1. Gartner identifies 3 strategic focus points for CISOs amid AI hype
As AI hype gathers pace, Gartner has identified three priorities for CISOs: 1) be mission-aligned by demonstrating how cybersecurity efforts directly support organisational goals, 2) be innovation-ready by experimenting with AI in security, 3) be change-agile by understanding how hype influences organisational change and empowers teams to embrace new technology.
2. ENISA releases NIS2 technical guidance to aid implementation
The EU Agency for Cybersecurity (ENISA) has released technical guidance for implementing the NIS2 regulation. The guidance supports companies in 18 critical sectors, and details security requirements like risk management, incident handling and supply chain security.
3. EY: C-suite disconnect on cybersecurity means risks for US companies
Sixty-six per cent of chief information security officers in US organisations are worried that the cybersecurity threats they face are more advanced than their company’s defenses, according to a survey by EY. By comparison, only 56 per cent of CISOs’ counterparts in the C-suite express similar concerns. “Companies need to move beyond a ‘check the box’ mentality and recognise cybersecurity as a strategic investment, not simply a cost center,” said Jim Guinn, II, cybersecurity leader for EY Americas.
4. Secure enterprise browsers to support remote SaaS users
A quarter of all organisations will use secure enterprise browsers (SEBs) to improve remote access security by 2028, according to Gartner. SEBs add an extra layer of control and visibility within the browser and offer a simpler security solution for organisations relying on SaaS solutions with hybrid working arrangements.
5. UK cyberattacks decreasing, says survey
Breaches and cyberattacks decreased among UK businesses and charities surveyed for the Cyber Security Breaches Survey 2025, conducted by the UK’s Department for Science, Innovation & Technology. The survey shows a decrease of 7 percentage points, dropping from 50 per cent in 2024 to 43 per cent for the current report. The decrease is mainly attributable to fewer micro- and small businesses reporting phishing attacks.
6. 95% of C-suite execs see AI growth spurring cybersecurity investment
GenAI has already driven, or will drive, greater cybersecurity investments, say 95 per cent of CIOs and CTOs responding to an NTT Data survey of C-suite leaders across 34 countries. But the survey also found that 45 per cent of CISOs expressed concerns about GenAI adoption and that 54 per cent reported that their internal guidelines or policies on GenAI responsibility are unclear. Only 20 per cent of CEOs expressed similar concerns about their GenAI policies.
7. Public sector leaves security vulnerabilities unaddressed an average of 315 days
Seventy-eight per cent of government organisations are “operating with significant security debt” – that is, security vulnerabilities that they have left unaddressed for more than a year – according to research by the application risk management company Veracode. The research also found that public-sector organisations take an average of 315 days to resolve half of their software security vulnerabilities, compared to the 252-day average for organisations overall. “This 63-day delay creates substantial windows of opportunity for potential application-layer attacks and data breaches,” Veracode stated in a press release.
8. AI will likely increase business email compromise attacks
Europol, the EU’s law-enforcement agency, says that AI is likely to drive increased business email compromise (BEC) activity. BECs are defined by Microsoft as activity that “occurs when cybercriminals impersonate trusted leaders to trick employees into sending money or data.” The agency’s EU Serious and Organised Crime Threat Assessment 2025 report says that AI, including large language models and deepfakes, will enable bad actors to make more convincing fraud emails, as well as voice messages, images and videos.
9. ‘Resurgent’ vulnerabilities disproportionately threaten edge devices, research finds
So-called ‘resurgent’ vulnerabilities – cybersecurity flaws that can be exploited after long periods of inactivity – pose an emerging threat that most often affects edge technologies, according to research from cybersecurity firm GreyNoise Intelligence. The research found that more than half of the top-exploited resurgent CVEs (common vulnerabilities and exposures) and nearly 70 per cent of ‘Black Swan’ vulnerabilities affect edge technologies like routers and VPNs.
10. Industrial operators see growing number of ransomware, trojan attacks
The number of ransomware attacks on industrial operations increased by 46 per cent between the last quarter of 2024 and the first quarter of 2025, according to Honeywell’s 2025 Cybersecurity Threat Report. Trojans also pose a threat, with one in particular – W32.Worm.Ramnit – accounting for 37 per cent of industrial files blocked by Honeywell’s enterprise threat monitoring solution.
