Cyber News Global Issue 17

SCOTLANDIS NOW IN THE UAE

Supporting members and partners across the UAE—connecting organisations to Scotlandʼs world-class tech capabilities.

How we support in the UAE

• Curated introductions

• Access to capability directories

• Sector clusters

• Skills & talent connections

• Export & investor links

• Events & market intelligence

• Procurement navigation

As we head to our 17th edition of Cyber News Global, we will be attending GITEX GLOBAL 2025, the 45th edition, stands as the world’s most established and iconic large-scale tech exhibition. The UAE has made one of the boldest commitments to AI and Quantum they plan to secure its region’s ability to be the worlds leading AI centre by 2030. With this focus comes great opportunity to collaborate where capability is required.

Global experts will come together to share knowledge, capability, and experiences to help shape the future of Cyber security and the advancements of AI and Quantum.

Cyber News Global will be there to capture every opportunity that will be presented, we will meet the experts, hear their views and share their ideas, this is the start of something truly extraordinary, we have the entire UAE Government and Cyber eco system to thank for such events as GITEX, truly a world leading event.

With the advancements in AI and its use being embraced so widely, its no surprise that AI Governance has become a critical process to ensure that everyone understands their responsibility when utilising AI to expand their capability. The UAE has taken a bold step in this direction with establishing their AI Governance laws, you can read more in this GITEX Special Edition.

Quantum computing plans to revolutionise industry like never before, once again the UAE has taken a huge bold leap to become one of the World’s leading authorities in delivering Quantum safely and progressively.

So dear readers, don’t loose sleep, know that there is an army of cyber and AI warriors out there looking at the future.

ONCA DIGITAL

RISK PROTECTION SERVICES

Brand Impersonation

Unauthorised Access

We monitor for threats and data breaches outside your network on the surface, deep, and dark web and tailor alerts to your needs.

ONCA DRP HELPS TO MITIGATE AGAINST: HELPING COMPLIANCE AND IMPROVING CYBER MATURITY

Illicit activity on the dark web can pose a threat to your business operations and revenues. Monitoring the dark web can be dangerous, time-consuming, and requires specialist skills. To avoid putting security staff and networks at risk, adopt our fully managed Digital Risk Protection Service so that you can continue with busines as usual.

Navigating the AI Frontier: The

UAE’s Bold Strategy on Regulation and Innovation

The Current State of AI Regulation in the UAE. In the sunny skyscrapers of Dubai and the vibrant innovation centers of Abu Dhabi, artificial intelligence is more than just technology; it is essential for the nation.

The United Arab Emirates (UAE) finds itself at a crucial point in its AI governance journey, combining ambitious strategies with varying guidelines instead of a single solid law. Unlike the European Union’s AI Act, which sets specific responsibilities for high-risk systems, the UAE’s approach is flexible, focusing on ethical principles and sector-specific needs rather than strict regulations.

At the core of this framework is the National Strategy for Artificial Intelligence 2031, introduced in 2017 by His Excellency Dr. Omar Sultan Al Olama, then-Minister of State for Artificial Intelligence - the world’s first such appointment. This plan aims to place the UAE among the top five global AI economies by 2031, estimating AED 335 Billion ($91 Billion) in annual GDP contributions through AI integration in healthcare, finance, transport, and education.

Updates in 2024 and 2025 have honed the strategy’s focus on national AI capabilities, highlighted by the launch of the UAE AI Charter in July 2024.

This non-binding document presents eight principles: human wellbeing, safety, transparency, fairness, privacy, accountability, sustainability, and awareness. It draws from UNESCO’s Ethics of AI Recommendation and adjusts them for local culture and economy.

Legally, AI falls under current federal laws rather than specific legislation. The Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), which has been effective since 2022, requires consent, data minimization, and impact assessments for AI systems that handle personal data. This aligns with global standards like GDPR but includes UAE-specific exemptions for national security.

Regulations in different sectors add additional layers: the UAE Central Bank’s AI guidelines for financial institutions demand explainability and bias audits, while the Telecommunications and Digital Government Regulatory Authority (TDRA) enforces ethical AI use in digital services.

In free zones such as Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC), common-law inspired rules impose stricter requirements, such as mandatory disclosure of AI risks for major deployments.

A significant moment occurred in April 2025 when the UAE Cabinet approved the world’s first AIpowered regulatory ecosystem. Named “AI Legis,” this platform uses generative AI to draft, revise, and analyze laws, bringing together various regulations into a seamless database.

Early tests have simplified fintech approvals, but concerns remain about relying too much on unclear algorithms for lawmaking.

Vulnerability management is a prime example. Many organisations focus on patching vulnerabilities with the highest severity scores, 9.9 or 10 out of 10, without considering the actual risk. If a vulnerable system isn’t connected to the network, the risk of exploitation is minimal. By managing risk rather than just vulnerabilities, you focus resources where they matter most: on systems critical to your essential business functions.

A Practical Approach to Risk

The first step is asset classification. Review systems one by one and determine whether each is essential to continuing operations. If a document management system contains your plant’s startup and shutdown procedures, losing it could mean you can’t operate safely. That’s a critical risk.

If you run a shop and your point-of-sale system fails, can you still trade? If you can take cash, yes. If you’re cashless, the shop closes. These simple assessments clarify where to focus protection efforts.

Once assets are classified, risks can be clearly identified, prioritised, and addressed. This not only supports operational continuity but also ensures that the right investments are made to protect what matters most.

The Updated Unity Launch

The updated Unity platform, with its enhanced risk management capabilities, is being released this month to both new and existing customers. Tekgem will be hosting webinars, demos, and a full campaign to showcase and educate how Unity supports a proactive, resilient approach to cybersecurity.

For more information or to arrange a demonstration, contact Tekgem directly.

For organisations looking to shift from reacting to incidents towards actively managing and reducing risk, this update represents a major step forward.

for Board, Executive and Senior Managers

ASSURED TRAINING

This course provides delegates with the opportunity to explore and discuss cyber risk and resilience and how to provide effective governance, risk management and strategic implementation.

Delivered by:

Aimed at Board members including Executive Officers , this course is for those who need to provide governance and implement strategy for cyber risk, i ncluding data protection and resilience.

Richard Preece, Chief Training Officer OSP Cyber Academy

A co-opted core panel member of the British Standard (BS) 31111 Cyber Risk and Resilience Guidance for Boards and Executive Management. A chapter author for Managing Cybersecurity Risk – How Directors & Corporate Officers can protect their businesses.

To reserve your place - contact training@ospcyberacademy.com - or scan QR Code

The Quantum Reckoning: How Hackers Are Already Winning Tomorrow’s War

While executives debate timelines, cybercriminals are positioning themselves for the ultimate heist

The corporate world loves a timeline. When will autonomous vehicles dominate our roads? When will artificial intelligence replace human workers? When will quantum computers revolutionise business? The answer to that last question— somewhere between five and thirty years, depending on whom you ask— has lulled many executives into a dangerous complacency.

This is a critical miscalculation. While quantum computing may seem like a distant concern, the quantum threat is already here, and it’s growing more urgent by the day.

Inside the Hacker’s Quantum Playbook

Cybercriminals have already adapted their strategies for the quantum age, displaying a sophistication that should alarm every corporate leader. Statesponsored hackers and criminal organisations have quietly begun what cybersecurity experts call “harvest now, decrypt later” attacks. They’re systematically collecting encrypted data with a chilling patience, storing it like vintage wine, waiting for the day when quantum computers can crack it open in minutes rather than millennia.

The hacker methodology is disturbingly elegant. Rather than attempting to break current encryption—a futile exercise that would take millions of years—they’re playing the long game.

Intelligence agencies report massive data theft operations where hackers aren’t even attempting immediate decryption.They’re simply stockpiling encrypted databases, communications, and intellectual property, confident that quantum technology will eventually deliver the keys.

The mathematics are stark. Today’s computers would need approximately two million years to break RSA encryption—the cryptographic foundation underlying virtually all digital security, from SSL certificates to VPNs. A commercially viable quantum computer, armed with Shor’s algorithm, could accomplish the same task in minutes. Every email, every financial transaction, every piece of intellectual property currently protected by traditional encryption becomes vulnerable the moment that quantum threshold is crossed.

This represents a fundamental shift in the threat landscape. Hackers have moved from opportunistic attacks to strategic positioning. They’re not just stealing data; they’re investing in future capabilities. The most sophisticated threat actors are already recruiting quantum computing he most sophisticated threat actors are already recruiting quantum computing expertise, establishing partnerships with academic institutions, and developing quantum-enabled attack frameworks.

This isn’t theoretical. The encryption protecting today’s data—your company’s R&D secrets, customer information, strategic plans—is already compromised in principle. The only question is timing.

Dr Meera Sarma

Modern businesses operate through complex webs of suppliers, partners, and service providers, each representing a potential entry point for quantum-enabled attacks. A single compromised supplier could expose dozens of downstream companies to catastrophic data breaches.

Consider the automotive industry, where a single component manufacturer might supply parts to multiple car brands. If quantum computers can crack the encrypted communications between that supplier and its customers, hackers could potentially access design specifications, manufacturing processes, and strategic plans across the entire automotive ecosystem. The same vulnerability exists in pharmaceuticals, aerospace, financial services, and virtually every other interconnected industry.

The challenge is compounded by the global nature of modern supply chains. Companies may have quantum-safe encryption in their headquarters, but their suppliers in different countries might be operating with outdated cryptographic standards. The weakest link principle means that quantum vulnerabilities anywhere in the supply chain can compromise the entire network.

Financial supply chains present particularly attractive targets. Payment processors, banks, and fintech companies all rely on encrypted communications to handle transactions.

A quantum-enabled attack on any single point in this network could potentially compromise millions of transactions, customer data, and financial records. The interconnected nature of global finance means that a breach in one institution could cascade across continents within hours.

The Boardroom Awakening

Smart money is already moving, and the implications of inaction are becoming clearer with each passing month. IBM has committed $150 billion to quantum research and development, a figure that should make any chief executive pause. By 2027, more than half of Fortune 500 companies are expected to have adopted quantum technologies at some level. These aren’t speculative investments in distant futures; they’re strategic preparations for imminent realities.

One international bank has already assembled an entire steering committee dedicated to quantum threats. Their reasoning is sound: financial institutions are treasure troves of sensitive data, and the cryptographic methods protecting customer information and trading algorithms are exactly what quantum computers will render obsolete.

The operational benefits are equally compelling. Companies using quantum sensing technologies have reported operational efficiencies of up to 80 percent. Aircraft manufacturers are exploring quantum applications to optimise wing design and reduce carbon footprints. Pharmaceutical companies are using quantum computing to accelerate drug discovery, potentially revolutionising how we approach cancer treatment and Alzheimer’s research.

But hackers understand these opportunities too. The same quantum capabilities that can optimise supply chains can also be weaponised to disrupt them. Criminal organisations are positioning themselves to exploit quantum advantages for financial gain, industrial espionage, and geopolitical manipulation. They’re not waiting for commercial quantum computers; they’re preparing to acquire or access them through various means.

Regulatory Reality Check

The regulatory landscape is crystallising rapidly, leaving little room for procrastination. The UK’s National Cyber Security Centre has given organisations a clear directive: prepare now, complete the transition within three years. The U.S. National Institute of Standards and Technology has already published five quantumresistant algorithms, establishing the foundation for post-quantum cryptographic migration.

These aren’t suggestions; they’re mandates. The European Union’s Digital Operational Resilience Act (DORA) explicitly addresses cryptographic requirements, with quantum resistance becoming a compliance necessity rather than a competitive advantage. Germany’s Federal Office for Information Security has mandated quantum-safe cryptography for public sector and critical infrastructure by 2025.

The message from regulators is unambiguous: the quantum transition isn’t optional, and the timeline isn’t negotiable.

The price differential is significant. Early adopters can implement quantum-safe measures systematically, testing and optimising as they go. Late adopters will face crisis-driven implementations, rushed timelines, and the compounding costs of urgency.

The Cost of Inaction

Delaying quantum preparation isn’t just risky; it’s expensive. Every month of inaction increases the eventual cost of migration. Insurance companies are beginning to factor quantum vulnerabilities into their risk assessments, and organisations without quantum-safe measures may soon find themselves uninsurable.

Post-quantum migration isn’t a simple software update. It requires comprehensive cryptographic inventory assessment, risk modelling, and phased implementation across entire technology stacks.

Beyond the Threat

The quantum conversation shouldn’t focus solely on security risks. The technology promises transformative opportunities across sectors.

Quantum computing can optimise supply chains, accelerate materials discovery, and solve complex logistical problems that currently require enormous computational resources.

However, security must come first. Without robust quantum-safe foundations, organisations cannot safely exploit quantum opportunities. The companies building quantum readiness now will be positioned to capitalise on quantum advantages as they emerge.

Industry consortiums are emerging to establish quantum-safe standards across sectors. These collaborative efforts recognise that quantum security is only as strong as the weakest participant in any business ecosystem.

The Geopolitical Dimension

The quantum race has profound geopolitical implications. Nations leading in quantum technology development will hold significant advantages in intelligence gathering, financial manipulation, and strategic communications. Recent power outages affecting multiple countries hint at the potential scale of quantumenabled disruption.

The Practical Path Forward

The good news is that quantum preparation doesn’t require revolutionary changes overnight. The process begins with understanding current cryptographic dependencies— what encryption methods protect which systems, where vulnerabilities exist, and how data flows through the organisation and its supply chain network.

Smart companies are conducting quantum risk assessments, mapping their cryptographic inventory, and developing migration roadmaps that account for supplier relationships and third-party dependencies. They’re implementing hybrid cryptographic approaches, combining traditional and quantum-resistant algorithms to ensure security during the transition period.

The key is crypto-agility—building systems that can adapt to new cryptographic standards as they emerge.

This flexibility will prove invaluable as quantum technologies evolve and new threats emerge. Companies must also extend this agility to their supplier networks, establishing quantumsafe communication protocols and requiring vendors to meet minimum cryptographic standards. Supply chain security requires collaborative approaches. .

The quantum divide could reshape global power dynamics. Countries and companies that fail to prepare may find themselves at the mercy of those that do. This isn’t hyperbole—it’s the logical extension of technological advantage in an interconnected world.

The Time to Act

The quantum timeline isn’t measured in decades; it’s measured in years, possibly months. The corporate leaders who understand this reality are already moving. They’re not waiting for quantum computers to arrive; they’re preparing for the moment when they do.The quantum imperative isn’t about implementing exotic new technologies. It’s about protecting existing business operations, ensuring regulatory compliance, and positioning for future opportunities. The companies that act now will determine their competitive position for the next generation of computing.

The question isn’t whether quantum computing will transform business— it’s whether your organisation will be ready when it does. The clock is ticking, and the time for preparation is now.

Dr. Meera Sarma is CEO of Cystel, a cybersecurity firm offering quantum safe cybersecurity products and services for enterprise and government clients. She has spent over a decade researching hackers, Quantum Computing cyber threats and contributes to the UK Parliamentary Office for Science and Technology.

Quantum Cyber Services

Our services are designed to fit into wherever you are on your cybersecurity and business risk journey.

Our approach allows us to dovetail into your existing cyber programmes and also to step you forward and join up with future transformation without incurring risk gaps and misalignment

Quantum Readiness Workshop All organisational stakeholders must be lenges, risks, and potential ert-led, customized training for : quantum computers and the nd quantum safe cryptography.

nables enterprises to e strategies to safeguard their m computing. A quantum nisations to quantum risk e current state of their s; Identify vulnerable and m quantum threats; develop a cybersecurity

curity transformation is the d quantum cryptography ctices This involves utilizing to enhance the security of nication networks

urity road mapping is a needsss to help identify, select, and o satisfy a set of

t: the creation of a clientmework and an update to the rporate quantum quantum technology into

Building Trust, Reducing Risk.

Unlocking value, reducing risk and building resilience across your business. We help organisations like yours navigate today’s complex cyber risk landscape with confidence.

Our services are designed to assess, strengthen, execute and optimise your risk management capabilities so you can focus on what matters most – growing your business securely.

Scan the QR Code to learn more.

THE EVOLUTION OF DATA PROTECTION: HOW GDPR IS SHAPING GLOBAL PRIVACY STANDARDS

By Irene Coyle, Chief Operating Officer at OSP Cyber Academy

In the digital age, where personal data is a critical asset, the need for robust data protection measures has never been more pressing. The General Data Protection Regulation (GDPR), introduced in 2018, has set a global benchmark for data privacy. It has transformed not only how organisations manage data but also how individuals view their personal information. But what makes GDPR so impactful, and how is it shaping the global landscape of data privacy?

For Irene Coyle, Chief Operating Officer at OSP Cyber Academy, GDPR represents a paradigm shift in how data is treated.

“GDPR is more than just a regulation,” Irene explains. “It’s a framework that redefines the relationship between individuals and organisations in terms of data. It places the individual at the heart of all data processing activities, ensuring their rights are prioritised.”

This shift from a compliance-driven model to one that emphasises individual rights marks GDPR’s most significant contribution to the privacy landscape.

The regulation has empowered individuals to take control of their data.

“ If it was your data, you would want to have control over how it’s used, how it’s stored, and how it’s shared. GDPR puts that power back into the hands of the individual, ” Irene highlights.

The Global Impact of GDPR

One of the most remarkable aspects of GDPR is its global influence. While it originated in the EU, it has set the standard for data privacy laws worldwide. Irene points out that many countries have followed suit, recognising GDPR as the blueprint for modern data protection.

“Obviously we now have the UK GDPR too but also countries like Brazil, South Korea, and various states in the US are adopting GDPR-like laws because they see the value in creating a unified framework for data protection,” she says.

This influence extends beyond simple adoption; GDPR has prompted a cultural shift towards transparency and accountability in data practices.

“GDPR makes organisations answerable to the people whose data they handle. It ensures that privacy is not just a legal obligation but a fundamental value,” Irene notes.

Why GDPR’s Approach to Consent and Transparency Matters

One of the cornerstones of GDPR is its emphasis on consent and transparency. Before GDPR, consent was often buried in long detailed legalese, making it difficult for individuals to fully understand what they were agreeing to. GDPR changed that.

“GDPR requires clear, informed, and affirmative action consent. It forces organisations to be transparent and to explain their data practices in simple, understandable terms,” Irene explains.

This shift towards transparency has been crucial in building trust.

As Irene highlights,“Transparency isn’t just about compliance—it’s about trust. Companies that are clear about how they use data are more likely to earn the trust of their customers. And in today’s world, trust is a competitive edge.”

Data Governance Under GDPR

The implementation of GDPR has forced organisations to rethink their approach to data governance. No longer is data protection viewed solely as an IT issue; it is now recognised as a business risk.

“Data protection is a business-wide issue that affects every department, from marketing to HR. GDPR makes it clear that this is essential to the integrity and reputation of the organisation,” says Irene.

For Irene, a key component of effective data governance is having a dedicated data protection officer (DPO).

“A DPO plays a crucial role in ensuring that an establishment adheres to GDPR principles. It’s not something that can be tacked onto someone’s existing responsibilities,” she explains. “Without a dedicated DPO, organisations struggle to demonstrate the level of accountability that GDPR demands.”

Irene describes the importance of mapping data flows:

“GDPR forces companies to trace the entire journey of their data—from collection to storage, sharing, and disposal. This mapping process is not only essential for compliance but also for strengthening an organisation’s overall data governance framework.”

GDPR

vs. CCPA: Key Differences

Comparing GDPR with other privacy laws, such as the California Consumer Privacy Act (CCPA), highlights some key differences. While both laws aim to protect personal data, GDPR takes a more comprehensive approach.

“GDPR requires opt-in consent, whereas CCPA allows individuals to opt out of data sales. This is a fundamental difference because opting in ensures that the individual is fully aware and in control of how their data is used,” Irene explains.

Furthermore, GDPR introduces the concept of “privacy by design,” meaning that privacy must be integrated into the development of new products and services from the very beginning. Irene underscores this by saying,

“GDPR doesn’t allow organisations to scramble to comply at the last minute. Privacy must be embedded in the design process from day one. It’s about proactively protecting data, not reacting to issues after the fact.”

Another critical distinction between GDPR and CCPA is GDPR’s extraterritorial scope.

“Even if a company is based outside the EU, if they process the personal data of EU citizens, they must comply with GDPR. This global reach is something that other regulations, like CCPA, don’t have,” Irene notes.

“This extraterritorial reach ensures that organisations worldwide are held to the same high standards of data protection, which is crucial for the digital economy.”

Looking Ahead: The Future of Data Protection

This global reach is something that other regulations, like CCPA, don’t have, Irene notes.

“This extraterritorial reach ensures that organisations worldwide are held to the same high standards of data protection, which is crucial for the digital economy.” she says.

As Irene prepares to attend the GISEC Conference in Dubai, she reflects on the future of data protection and GDPR’s continuing evolution.

“The world is changing rapidly, and data protection must evolve with it. GDPR has set the foundation, but it’s important for organisations to continue to adapt and embrace data protection as a core business value,” she says.

At OSP Cyber Academy, Irene and her team are helping companies navigate the complexities of GDPR compliance and data protection training.

“We’re seeing a real shift in how organisations approach data protection. It’s no longer seen as a regulatory hurdle but as a strategic asset that can enhance brand value and build consumer trust,” Irene adds.

Looking ahead, GDPR is likely to remain the global standard for data protection, influencing not just new regulations but also the way businesses think about data.

“GDPR has set the bar for data privacy, and it’s up to all of us to ensure that we continue to meet and exceed those expectations,” Irene concludes.

Statement from the Cyber Centre of Excellence’s Chief Executive Kurtis Toy

By Kurtis Toy CEO and Lead vCISO for ONCA Technologies Ltd

As Chief Executive of the Cyber Centre of Excellence (CCoE), I was delighted to be asked to open Day 1 of this year’s International Cyber Risk Symposium and welcome so many colleagues from across the public sector and cyber security community.

This first opportunity to host the opening session was an important moment to highlight what the CCoE stands for – collaboration, vigilance and innovation in the face of fast-evolving cyber threats.

Local authorities are on the frontline of this challenge. They provide essential services and hold the trust of the communities they serve, making them frequent targets for attackers. That is why the work we do together –sharing intelligence, benchmarking vulnerabilities and learning from each other – is so vital.

The launch of our third annual cyber vulnerability report is central to this effort. It has quickly become a trusted benchmark, enabling councils to measure progress and identify areas of concern. This year, we are especially proud to include deep and dark web insights, offering a clearer picture of risks that are often hidden from view.

My hope is that this report not only provides valuable data but also reinforces the power of collaboration.

Together, we can transform shared knowledge into stronger defences and ensure safer digital environments for our organisations and the communities we serve.

Download Your Authority’s Latest Cyber Report

Local authority leaders and their IT specialists can now download their third free annual report from the Cyber Centre of Excellence (CCoE) which reveals whether their cyber security vulnerability level has improved compared to previous years.

This year’s report also includes exclusive insights into vulnerabilities discovered on the deep and dark web for each authority.

This is the third year running that the CCoE – an organisation which aims to make the UK the safest place to work, play and do business online –has funded a research exercise using the attack surface management tool Hexiosec. The technology scans the Internet using a domain name or IP address to look for misconfigurations, security vulnerabilities and exposed data.

This year, the CCoE are proudly offering a more comprehensive report than ever before by including deep and dark web scan results for each local authority, courtesy of Onca Technologies. In each report, local authorities will find the number of email addresses with plain text passwords, hashed passwords, and without passwords found using their organisation’s domain, allowing them to remediate vulnerabilities before they can be exploited by cyber criminals.

The CCoE is an initiative designed to protect all organisations from cyber-attacks by keeping them abreast of adversary developments, giving them access to a suite of cyber protection – including the military-grade zero-trust software AppGuard –at high street prices. The organisation is backed by an Advisory Forum of some of the UK’s leading cyber security experts who can jointly assist with the full remit of everything an organisation of any size needs to do to stay as cyber secure as possible.

With the scope of cyber warfare no longer confined to state-onstate conflicts in 2025, marked by the alarming string of attacks on prominent organisations in both the retail and public sector, the need for fortified cyber security in local government is more crucial than ever. The vulnerabilities identified by the tool could be seen by anyone online, including hackers, revealing potential routes – or open back doors – into organisational systems. The aim of the CCoE Passive Scan exercise and personalised report is to allow the CCoE and the individual local authorities to identify areas of focus, in turn developing a united defence against adversaries.

“Increasingly, local authorities across the UK are being deliberately targeted as entry points for attackers aiming to disrupt essential services, erode public trust, and exploit emerging technologies. These threats are no longer theoretical. Every day, the lines between global conflict and local vulnerability blur further.” explained Kurtis Toy, Chief Executive of the CCoE.

“Building on the success of last year – when around half of all councils downloaded their reports and were well received – we have now carried out this exercise for the third time. This has enabled us to continue year-on-year comparisons and build a clearer picture of trends for each individual local authority. We’re also very pleased to offer additional insights this year through the deep and dark web scan, which we hope will empower councils to take further action against hidden vulnerabilities in their security” He added.

The CCoE is committed to conducting the exercise annually for the foreseeable future. “We are aiming to provide an objective annual spot check to help ensure that the systems and processes local authorities already have in place are working to their expectations. The feedback we got from local authorities last year was either that they were grateful or that they were reassured. This is entirely sponsored by the CCoE as a research exercise and as a helping hand. We have again included the recommendations in the report of where vulnerabilities are and how to fix them.”

Within each council report, scores are generated in four areas, with each area receiving a score between 1 and 5. On this scale, 5 is classed as excellent and a 1 would place an organisation as being very vulnerable to attack. As well as providing an individual comparison to allow each local authority to identify whether their vulnerability has increased or decreased since the scan was carried out in 2023 and 2024, the report also provides an overview of the council compared with their region, and they get a total number of vulnerabilities and a comparison to where that sits for the UK. The report also highlights the top twenty vulnerabilities for the local authority and top twenty actions to address them.

Toy stressed that the data in the report is only one small metric in the context of an overall cyber security strategy. “A lower score doesn’t mean that a local authority has terrible security, it just means that aspect of their security needs improving. There are other strands that need to be in place in addition for a strong cyber security stance, including staff training and endpoint security, for example. And, likewise, a perfect score does not mean they are invulnerable. All we are giving is effectively a map of where a hacker is most likely to look if they were targeting their domain, which is very different to if they receive a phishing email and someone clicks on it.”

Vulnerabilities frequently found included configuration settings, out of date software, forgotten servers and neglected websites affected by mergers or organisational changes. Often configuration changes are made which accidently make information available online without an organisation’s knowledge.

As with the reports in previous years, information on individual councils will not be made publicly available. Copies of the individual 2025 reports will only be available to download by a CEO, vCISO or IT manager within each local authority or by their authorised IT representatives.

Contact the CCoE to request a copy of your organisation’s report or email enquiries@ccoe.org.uk

The Human Side of Cybersecurity –Ben Owen on OSINT, Digital Footprints

and Global Collaboration

Ben Owen is the co-owner of The OSINT Group, a unique cyber risk mitigation and intelligence collection training company with a global reach. The business specialises in safeguarding digital environments for individuals and organisations, providing expert training in open source intelligence, digital vulnerabilityassessments and strategic security awareness.

Cyber News Global recently caught up with Ben, well known to many for his role on the hit TV show Hunted. Over the past decade, the series has become a fascinating look at how people can be tracked down using both privileged information and open source intelligence, OSINT. Ben has appeared in the UK, US and Australian versions, and has seen first-hand how much valuable information can be found online in minutes.

People have no idea just how much they share every day. Signing up for accounts, leaving reviews, commenting on social media, even logging activity on fitness apps and all of it creates a trail. That data can be used by both the good guys and the bad guys.

One case study from his training sessions illustrates the point.

Within 15 minutes, Ben and his team gathered a wealth of personal information on the Chief Information Officer of a major British energy company who is a professional well versed in cyber security and even advised by the government.

They found personal email addresses, phone numbers, home address, vehicle details, passwords, internal images of their home, and fitness app routes that tracked them to within 20 metres of their front door.

The point, Ben says, is not to scare but to show the reality. We are the good guys, so we lock things down and remove what we can, but imagine the opportunity for hackers. Espionage, blackmail, social engineering – the vulnerabilities are huge.

Why OSINT is Not Just for Techies

A common misconception is that OSINT is purely a technical skill. You do not need to be a coder to be a great online investigator. It is about how you think.

You need to be dynamic, curious, mentally agile. You have to follow threads, backtrack when needed, and most importantly, corroborate what you find. The first piece of information you uncover might look like gold, but it could be misleading. You have to find the gaps.

In a world of user generated content, much of what is online is personal opinion or unverified data. It is not a linear process. You have to be ready to explore, get lost down a rabbit hole, then work your way out again.

Ben has seen regional differences in threats and solutions. But he has also noticed a welcome trend –more collaboration in the OSINT community. One of the best things about this field is that people share. Yes, we run businesses, but there is enough work for everyone. The more collaborative we are, the stronger the whole community becomes.

Some regions stand out for their forward thinking approach, particularly the UAE. They have such a positive mindset. They get it, and they are brilliant to work with.

The Corporate- Personal Security Gap

Most large organisations have strong corporate cyber security. They invest in technology, enforce good password policies, use multi factor authentication and employ skilled teams. But outside the office, it is a different story.The real weakness is when people log off and revert to their personal devices and accounts.

That is where hackers are striking. Look at the major breach at password manager LastPass. This attack started with the developer’s personal laptop, not the corporate network. Hackers take the path of least resistance.

Threats Around the World

With work taking him to over a dozen countries and four continents already this year,

He has also seen a growing appetite for OSINT in regulated industries like finance and government, and in sectors like logistics, green energy and tech start-ups. But the latter often put speed to market above security, which is a risk that can be costly later, particularly in areas like electric vehicles and smart transport.

Why Technology Alone is Not Enough

Too many organisations think that investing in expensive security technology is enough. Tech is only as good as the people interpreting the data. It is not about ripping everything up and starting again. Many of the biggest wins come from awareness and small, strategic changes.

One of the most effective tools his company offers is the Digital Vulnerability Assessment.

One of the most effective tools his company offers is the Digital Vulnerability Assessment. This is a process that identifies what information is publicly available about an organisation and its key people. It is not a technical scan, it is looking at what a hacker could find in minutes and use against you. Every client is shocked by how much is uncovered.

Information might include email addresses, passwords, home images, travel patterns, vehicle details and even favourite pubs. Hackers often have no moral limits, so they may target spouses or children as a route in.

The Rising Threat of Digital Extortion

While ransomware grabs headlines, another threat is growing in the shadows – blackmail and extortion based on stolen personal data. This could involve finding that someone is in a relationship but also active on dating sites, for example. Even if that information is not illegal, it is highly sensitive. In most cases Ben and his team can map almost all of someone’s digital footprint.

Because such incidents often do not involve leaked customer data, companies may not be legally obliged to report them. Many victims simply leave the company quietly. But his team deals with blackmail cases every week, and the numbers will keep rising as breached data becomes more available.

The key is prevention. If you can manage your digital footprint, you can remove many of the opportunities for hackers. That does not need to cost the earth –it just needs awareness, the right

and innovation

Defending Critical Information Infrastructure (CII) - The need for collaboration

The need to effectively defend Critical Information Infrastructure (CII) and achieve resilience has never been greater. In an increasingly digital world, Critical Information Infrastructure has become a prime target for cyber threat actors, including nation states, criminal syndicates, and attackers with financial motives. Also called Critical National Infrastructure (CNI), these are the various essential resources of a nation, that form a part of its very fiber.

From energy grids and water systems to transportation networks and healthcare institutions, CII is the backbone of the essential services that keep societies running. Over the decades these systems have become more interconnected and reliant on digital technology, making them more vulnerable to cyberattacks. However, this challenge can be effectively overcome by adopting an innovative and collaborative approach, with a relentless focus on the security-basics.

The defense of CII must be a national priority. But no single organization or entity can do it alone. The complexity and scale of the threat landscape require a joint effort between government entities, the private sector and technology vendors. Fortunately, across the world, we are witnessing a positive shift towards more inclusive and forward-thinking cybersecurity strategies that emphasize resilience, collaboration, and shared responsibility. A shift from security to resilience, from partnership to collaboration.

The protection of CII in the United Arab Emirates – An overview

The UAE Cybersecurity Council has been doing a tremendous job in driving the adoption of robust security practices across government entities, both critical and non-critical. With the goal of not just achieving a sound security posture, but effectively maintaining resilience.

The recently released National Cybersecurity Strategy (2025-2031) places a critical emphasis on securing CII, with clear metrics to report, for CII sectors. Built on 5 pillars of governance, digital resilience, innovation, cyber capabilities and collaboration, the strategy provides an effective framework to achieve cyber resilience, as well as lays down the guidelines to implement the strategy. Pillar 2 titled Delivering a safe, secure and resilient digital environment places specific requirements for CII within the government sector.

Several initiatives have been launched as part of implementing the National Cybersecurity Strategy, such as the Cyber Protective Shield, under which critical sectors in the country engage in cyber drills regularly to strengthen defenses and enhance cyber resilience.

Another initiative launched as part of the National Cybersecurity Strategy is the secure supply chain program for government and CII’s, with the aim of ensuring a secure ecosystem of vendors.

The critical value of collaboration

One of the most effective ways to strengthen the cybersecurity of CII is through strong public-private collaboration. Governments play a pivotal role in setting cybersecurity standards, regulatory frameworks, platforms for threat intelligence sharing, and responding to major incidents. Meanwhile, private sector organizations, which own and operate much of the infrastructure, bring technical expertise, innovation, and firsthand insight into operational vulnerabilities

Collaborations thrive in an environment of trust. Governments must create safe and legally protected environments where companies can report threats or breaches without fear of reputational damage or regulatory backlash. Likewise, private operators need to proactively engage with government agencies to align their security practices with national standards and participate in coordinated defense initiatives.

Programs such as the UAE’s award winning Cyber Pulse program, the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) have shown the power of this partnership model.

The Cyber Pulse Program which was awarded at the World Summit on Information Society, is a community-focused program that provides awareness to all community segments.

In addition, these federal agencies provide realtime alerts, sector-specific guidance, governance frameworks and training programs that empower CII entities to stay ahead of emerging threats. Countries across the globe can learn from and adapt these models to suit their own unique contexts.

Embracing Innovation and Next-Generation Technologies

Defending CII requires not just collaboration but also innovation. Cyber threat actors are constantly evolving their tactics, so defenders must stay one step ahead. Integrating emerging technologies such as artificial intelligence (AI), machine learning (ML), and behavioral analytics into cybersecurity frameworks is becoming increasingly essential.

For example, AI-powered intrusion detection systems can analyze massive volumes of network data in real time, identifying anomalies that may signal a breach. Behavioral analytics can detect unusual activity by legitimate users—such as accessing systems at odd hours or transferring large volumes of data—and flag it for investigation. These tools not only improve threat detection but also reduce response time, which is critical in minimizing damage during a cyberattack.

Moreover, innovations like zero-trust architecture—a model that assumes no user or system is inherently trustworthy—can significantly reduce the risk of internal threats. Combined with strong encryption, multi-factor authentication, and micro-segmentation of networks, these technologies create a layered defense approach that makes it harder for attackers to move laterally within a system.

Five Good Practices for Strengthening CII Cybersecurity

1. Implement Continuous Risk Assessments

CII operators must regularly assess and update their understanding of potential vulnerabilities. Risk assessments should consider both external threats and internal weaknesses, including outdated systems or poor access controls. These assessments should feed into a dynamic security strategy that adapts as new threats emerge.

2. Foster a Cyber-Vigilant Culture

Human error remains one of the leading causes of successful cyberattacks. Training employees to recognize phishing emails, use strong passwords, and report suspicious behavior can dramatically improve an organization’s security posture. Cyber vigilance should be part of onboarding, ongoing training, and even executive leadership development.

3. Participate in Information Sharing Networks

No organization has complete visibility into the threat landscape. By joining sector-specific Information Sharing and Analysis Centers (ISACs) or national-level cybersecurity forums, CII entities gain access to real-time threat intelligence, shared experiences, and collective defense strategies. Governments can facilitate these exchanges and provide actionable insights.

4. Establish

Preparedness is key, when dealing with OT/ICS. Every CII organization should have a well-documented and regularly tested incident response plan. This includes roles and responsibilities, communication protocols, legal considerations, and recovery procedures. Simulated cyber drills can help teams respond effectively under pressure.

5. Invest in Secure Design and Resilient Systems

Security should be built into systems from the ground up—not bolted on as an afterthought. Using secure-by-design principles, adopting redundant systems, and maintaining offline backups ensure that services can continue or be quickly restored in the event of an attack. Resilience is just as important as prevention.

Looking Ahead: A National Mission

Securing critical national infrastructure is not just a technical challenge - it’s a national mission that requires vision, leadership, and unity. As cyber threats grow more sophisticated, the lines between civilian, government, and military domains blur. What happens in one sector can have ripple effects across an entire nation.

Therefore, fostering a cybersecurity ecosystem where innovation thrives, collaboration is the norm, and resilience is a shared goal must be the way forward. Governments should lead the charge by setting clear policies, funding research, and building frameworks for cooperation. The private sector should bring its agility, technical talent, and on-the-ground insights. Academia and civil society can contribute with education, research, and community outreach.

Together, we can defend our most vital assets against even the most persistent threats. With the right approach, cybersecurity becomes not just a shield, but a source of national strength, economic stability, and public trust. The future of our critical infrastructure depends on what we do today—and by choosing innovation and collaboration, we are making the right investment for a safer tomorrow.