Survey Report,

revealing a number of significant governance challenges

facing defence contractors, as they prepare for CMMC

2.0 requirements.

[Photo: Mission impossible?]

The survey, covering a total of 461 organisations across industries, found that only 56% have

fully implemented end-to-end encryption for all sensitive data and that just over 50% have

centralised governance processes. These gaps are particularly concerning for defence

contractors handling controlled unclassified information (CUI), as CMMC 2.0 demands

comprehensive governance and security controls across the entire supply chain.


[Photo: Matt Jennings.]

BREACH SPARKS 70-YEAR LOW IN UK CAR PRODUCTION

The recent cyber-attack on Jaguar Land

Rover (JLR) has had devastating effects -

resulting in UK car production hitting a 70-

year low for September, with £1.9bn in

estimated losses and 5,000 businesses

impacted.

Tom Fairbairn, a distinguished engineer at

supply-chain real-time data provider Solace,

said: "The recent cyberattacks at JLR have exposed a new fault line in global supply chains -

digital fragility. These disruptions not only stop production; they freeze entire networks of

suppliers, distributors, and customers, proving that recovery speed is the new measure of

resilience, no matter what the original cause of disruption may be."

Meanwhile, some of Renault UK's customer data was stolen in another cyber-attack that

targeted a third-party data processing provider.

OXFORD COLLEGE BOOSTS

DEFENCES

St John's College, one of the historic

colleges of the University of Oxford,

has significantly strengthened its

cybersecurity posture with the

implementation of a Managed

Vulnerability Management (MVM)

programme delivered by long-term

partner ANSecurity and built on Tenable

Nessus.

With a small in-house IT team and

growing cyber threats, the college

needed a proactive solution to improve

visibility, reduce risks and free up

internal resources. The service includes

daily credentialed scans, automated

vulnerability notifications, remediation

validation and monthly strategic reviews

with ANSecurity consultants.

Matt Jennings, IT manager at St John's

College Oxford, commented: "This

service has freed up internal resources

and helped us stop playing 'whack-a-mole'

with vulnerabilities. We now know

what to focus on, and how to do it."

QUANTUM'S RICH PICKINGS

[Photo: Jason Soroko.]

HSBC has announced what is said to be the world's first-known

empirical evidence of the potential value of current

quantum computers for solving real-world problems. The

bank tested a hybrid quantum-classical approach on €1tn

worth of bond trading data - achieving a 34% boost in

predicting trade execution compared to traditional methods.

"There are still some people who believe that quantum

computing, especially in its current state, is far from being

capable of breaking current cryptographic algorithms," said

Jason Soroko, senior fellow at Sectigo. "The biggest

misconception is that we will never get there and that

quantum computers will never be a threat. This is essentially

disproved with some of the world's largest tech companies building legitimate quantum

computers or road maps right now."

BACKUP BLOW

Gaping holes in organisational backup strategies have been uncovered, despite a growing

reliance on recovery processes.

In its latest annual survey of UK IT security decision makers, Apricorn discovered that 31% of

respondents who had to recover from a backup were unable to make a full recovery.

While the proportion of organisations able to recover everything is encouraging - at 58%, up

slightly from 50% in 2024 - the fact that so many have to turn to backups at all underlines the

ongoing pressure on recovery systems and the urgent need for robust backup policies, said the

company.




AI security

IS AI EATING ITS OWN TAIL?

WE REPORT ON HOW MANY COMPANIES' USE OF AI MAY BE CREATING A FALLOUT THAT THREATENS THEIR SECURITY

The prime issues that are dominating

CISOs' minds in these challenging times

when it comes to AI are securing AI

agents and ensuring employees' use of AI

tools conforms to security and privacy

policies. At the same time, AI is said to

be creating a range of new cybersecurity

challenges - from newly effective attacks to

newly vulnerable technology platforms.

According to a recently released report, 'Key

Finding from Team8's CISO Village Survey',

"AI is no longer on the horizon, it's in the kill

chain". Adds Team8: "We are witnessing

a true arms race between attackers and

defenders. For attackers, AI unlocks novel

weapons like deepfakes and voice clones,

while also accelerating traditional vectors

through automation and scale. While

combatting these new threats, defenders

are also challenged with defending AI as a

new attack surface, introducing new risks.

"At the same time, AI has become essential

for surviving the velocity and scale of modern

threats. It offers not only fast detection and

response, but a chance to automate manual,

resource-intensive processes in a field plagued

by persistent talent shortages."

ATTACKS AT SPEED AND SCALE

So, should those committed to the

technology also be worried about the

unintended security consequences of their

own? Ian Robinson, chief product officer,

Titania, says AI is changing cybersecurity faster

than almost any innovation before it - but not

always for the better.

FRIEND AND FOE

"While organisations race to embed AI tools

into their workflows, many are overlooking

the unintended consequences these systems

may introduce into their own infrastructure.

AI isn't inventing new attack techniques: it's

automating the exploitation of existing ones,

at speed and at scale. From AI-written firewall

rules to automated network changes,

we're seeing a surge in complexity that often

outpaces visibility. One organisation discovered

its AI-generated policies had ballooned

into more than 20,000 lines of logic, so

tangled that compliance became nearly

impossible. Automation made enforcement

faster, but oversight weaker."

At the same time, threat actors are evolving

with unprecedented speed. "State-sponsored

campaigns are increasingly stealthy, exploiting

overlooked and under-monitored devices like

routers and switches to quietly establish persistence.

In this environment, visibility is

everything - and it's often the first casualty of

unchecked automation," advises Robinson.

"AI-driven security tools promise to help

defenders move faster, but, without

independent validation and continuous

assurance, they risk creating blind spots that

attackers can exploit. Automation without

visibility doesn't simplify security - it fragments it."

The future of cyber defence depends on

balance, he adds. "AI can and should help

teams detect, respond and adapt faster than

ever, but it must be paired with disciplined

oversight, clear accountability and continuous

monitoring. Otherwise, in chasing speed and

scale, we risk feeding the very vulnerabilities

we're trying to eliminate."

DOUBLE-EDGED SWORD

There are many terrific use cases of AI when it

comes to driving efficiency, augmenting

human capability and improving productivity

across industries, points out Megha Kumar,

chief product officer and head of geopolitical

risk, CyXcel. "From automating repetitive tasks

to enabling data-driven decision-making and

enhancing creativity, AI can significantly

transform how businesses operate. However,

it's important to recognise that AI is a double-edged

sword like no other. The accessibility of

this technology is incredibly high. Anyone can

now experiment with powerful AI tools, but,

at the same time, the barriers to misusing AI

are rapidly falling.


"Across the US, UK and EU, the misuse of

AI by threat actors is becoming a major

concern," she states. "We're now seeing a

new wave of cyberattacks and fraud powered

by agentic AI systems - autonomous, task-oriented

agents capable of executing

complex operations without much human

oversight. For example, Anthropic AI's

Claude Code has been cited as acting in

both technical consulting and operational

execution roles, enabling a single data

extortion campaign to scale across 17

critical-infrastructure organisations in just

one month."

Claude Code is an agentic coding tool

that lives in your terminal, understands your

codebase and helps you code faster by

executing routine tasks, explaining complex

code and handling git workflows -- all

through natural language commands.

"As AI technology continues to evolve, the

methods and scale of its misuse will inevitably

become more sophisticated and damaging,"

says Kumar. "What makes this even more

concerning is the lack of preparedness

among organisations." According to CyXcel's

research, nearly a third of UK businesses

(29%) have only just implemented their first

AI risk strategy, while 31% still have no AI

governance policy in place whatsoever,

leaving many companies exposed to both

regulatory and operational risks.

"To address this, businesses need to move

quickly," she adds. "AI-powered threat

detection systems, employee training on

identifying synthetic or deepfake content and

robust AI lifecycle governance processes are

now essential. With this, CISOs must also

prevent the use of unauthorised AI systems

and establish clear policies outlining how AI

can, and cannot, be used within their organisations.

"Ultimately, the most important lesson is

this - don't rush to adopt AI simply because

everyone else is doing it. First, determine why

your business wants to use AI, where it will

deliver the most value and how you will

measure its ROI [Return On Investment]. Only

with this clarity can organisations implement

proportionate governance measures, safeguard

their data, and ensure that their

investment in AI remains both secure and

sustainable."

FEEDBACK LOOP

Dave Spillane, systems engineering director

at Fortinet, warns that nobody is safe from

cyberattacks, not even AI-focused companies.

"While AI has become both the sword and

the shield in cybersecurity, it's also exposing

new risks. The same technology that

empowers defenders to detect anomalies

and automate response at speed is being

weaponised by cybercriminals to scale

attacks, craft deepfake phishing campaigns

and generate adaptive malware. This is

creating a dangerous feedback loop."

The difference, he says, lies in how we

apply AI. "Used responsibly, it can streamline

processes, automate routine checks and

identify threats faster than any human could.

But without human intelligence, critical

thinking and ethical oversight, it quickly

becomes a risk. In fact, 77% of organisations

experienced insider-related data loss in the

past 18 months, showing that human error

and insider threats remain one of the biggest

challenges, even in AI-led environments.

"As attacks become more automated, the

demand for human expertise is rising, with

recent Fortinet research finding that 87% of

cybersecurity decision makers expect AI to

enhance some or major aspects of their roles

and only 2% believing that AI will replace

their roles entirely," adds Spillane. "It's clear

that, while AI can accelerate response, only

people can build trust, accountability and

strategic resilience.

"True resilience, though, comes from strengthened cyber posture. Every company, whether a traditional enterprise or AI-native start-up, should combine skilled human expertise with intelligent automation. This requires leading from the top - building a security-first culture, enforcing multi-factor authentication, continuous patching and ensuring all employees are trained to recognise and prevent attacks. With the right mix of technology and talent, organisations can prepare not just for today's threats, but also for the AI attacks of tomorrow."

[Photo: Ian Robinson, Titania: AI is changing cybersecurity faster than almost any innovation before it - not always for the better.]

[Photo: Aron Brand, CTERA: the way companies adopt AI can quietly weaken their defences.]

[Photo: Shreyans Mehta, Cequence Security: an AI gateway can secure the interconnected web of AI-mediated interactions generated by agentic AI.]

[Photo: Megha Kumar, CyXcel: it's important to recognise that AI is a double-edged sword like no other.]

DOUBLE BIND

AI now shows up in almost every enterprise

discussion and it creates a double bind for

security leaders. "Adversaries are already using

it to sharpen phishing, generate malware

and automate recon," says Aron Brand, CTO,

CTERA. "Meanwhile, the way companies

adopt AI can quietly weaken their own

defences, especially when sensitive data

meets AI systems."

RAG (Retrieval Augmented Generation) is

seen as the go-to pattern for bringing LLMs

(Large Language Models) into the enterprise,

he adds. "It grounds answers in internal

content, so employees get organisation-specific

results. The catch is duplication.

Many RAG stacks copy files into new indexes

or send context to external APIs. Every copy

expands the attack surface. Worse, once data

leaves its system of record, permission fidelity

erodes. Recreating fine-grained access

controls inside an AI pipeline is hard and

oversharing at query time is the predictable

outcome."
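The query-time oversharing described above, as an added example that is not part of the original article: a copied RAG index that trusts the ACL it captured at indexing time, beside a retriever that re-authorises every candidate against the system of record and fails closed. All names, documents and groups here are constructed for illustration.

```python
"""Permission-aware retrieval for a RAG index (added illustration, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IndexedChunk:
    doc_id: str
    text: str
    acl_snapshot: frozenset  # groups allowed when the file was copied into the index


# Hypothetical stand-in for the system of record (file server / DMS) and its CURRENT ACLs.
SOURCE_ACL = {
    "fin-q3": frozenset({"finance"}),         # access was narrowed after indexing
    "hr-handbook": frozenset({"all-staff"}),
    # "ma-memo" has been deleted at source, but its copy still sits in the index
}

# Constructed index contents: each chunk carries the ACL as it was at copy time.
INDEX = [
    IndexedChunk("fin-q3", "Q3 revenue forecast and margin targets",
                 frozenset({"finance", "sales"})),
    IndexedChunk("hr-handbook", "Annual leave policy and revenue sharing scheme",
                 frozenset({"all-staff"})),
    IndexedChunk("ma-memo", "Acquisition target revenue multiples",
                 frozenset({"all-staff"})),
]


def _score(query, text):
    """Toy relevance score: number of query words present in the chunk."""
    return len(set(query.lower().split()) & set(text.lower().split()))


def retrieve_snapshot_acl(query, user_groups, index=INDEX):
    """Weak pattern: authorise against the ACL copied into the index."""
    hits = [c for c in index
            if _score(query, c.text) > 0 and c.acl_snapshot & user_groups]
    hits.sort(key=lambda c: -_score(query, c.text))
    return [c.doc_id for c in hits]


def retrieve_live_acl(query, user_groups, index=INDEX, source_acl=SOURCE_ACL):
    """Hardened pattern: re-check each candidate against the system of record
    at query time. Unknown or deleted documents are denied (fail closed), and
    every denial is returned so it can be written to the audit log."""
    allowed, denied = [], []
    for chunk in sorted(index, key=lambda c: -_score(query, c.text)):
        if _score(query, chunk.text) == 0:
            continue
        current = source_acl.get(chunk.doc_id)  # None: no longer exists at source
        if current is not None and current & user_groups:
            allowed.append(chunk.doc_id)
        else:
            reason = "missing_at_source" if current is None else "not_authorised"
            denied.append((chunk.doc_id, reason))
    return allowed, denied


if __name__ == "__main__":
    sales_user = {"sales", "all-staff"}
    print("snapshot ACL:", retrieve_snapshot_acl("revenue", sales_user))
    print("live ACL:    ", retrieve_live_acl("revenue", sales_user))
```

The denied list is the signal worth alerting on: repeated `not_authorised` or `missing_at_source` hits show where the index has drifted from its source.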

There's also the 'shadow copy' problem,

states Brand. "When AI tools aren't integrated

with corporate data sources, people upload

documents by hand to make them useful.

That spawns shadow copies - unmanaged,

out of sync, and invisible to the CISO - often

sitting on services with unknown controls."

Agents and orchestration (such as MCP -

Model Context Protocol) raise the stakes,

since mixing private and public contexts can

leak data in non-obvious ways. "For example,

an agent that retrieves confidential financial

files and then hits an external MCP server for

market data may expose sensitive context to

that server. Today's LLMs are credulous by

design and are easily steered by prompt

injection."

The deeper lesson, he argues, is that AI

adoption rewires data flows. "If those flows

bypass the existing guardrails of identity,

access and audit, they recreate the same

shadow IT problems that cloud file-sharing

once did, only faster and at greater scale.

Enterprises that succeed with AI will be the

ones that treat these pipelines as first-class

corporate systems, applying the same discipline

and controls they demand of every other

critical service."

THE WHITE ELEPHANT

Shreyans Mehta, CTO at Cequence Security,

says the productivity gains promised by

agentic AI have seen organisations dedicate

huge amounts of time and energy into

getting projects off the ground. "But those

development teams are struggling to get

even the basics working, in terms of the

underlying infrastructure that needs to be in

place to allow AI agents to communicate.

That means security controls aren't given

equal consideration, and measures such as

authentication and authorisation cannot be

easily implemented. The company then ends

up with a white elephant it can't scale, with

agents that could potentially expose the

business through data loss, misuse or non-compliance."

CISOs are under colossal pressure to determine

the time, resources and risk associated

with these projects, he adds. "They need a

way to safely and securely deploy agentic

AI that doesn't require them to upskill their

developers, enables them to put guardrails in

place and to monitor and log AI interactions,

and to withstand the inevitable change as

regulations evolve."

MCP, the protocol that was designed to


help ease these problems, is itself now part

of the problem, with numerous incidents

coming to light over the past year of MCP

servers exposing data to neighbouring users,

he continues. "It's therefore no longer safe to

assume that those servers can be trusted,

which is why it's now necessary to vet MCP

servers to determine which are secure or

come from reputable vendors. In addition,

many organisations are now opting to build

their own servers to connect agents to

internal and external APIs, and applications.

"Standing up an MCP server is relatively

straightforward - there are plenty of templates

and SDK toolkits out there - but again

the complexity arises when you attempt to

secure AI agents. It's for this reason that

security teams are now looking to use an AI

Gateway not just to expedite traffic, but also

to generate the MCP server and monitor

agentic AI."

TIGHT CONTROLS

An AI gateway can secure the interconnected

web of AI-mediated interactions

generated by agentic AI, concludes Mehta.

"It's able, for instance, to ensure an agent

only has the access it needs to carry out a

specific task by requiring authentication and

authorisation through OAuth 2.0-compliant

identity systems. That AI-to-API access can

then be monitored to capture the prompts,

tools and instructions used to detect and

mitigate the risk of malicious requests, such

as prompt injection hidden in emails or

documents processed by the MCP server

and its tools, preventing agents from going

rogue."

GOOD DEAL OF PROMISE

From his perspective, Chris Newton-Smith,

CEO of IO (formerly ISMS.online), feels the

announcement of the Tech Prosperity Deal

presents a telling moment for AI research,

particularly in fields like cancer treatment and

drug discovery. To achieve its full potential,

though, it must be underpinned by strong

governance that ensures the security and

integrity of the data driving these breakthroughs,

he points out. "Ultimately,

governance is not a brake on innovation - it

connects information security, privacy and AI.

It ensures not just that systems are protected

from external threats, but that the quality,

accuracy and provenance of data can be

trusted throughout the AI lifecycle. It will

ensure AI breakthroughs in areas like cancer

research are delivered responsibly, securely,

and with enduring trust from patients,

practitioners and the public.

"Encouragingly, our recent survey of 3,000

security and compliance professionals shows

that AI governance and data protection are

now front of mind for CISOs and business

leaders," states Newton-Smith. "Executives

told us that data provenance and integrity are

just as critical as network security - in high-stakes

projects like cancer research, results

can only be trusted, if the inputs are secure

and accurate.

"And in projects of this scale, partners span

countries, sectors and supply chains. Therefore,

the importance of globally recognised

governance frameworks to create a common

standard of protection and accountability,

ensuring every participant is working to the

same level of trust, is now essential."

DATA POISONING

Meanwhile, a study of 3,001 cybersecurity and information security managers in the UK and USA by IO reveals that more than one in four organisations in the UK and US (26%) have fallen victim to AI data poisoning in the past year, wherein hackers corrupt the data that trains AI systems, planting hidden backdoors, sabotaging performance or manipulating outcomes to their advantage.

"The consequences are far-reaching, and poisoned models can quietly undermine fraud detection, weaken cyber defences and open the door to large-scale attacks, putting both businesses and the public at risk," says IO.

The IO State of Information Security Report

worryingly found that 20% of organisations

also reported experiencing deepfake or cloning

incidents in the last 12 months. In line

with this, 28% of respondents highlight

deepfake impersonation in virtual meetings

as a growing threat for the next 12 months,

showing how AI is increasingly being

weaponised to target people directly and

undermine trust in everyday business

interactions.

"Beyond deepfakes, AI-generated misinformation

and disinformation tops the list

of emerging threats for the next 12 months,

cited by 42% of security professionals

concerned about scams and reputational

harm," adds IO. "Generative AI-driven phishing

(38%) and shadow AI misuse are also

on the rise, with more than a third (37%) of

respondents reporting that employees use

generative AI tools without permission or

guidance, creating risks of data leaks, compliance

breaches and reputational damage."

Shadow IT in general - downloading or

accessing unapproved software or services - is

already an issue for 40% of organisations and

generative AI is exacerbating the problem,

the company continues, especially when it is

used without human oversight. "40% of

those who are currently facing challenges in

information security cited tasks being

completed by AI without human compliance

checks as a key challenge. If businesses are

not fast enough to address this problem,

employees may well continue to find insecure

workarounds and shortcuts, putting sensitive

data at risk."

See pages 30-31 for more on how AI is

ramping up the security stakes.

www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2025 computing security



data loss prevention

WHICH TIN IS YOURS?

DATA LOSS PREVENTION CERTAINLY 'DOES WHAT IT SAYS ON THE TIN' WHEN PROPERLY

DEPLOYED - BUT THE TIN CAN OFTEN BE IN DANGER OF RUSTING OVER AND LOSING ITS SHINE

Data loss prevention is essential in

any security strategy, as it can help

organisations monitor and protect

sensitive information across on-premises

systems, cloud-based locations and endpoint

devices - and also ensure legal compliance.

But what is the best way to ensure DLP is

effectively activated across all potential points

of failure to ensure full-scale protection?

And where are the potential weak points in

any DLP solution?

MEETING THE CHALLENGE

"While DLP tools protect sensitive information

across endpoints, networks and cloud, they

only address part of the challenge organisations

are facing," says Dominic Carroll,

director of portfolio at e2e-assure. "Attacks

exploit identity compromise, shadow IT

and insider threats that bypass policy-driven

controls. DLP solutions are only as strong

as their coverage and configuration.

"To activate DLP effectively across all potential

points of failure, organisations need more

than technology; they need continuous

monitoring, contextual analytics and the

ability to detect behaviours that signal data

compromise before the information is moved.

While DLP can flag data movements, it

doesn't always reveal the threat actor activity

driving them - it can tell you what data

moved and where, but it cannot always

explain why," he points out. "Was it a legitimate

transfer, an employee error or the result

of compromised credentials and lateral

movement by an attacker? An advanced SOC

bridges that gap, correlating DLP events with

threat intelligence, endpoint telemetry and

user activity to uncover the full story."

Carroll offers the following 'do's' and 'don'ts':

Do:

• Cover all points of failure: endpoints, cloud apps, email and collaboration tools must all be in scope

• Tune policies regularly, aligning DLP rules with business processes and compliance obligations (GDPR, NIS2, sector standards)

• Integrate with identity and access controls, preventing compromised accounts from bypassing safeguards

• Combine DLP with advanced detection, using threat intelligence, anomaly detection and behavioural analytics to catch insider misuse and attacker-driven data theft

• Measure outcomes, including reduced risk of data leakage, fewer compliance breaches, and stronger trust from customers and partners.

Don't:

• Assume technology alone is enough when misconfigured DLP can overwhelm teams with false positives or leave blind spots

• Ignore insider threats, since both accidental and malicious behaviour can evade static controls

• Treat DLP as a silo; instead, integrate with wider Threat Detection & Response to understand the 'why' behind data movement

• Underestimate resource demand: without SOC support, policy management and incident triage can drain internal teams.

MULTI-LAYERED APPROACH

For organisations to ensure DLP is effectively

implemented across all potential points of

failure, adopting a multi-layered approach

that brings together technology, clear policies

and user awareness is fundamental, states

Shannon Dority, marketing manager at

iStorage. "DLP should be applied consistently

across endpoints, networks, cloud services

and secure offline storage to prevent

unauthorised access, data leakage or theft.

A successful strategy depends on enforcing

security measures across the entire IT environment,

including user access controls,

encryption protocols and data monitoring

systems."

A significant starting point, she continues, is

identifying and classifying sensitive data, such

as personal information, financial records,

and intellectual property. "Once classified,

policies must govern how each data set is

accessed, stored, shared and transferred.

Automated DLP tools can then enforce these

policies by monitoring data movement and

blocking unauthorised actions."

Offline secure storage plays a vital role in

this process. "Devices such as hardware-encrypted

USB drives, external hard drives


and air-gapped systems help isolate sensitive

data from online threats," points out Dority.

"These solutions ensure that, even if a device

is lost or stolen, the data remains unreadable

without proper authentication. When combined

with strong encryption standards, they reduce

significantly the risk of unauthorised access."

When managed correctly, offline storage

also gives organisations tighter control over

access. "Physical measures, such as PIN authorisation,

locked storage, access logs and

audits, help maintain strong security. In

parallel, encryption must be applied to data

in transit and at rest. Secure communication

protocols, encrypted file transfers and end-to-end

encryption in cloud environments protect

against data interception, particularly when

using third party services."

Despite these protections, however, weaknesses

remain. "Human error is one of the

most common risks, with users potentially

bypassing controls or falling for phishing or

social engineering attacks. Ongoing training,

clear procedures and a culture of security

awareness are essential. Endpoint devices,

such as laptops and mobile phones, must

also be kept secure and up to date."

There are also key mistakes to avoid, she

points out. "Organisations should not rely

solely on technology, as tools cannot replace

staff awareness. Policies must be tailored to

the specific needs of the organisation, rather

than being generic. Regular reviews and

audits are also crucial, as outdated configurations

can leave gaps in protection. By

combining strong security practices with

education and oversight, organisations can

significantly reduce the risk of data loss."

CHECK, DON'T CHOKE!

DLP is often treated like a checkbox, says

Heather Case-Hall, senior security solutions

architect, Myriad360, but it's one of the most

sensitive levers in security. "Done right, it

protects sensitive information across email,

endpoints, cloud and network traffic. Done

wrong, it can grind operations to a halt."

Here are her do's and don'ts to achieve DLP

effectiveness.

DO: Anchor DLP in Visibility. "DLP is only as

effective as the visibility it has. If sensitive data

can flow outside your line of sight - whether

through email, browsers, file transfers, or

cloud sync - you don't truly have prevention.

Email remains a classic exfiltration vector, but

modern risk lives in browser-based transfers

between on-prem and cloud systems. Without

coverage here, critical data can walk out

unnoticed."

DON'T: Assume Policy = Protection. "A

policy misstep can cripple productivity. I've

seen a poorly tuned DLP rule result in the

infamous 'blue screen of death' across an

enterprise. Overly aggressive configurations

frustrate users, drive workarounds and create

shadow IT. Test policies in controlled pilots

before enforcing them broadly."

DO: Expand Beyond the Obvious. "Modern

DLP needs to integrate with broader Data

Security Posture Management (DSPM) tools

to watch less traditional channels. Microsoft

Purview, for example, can limit exfiltration

via email, but what about low-and-slow

channels like DNS tunneling, or 'old school'

methods like FTP and SSH? Regularly review

your network topology and update coverage

to match real traffic flows."

DON'T: Set It and Forget It. "Data paths

evolve constantly - especially with hybrid

work, SaaS adoption and shadow data

growth. If you're not reviewing DLP controls

and telemetry regularly, you're trusting yesterday's

policies to solve tomorrow's risks. Think

of it like toddler-proofing your house: data

will find the smallest opening, unless you

keep checking the locks."

FINAL THOUGHT. The real 'do' of DLP is

balance, advises Case-Hall. "Protect data

without smothering business. Pair automated

enforcement with continuous review and

stakeholder feedback. Otherwise, sensitive

data may slip away quietly - like a three-year-old

heading out the door while everyone

assumes someone else is watching."

EXFILTRATION AND EXTORTION

Data is an essential driver of any business.

"Whether it be intellectual property that gives

you a competitive edge or information on

your customers, or prospects, data offers

insights into improvements and trends that

a business can capitalise on," says Josh Davies,

principal market strategist, Fortra. "Threat

actors know this, which is why data exfiltration

and extortion are the primary objectives

of high-profile breaches. These breaches

give criminals the information they need to

sell stolen data on the dark web, commit

fraud or social engineering attacks against

customers, and even notify compliance

bodies and b2b partners to force fines or

encourage the breakdown of business

relationships."

Securing data should be a top priority for

any successful and longstanding business,

he adds. "But data security presents unique

challenges. While systems and networks can

be resilient by relying on a dual strategy of

prevention and rapid recovery, once data is

stolen, it can't be recovered. This is why data

security strategies need to focus on data loss

prevention."

Successful DLP projects are deliberate and

patient, Davies adds. "Start by considering

and communicating the intended outcome.

I have seen too many DLP projects fail, just

because no one knew the aims. Is this project

focused on malicious insiders? Accidental

loss? Or both?"

He also encourages understanding what

sensitive data you care about and what the

associated risks are with this data, based on

classification and location. "This begins by

identifying where sensitive data is likely to

be, so you can define the right scope. Data

classification tools and data security posture

management assessments are perfect to

validate your initial assessment, quantify risks

and levels, and set you up for success when it

comes to implementing policies."

Dominic Carroll, e2e-assure: DLP

solutions are only as strong as their

coverage and configuration.

Shannon Dority, iStorage: a successful

strategy depends very much on enforcing

security measures right across the entire

IT environment.

To get the most effective policies, granularity

is recommended, which begins with

nuanced data labels. "Consider labelling data

to improve the efficacy of the DLP, and

persistent labelling for optimum coverage

and limiting blind spots between scans or

data transfers."

Don't:

• Try to boil the ocean. "A working DLP across 80% of your state is better than perfect DLP across 0%, and milestones keep momentum."

• Roll out DLP without informing and consulting end users, and don't block the business of the organisations. "DLP will fail, if it has a significant impact on working lives."

Finally, don't lose patience with DLP, he

advises, as effective DLP is often the last line

of defence that protects trust and business

continuity.

VISIBILITY GAPS

While DLP remains critical for identifying and

blocking sensitive data, modern organisations

face significant challenges when relying on

DLP as a standalone solution, says John

Lynch, director, UK market development,

Kiteworks. "Traditional DLP operates reactively

at specific checkpoints, providing point-in-time

protection without ongoing governance

once data is shared. This creates substantial

visibility gaps. Whilst DLP can identify violations,

it doesn't provide comprehensive

insights into data usage patterns, access

controls or user behaviour across the

enterprise."

Channel fragmentation compounds these

issues, as organisations typically deploy

different DLP solutions across email, file sharing

and web forms, resulting in inconsistent

protection and policy enforcement.

"Moreover, DLP lacks fundamental data

governance capabilities, unable to manage

who has access to data, how long they retain

that access or what actions they can perform

with sensitive information."

TRANSFORMATIONAL TOUCH

The most effective approach to data

protection, he argues, transforms DLP from

a reactive control into part of a proactive,

multi-layered security strategy. "This requires

implementing a unified security architecture

where all sensitive data flows through a

single, hardened platform, with consistent

DLP policies applied across all communication

channels. By establishing a zero-trust foundation

that requires authentication and authorisation

before any data exchange, organisations

create preventive controls that

complement DLP's detective capabilities."

This integrated approach should incorporate

continuous governance through role-based

and attribute-based access controls, end-to-end

encryption that protects data, even if

DLP scanning fails, and advanced threat

detection, including antivirus, ATP and

content disarm and reconstruction.

"When combined with behavioural analytics

to identify suspicious patterns that rules-based

DLP might miss, immutable audit logs

for compliance and centralised security

operations, organisations achieve a comprehensive

data protection strategy.

"This multi-layered approach ensures that,

when an employee attempts to share sensitive

data, the system not only scans the files,

but also authenticates users, verifies permissions,

logs attempts, checks for anomalous

behaviour and provides administrative oversight

for legitimate business needs.

"If any of these steps are violations, the file is

blocked, significantly reducing the likelihood

of data breaches, compared to relying on

DLP alone."


2025 CS Awards

https://flic.kr/s/aHBqjCwUtV

Guests gather before the dinner and awards ceremony.

A NIGHT WHEN ALL THE STARS CAME OUT

THE 2025 COMPUTING SECURITY

AWARDS TOOK PLACE AT A TOP

LONDON VENUE, UNLEASHING

ANOTHER NIGHT OF SUCCESS

AS MANY OF THE INDUSTRY’S

HOTTEST TALENTS STEPPED UP

TO CAPTURE THE PRIZES

The Computing Security Awards

2025 were once again a huge

success, showing the remarkable

breadth of talent that exists right across

our industry.

As advances in technology - from AI

to quantum computing - lay down ever

greater challenges, the solutions on

display at the awards demonstrated

how these are being met and managed

head on. While the winners in each

category were rightly feted by all who

attended, what was evident was how

fiercely competitive these awards - now

in their 16th year - have become.

Category after category was hotly

contested. Winner or finalist, everyone

could enjoy their sense of achievement.

So, congratulations to everyone who

played their parts in making the Awards,

once again, the unique and unmissable

occasion they are.


THE 2025 AWARDS WINNERS:

EMAIL SECURITY SOLUTION OF THE YEAR: Libraesva - Email Security Gateway

ENDPOINT SECURITY SOLUTION OF THE YEAR: VIPRE Security - VIPRE Endpoint Security Cloud

INCIDENT RESPONSE & INVESTIGATION SECURITY SERVICE PROVIDER OF THE YEAR: LRQA

NETWORK SECURITY SOLUTION OF THE YEAR: Performanta - Performanta Safe XDR & FlexMDR

ENCRYPTION SOLUTION OF THE YEAR: WatchGuard Technologies - AD360

ADVANCED PERSISTENT THREAT (APT) SOLUTION OF THE YEAR: Gatewatcher - AIONIQ

DLP SOLUTION OF THE YEAR: VIPRE Security - SafeSend DLP

COMPLIANCE AWARD - SECURITY: Metacompliance

RISK MANAGEMENT SOLUTION/SERVICE PROVIDER OF THE YEAR: LRQA

AI SECURITY SOLUTION OF THE YEAR: Hornetsecurity - 365 Total Protection Plan 4 - AI Cyber Assistant

IDENTITY AND ACCESS MANAGEMENT SOLUTION OF THE YEAR: Cyderes - Identity Security as a Service

MOBILE SECURITY SOLUTION OF THE YEAR: Jamf - Jamf Mobile Security

SECURE DATA & ASSET DISPOSAL COMPANY OF THE YEAR: Gigacycle

CLOUD SECURITY SOLUTION OF THE YEAR: Performanta - Performanta Managed Defender for Cloud & Sentine

PENETRATION TESTING SOLUTION OF THE YEAR: Cybaverse - Penetration Testing

BREACH AND ATTACK SIMULATION SOLUTION OF THE YEAR: Cybaverse - Cybaverse Platform

SECURITY SOFTWARE SOLUTION OF THE YEAR: Keeper Security - KeeperPAM

SECURITY HARDWARE SOLUTION OF THE YEAR: NetAlly - Cyberscope Air

SECURITY EDUCATION AND TRAINING PROVIDER OF THE YEAR: Metacompliance

THREAT INTELLIGENCE AWARD: LevelBlue

SECURITY RESELLER OF THE YEAR: 101 Data Solutions

SECURITY DISTRIBUTOR OF THE YEAR: Brigantia

ENTERPRISE SECURITY SOLUTION OF THE YEAR: Libraesva - Libraesva Email Security

SME SECURITY SOLUTION OF THE YEAR: TrustLayer - TrustLayer One

INDIVIDUAL CONTRIBUTION TO CYBER SECURITY: Kiteworks - Jonathan Yaron

CYBER SECURITY CUSTOMER SERVICE AWARD: Brigantia

SECURITY SERVICE PROVIDER OF THE YEAR: Barracuda Networks

BENCH TESTED PRODUCT OF THE YEAR: Keeper Security - KeeperPAM

SECURITY PROJECT OF THE YEAR: Northdoor & The Salvation Army

NEW PRODUCT/SOLUTION OF THE YEAR: Hornetsecurity - AI Cyber Assistant

ONE TO WATCH SECURITY - PRODUCT: CyberSmart - Patch

ONE TO WATCH SECURITY - COMPANY: Wire

SECURITY COMPANY OF THE YEAR: VIPRE Security

To see the full results – Winners and Runners-Up – go to: www.computingsecurityawards.co.uk



cyber resilience

PUTTING THE 'RESILIENCE' INTO CYBER

WHAT ACTIONS NEED TO BE TAKEN TO ELEVATE CYBER RESILIENCE FROM

A CONCEPT INTO A BOARDROOM CAPABILITY? COMPUTING SECURITY REPORTS

In an independent global survey of 1,200 IT

and security professionals, nearly half of all

respondents (49%) said the cybersecurity

skills gap within their organisations has worsened

over the past 12 months, with the same

percentage stating they are experiencing workplace

burnout. At the same time, a sharp disconnect

has emerged: 45% of C-level leaders

say that they are very confident in managing

cyber risk, whereas only 19% of mid-level

managers agree with this, which emphasises

a growing divide between strategic vision and

operational reality.

Meanwhile, according to a Gartner report:

"Professional security services for 2024 had

the highest market share with 35.5% or

$27.3 billion [in current US dollars]. Interest

in professional security services is rising, due

to increasing enterprise needs for third-party

support, driven by skills shortages, alongside

the growing demand for specialized expertise,

including AI."

In line with such findings, it is no coincidence

that global cybersecurity company

Bitdefender has launched a new offering

to enhance cybersecurity operations for

businesses by providing high-level security

consulting and on-demand access to specialised

expertise. Bitdefender Cybersecurity

Advisory Services have been designed to

"optimise existing security teams, assess and

close security gaps, create tailored strategies,

reduce risk and comply with data regulations

across all environments, including cloud and

third-party supply chains", the company says.

"These new services underscore Bitdefender's

commitment to a comprehensive approach

for customers, covering security controls/

processes, threat prevention, protection,

detection and response."

Bitdefender Cybersecurity Advisory Services

has been set up to help to solve critical

challenges businesses face in identifying and

remediating security gaps across people,

processes and technologies as the attack

surface grows, as well as finding and retaining

specialised talent with expertise in data

laws/regulations, CSO/CISO leadership,

security frameworks and more. Each customer

is assigned a tailored engagement

team, based on their industry, geography

and requirements. This team includes a

delivery manager, certified consultants

and a team lead, who oversees consultants

and briefs stakeholders on results from

Bitdefender assessments.

ALL-IN-ONE OR STANDALONE

Bitdefender Cybersecurity Advisory Services

are designed to complement Bitdefender's

entire solutions portfolio, including endpoint

detection and response (EDR), extended

detection and response (XDR), managed

detection and response (MDR), and offensive

security services - or utilised as a standalone

offering. The services, as such, are structured

into three pillars: Strategy and Leadership;

Risk and Compliance; and Event

Preparedness.

Strategy and Leadership - Bitdefender

Cybersecurity Advisory Services offers advisory

retainers that cover a suite of services that

help to enhance organisational leadership

and provide strategic cybersecurity guidance.

"With a deep bench of experienced CISOs and

security experts, Bitdefender has a proven

track record in diverse industries," states the

company. "These retainer-based services

strengthen and train security teams, develop

and review strategies, create tailored policy

frameworks, and define and review security

metrics and KPIs for effective reporting."

Risk and Compliance - Bitdefender helps

businesses navigate complex regulatory

landscapes by establishing and evaluating

cybersecurity risk and compliance requirements

based on industry, partners, supply

chains and geography. Certified consultants


assess organisations against standards such

as ISO 27001, NIST CSF, GDPR, HIPAA and

SOC 2 to identify and remediate gaps. "This

approach enhances business reputation and

builds trust with customers and partners,"

argues the company.

Event Preparedness - Bitdefender focuses on

preparing for events such as data breaches,

natural disasters and outages. Consultants

assess operational and monetary impacts,

develop incident response, business continuity

and disaster recovery plans. Additionally,

it conducts real-world scenario drills and

table-top exercises to refine and reinforce

crisis management roles and responsibilities.

"Effective security involves more than just

technology - it includes people, processes and

regulatory compliance essential for global

business," says Paul Hadjy, vice president of

APAC and cybersecurity services, Bitdefender

Business Solutions Group. "Bitdefender

Cybersecurity Advisory Services helps

organisations understand their current

security posture, address gaps, optimise

strategies and prioritise actions with expert

guidance. These services complement our

full portfolio, including endpoint protection,

MDR and offensive services, providing a viable

path to a much more streamlined and

thorough cybersecurity operation."

CORE BUSINESS CAPABILITY

Cyber resilience must be viewed as more than

a buzzword - it is a core business capability

that equips organisations with the necessary

tools to continue operating when significant

disruption occurs. So argues Mike Lawrence,

director, Protiviti UK. "To achieve cyber

resilience, teams must begin with clear, end-to-end

visibility of the technology estate -

a dynamic view that goes beyond a static

database or visual," he states. "It requires

understanding how infrastructure, ranging

from the service to asset level, underpins

critical business operations, particularly

customer-facing services where disruption

is most visible and damaging. Without this

depth of insight, resilience remains a concept

instead of a capability."

Cyber teams must also plan for full-outage

scenarios, identifying critical dependencies

and single points of failure, understanding

vulnerabilities, and implementing strategies

to contain damage and keep services operating.

Techniques such as segmentation,

redundancy, and isolated, air-gapped backups

can all play a role here, he says. "Even if an

incident occurs, these measures help ensure

its impact is contained and recovery is swift."

THE BIG CHALLENGE

While the goal of resilience is relatively easy to

describe, achieving it is far more challenging,

as it requires significant investment. "In

organisations that do not view cybersecurity

as a business enabler, securing this investment

can be difficult. Building the case often

starts with qualitative methods - scoring risks,

assessing impacts and identifying whether

they fall within agreed thresholds," continues

Lawrence. "These can be paired with recognised

frameworks such as the NIST Cybersecurity

Framework [CSF], that translate

complex security concepts into accessible,

business-friendly terms. This translation can

help move cyber resilience from a siloed

initiative to a collaborative one."

Quantitative methods, such as the Factor

Analysis of Information Risk (FAIR) model,

go further, by estimating the financial impact

of incidents and the return on proposed

investments. "While such modelling can feel

unfamiliar to teams grounded in technology,

rather than finance, translating risk into

financial terms elevates cybersecurity from an

opaque concept into a boardroom priority."

Building cyber resilience is as much a cultural

shift as a technical one, he firmly believes.

"Organisations in which technology and

business share the same strategic outcomes

will be better placed to justify resilience

investments in terms that the board

understands."

Mike Lawrence, Protiviti UK: teams must

begin with clear end-to-end visibility of

the technology estate.

Paul Hadjy, Bitdefender Business Solutions

Group: effective security involves more

than just technology - it includes people,

processes and regulatory compliance.



artificial intelligence

IS AI ON THE WRONG TRAJECTORY?

SPEND ON DEVELOPING AI IS SAID TO BE OUT OF SYNCH WITH INVESTMENT IN SECURING THE TECHNOLOGY

Investment in AI is happening in all

businesses, whether it is a corporate

subscription to ChatGPT or development

of products and services around the organisation's

own AI models and agents, says

Martin Jakobsen, managing director at

Cybanetix - "but that investment is very much

geared towards acquiring or developing the

technology. There's a clear disparity between

the spend allocated to that versus the spend

allocated to securing the technology".

Hugging Face, for example, which is one of

the largest publicly available repositories of AI

models, was showing 2,131,198 models for

download at one point, he states. "These and

other repositories enable the enterprise to

start developing AI tools simply by downloading

a model and they can then get

going. However, few organisations stop to

think about who developed the model and

what data it was trained upon? Organisations

are more focused on what a model

can do for them, as opposed to what a

model could do to them."

It is not beyond the realm of the possible

that, in a near-term dark dystopian cyber

future, those same AI models could become

an insider threat. "An AI deployed within the

organisation could develop malicious intent

and, because it is connected to corporate

sensitive data and then published in applications,

it would be able to carry out large

data and IP theft unchallenged," warns

Jakobsen.

While there is ample investment in AI, the

cyber security implications of deploying AI

are currently treated as an afterthought.

"Not only is budget and investment lagging

behind, but the services and technology for

protecting AI are also lagging behind the

technology itself. While this is the typical

trend for all technology evolutions - for cloud

the emergence of cloud security lagged

significantly behind and created a whole new

strain of security vendors - the evolutionary

speed of AI could see that lag grow, so

that, rather than threats fostering secure

innovation, they overwhelm the market."

The challenge for CISOs is that the AI

evolution is fast and, if anything, accelerating,

he says, whereby service and solutions

are needed now to be able to keep up with the

development of AI itself. "Currently, AI is

a rapidly evolving security problem without

a solution."

THE MILLISECONDS MENACE

Adversaries are exploiting AI to automate

reconnaissance and launch attacks that

change in milliseconds. This speed is creating

a widening gap between the threats and the

defensive skills cybersecurity professionals rely

on, comments Haris Pylarinos, CEO and

founder of Hack The Box. "To close that gap,

organisations need to harness AI not just for

detection and mitigation but also to transform

how their cybersecurity teams are

trained."

Traditional training will often use static labs

and linear lesson plans. "This means that

learners are rehearsing against outdated

techniques that attackers abandoned long

ago. When real-world incidents deviate from

those scripted scenarios, defenders may be

caught off guard. What professionals really

need is upskilling that more accurately

replicates the unpredictability of live threats.

And this means exposing them to shifting

tactics, and forcing them to adapt quickly

and decisively under pressure."

By analysing individual and team performance,

the latest AI-powered upskilling

platforms can recommend targeted scenarios

to close specific skill and knowledge gaps,

points out Pylarinos. "Technology like Hack

The Box's MCP [Model Context Protocol]

helps deliver adaptive, AI-guided labs that

accelerate hands-on learning and lower

barriers to learning. AI-driven red teaming

assessments can simulate attacker behaviour


and test defensive skills against unpredictable

threats. These environments evolve in real

time, uncovering weaknesses and adjusting

difficulty to keep learners engaged. Along

with stronger technical skills, the result is

faster decision-making, and the ability to stay

calm and decisive under pressure."

Cyber resilience goes beyond technical

proficiency, he adds. "It needs creativity,

mental agility and the ability to think like an

adversary. AI-enhanced upskilling supports

the growth of these qualities by encouraging

experimentation with novel tactics, improvising

responses and making critical

judgments in the middle of uncertainty.

Adaptive systems will reward unconventional,

but effective approaches, instilling confidence

and resourcefulness that more static

training scenarios are rarely able to achieve."

The rapid rise of AI brings fresh unknowns

and flaws, he continues: for example,

unchecked models can magnify mistakes.

"In cybersecurity upskilling, we must ensure

we combine enthusiasm with vigilance.

This means experimenting in controlled

environments, tracking outcomes rigorously,

and constantly changing and adapting.

Learning programs must mirror this reality,

equipping cybersecurity professionals to spot

AI's limits and harness its strengths safely and

effectively."

From intelligent lab curation and personalised

learning pathways to adversarial

emulation and cloud-based incident response

drills, AI has the potential to support every

layer of training, insists Pylarinos. "Simulated

SOC environments will allow cross-functional

teams to practise coordination in real time,

while machine-learning models highlight

emerging attack patterns that inform the

training content.

"The outcome will be a culture of continuous

learning, enhanced by feedback loops

that keep exercises aligned with the evolving

threat landscape and each learner's unique

needs. In this way, training is not a one-off

exercise; it is a sustained driver of professional

growth."

AI is simultaneously an ally and an

adversary, he further comments. "Those

organisations that embrace adaptive, AI-powered

training will ensure their defenders

are not just following playbooks, but are

ready to pivot, improvise and counter threats

with the same speed and agility as the

attackers themselves."

QUEST FOR SUPREMACY

Against this background, AI serenely marches

on in its quest for supremacy, as Paul

Hoffman from BestBrokers.com indicates.

"Following OpenAI's surge to a $500 billion

valuation, overtaking SpaceX and ByteDance,

the world's two most valuable private

companies until now, an essential conclusion

can be drawn: AI is becoming a dominant

force.

Four of the ten most valuable private

companies are now AI firms, with OpenAI

joined by xAI ($200 billion), Anthropic ($183

billion) and Databricks ($100 billion), all

leveraging foundational AI models and platforms

adopted by hundreds of thousands of

businesses worldwide."

In 2025, investor capital is concentrated in

proven sectors, such as fintech, enterprise

technology, and, above all, AI, driving a

"flight to quality" where startups capable of

turning innovation into scalable, sustainable

revenue command the highest valuations,

he states.

OpenAI reached its $500 billion valuation

following a $6.6 billion secondary share sale.

The sale involved participation from investors

such as SoftBank, Thrive Capital, T. Rowe

Price and Abu Dhabi's MGX. OpenAI CEO

Sam Altman has made it clear that, even

without turning a profit yet, the company's

goal is to grow its AI platforms and build

lasting value.

Martin Jakobsen, Cybanetix: many

organisations are more focused on what

an AI model can do for them, rather

than on what it could do to them.

Haris Pylarinos, Cybanetix: Adversaries

are exploiting AI to launch attacks that

change in milliseconds.



compliance

COMPLIANCE GOES 'ON TRIAL'

A NEW CORPORATE CRIMINAL OFFENCE OF 'FAILURE TO PREVENT FRAUD' HAS HIT THE STATUTE

BOOKS, IN A BID TO DRIVE AN ANTI-FRAUD CULTURE AND IMPROVE BUSINESS CONFIDENCE

Businesses are now benefiting from

a new corporate criminal offence of

'failure to prevent fraud', designed to

drive an anti-fraud philosophy and step up

business confidence.

Introduced as part of the Economic Crime

and Corporate Transparency Act (ECCT)

2023, the offence, which came into effect

on Monday, 1 September, holds large organisations

to account, if they profit from fraud.

It forms part of wider measures introduced

by the government to tackle fraud and protect

the UK economy, as part of the 'Plan for

Change'.

With fraud being the most common crime

type in the UK, amounting to around 40%

of all crime in England and Wales, the newly

announced 'failure to prevent fraud' measures

are part of the wider government

ambition to reduce fraud and protect

potential victims, including business victims.

But how much effect might this have on

increasing compliance?

Will it be enough to act as a game changer

or is there more to be done to make compliance

universally accepted and applied?

According to Sean Tilley, senior director

EMEA Sales, 11:11 Systems, the new corporate

offence of failure to prevent fraud

should be viewed less as red tape and more

as a business reality. "For the C-suite, it moves

compliance away from being simply a tick-box

exercise, shifting the priority from only

having a compliance framework in place to

actually demonstrating that the framework

is effective."

He also points out a critical aspect of the

new measures. "The offence is strict liability -

meaning intent doesn't matter. If fraud

happens and you can't show 'reasonable

procedures' were in place, your organisation

is at risk. This raises the stakes for boards and

elevates compliance to a strategic priority."

The upside of this, adds Tilley, is that the

law is a lever for positive change, as it "gives

compliance leaders the authority to secure

investment in better tools, more effective

training and smarter reporting

structures. It

should also push

leadership teams to

integrate fraud prevention

into broader

resilience strategies,

rather than treating it as

a back-office function".

FOCAL POINTS

However, legislation cannot

be seen as a silver bullet, he

states. "Fraud is evolving

quickly, powered by digital

channels and global networks.

Smaller firms may struggle to keep

pace, while larger organisations risk slipping

into a tick-box mindset that satisfies

auditors, but fails to stop real-world

threats," adds Tilley.

UNITED EFFORT

C-suite leaders who want to get ahead

should focus on three things, he suggests:

• Culture at the top - fraud prevention needs to be seen as everyone's responsibility, rather than being a compliance team problem.

• Technology as an enabler - AI-driven monitoring, secure data sharing and integrated reporting can spot the issues humans miss.

• Resilience as a differentiator - by embedding compliance into day-to-day operations, you build trust with customers, regulators and investors.

"The law sets the minimum standard.

Competitive advantage comes from going

beyond making fraud prevention about

avoiding fines, and also making it about

protecting reputation, maintaining customer

confidence and driving long-term value."

Ultimately, compliance must be reframed

as a business enabler. Regulations provide

the baseline guardrails, but organisations

that stop there risk falling behind.

"As the threat landscape is growing in

both scale and sophistication, and

regulatory scrutiny is only set to increase,

those merely meeting the minimum

requirements will be on the back foot. To

lead, fraud prevention must be woven

into the fabric of the organisation: driving

trust, resilience and sustainable growth."


The offence of 'failure to prevent fraud'

follows major steps forward on fraud

prevention, including a bilateral agreement

with the insurance sector and adopting the

first-ever UN resolution on fraud

CRIMINAL LIABILITY

Under the new law, which was passed

with cross-Parliament support, large

organisations can be held criminally liable

where an employee, agent, subsidiary or

other 'associated person' commits a fraud

intending to benefit the organisation.

Examples may include:

• dishonest sales practices

• hiding important information from consumers or investors

• dishonest practices in financial markets.

In the event of prosecution, an

organisation will now have to demonstrate

to the court that it had reasonable fraud

prevention measures in place at the time

that the fraud was committed.

The offence is intended to encourage

organisations to build an anti-fraud culture,

in the same way that failure to prevent

bribery legislation has helped reshape

corporate culture since its introduction

back in 2010.

Throughout the implementation period,

businesses have been supported with

guidance advising on the new offence,

ensuring they take action to prevent fraud.

With recent ONS figures finding that fraud

increased last year by 31%, the government

has placed key focus on tackling this issue.

Plans are developing at speed ahead of

the publication of a new expanded fraud

strategy, which places tackling fraud against

business at its heart, it states.

Fraud Minister Lord Hanson comments:

"Fraud is a shameful crime and we are

determined to bring those responsible to

justice wherever it takes place. [Monday, 1

September] marks a pivotal moment for

businesses and this new offence strengthens

our anti-fraud culture to protect businesses,

build corporate trust and support long-term

economic growth, a cornerstone of this

government's 'Plan for Change'."

Adds Nick Ephgrave, director of the Serious

Fraud Office (SFO): "This is a significant new

tool for prosecutors to tackle serious and

complex fraud, which damages UK business

and undermines our economy. The SFO is

ready to act, if corporates fail to comply

with their new responsibilities."

Hannah von Dadelszen, Chief Crown

Prosecutor leading on fraud and economic

crime for the CPS, also warns that large

organisations must act to put robust fraud

prevention systems in place or leave themselves

open to legal action. "The CPS will not

hesitate to prosecute where companies fail

in their responsibility to prevent fraud and

where the Code for Crown Prosecutors test

is met."

THE NEED TO ADAPT

One of the biggest challenges in security

compliance management is that regulations

change, requiring organisations to adapt

accordingly to stay compliant, along with

staying on top of new security threats.

"In addition, organisations are increasingly

adopting a combination of on-premise

and cloud services, making it hard to gain

a holistic picture of your organisation's

security risks," points out Dov Goldman,

VP of Risk Strategy at Panorays.

"Security compliance management is

particularly challenging for large organisations

with segments of the company

located across different geographic regions.

Communication challenges across the

organisation can increase the risk of a data

breach or failure to pass a compliance audit.

To meet these challenges, security and

compliance teams must work together to

meet security and compliance regulations."

Goldman suggests a range of best practices

for security compliance, such as:

• Create a cybersecurity compliance program

• Establish security controls and automate them

• Develop a risk management plan

• Ensure continuous monitoring

• Develop an auditing process

• Create an incident response plan

• Track cybersecurity incidents.

"Effective security compliance stresses the

importance of security and compliance

throughout your organisation, from the

C-suite through HR and the IT department,"

he adds. "Employees are educated about

security risks, given a high-level explanation

about the systems put in place to defend

against data breaches, and asked to be

vigilant about security risks and preventing

security incidents."

Sean Tilley, 11:11 Systems: the corporate

offence of failure to prevent fraud should

be viewed less as red tape and more as a

business reality.



identity access management

TARGETING THE RIGHT IAM STRATEGY

WE REPORT ON THE KEY STEPS THAT NEED TO BE TAKEN - AND PITFALLS THAT

SHOULD BE AVOIDED - WHEN IMPLEMENTING IDENTITY AND ACCESS MANAGEMENT

Demand for strong Identity and Access

Management (IAM) solutions has

surged. At the same time, users must

navigate the complexities of integrating

IAM systems with legacy infrastructures,

balancing stringent security measures with

user convenience and managing the costs

of deploying comprehensive solutions. Is

there a failsafe way to implement IAM, so

that all these bases are properly covered?

It's all too clear that organisations face

growing pressure to protect user identities

from increasingly sophisticated cyber-attacks,

as Dan Lattimer, area vice president, EMEA

West, Semperis, points out. "While identity

access management systems promise governance,

privileged access management, and

authentication through single sign-on (SSO)

and multi-factor authentication (MFA), an

organisation's identity security

strategy is far

from complete." In fact, he states, many

organisations "lack sufficient visibility into

privileged accounts and service identities,

and rely too much on legacy infrastructure,

such as Microsoft's Active Directory (AD),

the most widely deployed identity directory

globally.

"As the backbone of authentication and

access management for millions of organisations

for the past 25 years, AD can leave

them exposed to increased risks".

Lattimer continues: "While Active Directory

has been the cornerstone of enterprise

identity for more than two decades, it

wasn't designed for the modern era of

cloud, zero trust and nation-state cyber

threats - leaving many organisations

exposed to risks [Active Directory] was

never built to handle. It was designed to

provide a straightforward way of allowing

vast numbers of users to be managed and

monitored, enabling them to access those

resources they need at the time they need

them. This legacy makes AD an incredibly

attractive target for attackers."

So, what steps should

organisations take? "With

identity linking back to AD,

it is imperative to analyse any

configurations that are causing exposures

and indicators of compromise using community

tools available, such as Purple Knight.

Equally important is operating on the

principle of least privilege, ensuring that

insider threats or external attackers can't

exploit excessive or outdated access rights.

Monitor configurations over time for

changes and rectify them in real-time

to maintain a strong security posture."

Next, he advises, establish a testable

backup process that allows clean restores,

so recovery can be achieved quickly and

seamlessly without reintroducing the

malware infection all over again.

"By combining analysis, recovery and

continuous monitoring, organisations can

strengthen the resilience of AD and ensure

that IAM investments deliver on their

promise," insists Lattimer. "Strong identity

governance, privileged access control and

MFA remain essential, but they must be

built on a foundation of a secure, recoverable

identity layer."

FOUNDATIONAL SAFEGUARD

For Lorri Janssen-Anessi, director of external

cybersecurity assessments at BlueVoyant,

implementing a robust Identity and Access

Management strategy is essential for protecting

sensitive data and defending against

threats like ransomware. "The first step is

enforcing multi-factor authentication across

all services, particularly for remote access

points, such as VPNs and webmail. MFA is a

foundational safeguard that reduces the risk

of credential compromise, strengthening a

multi-layered security approach."

"Organisations should adopt the Principle

of Least Privilege (PoLP), ensuring users

and administrators only have access to

the resources necessary for their roles. This

limits exposure, reduces the likelihood of

insider misuse and helps prevent access

creep. Zero Trust architecture strengthens

IAM further by requiring continuous

verification of users and devices, regardless

of location or access level. Trust is never

assumed."

To support IAM effectively, businesses must

centralise and regularly update operating


systems, software and firmware to patch

vulnerabilities, she says. "Network segmentation

is another critical measure, restricting

lateral movement if an attacker gains access.

Together, these measures create a stronger

security posture.

"An integrated IAM program also gives IT

administrators greater visibility and control

over who accesses what and when. Tools

like Single Sign-On (SSO) simplify authentication

across multiple platforms, enhancing

both security and user productivity. Regular

access reviews are essential to ensure permissions

remain aligned with role responsibilities

throughout an employee's lifecycle,

from onboarding to role changes and

offboarding."

IAM also supports compliance, she adds,

with regulations such as GDPR and HIPAA -

all of which require strict access controls

and audit capabilities. "A mature IAM

framework not only reduces risk, but also

demonstrates accountability and helps

organisations avoid costly fines or reputational

damage."

Finally, IAM governance must be proactive.

"Complex IAM systems can introduce insider

threat risks, whether accidental or malicious,"

continues Janssen-Anessi. "Therefore,

streamlined access control, user-friendly

tools and consistent monitoring are essential

to ensuring strong security, without

compromised usability."

PATH TO SUCCESS

There's no 'silver bullet' when it comes to

implementing IAM, points out Geethika

Cooray, general manager of identity and

access management at WSO2, as it's not a

one-size-fits-all endeavour. "But there is a

proven path to success. The best approach

begins with a clear understanding of business

priorities, regulatory requirements and

risk appetite. This means going beyond

compliance checklists to ask the tough

questions, like which digital assets are

mission-critical? Who should have access

to them? How much friction is acceptable

in exchange for stronger assurance?

"By mapping these dimensions, organisations

create a strategic foundation for

IAM, rather than being reactive. From

there, organisations should design an IAM

architecture that prioritises strong security

AND user experience by adopting capabilities

such as single sign-on, MFA, continuous

monitoring, automated provisioning

and deprovisioning. Moreover, IAM programs

must evolve to manage AI agents as

first-class entities."

Security versus convenience is not a

'balancing act', he continues, as some of

the most secure options are also the most

convenient (passwordless authentication is

a good example). "By removing passwords

altogether, organisations not only reduce

the risk of phishing and credential theft,

but also streamline the user journey, as

users don't have to remember passwords,

transforming security from a barrier into

a business enabler.

"A phased rollout, starting with the

highest-impact use cases, minimises

disruption and builds organisational

confidence. Enabling secure, seamless

access for remote employees or high-value

customer portals could be the low-hanging

fruit where the best results can

be obtained in the easiest way."

Equally important is avoiding common

pitfalls. 'Big bang' deployments often fail;

integration complexity is best managed

with connectors, APIs and federation

standards like SAML and OIDC. "Future-ready

IAM also requires careful consideration

of vendor lock-in risks and interoperability

across cloud, hybrid, and on-premises

systems," says Cooray.

"An agile approach, grounded in open

standards, ensures today's IAM decisions will

scale with evolving business models. Overly

restrictive policies can frustrate users and

encourage workarounds, while overly

permissive access creates security gaps.

An example of this is requiring users to

jump through multiple hoops, in order to

tighten security, but alienating them in the

process. The right solution silently monitors

user activity in the background and only

intervenes when risks are high or high-value

transactions are requested. This is called

adaptive authentication."

BALANCING ACT

It remains a challenge to implement IAM

in a way that balances integration, security,

usability and cost efficiency, comments

David Morimanno, field CTO NA, Xalient.

While no implementation is entirely fail-safe,

he says, disciplined strategies can significantly

reduce risk and ensure sustainable

success.

"Too often, organisations launch IAM

initiatives without a realistic, business-driven

roadmap or fail to establish clear ownership,

treating IAM as an isolated IT function,

rather than a cross-functional priority. A

strong IAM program begins with a clear

governance model, executive sponsorship

and business alignment. IAM should be

approached as a business transformation

initiative that defines how digital identities

enable secure access across the enterprise."

However, before initiating change, adds

Morimanno, organisations must assess their

current identity landscape, which includes

cataloguing identity sources, application

dependencies, access models and integration

challenges. "Underestimating this

complexity is a common misstep, particularly

when legacy systems and fragmented

data environments are involved. These gaps

can result in rogue or dormant identities,

prime targets for threat actors who exploit

undocumented access privileges to move

laterally across systems."


Lorri Janssen-Anessi, BlueVoyant: a robust

IAM strategy is essential for protecting

sensitive data and defending against threats

like ransomware.

Geethika Cooray, WSO2: an agile approach,

grounded in open standards, ensures that

today's IAM decisions will scale with evolving

business models.

As modern IAM sits at the intersection of

cybersecurity, data protection and digital

trust, it demands close collaboration

between security operations, risk management

and IT, he adds. "Effective programs

integrate capabilities such as Privileged

Access Management (PAM), Identity

Governance and Administration (IGA),

Access Management (AM) and Cloud

Infrastructure Entitlement Management

(CIEM). However, many organisations

overfocus on tools and overlook the

strategic framework and process design

that make those tools effective.

"IAM is complex, with many moving parts,

and it's easy to get lost in the weeds.

Maintaining a strategic, birds-eye view is

essential to avoid tunnel vision and ensure

alignment with broader business goals."

As such, IAM implementations should be

phased and risk-based, starting with high-value

or high-risk systems to demonstrate

quick wins and build stakeholder confidence.

Incremental deployment ensures

agility and control, while reducing disruption.

"Security must be balanced with user

experience. Poor usability often leads to

workarounds that undermine IAM integrity

- a risk exacerbated when role engineering

and data quality are neglected."

CLEAN INTEGRATION

The key challenge many organisations face

when implementing IAM solutions is finding

one that integrates cleanly with existing

infrastructure, says Darren Guccione, CEO

and co-founder at Keeper Security.

"Legacy systems, shadow IT and

fragmented access controls can create blind

spots that can undermine even the most

sophisticated IAM deployments. It helps to

be explicit about what IAM is responsible

for and what it is not. Where many implementations

falter is at the intersection

between identity and privilege. IAM is the

umbrella capability for identifying users,

managing authentication, and provisioning

and de-provisioning access at scale: roles,

SSO, MFA, lifecycle management and

broader governance fall under IAM's remit.

Its primary purpose is to ensure the right

people get the right access at the right time

- across the organisation."

By contrast, Privileged Access Management

(PAM) focuses narrowly on accounts

and sessions that carry elevated risk - administrators,

service accounts, IT operators and

any identity that can change configuration,

exfiltrate data or pivot laterally. "PAM

enforces least-privilege for those accounts,

provides session controls, implements just-in-time

access and creates detailed audit

trails of privileged activity. Because privileged

accounts present out-sized risk, PAM

applies stricter controls and monitoring

than general IAM controls."

That scope difference is why IAM and

PAM are complementary, rather than

interchangeable, Guccione points out.

"Whereas IAM governs identities and

everyday access for all users, PAM secures

the smaller population of privileged identities

and the critical systems they touch.

Treating them as separate, integrated layers

- IAM for broad identity governance, PAM

for focused protection of high-risk access -

significantly reduces overlap and ensures

both solutions are fit for purpose."

Practical implementation starts with taking

an inventory of identities and privileged

access, mapping privileges, and defining

roles and policies, he says.

"Organisations can then move on to

addressing risk-differentiation by applying

IAM controls enterprise-wide and deploying

PAM where accounts have elevated rights or

can access sensitive systems. Typical pitfalls

to avoid are assuming IAM alone will protect

privileged credentials and failing to instrument

strict controls, continuous monitoring and

automated response for privileged sessions."
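The inventory step described above can be sketched in code. This is an added example, not code from Keeper Security or the magazine; the record fields, the 90-day dormancy threshold and the account names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DORMANT_AFTER = timedelta(days=90)  # assumed threshold; set it from your own policy


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                   # "user" or "service"
    privileged: bool            # can change configuration or reach sensitive systems
    last_used: Optional[date]   # None means the account has never been used
    mfa: bool
    pam_managed: bool           # credential vaulted / sessions brokered by PAM
    owner: Optional[str]        # accountable person; None if nobody is recorded


def findings_for(ident: Identity, today: date) -> List[str]:
    """Return the inventory findings that apply to one identity."""
    found = []
    if ident.last_used is None or today - ident.last_used > DORMANT_AFTER:
        found.append("dormant")
    # Pitfall named in the article: assuming IAM alone protects privileged credentials.
    if ident.privileged and not ident.pam_managed:
        found.append("privileged-outside-pam")
    if ident.privileged and ident.kind == "user" and not ident.mfa:
        found.append("privileged-no-mfa")
    if ident.kind == "service" and ident.owner is None:
        found.append("unowned-service-account")
    return found


def triage(inventory: List[Identity], today: date) -> List[Tuple[str, List[str]]]:
    """Identities with findings, privileged ones first, then by number of findings."""
    rows = []
    for ident in inventory:
        found = findings_for(ident, today)
        if found:
            score = (10 if ident.privileged else 0) + len(found)
            rows.append((score, ident.name, found))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return [(name, found) for _, name, found in rows]


# Constructed sample inventory (not real accounts).
TODAY = date(2025, 11, 26)
SAMPLE_INVENTORY = [
    Identity("alice", "user", False, TODAY - timedelta(days=3), True, False, "alice"),
    Identity("adm-bob", "user", True, TODAY - timedelta(days=200), False, False, "bob"),
    Identity("svc-backup", "service", True, TODAY - timedelta(days=1), False, True, None),
    Identity("carol-old", "user", False, None, True, False, "carol"),
]

if __name__ == "__main__":
    for name, found in triage(SAMPLE_INVENTORY, TODAY):
        print(f"{name}: {', '.join(found)}")
```

In practice the records would come from the directory and PAM exports rather than a hard-coded list.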



encryption

LIGHTING THE WAY FORWARD

ENCRYPTION CAN BE REWARDING - BUT CHALLENGING. HOWEVER,

USING THAT AS A REASON NOT TO ADOPT A SOLUTION COULD

LEAVE ORGANISATIONS HIGHLY VULNERABLE TO ATTACK

When you are committed to

travelling the encryption road,

there are many barriers to adoption

that have to be overcome, not just the

commonplace obstacles, but also the myths

that are often encountered along the way.

That said, encryption is now much more

extensively used, according to the Apricorn

annual survey, with 59% of IT decision

makers implementing the technology.

"As a result, the vast majority (94%) view

encryption as a key part of their data

encryption strategies and removable media

policies," says the company's Jon Fielding,

managing director of EMEA.

It's a move that has been partially driven by

remote and hybrid working practices, and the

need to protect data and peripherals outside

the company network. "However, there's still

some confusion over which data sets to

encrypt; just over one in ten said this was

an issue that clouded their thinking when it

came to rolling out a cybersecurity plan for

their remote workforce," he reveals.

The trajectory may also be influenced by the

sobering fact that 24% identified a lack of

encryption as the main cause of a breach

over the past 12 months. "This has seen

the use of encryption soar, with 64% now

encrypting all laptops and desktops, 54% all

USB drives and 63% all portable hard drives.

And it's a trend that is expected to continue,

with around a quarter planning to apply

encryption to laptops (26%), USB drives

(27%), hard drives (25%) and desktops (24%)

going forward, and another 38% extending

encryption measures to mobiles," adds

Fielding.

BACKUPS BOLSTERED

Surprisingly, there was a marked decline in

the use of encryption to protect against

ransomware, with just 10% citing this as a

driver, down from 12% last year and 17%

in 2023. "This may well be due to the

sophistication of ransomware, which has

seen a certain inevitability creep in, so that,

rather than focus on solely trying to prevent

and protect against the initial compromise,

there's been a greater emphasis on bolstering

backups."

Awareness of the value of hardware-based

encryption has also risen, he says. "While 29%

said they use software-based encryption to

protect the data on employee devices, over a

third (34%) said they now only allow the use

of hardware encrypted removable media that

is approved by the organisation. This is welcome

news because, while software-based

encryption is of value, it can still be susceptible

to counter resets, software hacking,

screen capture and keylogging. In contrast,

FIPS certified hardware-based encryption

housed on the device protects the encryption

keys from brute-force attacks and unauthorised

access."

Encryption is becoming more embedded

throughout the data lifecycle, "but the

challenge now is getting it to become

ubiquitous and automatic", Fielding

concludes.

THE MENACE LURKING

The argument for encryption is a compelling

one, when an organisation gets the process

right, but there is a threat to its effectiveness

lurking in the shadows: quantum computers.

These have the potential to break most

existing encryption methods, in just hours,

compared with the millions of years it would

take with current computers, goes the

argument.

Warns the National Cyber Security Centre

(NCSC): "Quantum computers use properties

of quantum mechanics to compute in a

fundamentally different way from today's

digital, 'classical', computers. They are,

theoretically, capable of performing certain

computations that would not be feasible for

classical computers. Although advances in

quantum computing technology continue to

be made, quantum computers today are still


limited and suffer from relatively high error

rates in each operation they perform."

In the future, it is possible that error rates

can be lowered such that a large, general-purpose

quantum computer could exist,

the NCSC concedes. "It is, however, hard

to predict when this may happen, as many

engineering and physical challenges must be

overcome first. Many nations are investing

heavily in quantum computing and, assuming

developers overcome these challenges in

future, most traditional public key cryptography

(PKC) algorithms in use today will be

vulnerable to attack." A quantum computer

that will be able to run these attacks is

referred to as a cryptographically-relevant

quantum computer (CRQC).

Traditional PKC includes algorithms based

on integer factorisation (such as RSA), and

algorithms based on the discrete logarithm

problem (such as Finite Field Diffie-Hellman,

ECDH, DSA, ECDSA, EdDSA). These algorithms

are primarily used for:

• key establishment (used to agree a shared cryptographic key for secure communication)

• digital signatures (used to underpin proof-of-identity and trust on a network).

For key establishment and encryption, there

is a risk from an attacker collecting and storing

data today and decrypting it at some

point in the future. "Given the cost of storing

vast amounts of old data for decades, such

an attack is only likely to be worthwhile for

very high-value information. This means that,

for organisations that need to provide long-term

cryptographic protection of very high-value

data, the possibility of a CRQC in the

future is a relevant threat now."

KEY CONCERNS

The threat to digital signatures is that an adversary in possession of a CRQC could forge signatures to impersonate the legitimate private key owner or tamper with information whose authenticity is protected by a digital signature. "This attack should be considered before a CRQC exists, particularly when deploying keys for high-value trust anchors that are intended to have a long operational lifetime."

In contrast with PKC, states the NCSC, the security of symmetric cryptography is not greatly impacted by quantum computers and existing symmetric algorithms with at least 128-bit keys (such as AES) can continue to be used. "The security of hash functions, such as SHA-256, is also not significantly affected and secure hash functions can also continue to be used.

"The best mitigation against the threat of quantum computers to traditional PKC is post-quantum cryptography (PQC). Also known as 'quantum-safe cryptography' or 'quantum-resistant cryptography', PQC algorithms will replace the vulnerable PKC algorithms used today for both key establishment and digital signatures."

The security of PQC algorithms is based on mathematical problems that are believed to be intractable for both classical and quantum computers. "These algorithms will not necessarily be drop-in replacements for the current PKC algorithms in protocols or systems, so system owners should begin planning for the migration to PQC," the NCSC strongly advises.
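The NCSC split described above (key establishment and signatures at risk, symmetric ciphers with at least 128-bit keys unaffected) can be applied to a TLS inventory as a first migration-planning step. The following is an added example, not code from the article or the NCSC; the host names, result labels and function names are assumptions, while the suite names are standard IANA identifiers.

```python
import re

# Families the NCSC passage names as traditional PKC (factorisation / discrete log).
KEX_VULNERABLE = {"RSA", "DH", "DHE", "ECDH", "ECDHE"}
SIG_VULNERABLE = {"RSA", "DSS", "ECDSA", "EDDSA"}  # DSS is the TLS name for DSA


def symmetric_key_bits(cipher):
    """Return the symmetric key length implied by the cipher part, or None."""
    if cipher.startswith("CHACHA20"):
        return 256
    m = re.match(r"(?:AES|CAMELLIA|ARIA)_(\d+)", cipher)
    return int(m.group(1)) if m else None


def assess_suite(name):
    """Split an IANA TLS cipher suite name and label each component."""
    findings = {}
    body = name[len("TLS_"):] if name.startswith("TLS_") else name
    if "_WITH_" in body:
        # TLS 1.2 style: <kex>[_<auth>]_WITH_<cipher>_<hash>
        left, cipher = body.split("_WITH_", 1)
        parts = left.split("_")
        kex, auth = parts[0], parts[-1]  # TLS_RSA_WITH_*: RSA does both jobs
        findings["key_establishment"] = (
            "harvest-now-decrypt-later" if kex in KEX_VULNERABLE else "review")
        findings["signature"] = (
            "forgeable-with-CRQC" if auth in SIG_VULNERABLE else "review")
    else:
        # TLS 1.3 style: key exchange and signature are negotiated elsewhere
        cipher = body
        findings["key_establishment"] = findings["signature"] = "not-in-suite-name"
    bits = symmetric_key_bits(cipher)
    findings["symmetric"] = "ok" if bits and bits >= 128 else "review"
    return findings


# Constructed sample inventory: hypothetical hosts, real IANA suite names.
INVENTORY = {
    "mail.example.test": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "legacy.example.test": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "api.example.test": "TLS_AES_256_GCM_SHA384",
    "vpn.example.test": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
}


def migration_priority(inventory):
    """Hosts whose recorded traffic is exposed to store-now, decrypt-later."""
    return sorted(h for h, s in inventory.items()
                  if assess_suite(s)["key_establishment"] == "harvest-now-decrypt-later")
```

A TLS 1.3 suite name carries no key exchange or signature information, so those hosts need the negotiated group and certificate algorithm checked separately.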

In response, the National Institute of Standards and Technology (NIST) has led efforts to develop post-quantum encryption (PQE) to defend against these future threats. Widespread availability of this technology would completely upend data security. So, what does this mean for the future of data security?

Jason Soroko, senior fellow at Sectigo, points out that threat actors will use quantum computing to unravel quantum cryptography that uses any form of factorisation. "For instance, RSA and ECC used to encrypt data in transit, also digital signing, authentication etc… these threat actors will be using quantum security in conjunction with Shor's algorithm. In topics of AI and quantum computing, it's absolutely no different than the analogy of why we had an Apollo project.

"Every country, or group of countries, needs to have this technology at the same time as all of its adversaries or competitors. To not have a powerful quantum computer or sovereign AI puts you at extreme disadvantage. It's a modern Space Race."

THREAT LEVELS SOAR

The advent and impact of post-quantum cryptography notwithstanding, Nitin Todkar, senior researcher at Polaris Market Research and Consulting, stresses the need for high-end email encryption as the threat level soars to dangerous heights. "In an age where data privacy is under constant threat, securing email communication is more critical than ever. Email encryption ensures that sensitive messages and attachments are unreadable to anyone other than the intended recipient. This protects personal, financial or business-critical information from being intercepted or exposed during transmission, significantly reducing the risk of data breaches."

Then there is regulatory compliance. "Many industries are governed by strict data privacy regulations such as GDPR, HIPAA, and CCPA. Email encryption helps organisations meet these compliance requirements by securing confidential communication and maintaining proper audit trails, which can protect them from legal penalties and reputational damage," states Todkar.

That goes hand in hand with increased customer trust. "When clients and partners know their information is handled securely, it builds confidence in the organisation. Encrypted communication demonstrates a commitment to privacy and security, which enhances brand reputation and strengthens relationships with customers and stakeholders," he continues.

Jon Fielding, Apricorn: the vast majority [94% in an annual survey] view encryption as a key part of their data encryption strategies and removable media policies.

Jason Soroko, Sectigo: threat actors will use quantum computing to unravel quantum cryptography that uses any form of factorisation.

Encrypted email systems often come with authentication and verification features that help detect suspicious activity. These measures make it harder for attackers to spoof identities or intercept sensitive data, providing a stronger defence against phishing attacks, malware and other cyber threats.

MARKET DYNAMICS

There is a lot at stake, as Polaris Market Research highlights, with the email encryption market size expected to reach USD 44.70 Billion by 2034, according to a new study by the company.

The report (snappily titled 'Email Encryption Market Share, Size, Trends, Industry Analysis, By Deployment Type, By Offering, By Organization Size, By End User, and By Region; Market Forecast, 2025-2034') gives a detailed insight into current market dynamics and provides analysis on future market growth.

"The email encryption market is expanding as organisations prioritise secure communication frameworks to protect sensitive data shared across digital platforms. Growing focus on safeguarding confidential information from cyber threats is increasing the demand for encryption software, key management systems and policy-based security controls integrated within email clients and cloud-based environments."

So, what factors are driving that market growth? To the fore are the rising level of phishing attacks, increasing compliance requirements and broader digital transformation across sectors such as healthcare, finance, and government.

"Advancements in automated encryption, real-time policy enforcement and seamless integration with enterprise IT systems are driving adoption across small, medium and large-scale organisations," reports the research organisation.

GOVERNANCE AND ADHERENCE

"In terms of deployment type, the on-premise segment dominated the market in 2024, due to strong preference for internal data governance and regulatory adherence, especially across government and large-scale enterprise networks.

"Based on offering, the service offering segment is poised to capture significant market share by 2034, fuelled by increasing enterprise adoption of third-party managed security solutions."

Rising concerns over data privacy and compliance obligations are increasing the use of scalable encryption platforms that enable seamless integration with enterprise systems, cloud computing services and regulatory frameworks.

Developers are advancing automated key lifecycle management, centralised policy enforcement and user-friendly interfaces to streamline secure communication.

Meanwhile, "integration of quantum-resistant algorithms and metadata protection capabilities are pushing towards platform reliability through adoption of email encryption as an essential layer of enterprise cybersecurity infrastructure".

North America maintained its position as the dominant regional market in 2024, with its leadership highlighted by rigorous compliance mandates such as HIPAA and GDPR, adds Polaris Market Research.

"The Asia Pacific email encryption market is anticipated to exhibit robust growth through 2034, driven by accelerating digital transformation initiatives across enterprises and government sectors." Some of the global key market players include Broadcom, Cisco Systems, Microsoft and Proofpoint.
