Security Awareness

According to a 2023 survey among global business and cyber leaders, 65% believed cyber security was the sector expected to be the most affected by generative artificial intelligence (AI).

In 2026, there is no doubt that artificial intelligence is transforming cyber security on both sides of the fence. Attackers are using it to move faster and phish smarter. Defenders are using it to detect earlier and respond sharper.

Gone are the days when poor grammar and bad formatting gave phishing emails away. Generative AI now enables cyber criminals to craft messages that look and feel authentic.

The key is to prioritise people in your cyber security strategy. Use cyber security awareness training to equip your teams to recognise subtle warning signs, question any suspicious consent prompts, and always verify unexpected or unusual requests using a different communication channel.

By fostering a security-aware culture that blends human vigilance with technology, organisations can better defend against sophisticated AI-driven threats and reduce the risk of successful attacks.

Tip: Enforce phishing-resistant MFA and update awareness training that includes deepfake demos and modern phishing examples, not just “bad link” spotting.

Generative AI is changing the game. Is it helping defenders more than attackers? Dive into the risks, opportunities, and real-world impact of AI on cyber security.

Dave Mareels, Senior Director of Product Management at Sophos, joins the podcast to explore how generative AI is reshaping the cyber threat landscape.

Cyber attacks are multistage and often start with a valid login. AI isn’t just a threat, it’s part of the solution. The strongest defences combine AI with human expertise. Together, they can spot weak signals in context, investigate quickly, and contain incidents before they escalate.

Identity Threat Detection and Response is critical. Attackers increasingly target identity systems, so monitoring and responding to identity-based threats should be a priority.

Tip: Assess out-of-hours coverage and escalation paths. If you can’t investigate and respond in minutes, not hours, consider 24/7 managed detection and response for faster risk reduction.

To effectively harness the benefits of AI while minimising risk, organisations must take a structured approach to AI governance. This starts with curbing the use of Shadow AI, which is unapproved applications or tools that staff may adopt without IT oversight, as these can introduce significant security and compliance concerns.

Organisations should formalise the use of Sanctioned AI by clearly defining approved tools and implementing robust controls to ensure safe, compliant deployment.

The end goal should be to progress towards Adopted AI , where artificial intelligence is fully integrated into business processes, thoroughly auditable, and aligned with organisational objectives.

Most importantly, sensitive data must be classified accurately and steps taken to prevent oversharing. By doing so, organisations can reduce the risk of AI-powered assistants inadvertently exposing confidential information to unauthorised individuals, strengthening both security and trust within the workplace.

Tip: Conduct a free data assessment to ensure your organisation knows what data exists, where it lives, who has access, and how it’s classified. This single step reduces the risk of sensitive information leaking into AI models, prevents inadvertent oversharing, and establishes a strong foundation for safe, compliant AI adoption. Think of it as switching on the lights before inviting AI into the room.

In this episode, Stuart Wilson from Forcepoint explores the risks, rewards and rising challenges of AI in data protection, from shadow AI to safeguarding sensitive data, while helping businesses navigate secure innovation in an AI‑driven world.

Identifying vulnerabilities is only the start; the real challenge is fixing them swiftly. While prompt patching is essential, not all issues can be resolved immediately. This means that mitigating controls, such as tightening permissions or disabling unused services, are vital.

Virtual patching can protect where permanent fixes are unavailable. The next step is AI-driven remediation, which automates prioritisation and coordinates fixes based on business risk, enabling faster, more consistent vulnerability closure and freeing teams to focus on strategic security.

This shifts organisations from reactive to intelligent, risk-based remediation, reducing attacker opportunities and strengthening resilience.

Tip: Rank vulnerabilities by business impact, exploit likelihood, and data sensitivity, then move fast on the top tier. Where patches aren’t immediately available, apply mitigating controls and virtual patching to reduce exposure.

AI is changing the game, and the steps outlined above make it clear that success comes from strengthening your people, enhancing detection and response with AI, putting firm governance around data and tools, and moving toward smarter, risk‑based remediation.

When these elements work together, organisations build real resilience and stay ahead of fast‑moving threats. The most effective way to continue that journey is to understand your current level of risk

HackRisk reports give you a clear, practical view of your exposure so you can prioritise what matters most and take action with confidence.

Phishing remains one of the most common entry points for cyber attacks.

CyberLab outlines what phishing is, why it matters, how to enable people to recognise and avoid it, and how organisations can gain confidence that defences are working.

Phishing is a form of social engineering where an attacker sends a deceptive message that appears to come from a trusted source. The goal is to trick the recipient into taking an action, for example entering credentials, opening a malicious attachment, approving a fraudulent payment, or installing malware that leads to ransomware or data theft.

Phishing is serious for three reasons:

• It targets people, not just systems. Even well secured environments can be compromised if a user is manipulated into granting access.
• It often starts bigger incidents. Many breaches begin with a single click that leads to credential theft, lateral movement and impact on critical services.
• It keeps evolving. Messages are increasingly polished, personalised and timed to match real business processes, which reduces the likelihood that staff will recognise them on sight.

Technology is necessary, but it is not sufficient on its own. Building capability in people requires an ongoing programme that is practical, engaging and measurable.

Design training for how adults learn

• Short, focused modules. Ten to fifteen minute sessions, delivered regularly, improve retention without disrupting the day.
• Varied formats. Video, interactive scenarios, quick reads and micro‑quizzes cater for different learning styles.
• Role‑specific examples. Finance teams, customer service and executives face different lures and require tailored scenarios.
• Just‑in‑time nudges. Brief reminders at the point of risk, for example before seasonal peaks or system changes, reinforce good judgement.

Make simulations realistic and continuous

• Diverse templates. Use a wide variety of lures and brands so knowledge cannot spread as “avoid that specific email”.
• Adaptive scheduling. Send simulations at different times and frequencies so vigilance becomes a habit, not a one‑off event.
• Teachable moments. If a user interacts with a simulation, show a friendly landing page that explains the red flags they missed and how to spot them next time.

Encourage reporting, not silence

• One‑click reporting. Provide a report phishing button in email clients and make sure it is monitored.
• Positive tone. Thank staff for reporting, even if the message turns out to be benign. Avoid blame, focus on learning.
• Clear playbooks. Ensure staff know what to do if they have clicked. Quick reporting enables faster containment.

Occasional simulations and a long video once a year do not provide assurance. A stronger approach combines training, testing and metrics.

• Run continuous, varied simulations. Measure click rates, data submission, and reporting rates. Aim to improve all three.
• Segment results. Understand performance by team, location and role. Target support where it is most needed.
• Close the loop. Provide immediate feedback to participants, offer quick refreshers to those who need them, and celebrate improvement publicly.
• Test processes, not just people. Validate that reported emails reach the right team, that triage is timely, and that containment actions are triggered.

Beware common pitfalls: over‑reliance on a single template, predictable schedules that are easy to game, or punitive responses that discourage reporting.

A layered programme combines people, process and technology.

People and process

• Establish a security awareness plan with quarterly themes, micro‑modules and ongoing simulations.
• Define a clear policy for reporting suspected phishing and responding to mistakes without blame.
• Run tabletop exercises that include finance approvals, supplier changes and executive impersonation scenarios.
• Provide onboarding and refresher pathways so new joiners and high‑risk roles receive timely guidance.

Technical controls

• Email security gateway with attachment sandboxing, URL rewriting and impersonation detection.
• Authentication hardening with multi‑factor authentication, conditional access and device posture checks.
• Domain protections using SPF, DKIM and DMARC with alignment and reject policies.
• Browser and DNS filtering to block known malicious destinations and risky categories.
• Endpoint protection with behaviour‑based detection and rollback for ransomware scenarios.
• Least privilege and separation of duties for sensitive actions, for example payment approvals and credential resets.
• Automation and orchestration so that reported messages are auto analysed and similar emails are removed from other mailboxes.

What good looks like

• Training completion above a defined threshold, improved assessment scores over time, and increased voluntary reporting.
• Declining click‑through and data submission rates on simulations, with faster reporting of real threats.
• Documented response playbooks, measured mean time to triage and containment, and regular post‑incident reviews.

Malware is one of the most persistent threats to modern businesses. CyberLab outlines what malware is, how the threat has evolved, and five practical steps any organisation can take to reduce risk and strengthen defences.

Malware (short for “malicious software”) is an umbrella term for software designed to infiltrate systems, disrupt operations, or steal data. Categories often overlap, but common types include:

• Viruses
  Malicious code that attaches to legitimate files and can corrupt, modify, or delete data.
• Worms
  Self‑propagating software that spreads across connected devices and networks without user action.
• Trojans
  Malware that masquerades as legitimate software, often creating a “backdoor” that allows further compromise.
• Adware
  Software that displays intrusive adverts; beyond nuisance, it can weaken security and lead to additional malware.
• Spyware
  Software that covertly captures sensitive information such as credentials, payment data, and browsing activity.
• Rootkits
  Tools that provide stealthy, privileged access so an attacker can operate like an administrator without detection.

Historically, threats tended to sit neatly within one category. Today, adversaries combine techniques to maximise impact. A single campaign might hide like a trojan, spread like a worm, disrupt systems like a virus, and quietly harvest credentials.

Motivations have also shifted. Where older malware often aimed to cause nuisance, modern operators are financially driven. Ransomware remains one of the most common and disruptive threats: attackers encrypt business data and demand payment for decryption. Increasingly, groups use double‑extortion tactics, exfiltrating sensitive data before encryption, then threatening to leak it to increase pressure on victims.

The implications are clear. Organisations need layered controls that can prevent, detect, and respond to sophisticated, multi‑stage attacks, and they need the governance and processes to recover quickly.

1) Use modern endpoint protection

Traditional antivirus relies on signatures of known threats. Given the pace of change, that is no longer sufficient by itself. Organisations should adopt behaviour‑based protection such as Endpoint Detection and Response (EDR) or Next‑Gen AV, which use analytics and machine learning to detect suspicious activity, block unknown malware, and provide investigation and response capabilities. Consider managed detection to extend coverage outside business hours.

What good looks like:

• Behaviour‑based detection, not only signatures
• Ransomware rollback or containment features
• Centralised policy, alerting and response across all endpoints

2) Manage devices and privileges

Limit administrative rights and separate admin accounts from day‑to‑day user accounts. Apply least privilege and strong authentication to reduce the blast radius if an account is compromised. For mobiles and laptops, use device management to enforce security baselines, control app installation, and protect corporate data.

What good looks like:

• Role‑based access, separate admin credentials, multi‑factor authentication
• Mobile and endpoint management (for example, Microsoft Intune) to enforce policies
• Only approved app stores such as Google Play and the Apple App Store

3) Keep software up to date

Attackers routinely exploit known vulnerabilities. Maintain an accurate asset inventory, apply security updates promptly, and remove software that is end‑of‑life or unsupported. Regular vulnerability assessments help identify gaps and track remediation progress.

What good looks like:

• Standard patching cadence with clear service‑level objectives
• Prioritisation for internet‑facing and business‑critical systems
• Continuous scanning and reporting to verify closure of issues

4) Control USB and other removable media

Removable media can introduce malware into otherwise controlled environments. Reduce risk by blocking ports where not required, restricting device types, and scanning any permitted media. Provide secure alternatives for file transfer so staff do not need ad‑hoc USB sticks.

What good looks like:

• Default block on removable storage, allow by exception with approval
• Device control and data loss prevention to monitor usage
• Approved, secure file‑sharing solutions and clear guidance for staff

5) Use firewalls and network controls

Firewalls act as a first line of defence between internal networks and the internet. Apply default deny where practical, restrict inbound and outbound traffic, and enable features such as intrusion prevention and web filtering. Use host firewalls on endpoints and segment internal networks to limit lateral movement.

What good looks like:

• Properly configured perimeter and host‑based firewalls
• Application‑aware controls, DNS and web filtering
• Segmentation of critical services and monitoring of east‑west traffic

No single control stops every threat. A layered approach that combines prevention, detection, response, and recovery is essential. Training and clear processes matter as much as technology. When organisations align controls to their risk profile and keep them well managed, they significantly reduce the likelihood and impact of malware incidents.

CyberLab helps organisations assess their exposure, strengthen controls, and get more value from existing tools. To discuss how to improve protection against malware and wider cyber threats, the team is available to help shape a pragmatic plan that fits the environment, budget, and risk appetite.

When people think of insider threats, they often picture a disgruntled employee misusing legitimate access. In reality, one of the most dangerous risks comes from well‑intentioned employees being manipulated by attackers. This is the essence of social engineering.

Social engineering is a tactic where attackers exploit human behaviour rather than technical flaws. Instead of breaking through firewalls, they trick individuals into giving away information, credentials or access. These attacks rely on trust, curiosity or a desire to help.

Unlike malicious insiders, social engineering attacks are usually launched by external actors who manipulate employees into actions that compromise security – such as clicking a malicious link or sharing sensitive data.

Phishing

The most widespread form of social engineering. Attackers send emails, messages or create fake websites that mimic trusted organisations (banks, government agencies, major brands). Victims are lured into entering credentials or downloading malware.

Baiting

Offering something enticing – like free music downloads or branded USB drives – in exchange for action. Once the bait is taken, malware is installed or data is harvested.

Quid Pro Quo

An attacker offers a service in return for information. For example, posing as IT support and offering “free troubleshooting” in exchange for login details.

Pretexting

Building a false sense of trust by impersonating someone in authority (e.g., HR, IT, auditors). The attacker fabricates a scenario to justify requests for sensitive data or access.

Piggybacking (Tailgating)

Physical intrusion by following an authorised person into a restricted area or borrowing a device under false pretences. For example, asking someone to hold a door open because they “forgot their badge”.

• Human nature: People want to be helpful and avoid conflict.
• Authority and urgency: Attackers often create pressure to act quickly.
• Familiarity bias: Impersonating colleagues or trusted brands lowers suspicion.

1. Be cautious with emails and attachments

If you don’t recognise the sender, don’t engage. Even if you do, verify suspicious requests through a separate channel (e.g., call the person directly). Remember: email addresses can be spoofed.

2. Use layered security

Deploy professional spam filters and enable multi‑factor authentication (MFA). MFA adds a critical layer of defence if credentials are compromised.

3. Think before you click

If an offer seems too good to be true, it probably is. A quick online search can confirm whether it’s legitimate or a scam.

4. Secure your devices

Maintain a standard build, keep antivirus and firewalls active, and apply patches promptly. Outdated systems are easy targets.

5. Educate and test regularly

Run security awareness training and simulated phishing exercises. People are the first line of defence – make sure they know how to spot and report suspicious activity.

Technology alone cannot stop social engineering. The most effective defence combines awareness, process and technology.

By training staff, enforcing strong access controls and maintaining layered security, organisations can significantly reduce the risk of a successful attack.

A recent survey by Forbes found that 63% of respondents worked remotely or in a hybrid model, showcasing that even years after the COVID 19 pandemic, hybrid working remains the norm. The importance of securing employees and the systems they access, whether they are working in the office or remotely, cannot be understated.

In this blog, we discuss distributed nature of hybrid working, the risks and cyber threats that hybrid working organisations are exposed to, alongside some recommendations and best practices that organisations can implement for securing hybrid and remote working environments.

According to a report by the Wales Institute of Social and Economic Research and Data (WISERD) just 4.7% of UK employees worked from home in 2019, prior to the COVID-19 pandemic. However, by April 2020, 46.6% of employees did at least part of their job from home, and in 2022, a quarter of all UK employees worked in hybrid environments and 13% were working fully remotely.

The speed and scale at which the pandemic shifted a significant portion of UK’s workforce to hybrid/remote working, underscores the massive increase in cyber threats and incidents that followed, and the challenges that businesses and organisations would need to address in order to adapt. [source: ONS]

Cyber attacks Up 238% Since the Pandemic

According to a study by Alliance Virtual Offices, the frequency of cyber attacks has surged by 238% since the shift to widespread remote working, largely driven by vulnerabilities in home networks and personal devices. Remote work has also increased the cost of data breaches for companies by an average of £104,077 (converted from $USD). Despite this, only 56% of remote employees receive regular cyber security training, increasing the risks for organisations operating in a more digital environment. [source: Yahoo Finance]

BYOD and Home Networks Expand Attack Surface

Research from Lookout found that 32% of remote workers use apps not approved by their company’s IT department, and 90% access corporate networks from multiple locations, including coffee shops and public Wi-Fi, which increases cyber risk. This can also increase exposure to threats like phishing and malware attacks, especially as 46% of employees save work files on personal devices. [source: IT Security Guru]

Common Attack Vectors – An increase in RDP Abuse

In light of so many organisations migrating to remote/hybrid working models, threat actors have turned their sights to exploiting remote/virtual desktop technologies as a means of bypassing external defensive parameters and gaining a foothold on the internal network.

Remote desktop protocol (RDP) is a common method for establishing remote access on Windows systems. According to a recent report by Sophos found that cyber criminals abused remote desktop protocol in 90% of attacks. This was the highest incidence of RDP abuse since Sophos began releasing its Active Adversary reports in 2021, covering data from 2020.

Remote Work Security Gaps

Cyber security experts also warn that hybrid work models expose companies to new risks. Remote workers that use unsecured personal devices and networks are a target for cyber criminals as they increasingly target collaboration apps like Slack and Teams to launch social engineering attacks. With the introduction of faster 5G networks, attacks on mobile devices are also expected to rise, as noted by UpGuard.

The evolution of digital security is now at a pivotal point. The old models, based on clear boundaries between “inside” and “outside,” no longer hold. IT and InfoSec teams now have to contend with much greater digital attack surfaces, endpoint and firmware management challenges and company-wide adherence to remote/hybrid working policies.

A Forrester study in 2023, found that remote and hybrid working models has magnified IT operational challenges for 75% of participating organisations. Below are some best practices and essentials for secure remote/hybrid working models:

Implement Strong Access Controls

Organisations must ensure that only authorised users can access corporate systems. This includes multi-factor authentication (MFA) and device authentication, which requires pre-registering devices before allowing network access. Zero-trust security models that continuously verify user identities and devices are also highly recommended for hybrid environments (Security Boulevard).

Adopt Zero Trust Architecture

Zero Trust is an architectural approach where inherent trust in the network is removed, the network is assumed hostile, and each request is verified based on an access policy. By implementing a “never trust, always verify” approach to network security, requiring continuous authentication and least-privilege access to ensure that every request—whether from inside or outside the network—is fully verified before access is granted, organisations can significantly reduce lateral movement from possible threat actors and improves security across cloud, on-premises, and hybrid environments. NIST has published further guidance on Zero Trust Architecture here.

Develop and Enforce a BYOD Policy, Using Encryption and Backups

Clear policies for using personal devices for work must be established, covering security measures such as mandatory installation of security software and limiting personal use on company devices, while limiting the amount of access through personal devices. This minimises the risk of unauthorised access and data leakage.

Encrypting all stored data on devices used for remote work adds an extra layer of protection in case of theft or unauthorised access. It’s also essential to back up important data regularly, ensuring it can be restored in the event of a cyber attack or system failure. Additionally, enabling remote wipe capabilities for lost or compromised devices ensures sensitive data can be erased quickly.

Use Secure Networks and Tools

Remote workers should avoid public Wi-Fi where possible due to its high vulnerability. Instead, they should rely on personal hotspots or secure VPNs, which encrypt data and protect it from potential attackers on unsecured networks. Similarly, using secure video conferencing platforms and company-approved email systems helps reduce the risk of unauthorised access to communications.

Regular Penetration Testing and Red Teaming

Penetration testing and Red Team exercises are crucial for identifying vulnerabilities across their external and corporate networks, applications or devices before attackers can exploit them. By conducting Targeted Attack Simulations (TAS) or Red Team exercises that simulate exploiting vulnerabilities or gaps in remote/hybrid working environments companies can evaluate their overall security posture of their remote working infrastructure and focus resources on vulnerable areas to improve their defences against such attack vectors.

Regular Software Updates and Endpoint Protection

Ensuring that all devices, including personal ones used for work (BYOD), have up-to-date antivirus and firewall protection is crucial. 

Regularly updating and patching software, coupled with continuous vulnerability assessments, is vital for maintaining a secure infrastructure. Cyber security as a Service (CSaaS) solutions, such as HackRisk, can help companies manage vulnerabilities effectively without overburdening internal teams.

Phishing and Social Engineering Awareness Training

Employees are often the first line of defence against cyber threats. Regular training sessions on phishing, social engineering, and secure data handling can significantly reduce the risk of human error leading to a security breach

Managed Detection and Response (MDR)

Endpoint detection alone is no longer sufficient given today’s digital threat landscape. Organisations must now employ an “always-on” threat detection and monitoring capability. However, employing and retaining qualified cyber security analysts, engineers can very expensive and hard to come by, let alone the continuously high costs of using XDR and SIEM technologies. Running a 24/7 SOC (Security Operations Centre) in-house with experienced analysts and security experts with state-of-the-art defensive technologies are typically reserved for multi-national conglomerates and banks.

MDR services (Managed Detection and Response) provide continuous monitoring and analysis of an organisation’s entire estate, including endpoints, network traffic and activity logs. By outsourcing to experts, firms can ensure that threats are detected and mitigated in real-time, reducing the risk of a successful attack.