Welcome to this very special edition of Cyber News Global, with a Global focus on Cyber the challenges and the advancements we have focused our attention to a number of very key issues that are now becoming leading priorities.
The UK Public sector finally has a voice, the Cyber Centre of Excellence is leading the way, uniting so many small and medium public authority bodies supporting their needs with military grade cyber security capability at a fraction of the costs most organisations would need to pay, the collective capability of the Cyber Centre of Excellence is now making a difference up and down the entire length of the United Kingdom.
Our critical national infrastructure has never been so vulnerable, partnering with experts from Industry to understand more about risk whilst hearing the thoughts from the Principal Information Security Officer of the Ministry of Energy within the UAE confirms that challenges, we all know are there.
Regulation is still driving the standards, Dora is setting the bar for the financial services and banking sector, whilst the EU AI act has a role to play. Quantum Cryptography has just about every major enterprise organisation losing sleep, we are delighted to publish a tremendous article on quantum by Dr Meera Sarama CEO of Cystel UK.
Deep Fake mastery is becoming so hard to detect Cyber Rangers has shared an insightful example of why. The human side of cyber security has now become more of a major asset when looking to take the threat actors on, the OSINT Group co-founder Ben Owen has shared his experiences and enlightens us with capable proactive cyber capability.
So dear readers, don’t loose sleep, know that there is an army of cyber warriors fighting the good fight to keep us all safe at night.
Dr Meera Sarma
ONCA DIGITAL
RISK PROTECTION SERVICES
Brand Impersonation
Unauthorised Access
We monitor for threats and data breaches outside your network on the surface, deep, and dark web and tailor alerts to your needs.
ONCA DRP HELPS TO MITIGATE AGAINST: HELPING COMPLIANCE AND IMPROVING CYBER MATURITY
Illicit activity on the dark web can pose a threat to your business operations and revenues. Monitoring the dark web can be dangerous, time-consuming, and requires specialist skills. To avoid putting security staff and networks at risk, adopt our fully managed Digital Risk Protection Service so that you can continue with busines as usual.
Statement from the Cyber Centre of Excellence’s Chief Executive Kurtis Toy
By Kurtis Toy CEO and Lead vCISO for ONCA Technologies Ltd
As Chief Executive of the Cyber Centre of Excellence (CCoE), I was delighted to be asked to open Day 1 of this year’s International Cyber Risk Symposium and welcome so many colleagues from across the public sector and cyber security community.
This first opportunity to host the opening session was an important moment to highlight what the CCoE stands for – collaboration, vigilance and innovation in the face of fast-evolving cyber threats.
Local authorities are on the frontline of this challenge. They provide essential services and hold the trust of the communities they serve, making them frequent targets for attackers. That is why the work we do together –sharing intelligence, benchmarking vulnerabilities and learning from each other – is so vital.
The launch of our third annual cyber vulnerability report is central to this effort. It has quickly become a trusted benchmark, enabling councils to measure progress and identify areas of concern. This year, we are especially proud to include deep and dark web insights, offering a clearer picture of risks that are often hidden from view.
My hope is that this report not only provides valuable data but also reinforces the power of collaboration.
Together, we can transform shared knowledge into stronger defences and ensure safer digital environments for our organisations and the communities we serve.
Download Your Authority’s Latest Cyber Report
Local authority leaders and their IT specialists can now download their third free annual report from the Cyber Centre of Excellence (CCoE) which reveals whether their cyber security vulnerability level has improved compared to previous years.
This year’s report also includes exclusive insights into vulnerabilities discovered on the deep and dark web for each authority.
This is the third year running that the CCoE – an organisation which aims to make the UK the safest place to work, play and do business online –has funded a research exercise using the attack surface management tool Hexiosec. The technology scans the Internet using a domain name or IP address to look for misconfigurations, security vulnerabilities and exposed data.
This year, the CCoE are proudly offering a more comprehensive report than ever before by including deep and dark web scan results for each local authority, courtesy of Onca Technologies. In each report, local authorities will find the number of email addresses with plain text passwords, hashed passwords, and without passwords found using their organisation’s domain, allowing them to remediate vulnerabilities before they can be exploited by cyber criminals.
The CCoE is an initiative designed to protect all organisations from cyber-attacks by keeping them abreast of adversary developments, giving them access to a suite of cyber protection – including the military-grade zero-trust software AppGuard –at high street prices. The organisation is backed by an Advisory Forum of some of the UK’s leading cyber security experts who can jointly assist with the full remit of everything an organisation of any size needs to do to stay as cyber secure as possible.
With the scope of cyber warfare no longer confined to state-onstate conflicts in 2025, marked by the alarming string of attacks on prominent organisations in both the retail and public sector, the need for fortified cyber security in local government is more crucial than ever. The vulnerabilities identified by the tool could be seen by anyone online, including hackers, revealing potential routes – or open back doors – into organisational systems. The aim of the CCoE Passive Scan exercise and personalised report is to allow the CCoE and the individual local authorities to identify areas of focus, in turn developing a united defence against adversaries.
“Increasingly, local authorities across the UK are being deliberately targeted as entry points for attackers aiming to disrupt essential services, erode public trust, and exploit emerging technologies. These threats are no longer theoretical. Every day, the lines between global conflict and local vulnerability blur further.” explained Kurtis Toy, Chief Executive of the CCoE.
“Building on the success of last year – when around half of all councils downloaded their reports and were well received – we have now carried out this exercise for the third time. This has enabled us to continue year-on-year comparisons and build a clearer picture of trends for each individual local authority. We’re also very pleased to offer additional insights this year through the deep and dark web scan, which we hope will empower councils to take further action against hidden vulnerabilities in their security” He added.
The CCoE is committed to conducting the exercise annually for the foreseeable future. “We are aiming to provide an objective annual spot check to help ensure that the systems and processes local authorities already have in place are working to their expectations. The feedback we got from local authorities last year was either that they were grateful or that they were reassured. This is entirely sponsored by the CCoE as a research exercise and as a helping hand. We have again included the recommendations in the report of where vulnerabilities are and how to fix them.”
Within each council report, scores are generated in four areas, with each area receiving a score between 1 and 5. On this scale, 5 is classed as excellent and a 1 would place an organisation as being very vulnerable to attack. As well as providing an individual comparison to allow each local authority to identify whether their vulnerability has increased or decreased since the scan was carried out in 2023 and 2024, the report also provides an overview of the council compared with their region, and they get a total number of vulnerabilities and a comparison to where that sits for the UK. The report also highlights the top twenty vulnerabilities for the local authority and top twenty actions to address them.
Toy stressed that the data in the report is only one small metric in the context of an overall cyber security strategy. “A lower score doesn’t mean that a local authority has terrible security, it just means that aspect of their security needs improving. There are other strands that need to be in place in addition for a strong cyber security stance, including staff training and endpoint security, for example. And, likewise, a perfect score does not mean they are invulnerable. All we are giving is effectively a map of where a hacker is most likely to look if they were targeting their domain, which is very different to if they receive a phishing email and someone clicks on it.”
Vulnerabilities frequently found included configuration settings, out of date software, forgotten servers and neglected websites affected by mergers or organisational changes. Often configuration changes are made which accidently make information available online without an organisation’s knowledge.
As with the reports in previous years, information on individual councils will not be made publicly available. Copies of the individual 2025 reports will only be available to download by a CEO, vCISO or IT manager within each local authority or by their authorised IT representatives.
Contact the CCoE to request a copy of your organisation’s report or email enquiries@ccoe.org.uk
TRANSFORM YOUR BUSINESS WITH GRC WORKSHOPS
RISK MANAGEMENT APPROACH
ISMS & PIMS, RELEVANT FRAMEWORKS & BEST PRACTICES
SETTING UP GOVERNANCE WITHIN YOUR ORGANISATION
COMPLIANCE EFFORTS
CYBER RESILIENCE IN CRITICAL NATIONAL INFRASTRUCTURE: WHY RISK MANAGEMENT NEEDS A MINDSET SHIFT
By Ian Gemski, CEO at Tekgem
In the world of Critical National Infrastructure (CNI), understanding cyber risk is only half the challenge.
The real difficulty lies in prioritising and managing that risk and this is something that has to be owned from the boardroom to the shop floor. At its core, the goal is simple: to be able to operate business as usual in the event of a cyber incident.
While it sounds straightforward in theory, putting it into practice is far from easy. A recent example makes this clear. Over the Easter weekend earlier this year, multinational retailer Marks and Spencer suffered a major cyber attack. Their online shopping services were suspended for three months, only returning in late July. Shelves in their supermarkets were empty, product availability across clothing lines was limited, and the financial impact was estimated at around £300 million. This is what happens when cyber resilience is lacking, normal operations grind to a halt.
For 20 years, Tekgem has been working with operators of essential services in the CNI space, helping them understand and manage their cybersecurity risks.
This experience underpins the launch of a new version of Unity, Tekgem’s software platform, now featuring a comprehensive risk management capability designed to address the challenges of becoming truly cyber resilient.
Risk Assessment vs Risk Management
The new Unity risk management feature walks organisations through the process of identifying and classifying critical systems for essential business services. It determines cyber risks based on identified vulnerabilities and known threat actors, aligning this process with international cybersecurity standards and risk management frameworks. It also provides a live risk register and an action tracker, ensuring risks are managed throughout the lifecycle of business operations.
Unity’s dashboards play a key role here. They give executives clear visibility of total risks, scores, priorities, and the top 10 highest risks.
Crucially, they also track the actions being taken to address those risks. Risks without actions are meaningless and visibility is essential for everyone from operational teams to board-level decision-makers.
A risk assessment is only one part of the bigger picture. It is a snapshot in time. The moment a new system, process, or technology is introduced, your risk profile changes. Risks are fluid, and the cyber threat landscape changes constantly. That’s why the industry is moving away from static, annual risk assessments towards continuous, dynamic risk management.
From Reactive to Proactive
For too long, cybersecurity has been focused on reacting to incidents after they occur. The shift that needs to happen is towards proactive prevention.
CEO at Tekgem Ian Gemski
Vulnerability management is a prime example. Many organisations focus on patching vulnerabilities with the highest severity scores, 9.9 or 10 out of 10, without considering the actual risk. If a vulnerable system isn’t connected to the network, the risk of exploitation is minimal. By managing risk rather than just vulnerabilities, you focus resources where they matter most: on systems critical to your essential business functions.
A Practical Approach to Risk
The first step is asset classification. Review systems one by one and determine whether each is essential to continuing operations. If a document management system contains your plant’s startup and shutdown procedures, losing it could mean you can’t operate safely. That’s a critical risk.
If you run a shop and your point-of-sale system fails, can you still trade? If you can take cash, yes. If you’re cashless, the shop closes. These simple assessments clarify where to focus protection efforts.
Once assets are classified, risks can be clearly identified, prioritised, and addressed. This not only supports operational continuity but also ensures that the right investments are made to protect what matters most.
The Updated Unity Launch
The updated Unity platform, with its enhanced risk management capabilities, is being released this month to both new and existing customers. Tekgem will be hosting webinars, demos, and a full campaign to showcase and educate how Unity supports a proactive, resilient approach to cybersecurity.
For more information or to arrange a demonstration, contact Tekgem directly.
For organisations looking to shift from reacting to incidents towards actively managing and reducing risk, this update represents a major step forward.
for Board, Executive and Senior Managers
ASSURED TRAINING
This course provides delegates with the opportunity to explore and discuss cyber risk and resilience and how to provide effective governance, risk management and strategic implementation.
Delivered by:
Aimed at Board members including Executive Officers , this course is for those who need to provide governance and implement strategy for cyber risk, i ncluding data protection and resilience.
Richard Preece, Chief Training Officer OSP Cyber Academy
A co-opted core panel member of the British Standard (BS) 31111 Cyber Risk and Resilience Guidance for Boards and Executive Management. A chapter author for Managing Cybersecurity Risk – How Directors & Corporate Officers can protect their businesses.
To reserve your place - contact training@ospcyberacademy.com - or scan QR Code
Interview with Tom Egglestone on Cyber Risk, Ransomware and Cyber Insurance
Cyber News Global recently caught up with Tom Egglestone who shared his thoughts around cyber risk, ransomware, cyber insurance, and how they are all connected.
I’ve been doing cyber insurance for the last 10 years, always on the claims side, supporting clients through cyber incidents. I’ve been with Resilience for three of those years, where I’m the Head of Claims International, which means I’m responsible for the building, delivery, and quality of the claim service across the UK and continental Europe.
Prior to that, I actually spent several years in the psychology field. I spent time as a support worker. I worked on mental health support hotlines, suicide hotlines, and also spent some time volunteering on a secure ward. The reason I bring that up is because it essentially means if you look at my career, I’ve always supported people through various types of crises and in difficult situations.
I’m looking to bring that human-led and empathic way of managing cyber incidents, combining that with technical expertise to support insurers when they have these incidents.
Ransomware Trends
Ransomware is a pervasive threat and it’s continued to gain traction at all levels. That’s evidenced by the fact we’ve seen the UK government recently undertaking a consultation.
They’ve had the results back and they’ve provided some initial comments about measures they’re looking to introduce to help manage the threat of ransomware to UK businesses. It’s clearly on the public agenda, the government’s agenda – and there’s good reason for that.
Although ransomware is still a threat –and when it impacts a company it can still be very detrimental and cause a great deal of impact – we have seen that, over the last several years, the frequency at which actual ransom payments are being made has come down quite significantly.
If you look at public reporting like Coveware – who are a ransomware negotiation specialist – their most recent report puts it at around 26% of cases where they saw ransom being paid. But if you go back to 2022, 2021, that percentage is up in the 60s & 70s.
I think the reason for that is that we’ve seen companies better prepare. We’re generally seeing a higher level of control in place, better cyber hygiene, and just more awareness from senior figures within companies. We’re seeing the board being aware and seeing cyber risk as a board issue, not just a technical issue for the CISO to manage. Still pervasive, but the frequency at which we’re seeing ransoms being paid is going down, which is excellent.
Transfer Fraud Challenges
Transfer fraud is challenging because it takes advantage of human culpability. It goes beyond technological controls and takes advantage of people’s lack of awareness.These phishing campaigns that people are falling victim to are getting more and more advanced. That’s where AI starts to come into things.
If I think about what companies can do to try and mitigate the risk of transfer fraud happening, first of all, it’s about preparedness. We talk about practicing an IR plan. I think these phishing training sessions are great, but could we do more? Could they be more real life-type scenarios? For example, if you’ve got an accounts team, can you actually put them through a real life fraud scenario where they actually have to face that down?
One of the other things that we often see threat actors using in these transfer fraud scenarios is fear and urgency: saying something like ‘We need to do this now otherwise this deal is going to collapse’. We saw that type of narrative being used on a case quite recently.
When it’s coming from someone that the victim thinks is their CEO, it’s really quite powerful. And this is where technology can come in: Are there ways that technology can be used to just slow everything down a little bit if money’s moving around? Whether that’s prompts or warnings that this account doesn’t match or these records aren’t the same as what we have for that person, is there a way for tech to just help people take a breath when they’re going through these situations?
The other thing is there’s a culture issue. I still think there’s a blame culture. If someone falls victim to a phishing attack, there’s a lot of shame and that will only play into the fraudster’s hand. There’s a shifting culture that needs to come from the top of companies around this type of risk.
AI’s Role in Cybersecurity
I remember at the start of last year, everyone got into prediction season – what are the big things that’s going to happen in 2024? I saw at least two people or companies projecting some kind of AI-supercharged ransomware pandemic.
Everyone will be pleased to know we’ve not seen that. We’ve not seen some kind of super ransomware that’s been built purely out of AI or a campaign that’s purely AI-driven. I think the way that AI is being used by threat actor groups is the same as how you and I would use it: It’s taking basic tasks off your desk so that you can spend time focusing on the stuff that matters. For threat actor groups, maybe pushing coding activities through AI, which allows them to free up time to devise new approaches.
The thing to highlight here is that AI is also being used capably by defenders to spot anomalies and identify trends and to respond more quickly to compromises or cyber attacks. Both sides are using it. It’s whether we’re keeping the good guys ahead of the bad guys that’s the challenge.
Supply Chain Risk
You can’t really control your supply chain’s risk. What can you do? I think there’s a shift in mindset from control to visibility. Step one is having a very clear view of what is our vendor ecosystem; not just who are our vendors but who are their vendors and how does that all impact our business and what impact might X vendor being implicated or that system going down have?
That’s something that should absolutely be undertaken as part of incident response planning. It’s almost like taking business continuity planning, which many businesses have always done for fires or natural risks, and extending that to cyber risk as well. It’s about prioritizing impact on your business versus which vendors you spend the most money with. Which one is the one that’s going to impact you the worst if it goes down?
That’s reflected if you look at two supply chain attacks we’ve seen in the last couple of years. CrowdStrike – globally recognized, everyone knows who CrowdStrike is, they’re on F1 cars, huge company – had an outage, impacted a lot of people and caused some financial loss, but maybe not as much as some people thought.
But then we also saw some claims come out of software called CDK, which is used by the auto dealership industry, particularly in the US and Canada. That had a very small impact in terms of global recognition, but on those companies, it had massive detrimental impacts and really rendered them completely unable to do anything. It’s that difficulty of having the big vendors, but also what about these small vendors that provide a very specific service to a very specific industry? It can be a real point of aggregation.
I think there’s prioritizing impact and this is something that Resilience is developing products to assist clients with. It’s about having dynamic ongoing monitoring. A tick box exercise at the point you enter into a contract with a vendor is not sufficient. You need to have a dynamic ongoing view of the risk that’s presenting. That’s something that Resilience is hoping to launch some interesting products on in the near future.
As we’ve talked about, it comes back to the board. Just making sure that cyber risk, supply chain risk and cyber risk more broadly is a board level discussion so it’s not just for the CISO or the head of IT – it’s for the CFO, the risk manager, CEO – should all be being discussed at that board level.
FOR MORE SCAN
THE QR CODE
The Quantum Reckoning: How Hackers Are Already Winning Tomorrow’s War
While executives debate timelines, cybercriminals are positioning themselves for the ultimate heist
The corporate world loves a timeline. When will autonomous vehicles dominate our roads? When will artificial intelligence replace human workers? When will quantum computers revolutionise business? The answer to that last question— somewhere between five and thirty years, depending on whom you ask— has lulled many executives into a dangerous complacency.
This is a critical miscalculation. While quantum computing may seem like a distant concern, the quantum threat is already here, and it’s growing more urgent by the day.
Inside the Hacker’s Quantum Playbook
Cybercriminals have already adapted their strategies for the quantum age, displaying a sophistication that should alarm every corporate leader. Statesponsored hackers and criminal organisations have quietly begun what cybersecurity experts call “harvest now, decrypt later” attacks. They’re systematically collecting encrypted data with a chilling patience, storing it like vintage wine, waiting for the day when quantum computers can crack it open in minutes rather than millennia.
The hacker methodology is disturbingly elegant. Rather than attempting to break current encryption—a futile exercise that would take millions of years—they’re playing the long game.
Intelligence agencies report massive data theft operations where hackers aren’t even attempting immediate decryption.They’re simply stockpiling encrypted databases, communications, and intellectual property, confident that quantum technology will eventually deliver the keys.
The mathematics are stark. Today’s computers would need approximately two million years to break RSA encryption—the cryptographic foundation underlying virtually all digital security, from SSL certificates to VPNs. A commercially viable quantum computer, armed with Shor’s algorithm, could accomplish the same task in minutes. Every email, every financial transaction, every piece of intellectual property currently protected by traditional encryption becomes vulnerable the moment that quantum threshold is crossed.
This represents a fundamental shift in the threat landscape. Hackers have moved from opportunistic attacks to strategic positioning. They’re not just stealing data; they’re investing in future capabilities. The most sophisticated threat actors are already recruiting quantum computing he most sophisticated threat actors are already recruiting quantum computing expertise, establishing partnerships with academic institutions, and developing quantum-enabled attack frameworks.
This isn’t theoretical. The encryption protecting today’s data—your company’s R&D secrets, customer information, strategic plans—is already compromised in principle. The only question is timing.
Dr Meera Sarma
CEO of Cystel , A cybersecurity firm
Modern businesses operate through complex webs of suppliers, partners, and service providers, each representing a potential entry point for quantum-enabled attacks. A single compromised supplier could expose dozens of downstream companies to catastrophic data breaches.
Consider the automotive industry, where a single component manufacturer might supply parts to multiple car brands. If quantum computers can crack the encrypted communications between that supplier and its customers, hackers could potentially access design specifications, manufacturing processes, and strategic plans across the entire automotive ecosystem. The same vulnerability exists in pharmaceuticals, aerospace, financial services, and virtually every other interconnected industry.
The challenge is compounded by the global nature of modern supply chains. Companies may have quantum-safe encryption in their headquarters, but their suppliers in different countries might be operating with outdated cryptographic standards. The weakest link principle means that quantum vulnerabilities anywhere in the supply chain can compromise the entire network.
Financial supply chains present particularly attractive targets. Payment processors, banks, and fintech companies all rely on encrypted communications to handle transactions.
A quantum-enabled attack on any single point in this network could potentially compromise millions of transactions, customer data, and financial records. The interconnected nature of global finance means that a breach in one institution could cascade across continents within hours.
The Boardroom Awakening
Smart money is already moving, and the implications of inaction are becoming clearer with each passing month. IBM has committed $150 billion to quantum research and development, a figure that should make any chief executive pause. By 2027, more than half of Fortune 500 companies are expected to have adopted quantum technologies at some level. These aren’t speculative investments in distant futures; they’re strategic preparations for imminent realities.
One international bank has already assembled an entire steering committee dedicated to quantum threats. Their reasoning is sound: financial institutions are treasure troves of sensitive data, and the cryptographic methods protecting customer information and trading algorithms are exactly what quantum computers will render obsolete.
The operational benefits are equally compelling. Companies using quantum sensing technologies have reported operational efficiencies of up to 80 percent. Aircraft manufacturers are exploring quantum applications to optimise wing design and reduce carbon footprints. Pharmaceutical companies are using quantum computing to accelerate drug discovery, potentially revolutionising how we approach cancer treatment and Alzheimer’s research.
But hackers understand these opportunities too. The same quantum capabilities that can optimise supply chains can also be weaponised to disrupt them. Criminal organisations are positioning themselves to exploit quantum advantages for financial gain, industrial espionage, and geopolitical manipulation. They’re not waiting for commercial quantum computers; they’re preparing to acquire or access them through various means.
Regulatory Reality Check
The regulatory landscape is crystallising rapidly, leaving little room for procrastination. The UK’s National Cyber Security Centre has given organisations a clear directive: prepare now, complete the transition within three years. The U.S. National Institute of Standards and Technology has already published five quantumresistant algorithms, establishing the foundation for post-quantum cryptographic migration.
These aren’t suggestions; they’re mandates. The European Union’s Digital Operational Resilience Act (DORA) explicitly addresses cryptographic requirements, with quantum resistance becoming a compliance necessity rather than a competitive advantage. Germany’s Federal Office for Information Security has mandated quantum-safe cryptography for public sector and critical infrastructure by 2025.
The message from regulators is unambiguous: the quantum transition isn’t optional, and the timeline isn’t negotiable.
The price differential is significant. Early adopters can implement quantum-safe measures systematically, testing and optimising as they go. Late adopters will face crisis-driven implementations, rushed timelines, and the compounding costs of urgency.
The Cost of Inaction
Delaying quantum preparation isn’t just risky; it’s expensive. Every month of inaction increases the eventual cost of migration. Insurance companies are beginning to factor quantum vulnerabilities into their risk assessments, and organisations without quantum-safe measures may soon find themselves uninsurable.
Post-quantum migration isn’t a simple software update. It requires comprehensive cryptographic inventory assessment, risk modelling, and phased implementation across entire technology stacks.
Beyond the Threat
The quantum conversation shouldn’t focus solely on security risks. The technology promises transformative opportunities across sectors.
Quantum computing can optimise supply chains, accelerate materials discovery, and solve complex logistical problems that currently require enormous computational resources.
However, security must come first. Without robust quantum-safe foundations, organisations cannot safely exploit quantum opportunities. The companies building quantum readiness now will be positioned to capitalise on quantum advantages as they emerge.
Industry consortiums are emerging to establish quantum-safe standards across sectors. These collaborative efforts recognise that quantum security is only as strong as the weakest participant in any business ecosystem.
The Geopolitical Dimension
The quantum race has profound geopolitical implications. Nations leading in quantum technology development will hold significant advantages in intelligence gathering, financial manipulation, and strategic communications. Recent power outages affecting multiple countries hint at the potential scale of quantumenabled disruption.
The Practical Path Forward
The good news is that quantum preparation doesn’t require revolutionary changes overnight. The process begins with understanding current cryptographic dependencies— what encryption methods protect which systems, where vulnerabilities exist, and how data flows through the organisation and its supply chain network.
Smart companies are conducting quantum risk assessments, mapping their cryptographic inventory, and developing migration roadmaps that account for supplier relationships and third-party dependencies. They’re implementing hybrid cryptographic approaches, combining traditional and quantum-resistant algorithms to ensure security during the transition period.
The key is crypto-agility—building systems that can adapt to new cryptographic standards as they emerge.
This flexibility will prove invaluable as quantum technologies evolve and new threats emerge. Companies must also extend this agility to their supplier networks, establishing quantumsafe communication protocols and requiring vendors to meet minimum cryptographic standards. Supply chain security requires collaborative approaches. .
The quantum divide could reshape global power dynamics. Countries and companies that fail to prepare may find themselves at the mercy of those that do. This isn’t hyperbole—it’s the logical extension of technological advantage in an interconnected world.
The Time to Act
The quantum timeline isn’t measured in decades; it’s measured in years, possibly months. The corporate leaders who understand this reality are already moving. They’re not waiting for quantum computers to arrive; they’re preparing for the moment when they do.The quantum imperative isn’t about implementing exotic new technologies. It’s about protecting existing business operations, ensuring regulatory compliance, and positioning for future opportunities. The companies that act now will determine their competitive position for the next generation of computing.
The question isn’t whether quantum computing will transform business— it’s whether your organisation will be ready when it does. The clock is ticking, and the time for preparation is now.
Dr. Meera Sarma is CEO of Cystel, a cybersecurity firm offering quantum safe cybersecurity products and services for enterprise and government clients. She has spent over a decade researching hackers, Quantum Computing cyber threats and contributes to the UK Parliamentary Office for Science and Technology.
Building Trust, Reducing Risk.
Unlocking value, reducing risk and building resilience across your business. We help organisations like yours navigate today’s complex cyber risk landscape with confidence.
Our services are designed to assess, strengthen, execute and optimise your risk management capabilities so you can focus on what matters most – growing your business securely.
Scan the QR Code to learn more.
THE EVOLUTION OF DATA PROTECTION: HOW GDPR IS SHAPING GLOBAL PRIVACY STANDARDS
By Irene Coyle, Chief Operating Officer at OSP Cyber Academy
In the digital age, where personal data is a critical asset, the need for robust data protection measures has never been more pressing. The General Data Protection Regulation (GDPR), introduced in 2018, has set a global benchmark for data privacy. It has transformed not only how organisations manage data but also how individuals view their personal information. But what makes GDPR so impactful, and how is it shaping the global landscape of data privacy?
For Irene Coyle, Chief Operating Officer at OSP Cyber Academy, GDPR represents a paradigm shift in how data is treated.
“GDPR is more than just a regulation,” Irene explains. “It’s a framework that redefines the relationship between individuals and organisations in terms of data. It places the individual at the heart of all data processing activities, ensuring their rights are prioritised.”
This shift from a compliance-driven model to one that emphasises individual rights marks GDPR’s most significant contribution to the privacy landscape.
The regulation has empowered individuals to take control of their data.
“ If it was your data, you would want to have control over how it’s used, how it’s stored, and how it’s shared. GDPR puts that power back into the hands of the individual, ” Irene highlights.
The Global Impact of GDPR
One of the most remarkable aspects of GDPR is its global influence. While it originated in the EU, it has set the standard for data privacy laws worldwide. Irene points out that many countries have followed suit, recognising GDPR as the blueprint for modern data protection.
“Obviously we now have the UK GDPR too but also countries like Brazil, South Korea, and various states in the US are adopting GDPR-like laws because they see the value in creating a unified framework for data protection,” she says.
This influence extends beyond simple adoption; GDPR has prompted a cultural shift towards transparency and accountability in data practices.
“GDPR makes organisations answerable to the people whose data they handle. It ensures that privacy is not just a legal obligation but a fundamental value,” Irene notes.
Why GDPR’s Approach to Consent and Transparency Matters
One of the cornerstones of GDPR is its emphasis on consent and transparency. Before GDPR, consent was often buried in long detailed legalese, making it difficult for individuals to fully understand what they were agreeing to. GDPR changed that.
“GDPR requires clear, informed, and affirmative action consent. It forces organisations to be transparent and to explain their data practices in simple, understandable terms,” Irene explains.
This shift towards transparency has been crucial in building trust.
As Irene highlights,“Transparency isn’t just about compliance—it’s about trust. Companies that are clear about how they use data are more likely to earn the trust of their customers. And in today’s world, trust is a competitive edge.”
Data Governance Under GDPR
The implementation of GDPR has forced organisations to rethink their approach to data governance. No longer is data protection viewed solely as an IT issue; it is now recognised as a business risk.
“Data protection is a business-wide issue that affects every department, from marketing to HR. GDPR makes it clear that this is essential to the integrity and reputation of the organisation,” says Irene.
For Irene, a key component of effective data governance is having a dedicated data protection officer (DPO).
“A DPO plays a crucial role in ensuring that an establishment adheres to GDPR principles. It’s not something that can be tacked onto someone’s existing responsibilities,” she explains. “Without a dedicated DPO, organisations struggle to demonstrate the level of accountability that GDPR demands.”
Irene describes the importance of mapping data flows:
“GDPR forces companies to trace the entire journey of their data—from collection to storage, sharing, and disposal. This mapping process is not only essential for compliance but also for strengthening an organisation’s overall data governance framework.”
GDPR
vs. CCPA: Key Differences
Comparing GDPR with other privacy laws, such as the California Consumer Privacy Act (CCPA), highlights some key differences. While both laws aim to protect personal data, GDPR takes a more comprehensive approach.
“GDPR requires opt-in consent, whereas CCPA allows individuals to opt out of data sales. This is a fundamental difference because opting in ensures that the individual is fully aware and in control of how their data is used,” Irene explains.
Furthermore, GDPR introduces the concept of “privacy by design,” meaning that privacy must be integrated into the development of new products and services from the very beginning. Irene underscores this by saying,
“GDPR doesn’t allow organisations to scramble to comply at the last minute. Privacy must be embedded in the design process from day one. It’s about proactively protecting data, not reacting to issues after the fact.”
Another critical distinction between GDPR and CCPA is GDPR’s extraterritorial scope.
“Even if a company is based outside the EU, if they process the personal data of EU citizens, they must comply with GDPR. This global reach is something that other regulations, like CCPA, don’t have,” Irene notes.
“This extraterritorial reach ensures that organisations worldwide are held to the same high standards of data protection, which is crucial for the digital economy.”
Looking Ahead: The Future of Data Protection
This global reach is something that other regulations, like CCPA, don’t have, Irene notes.
“This extraterritorial reach ensures that organisations worldwide are held to the same high standards of data protection, which is crucial for the digital economy.” she says.
As Irene prepares to attend the GISEC Conference in Dubai, she reflects on the future of data protection and GDPR’s continuing evolution.
“The world is changing rapidly, and data protection must evolve with it. GDPR has set the foundation, but it’s important for organisations to continue to adapt and embrace data protection as a core business value,” she says.
At OSP Cyber Academy, Irene and her team are helping companies navigate the complexities of GDPR compliance and data protection training.
“We’re seeing a real shift in how organisations approach data protection. It’s no longer seen as a regulatory hurdle but as a strategic asset that can enhance brand value and build consumer trust,” Irene adds.
Looking ahead, GDPR is likely to remain the global standard for data protection, influencing not just new regulations but also the way businesses think about data.
“GDPR has set the bar for data privacy, and it’s up to all of us to ensure that we continue to meet and exceed those expectations,” Irene concludes.
DEEPFAKE DEFENSE: RED TEAMING THE NEXT GENERATION OF THREATS
Daniel Hejda is the co-owner, ethical hacker, and Red Team member at Cyber Rangers Ltd., as well as one of the founders of the Cyber Intelligence Club. His core competencies include the preparation of simulated APTstyle cyber attacks, intelligence operations related to cybersecurity, and social engineering techniques.
Daniel Hejda
Co-Founder | Ethical Hacker
Today’s era in the field of AI, specifically large language models (LLMs), is truly turbulent. AI brings new opportunities, but also introduces new threats that both companies and individuals must face. Things that were impossible yesterday are now commonly used, and what we consider impossible today may be completely normal tomorrow.
In recent years, we have seen a variety of better and worse frauds using AI, especially in the area of video, voice, and image modification, which appear much more believable to the average person— especially when they see a person they know and respect. These are mainly socio-manipulative frauds that exploit human trust, or push for quick profits from investments, or simply appeal for help in crisis situations.
Attackers using AI do not hesitate to exploit any difficult situation or take advantage of people’s kindness and empathy.
How attackers actively exploit new and publicly available technologies for DeepFake was something we shared at the GISEC 2025 conference, where we presented the possibilities of creating fraudulent videos and face replacement using a technique called FaceSwap. The principle of this technique is the redrawing of part of the face while maintaining the surrounding environment, hair, and beard of the person in the source image. The facial features of the person, thanks to several AI models integrated into already available applications, are almost indistinguishable from the original, with everything being able to be redrawn in real time.
These techniques make it very easy to conduct online calls with people and refer the victim to websites where the impersonated person appears. If we include in this fraud ecosystem our own trained voice models using, for example, Whisper as one of the text-to-speech models, we can achieve very believable frauds that a large portion of the public is likely to fall for.
Even though achieving perfection may not be desirable in some cases from the attackers’ perspective, the quality is reaching a very advanced stage, and in the coming months and years, this area will evolve to a point where even experts will not be able to immediately distinguish what is and is not real.
The need to test such AI using offensive testing—aimed at exploiting the AI for purposes for which it was not intended— should definitely not be ignored.
We can also expect the continued circumvention of authentication and verification in digital Customer) systems, allowing attackers to open accounts without needing
We can also expect the continued circumvention of authentication and identity verification systems in the digital world, such as bypassing KYC (Know Your Customer) systems, allowing attackers to open bank accounts without needing mules to act as intermediaries.
We can also expect that in the coming years we will see court evidence showing individuals committing crimes, while the actual image and voice are being misused through AI.
We can also expect that more and more statements by famous individuals will be generated by AI and will try to actively manipulate public markets and stock exchanges. But these are certainly not the only situations and threats that await us in the near future. These situations are already happening today, but their use is not yet as widespread and publicly accessible as it may be in a few months or years.
Many of you are creating your own AI or modifying existing AI models, and therefore it is very important to educate yourselves in this area.
The Human Side of Cybersecurity –Ben Owen on OSINT, Digital Footprints
and Global Collaboration
Ben Owen is the co-owner of The OSINT Group, a unique cyber risk mitigation and intelligence collection training company with a global reach. The business specialises in safeguarding digital environments for individuals and organisations, providing expert training in open source intelligence, digital vulnerabilityassessments and strategic security awareness.
Cyber News Global recently caught up with Ben, well known to many for his role on the hit TV show Hunted. Over the past decade, the series has become a fascinating look at how people can be tracked down using both privileged information and open source intelligence, OSINT. Ben has appeared in the UK, US and Australian versions, and has seen first-hand how much valuable information can be found online in minutes.
People have no idea just how much they share every day. Signing up for accounts, leaving reviews, commenting on social media, even logging activity on fitness apps and all of it creates a trail. That data can be used by both the good guys and the bad guys.
One case study from his training sessions illustrates the point.
Within 15 minutes, Ben and his team gathered a wealth of personal information on the Chief Information Officer of a major British energy company who is a professional well versed in cyber security and even advised by the government.
They found personal email addresses, phone numbers, home address, vehicle details, passwords, internal images of their home, and fitness app routes that tracked them to within 20 metres of their front door.
The point, Ben says, is not to scare but to show the reality. We are the good guys, so we lock things down and remove what we can, but imagine the opportunity for hackers. Espionage, blackmail, social engineering – the vulnerabilities are huge.
Why OSINT is Not Just for Techies
A common misconception is that OSINT is purely a technical skill. You do not need to be a coder to be a great online investigator. It is about how you think.
You need to be dynamic, curious, mentally agile. You have to follow threads, backtrack when needed, and most importantly, corroborate what you find. The first piece of information you uncover might look like gold, but it could be misleading. You have to find the gaps.
In a world of user generated content, much of what is online is personal opinion or unverified data. It is not a linear process. You have to be ready to explore, get lost down a rabbit hole, then work your way out again.
Ben has seen regional differences in threats and solutions. But he has also noticed a welcome trend –more collaboration in the OSINT community. One of the best things about this field is that people share. Yes, we run businesses, but there is enough work for everyone. The more collaborative we are, the stronger the whole community becomes.
Some regions stand out for their forward thinking approach, particularly the UAE. They have such a positive mindset. They get it, and they are brilliant to work with.
The Corporate- Personal Security Gap
Most large organisations have strong corporate cyber security. They invest in technology, enforce good password policies, use multi factor authentication and employ skilled teams. But outside the office, it is a different story.The real weakness is when people log off and revert to their personal devices and accounts.
That is where hackers are striking. Look at the major breach at password manager LastPass. This attack started with the developer’s personal laptop, not the corporate network. Hackers take the path of least resistance.
Threats Around the World
With work taking him to over a dozen countries and four continents already this year,
He has also seen a growing appetite for OSINT in regulated industries like finance and government, and in sectors like logistics, green energy and tech start-ups. But the latter often put speed to market above security, which is a risk that can be costly later, particularly in areas like electric vehicles and smart transport.
Why Technology Alone is Not Enough
Too many organisations think that investing in expensive security technology is enough. Tech is only as good as the people interpreting the data. It is not about ripping everything up and starting again. Many of the biggest wins come from awareness and small, strategic changes.
One of the most effective tools his company offers is the Digital Vulnerability Assessment.
One of the most effective tools his company offers is the Digital Vulnerability Assessment. This is a process that identifies what information is publicly available about an organisation and its key people. It is not a technical scan, it is looking at what a hacker could find in minutes and use against you. Every client is shocked by how much is uncovered.
Information might include email addresses, passwords, home images, travel patterns, vehicle details and even favourite pubs. Hackers often have no moral limits, so they may target spouses or children as a route in.
The Rising Threat of Digital Extortion
While ransomware grabs headlines, another threat is growing in the shadows – blackmail and extortion based on stolen personal data. This could involve finding that someone is in a relationship but also active on dating sites, for example. Even if that information is not illegal, it is highly sensitive. In most cases Ben and his team can map almost all of someone’s digital footprint.
Because such incidents often do not involve leaked customer data, companies may not be legally obliged to report them. Many victims simply leave the company quietly. But his team deals with blackmail cases every week, and the numbers will keep rising as breached data becomes more available.
The key is prevention. If you can manage your digital footprint, you can remove many of the opportunities for hackers. That does not need to cost the earth –it just needs awareness, the right
and innovation
Defending Critical Information Infrastructure (CII) - The need for collaboration
The need to effectively defend Critical Information Infrastructure (CII) and achieve resilience has never been greater. In an increasingly digital world, Critical Information Infrastructure has become a prime target for cyber threat actors, including nation states, criminal syndicates, and attackers with financial motives. Also called Critical National Infrastructure (CNI), these are the various essential resources of a nation, that form a part of its very fiber.
From energy grids and water systems to transportation networks and healthcare institutions, CII is the backbone of the essential services that keep societies running. Over the decades these systems have become more interconnected and reliant on digital technology, making them more vulnerable to cyberattacks. However, this challenge can be effectively overcome by adopting an innovative and collaborative approach, with a relentless focus on the security-basics.
The defense of CII must be a national priority. But no single organization or entity can do it alone. The complexity and scale of the threat landscape require a joint effort between government entities, the private sector and technology vendors. Fortunately, across the world, we are witnessing a positive shift towards more inclusive and forward-thinking cybersecurity strategies that emphasize resilience, collaboration, and shared responsibility. A shift from security to resilience, from partnership to collaboration.
The protection of CII in the United Arab Emirates – An overview
The UAE Cybersecurity Council has been doing a tremendous job in driving the adoption of robust security practices across government entities, both critical and non-critical. With the goal of not just achieving a sound security posture, but effectively maintaining resilience.
The recently released National Cybersecurity Strategy (2025-2031) places a critical emphasis on securing CII, with clear metrics to report, for CII sectors. Built on 5 pillars of governance, digital resilience, innovation, cyber capabilities and collaboration, the strategy provides an effective framework to achieve cyber resilience, as well as lays down the guidelines to implement the strategy. Pillar 2 titled Delivering a safe, secure and resilient digital environment places specific requirements for CII within the government sector.
Several initiatives have been launched as part of implementing the National Cybersecurity Strategy, such as the Cyber Protective Shield, under which critical sectors in the country engage in cyber drills regularly to strengthen defenses and enhance cyber resilience.
Another initiative launched as part of the National Cybersecurity Strategy is the secure supply chain program for government and CII’s, with the aim of ensuring a secure ecosystem of vendors.
The critical value of collaboration
One of the most effective ways to strengthen the cybersecurity of CII is through strong public-private collaboration. Governments play a pivotal role in setting cybersecurity standards, regulatory frameworks, platforms for threat intelligence sharing, and responding to major incidents. Meanwhile, private sector organizations, which own and operate much of the infrastructure, bring technical expertise, innovation, and firsthand insight into operational vulnerabilities
Collaborations thrive in an environment of trust. Governments must create safe and legally protected environments where companies can report threats or breaches without fear of reputational damage or regulatory backlash. Likewise, private operators need to proactively engage with government agencies to align their security practices with national standards and participate in coordinated defense initiatives.
Principal Information Security Officer Cyber Security Unit
- Vijay Velayutham
Programs such as the UAE’s award winning Cyber Pulse program, the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) have shown the power of this partnership model.
The Cyber Pulse Program which was awarded at the World Summit on Information Society, is a community-focused program that provides awareness to all community segments.
In addition, these federal agencies provide realtime alerts, sector-specific guidance, governance frameworks and training programs that empower CII entities to stay ahead of emerging threats. Countries across the globe can learn from and adapt these models to suit their own unique contexts.
Embracing Innovation and Next-Generation Technologies
Defending CII requires not just collaboration but also innovation. Cyber threat actors are constantly evolving their tactics, so defenders must stay one step ahead. Integrating emerging technologies such as artificial intelligence (AI), machine learning (ML), and behavioral analytics into cybersecurity frameworks is becoming increasingly essential.
For example, AI-powered intrusion detection systems can analyze massive volumes of network data in real time, identifying anomalies that may signal a breach. Behavioral analytics can detect unusual activity by legitimate users—such as accessing systems at odd hours or transferring large volumes of data—and flag it for investigation. These tools not only improve threat detection but also reduce response time, which is critical in minimizing damage during a cyberattack.
Moreover, innovations like zero-trust architecture—a model that assumes no user or system is inherently trustworthy—can significantly reduce the risk of internal threats. Combined with strong encryption, multi-factor authentication, and micro-segmentation of networks, these technologies create a layered defense approach that makes it harder for attackers to move laterally within a system.
Five Good Practices for Strengthening CII Cybersecurity
1. Implement Continuous Risk Assessments
CII operators must regularly assess and update their understanding of potential vulnerabilities. Risk assessments should consider both external threats and internal weaknesses, including outdated systems or poor access controls. These assessments should feed into a dynamic security strategy that adapts as new threats emerge.
2. Foster a Cyber-Vigilant Culture
Human error remains one of the leading causes of successful cyberattacks. Training employees to recognize phishing emails, use strong passwords, and report suspicious behavior can dramatically improve an organization’s security posture. Cyber vigilance should be part of onboarding, ongoing training, and even executive leadership development.
3. Participate in Information Sharing Networks
No organization has complete visibility into the threat landscape. By joining sector-specific Information Sharing and Analysis Centers (ISACs) or national-level cybersecurity forums, CII entities gain access to real-time threat intelligence, shared experiences, and collective defense strategies. Governments can facilitate these exchanges and provide actionable insights.
4. Establish and Test
Preparedness is key, when dealing with OT/ICS. Every CII organization should have a well-documented and regularly tested incident response plan. This includes roles and responsibilities, communication protocols, legal considerations, and recovery procedures. Simulated cyber drills can help teams respond effectively under pressure.
5. Invest in Secure Design and Resilient Systems
Security should be built into systems from the ground up—not bolted on as an afterthought. Using secure-by-design principles, adopting redundant systems, and maintaining offline backups ensure that services can continue or be quickly restored in the event of an attack. Resilience is just as important as prevention.
Looking Ahead: A National Mission
Securing critical national infrastructure is not just a technical challenge - it’s a national mission that requires vision, leadership, and unity. As cyber threats grow more sophisticated, the lines between civilian, government, and military domains blur. What happens in one sector can have ripple effects across an entire nation.
Therefore, fostering a cybersecurity ecosystem where innovation thrives, collaboration is the norm, and resilience is a shared goal must be the way forward. Governments should lead the charge by setting clear policies, funding research, and building frameworks for cooperation. The private sector should bring its agility, technical talent, and on-the-ground insights. Academia and civil society can contribute with education, research, and community outreach.
Together, we can defend our most vital assets against even the most persistent threats. With the right approach, cybersecurity becomes not just a shield, but a source of national strength, economic stability, and public trust. The future of our critical infrastructure depends on what we do today—and by choosing innovation and collaboration, we are making the right investment for a safer tomorrow.
THE DARK AGE OF AI Welcome to the Era of Innovation, Uncertainty,
and Risk -
By Susanne Bitter
Artificial Intelligence is no longer just a buzzword or a sci-fi fantasy— it’s a quiet force embedded in the fabric of everyday life. It wakes us up with voice assistants like Siri and Alexa, recommends shows on Netflix we didn’t know we wanted, flags suspicious activity in our bank accounts, and even helps detect diseases in medical imaging. It finishes our sentences through predictive text, , curates our social feeds on Facebook and LinkedIn, offers instant translations via Google, and tailors shopping suggestions on Amazon down to the smallest preference. We don’t just use AI—we rely on it.
But despite how familiar it feels, most people—including many professionals—have only a partial grasp of what AI actually is. And that lack of clarity matters.
At a high level, AI can be grouped by how capable it is. Most of what we use today falls under what’s known as narrow AI—systems built to do one thing really well. Whether it’s recommending music, scanning resumes, or driving a car, narrow AI is powerful but limited. The next stage up, general AI, doesn’t yet exist. In theory, it would be able to perform any task a human can, with the same flexibility and reasoning ability. Beyond that lies super or strong AI, a concept mostly found in speculative fiction, describing machines that would outperform humans at virtually everything.
There’s also a functional lens through which to understand AI. Some systems are reactive—they operate purely in the moment, without any memory or learning capability. Think of early chess-playing computers or basic customer service bots. Others have limited memory and can learn from past data to improve their responses—like self-driving cars or your favourite smart assistant.
Information Security and GRC Specialist
The most advanced forms, like “theory of mind” AI or truly self-aware systems, remain hypothetical. They’d need to understand human emotions, beliefs, or even have consciousness—an area we’re nowhere near achieving.
And that’s where the paradox lies. We use AI every day. It guides decisions, automates tasks, and increasingly influences policy and behaviour. Yet, we still don’t have a shared understanding of what it is, how it should be used, or where it might lead. Development is outpacing governance. Hype is outpacing understanding. This isn’t the golden age of AI. It’s the dark age—a time when the tools are advancing faster than our ability to control them. And if we don’t confront that reality now, we may find ourselves dependent on systems we no longer understand—or trust.
Here are five hard truths that every professional needs to reckon with in today’s AI-driven world.
Susanne Bitter
1. Nobody Knows What AI Actually Is
Despite its omnipresence, there is no universally accepted definition of AI. Is it statistical pattern recognition? Machine learning? A simulation of human cognition? Ask five experts and you’ll get ten answers.
This lack of consensus isn’t just academic—it’s operational chaos. Without clear definitions, it’s nearly impossible to regulate AI, set safety standards, or even benchmark performance.
Organizations are investing in “AI” without a shared understanding of what they’re actually buying or building. It’s like commissioning a bridge from a company that can’t define what a bridge is.
2. AI Risk Is a Novelty—and That’s a Problem
Most corporate risk frameworks are decades old, built for financial crises or cybersecurity threats—not generative adversarial networks or reinforcement learning agents. The result? Blind spots. Boards are unsure how to classify AI failures: Are they bugs? Biases? Legal liabilities?
Worse still, the industry lacks historical precedents. We don’t yet fully understand how AI systems fail, let alone how to mitigate those failures. This novelty means we’re often learning about risks after something has gone wrong— whether it’s an AI-driven hiring tool discriminating against candidates, or a chatbot going rogue in the wild.
3. The Compliance Nightmare Is Just Beginning
With new AI laws popping up from Brussels to Beijing, the regulatory landscape is rapidly fragmenting. The EU AI Act, the U.S. Executive Orders, China’s draft laws—each has different definitions, requirements, and enforcement strategies. For global organizations, compliance is turning into a maze of local expectations and overlapping jurisdictions.
Compounding the issue, many compliance officers and legal teams are undertrained in AI-specific topics like data provenance, model interpretability, or automated decisionmaking.
This makes aligning AI development with legal obligations more guesswork than governance.
4. Integration Is the Wild Wild West
Every company wants to “AI-enable” its operations, but integration is often chaotic. Many AI solutions are stitched into legacy systems like a patch on a patch, with little regard for transparency, explainability, or scalability.
Worse, third-party AI vendors often operate as black boxes. Enterprises are deploying models they don’t fully understand, with unclear data sources, opaque algorithms, and unknown failure modes. In this environment, the line between innovation and irresponsibility becomes dangerously thin.
5. AI Is VERY Criminally Effective
The darker side of AI isn’t just a theoretical concern—it’s already here. From deepfake scams and synthetic identity fraud to automated phishing and AI-assisted hacking, bad actors are embracing AI with terrifying speed and sophistication.
This asymmetry is alarming: criminal groups don’t need to follow ethical guidelines or compliance rules. They move fast, experiment freely, and exploit vulnerabilities before regulators or enterprises even know they exist. In the wrong hands, AI becomes a force multiplier for cybercrime.
Where Do We Go From Here?
We’re in uncharted territory. The current wave of AI innovation resembles a gold rush—but one without maps, laws, or sheriffs. For professionals, now is the time to move beyond the hype and engage with the real, complex challenges of the AI era.
This “Dark Age” doesn’t have to last. But it does require vigilance, collaboration, and humility. We must build the legal, ethical, and technical frameworks needed to bring AI out of the shadows—and into a future we can all trust.
Targeted training programs designed specifically for professionals can provide the essential knowledge and skills to confidently steer AI initiatives within your organization. Whether you’re looking to deepen your understanding of AI risks, sharpen your compliance strategies, or master integration best practices, expert-led courses and workshops are the best help to stay ahead in this fast-moving field. Investing in the right training today is the smartest way to ensure you’re not just reacting to AI’s challenges—but proactively shaping its future.
K D Adamson Futurist & Ecocentrist
Ian Ritchie Tech Entrepreneur
Quantum Cyber Services
Our services are designed to fit into wherever you are on your cybersecurity and business risk journey.
Our approach allows us to dovetail into your existing cyber programmes and also to step you forward and join up with future transformation without incurring risk gaps and misalignment
Quantum Readiness Workshop All organisational stakeholders must be lenges, risks, and potential ert-led, customized training for : quantum computers and the nd quantum safe cryptography.
nables enterprises to e strategies to safeguard their m computing. A quantum nisations to quantum risk e current state of their s; Identify vulnerable and m quantum threats; develop a cybersecurity
curity transformation is the d quantum cryptography ctices This involves utilizing to enhance the security of nication networks
urity road mapping is a needsss to help identify, select, and o satisfy a set of
t: the creation of a clientmework and an update to the rporate quantum quantum technology into
