
How headlines can drive change in cyber security

Cyber attacks are a constant in the IT press, but every now and again they cut through to the front pages of national newspapers and evening bulletins. The recent attack on Jaguar Land Rover (JLR) gained international attention due to the combination of its recognisable name and the wide-ranging effects.

The fallout from this incident is likely to continue for months, and probably years. With car production halted for over a month and over 5,000 businesses affected, the Cyber Monitoring Centre has estimated a financial impact of £1.9bn and described it as likely “the most economically damaging cyber event to hit the UK”. The shutdown meant that the number of cars manufactured in September 2025 was the lowest in the UK since 1952.

Reportedly, JLR had “failed to finalise” its cyber insurance cover ahead of the attack and will bear a great deal of this cost. The UK government has underwritten a loan of £1.5bn to JLR to support the company and, crucially, its supply chain.

Undoubtedly, approaches to cyber security will be top of the agenda in boardrooms across the country, as leaders devise plans on how to avoid a similar fate. Chief financial officers (CFOs) and finance directors have likely been asked about levels of insurance coverage, while chief information security officers (CISOs) will be under pressure to strengthen security practices.

Big news stories can shift attitudes. There’s no doubt that insurance vendors and brokers are using this moment to promote their products, but can cyber security teams also use it to help their businesses be better prepared?

A tipping point in perception?

Previously, a business case for digital transformation would be focused on the costs and benefits. Now, security risks are likely to be scrutinised more closely.

Security teams will have a vital role in determining just what this greater awareness of cyber security risks will mean. While it needs to be understood that cyber security threats are very real and can have massive consequences if they are successful, it’s important for businesses to strike a balance, exercising caution rather than being paralysed by fear. The message communicated to the wider business will be key in making sure risks are understood and the right precautions are taken, but not in a way that will stop innovation.

It is also an opportunity to communicate the need for layers of security. It’s not as simple as strong passwords and multi-factor authentication (MFA), but an end-to-end resilience approach is needed to keep a business safe. Cyber insurance can be thought of as one of those layers.

Getting cyber insurance right

Thanks to a greater awareness of cyber insurance, and the risks of not holding it, many businesses will be rushing to check their coverage. Even before the JLR shutdown, cyber insurance was one of the fastest-growing sectors in the global insurance market. Despite this growth, the FCA has warned that the UK is “potentially massively underinsured” against the cyber risks it faces.

For SMEs, cyber insurance policies are often bundled within broader business protection packages, but the terms for payout can be complex. Insurers will, as they do with any claim, scrutinise the business to ensure the policyholder had sufficient safeguards in place at the time of the incident. If those controls were lacking, i.e. if the business failed to maintain up-to-date software, lacked MFA, or had poor backup practices, then the claim may be reduced or rejected altogether.

It is, again, the responsibility of cyber security teams to educate the business on how cyber insurance works and what changes may be necessary to make sure a policy is valid. Businesses may understand this principle for other forms of insurance (a fire insurance policy, for example, may not pay out if a business holds an impromptu indoor barbecue for its staff), but the requirements for cyber insurance may not be so obvious.

Insurance requirements as a guide to better security

Cyber insurance can, in fact, be used to get businesses on the right track when it comes to cyber security requirements. For example, two-factor authentication can often be unpopular with employees who see it as unnecessary, or who have had bad experiences with it as consumers. But if 2FA is a requirement for cyber insurance, then that makes objections easier to overcome. What may have been seen as optional before, despite the urging of the security team, will become embedded.

Of course, insurance requirements are not a complete guide to cyber security needs, but for businesses that are lacking in security, they can be a useful guide to help progress and to win internal arguments. Again, this is about using the moment correctly: with minds focused on cyber security, it’s an opportunity to build a better security culture and help everyone in the business understand their shared responsibility.

Fear vs. focused minds

Cyber security teams have a window of opportunity to get their businesses on the path to better security. It’s a rare occasion when those who care about security find that the rest of the business is thinking about the same problem.

While businesses are reflecting on how they can make sure they do not become another headline, security teams should be on hand to offer guidance and counsel, and can set the tone for how to approach the issue. While fear is a great motivator, this is really about striking the right balance, educating on potential threats and how they can be prevented. Insurance is but one piece of the puzzle.

For businesses where security is lacking, these conversations have the potential to be an inflection point, leading to better security. With minds focused on the need to avoid disaster, experts can be the voice of reason and help keep their businesses safe.

Robert Johnston is general manager of Adlumin at N-able.

What lies in store for the security world in 2026?

If 2024 and 2025 were the years organisations felt the strain of tightening budgets, 2026 is the year those decisions will fully manifest in their cyber risk exposure. Across both the private and public sectors, years of belt-tightening have led to reduced headcount, ageing infrastructure and postponed modernisation. Analyst reports show growth in cyber security spending has slowed markedly and many security teams are operating with fewer specialists than they had three years ago. The cumulative effect is fewer defenders, slower detection and weakening resilience at a time when adversaries are escalating in both ambition and sophistication.

The past year has provided irrefutable proof of how these gaps translate directly into risk. A major supply-chain compromise of Oracle Cloud reportedly exposed millions of records and impacted more than 140,000 tenants. The Salesloft/Drift breach illustrated how attackers can exploit interconnected SaaS ecosystems to cascade access across multiple organisations. Meanwhile, Jaguar Land Rover’s cyber incident halted vehicle production and disrupted supply chains for weeks, demonstrating how even relatively mature, well-funded industries can be brought to a standstill by a single compromise. These incidents reveal a systemic weakening of defensive capacity and third-party oversight.

This is the backdrop against which 2026 begins, and the legacy of recent budget cuts will continue to degrade the defensive posture of many organisations. With smaller teams and constrained resources, adversaries will enjoy longer dwell times, greater freedom to move laterally and more opportunities to exploit unpatched systems. Supply-chain compromise and zero-day exploitation will remain primary attack vectors, especially in environments where patch cycles have slowed or asset inventories are incomplete. Compounding this is the fact that several national cyber bodies have themselves faced funding and workforce reductions, limiting their ability to coordinate incident response at scale. In short, the high-impact attacks of 2025 should not be viewed as peaks, unfortunately, but as early indicators of a worsening trend.

However, budget pressure is not the only factor reshaping the threat landscape. A parallel shift is emerging, driven by a rise in what might be termed casual cyber aggression, outside the more predictable threats such as nation states or organised crime threat actors. Across the UK, several high-profile incidents in 2025 have been traced back to loosely affiliated individuals, often teenagers, wielding commodity hacking tools, rented botnets and downloadable exploit kits. These attackers are not motivated by complex financial schemes or geopolitical goals, but are instead drawn by curiosity, frustration, social validation or the mere thrill of notoriety.

This behaviour is being fuelled by two converging forces. First, the accessibility of attack tooling has increased dramatically. Automated scripts, ransomware-as-a-service platforms and AI-driven reconnaissance tools require minimal technical expertise, lowering the barrier to entry. Second, the volume of open source intelligence, from corporate data leaks to overshared social media profiles, has exploded. Executives, public figures and organisations leave digital footprints that can be assembled into highly persuasive social engineering campaigns. For would-be attackers, the pathway from idea to impact has never been shorter.

What appears to be eroding at the same time – maybe due to the frequency of attacks or complacency – is the perceived risk of consequence. Arrests and prosecutions for cyber offences remain rare relative to the scale of attacks; and within online communities where many of these individuals operate, reputation and bravado often outweigh caution. Combined with social disaffection and worsening economic pressures, hacking is becoming, for some, a form of digital expression by offering an accessible outlet with very real-world repercussions and very little perceived consequence.

In 2026 that will translate into an expectation of more erratic and attention-grabbing attacks by small groups or individuals using widely-available tools. While these incidents may lack technical sophistication, their public visibility and collateral impact, particularly when they target public services, transportation networks or major consumer brands, will make them strategically significant. They also risk eroding public trust in digital services at a moment when that trust is already fragile.

Of course, it wouldn’t be a look ahead without mention of the rapid evolution of artificial intelligence in cyber security on top of everything else. Back in 2020, predictions that AI would reshape defensive strategies seemed optimistic; today, they look understated. By 2025, an IBM report revealed more than two-thirds of organisations reported using AI in their cyber security programmes and nearly a third rely on it extensively. AI now underpins anomaly detection, automated response, threat-hunting and vulnerability management. But cyber criminals have adopted it just as aggressively. Research suggests that the majority of email-based attacks now incorporate AI, and AI-assisted ransomware campaigns are becoming the norm.

Generative AI has made it far easier to craft targeted phishing emails, credible social-engineering scripts and realistic deepfake impersonations. For high-value targets such as CEOs, the oversharing of personal and professional information online materially increases risk. And the growing maturity of agentic AI, those autonomous systems capable of multi-step tasks, introduces both powerful defensive opportunities and new avenues for attack.

Taking all of this into account, three trends stand out.

First, the knock-on effects of underinvestment will continue; i.e. fewer breaches overall, but those that do occur will be larger, more complex and more damaging due to longer dwell times and interconnected supply chains.

Second, casual cyber aggression will become more visible, testing societal resilience and challenging policymakers to rethink digital accountability.

Third, the AI arms race will accelerate on both sides, with defenders and attackers deploying increasingly autonomous systems, driving the next stage of the cat-and-mouse dynamic.

It’s fair to say that 2026 will not necessarily be the most catastrophic year in cybersecurity but it could be one of the most telling. The choices organisations make now, in restoring investment, rebuilding cyber skills and governing AI responsibly, will determine whether the curve bends towards resilience or further fragility.

Anthony Young is CEO at Bridewell, a managed security services provider working in the UK and US.

Clean up your data: A Computer Weekly Downtime Upload podcast

Gunnar Glasneck, data workstream lead at tobacco company Imperial Brands, describes his role as the data tower lead. He is responsible for data migration, as well as the implementation of the company’s SAP analytical cloud.

Computer Weekly met up with Glasneck during the UK and Ireland SAP User Group (UKISUG) conference in Birmingham at the start of December to discuss the role of strong data management in successful SAP S/4Hana projects.

The company has grown through acquisition. This resulted in 50 or so ERP systems in operation, which were not truly integrated. Imperial Brands recognised it needed to bring all of these legacy ERP systems together into one single S/4Hana instance.

Understanding data has been a key factor in Imperial Brands’ successful S/4Hana deployment. But as Glasneck notes, this was the toughest aspect of the project. It required blending capable people from the business with functional consultants and analysts. “I selected three people from business who are at ease with data,” he says. But this can be a challenge. “The topic of data ownership is difficult to implement if you don’t have a data culture,” Glasneck adds, which means there is a lack of data ownership in the business.

What is interesting from the conversation with Glasneck is that the company selected the UK and Ireland, one of its five primary markets, to deploy S/4Hana.

When asked why take this risk, Glasneck says: “I wouldn’t say it was a simple decision. Our ambition was to design a global template, keeping the core clean. But if you start with an easy factory, with say, two or three production lines, or a simple market, then you won’t get to the state where you have a global template, or at least a significantly advanced template which you can then roll out to the other markets and factories.”

Looking at the approach the company has taken in terms of getting its data ready for S/4Hana, he says: “We’re migrating data and this data needs to be validated by the business and approved. It is always difficult to convince people in the business that they own the data and they need to understand it.”

He says data was organised into three functional towers: global supply chain, finance and commercial. The people responsible for these data towers were provided with functional capabilities, which included data analysts and people from within the business.

“This enabled us to understand and profile the legacy data,” says Glasneck, which helped with data cleansing exercises as well as data mapping and documentation.

Having a hand-picked team from the business who knew local business processes and recognised the value of optimising and standardising processes, combined with system integrator consultants providing functional S/4Hana expertise, was key to the project’s success. Glasneck says: “We had a strong governance structure. The processes are always owned by the business and through the governance with our business design authorities and technical design authorities, we were able to present a design that was approved by the business.”

Spacecoin claims pivotal moment with decentralised satellite

The company behind open source satellite internet protocol Spacecoin has announced it has successfully launched three satellites aboard a rideshare mission from Vandenberg Space Force Base in the US.

Designed to be an alternative to Starlink to provide global connectivity without relying on centralised providers or traditional ground infrastructure, Spacecoin is claimed to be the world’s first decentralised physical infrastructure network (DePIN) enabled by low-Earth orbit (LEO) satellite constellations.

Built to serve as the open protocol for permissionless, global internet connectivity, Spacecoin uses blockchain-enabled nanosatellites to deliver censorship-resistant internet access around the globe, with an initial focus on underserved and remote regions.

The satellites are owned and operated by STI, which holds the necessary regulatory approvals for satellite operations, and integrated on the mission via Arrow Science and Technology. Spacecoin functions as the underlying protocol that governs the open satellite data network, managing authorisation, authentication and accounting across the decentralised infrastructure.

The three CTC-1 satellites follow and take advantage of insights gained from the inaugural CTC-0 mission launched in 2024, which is said to have served as a proof of concept, pioneering the transmission of an encrypted blockchain message from Earth to space and back with verified payload integrity. Another claimed result is to have demonstrated that blockchain operations can maintain their security and functionality through space-based communication.

STI says the launch marks the first time a blockchain protocol has been integrated into a satellite constellation designed specifically for decentralised internet infrastructure, backed by proprietary technology with issued and pending patents.

CTC-1 is said to advance the project to the critical next phase of validating two key capabilities essential for decentralised satellite internet: uninterrupted user connections as satellites move across the sky in low-Earth orbit, and direct satellite-to-satellite data exchange with minimal ground station dependence. The mission will take what is called “a definitive step” towards establishing the open architecture standards essential to assure interoperability in future satellite constellations.

Furthermore, STI says the successful validation of these inter-satellite capabilities will enable connectivity demonstrations with multiple government and telecom partners who have already signed agreements and committed to testing Spacecoin’s decentralised satellite internet infrastructure in real-world conditions.

“This launch marks the next frontier for decentralised connectivity,” said Tae Oh, founder of STI. “With multiple satellites now in orbit, we’re proving that internet services need not be centralised, making connectivity permissionless and impossible to switch off. This is a step toward a world where everybody, everywhere has access to the basic human right of internet access.”

To demonstrate the benefits of a decentralised communication architecture for users, the Spacecoin ecosystem is also developing Starmesh, a decentralised VPN that allows users to experience how private, anonymous and encrypted internet browsing will operate across distributed networks. Early Starmesh prototype testing is expected early-mid 2026, focusing on privacy and security advantages.

As the Spacecoin protocol ecosystem expands beyond initial partnerships, the project is actively seeking new collaborations with governments, telecom operators and institutional stakeholders worldwide.

Inserting AI into cyber awareness

The concept of security awareness training is traditionally one of static procedures, including online training and tests, phishing simulations, and physical elements such as posters and displays.

This is all practical for compliance, but does this concept move with the times? In a world where AI is king, how does awareness training fit with this technology trend? As an example, delegates at KnowBe4’s recent user conference in London heard how the company’s more AI-driven direction is taking shape.

Increase in agents

CEO Bryan Palma predicts that AI will lead to more people and agents saying that “AI makes us more productive”, with the number of agents deployed in cyber security increasing. This could result in fewer people being employed; however, the attitude at KnowBe4 is to train the workforce regardless of whether it is man or machine.

“We don’t care as, ultimately, we’re going to prepare your organisation and your workforce to be trained correctly and be an advantage for you in the market,” he says. “Now it is probably 100% humans we train and zero agents, tomorrow it may be 60 humans and 65 agents – we’re not going to care.”

That movement towards agents, and supporting them as much as employees, is particularly forward-looking as the adoption of AI-based options increases. Palma claims that this adoption of support for agents is “about security culture, and that is really the outcome that we’re trying to build”.

He says: “The reality is that agents will be part of your security culture, and bots will be part of your world. If we turn the clock forward a few years, you will have multiple bots that work for you, and you’re going to tell them to do things, and they will work independently, and instead of managing only people, you’re going to need to manage bots as well.”

This move is all about culture, and agents have to be part of that culture “just as humans would be”, he explains.

Workforce trust management

Palma states that the company’s direction is towards the concept of “workforce trust management”, an extension of the original security awareness training and the more commonly used term “human risk management”.

He explains that workforce trust management considers autonomous security, which governs and trains both humans and AI agents, as the workforce will be diverse: “You need to protect them all, as each can be a vulnerability.”

The obvious question is how AI and automated functions are changing both workforce trust management and KnowBe4’s core awareness and training mission. Sitting with Palma, Computer Weekly had the opportunity to ask him about this move towards automation and whether there was enough of a grasp of the roll-out of automated tasks in the way that KnowBe4’s technology works.

Palma says the company was already thinking about it and developing around it, and when he joined the firm, he recognised both its impact, from his earlier work, and the need to accelerate development.

“I’ve put more focus on it; I’m putting more investment behind it. I want to accelerate what we’re doing, but we have six agents in the market – we were already doing this, and it becomes critical because it just allows our system to run better,” he says.

Is there more demand from customers for that kind of automation in a workforce trust management offering? He explains that one of its agents creates a phishing landing page to save time for the IT and cyber security teams to build new versions of the phishing tests continually.

Donna Huggett, information security education and awareness manager at Belron – the parent organisation of Autoglass and Safelite – tells Computer Weekly that she uses KnowBe4 for phishing simulations. The AI-enabled technology “actually helps us massively cut down quite a huge chunk of work”: where time was previously spent developing templates and choosing the right one to use, the options in the AIDA technology now do the work for you.

She also said this determines the level of phishing message to be sent to an employee, so those who need to be challenged more receive slightly harder emails. “And that’s all automated now, so that’s a massive help,” she says.

Paul Maxwell, cyber security engineer at retailer Poundland, says he primarily uses KnowBe4 for phishing simulation, and used 115 templates, but found that some were no longer working. This required new templates to be built, and it “was adding 35 hours a month” to his workload as users became savvier, and he needed to create new emails.

“I spent a good couple of hours at night, just thinking ‘That’s a good one, that’s going to catch people out’. With that kind of stuff, you can’t just go half measure, you’ve really got to try and catch them out,” he says. “Because if you don’t catch them out, you don’t help them learn.”

He explains that the most effective options were those that appeared to come from HR, such as clicking to claim annual leave, and finance and IT issues, including updating to Windows 11. Increased staff engagement has led to more reported phishing attacks. While Maxwell admits that each alert takes time to investigate, he acknowledges that the platform has been really helpful.

“This is exactly what I need: firstly to help me move security forward in the business, but also to be able to take a step back and look at other areas I need to focus on,” he adds.

Automated agents

In terms of automated agents, Computer Weekly asked Palma if the intention was to add machine learning to enable the examples above, and if it could get to the level where it could replace the practitioner’s need to do awareness training by determining the right campaign for employees.

Palma explains that people overlook this link and move directly to AI, whereas the human link remains vital, and machine learning is already involved. “Everybody wants to think GenAI, everybody wants to think next generation: we’ve had lots of machine learning and regular vanilla AI for a long time, and that’s still very meaningful and that still does a lot of the work, but conceptually it will absolutely look and say, ‘Hey, these are the mistakes you’re making’, or ‘These are the mistakes the system is making’ and how you solve that.”

Palma says that the development of agents has increased over the past year, and he sees a future where “our email, our training, our compliance is all going to be in one single platform”, which will allow KnowBe4 to add in components and capabilities as it moves forward.

Different-sized businesses

Palma also discussed whether small- and medium-sized enterprises (SMEs) are more adaptable to a changing technology concept, compared to a large organisation that has been retrospectively building in security since the 1990s.

“I think the bigger organisations have more people, they have more process, they tend to move slower,” he says. “The smaller organisations are going to be very efficient – among many of our SMEs, they don’t have a CISO, and they don’t have an information security department.

“Now, if they have three or four agents that can help them around workforce trust, they’re going to be really happy about that. So, I think adoption at that part of the market is going to be faster and quicker.”

This move to offer automated technologies is one where the company can move with the times, but the question is how adaptive practitioners are to this new form of technology for such a straightforward task. Creating phishing templates is time-consuming, creating new emails takes time and effort, and we have not really begun considering the energy required to filter through the phishing simulation results.

It is interesting to see this adoption of the newer ways of working, and perhaps the next step will be for practitioners to go all in on an agentic approach. Being able to offload a cumbersome task and see the results without hours of extra work would surely be worth the effort.

CIO interview: Innovation in reworking business processes

Leicester-based Cambridge and Counties Bank has been using a modern middleware platform from SnapLogic to help it drive out manual processes.

Chief transformation officer (CTO) David Holton has worked at the 10-year-old bank for four years and is responsible for integrating more technology into the bank and its processes. Cambridge and Counties Bank operates mainly in the real estate finance and asset finance markets serving small and medium-sized enterprises (SMEs).

“Our bank was set up primarily through a manual underwriting lens to assess things that were a little bit harder, but we thought we could overcome,” says Holton, who describes the work with SnapLogic as “trying to reimagine the asset finance business”, including financing required by SMEs that need to purchase machinery.

While the majority of the bank’s balance sheet covers real estate, Holton says asset finance propositions are highly manual: “A lot of the benefit to your broker or your customer is pace, so the ability to get back quickly is quite a differentiator, but we find this very difficult with a highly manual process.” 

According to Holton, working with SnapLogic has enabled the bank to remove a lot of the point-to-point integrations between systems that it previously needed, which has removed much of the manual work its staff used to do, as SnapLogic connects the data sources.

While the bank is just 10 years old, it has evolved during this time, which means some of its IT systems may not be functioning the way the bank currently operates. Holton has spent the past few years building on the bank’s expertise in understanding the business processes. “Things have drifted into a process that we don’t necessarily need to do anymore,” he says.

The old system needed a workaround to get access to data – which is now available using SnapLogic – meaning that the business process had to be revisited. “In some ways, process rationalisation is as important as the new technology,” adds Holton.

Partnership based on business value

Holton describes the way the bank has been working with SnapLogic as a partnership: “When I’m working with SnapLogic, I’m looking at the business outcomes I want to achieve, and then I ask them to help me deliver that rather than setting out a very detailed set of business requirements for building a widget. That’s quite a different way of working.”

For instance, Holton says the bank has partnered with SnapLogic for a specific piece of work looking at agentic AI: “SnapLogic experts have effectively come in-house with us to help us build on their AI environment because this is emerging tech. So, we’re leveraging their expertise.”

“Any AI system that I bring in has to empower colleagues to do more [face-to-face interaction], not less”

David Holton, Cambridge and Counties Bank

Discussing the possibilities of AI at the bank, Holton says: “Obviously, there’s a lot of narrative about the risks, which need to be managed and far more understood.” While some banks may consider AI-powered chatbots as online interactions with their customers, Holton says Cambridge and Counties Bank believes the real value it provides is in the face-to-face human interaction it has with its customers, adding: “Any AI system that I bring in has to empower colleagues to do more of that, not less.”

Holton does not see AI replacing humans in the bank’s customer dialogue and relationship. However, he says: “I do see AI replacing humans in the processing and the non-value-add tasks that are necessary to get the customer what they need.” These are the tasks that need to happen in the background, which, for Holton, means the customer does not necessarily see them as valuable.

Given that there is so much AI hype, Holton believes that IT and business leaders need to have a thorough grasp of the business proposition and the customer. He says that this understanding is as important now in the era of AI innovation as in previous technology waves, such as digital innovation.

“You’ve got to be very clear on your business proposition before you go on the AI journey,” he says. “There’s a risk that if you don’t set your stall out at the start and really understand what it is that your customers value and what you value about your offering, you could end up running down the road to greater efficiency and using an AI agent to achieve this.”

As Holton notes, if businesses replace too many facilities and tasks with AI agents, customers may actually move away.

Posted on

Cyber’s defining lessons of 2025, and what comes next

2025 was a wild ride for cyber security. The landscape is shifting faster than ever, and several themes stand out when I think about the most important cyber security lessons from the year.

Nation-state risk remains constant. In June, US authorities urgently warned companies to prepare for Iranian cyber attacks. This is just one example of the environment we’re in. Security teams must be ready to defend at a moment’s notice. Threats will mix disinformation and low-level disruption with more sophisticated tradecraft, all of which combined can have destructive consequences.

Human vulnerability is a favourite target of attackers. We continue to see this point proved by the cyber criminal group Scattered Spider, who focused on the insurance sector last June, using classic social engineering techniques to prove that humans are oftentimes the weakest link. If you’re relying only on technology, you’re missing the mark: attackers will always find a way in through people.

AI’s rise pressures us to modernise, but introduces new gaps. Enterprise adoption of generative AI surged in 2025. Traffic to generative AI sites jumped by 50%, while 68% of employees used free-tier tools, and 57% admitted to pasting sensitive data into them. With this, it’s key to remember that AI-generated exploits and misinformation are already here. The security community needs to zero in on model manipulation techniques like prompt injection and proactively test these AI systems through the eyes of the attackers. Crowd-led testing remains one of our strongest defenses, even across new and evolving attack vectors. Diverse human researchers can catch what others miss.

Accountability is no longer optional. Governance is catching up. Take the Qantas incident as an example. After a breach exposed millions of customer records, the airline tied executive bonuses to cyber security outcomes. Docking CEO pay sends a clear message that the accountability for funding, prioritising, and evangelising security practices sits with the CEO and senior leadership team.

Critical infrastructure remains a soft target. Recent third-party attacks like the cyber disruption at European airports caused by a breach in check-in software last September remind us that the human impact of cyber risk can’t be abstract. Critical infrastructure is a soft target for cyber criminals. Disruptions to services leveraged by millions represent a growing threat. Zero trust and privileged access controls should be non-negotiable in all industries, but especially in critical infrastructure, where security stacks are often outdated or built on legacy systems.

In 2025, we found that the threats we face are more personal, more technical, more interconnected, and more tied to accountability. When I look forward and consider what 2026 has in store for all of us, I see six major trends emerging or continuing to grow.

1. Attack sophistication and scale will continue to accelerate.

In 2026, the pace and sophistication of cyber attacks will reach levels that are increasingly difficult to anticipate. Organisations will be less focused on identifying whether attacks come from criminal groups or nation-state actors and more focused on how to respond effectively when an incident occurs.

2. Critical infrastructure remains a prime target.

Attacks against critical infrastructure will remain a top concern. Hardware security, including IoT devices, pipelines, and water systems, will continue to be key risk areas, requiring organisations to prioritise protective measures across the evolving attack surface.

3. Security controls must adapt to diversity of attacks.

The variety of attacks will keep expanding, and security teams will need to implement flexible, effective controls that balance access and protection. Ensuring that employees understand how to identify threats and escalate concerns will be critical to maintaining resilience in this complex landscape.

4. AI confidence can mislead.

In 2026, AI-generated outputs will continue to present information confidently, even when incorrect. As organisations rely on AI for efficiency, reports on threats or incidents may be confidently wrong, creating noise that security teams must cut through to identify real risks.

5. Human oversight remains critical.

The rise of AI-driven hallucinations, deepfakes, and lifelike synthetic media will make it harder for non-technical users to discern reality from AI-generated content. Organisations will need to foster a culture of human validation and critical thinking, ensuring that teams understand AI’s capabilities and limitations.

6. Trust and verification will evolve.

With AI changing how information is created and shared, individuals and organisations will need new methods for verifying content. In 2026, security teams and broader stakeholders will face a culture and mindset shift: determining what to trust, what to validate, and how to respond responsibly to AI-driven outputs.

As defenders, we must embrace people-centric security, rigorously test with human insight, and demand leadership that treats cyber security as a business imperative.

Dave Gerry is CEO at crowdsourced cyber security platform Bugcrowd.

Posted on

Google Maps And Waze Share One Big Problem

Waze sets itself apart from the competition, like Google Maps, by making the experience more engaging. For starters, it’s focused on car and bike drivers, versus generalized maps and traffic alerts. That means Waze is a great app to use if you’re looking to find the best possible route to somewhere, especially fast. But also, Waze uses social cues — those funny emojis — to show you what’s going on at any given time. You can see road hazards, accidents, potential police traps, and other drivers, all denoted by smiling or emotive icons on the map. There are some other differences in how they operate and how they’re used — Waze can show you local gas prices, for example — but the big callout is that they’re both owned by Alphabet, and Waze is a subsidiary. That means Google Maps and Waze are similar when it comes to data collection and privacy, and all that information goes to the same source.

If you have a problem with how Google handles data collection, you’ll likely have the same problem with Waze. That’s worth considering. According to the Waze privacy policy, hosted by Google support, by the way, information you provide includes account details, usernames, phone numbers, home and work addresses, and other addresses you save in the app, your car’s details, destinations you visit, search queries, calendar info, and files you upload to the service. Additional metadata related to your device, browser, and app usage may also be collected. Waze may also collect information “about you from […] partners,” including, but not limited to, unique advertising IDs, local storage, browser web storage, app data caches, databases and server logs. It’s not necessarily clear exactly what info these data stores contain, but it’s safe to assume anything related to Waze or Google’s services is scooped up.

Google Maps and Waze also share features

When Google acquired Waze, it began incorporating some of the features into Google Maps, which is why they now look so similar if you use them both. For example, in 2021, Google Maps was updated so it now displays prices of tolls, a feature it borrowed from Waze. In addition, Waze community incident reports now show up in Google Maps. There’s still a clear difference between the two if you pit them against each other in a Google Maps versus Waze matchup. But this feature sharing also helps to back up the idea that Google Maps and Waze share similar data management policies. If the two apps are sharing community reporting of road incidents, well, you can figure out the rest — they’re also sharing data, period.

If you want to take a deep dive into what kind of road and geographic data Waze and Google’s apps are collecting, the full list from Google Support is pretty substantive. The two apps and services do appear to share at least some real-time data as well, even if Waze is tailored to show more of it to drivers and users. They certainly share infrastructure, though not necessarily all of the data collected; but if it’s going to the same place — Alphabet’s databases — does that distinction truly even matter?

When all is said and done, if you’re going to use Waze, it’s worth noting the infrastructure and data sharing capabilities, and if you’re against how Google handles data and privacy, it might be worth avoiding both apps, Google Maps included.

Posted on

Use of digital ID in UK achieves statutory status

The use of “trusted” digital ID software to verify your identity online in the UK has taken on a statutory footing as of 1 December.

The measures contained in the Data (Use and Access) Act, which became law in June this year, have now taken effect, introducing a formal and legally backed set of standards and governance rules with which all certified providers of digital verification services (DVS) must conform.

The move is intended to provide the public with confidence when using certified digital identity apps, through a framework that shows suppliers are considered trustworthy.

The statutory regime is also likely to underpin the UK government’s plans for a national digital ID scheme, which was announced by prime minister Keir Starmer in September, and is due to go through a consultation phase early next year.

The statutory system formalises processes that have been in place on a trial basis for some time. Suppliers of DVS tools have to conform to the government’s Digital Identity and Attributes Trust Framework (DIATF) and associated codes that add further specifications for use cases such as right to work or right to rent checks.

Once certified, suppliers are listed on a statutory register and will be able to use a trust mark to prove their conformance for potential users. So far, 48 DVS providers who have gained DIATF certification have applied to join the register.

“This regime of standards, governance and oversight helps to ensure the public can trust digital verification services offered under it in the UK,” said John Peart, CEO of the Office for Digital Identities and Attributes (OfDIA), which oversees the framework.

Critical time for digital identity

The move comes at a critical time for digital identity in the UK. Suppliers were blindsided by Starmer’s announcement of a national digital ID scheme that will be mandatory for right-to-work checks by 2029. Many in the sector believe such a national scheme undermines all the work and investment they have put into developing apps and achieving conformance to the statutory regime.

Today (2 December 2025), representatives of DIATF-certified DVS providers are meeting with Darren Jones, Starmer’s chief secretary, who has taken on policy responsibility in the Cabinet Office for the digital ID plan.

Last week’s Autumn Budget revealed that the government has put aside £1.8bn to develop the national scheme, which many suppliers say is a needless expense when they already provide apps that can deliver right-to-work checks and other services within the scope of the government proposals.

“[Government] is proposing to add £1.8bn of new costs to build a system that duplicates DVS,” said Adrian Field, director of market development at digital ID supplier OneID, writing on LinkedIn.

“Is this the best use of taxpayer funds? [The] private sector has proven that ID services can be delivered far more effectively and at far cheaper cost – why not use the efficient, effective services more?”

The meeting with Jones came about after industry representatives requested a formal collaboration on the government scheme.

The Association of Digital Verification Professionals wrote an open letter to Jones, to request a meeting to propose a cross-sector forum to “support clarity and alignment” on the digital identity scheme, noting that government messaging on its policy has made no mention of the DIATF regime.

“For over a decade, with cross-party support, the UK has developed the Digital Identity and Attribute Trust Framework – a voluntary model that protects individual rights, lets government regulate and allows industry to innovate,” the letter said.

“It is unclear whether the aim is a new national digital ID stored in certified private wallets, a single credential sitting solely in the Gov.uk Wallet accessed by certified DVS providers (the current plan), or something entirely different. Each variation represents a fundamentally different social and economic model. This uncertainty risks market stability, discourages investment and weakens trust across the entire digital ecosystem – not just government.”

An online petition opposing the introduction of digital ID in the UK has gathered almost three million signatures, and many DVS providers are privately outraged at the government’s proposals.

MPs on the Home Affairs Committee launched an inquiry in June 2025 into the introduction of new forms of digital ID. At a hearing last month, the MPs were warned that a mandatory digital ID could pave the way for greater mass surveillance and digital exclusion, and would fail to deliver Starmer’s suggested benefits of reducing illegal migration or preventing people from working illegally.

Posted on

Strategic shift pays off as Okta bids to ease agentic

Off the back of its expanding agentic AI security vision, identity specialist Okta has turned in a solid third quarter, with revenues up 12% to $742m (£562m), reversing the multimillion-dollar GAAP operating loss it reported 12 months ago and booking GAAP net income of $43m, up from $16m year-on-year.

In a signal that strategic decisions taken earlier this year may be paying off, Okta revealed it currently has a subscription backlog of over $4bn, with approximately $2.3bn of that figure set to be recognised in the coming 12 months.

Okta CEO Todd McKinnon, who proclaimed a few short weeks ago that identity security and agentic AI security are basically one and the same, described a solid set of results highlighted by continued strength with large customers and adoption of its new products.

Speaking to Computer Weekly ahead of the results announcement, president and COO Eric Kelleher said: “Coming out of last year we had an important shift in strategy. We realised that going out to Q4 [1 November 2024 – 31 January 2025] our product innovation had accelerated to the point where it was putting a burden on our sales organisation to have to sell all products to all people.

“We made a significant change to specialise our go-to-market organisation on two buyer personas, the enterprise buyer, primarily chief information officers [CIOs] and chief information security officers [CISOs] and the developer buyer, and specialising our platforms as well – the Auth0 platform for developers and the Okta platform for CIOs and CISOs.”

Based on that, Kelleher said that Q1 2026 had been broadly on track, Q2 had shown improvement and Q3 was “solid against our plans and expectations”.

He said the firm was now having more successful conversations with both of its core audiences and described identity security as never having been more important – something buyers are starting to recognise too, particularly those that have deployed multiple point solutions for different identity scenarios.

“They’re looking for an identity partner that can help them solve all these use cases with a single pane of glass … so we give them the administrative layer to make their businesses more secure.

“When you add to that the industry momentum around agents and people now having a brand new problem to solve with how they secure the identity of agents that are deployed in their environments, we are very optimistic for what the future holds for us,” he added.

AI bubble?

Amid more ambient chatter about an AI bubble – the Organisation for Economic Cooperation and Development’s (OECD’s) latest forecast for the US talks of a key risk to its projections being a “correction to equity markets that have been buoyed by the hopes of high returns to investment in AI” – Kelleher said there would be winners and losers at every level of the AI world at some point, but that regardless of who they may turn out to be, AI agents are not going away.

“People are going to have agents deployed … and the existence of the agents is what creates the need for a platform to secure their identities, irrespective of whatever bubble there may or may not be,” he said.
