Supply Chain Risk in 2026: The Hidden Threats Beyond Your Estate
Organisations are more connected than ever before. Supply chains have expanded accordingly, and so has the level of risk that comes with them.
Cloud services, managed service providers, SaaS platforms, open source software and outsourced business functions now form part of an extended digital supply chain that sits well beyond the traditional network perimeter. According to recent industry analysis by DeepStrike, third-party involvement is now present in approximately 30% of all data breaches, double the proportion seen just a few years ago.
More concerning still, research from IBM shows that breaches involving supply chain compromise are typically more expensive and take longer to contain than other incidents. While the global average cost of a data breach currently sits at roughly $4.44 million, supply chain compromise is one of the most significant factors that amplifies the total cost of a breach. In the UK it can add an average of £241,620 to the cost of an incident. (source: DeepStrike)
According to IBM's Cost of a Data Breach Report 2025, breaches involving supply chain compromise take an average of 267 days to identify and contain. As attackers increasingly exploit trusted relationships rather than relying solely on technical vulnerabilities, supply chain risk is now one of the most critical cyber security challenges for organisations of any size.
Understanding Your Supply Chain Risk
Supply chain cyber risk refers to the exposure an organisation faces as a result of its reliance on third‑party suppliers, vendors, partners, and software components. Rather than attacking a target directly, threat actors compromise a supplier and leverage the trust relationship to gain access to downstream victims.
Supply chain attacks have become an increasingly common and damaging tactic among cyber criminals. Such breaches highlight just how vulnerable organisations can be when the security of their partners, vendors, and software providers is compromised.
Understanding supply chain risk begins with achieving full visibility across all third-party services and suppliers your organisation relies upon. Identifying these critical relationships is essential, as gaps in awareness can expose internal systems and sensitive data to external threats.
Assessing each supplier’s security maturity and posture helps clarify potential vulnerabilities, while evaluating how easily attackers might exploit these connections provides insight into your overall risk profile.
Importantly, your industry or sector also shapes the likelihood and nature of supply chain attacks. Certain fields, such as finance or healthcare, face heightened targeting due to the value of their assets and data. Proactive supply chain risk assessment empowers organisations to anticipate, mitigate, and respond to threats more effectively.
Supply Chain Sorted, with HackRisk
HackRisk’s Supply Chain Security tools proactively manage your third-party risk, monitor vendor posture, and strengthen your supply chain security.
Our Supply Chain Security tool gives you real-time insight into third-party risk across your ecosystem. Invite your suppliers to join HackRisk, share your HackRisk Scores and encourage your suppliers to invite their own vendors to build a stronger, more resilient supply chain.
Why Supply Chain Risk Management Matters
Supply chain attacks are no longer rare, isolated incidents. Industry reporting throughout 2024 and 2025 shows sustained growth in both the frequency and impact of supply‑chain driven breaches, particularly those involving software vendors, open‑source ecosystems and managed service providers. This surge has prompted organisations to turn to established frameworks and risk models for guidance in managing supply chain cyber risk.
NIST Framework
One of the most widely recognised frameworks is the NIST Cybersecurity Framework (CSF), which provides a structured approach to identifying, protecting, detecting, responding to, and recovering from cyber threats, including those originating from the supply chain.
NIST has published dedicated guidance, such as NIST SP 800-161 Revision 1: "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations", which outlines best practices for assessing, monitoring, and mitigating risks associated with third-party vendors, software components, and service providers. The guidance emphasises the importance of integrating supply chain risk management (C-SCRM) into overall cybersecurity strategy, including activities such as supplier risk assessments, contract security requirements, continuous monitoring, and incident response planning.
Other Frameworks
Other notable frameworks include the ISO/IEC 27001 and ISO/IEC 27036 series, which address information security management and specific guidelines for managing risks in supplier relationships. The Center for Internet Security (CIS) Controls also recommends measures such as maintaining an inventory of third-party assets, enforcing least-privilege access, and regularly validating supplier security practices.
By leveraging these frameworks, organisations can systematically identify vulnerabilities in their supply chain, implement robust controls, and foster a culture of continuous improvement and vigilance. Proactive supply chain risk management is now considered essential for defending against the evolving threat landscape, as highlighted by recent high-profile breaches and ongoing industry research.
Real‑World Supply Chain Breach Examples
XZ Utils Open‑Source Backdoor (2024): A sophisticated backdoor was discovered in xz/liblzma, a compression library shipped by virtually every Linux distribution, which reached OpenSSH servers on systems where sshd loads liblzma. The case demonstrated how long‑term social engineering of a volunteer maintainer and open‑source dependency risk can threaten critical infrastructure globally. (source: Datadog Security Labs)
SolarWinds Orion Breach (2020): Perhaps the most infamous supply chain attack in recent memory, the SolarWinds incident saw hackers infiltrate the company’s software development pipeline. By compromising updates for the widely used Orion IT monitoring platform, attackers were able to insert malicious code that was subsequently pushed to approximately 18,000 customers, including major government agencies and global corporations. This breach demonstrated how a single compromised supplier can result in a cascade of downstream victims, often undetected for months. (source: NCSC)
Kaseya Ransomware Attack (2021): In another headline-grabbing example, cybercriminals targeted Kaseya, a company that provides IT management software to managed service providers (MSPs). By exploiting a vulnerability in Kaseya’s VSA platform, hackers were able to distribute ransomware to hundreds of organisations in one coordinated attack. The event underscored how attackers can use trusted software suppliers as a force multiplier to scale their impact and bypass traditional security measures. (source: PurpleSec)
Jaguar Land Rover Supply Chain Attack (2025): In a high-profile incident, attackers targeted Jaguar Land Rover, reportedly by exploiting a well-known vulnerability in a third-party SAP NetWeaver platform used by one of the automaker's suppliers. The breach disrupted production and supply chain operations, demonstrating how cybercriminals can leverage weaknesses in widely deployed enterprise software to compromise even mature organisations. The overall cost of the incident is estimated at no less than £1.9 billion ($2.5 billion), making it the most economically damaging cyber event ever recorded in the UK. The attack halted production at multiple sites, affected over 5,000 organisations in the supply chain, and required a £1.5 billion government loan guarantee to stabilise operations. JLR's wholesale deliveries dropped nearly 25% year-on-year, and recovery is still ongoing in early 2026. (source: SysGroup)
These real-world cases serve as stark reminders that even the most robust internal cybersecurity practices can be undermined if third-party partners and software providers are not held to the same standards. Vigilance, continuous oversight, and a strong supply chain risk management strategy are essential to safeguarding today’s interconnected digital infrastructure.
5 Steps to Reducing Supply Chain Risk
Organisations can significantly reduce their exposure through visibility of suppliers, proportionate due diligence, least‑privilege access, continuous monitoring and robust incident response planning.
- Supplier Visibility: Maintain an up-to-date inventory of all suppliers, vendors, and third-party service providers. Use standardised risk classification, as outlined by NIST CSF and ISO/IEC 27036, to segment suppliers based on the sensitivity and criticality of their access and services.
- Proportionate Due Diligence: Conduct thorough risk assessments before onboarding new suppliers, scaling the depth according to their potential impact. Review security certifications, controls, and incident history to align with NIST SP 800-161 and ISO/IEC 27001 requirements for evaluation and ongoing monitoring.
- Least-Privilege Access: Enforce strict access controls so suppliers only have the minimum necessary access to perform their duties. Both NIST CSF and CIS Controls support the least-privilege principle to limit potential damage from breaches.
- Continuous Monitoring: Implement real-time monitoring of supplier activities and automated alerts for unusual behavior. Regularly validate supplier security practices through audits, questionnaires, or penetration testing as recommended in NIST and ISO frameworks.
- Robust Incident Response Planning: Integrate suppliers into your incident response plans by establishing clear communication channels, escalation paths, and joint response exercises. NIST CSF emphasises the importance of coordinated response and recovery processes that include third-party partners.
By aligning your supply chain risk management with established models like the NIST CSF and ISO/IEC standards, you can effectively identify vulnerabilities, implement targeted controls, and foster a culture of continuous improvement—significantly reducing the likelihood and impact of supply chain cyber incidents.
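The "continuous monitoring" and "least-privilege" steps above are easiest to see as a concrete check: record, at onboarding, what each supplier account is allowed to do (source network, contracted hours, in-scope systems), then test every authentication event against that profile. The following is an added example written for this article, not code from any product or from the frameworks cited; the supplier registry, network ranges and log lines are constructed for illustration.

```python
"""Flag third-party (supplier) account activity that falls outside the access
scope agreed at onboarding.

Constructed example: the supplier registry, network ranges and log lines below
are invented for illustration and are not from any real environment.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Supplier registry: what each vendor account is permitted to do (assumed values).
SUPPLIERS = {
    "svc-payroll-vendor": {
        "allowed_nets": ["203.0.113.0/24"],   # vendor's declared egress range
        "allowed_hours_utc": (8, 18),         # contracted support window
        "allowed_systems": {"hr-db", "payroll-app"},
    },
    "svc-msp-monitoring": {
        "allowed_nets": ["198.51.100.0/24"],
        "allowed_hours_utc": (0, 24),         # 24/7 monitoring contract
        "allowed_systems": {"monitoring-gw"},
    },
}

# Constructed log sample: one JSON object per line, as an SSO or VPN gateway might emit.
SAMPLE_LOG = """\
{"ts": "2026-01-12T09:15:00Z", "user": "svc-payroll-vendor", "src": "203.0.113.17", "system": "payroll-app", "action": "login"}
{"ts": "2026-01-12T23:40:00Z", "user": "svc-payroll-vendor", "src": "203.0.113.17", "system": "payroll-app", "action": "login"}
{"ts": "2026-01-12T10:02:00Z", "user": "svc-payroll-vendor", "src": "192.0.2.44", "system": "payroll-app", "action": "login"}
{"ts": "2026-01-12T10:30:00Z", "user": "svc-payroll-vendor", "src": "203.0.113.17", "system": "crm-db", "action": "query"}
{"ts": "2026-01-12T03:00:00Z", "user": "svc-msp-monitoring", "src": "198.51.100.9", "system": "monitoring-gw", "action": "login"}
{"ts": "2026-01-12T11:00:00Z", "user": "svc-unknown-vendor", "src": "203.0.113.5", "system": "hr-db", "action": "login"}
"""


def _in_allowed_net(src, nets):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def check_event(event, suppliers=SUPPLIERS):
    """Return the list of policy violations for one parsed log event."""
    profile = suppliers.get(event["user"])
    if profile is None:
        # A supplier-style account missing from the registry is itself a finding:
        # either the inventory is incomplete or the account should not exist.
        return ["unregistered_supplier_account"]

    findings = []
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    start, end = profile["allowed_hours_utc"]
    if not (start <= ts.hour < end):
        findings.append("outside_contracted_hours")
    if not _in_allowed_net(event["src"], profile["allowed_nets"]):
        findings.append("unexpected_source_network")
    if event["system"] not in profile["allowed_systems"]:
        findings.append("out_of_scope_system")
    return findings


def detect_violations(log_text, suppliers=SUPPLIERS):
    """Parse JSON-lines log text; return (user, timestamp, findings) for each event that breaks policy."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = check_event(event, suppliers)
        if findings:
            alerts.append((event["user"], event["ts"], findings))
    return alerts


if __name__ == "__main__":
    for user, ts, findings in detect_violations(SAMPLE_LOG):
        print(f"ALERT {ts} {user}: {', '.join(findings)}")
```

The registry is the least-privilege statement for each supplier; the detector turns it into alerts. Of the six constructed events, the first and fifth are within scope, while the others produce an out-of-hours login, a login from an undeclared network, a query against a system the vendor was never granted, and an account that is not in the inventory at all, which is the gap a supplier visibility exercise is meant to close.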
Get Your Free HackRisk Report
AI-powered cyber risk monitoring with secure dashboard and shareable reports, delivered by security experts.
We’ll perform a full external scan and generate your first HackRisk Report, completely free of charge.
You will receive your HackRisk report within 24 hours. No card details necessary.
Four Steps to Strengthen Cyber Security for the Age of Artificial Intelligence
Integrating Identity Security, AI Governance, and Risk‑Based Remediation for Stronger Protection
According to a 2023 survey among global business and cyber leaders, 65% believed cyber security was the sector expected to be the most affected by generative artificial intelligence (AI).
In 2026, there is no doubt that artificial intelligence is transforming cyber security on both sides of the fence. Attackers are using it to move faster and phish smarter. Defenders are using it to detect earlier and respond sharper.
1. AI Is Supercharging Attackers, So Strengthen Your Human Firewall
Gone are the days when poor grammar and bad formatting gave phishing emails away. Generative AI now enables cyber criminals to craft messages that look and feel authentic.
The key is to prioritise people in your cyber security strategy. Use cyber security awareness training to equip your teams to recognise subtle warning signs, question any suspicious consent prompts, and always verify unexpected or unusual requests using a different communication channel.
By fostering a security-aware culture that blends human vigilance with technology, organisations can better defend against sophisticated AI-driven threats and reduce the risk of successful attacks.
Tip: Enforce phishing-resistant MFA and update awareness training to include deepfake demos and modern phishing examples, not just "bad link" spotting.
Generative AI in Cyber Security Explained
Generative AI is changing the game. Is it helping defenders more than attackers? Dive into the risks, opportunities, and real-world impact of AI on cyber security.
Dave Mareels, Senior Director of Product Management at Sophos, joins the podcast to explore how generative AI is reshaping the cyber threat landscape.
2. AI and Human Defenders Working Together
Cyber attacks are multistage and often start with a valid login. AI isn’t just a threat, it’s part of the solution. The strongest defences combine AI with human expertise. Together, they can spot weak signals in context, investigate quickly, and contain incidents before they escalate.
Identity Threat Detection and Response is critical. Attackers increasingly target identity systems, so monitoring and responding to identity-based threats should be a priority.
Tip: Assess out-of-hours coverage and escalation paths. If you can’t investigate and respond in minutes, not hours, consider 24/7 managed detection and response for faster risk reduction.
3. If Your Data Isn’t Ready for AI, You’re Not Ready for AI
To effectively harness the benefits of AI while minimising risk, organisations must take a structured approach to AI governance. This starts with curbing the use of Shadow AI, that is, unapproved applications or tools that staff adopt without IT oversight, as these can introduce significant security and compliance concerns.
Organisations should formalise the use of Sanctioned AI by clearly defining approved tools and implementing robust controls to ensure safe, compliant deployment.
The end goal should be to progress towards Adopted AI, where artificial intelligence is fully integrated into business processes, thoroughly auditable, and aligned with organisational objectives.
Most importantly, sensitive data must be classified accurately and steps taken to prevent oversharing. By doing so, organisations can reduce the risk of AI-powered assistants inadvertently exposing confidential information to unauthorised individuals, strengthening both security and trust within the workplace.
Tip: Conduct a free data assessment to ensure your organisation knows what data exists, where it lives, who has access, and how it’s classified. This single step reduces the risk of sensitive information leaking into AI models, prevents inadvertent oversharing, and establishes a strong foundation for safe, compliant AI adoption. Think of it as switching on the lights before inviting AI into the room.
AI’s Role in Data Protection Explained
In this episode, Stuart Wilson from Forcepoint explores the risks, rewards and rising challenges of AI in data protection, from shadow AI to safeguarding sensitive data, while helping businesses navigate secure innovation in an AI‑driven world.
4. Responsive Remediation is Key
Identifying vulnerabilities is only the start; the real challenge is fixing them swiftly. While prompt patching is essential, not all issues can be resolved immediately. This means that mitigating controls, such as tightening permissions or disabling unused services, are vital.
Virtual patching can protect where permanent fixes are unavailable. The next step is AI-driven remediation, which automates prioritisation and coordinates fixes based on business risk, enabling faster, more consistent vulnerability closure and freeing teams to focus on strategic security.
This shifts organisations from reactive to intelligent, risk-based remediation, reducing attacker opportunities and strengthening resilience.
Tip: Rank vulnerabilities by business impact, exploit likelihood, and data sensitivity, then move fast on the top tier. Where patches aren’t immediately available, apply mitigating controls and virtual patching to reduce exposure.
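The tip above describes a ranking; the following added example (written for this article, not taken from any scanner or vendor product) shows one way to carry it out so that the ordering is driven by business impact, exploit likelihood and data sensitivity rather than by CVSS alone, and so that findings without a patch are automatically routed to mitigating controls. The findings, weights and asset values are constructed; the exploit_probability field stands in for a likelihood feed such as EPSS and actively_exploited for a known-exploited list.

```python
"""Rank vulnerability findings by business risk rather than CVSS alone, and
attach an action (patch or mitigating control) to each.

Constructed example: findings, weights and asset values are invented for
illustration. 'exploit_probability' stands in for an exploit-likelihood feed
(EPSS-style), 'actively_exploited' for membership of a known-exploited list.
"""
from dataclasses import dataclass

IMPACT_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}          # business impact of the asset
SENSITIVITY_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass
class Finding:
    ref: str                    # local tracking reference (constructed, not a CVE id)
    asset: str
    cvss: float
    exploit_probability: float  # 0..1 likelihood of exploitation (assumed feed)
    actively_exploited: bool
    business_impact: str
    data_sensitivity: str
    patch_available: bool
    exposed_to_internet: bool


def likelihood(f):
    """Known exploitation overrides a low probability estimate; internet exposure raises it."""
    p = 0.9 if f.actively_exploited else f.exploit_probability
    if f.exposed_to_internet:
        p = min(1.0, p * 1.5)
    return p


def impact(f):
    """Asset criticality times data sensitivity, scaled by CVSS severity."""
    return IMPACT_WEIGHT[f.business_impact] * SENSITIVITY_WEIGHT[f.data_sensitivity] * (f.cvss / 10)


def risk_score(f):
    return round(likelihood(f) * impact(f), 2)


def tier(score):
    if score >= 8:
        return "P1"
    if score >= 4:
        return "P2"
    if score >= 1:
        return "P3"
    return "P4"


def action(f):
    if f.patch_available:
        return "patch"
    # No fix yet: reduce exposure now instead of waiting for the vendor.
    return "mitigate: virtual patch / restrict access / disable service"


def prioritise(findings):
    """Return (ref, asset, score, tier, action) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.ref, f.asset, risk_score(f), tier(risk_score(f)), action(f)) for f in ranked]


# Constructed findings. Note the CVSS order (9.8, 8.1, 7.8, 6.1) differs from the risk order.
SAMPLE_FINDINGS = [
    Finding("F1", "vpn-gw", 9.8, 0.60, True, "critical", "confidential", True, True),
    Finding("F4", "customer-portal", 8.1, 0.15, False, "high", "confidential", True, True),
    Finding("F2", "hr-db", 7.8, 0.30, False, "high", "restricted", False, False),
    Finding("F3", "internal-wiki", 6.1, 0.10, False, "low", "internal", True, False),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS):
        print(row)
```

The point of the worked numbers is that F2, an internal database holding restricted data with no patch available, ranks above F4, an internet-facing portal with the higher CVSS score, and is routed to mitigating controls rather than left waiting for a fix.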
Final Thoughts: Getting Ahead of AI Threats
AI is changing the game, and the steps outlined above make it clear that success comes from strengthening your people, enhancing detection and response with AI, putting firm governance around data and tools, and moving toward smarter, risk‑based remediation.
When these elements work together, organisations build real resilience and stay ahead of fast‑moving threats. The most effective way to continue that journey is to understand your current level of risk.
HackRisk reports give you a clear, practical view of your exposure so you can prioritise what matters most and take action with confidence.
Weak Passwords & Password Policies: Strengthening Access Security
A Growing Concern
In 2025, you might expect the threats posed by AI and increasingly sophisticated phishing methods to be the biggest cyber security risks. However, it is often the basics that are overlooked, and they are what leave organisations exposed.
In this blog, we explore how weak passwords and inadequate password policies continue to be a significant security risk for organisations and consumers.
Major Breaches Expose Weak Password Policies
The Open Worldwide Application Security Project (OWASP) Foundation claims that “In each of the recent high-profile hacks that have revealed user credentials, it is lamented that most common passwords are still: 123456, password and qwerty.” (source: The OWASP Foundation)
Recent events in the UK have further highlighted the pressing issue of weak password policies and the need to implement and adhere to robust internal processes and governance that mitigate the risk of credentials being compromised.
A recent, massive data breach exposed 184 million logins for companies like Apple and Google. The compromised dataset, discovered in an unprotected online database, included usernames and passwords for various online services and email providers. Cyber security researcher Jeremiah Fowler believes that infostealer malware, often deployed in phishing emails and malicious websites, was used to obtain and compile the compromised dataset. (source: WIRED)
Retail Hacks in the News: Weak Password Reset Process and Social Engineering
In a recent blog post we explored the incidents involving household names Marks & Spencer (M&S), Co-op and Harrods. It is believed that attackers used a combination of social engineering, impersonating employees and manipulating the IT helpdesk into resetting user account passwords. This allowed threat actors to bypass standard authentication procedures and gain unauthorised access to sensitive information, including customer account details, payment information, delivery details and login credentials.
Many of the compromised credentials had also been reused across multiple platforms, deepening the impact of the breaches. According to rradar, the incidents originated from lapses in password complexity requirements and inadequate monitoring for previously compromised credentials. These events underscore how the combination of human manipulation and weak password hygiene leaves organisations, regardless of size or reputation, vulnerable to attack. (source: rradar)
At the recent Manchester Digital E-Commerce Conference, we conducted a live hack on a demo online store to show how quickly a compromise similar to the incidents involving M&S and Co-op can occur.
Weak Passwords Remain a Leading Security Challenge for Web Applications
While most professionals are well-versed in the mechanics of phishing, recent industry reporting underscores how weak passwords continue to amplify the impact of increasingly sophisticated and AI-powered phishing campaigns. According to Verizon's 2024 Data Breach Investigations Report, in 2020 over 60% of web application breaches succeeded because of compromised or easily guessed passwords. By 2024 the figure was closer to 40%, so while there has been a reduction, the level of exposure remains high. (source: Verizon)
This downward trend suggests that some web application providers are responding to the threat by strengthening authentication requirements. However, the enduring presence of weak credentials among known vulnerabilities highlights the ongoing challenge facing developers and security teams. Notably, applications that permit simplistic, easily guessed, or previously compromised passwords consistently attract the attention of attackers, especially when paired with emerging phishing techniques.
Sophisticated phishing attacks, now frequently using AI-driven tools that customise messages for individual targets, are particularly effective when organisations lack robust password requirements or sufficient authentication methods. As highlighted by the Microsoft Digital Defense Report, AI-generated phishing emails have become such a prevalent threat that Microsoft has reassigned 34,000 engineers to security initiatives, including developing phishing-resistant MFA and strengthening defences against AI-driven threats.
The combination of advanced phishing and weak authentication remains a primary driver of large-scale cyber incidents across sectors, making the case for stronger password policies and ongoing credential monitoring.
Risks Associated with Weak Password Policies
Weak password policies not only increase organisational vulnerability to phishing and the sale of sensitive data on the dark web, but also pose significant risks when they allow users to reuse old or previously compromised passwords. Allowing the continued use of credentials exposed in past breaches, such as those affecting the companies highlighted above, dramatically raises the likelihood of unauthorised access. Without robust policies that prevent password reuse, reject simple password structures and flag known breached passwords, organisations leave a door wide open for attackers. According to ID Agent, organisations with compromised credentials, including passwords reused across different platforms, are 2.56 times more likely to experience a cyber incident.
Alarming Statistics and the Danger of Reused Passwords Found on the Dark Web
Recent cyber security analyses continue to reveal the magnitude of compromised credentials on the dark web. According to findings from VPN provider Surfshark, over 3.2 million British user accounts were compromised in data breaches during the first half of 2025, equating to approximately seven British accounts every minute in Q2 of that year. (source: Tech Digest)
Globally, the pool of compromised accounts on the dark web seems almost infinitely greater. In 2022 Digital Shadows reported that more than 24.6 billion records—primarily emails and passwords—were available on underground forums and cybercriminal marketplaces. (source: Dark Reading)
According to Market.us Scoop, stolen data, including compromised account credentials, is used by 65% of active cyber criminals globally, highlighting how weak or compromised passwords become the starting point for other attacks.
Alarmingly, NordPass reports that the most common passwords in these dumps, such as "123456" and "password", made up over 85% of all breached credentials, underscoring the critical risk of password reuse for users and organisations alike. (source: NordPass)
The consequences are severe: reused passwords allow attackers to exploit one breach to access multiple accounts, fuelling cyber attacks such as credential stuffing and a cascade of other threat vectors. As cyber criminals leverage advanced phishing tactics and the anonymity of the dark web, the persistence of weak and repeated passwords remains a significant problem in today’s digital landscape.
Best Practices for Reducing Risk from Weak Password Policies
Implementing comprehensive password security measures is essential for reducing organisational exposure to cyber threats. The following best practices can help mitigate the risks associated with weak password policies:
- Enforce Strong Password Requirements: Require a sensible minimum length (NCSC and NIST SP 800-63B both favour length over forced mixes of character classes, which tend to produce predictable variants such as "Password1!") and reject any candidate that appears on a list of commonly used or previously breached passwords at the point it is set. Allow long passphrases and do not restrict the characters or length a user may choose.
- Implement Multi-Factor Authentication (MFA): Require MFA or two-factor authentication (2FA) for all users, especially for accessing sensitive systems, to provide a crucial layer of security beyond the password.
- Change Passwords on Evidence of Compromise, Not on a Timer: Require a reset when a credential appears in a breach dump or when suspicious activity is detected, and prevent reuse of previous passwords. NCSC guidance and NIST SP 800-63B advise against routine expiry, because forced periodic changes push users towards weak, incrementally modified passwords without shortening an attacker's window in practice.
- Utilise Password Managers: Encourage or provide access to reputable password managers to help users create, store, and use strong, unique passwords across all accounts, minimising the temptation to reuse or simplify credentials.
- Continuous Dark Web Monitoring: Employ tools or services such as HackRisk to monitor for compromised credentials on the dark web, allowing for swift response if employee or organisational data is found in breach dumps.
- Comprehensive Staff Training: Deliver regular cyber security awareness training for all employees, with a focus on recognising phishing attempts, the importance of password hygiene, and how to respond to suspicious activity.
- Ongoing Policy Review and Enforcement: Routinely review and update password and authentication policies to adapt to emerging threats and ensure enforcement with automated checks wherever possible.
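Three of the controls above (minimum length, rejecting breached or common passwords, and blocking reuse) can be enforced automatically at the point a password is set. The following is an added example written for this article, not code from HackRisk or any other product. The breached-password list is constructed, and the range lookup imitates the k-anonymity scheme used by the Have I Been Pwned Pwned Passwords API (the client sends only the first five hex characters of the SHA-1 and compares suffixes locally) but runs entirely offline so nothing leaves the machine.

```python
"""Password screening checks of the kind NIST SP 800-63B and the NCSC recommend:
minimum length, a block on known-breached or common passwords, and a block on
reusing the account's previous passwords.

Added example, not from the original post. The breached list is constructed;
range_lookup() stands in for the k-anonymity network call and runs offline.
"""
import hashlib
import os

MIN_LENGTH = 12   # assumed local policy; 800-63B mandates at least 8 and recommends more

# Constructed stand-in for a breached-credential corpus.
_BREACHED = ["password", "123456", "qwerty", "Summer2024!", "letmein"]


def _sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Simulated range store: 5-hex-char prefix -> {35-hex-char suffix: breach count}.
_RANGE_STORE = {}
for _pw in _BREACHED:
    _h = _sha1_hex(_pw)
    _RANGE_STORE.setdefault(_h[:5], {})[_h[5:]] = 1


def range_lookup(prefix):
    """Stand-in for the network call: returns every suffix sharing the 5-char prefix."""
    return _RANGE_STORE.get(prefix, {})


def breach_count(password):
    """k-anonymity check: only the prefix would leave the client; the full hash never does."""
    h = _sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def hash_for_history(password, salt=None):
    """Password history is stored as salted PBKDF2 hashes, never as plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def is_reused(password, history):
    return any(
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000) == digest
        for salt, digest in history
    )


def evaluate_password(password, history=()):
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if breach_count(password):
        failures.append("appears in breached-password list")
    if is_reused(password, history):
        failures.append("matches a previous password for this account")
    return failures


if __name__ == "__main__":
    previous = [hash_for_history("CorrectHorseBatteryStaple")]
    for candidate in ["Summer2024!", "CorrectHorseBatteryStaple", "tr0ub4dor&3", "orbit-kettle-maple-42"]:
        print(candidate, "->", evaluate_password(candidate, previous) or "OK")
```

Note what the check does not do: it imposes no character-class rules, so "orbit-kettle-maple-42" passes on length alone, while "Summer2024!" fails twice despite satisfying every traditional complexity rule, because it is short and already in the breached list. Against a live breached-password service the only change would be replacing range_lookup() with the HTTPS request for the prefix.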
The Final Word: Enhancing Security Through Effective Password Management
The risks associated with weak password policies are substantial, and organisations must take proactive measures to mitigate these threats.
Implementing robust password policies, educating employees about phishing attacks, and continuously monitoring the dark web for compromised data are essential steps in safeguarding sensitive information.
Find Your Data on the Dark Web
Data breaches happen every day, at companies large and small, with stolen credentials commanding a premium on the Dark Web.
With over 24 billion sets of usernames and passwords currently for sale on the dark web, it has never been more important to keep control of your credentials.
Our advanced scanning software crawls the dark web for your compromised business credentials.
Where it finds stolen data, we identify the source of the breach, alert you instantly, and provide advice on how to keep your accounts secure.
You may be surprised how much of your information is already out there.
Free Posture Assessment
Understand your security risks and how to fix them.
Take the first step to improving your cyber security posture, looking at ten key areas you and your organisation should focus on, backed by NCSC guidance.
Claim your free 30-minute guided posture assessment with a CyberLab expert.
How Secure Is Microsoft Copilot? Understanding The Risks of AI Tools
Understanding the Risks and Solutions of AI-Assisted Tools
The emergence of AI-powered tools like Copilot is reshaping the way businesses tackle productivity and innovation.
Of course, with any game-changing technology, there’s a flip side, and the introduction of mainstream generative-AI brings along some cyber security challenges. So, how can businesses prepare to take full advantage of Copilot while staying safe? It’s all about striking the perfect balance between embracing innovation and addressing risks head-on.
Adopting Copilot Securely Explained
James Mallalieu from Chess explores how organisations can roll out Microsoft Copilot securely and successfully.
The Cyber Security Challenges of AI Tools
AI assistants like Copilot are powerful tools, but their capabilities introduce vulnerabilities that organisations must address. Listed below are some of the cyber security risks associated with their use:
Data Privacy Concerns
To operate at full functionality, AI requires access to sensitive information, such as emails, documents, and code repositories, raising privacy risks if that data is mishandled or exploited. In a recent survey, 77% of businesses that have deployed AI models reported having already experienced an AI-related breach.
External Threats and Data Leaks
Without secure implementation, attackers could exploit AI systems, leading to information misuse, manipulation, or data leaks.
Several incidents have highlighted these risks, particularly since the public release of AI models like ChatGPT, showcasing the need for better data management and security practices.
One such example is Slack's AI service. Slack AI provides generative features within the application, such as summarising lengthy conversations, answering questions, and summarising channels that are infrequently accessed. Researchers demonstrated that it was vulnerable to prompt injection: instructions planted in a public channel could cause the assistant to disclose data from private channels that the attacker could not otherwise read.
Bias and Misinformation
AI tools may produce flawed outputs due to biased or inaccurate training data.
Soon after the launch of its Bard AI, Google faced credibility challenges when the chatbot delivered inaccurate information during a demonstration concerning the James Webb Space Telescope. This error resulted in a significant decline in Alphabet’s stock price, erasing $100 billion from the company’s market value.
Shadow AI Usage
Employees might use unregulated AI tools when official access is restricted, increasing the risk of data exposure to less secure third-party platforms. Reports indicate that 61% of organisations are already dealing with Shadow AI usage.
Why Businesses Must Securely Integrate Copilot
While banning AI tools might seem like an easy way to avoid risks, it’s a short-sighted strategy that could backfire. Employees are increasingly tech-savvy and may seek out unregulated AI solutions if they feel restricted. These tools often lack enterprise-grade security features, potentially exposing sensitive data to external platforms and creating compliance risks.
A high-profile example of these risks became apparent when Samsung employees turned to ChatGPT to streamline their work. To boost productivity, they pasted confidential source code for an unreleased program into the AI tool and also uploaded sensitive meeting notes to generate a presentation. This exposed private corporate information to external servers, a clear and serious breach of data security policy.
By implementing Copilot securely, businesses gain control over its usage, ensuring employees have access to a trusted and robust tool while minimising vulnerabilities. A controlled integration allows organisations to reap the benefits of AI-assisted workflows without sacrificing security and also, importantly, without releasing confidential information outside of the organisation.
How to Reduce AI Risks
Preparing for Copilot’s integration requires proactive measures to mitigate the risks outlined above. Here are some strategies businesses should adopt:
Promote Controlled Alternatives to Shadow AI
Rather than banning AI tools outright, which can lead to stealth use, provide employees with secure organisation-approved AI. For example, implementing Copilot in a controlled manner allows businesses to monitor its usage while providing employees with a productive tool they trust. This approach reduces the likelihood of shadow AI usage, which poses significant risks when external, unapproved systems are used.
Secure Implementation Protocols
The first step is to implement Copilot within a secure framework. Ensure that the AI tool operates within controlled environments, such as your own Microsoft 365 tenant or another trusted cloud platform with robust security measures, so that prompts and retrieved content stay inside the organisation's data boundary. Enforce encryption for all data in transit and manage access controls strictly.
Educating employees about the risks and safe usage of AI tools is crucial. Provide training sessions on how Copilot processes data, its capabilities, and the boundaries of its use. Employees should understand that while Copilot is a powerful assistant, it requires careful handling to ensure security.
Data Controls and Classification
A critical aspect of deploying AI tools like Copilot securely is the proper classification and labelling of organisational data. Sensitive information, such as salary details, intellectual property, or customer data, must be explicitly marked as highly confidential. This ensures that the AI system is configured to respect these classifications and prevents unauthorised access to restricted data.
For example, organisations should ensure that salary information is labelled and stored in a way that restricts AI access. Without such safeguards, an employee could inadvertently or maliciously query the AI for another person’s salary and receive a response, leading to breaches of confidentiality and trust.
To mitigate these risks, businesses should:
• Establish robust data labelling protocols to categorise data based on sensitivity.
• Configure AI tools to operate within predefined access boundaries, ensuring they cannot retrieve or process highly confidential data unless explicitly authorised.
• Regularly audit and update data classifications to reflect changes in organisational priorities or regulations.
By implementing strict data controls, organisations can create a secure AI environment where employees can make full use of the tool’s capabilities without compromising sensitive information.
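The label-based access boundary described in this section, written out as an added example (not Microsoft's Copilot or CyberLab's code). The labels, principals and documents are constructed, and the rule that a "Highly Confidential" document needs an explicit grant rather than just a clearance level is an assumption about policy:

```python
"""Sensitivity-label gate in front of an AI assistant's document retrieval.

Added example, not Microsoft's or CyberLab's code. Labels, principals and
documents are constructed; the rule that 'Highly Confidential' needs an
explicit grant rather than a clearance level is an assumption.
"""
from dataclasses import dataclass

# Ordered from least to most sensitive; position in the list is the rank.
LABELS = ["Public", "Internal", "Confidential", "Highly Confidential"]
TOP = "Highly Confidential"


@dataclass(frozen=True)
class Document:
    doc_id: str
    label: str                      # may be empty or unknown on badly labelled data
    text: str
    allowed_principals: frozenset = frozenset()   # explicit grants for TOP documents


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str                  # highest label the principal sees by default
    groups: frozenset


def effective_label(doc: Document) -> str:
    """Fail closed: anything unlabelled or carrying an unknown label is
    treated as Highly Confidential until someone classifies it."""
    return doc.label if doc.label in LABELS else TOP


def can_retrieve(p: Principal, doc: Document) -> bool:
    label = effective_label(doc)
    if label == TOP:
        # Clearance alone never unlocks the top tier; the document must name
        # the user or one of their groups explicitly.
        return bool(doc.allowed_principals & (p.groups | {p.name}))
    # An unknown clearance value raises ValueError on purpose: a misconfigured
    # principal should fail loudly rather than silently see everything.
    return LABELS.index(p.clearance) >= LABELS.index(label)


def retrieve(p: Principal, corpus: list, query: str, audit: list) -> list:
    """Keyword search standing in for the assistant's retrieval step; every
    hit is checked against the label policy and each denial is audited."""
    hits = [d for d in corpus if query.lower() in d.text.lower()]
    allowed = []
    for d in hits:
        if can_retrieve(p, d):
            allowed.append(d)
        else:
            audit.append(f"DENY principal={p.name} doc={d.doc_id} label={effective_label(d)}")
    return allowed


# Constructed sample corpus and users.
CORPUS = [
    Document("salary-2025", TOP, "Salary review: Alice Example, GBP 52,000",
             frozenset({"hr-compensation"})),
    Document("holiday-policy", "Internal", "Holiday policy: 25 days plus bank holidays"),
    Document("press-release", "Public", "Press release: new store opening"),
    Document("legacy-export", "", "Unlabelled export containing salary bands"),
]
BOB = Principal("bob", "Internal", frozenset({"staff"}))
CAROL = Principal("carol", "Confidential", frozenset({"staff", "hr-compensation"}))

if __name__ == "__main__":
    log = []
    print([d.doc_id for d in retrieve(BOB, CORPUS, "salary", log)], log)
    print([d.doc_id for d in retrieve(CAROL, CORPUS, "salary", log)])
```

Bob's salary query returns nothing and leaves two audit entries (the labelled salary review and the unlabelled export), while Carol, who belongs to the explicitly granted group, retrieves only the properly labelled document.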
Conclusion: Securely Integrating AI Tools like Copilot
AI assistants like Copilot represent a significant leap forward in how businesses operate, but their capabilities come with cyber security challenges that must be addressed. From data privacy concerns to shadow AI usage, a secure and thoughtful approach to Copilot’s implementation is essential.
Rather than banning AI tools, businesses should focus on controlled integration, providing employees with a secure and regulated alternative to external solutions. Through comprehensive training, monitoring systems, and ethical AI policies, organisations can maximise the benefits of Copilot while ensuring robust cyber security protections.
The future of business lies in adopting innovative tools securely. By preparing for Copilot with a security-first mindset, organisations can lead the way in efficiency, creativity, and trust.
Free Posture Assessment
Understand your security risks and how to fix them.
Take the first step to improving your cyber security posture, looking at ten key areas you and your organisation should focus on, backed by NCSC guidance.
Claim your free 30-minute guided posture assessment with a CyberLab expert.
Exploring the Dark Web: The Digital Wild West of Cyber Crime Today
The Digital Wild West
Data breaches are increasingly common, and news reports frequently highlight these incidents. Millions of email addresses and passwords have been stolen, sold, and shared across the Dark Web. But what exactly is the Dark Web, and what threat does it pose to organisations?
In this article we journey into the depths of this digital Wild West. Much like the lawless frontiers of the past, the Dark Web is a digital landscape where anonymity and illicit activities thrive beyond the reach of many authorities. We explore what the Dark Web is, its role in cyber crime, and recent reports on data leaks. In addition, we cover measures that organisations can take to prevent their most sensitive assets from ending up for sale on the Dark Web.
What is the Dark Web?
The Dark Web is a hidden part of the internet that operates outside the bounds of conventional search engines and requires specialised software, configurations, or authorisation for access.
While the Dark Web is home to many legitimate companies, it also contains message boards, online marketplaces for drugs, as well as stolen financial and private data. Transactions within this economy are often made with cryptocurrency and are completely anonymous.
The Dark Web is infamous for its role as a hub for illicit activities, providing anonymity to users engaged in cyber crime, data breaches, and other nefarious deeds. It facilitates a vast market for stolen data, compromised credentials, and hacked accounts. With corporate credit cards, criminals can cause financial damage and make unauthorised purchases. The risk goes beyond the financial damage of stolen credit cards: with employee details, criminals can launch more sophisticated and targeted attacks. Phishing is one of the most common attack methods employed by cyber criminals, and could be the entry point for further compromise of your organisation.
The Dark Web is not just stolen credentials: it also harbours platforms where individuals can hire hackers for various malicious purposes, from launching cyber attacks to conducting espionage. If you can imagine it, it’s probably out there on the Dark Web.
Recent reports from sources like CSO Online and the University of Surrey underscore the growing prevalence of cyber criminal activities on the Dark Web, posing significant threats to enterprises and individuals alike.
Recent Breaches on the Dark Web
Recent data breaches have highlighted the growing market for stolen data and credentials on the Dark Web.
Apple, Google, and Other Major Companies
A huge breach exposed 184 million logins for Apple, Google, and many other companies. The dataset, which was discovered in an unprotected online database, includes usernames and passwords for various online services and email providers. Jeremiah Fowler, a cyber security researcher investigating the database, believes that infostealer malware may have been used to obtain and compile the compromised dataset. Infostealer malware is often deployed via phishing emails and malicious websites and used by cyber criminals to harvest data and credentials from the systems they have infected. The stolen data is usually then sold on the Dark Web or other illicit marketplaces. (source: PCMag)
AT&T
In another alarming incident, personal data belonging to 73 million current or former AT&T customers was leaked online. The data, including addresses, social security numbers, and passcodes, was published on the Dark Web, prompting concerns over potential misuse. AT&T has initiated an investigation into the breach, although they have not identified evidence of the data being stolen. As a precautionary measure, the company has reset customers’ passcodes and urged them to monitor their account activity and credit reports. The leaked data, which dates back to 2019 or earlier, encompasses information from 7.6 million current customers and 65.4 million former account holders. While financial information was not included in the leak, details such as full names, email addresses, and dates of birth were compromised. Even though the breach happened in 2024, the stolen data is still on the Dark Web and is being repackaged for sale. (source: ZDNET)
US National Public Data Breach
An enormous amount of sensitive information, including social security numbers for millions of US, UK and Canadian citizens, was stolen and released on the Dark Web. The data breach, believed to amount to 277.1 gigabytes of data, includes names, address histories, relatives, and social security numbers dating back at least three decades. The hacking group claiming responsibility for the breach, USDoD, are apparently selling the stolen data on the Dark Web for $3.5 million. (source: USA Today Tech)
How Cyber Criminals Exploit Stolen Data
The dark web serves as a digital marketplace for cyber criminals looking to exploit stolen data. Here are some of the malicious activities they can engage in:
Credential Stuffing
Cyber criminals use stolen credentials to gain unauthorised access to accounts by trying multiple username-password combinations.
Fraud
Stolen data can be used to commit various types of fraud, including identity theft and financial fraud.
Ransomware
Ransomware-as-a-service (RaaS) allows criminals to encrypt and lock victims’ data until a ransom is paid.
Distributed Denial-of-Service (DDoS) Attacks
Attackers can use stolen data, such as login credentials or network configurations, to infiltrate systems and hijack devices, turning them into bots within a larger botnet. These botnets are then coordinated to flood a target’s network or server with an overwhelming volume of traffic, causing disruptions, slowing operations, or completely paralysing the system.
Keyloggers, Trojans, and Spyware
Malware tools can be distributed to steal sensitive information from victims.
How to Protect Your Data
If your data has made it onto the Dark Web, acting quickly to assess the risk and mitigate the potential damage is essential. But how do you know if your data is out there? Dark Web Monitoring lets you watch for any instances of your organisation’s data on the dark web and receive proactive notifications if information from your domain is found. The platform engine monitors hidden chat rooms, private websites, P2P networks, IRC channels and thousands of botnets.
Continually scanning Dark Web databases for your company’s domain-specific data means you can act quickly if your sensitive information is made available. Intelligent algorithms sift through the vast amount of information and accurately identify any instances of your company’s data; when a potential threat is detected, the service issues real-time alerts so you can take immediate action to protect your business.
Few organisations have the right tools, people, and processes in-house to manage their security program around-the-clock while proactively defending against new and emerging threats. As such, organisations should consider getting an assessment of their cyber security posture to identify weaknesses. Another consideration is implementing advanced technologies for threat detection or partnering with a Managed Security Services Provider (MSSP) for services such as Managed Detection and Response (MDR).
In Conclusion
The Dark Web remains a formidable challenge in today’s digital landscape, serving as a haven for cyber criminals to exploit vulnerabilities and trade stolen data. The recent data breaches reveal the sheer scale of data that is vulnerable to being exposed on this digital black market, and underline the importance of implementing robust cyber security controls and strategies.
By pro-actively and regularly assessing their estate for vulnerabilities, implementing robust detection and response capabilities, continuously monitoring Dark Web channels for any exposed data or credentials, and fostering a culture of cyber awareness and vigilance, organisations can better protect themselves and their informational assets against the ever-present threats posed by the Dark Web.
Retail Under Siege from Cyber Attacks as Criminal Tactics Evolve
What the M&S, Co-op and Harrods Cyber Attacks Reveal About Modern Threats
Recently, a wave of cyber attacks has struck some of the UK’s most well-known retailers: Marks & Spencer, the Co-op, and Harrods. These incidents have disrupted services, forced systems offline, and cost millions in lost revenue. They are not just unfortunate timing. They are a wake-up call not just for the retail industry, but for every organisation across the UK.
The message is clear: if the “big guys” can fall victim, anyone can.
A Timeline of Disruption
Easter Weekend (29–31 March 2025)
Marks & Spencer was the first to experience a major disruption. Over the bank holiday weekend, the retailer suffered a ransomware attack reportedly carried out by the group DragonForce. The incident forced M&S to take its website and apps offline, halting Click & Collect services and disrupting contactless payments and loyalty programmes.
With online sales accounting for approximately £3.8 million per day in its clothing and home division, the financial impact was immediate and substantial. M&S later confirmed that customer data had been stolen, although it clarified that the compromised information did not include passwords or payment details. [Source: BBC]
Wednesday 7 May 2025
The Co-op revealed that it had taken parts of its IT infrastructure offline in response to suspicious activity, as a precaution against a potential cyber attack. Staff were instructed to keep cameras on during remote meetings and to verify all attendees, a signal that the company feared a deeper network compromise. The full nature and scope of the attack have not been publicly confirmed. [Source: BBC News]
Thursday 8 May 2025
Harrods became the third major retailer to confirm an incident. The company reported attempted unauthorised access to its systems. In response, its IT team restricted internet access at its stores as a protective measure. While its flagship Knightsbridge location and online store remained open and functional, the company has not disclosed further technical details or the extent of the attempted breach. [Source: BBC]
Ongoing Disruption
Cyber attacks are often widely disruptive. Customers at M&S have been unable to shop online for over a month, and reports indicate that disruption could last until July. The disruption of this cyber attack is estimated to cost M&S over £300 million. [Source: BBC]
Why are Retailers Targets for Cyber Criminals?
Retail businesses, especially large chains, have become increasingly attractive to cyber criminals.
- They manage large volumes of customer data, including payment information, delivery details and login credentials.
- Their operations are deeply digital, from logistics and inventory management to payment systems and loyalty apps.
- Any downtime causes immediate and visible disruption, creating pressure to resolve incidents quickly, sometimes under ransom demands.
We Simulated a Breach and It Took Minutes
At the recent Manchester Digital E-Commerce Conference, we conducted a live hack on a demo online store to show how quickly a compromise can occur.
Within minutes, our team exposed:
- A misconfigured ecommerce website that was vulnerable to exploitation.
- How an SQL Injection could steal usernames and encrypted passwords.
- How easily we decrypted the passwords due to weak passwords and a poor encryption algorithm.
- A weak login process with no 2FA, which enabled us to access all details on the account – including address and payment information.
Most successful attacks do not rely on sophisticated exploits; threat actors will almost always take the path of least resistance to establish a foothold. They rely on simple oversights, poor digital hygiene or human error.
Even today, the most prevalent vulnerability facing applications globally is broken access control, according to the Open Worldwide Application Security Project (OWASP). [source: OWASP Top Ten]
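The two weaknesses from the demo, the injectable query and the crackable password store, each beside its fix, as an added example (not CyberLab's demo store). It uses an in-memory SQLite database; the table layout, account names and passwords are constructed:

```python
"""The SQL injection and weak password storage from the demo, each beside
its fix.

Added example, not CyberLab's demo store. Uses an in-memory SQLite database
and constructed accounts; the table layout and all names are made up.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed accounts; both share a password to show the salting difference.
SAMPLE_USERS = [("alice", "Summer2024!"), ("bob", "Summer2024!")]


def weak_hash(password: str) -> str:
    """Unsalted fast hash, the kind the demo cracked in minutes: two users
    with the same password get the same digest, and a leaked table can be
    compared directly against a precomputed wordlist."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"", rounds: int = 600_000) -> str:
    """Per-user random salt plus deliberately slow PBKDF2-HMAC-SHA256,
    stored as salt$rounds$digest so the work factor can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    salt_hex, rounds, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)   # constant-time compare


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_weak TEXT, pw_strong TEXT)")
    for name, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (name, weak_hash(pw), strong_hash(pw)))
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """Query assembled by string formatting: the input is parsed as SQL, so a
    value containing a quote rewrites the WHERE clause and dumps every row."""
    sql = f"SELECT username, pw_weak FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str) -> list:
    """Parameterised query: the driver binds the value as data, whatever it contains."""
    return conn.execute(
        "SELECT username, pw_weak FROM users WHERE username = ?", (username,)).fetchall()


def login(conn, username: str, password: str) -> bool:
    """Credential check against the salted, slow hash."""
    row = conn.execute(
        "SELECT pw_strong FROM users WHERE username = ?", (username,)).fetchone()
    return bool(row) and verify_strong(password, row[0])


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"          # constructed input containing a quote
    print("vulnerable rows:", len(lookup_vulnerable(db, probe)))   # every account
    print("safe rows:", len(lookup_safe(db, probe)))               # none
    print("login ok:", login(db, "alice", "Summer2024!"))
```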
How Can Organisations Protect Themselves Against Cyber Attacks?
While the recent attacks are concerning, they highlight areas where many organisations can make meaningful improvements. Addressing cyber risk doesn’t require a drastic overhaul or reacting with panic.
Instead, it begins with a focused review of your current cyber security posture. You should review the technologies you use, your internal processes, and your existing policies. The priority should be to identify gaps, understand where your most critical assets lie, and take measured, practical steps to reduce risk.
Some of the key steps you should consider are:
- Use Multi-Factor Authentication (MFA) across all admin and critical access points.
- Patch and update all systems regularly, especially third-party plugins and platforms. Utilising patch management software can make this process faster and easier.
- Use 24/7 log monitoring and alerting tools, such as a Security Information and Event Management (SIEM) platform and Endpoint Detection and Response (EDR) solutions, across your applications and endpoints so that anomalous activity such as repeated failed login attempts is detected and recorded in real time.
- Conduct regular security audits, penetration tests, and code reviews.
- Segment networks and use monitoring tools to detect abnormal behaviour early.
- Train staff on phishing, social engineering, and access protocols.
- Have an incident response plan in place and test it regularly.
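The "repeated login failures" indicator from the monitoring step, as detection logic run over constructed sample log lines. This is an added example, not CyberLab's tooling or any SIEM's rule syntax; the log format, threshold and window are assumptions:

```python
"""Detection logic for the 'repeated login failures' indicator, run over
constructed sample log lines.

Added example, not CyberLab's tooling or any SIEM's rule syntax; the log
format, threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, "auth", outcome, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one IP sprays five usernames in ten seconds and then
# logs in; a legitimate user mistypes once; another IP fails twice, far apart.
SAMPLE_LOG = """\
2025-05-07T09:00:01 auth fail user=alice ip=203.0.113.10
2025-05-07T09:00:03 auth fail user=bob ip=203.0.113.10
2025-05-07T09:00:04 auth fail user=dave ip=198.51.100.7
2025-05-07T09:00:06 auth fail user=carol ip=203.0.113.10
2025-05-07T09:00:08 auth fail user=dave ip=203.0.113.10
2025-05-07T09:00:09 auth ok user=dave ip=198.51.100.7
2025-05-07T09:00:11 auth fail user=erin ip=203.0.113.10
2025-05-07T09:00:15 auth ok user=carol ip=203.0.113.10
2025-05-07T09:30:00 auth fail user=frank ip=192.0.2.5
2025-05-07T09:45:00 auth fail user=frank ip=192.0.2.5
this line is not in the expected format and is skipped
"""


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding window of failures per source IP.

    Raises one alert when a source reaches `threshold` failures inside
    `window`, labelled credential stuffing when the failures span several
    usernames and brute force when they hit one account, and a second,
    higher-priority alert if that same source then logs in successfully."""
    failures = defaultdict(deque)      # ip -> deque of (timestamp, user)
    flagged = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # malformed or unrelated line
        ts = datetime.fromisoformat(m["ts"])
        ip, user = m["ip"], m["user"]
        if m["outcome"] == "ok":
            if ip in flagged:
                alerts.append({"kind": "success after failure burst",
                               "ip": ip, "user": user, "at": ts})
            continue
        q = failures[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()                 # drop failures that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            users = {u for _, u in q}
            alerts.append({
                "kind": "credential stuffing" if len(users) > 1 else "brute force",
                "ip": ip, "failures": len(q), "distinct_users": len(users),
                "first": q[0][0], "last": ts,
            })
            flagged.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the spraying source produces a credential-stuffing alert at its fifth failure and a second alert when it succeeds as "carol"; the single mistype and the two failures fifteen minutes apart stay below the threshold.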
It’s Not “If” But “When”
The recent incidents at M&S, Co-op, and Harrods are not anomalies. They are signs of a threat landscape that is growing more aggressive and opportunistic. For any organisation operating online or relying on digital systems, the risk is very real.
At CyberLab, we help businesses strengthen their defences, uncover vulnerabilities before attackers do, and stay ahead of the threat curve.
Cyber Crime and the Festive Season: Protecting Businesses During Peaks
A Dangerous Spike in Cyber Threats
As the festive season approaches, the excitement surrounding Black Friday, Cyber Monday, and Christmas shopping often leads to a sharp increase in cyber threats. During this time, online consumer behaviour changes drastically: shoppers are eager for deals, working against the clock, and spending more time online.
This frenzy presents an ideal opportunity for cyber criminals, who take advantage of increased online traffic, distracted users, and businesses operating out-of-hours to launch attacks. For organisations, this shift introduces unique risks and demands heightened security measures.
This month, we are focusing on the elevated cyber risks associated with the festive season. We will explore how cyber criminals exploit holiday shopping habits and changes in consumer behaviour, provide examples of high-profile incidents, and offer best practices that organisations can implement to safeguard their operations during this critical period.
Why Cyber Criminals Love the Festive Season
During peak shopping times like Black Friday and Christmas, cyber crime rises as consumers spend billions online. A recent report by ThriveDX found that ransomware attacks increase by 30% during the holidays compared to regular months.
Cyber criminals know that consumers are often distracted while hunting for deals, leaving them vulnerable to phishing attacks and other scams. According to Forbes, in 2022, 37% of data breaches in retail involved stolen payment card data, and ransomware accounted for 24% of breaches, with retailers often pressured to pay to avoid disruptions during their busiest sales periods.
A notable example of cyber criminals exploiting the festive period to steal payment card data is the Target breach, which affected approximately 40 million credit and debit card accounts during the holiday shopping period. The attack, facilitated by malware installed through an HVAC subcontractor, led to widespread customer distrust and hefty fines. This incident is a stark reminder that even well-established businesses with strong security frameworks can fall victim to cyber crime during the holidays.
Top 5 Most Common Threats During the Festive Season
Phishing Scams
Cyber criminals take advantage of consumers’ increased reliance on online shopping by sending emails that mimic trusted brands. These emails often include malicious files or links to fake websites where users unknowingly provide personal and payment information.
A report by DataProt found that over 70% of phishing emails were opened by recipients in 2023, especially during periods like Black Friday and Christmas when consumers are bombarded with promotional emails.
Ransomware
Between December and January, attempted ransomware attacks rose by 70%, as businesses were more willing to pay to prevent operational disruption. The combination of out-of-hours operations and an influx of temporary workers makes organisations more vulnerable to these attacks. [source: Darktrace]
Typosquatting
Cyber criminals set up websites that resemble legitimate retailers, often relying on common typos in domain names to trick consumers into entering their personal details. During Black Friday and Cyber Monday, these schemes become even more prevalent as users rush to make purchases. [source: Forbes]
Out-of-hours Attacks
According to Darktrace, in 76% of detected ransomware infections, the encryption process begins after hours or during the weekend.
Cyber criminals and threat actors alike often increase attack attempts during off-hours, particularly on weekends or holidays, when fewer staff are available to monitor security alerts in real time, making it easier to exploit standard organisational processes and human vulnerability.
With fewer personnel on hand to respond, threat actors are often afforded more time to establish a deeper foothold within internal networks before being detected. Ransomware attacks, for example, tend to peak at these times because attackers know that a quick response is harder to mount.
AI-Enhanced Scams
The National Cyber Security Centre (NCSC) has warned that AI-generated scams will play a significant role this festive season, producing more polished and convincing phishing emails and fake websites.
According to NCSC, 72% of British people are concerned about AI making it easier for criminals to commit fraud. The misuse of AI to bolster scams, such as creating fake advertisements and fraudulent emails, makes it harder for consumers to discern between legitimate offers and cyber threats. [source: NCSC]
Best Practices to Protect Your Organisation
Due to the rise in cyber threats during the festive season, businesses must remain vigilant and proactive. Here are some best practices to consider:
1. Ensure Regular System Updates and Patching
Cyber criminals often exploit known vulnerabilities, so it’s crucial to keep all software and systems up to date with the latest security patches.
Protect your operating systems and third-party software from vulnerabilities with vRx from Vicarius, a complete patch management system that discovers, prioritises, and remediates software vulnerabilities across your estate, including the smaller applications that are often forgotten.
2. Strengthen Employee Awareness and Training
Seasonal hires are particularly vulnerable to phishing attacks and social engineering. Contracted only for the busy festive period, they are less likely to be fully integrated into the organisation’s policies and processes, and have had less exposure and training to make them vigilant to suspicious behaviour or cyber criminal activity.
Training employees to identify suspicious emails or websites can reduce the risk of human error. Verizon’s 2023 Data Breach Investigations Report found that human error played a role in 74% of breaches, highlighting the need for continual employee awareness. For temporary staff, provide quick, engaging onboarding modules that emphasise detecting phishing attempts and other social engineering tactics.
3. Implement Multi-Factor Authentication (MFA)
MFA adds an additional layer of security, which makes it more difficult for attackers to access systems even if they possess stolen credentials. SecurEnvoy helps to fortify your security and reduce the risk of data breaches by keeping track of where your data resides and making sure that only authorised users can access critical systems and information.
4. Monitor Network Traffic
Increased traffic during the festive period can strain your networks. Deploy monitoring tools to detect abnormal activity and prevent distributed denial of service (DDoS) attacks.
5. Consider Managed Security Services
If your business lacks in-house expertise, consider partnering with a Managed Security Service Provider (MSSP) for services such as threat detection and response, penetration testing, and incident response.
6. Dark Web Monitoring
Services such as HackRisk can help detect if any of your organisation’s data has been exposed on the dark web and provide real-time alerts to mitigate risks.
7. Prepare an Incident Response Plan
With out-of-hours attacks more common during the holidays, having a robust incident response plan is critical. Outsourcing to a retainer service, such as those offered by Sophos, can reduce the pressure on internal teams by providing expert guidance in handling incidents.
Conclusion
As the holiday season ramps up, so do the threats from cyber criminals eager to exploit changes in consumer behaviour and the operational vulnerabilities of businesses. By understanding the tactics used by attackers and implementing best practices such as employee training, regular system updates, and robust monitoring, organisations can significantly reduce their risk of falling victim to cyber crime.
Stay vigilant, invest in cyber security measures, and ensure your defences are up to the challenge this festive season.
Defending Education: Top Cyber Security Challenges in Higher Education
Cyber Security for Education Institutions
Cyber security has become a critical issue for higher education (HE) institutions due to their unique structures. Academic institutions have open environments where many users access shared networks from various devices and locations.
This makes them prime targets for cyberattacks. Common threats include phishing attacks, ransomware, Distributed Denial of Service (DDoS) attacks, and data breaches. Plus, the rise of remote learning and cloud adoption has increased the potential attack surface for many educational institutions, making it harder to manage cyber security.
Understanding the Threat Landscape
Higher education institutions are attractive targets for threat actors due to their decentralised structures, large user bases, and the diversity of data they store.
Universities, for example, often have open networks to support collaboration and research, creating vulnerabilities and exploitable gaps in infrastructure. They typically hold valuable intellectual property, cutting-edge research, financial data, and personal student/staff information. Additionally, a blend of staff, students, and external collaborators using a range of different devices further complicates security oversight and can make endpoint security management a living nightmare.
Taken together, these factors give a wide spectrum of threat actors a motive to target higher education institutions: nation-states may target them for espionage and valuable research data, while ransomware groups view them as lucrative opportunities because of their reliance on constant system availability for academic and administrative purposes.
In the past year alone, 97% of UK higher education institutions reported cyber incidents, spanning across a wide variety of attack vectors and methods, according to a recent survey by the NCSC.
Key Security & Compliance Challenges Facing Higher Education
Decentralised Structures and User Diversity
Universities host a mix of staff, students, and external collaborators who access networks from various devices. This diversity increases the attack surface, making it harder to monitor and secure endpoints. Additionally, many departments and research teams have different security protocols or lack them altogether, creating inconsistent defences across the institution.
Appeal to Threat Actors: Espionage and Financial Crimes
Higher education institutions hold valuable intellectual property, particularly in research areas such as technology, health, and defence, making them appealing to nation-state actors seeking espionage. Ransomware groups and financially motivated cybercriminals also target these institutions due to the critical reliance on availability, making them more likely to pay to regain access to encrypted systems.
Cyber Security Awareness
With the variety of users and devices, human error is one of the largest vulnerabilities. Phishing attacks are common and can quickly compromise critical systems. Awareness training for students, faculty, and staff is often inconsistent or lacking.
Securing Research Data and Intellectual Property
Beyond financial crimes, universities are repositories of cutting-edge research and data. This makes them attractive targets for espionage, particularly for international competitors seeking technological advantages.
Best Practices and Recommendations for Higher Education Institutions
To effectively combat cyber threats, higher education institutions must adopt a proactive and tailored cyber security strategy. This begins with conducting a comprehensive risk assessment to measure their overall cyber security posture, but also to understand what makes their institution an attractive target specifically.
Universities and colleges should consider the assets they hold—whether it’s sensitive student data, valuable research project data, or intellectual property. Furthermore, institutions need to evaluate their relationships with external collaborators, including research partners, government agencies, and private corporations, as these partnerships may expose them to additional risks.
Geographic location can also influence the threat landscape, particularly if the institution is involved in research or collaborations that are of interest to state-sponsored actors. People of interest who teach among faculties or attend universities can attract both influence and risk. The NCSC has published guidance for HE institutions supporting VIPs and high-risk individuals.
With the right guidance and expertise, information security teams, compliance teams and other internal stakeholders can identify where their biggest risks lie within their estate, which threat actors are most likely to target them, and therefore the methods and techniques those actors are most likely to deploy, ultimately providing a “blueprint” for an optimal cyber security strategy and posture hardening.
With this understanding in place, universities can then implement best practices such as:
Adopting a Zero Trust Architecture
This approach assumes no user or device is trusted by default, even if they are already inside the network. This approach is especially crucial for higher education institutions, given their vast, open networks, with users accessing resources from diverse locations and devices.
Example in Higher Education: Universities can implement micro-segmentation within their networks to limit the movement of attackers if a breach occurs. For example, restricting student access to sensitive research databases or administrative systems through segmented network zones can prevent unauthorised access, even if an attacker has already breached one area.
Another common practice is continuous authentication, where the system regularly checks user credentials and behaviour, such as location, device type, or network usage, to identify any anomalies that could indicate a breach.
The University of California, Berkeley has adopted a Zero Trust approach by implementing secure, role-based access controls for its academic resources, minimising access privileges for non-administrative users. Their system continuously verifies user identity, reducing the risk of lateral movement by attackers. [source: The University of California, Berkeley]
Strengthening Access Controls
Implementing Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC) ensures only authorised individuals have access to critical systems and data.
MFA requires users to present two or more forms of verification (something they know, something they have, or something they are). It is particularly effective against phishing, which is highly prevalent in higher education, because a stolen password alone is no longer enough to log in. Not all factors are equal, however: one-time codes and push approvals can still be relayed by a real-time phishing proxy or worn down by repeated prompts, whereas FIDO2 security keys and passkeys bind the credential to the genuine site and resist this.
Example in Higher Education: Implementing MFA across university systems for both students and staff can prevent unauthorised access even if login credentials are stolen. For example, universities can require students to verify their identity using a mobile app or a hardware token in addition to their password.
The University of Oxford rolled out a university-wide MFA system, requiring all staff and students to authenticate using both their university credentials and an additional form of verification, such as a mobile phone app or security token. This has drastically reduced successful phishing attacks by ensuring that stolen passwords alone are not enough to gain access. [source: The University of Oxford]
Regular Software Updates and Endpoint Protection
Ensuring that all devices, including personally owned devices used for work (BYOD), have up-to-date antivirus and firewall protection is crucial. Regular software updates patch known vulnerabilities before they can be exploited. Enabling remote wipe for lost or compromised devices ensures sensitive data can be erased quickly.
Phishing and Social Engineering Awareness Training
Employees are often the first line of defence against cyber threats. Regular training sessions on phishing, social engineering, and secure data handling can significantly reduce the risk of human error leading to a security breach.
Collaborating with External Cyber Experts
Partnering with external cyber security specialists, whether penetration testers, Managed Security Service Providers, incident response teams or government agencies, can give higher education institutions timely threat intelligence, access to advanced security technologies and insight into vulnerabilities and misconfigurations across their estate. It also provides assurance that assets and users can be safeguarded in the event of a cyber attack or data breach.
Managed Detection and Response (MDR)
Endpoint detection alone is no longer sufficient given today’s threat landscape. Organisations must now employ an “always-on” threat detection and monitoring capability. However, employing and retaining qualified cyber security analysts and engineers is expensive, and running a 24/7 Security Operations Centre (SOC) in-house, staffed by experienced analysts and equipped with state-of-the-art defensive technologies, is typically only feasible for multinational conglomerates and global tier 1 banks.
MDR services provide continuous monitoring and analysis of an organisation’s entire estate, including endpoints, network traffic and activity logs. By outsourcing to specialists, firms can ensure that threats are detected and contained quickly, reducing the chance that an attack succeeds.
Incident Response and Recovery
Having a robust incident response plan is essential for limiting the damage caused by cyber incidents. Higher education institutions should invest in both in-house and outsourced incident response teams to ensure a swift and effective reaction to breaches. They should also regularly test their cyber incident response plan (CIRP) through ‘tabletop exercises’ that simulate a range of incident scenarios, so that response strategies are robust and understood by every risk owner.
Vulnerability Management
Regularly updating and patching software, coupled with continuous vulnerability assessments, is vital for maintaining a secure infrastructure. Cyber security as a Service (CSaaS) solutions, such as HackRisk, can help organisations manage vulnerabilities effectively without overburdening internal teams.
Conclusion: Proactive Defence in Higher Education
To safeguard the wealth of data and intellectual property, higher education institutions must adopt a proactive, layered approach to cyber security. By addressing the unique challenges of decentralised networks and diverse users, universities can build a strong defence against increasingly sophisticated cyber threats.
Common Cyber Security Challenges in Education
The following key findings show the proportion of further education colleges and higher education institutions that encountered each type of cyber attack over the past 12 months:
Phishing Attacks
Phishing attacks were extremely common across both sectors, with 100% of higher education institutions and 97% of further education colleges reporting incidents.
Impersonation Attacks
90% of higher education institutions and 78% of further education colleges experienced impersonation attacks, where attackers pretended to be from the organisation.
Viruses, Spyware, or Malware
Higher education institutions reported significantly higher incidents of viruses, spyware, or malware (77%) compared to 32% in further education colleges.
Unauthorised Access
Higher education faced more issues with unauthorised access to files or networks: 27% of institutions reported such access by their own staff and 20% by outsiders. Among further education colleges, 19% reported access by staff and none reported access by outsiders.
Other Breaches or Attacks
There was a considerable difference in miscellaneous breaches or attacks, with 47% of higher education institutions and 16% of further education colleges reporting incidents outside the standard categories.
[source: NCSC]
Free Posture Assessment
Understand your security risks and how to fix them.
Take the first step to improving your cyber security posture, looking at ten key areas you and your organisation should focus on, backed by NCSC guidance.
Claim your free 30-minute guided posture assessment with a CyberLab expert.
How to Protect Against Phishing Attacks with Smarter Email Security
Anti-Phishing Measures To Stay Secure
Phishing remains one of the most common entry points for cyber attacks.
CyberLab outlines what phishing is, why it matters, how to enable people to recognise and avoid it, and how organisations can gain confidence that defences are working.
What is Phishing and Why Does it Matter?
Phishing is a form of social engineering where an attacker sends a deceptive message that appears to come from a trusted source. The goal is to trick the recipient into taking an action, for example entering credentials, opening a malicious attachment, approving a fraudulent payment, or installing malware that leads to ransomware or data theft.
Phishing is serious for three reasons:
- It targets people, not just systems. Even well secured environments can be compromised if a user is manipulated into granting access.
- It often starts bigger incidents. Many breaches begin with a single click that leads to credential theft, lateral movement and impact on critical services.
- It keeps evolving. Messages are increasingly polished, personalised and timed to match real business processes, which reduces the likelihood that staff will recognise them on sight.
How to Enable People to Spot & Avoid Phishing
Technology is necessary, but it is not sufficient on its own. Building capability in people requires an ongoing programme that is practical, engaging and measurable.
Design training for how adults learn
- Short, focused modules. Ten to fifteen minute sessions, delivered regularly, improve retention without disrupting the day.
- Varied formats. Video, interactive scenarios, quick reads and micro‑quizzes cater for different learning styles.
- Role‑specific examples. Finance teams, customer service and executives face different lures and require tailored scenarios.
- Just‑in‑time nudges. Brief reminders at the point of risk, for example before seasonal peaks or system changes, reinforce good judgement.
Make simulations realistic and continuous
- Diverse templates. Use a wide variety of lures and brands so knowledge cannot spread as “avoid that specific email”.
- Adaptive scheduling. Send simulations at different times and frequencies so vigilance becomes a habit, not a one‑off event.
- Teachable moments. If a user interacts with a simulation, show a friendly landing page that explains the red flags they missed and how to spot them next time.
Encourage reporting, not silence
- One‑click reporting. Provide a report phishing button in email clients and make sure it is monitored.
- Positive tone. Thank staff for reporting, even if the message turns out to be benign. Avoid blame, focus on learning.
- Clear playbooks. Ensure staff know what to do if they have clicked. Quick reporting enables faster containment.
How Organisations Gain Confidence in User Readiness
Occasional simulations and a long video once a year do not provide assurance. A stronger approach combines training, testing and metrics.
- Run continuous, varied simulations. Measure click rates, data submission, and reporting rates. Aim to improve all three.
- Segment results. Understand performance by team, location and role. Target support where it is most needed.
- Close the loop. Provide immediate feedback to participants, offer quick refreshers to those who need them, and celebrate improvement publicly.
- Test processes, not just people. Validate that reported emails reach the right team, that triage is timely, and that containment actions are triggered.
Beware common pitfalls: over‑reliance on a single template, predictable schedules that are easy to game, or punitive responses that discourage reporting.
Recommendations and Guidance
A layered programme combines people, process and technology.
People and process
- Establish a security awareness plan with quarterly themes, micro‑modules and ongoing simulations.
- Define a clear policy for reporting suspected phishing and responding to mistakes without blame.
- Run tabletop exercises that include finance approvals, supplier changes and executive impersonation scenarios.
- Provide onboarding and refresher pathways so new joiners and high‑risk roles receive timely guidance.
Technical controls
- Email security gateway with attachment sandboxing, URL rewriting and impersonation detection.
- Authentication hardening with multi‑factor authentication, conditional access and device posture checks.
- Domain protections using SPF, DKIM and DMARC with alignment and reject policies.
- Browser and DNS filtering to block known malicious destinations and risky categories.
- Endpoint protection with behaviour‑based detection and rollback for ransomware scenarios.
- Least privilege and separation of duties for sensitive actions, for example payment approvals and credential resets.
- Automation and orchestration so that reported messages are auto analysed and similar emails are removed from other mailboxes.
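The SPF, DKIM and DMARC bullet above hinges on identifier alignment: a message only passes DMARC when an authenticated domain aligns with the domain in the visible From header, which is what stops an attacker passing SPF for a domain they control while displaying yours. The following Python is an added example and is not part of the original article or any CyberLab tooling; the domain example.org, its DMARC record and the message scenarios are constructed. DNS lookups, pct= sampling and the Public Suffix List are left out, as the comments note.

```python
# Constructed example record, as it would be published in DNS at _dmarc.example.org
EXAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                  "rua=mailto:dmarc-reports@example.org")


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags and apply the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")      # DKIM alignment is relaxed unless stated
    tags.setdefault("aspf", "r")       # SPF alignment is relaxed unless stated
    tags.setdefault("sp", tags["p"])   # subdomains inherit p= when sp= is absent
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels.
    A real implementation must consult the Public Suffix List (e.g. for ac.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    domain with the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, record) -> dict:
    """Combine SPF and DKIM results with alignment to reach a DMARC verdict.

    spf_domain is the envelope (MAIL FROM) domain that SPF checked; dkim_domain
    is the d= tag of a signature that verified, or None if none did. The record
    is assumed to be the one published at the organisational domain.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and is_aligned(dkim_domain, from_domain, policy["adkim"]))
    passed = spf_ok or dkim_ok
    # A subdomain in the From header is governed by sp=, the org domain by p=
    is_org = from_domain.lower() == org_domain(from_domain)
    applicable = policy["p"] if is_org else policy["sp"]
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else applicable,
    }


if __name__ == "__main__":
    # Attacker passes SPF and DKIM for a domain they own while showing ours
    print(evaluate_dmarc("example.org", "pass", "bulk-sender.example",
                         "pass", "bulk-sender.example", EXAMPLE_RECORD))
    # Legitimate mail via a bounce subdomain: relaxed SPF alignment passes
    print(evaluate_dmarc("example.org", "pass", "bounce.example.org",
                         "none", None, EXAMPLE_RECORD))
    # Strict DKIM alignment rejects a signature from a subdomain signer
    print(evaluate_dmarc("example.org", "fail", "example.org",
                         "pass", "mail.example.org", EXAMPLE_RECORD))
```

The third scenario is the one that catches teams out when they move to p=reject: adkim=s means a legitimate service signing with d=mail.example.org fails alignment against a From header of example.org, so either sign with the exact From domain or keep relaxed alignment until every sender is verified.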
What good looks like
- Training completion above a defined threshold, improved assessment scores over time, and increased voluntary reporting.
- Declining click‑through and data submission rates on simulations, with faster reporting of real threats.
- Documented response playbooks, measured mean time to triage and containment, and regular post‑incident reviews.
Phishing Simulation from CyberLab Control
Did you know that the first stage of over 90% of cyber attacks is a phishing email?¹ Crude yet effective, and on the rise.
Despite this, fewer than one-in-five businesses report testing their employees with phishing simulations².
CyberLab Control empowers your people to identify and report phishing attacks within an environment you control, helping them to become your first line of defence rather than your weakest link.

Putting it into Practice
- Baseline. Assess current awareness, reporting routes and technical controls. Identify high‑risk processes such as payment changes and document signing.
- Launch. Roll out short training modules and enable a report phishing button. Start with a varied simulation set.
- Measure. Track engagement, click and report rates, and process timings. Share results with leaders and teams.
- Improve. Target coaching for repeat clickers, refresh scenarios to match emerging lures, and tune technical controls based on findings.
- Sustain. Keep cadence steady, integrate lessons from real incidents, and align with wider risk and compliance activities.
Talk to CyberLab
CyberLab helps organisations build practical, people‑centred defences against phishing.
The team designs training and simulation programmes, implements robust reporting and response processes, and tunes technical controls such as email security and identity protection.
To explore how to strengthen resilience against phishing and social engineering, the team is available for an initial consultation.
Protect the Public Sector: Understanding CAF & Log Management
CyberLab Team Up with Logpoint
In a recent CyberLab webinar with Logpoint’s Director of Sales Engineering, Paul Gower, we delved into two critical areas of cyber security that are essential for protecting public sector organisations: Cyber Assessment Frameworks (CAF) and Log Management.
Such frameworks, including the NCSC’s own CAF, give organisations a structured and effective foundation for identifying, mitigating and responding to cyber threats.
As public sector organisations face increasing cyber risks, from data breaches to ransomware attacks, understanding and implementing robust cyber assessment frameworks and effective log management strategies is vital.
The Role of Cyber Assessment Frameworks in Public Sector Cyber Security
Cyber Assessment Frameworks (CAF) are designed to guide organisations through the process of evaluating and improving their cyber security posture. The recent webinar underscored that a key challenge for public sector bodies is ensuring that their security measures align with regulatory and compliance requirements, while also addressing the dynamic nature of cyber threats.
A CAF provides a systematic way to assess an organisation’s existing cyber security controls, processes, and policies. These frameworks are essential for identifying vulnerabilities, understanding risks, and establishing best practices for mitigating those risks. For public sector organisations, implementing a CAF offers a clear path to achieving a high level of resilience against cyber threats.
The key components of a cyber assessment framework discussed in the webinar included:
- Risk Assessment: Understanding the unique cyber risks faced by public sector bodies, such as the protection of sensitive citizen data and the security of critical national infrastructure (CNI).
- Controls and Policies: Ensuring that security controls and policies are well-defined and effectively enforced. This includes user access controls, data protection measures, and incident response protocols.
- Continuous Improvement: Emphasising the importance of regular reviews and updates to the cyber security posture, as threats and technologies evolve.
By adopting a CAF, public sector organisations can not only meet compliance standards but also ensure that they are proactively addressing security risks in an evolving threat landscape.
Log Management: The Backbone of Effective Cyber Defence
Log management emerged as another central theme in the webinar, with experts explaining its role in cyber security. Logs contain crucial information about system activities, user interactions, and network traffic. When properly managed, logs provide a valuable source of intelligence that can help organisations detect, analyse, and respond to security incidents.
For public sector organisations, log management is particularly important due to the sensitive nature of the data they handle. Effective log management enables security teams to track potential breaches, identify suspicious activities, and maintain a clear audit trail for compliance purposes.
The webinar emphasised the following best practices in log management for public sector organisations:
- Centralised Logging: Aggregating logs from various systems and platforms into a centralised location ensures that security teams have a comprehensive view of activities across the organisation.
- Real-Time Monitoring: Continuous monitoring of logs enables teams to identify and respond to threats as they occur, reducing the risk of delayed detection.
- Retention and Compliance: Retaining logs for the required period and ensuring that they meet regulatory compliance standards is essential, especially for public sector organisations that are subject to strict data protection regulations.
- Log Analysis and Automation: With the volume of logs generated daily, manual analysis can be overwhelming. AI-driven log analysis tools can automate the process of identifying anomalies and potential threats, allowing security teams to focus on higher-level decision-making.
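The centralised logging, real-time monitoring and automated analysis practices above are easiest to see over a concrete stream of events. The following Python is an added example, not from the webinar, Logpoint or CyberLab: it merges constructed authentication logs from two hypothetical hosts (portal-01 and vpn-01, with made-up users and addresses) into one time-ordered stream and runs three sliding-window rules over it: password spraying, brute force against one account, and a success following repeated failures, which is the pattern behind the compromised-credential root causes reported later on this page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events from two hosts as they would arrive in a
# central log store. Hosts, usernames and addresses are made up for this example.
SAMPLE_LOGS = """\
2025-01-14T08:00:01Z portal-01 auth: login FAILED user=a.smith src=203.0.113.5
2025-01-14T08:00:02Z vpn-01 auth: login FAILED user=b.jones src=203.0.113.5
2025-01-14T08:00:03Z portal-01 auth: login FAILED user=c.lee src=203.0.113.5
2025-01-14T08:00:04Z vpn-01 auth: login FAILED user=d.khan src=203.0.113.5
2025-01-14T08:00:05Z portal-01 auth: login FAILED user=e.wu src=203.0.113.5
2025-01-14T08:05:00Z vpn-01 auth: login FAILED user=f.green src=198.51.100.7
2025-01-14T08:05:10Z vpn-01 auth: login FAILED user=f.green src=198.51.100.7
2025-01-14T08:05:20Z vpn-01 auth: login FAILED user=f.green src=198.51.100.7
2025-01-14T08:05:30Z vpn-01 auth: login OK user=f.green src=198.51.100.7
2025-01-14T08:20:00Z portal-01 auth: login FAILED user=g.hall src=192.0.2.10
2025-01-14T08:20:30Z portal-01 auth: login OK user=g.hall src=192.0.2.10
2025-01-14T08:30:00Z vpn-01 auth: login FAILED user=f.green src=198.51.100.7
2025-01-14T08:30:10Z vpn-01 auth: login OK user=f.green src=198.51.100.7
"""
# Eight failures for one account from one address, five seconds apart (also constructed).
SAMPLE_LOGS += "".join(
    f"2025-01-14T09:00:{5 * i:02d}Z portal-01 auth: login FAILED user=h.park src=10.0.0.9\n"
    for i in range(8)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login (?P<outcome>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Parse log lines into dicts and sort by time, so events from different
    hosts are correlated in the order they actually happened."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; a real pipeline would count these
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5,
           brute_tries=8, prior_failures=3):
    """Sliding-window rules over the merged stream. Returns alerts in time order."""
    fails_by_src = defaultdict(deque)    # src -> (ts, user) of recent failures
    fails_by_pair = defaultdict(deque)   # (src, user) -> ts of recent failures
    fired = set()                        # suppress repeat alerts for the same key
    alerts = []
    for e in events:
        ts, src, user = e["ts"], e["src"], e["user"]
        # Expire failures that fell outside the window for this source / pair
        while fails_by_src[src] and ts - fails_by_src[src][0][0] > window:
            fails_by_src[src].popleft()
        while fails_by_pair[(src, user)] and ts - fails_by_pair[(src, user)][0] > window:
            fails_by_pair[(src, user)].popleft()
        when = ts.isoformat()
        if e["outcome"] == "FAILED":
            fails_by_src[src].append((ts, user))
            fails_by_pair[(src, user)].append(ts)
            # Password spraying: one source, many different accounts
            targets = {u for _, u in fails_by_src[src]}
            if len(targets) >= spray_users and ("spray", src) not in fired:
                fired.add(("spray", src))
                alerts.append({"rule": "password_spray", "src": src, "user": None,
                               "at": when, "users": sorted(targets)})
            # Brute force: one source hammering a single account
            if len(fails_by_pair[(src, user)]) >= brute_tries and ("brute", src, user) not in fired:
                fired.add(("brute", src, user))
                alerts.append({"rule": "brute_force", "src": src, "user": user, "at": when})
        else:
            # A success shortly after repeated failures for the same pair is the
            # signature of a guessed or stuffed credential
            if len(fails_by_pair[(src, user)]) >= prior_failures:
                alerts.append({"rule": "success_after_failures", "src": src,
                               "user": user, "at": when})
    return alerts


def run_sample():
    """Run the rules over the constructed sample and return the alerts."""
    return detect(parse(SAMPLE_LOGS.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two points worth noting: the spray is only visible because failures from portal-01 and vpn-01 are merged, which is the case for centralised logging, and the f.green login at 08:30 raises nothing because its earlier failures have aged out of the window, which is the sort of threshold a team must tune against its own baseline rather than copy.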
Integrating Cyber Assessment Frameworks with Log Management
A key takeaway from the webinar was the importance of integrating cyber assessment frameworks with log management strategies. Both components complement each other to create a more holistic approach to cyber security.
By aligning the findings from cyber assessments with real-time log data, public sector organisations can continuously evaluate their security posture and ensure that they are detecting and responding to emerging threats. This integrated approach can also help organisations improve their incident response times, reduce vulnerabilities, and strengthen overall resilience.
For example, during an active cyber attack, logs can provide critical insights into how an attacker is moving through the network, while the cyber assessment framework ensures that appropriate defensive measures are in place to respond to such threats. Together, these elements form a robust defence against the growing number of cyber threats targeting public sector organisations.
Key Security and Compliance Challenges Facing the Public Sector
Legacy Systems
Many public sector organisations rely on outdated systems that are more vulnerable to attacks. These legacy systems often lack modern security features or are difficult to patch due to compatibility issues.
Resource Constraints
Budgetary limitations and resource shortages in IT and cyber security teams leave gaps in defence strategies, making public sector entities more susceptible to attacks.
Decentralised Structures
Similar to challenges faced in education, public sector organisations often have decentralised systems with numerous access points, making monitoring and securing endpoints a complex task.
Compliance Pressure
Compliance with frameworks like the Cyber Assessment Framework (CAF) is necessary but can strain already limited resources. The webinar emphasised how balancing compliance and proactive defence can be difficult.
Human Error and Insider Threats
Phishing remains a prevalent attack vector, exploiting the human element within organisations. Insufficient training for employees exacerbates the risk of falling victim to social engineering attacks.
Supply Chain Vulnerabilities
Public sector organisations often work with external contractors and suppliers, increasing the risk of supply chain attacks, which were mentioned as a growing concern.
Best Practices and Recommendations for Public Sector Organisations
To effectively combat cyber threats, public sector organisations must adopt a proactive and tailored cyber security strategy. This begins with conducting a comprehensive risk assessment to measure their overall cyber security posture and to understand what makes their organisation an attractive target.
Public sector entities should consider the assets they manage—whether it’s sensitive citizen data, critical infrastructure systems, or classified government information. Furthermore, organisations need to evaluate their relationships with third-party vendors, contractors, and external collaborators, as these partnerships may introduce additional risks.
Geographic location and political context can also influence the threat landscape, particularly if the organisation is involved in high-profile projects or operates in regions of interest to state-sponsored actors. High-ranking officials or individuals of public interest within these organisations may also attract targeted attacks, making VIP and high-risk individual protection crucial. The NCSC has published guidance for supporting such individuals within public sector environments.
With the right guidance and expertise, cyber security teams, compliance officers, and other internal stakeholders can identify their most significant risks, the threat actors most likely to target them, and the methods these adversaries are likely to employ. This enables the creation of a robust “blueprint” for an optimal cyber security strategy and posture hardening.
Armed with this understanding, public sector organisations can then implement best practices such as:
Adopting a Zero Trust Architecture
This approach assumes no user or device is trusted by default, even if it is already inside the network. It is especially important for public sector organisations, given their complex infrastructure, multiple access points and the diverse range of stakeholders accessing resources from various locations and devices.
Example in the Public Sector: Government agencies can implement micro-segmentation within their networks to limit an attacker’s movement if a breach occurs. For instance, placing systems that hold sensitive citizen data, and administrative systems, in their own network zones prevents unauthorised access to them even if an attacker has already compromised another area.
Another common practice is continuous authentication, where the system re-evaluates a session throughout its lifetime rather than only at login, checking signals such as location, device type or network usage for anomalies that could indicate a compromised account.
Case Study: The US Department of Homeland Security adopted a Zero Trust approach, implementing secure, role-based access controls for its critical systems. This minimised access privileges for non-essential users and continuously verified user identity, reducing the risk of lateral movement by attackers.
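The micro-segmentation and continuous authentication practices described in this section, and in the higher education section earlier on the page, come together at the point where a single access request is evaluated. The following Python is an added illustration, not code from any of the organisations named on this page: the resource names, zones, roles and thresholds are assumed for the example. Every request is checked against segment reachability, role, device posture, location and the age of the last MFA, with outright denials first and a fresh MFA challenge (step-up) when the context has changed.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Hypothetical policy data for illustration only: the resources, zones and
# roles are assumed, not taken from any real institution's configuration.
RESOURCE_POLICY = {
    "research-db":    {"zone": "restricted", "roles": {"researcher", "dba"},
                       "mfa_max_age": timedelta(hours=1)},
    "hr-admin":       {"zone": "restricted", "roles": {"hr-admin"},
                       "mfa_max_age": timedelta(minutes=15)},
    "student-portal": {"zone": "general", "roles": {"student", "staff", "researcher"},
                       "mfa_max_age": timedelta(hours=12)},
}

# Micro-segmentation: which source segments may reach which resource zones.
# Restricted systems are reachable only from the managed-device segment,
# never directly from the open campus network or the internet.
ZONE_REACHABILITY = {
    "restricted": {"managed"},
    "general":    {"managed", "campus", "internet"},
}


@dataclass
class Session:
    user: str
    roles: set
    src_zone: str           # network segment the request arrives from
    device_compliant: bool  # outcome of the device posture check
    last_mfa: datetime      # when the user last completed MFA
    usual_countries: set    # countries previously seen for this user
    country: str            # country of the current request


def evaluate(session: Session, resource: str, now: datetime) -> tuple:
    """Return ('allow' | 'step_up' | 'deny', reason) for one request.

    Nothing is inherited from being on the network or from an earlier login;
    each request is judged on its own signals. Hard denials come first, then
    the continuous-verification checks that trigger a fresh MFA challenge.
    """
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return "deny", "unknown resource (default deny)"
    if session.src_zone not in ZONE_REACHABILITY[policy["zone"]]:
        return "deny", f"segment {session.src_zone} may not reach the {policy['zone']} zone"
    if not session.roles & policy["roles"]:
        return "deny", "role not permitted for this resource"
    if policy["zone"] == "restricted" and not session.device_compliant:
        return "deny", "device failed posture check"
    if session.country not in session.usual_countries:
        return "step_up", f"request from unusual country {session.country}"
    if now - session.last_mfa > policy["mfa_max_age"]:
        return "step_up", "last MFA is older than this resource allows"
    return "allow", "all checks passed"


def run_scenarios() -> dict:
    """Evaluate a set of constructed requests; returns scenario -> (decision, reason)."""
    now = datetime(2025, 1, 14, 9, 0)
    fresh, stale = now - timedelta(minutes=10), now - timedelta(hours=3)
    researcher = Session("r.ahmed", {"researcher"}, "managed", True, fresh, {"GB"}, "GB")
    student = Session("s.patel", {"student"}, "campus", False,
                      now - timedelta(hours=2), {"GB"}, "GB")
    return {
        "researcher_ok": evaluate(researcher, "research-db", now),
        "researcher_stale_mfa": evaluate(replace(researcher, last_mfa=stale), "research-db", now),
        "researcher_unmanaged_device": evaluate(replace(researcher, device_compliant=False),
                                                "research-db", now),
        "student_restricted": evaluate(student, "research-db", now),
        "student_portal_ok": evaluate(student, "student-portal", now),
        "student_new_country": evaluate(replace(student, src_zone="internet", country="US"),
                                        "student-portal", now),
        "unknown_resource": evaluate(researcher, "payroll-legacy", now),
    }


if __name__ == "__main__":
    for name, (decision, reason) in run_scenarios().items():
        print(f"{name:28s} {decision:8s} {reason}")
```

The ordering of the checks is the design point: a student on the campus segment is refused the research database by the segmentation rule before their role is even considered, and a researcher on a compliant managed device is still re-challenged when the last MFA is older than the resource tolerates.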
Strengthening Access Controls
Implementing Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC) ensures only authorised individuals can access critical systems and data.
MFA requires users to present two or more forms of verification (something they know, something they have, or something they are). This is particularly effective in defending against phishing attacks, which are highly prevalent in the public sector, because a stolen password alone is no longer enough to log in.
Example in the Public Sector: Implementing MFA across government systems for both employees and contractors can prevent unauthorised access, even if login credentials are stolen. For instance, agencies can require users to verify their identity using a mobile app or a hardware token in addition to their password.
Case Study: MFA is a requirement of the NCSC’s Cyber Essentials certification scheme. Discover how the NHS strengthened their cyber security posture with CyberLab in our NHS Case Study.
Regular Software Updates and Endpoint Protection
Ensuring that all devices, including personally owned devices used for work (BYOD) and those used remotely, have up-to-date antivirus and firewall protection is critical. Regular software updates patch known vulnerabilities before they can be exploited. Enabling remote wipe for lost or compromised devices ensures sensitive data can be erased quickly.
Phishing and Social Engineering Awareness Training
Public sector employees are often the first line of defence against cyber threats. Regular training sessions on phishing, social engineering, and secure data handling can significantly reduce the risk of human error leading to a security breach. Training should be tailored to address specific threats targeting public sector entities, such as impersonation of government officials or fraudulent invoices.
Managed Detection and Response (MDR)
Endpoint detection alone is no longer sufficient given today’s digital threat landscape. Public sector organisations must now employ an “always-on” threat detection and monitoring capability. However, employing and retaining qualified cyber security analysts and engineers can be very expensive. Running a 24/7 SOC (Security Operations Centre) in-house with experienced analysts and security experts with state-of-the-art defensive technologies is often reserved for large-scale government bodies.
MDR services provide continuous monitoring and analysis of an organisation’s entire estate, including endpoints, network traffic and activity logs. By outsourcing to specialists, public sector organisations can ensure that threats are detected and contained quickly, reducing the chance that an attack succeeds.
Incident Response and Recovery
Having a robust incident response plan is essential for mitigating the damage caused by cyber incidents. Public sector organisations should invest in both in-house and outsourced incident response teams to ensure a swift and effective reaction to breaches. Regular assessments of cyber incident response plans (CIRP) or ‘tabletop exercises’ simulating various cyber incident scenarios ensure response strategies are robust and understood by all risk owners.
Vulnerability Management
Regularly updating and patching software, coupled with continuous vulnerability assessments, is vital for maintaining a secure infrastructure. Cyber security as a Service (CSaaS) solutions, such as CyberLab Control, can help public sector organisations manage vulnerabilities effectively without overburdening internal teams.
Conclusion: A Unified Approach to Public Sector Cyber Defence
Protecting public sector organisations against cyber threats requires a strategic, integrated approach that combines both cyber assessment frameworks and effective log management. By focusing on these key areas, public sector bodies can ensure they are well-prepared to defend against the growing range of cyber threats.
Our webinar with Logpoint served as a valuable resource for organisations looking to improve their security posture and implement best practices in the face of an ever-evolving digital landscape.
Common Cyber Security Challenges in the Public Sector
The following key findings show the proportion of public sector organisations that encountered different types of cyber attack over the past 12 months, along with insights into other cyber security challenges they face.
Ransomware Attacks
34% of state and local government organizations were hit by ransomware in 2024. This represents a 51% decrease from the 69% attack rate reported in 2023. Furthermore, 56% of computers in state and local government organizations are impacted by a ransomware attack if one occurs.
Data Encryption
It is extremely rare for state and local government organizations to have their full environment encrypted: just 8% reported that 81% or more of their devices were impacted. At the other end of the scale, while some attacks do impact only a handful of devices, this too, is highly unusual, with only 2% of state and local government organizations saying that 10% or fewer of their devices were affected.
Compromised Credentials
All state and local government respondents hit by ransomware were able to identify the root cause of the attack. Compromised credentials were the most common method of entry (49%), followed by exploited vulnerabilities (24%).
Backup Compromise
99% of state and local government organisations reported that cybercriminals attempted to compromise their backups, exceeding the global average of 94%.
Data Theft
Adversaries don’t just encrypt data; they also steal it. 42% of state and local government organizations reported that where data was encrypted, data was also stolen. [Source: Sophos State of Ransomware Report 2024]