Cybersecurity - Q1 2026

Cybersecurity

“When security becomes a shared responsibility, organisations make more deliberate, risk-aware design choices.”
Curtis Dukes, Executive Vice President and General Manager of Security Best Practices, CIS (page 02)

“The asymmetry between attackers and defenders hasn’t disappeared — it’s evolved.”
Jim Reavis, CEO and co-founder, Cloud Security Alliance (page 06)

Why new EU rules represent a cybersecurity step change for the energy sector

New EU regulations require the energy sector to protect its assets with a higher level of cybersecurity in the face of increasing hacks and the threat from quantum technology.

Many organisations lack cybersecurity focus because “it’s not their core expertise,” explains Joeri Voets, CEO of cybersecurity company SandGrain. “It’s something they’re required to do, so they see it as a burden to postpone, rather than a benefit.”

This can even apply to entities in the energy sector which operate energy grids. “Grids are vulnerable to cyberattacks,” says Voets. “In fact, they’re attacked daily. To be more resilient, they need to have better protection mechanisms, growing more important daily in today’s geopolitical environment on one side and the push of a European Smart Grid on the other.”

When quantum computers become available, they can also crack common asymmetric encryption methods and easily breach grid security. ‘Harvest now, decrypt later’ (HNDL) attacks pose a particular risk to energy infrastructure, where devices and data must remain secure for 15-30 years.

In this regard, two key pieces of European Union legislation — the NIS2 Directive and the Cyber Resilience Act (CRA) — represent a cybersecurity step change for the energy sector.

Turning regulation into resilience with secure-by-design platforms

NIS2 expands obligations to energy entities, mandating robust risk management, 24-hour incident reporting, supply chain security and board-level accountability, while prompting a transition to post-quantum cryptography by the end of 2026.

To complement this, the CRA requires security-by-design for digital products, including field devices, the electronics automating and controlling the grid, smart meters, field sensors and energy storage systems.

“These regulations require organisations to have a higher level of cybersecurity,” says Voets. “That’s a heavy burden for most grid operators, because replacing their legacy assets — or retrofitting security into them — would be unmanageable.”

SandGrain offers a simpler solution. It uses secure hardware identities with cloud management to authenticate every device, enable safe firmware updates and protect boot processes.

Operators can retrofit the system onto existing equipment — even complex AI from Nvidia, Intel or AMD — in one or two days. This allows them to achieve full NIS2 and CRA compliance without expensive replacements, while gaining strong protection against quantum threats for the entire 15-30-year lifespan of their grid devices. Because these platforms are built with symmetric authentication algorithms, they provide futureproof post-quantum resilience, can easily be added to existing electronics and made ‘securely connected’, whether through the cloud, on-prem systems or internal networks, thereby safeguarding the operational resilience of energy networks.

“System breaches are huge, disruptive events which can cost a lot of money and massively impact,” says Voets. “Secure-by-design platforms are a relatively simple way to prevent these attacks and represent an opportunity to build more resilient infrastructure.”

Contact information: uk.info@mediaplanet.com or +44 (0) 203 642 0737 | @MediaplanetUKIE

Security starts before the code

Software security must begin long before code is written, reshaping how developers think about risk, resilience and responsibility.

As the connected world expands at unprecedented speed, every new feature or integration creates fresh opportunities for attackers. Relying on patching and incident response is no longer enough. To keep pace with modern threats, security must be engineered into software from the start.

A shift toward intentional security

‘Secure by design’ represents a fundamental shift in how software is created. Instead of treating security as a checklist, it encourages developers to consider how systems will be used and misused in real-world conditions. This means anticipating failure modes, understanding adversary behaviour and designing systems that remain resilient even when individual components fail.

This shift also requires cultural change. Security teams, developers and product owners must collaborate early so decisions reflect both technical realities and user needs. When security becomes a shared responsibility, organisations make more deliberate, risk-aware design choices that strengthen long-term resilience.

Embedding security into everyday engineering

Developers play a central role in this transformation. Secure design begins with foundational architectural decisions: identifying what needs protection, defining trust boundaries and modelling potential threats. These choices shape everything that follows, from coding practices to deployment pipelines.

Secure development reinforces this foundation. Automated testing, strong secret management and continuous validation reduce vulnerabilities and make security a natural part of building software. Because today’s applications rely heavily on third-party libraries, open source components and cloud services, treating supply chain security as a core engineering responsibility is essential. Visibility, verification and ongoing monitoring help ensure external components meet the same standards expected of internal code.

Learning and improving continuously

Even with strong design and development practices, opportunities for improvement will always emerge. When teams respond with transparency, timely action and thoughtful root cause analysis, they strengthen resilience and improve tools, processes and training. Secure by design is ultimately a commitment to building software that thrives in the realities of a connected world. By embracing intentional design, disciplined development and continuous learning, developers can create systems that are high-performing, resilient and fundamentally trustworthy.

WRITTEN BY Curtis Dukes
INTERVIEW WITH Joeri Voets CEO, SandGrain
WRITTEN BY Tony Greenway

Real security for payment devices: why compliance is only the beginning

Payment devices sit at the heart of the global economy. From contactless point-of-sale terminals to ATMs and embedded payment modules, payment devices process billions of transactions daily.

Yet for the manufacturers, operators and financial solution providers behind them, the challenge isn’t only innovation - it’s resilience.

The pressure is constant: accelerate product launches, meet evolving regulatory requirements, pass certification and maintain customer trust. Compliance frameworks are essential. But, as we see in today’s threat landscape, compliance alone doesn’t guarantee security.

Too often, security efforts concentrate on passing an assessment just before release. A checklist turns green, certification is achieved and the product ships. What may remain hidden are deeper weaknesses in firmware, hardware interfaces, transaction logic or third-party software components. Without continuous visibility after launch, newly disclosed vulnerabilities can trigger emergency patches, costly incident response and reputational damage.

Real-world security requires a lifecycle approach

From early design through development, integration, certification, launch and ongoing operation, payment devices must be evaluated as dynamic systems - not static products. Pre-compliance penetration testing helps manufacturers uncover exploitable paths across hardware, firmware and communication interfaces before formal certification. This proactive approach reduces late-stage surprises, saving additional cost and strengthening assurance before products reach the market.

But launch isn’t the end of the story

Modern embedded payment devices depend heavily on third-party and open-source software. As software supply-chain risks grow and every third-party component brings new threats and vulnerabilities, regulators and customers increasingly expect transparency into what’s inside a product. Software Bills of Materials (SBOMs) are becoming a cornerstone of that transparency.

When operationalised correctly, SBOMs move far beyond compliance documentation. By generating or ingesting standardised inventories and linking them to continuously updated vulnerability intelligence, manufacturers gain real-time visibility into affected components when new vulnerabilities are discovered post market-launch. Instead of lengthy “blind spot” investigations after every major CVE (Common Vulnerabilities and Exposures) disclosure, teams can immediately assess impact, prioritise remediation and respond with precision.

From reactive certification exercises to ongoing security assurance

Continuous, product-focused vulnerability monitoring further strengthens this posture. Tracking emerging threats and mapping them directly to specific device models and firmware versions allows engineering, security and operations teams to work from a shared, actionable view.
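The two ideas above, an SBOM inventory linked to a vulnerability feed and then mapped onto device models and firmware versions, worked through as an added Python example that is not code from PCA Cyber Security, PCI SSC or this article. Every SBOM, fleet record and advisory below is constructed sample data, and the CVE identifiers are placeholders rather than real advisories.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample data: one minimal CycloneDX-style SBOM per firmware build.
# Real SBOMs carry far more metadata; only name/version/purl matter for matching.
SBOMS: Dict[str, str] = {
    "pos-fw-3.2.1": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"name": "mbedtls", "version": "2.28.0", "purl": "pkg:generic/mbedtls@2.28.0"},
    ]}),
    "pos-fw-3.3.0": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"name": "openssl", "version": "3.0.9", "purl": "pkg:generic/openssl@3.0.9"},
        {"name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    ]}),
    "atm-fw-7.0.2": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"name": "libcurl", "version": "7.79.1", "purl": "pkg:generic/libcurl@7.79.1"},
    ]}),
}

# Constructed fleet inventory: which device models run which firmware build.
FLEET = [
    {"model": "POS-200", "firmware": "pos-fw-3.2.1", "units": 12000},
    {"model": "POS-200", "firmware": "pos-fw-3.3.0", "units": 4000},
    {"model": "ATM-9", "firmware": "atm-fw-7.0.2", "units": 800},
]

# Constructed advisory feed. The CVE ids are placeholders, not real advisories.
# The affected range is [introduced, fixed): every version before the fix is vulnerable.
FEED = [
    {"id": "CVE-0000-0001", "component": "zlib", "introduced": "1.2.0", "fixed": "1.2.12", "cvss": 9.8},
    {"id": "CVE-0000-0002", "component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l", "cvss": 7.5},
    {"id": "CVE-0000-0003", "component": "libcurl", "introduced": "7.0.0", "fixed": "7.80.0", "cvss": 5.3},
]

VersionKey = Tuple[Tuple[int, object], ...]


def parse_version(version: str) -> VersionKey:
    """Split a version string into comparable parts. Numeric runs compare as
    integers and letter runs (the "k" in 1.1.1k) compare as strings after a
    bare numeric prefix, so 1.1.1 < 1.1.1k < 1.1.1l and 1.2.9 < 1.2.11."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under the ordering above."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_sbom(sbom_json: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def match_feed(sboms: Dict[str, str], feed: List[dict]) -> Dict[str, List[dict]]:
    """Map each firmware build to the advisories that hit one of its components."""
    findings: Dict[str, List[dict]] = {}
    for firmware, sbom_json in sboms.items():
        hits = []
        for name, version in load_sbom(sbom_json):
            for adv in feed:
                if adv["component"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                    hits.append({"cve": adv["id"], "component": name, "version": version,
                                 "fixed": adv["fixed"], "cvss": adv["cvss"]})
        findings[firmware] = hits
    return findings


def impact_report(fleet: List[dict], findings: Dict[str, List[dict]]) -> List[dict]:
    """Join firmware-level findings to the fleet so each row names a device model,
    its firmware build and the deployed unit count; highest severity first, then
    the largest exposed population, which is the remediation order."""
    rows = []
    for device in fleet:
        for hit in findings.get(device["firmware"], []):
            rows.append({**hit, "model": device["model"], "firmware": device["firmware"],
                         "units": device["units"]})
    rows.sort(key=lambda r: (-r["cvss"], -r["units"]))
    return rows


def exposed_units(cve_id: str, report: List[dict]) -> int:
    """Total deployed units still running a build affected by one advisory."""
    return sum(r["units"] for r in report if r["cve"] == cve_id)


if __name__ == "__main__":
    report = impact_report(FLEET, match_feed(SBOMS, FEED))
    for r in report:
        print(f'{r["cve"]} cvss={r["cvss"]} {r["model"]} {r["firmware"]} '
              f'{r["component"]} {r["version"]} -> fix {r["fixed"]} units={r["units"]}')
```

Because the match runs per firmware build, a new advisory is answered by re-running the join rather than by opening an investigation; the same function reports zero rows for the build that already ships fixed versions.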

As a newly approved Associate Participating Organisation (APO) within the PCI SSC community, PCA Cyber Security supports this shift by helping manufacturers embed security across the entire product lifecycle. Compliance is the baseline. Sustainable trust is built on resilience. For payment device manufacturers navigating an increasingly complex landscape, the question is no longer whether to go beyond compliance, but how.

Twenty years of global payment partnerships and counting

This year marks our 20th anniversary. We’ve had twenty years of working with industry stakeholders to help secure payment environments worldwide.

During this time, the payments ecosystem has changed significantly, but PCI SSC’s mission has remained the same: to enhance global payment account data security by developing standards and supporting services that drive education, awareness and effective implementation by stakeholders.

Evolving with the dynamic nature of payments

It’s vital we continue that collective work. Businesses and consumers are demanding payments that are fast, simple and, most of all, secure. Transactions happen by the tens of thousands every second, and as the industry evolves, so must we.

PCI SSC has the opportunity to continue serving as a trusted resource for the industry through our globally recognised security standards, programmes and training. We bring the community together to advance payment security by supporting secure innovation.

Collaborating to set standards for the payments industry, with the industry

Working closely with our stakeholders, including representation from top industry thought leaders, allows us to understand real-world security threats, help prepare best practice mitigation strategies and facilitate critical information sharing. At the core of our efforts, we’re partnering to enhance security for the payment industry, with the payment industry.

Collaboration means getting actively involved in a community of experts and professionals and making your voice heard on the issues that matter. We provide the platform for all payment stakeholders — including merchants, banks, processors, fintechs, service providers, hardware and software developers, point-of-sale vendors, etc. — to do it. Participating organisations can ensure their voice is heard in the development of critical payment security standards and that our programmes keep pace with evolving technology.

This fall, PCI SSC will host our annual Community Meetings in North America, Europe and Asia. This year’s events will commemorate our 20th anniversary, but also demonstrate our focus on the future. We encourage all organisations involved in any aspect of payments to join us, learn what the future of payment security holds and how they can be part of setting the direction for the next chapter.

Why organisations can — and must — change their approach to cybersecurity

In a changing cyber threat landscape, organisations must adopt a new approach to cybersecurity by continuously measuring and quantitatively assessing their cyber risk.

Some organisations only realise they’re vulnerable to a cyberattack when it happens. By that time, it’s too late, and the financial, reputational and legal damage they suffer can be utterly devastating.

This isn’t an issue that’s going away either. Worryingly, cyberattacks have been increasing in frequency, with a string of high-profile breaches across the UK and Europe, including incidents affecting the automotive sector, major UK retailers and critical transport infrastructure. No wonder cybersecurity is now viewed as a critical business risk.

The trouble is, it’s tempting for CEOs and business owners to adopt a traditional approach to cybersecurity by treating it as a checklist or a one-off technical exercise. They assume that if their organisation adheres to essential security compliance requirements, it will be impervious to attack. But sadly, it won’t be.

Why a traditional cybersecurity approach is insufficient

“Obviously, compliance is important,” agrees Basel Katt, Co-Founder of cybersecurity company SeCore. “It gives organisations a baseline of compliance and ensures they have certain cybersecurity controls in place. However, compliance doesn’t equal protection. Breaches can still occur because the threat landscape is changing so dramatically — and so quickly.”

Katt explains that a variety of factors — including cloud adoption, third parties, interconnected systems and AI advances — have increased the threat level exponentially by providing different attack surfaces for cybercriminals to exploit. This means that old cybersecurity methodologies are no longer sufficient.

Traditionally, organisations have assessed their cyber risk in two ways. The first is to measure compliance against a compliance framework checklist. The second is to have a risk assessment specialist carry out point-in-time penetration testing to discover any vulnerabilities in their systems.

“Unfortunately, the problem with the first way is that it doesn’t give an organisation any measurable insights into its system,” explains Alan Katt, Co-Founder, SeCore. “The problem with the second way is that penetrative testing is very subjective. In other words, different risk assessment specialists from different companies could discover completely different vulnerabilities.”

The other issue with checklist compliance and point-in-time penetration testing is that they only offer a security snapshot of (as the name suggests) a particular point in time. “These methods don’t tell organisations what their vulnerabilities will be two weeks later when, say, they install third-party software onto their system,” says Basel Katt. “What will be their security posture then?”

Giving clear and measurable insights into risk exposure

Instead, what’s needed in this new, ever-changing threat environment is a continuous quantitative, evidence-based approach, which demonstrates in real-time how weaknesses can interact, cascade and amplify risk across systems, cloud environments and third-party dependencies. This gives organisations clear, measurable insights into their risk exposure, highlighting individual weaknesses that could combine into broader systemic risk.

For instance, the SeCore platform performs regular assessments against multiple standards, aggregating assurance activities and testing outputs, which are then translated into clear risk scores. It also highlights risk and threat trends and changes over time, suggesting solutions and delivering evidence to enable better decision-making.

“Giving companies a quantitative score shows them how much assurance — or trust — they can have in their system,” explains Alan Katt. “It also allows them to use their budgets more strategically. For example, installing an expensive firewall may only increase their score by 0.5 points, whereas making a simple change to their network architecture may increase their score by 1.5 points. Ultimately, a quantitative approach helps them assess their priorities and make cybersecurity investments most affordably and effectively.”

Why your organisation shouldn’t confuse ‘compliance’ with ‘security’

Organisations that take a quantitative approach to cyber security can affordably prioritise remediation efforts, while genuinely reducing their overall cyber risk.

INTERVIEW WITH Alan Katt
Co-Founder, SeCore
INTERVIEW WITH Basel Katt
Co-Founder, SeCore

Recent high-profile breaches have affected UK organisations. Why do these happen even where compliance requirements are met?

Alan Katt: Compliance isn’t the same as security. Most compliance frameworks are designed to confirm that certain controls exist at a specific point. They don’t measure how exposed an organisation is as systems change, suppliers are added or attackers adapt methods.

Many recent breaches haven’t occurred because organisations ignored compliance, but because risk accumulated across interconnected systems, third parties and cloud environments. Without a way to measure how those risks interact or escalate, organisations can appear compliant while still being highly exposed.

What does a “quantitative” approach to cybersecurity mean?

Basel Katt: Quantitative cybersecurity means moving away from subjective judgment and long technical reports, and toward measurable, comparable insight. Rather than simply listing vulnerabilities or controls, we focus on measuring likelihood, impact and overall exposure. This allows risk to be expressed in terms business leaders understand — prioritisation, trade-offs and outcomes — rather than technical detail.

For business leaders, this matters because cyber risk becomes something that can be quantitatively measured, managed and tracked over time, much like financial or operational risk. It supports better investment decisions, what to fix first and how to demonstrate improvement in a defensible way.

How can organisations prioritise remediation efforts to reduce overall risk?

AK: One of the biggest challenges facing organisations is knowing where to start. Most security teams are presented with long lists of issues, many of which look urgent. We help organisations prioritise remediation by quantifying assurance and risk, not just identifying issues.

We look at what controls are in place and, simultaneously, where potential vulnerabilities exist. We then quantify the findings in terms of business impact and how that issue connects to other weaknesses. This means remediation is focused on actions that reduce overall exposure, rather than fixing issues in isolation. The result is more efficient use of time and budget and measurable reductions in risk.

AI and automation are increasingly shaping cybersecurity. How are you using these technologies today, and how will they influence your platform?

AK: AI and automation are essential for keeping pace with how quickly environments and threats change, but they need to be applied practically. Our platform uses automation to support more accurate and frequent assessments, identify changes in exposure as systems evolve and improve the speed at which risk can be analysed and prioritised. This approach was recently recognised when SeCore was named winner of the AI and Automation category at the Envestors Innovator Awards.

AI helps us surface what matters most, rather than overwhelming teams with raw data. Looking ahead, these capabilities will allow organisations to move toward more continuous assurance, while still relying on human expertise for judgement, validation and remediation.

How do frameworks such as ISO 27001 fit into today’s security and compliance landscape?

BK: They remain important because they provide structure, consistency and a recognised baseline for managing information security. However, they’re most effective when treated as a foundation rather than an endpoint. Certification alone doesn’t show how exposed an organisation is in practice, or how risk is changing between audits. Quantitative assurance complements frameworks like ISO 27001 by providing ongoing visibility into exposure, helping organisations obtain evidence that controls exist — and that they’re effective in reducing real-world risk.

How do you expect organisations’ approach to cyber risk and assurance to evolve over the next few years?

BK: While standards and compliance will continue to be essential, we expect a continued focus away from static, compliance-only approaches toward measured, evidence-based assurance. Cyber risk will increasingly be discussed at the board level, supported by quantitative insight rather than technical reporting. Automation and AI will play a role in enabling more frequent assessment, while human expertise remains critical for interpretation and response.

The hidden battles of IT infrastructure security

From essential public services to national defence, cyberattacks are shifting from personal devices and into the networks and infrastructure that run Britain.

In 2017, the NHS shut down for a week. Thousands of computers stopped working, and 19,000 appointments were cancelled.1 This incident cost the NHS an estimated £92 million.1

In 2024, the Ministry of Defence was breached, and information on 272,000 current and former military personnel was compromised.2 Last year, the Jaguar Land Rover cyberattack was one of the largest economic cyber incidents in UK history. Additionally, thousands of suppliers and downstream businesses were affected, with an estimated £1.9 billion in economic impact across supply chains.3

Due to the benefits of digitalisation, everything, from manufacturing, healthcare, transportation, logistics and energy, is becoming an IT system. And all those ‘IT’ systems need more IT infrastructure to talk to more systems, and to the humans using them. Behind these systems exists a vast net of IT infrastructure: networks, servers, data storage and industrial supervisory systems. While past cyberattacks focused largely on computers and user-facing systems, attacks today focus on infrastructure.

Breaching an Internet Service Provider’s (ISP) network router means you can spy on the traffic of thousands of households. Infiltrating the firewall that protects your company’s or the Government’s network means you can do anything with the data passing through that firewall.

When you have control over the actual infrastructure (the network) carrying the data, you can copy, modify or delete any data in-transit without a trace.

Cyberattacks are growing in scale

In 2017, a cyberattack toolkit called Vault7 leaked on WikiLeaks. It contained a sizable set of tools to attack widely deployed network equipment from many device manufacturers. More than 500,000 networks were exploited globally.4

“We saw the impact in real time. Our software (Unimus) flagged changes to vulnerable network equipment across Internet Providers, company networks and public sector organisations,” notes Tomas Kirnak, CEO, Netcore j.s.a. (Unimus).

Last month, Cisco (one of the largest network equipment manufacturers) reported a vulnerability with the highest possible severity score across a range of its networking products. Anyone could take over a device in just a few minutes.

“If you’re managing hundreds or thousands of network devices, you need tools to audit the network infrastructure at scale. You need to monitor compliance with security standards and monitor for vulnerable firmware — exactly what Unimus does across the infrastructure,” Kirnak concludes.

References:

1. NHE. (2018). WannaCry cyber-attack cost the NHS £92m after 19,000 appointments were cancelled. https://tinyurl.com/sw38s4we.

2. UK Parliament. (2024). Defence Personnel Data Breach. https://tinyurl.com/27uswa5h.

3. The Guardian. (2025). Jaguar Land Rover hack has cost UK economy £1.9bn, experts say. https://tinyurl.com/ymkaccem.

4. Loshin, P. (2018). VPNFilter malware infects 500,000 devices for massive Russian botnet. https://tinyurl.com/4c23fj5w.

The hidden risk of AI autonomy

As AI agents gain autonomy, attackers are exploiting the gap between machine decision-making and human oversight.

Imagine receiving a text message confirming a massive payment from your corporate accounts payable system to a vendor you don’t recognise. You call finance — they never authorised it. You check the audit trail — it was approved by the AI agent your company deployed to streamline procurement. The agent did what it was designed to do — just for an attacker who knew how to ask.

Autonomy without accountability

As organisations race to deploy AI agents that can execute real-world actions — approving invoices, scheduling resources, managing clouds — attackers are developing sophisticated techniques to hijack autonomous systems through manipulated inputs, poisoned training data and compromised model supply chains.

In CSA’s 2025 State of AI Security and Governance survey, 72% of security professionals lack confidence in their organisation’s ability to secure AI,1 even as ENISA reports AI now powers over 80% of social engineering attacks.2 These are contextually perfect messages crafted from data scraped across your digital footprint — professional networks, corporate filings, social media — delivered at precisely the moment you’re most likely to act.

Attack asymmetry

Attackers are weaponising AI across the entire kill chain: reconnaissance tools that map organisational structures in minutes rather than weeks, vulnerability scanners that prioritise exploits by business impact and malware that adapts in real-time to evade yesterday’s defences.

Organisations must assume AI-generated threats will bypass traditional defences and invest in behavioural detection, zerotrust architectures and identity verification that doesn’t rely on knowledge factors attackers can harvest or fabricate.

Just as we learned to scrutinise software dependencies after highprofile breaches, we must now inventory our AI models, training data and inference pipelines. You cannot defend what you cannot see.

The asymmetry between attackers and defenders hasn’t disappeared — it’s evolved. The organisations that thrive will harness AI for defence as aggressively as adversaries weaponise it for attack.

The agent economy is here, and the stakes are higher. The question is who’s really giving the orders.

References:

1. CSA. (2025). The State of AI Security and Governance.

2. ENISA. (2025). ENISA Threat Landscape 2025.

WRITTEN BY Jim Reavis CEO and Co-founder, Cloud Security Alliance
WRITTEN BY Tomas Kirnak CEO, NetCore j.s.a. (Unimus)
Find out more at unimus.net
Paid for by Unimus

The year cybersecurity entered the mainstream

Last year, cybersecurity was propelled into public discourse when high-profile breaches made front-page news. Cyber is no longer background noise or an abstract technical issue, but a recurring national conversation.

The ramifications of the attack on Jaguar Land Rover (JLR), for example, were felt by many. UK car production, already under pressure, hit its lowest level since 1952,1 with the supply chain shutdown contributing to an estimated £2bn hit to the UK economy.2

British institutions M&S and the Co-op also experienced prolonged disruption, as consumers were left without access to key services and products, with empty shelves persisting for weeks.

Alongside highly publicised incidents, advances in AI compounded the strain on security teams and made it easier for attackers to reach more victims. Meanwhile, 84% of security professionals believe security budgets are rising more slowly than the threat level, and only 5% say funding is keeping pace.3

The walls are closing in on cybersecurity professionals, and the risk to those outside of the industry is becoming more ubiquitous.

Cyber resilience as national resilience

Against this fairly bleak backdrop, the government released its new Cyber Action Plan, framing cyber security as an integral part of national resilience. This shift in tone offers hope and direction, with the word ‘collaboration’ referenced 23 times in the report.

A dedicated Government Cyber Unit will be formed under the plan, alongside closer engagement with the CISO community and expanded cyber uplift support. If the Cyber Action Plan is to become more than just policy, this principle of collaboration will be essential.

Collaboration is key

The attack on JLR made clear how cyber incidents rarely stop at organisational boundaries or the initial target. If businesses and the public suffer collectively, they must also defend collectively.

Whether between companies, individuals or public and private sector bodies, the ability to share insight and act together can only drive stronger security.

Organisations must collaborate more openly with each other and engage UK citizens positively, raising awareness and providing training so cyber security isn’t only discussed after an attack. No individual company or person can fight cybercrime alone, but together we can close the gaps that attackers depend on.

References:

1. SMMT. (2025). Cyber attack hits vehicle output with new risk arising from tax charge on auto workers. https://tinyurl.com/4byxyzu9.

2. BBC. (2025). JLR hack is costliest cyber attack in UK history, say analysts. https://tinyurl.com/53nkt7k2.

3. CIISec. (2025). CIISec Blog – Another year older, but is the profession any better prepared?. https://tinyurl.com/ycxd3e8x.

How to create a safer cyberspace

If economics is the ‘dismal science,’ then cybersecurity is the ‘dismal profession.’ It thrives on fatalistic assessments about the present and gloomy projections about the future.

Optimism is reserved for marketing materials touting the latest technology, but the repeated failure of advertised widgets to solve the problem fosters cynicism. A reasonable person might conclude that nothing can be done to make cyberspace more secure.

Three ingredients of a safer cyberspace

That assumption isn’t true. We can improve our digital security and reduce the impact of malicious cyber activity. We cannot eliminate cyber risk, but we can make cyberspace safer. Achieving this goal requires at least three ingredients: changing mindset, enabling collaboration alongside competition and reallocating some of the security burden.

The popular images for cybersecurity usually involve locks, walls, shields and similar metaphors. The problem is that a “castle and moat” mindset for cybersecurity will inevitably fail, because the bad guys will eventually find a way in. However, if we think about cybersecurity as preventing bad guys from achieving their goals, whatever those are, then the nature of success changes dramatically. Defenders must only succeed once, while the adversary must succeed at every step, or they fail.

Combining collaboration and competition

The second ingredient involves combining collaboration with competition. Societies should incentivise cybersecurity providers to share information about threats and collaborate on actions against malicious actors. At the same time, robust competition among cybersecurity providers in technology, customer experience, timeliness and other factors drives improvements in these areas. Effective cybersecurity requires both collaboration and competition.

Finally, we need to reallocate some of the security burden. As societies, we have put the entire security burden on the end-user, even if that end-user is a small flower shop or a retired grandmother. In most other areas, we expect manufacturers and larger organisations to bear a portion of the safety and security burden. For example, we don’t expect people to install their own anti-lock brakes in their car. We need to take a similar approach with cybersecurity and shift some of the burden to those organisations best able to shoulder it.
