<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <copyright>Copyright TechTarget - All rights reserved</copyright>
        <description>ComputerWeekly’s best articles of the day</description>
        <docs>https://cyber.law.harvard.edu/rss/rss.html</docs>
        <generator>Techtarget Feed Generator</generator>
        <language>en</language>
        <lastBuildDate>Thu, 09 Apr 2026 20:30:17 GMT</lastBuildDate>
        <link>https://www.computerweekly.com</link>
        <managingEditor>editor@computerweekly.com</managingEditor>
        <item>
            <body>&lt;p&gt;The financial data of just under 140 members of the UK &lt;a href="https://www.civilservicepensionscheme.org.uk/memberhub/" target="_blank" rel="noopener"&gt;Civil Service Pension Scheme&lt;/a&gt; (CSPS) has been exposed following a data breach affecting its online portal, which is overseen by &lt;a href="https://www.capita.com/" target="_blank" rel="noopener"&gt;Capita&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;According to the outsourcer, the issue led to scheme members being able to view personal annual benefit statements (ABSs) that were not their own. Capita pulled the ABS functionality to investigate and remediate the issue, and at the time of writing, it remains offline.&lt;/p&gt; 
&lt;p&gt;Computer Weekly understands all affected members of the pension scheme were contacted on 3 April – those who have not received any message at this stage were not impacted and do not need to take any further action.&lt;/p&gt; 
&lt;p&gt;A Capita spokesperson said: “We are aware of an issue that occurred on the CSPS member portal for around 35 minutes on 30 March 2026, affecting the accuracy of a small number of annual benefit statements generated in this period.&lt;/p&gt; 
&lt;p&gt;“This was identified quickly, ABS functionality was immediately suspended, and a full investigation undertaken,” they said. “We sincerely apologise for this issue and any concerns you may have. We take the protection of members’ personal data extremely seriously.”&lt;/p&gt; 
&lt;p&gt;A Cabinet Office spokesperson added: “We are aware of the incident and take the issue extremely seriously. While only a very small number of members were affected, we are working with Capita to establish the facts and ensure appropriate measures are taken. We will consider further action as required.”&lt;/p&gt; 
&lt;p&gt;Dominic Hook, national officer at the &lt;a href="https://www.unitetheunion.org/" target="_blank" rel="noopener"&gt;Unite&lt;/a&gt; union, said: “Once again, Capita has proved itself to be totally unfit to manage the pensions of millions of public sector workers. This latest in a litany of extremely serious failures by Capita shows why the government’s manifesto promise to reverse outsourcing is more important than ever. Ministers need to keep that promise by bringing the CSPS back in-house.”&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Pension crisis"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Pension crisis&lt;/h2&gt;
 &lt;p&gt;Though minor in its scope, the breach at the CSPS comes amid serious ongoing issues with Capita’s administration of the scheme, which it took over in December 2025 under a seven-year, £239m contract over which the Public Accounts Committee had already &lt;a href="https://www.computerweekly.com/news/366633358/Capita-rubbishes-Public-Accounts-Committee-report-claims" target="_blank" rel="noopener"&gt;raised significant concerns&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;During this transition, it emerged that Capita had inherited a “significant volume” of outstanding work, including almost 90,000 work-in-progress cases and &lt;a href="https://www.computerweekly.com/news/366639026/Thousands-of-unread-emails-and-20-million-database-errors-cause-civil-service-pension-hardship" target="_blank" rel="noopener"&gt;15,000 emails that had never been read&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.computerweekly.com/news/366640779/Capita-left-to-deal-with13000-civil-service-pension-cases-over-a-year-old" target="_blank" rel="noopener"&gt;At the end of March&lt;/a&gt;, Richard Holroyd, who leads Capita’s public services unit, told MPs the firm was making progress on addressing its backlog, saying it has cleared and closed 145,000 open cases since December.&lt;/p&gt;
 &lt;p&gt;“Whilst challenges remain, we’re seeing progress and expect services to improve in the coming months,” he said, suggesting that normal service levels could be resumed by June.&lt;/p&gt;
 &lt;p&gt;However, the remedial work needed to get the CSPS back in good order has led to missed payments for pensioners, among other problems. Computer Weekly recently reported the story of a former civil servant of 40 years’ standing – with no other source of income – &lt;a href="https://www.computerweekly.com/news/366639686/Civil-service-veteran-incandescent-as-wait-for-pension-hits-four-months-amid-outsourcing-mess" target="_blank" rel="noopener"&gt;who had not received any payments for four months&lt;/a&gt;.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about data breaches&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;Details of over 70 million customers of US sportswear giant Under Armour were leaked following a supposed ransomware attack &lt;a href="https://www.computerweekly.com/news/366637595/Sportswear-firm-Under-Armour-falls-victim-to-data-breach" target="_blank" rel="noopener"&gt;by the Everest gang&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;A consistent barrage of small healthcare data breaches defined 2025, rather than the high-impact breaches &lt;a href="https://www.techtarget.com/healthtechsecurity/news/366637268/2025-Double-the-breaches-but-less-patient-data-compromised" target="_blank" rel="noopener"&gt;that dominated prior years&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Synnovis, the pathology lab services provider hit by a Qilin ransomware attack in 2024, is notifying its NHS partners that their patient data was compromised, &lt;a href="https://www.computerweekly.com/news/366634454/Synnovis-to-notify-NHS-of-data-breach-after-nearly-18-months" target="_blank" rel="noopener"&gt;following a lengthy investigation&lt;/a&gt;.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>A data breach affecting 138 members of the Civil Service Pension Scheme piles pressure on the service’s administrator, Capita, amid ongoing issues</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/article/data-leak-breach-2-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366641501/Capitas-troubled-Civil-Service-Pension-Scheme-hit-by-data-breach</link>
            <pubDate>Wed, 08 Apr 2026 12:42:00 GMT</pubDate>
            <title>Capita’s troubled Civil Service Pension Scheme hit by data breach</title>
        </item>
        <item>
            <body>&lt;p&gt;The UK’s &lt;a href="https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations" target="_blank" rel="noopener"&gt;National Cyber Security Centre&lt;/a&gt; (NCSC) and &lt;a href="https://www.microsoft.com/en-us/security/blog/2026/04/07/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks/" target="_blank" rel="noopener"&gt;Microsoft&lt;/a&gt; have exposed an extensive &lt;a href="https://www.techtarget.com/searchnetworking/tutorial/How-to-optimize-DNS-for-reliable-business-operations" target="_blank" rel="noopener"&gt;Domain Name System&lt;/a&gt; (DNS) hijacking campaign against vulnerable consumer and small and home office (Soho) broadband routers conducted by the Russian cyber intelligence services.&lt;/p&gt; 
&lt;p&gt;Orchestrated by APT28 or Forest Blizzard – &lt;a href="https://www.computerweekly.com/news/366627547/NCSC-exposes-Fancy-Bears-Authentic-Antics-malware-attacks" target="_blank" rel="noopener"&gt;more widely known as Fancy Bear&lt;/a&gt; – the operations saw the threat actor alter the settings of compromised devices to reroute internet traffic through malicious servers they held.&lt;/p&gt; 
&lt;p&gt;In this way, Fancy Bear was able to steal data such as login credentials, passwords and access tokens from personal web and email services belonging to their victims in a so-called adversary-in-the-middle (AiTM) attack.&lt;/p&gt; 
&lt;p&gt;The NCSC said the campaign was likely opportunistic, with Fancy Bear having cast a wide net to ensnare as many victims as possible. By targeting &lt;a href="https://www.computerweekly.com/news/252523313/DrayTek-patches-SOHO-router-bug-that-left-thousands-exposed" target="_blank" rel="noopener"&gt;insecure home and small office equipment&lt;/a&gt;, Fancy Bear took advantage of less closely monitored or managed assets to pivot into larger enterprise environments or targets of interest to Russian intelligence.&lt;/p&gt; 
&lt;p&gt;Indeed, Microsoft said it had identified over 200 organisations and 5,000 consumer devices impacted since the campaign began in August 2025.&lt;/p&gt; 
&lt;p&gt;“This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors,” said NCSC operations director Paul Chichester.&lt;/p&gt; 
&lt;p&gt;“We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice. The NCSC will continue to expose Russian malicious cyber activity and provide practical guidance to help protect UK networks.”&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Routers on trial"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Routers on trial&lt;/h2&gt;
 &lt;p&gt;The exposure of Fancy Bear’s latest campaign comes amid a fierce debate on the other side of the Atlantic following the Federal Communications Commission’s (FCC’s) implementation of &lt;a href="https://www.computerweekly.com/news/366640628/US-government-bans-imported-routers-raising-tough-questions" target="_blank" rel="noopener"&gt;tight restrictions on routers built outside the US&lt;/a&gt; – which in effect means virtually every commercially available router.&lt;/p&gt;
 &lt;p&gt;The US’s decision was framed on the basis that such hardware poses an unacceptable risk to the country’s national security and that of its citizens and residents.&lt;/p&gt;
 &lt;p&gt;However, it has been criticised on the basis that while it eases fears that other governments – such as China – could interfere with networking hardware produced in their factories, it does nothing about vulnerabilities such as those exploited by Fancy Bear, which exist regardless of where a device was manufactured.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.computerweekly.com/opinion/Banning-routers-wont-fix-whats-already-broken" target="_blank" rel="noopener"&gt;Writing in Computer Weekly&lt;/a&gt;, Forescout vice-president of security intelligence Rik Ferguson said routers present highly attractive footholds for attackers because they sit at the network edge, generally face the public internet, and are easily overlooked once deployed.&lt;/p&gt;
 &lt;p&gt;“Many of the weaknesses we see come from familiar, measurable issues like outdated software components, slow patching cycles, weak credentials, exposed management interfaces and long lifespans that extend well beyond vendor support,” he said.&lt;/p&gt;
 &lt;p&gt;“In firmware analysis, we regularly see common components that are years behind current versions, carrying known vulnerabilities that attackers can and do exploit.”&lt;/p&gt;
 &lt;p&gt;Ferguson advised security teams to treat routers and similar network infrastructure as part of the active attack surface, which in practice means keeping accurate inventories, prioritising their lifecycle management, and enforcing firmware updates and patching.&lt;/p&gt;
 &lt;p&gt;To deny attackers like Fancy Bear easy wins, security teams should also disable any internet-facing management interfaces, enforce unique credentials on every device and segment the network so that one compromised router does not open the way to wider access.&lt;/p&gt;
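 &lt;p&gt;The tampering described above leaves two traces a defender can check for: resolver addresses on the router that nobody sanctioned, and DNS answers that disagree with a trusted resolver reached over an independent path. The script below is an added example and is not code from the NCSC or Microsoft advisories. The settings format (key=value lines with names such as wan_dns, wan_dns_auto and remote_management), the allowlist of sanctioned resolvers and the sample configuration and DNS answers are all assumptions constructed for the example; the findings it emits map to the hardening advice in the previous paragraph.&lt;/p&gt;

```python
"""Audit a SOHO router export and its DNS answers for hijack indicators.

Added example, not code from the advisories. Setting names, the trusted
resolver allowlist and all sample data are constructed assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Resolvers the organisation has standardised on (assumption). Anything else
# configured on the router, or handed to clients over DHCP, is flagged.
TRUSTED_RESOLVERS: Set[str] = {"1.1.1.1", "1.0.0.1", "9.9.9.9"}

# RFC 1918 plus loopback, matched explicitly: a resolver here is the router or a
# LAN host. ipaddress.is_private is deliberately not used, because it also covers
# the 203.0.113.0/24 documentation range this example uses for the attacker relay.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed settings export from a compromised router.
SAMPLE_ROUTER_CONFIG = """\
lan_ipaddr=192.168.1.1
wan_dns_auto=0
wan_dns=203.0.113.45 1.1.1.1
dhcp_dns=203.0.113.45
remote_management=1
http_wanport=8080
"""

# Constructed A records: answers from the router's configured resolver versus
# a trusted resolver queried directly (e.g. over a cellular connection).
SAMPLE_CONFIGURED_ANSWERS = {"mail.example.com": "203.0.113.45",
                             "login.example.net": "203.0.113.45",
                             "www.example.org": "198.51.100.7"}
SAMPLE_REFERENCE_ANSWERS = {"mail.example.com": "198.51.100.20",
                            "login.example.net": "198.51.100.21",
                            "www.example.org": "198.51.100.7"}


def parse_config(text: str) -> Dict[str, str]:
    """key=value lines into a dict; blank, comment and malformed lines are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def configured_resolvers(cfg: Dict[str, str]) -> Set[str]:
    """Every well-formed IPv4 address that appears in a DNS-related setting."""
    found: Set[str] = set()
    for key, value in cfg.items():
        if "dns" not in key.lower():
            continue
        for candidate in IPV4.findall(value):
            try:
                found.add(str(ipaddress.IPv4Address(candidate)))
            except ValueError:
                continue  # e.g. an octet above 255
    return found


def is_lan(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in LAN_RANGES)


def audit_router_config(text: str, trusted: Set[str] = TRUSTED_RESOLVERS) -> List[str]:
    """Findings matching the hijack pattern: foreign resolvers, static override
    of the ISP's resolvers, and a management interface reachable from the WAN."""
    cfg = parse_config(text)
    findings: List[str] = []
    for ip in sorted(configured_resolvers(cfg)):
        if ip in trusted or is_lan(ip):
            continue
        findings.append(f"untrusted resolver configured: {ip}")
    if cfg.get("wan_dns_auto") == "0":
        findings.append("ISP-supplied resolvers overridden with static entries")
    if cfg.get("remote_management") == "1":
        findings.append(f"management interface exposed on WAN port {cfg.get('http_wanport', '?')}")
    return findings


def compare_answers(configured: Dict[str, str], reference: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Names whose answer from the configured resolver differs from the reference."""
    return {name: (configured[name], ref_ip) for name, ref_ip in reference.items()
            if name in configured and configured[name] != ref_ip}


def relay_addresses(mismatches: Dict[str, Tuple[str, str]]) -> List[str]:
    """Addresses that more than one unrelated name was steered to: an AiTM relay
    typically fronts many services from a single host."""
    counts: Dict[str, int] = {}
    for got, _ in mismatches.values():
        counts[got] = counts.get(got, 0) + 1
    return sorted(ip for ip, n in counts.items() if n > 1)


if __name__ == "__main__":
    for finding in audit_router_config(SAMPLE_ROUTER_CONFIG):
        print("FINDING:", finding)
    mismatches = compare_answers(SAMPLE_CONFIGURED_ANSWERS, SAMPLE_REFERENCE_ANSWERS)
    for name, (got, ref) in mismatches.items():
        print(f"MISMATCH {name}: configured resolver {got}, reference {ref}")
    print("probable AiTM relay:", relay_addresses(mismatches))
```

 &lt;p&gt;On the constructed input the audit reports the foreign resolver, the static DNS override and the WAN-facing admin port, and the answer comparison shows two unrelated services collapsed onto one address, which is the signature of a single relay fronting many victims. The reference answers must come from a resolver reached without passing through the suspect router, otherwise both sides of the comparison are under the attacker’s control.&lt;/p&gt;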
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about network security&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;Threat actors are using increasingly sophisticated tools to make their attacks more costly. It’s time for organisations to craft &lt;a href="https://www.techtarget.com/searchnetworking/answer/How-are-network-management-and-security-converging" target="_blank" rel="noopener"&gt;a comprehensive security management strategy&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;5G has better security than 4G, including stronger encryption, privacy and authentication. But enterprises need to know the challenges of &lt;a href="https://www.techtarget.com/searchnetworking/tip/5G-security-Everything-you-should-know-for-a-secure-network" target="_blank" rel="noopener"&gt;5G’s complex, virtualised architecture&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;What does 2026 have in store for network security? Omdia analyst John Grady shares his top five predictions &lt;a href="https://www.techtarget.com/searchsecurity/opinion/NetworkSecurity-predictions" target="_blank" rel="noopener"&gt;for the upcoming year&lt;/a&gt;.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>The UK’s NCSC and Microsoft have shared details of an ongoing cyber espionage campaign targeting vulnerable network routers, orchestrated by Russian state actor Fancy Bear</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/bear-wild-threat-Lubos-Chlubny-adove.jpg</image>
            <link>https://www.computerweekly.com/news/366641403/Russian-cyber-spies-targeting-consumer-Soho-routers</link>
            <pubDate>Tue, 07 Apr 2026 14:55:00 GMT</pubDate>
            <title>Russian cyber spies targeting consumer, Soho routers</title>
        </item>
        <item>
            <body>&lt;p&gt;There is a familiar story that plays out every time another news report emerges of children being seriously harmed online. Parents are told to “take control”. Schools are asked to “do more”. Tech companies promise another round of tweaks. But this framing misses the real issue. The harm children experience on social media is not a failure of parenting or education. It is the outcome of commercial systems designed to maximise engagement at all costs.&lt;/p&gt; 
&lt;p&gt;If the tech sector genuinely prioritised child safety, we would not be facing the scale of harm that now confronts children and young people. What is happening online is not accidental, or the result of a few bad actors. It is the consequence of algorithmic recommender systems deliberately engineered to keep users scrolling. Systems optimised for profit do not suddenly behave differently because the user is a child.&lt;/p&gt; 
&lt;p&gt;This was laid bare by the findings of the &lt;a href="https://bigtechlittlevictims.org/"&gt;&lt;i&gt;Big tech’s little victims&lt;/i&gt;&lt;/a&gt; algorithm experiment. The project, led by the National Education Union, created four fictional profiles of British 13-year-olds across TikTok, Snapchat, YouTube and Instagram to see what content children are served when they sign up for the first time. The results were shocking, but sadly not surprising to teachers. Within minutes, children were shown harmful and inappropriate content, including guns, self-harm, sexualised material and misogynistic narratives.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Harmful material in three minutes"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Harmful material in three minutes&lt;/h2&gt;
 &lt;p&gt;Most alarming, the experiment found that for every minute spent scrolling, children were shown a piece of concerning content. Harmful material appeared within just three minutes of logging on – and in some cases it was the very first thing served.&lt;/p&gt;
 &lt;p&gt;This matters because teachers are not debating online harm to children in theory - they are already dealing with its consequences. In classrooms, we see the impact of children being exposed to violent content, self-harm and suicide material, sexualised imagery, and extreme narratives pushed at scale.&lt;/p&gt;
 &lt;p&gt;One visible example is the rise of online misogyny - girls being targeted or harassed, and female staff facing open hostility. What starts on a feed becomes offline behaviour and, once embedded, becomes far harder for schools to unpick. As Louis Theroux’s recent documentary &lt;i&gt;The manosphere&lt;/i&gt; has brought into sharp focus, the scaling of misogynistic content, for example, is not incidental - it is by design.&lt;/p&gt;
 &lt;p&gt;So what needs to happen?&lt;/p&gt;
 &lt;p&gt;First, we need honesty about the limits of half measures. The government has launched a &lt;a href="https://www.computerweekly.com/news/366639654/UK-government-consults-on-social-media-ban-for-under-16s"&gt;national consultation on children’s digital wellbeing&lt;/a&gt;. Ministers have also announced a &lt;a href="https://www.gov.uk/government/news/children-and-parents-to-pilot-social-media-bans-time-limits-and-curfews-at-home-as-government-tests-next-steps-to-give-uk-kids-their-childhood-back"&gt;six-week pilot&lt;/a&gt; involving 300 teenagers, in which families will trial different forms of social media restriction at home – including disabling social media apps entirely, imposing one-hour daily limits, or enforcing overnight curfews – with a control group continuing as normal, to assess the impact on children’s sleep, wellbeing and school life.&lt;/p&gt;
 &lt;p&gt;This approach fundamentally misunderstands how social media platforms actually work. A partial ban that still leaves some children on social media is not a meaningful test of safety. Harmful content does not stay neatly contained on one screen. If even one child in a friendship group remains on a platform, others will still be exposed through shared videos, images and messages. When algorithms can push extreme material within minutes of account creation, tinkering with time limits or overnight blocks will not keep children safe.&lt;/p&gt;
 &lt;p&gt;Secondly, tech companies must take accountability now, not later. If platforms know a user is a child – or cannot be sure they are not – the duty of care must be to prevent foreseeable harm by design, not to apologise after it happens.&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="Why social media for under 16s should be banned"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why social media for under 16s should be banned&lt;/h2&gt;
 &lt;p&gt;This failure is why we are calling for a &lt;a href="https://informaplc-my.sharepoint.com/personal/bill_goodwin_informa_com/Documents/Documents/Computer%20Weekly%20Files/2026%20Documents/2026%20Opinions/The%20UK’s%20proposed%20social%20media%20ban%20explained"&gt;ban on social media access for under-16s&lt;/a&gt;. Of course, raising the age of access is not a silver bullet. It must be paired with guaranteed space in the curriculum for high quality digital literacy, so young people develop the skills to navigate online life safely and critically.&lt;/p&gt;
 &lt;p&gt;The tech sector has had repeated warnings, mounting evidence and countless opportunities to act - and it has failed to do so. That is why government action now matters. Raising the age of social media access to 16 is the only meaningful step that would reduce harm at scale – and every day of inaction leaves more children exposed to avoidable harm.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more on proposals for a UK social media ban&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;a href="The%20UK’s%20proposed%20social%20media%20ban%20explained"&gt;The UK’s proposed social media ban explained&lt;/a&gt; -The UK government will use new legal powers to lay the groundwork for an under-16 social media ban after its consultation on children’s digital well-being, but opponents warn the measures being considered will only treat the symptoms of the problem if they ignore the structural power of big tech&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366639654/UK-government-consults-on-social-media-ban-for-under-16s"&gt;UK government consults on social media ban for under-16s&lt;/a&gt;.&lt;b&gt; &lt;/b&gt;A UK government consultation launched today asks whether under-16s should be banned from social media, and age restrictions introduced for VPNs and chatbot&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366639244/Governments-urged-to-step-up-enforcement-of-big-tech-amid-rush-to-ban-social-media-for-under-16s"&gt;Governments urged to step up enforcement of big tech amid rush to ban social media for under-16s&lt;/a&gt; - The Council of Europe’s Commissioner for Human Rights says that European governments should consider better enforcement against big tech companies before banning children from social media&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>The general secretary of the UK's largest teachers’ union explains why social media should be banned for under-sixteens</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/child-kid-teen-phone-JackF-adobe.jpg</image>
            <link>https://www.computerweekly.com/opinion/Tech-cant-wait-for-regulation-to-protect-children-online</link>
            <pubDate>Tue, 07 Apr 2026 14:38:00 GMT</pubDate>
            <title>Tech can’t wait for regulation to protect children online</title>
        </item>
        <item>
            <body>&lt;p&gt;&lt;a href="https://www.computerweekly.com/resources/Identity-and-access-management-products" target="_blank" rel="noopener"&gt;AI-driven identity solutions&lt;/a&gt; are often presented as the grown-up answer to modern access control: smarter verification, less friction, better security, happier users. In principle, yes. In practice, they also drag a fairly hefty suitcase of compliance, privacy and ethical questions in behind them.&lt;/p&gt; 
&lt;p&gt;The first issue is compliance. Identity is not a side topic in enterprise environments. It sits right in the middle of security, governance, risk and accountability. Once AI is involved in deciding who gets access, who is challenged, who is flagged as suspicious, or who is denied entry altogether, that stops being just a technical control and quickly becomes a governance matter. Many of these solutions rely on large volumes of personal data, sometimes including biometrics, behavioural analysis, device data, location information and patterns of use. That means organisations need to be crystal clear on lawful basis, necessity, proportionality, retention and oversight. In other words, they need to know not just that the tool can do something, but that they should be doing it at all. Like knowing that an iPhone is a tool, not the conversation.&lt;/p&gt; 
&lt;p&gt;Privacy is where things get a bit soupy. AI identity systems are usually marketed on the basis that they can take more signals into account and make better decisions as a result. That sounds great, and sometimes it is. But it also means more collection, more processing and more potential intrusion. The line between intelligent authentication and overreach can get thin very quickly. Data gathered to confirm identity can easily become data used to monitor behaviour, profile staff, track habits or support broader surveillance if the guardrails are poor. That is where trust starts to wobble. Enterprises need privacy by design, proper impact assessments, transparent notices and disciplined boundaries around how identity data is used. Just because a system can infer more does not mean it should. It’s a potential minefield that should be navigated mindfully and with integrity.&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;The Computer Weekly Security Think Tank on AI and identity&lt;/h3&gt; 
  &lt;ul class="default-list"&gt; 
   &lt;li&gt;Mike Gillespie, Advent IM: &lt;a href="https://www.computerweekly.com/opinion/The-impact-of-AI-driven-ID-solutions-on-enterprise-environments" target="_blank" rel="noopener"&gt;AI-driven identity must exist in a robust compliance framework&lt;/a&gt;.&lt;/li&gt; 
  &lt;/ul&gt;
 &lt;/div&gt;
&lt;/div&gt; 
&lt;p&gt;That brings us to the ethical question, which is where the machine gets a little too smug for its own good. AI models are not neutral simply because they are mathematical. If an identity tool has been trained on incomplete or biased data, it may perform unevenly across different groups. That can lead to higher false rejections, repeated challenges for legitimate users, or decisions that disproportionately affect certain individuals. In a business setting, that is not just inconvenient. It can be unfair, exclusionary and potentially discriminatory. Organisations cannot simply deploy these systems and hope the algorithm behaves itself. That’s magical thinking.&lt;/p&gt; 
&lt;p&gt;Explainability matters too. If someone is denied access, locked out of a process or flagged as high risk, there must be a way to explain that decision in plain language and to challenge it if necessary. Black box identity decisions are a poor fit for any organisation trying to claim strong governance. Human review, escalation routes and clear accountability all need to be part of the design.&lt;/p&gt; 
&lt;p&gt;The real implication is that AI-driven identity should never be treated as a shiny bolt-on security upgrade. It is part of a much bigger picture involving data protection, user trust, accountability and control. Used well, it can strengthen resilience and reduce fraud. Used badly, it can create exactly the kind of opaque, over-engineered risk that good governance is supposed to prevent. The smart approach is not to resist the technology, but to govern it properly from the outset. Because in identity, as in most things, clever without controlled is just chaos in a smarter outfit.&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Read more about AI regulation&lt;/h3&gt; 
  &lt;ul style="list-style-type: square;" class="default-list"&gt; 
   &lt;li&gt;As AI rules evolve, compliance grows more complex. CIO Jonas Hansson encourages IT leaders to assess data risk and track vendor sub-processors&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.techtarget.com/searchcio/feature/How-axis-communications-navigates-global-ai-regulation"&gt;to stay compliant.&lt;/a&gt;&lt;/li&gt; 
   &lt;li&gt;Medicines and Healthcare products Regulatory Agency (MHRA) wants to know how to regulate AI technologies in the NHS&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366636693/MHRA-seeks-views-on-healthcare-AI-regulation"&gt;while keeping patients safe&lt;/a&gt;.&lt;/li&gt; 
   &lt;li&gt;With AI, it's better to be proactive, not reactive. This tracker compiles the major AI legislation, laws and frameworks&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.techtarget.com/searchenterpriseai/tip/Global-AI-legislation-and-regulation-tracker"&gt;across the US, Europe, Asia and beyond&lt;/a&gt;.&lt;/li&gt; 
  &lt;/ul&gt;
 &lt;/div&gt;
&lt;/div&gt;</body>
            <description>The Computer Weekly Security Think Tank considers the intersection of AI and IAM. In this article, learn how AI-driven IAM projects must account for important questions around data protection, user trust, accountability and control.</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Security-Think-Tank-hero.jpg</image>
            <link>https://www.computerweekly.com/opinion/Identity-and-AI-Questions-of-data-security-trust-and-control</link>
            <pubDate>Thu, 02 Apr 2026 14:15:00 GMT</pubDate>
            <title>Identity and AI: Questions of data security, trust and control</title>
        </item>
        <item>
            <body>&lt;p&gt;The boilerplate has it that German software powerhouse &lt;a href="https://www.sap.com/index.html" target="_blank" rel="noopener"&gt;SAP&lt;/a&gt; supports mission-critical workloads for thousands of customers all over the world, and as one of the biggest customers of the big three hyperscalers – Amazon Web Services (AWS), Google Cloud and Microsoft Azure – probably runs the largest private cloud in the world.&lt;/p&gt; 
&lt;p&gt;Whatever the size of its business, under the surface the complexity SAP faces in securing the confidential enterprise data of thousands of clients, while contending with an ever more dangerous threat landscape and constantly changing data security, compliance and sovereignty requirements, is undeniable.&lt;/p&gt; 
&lt;p&gt;This surely makes former chess champion and candidate master Roland Costea, now SAP chief information security officer (CISO) for enterprise cloud services, one of the world’s busiest cyber professionals.&lt;/p&gt; 
&lt;p&gt;“The main challenge for us when it comes to security is we need to have the right visibility end-to-end [and] we need to act with speed into all the layers of identity, detect, protect, respond and recovery,” Costea tells Computer Weekly.&lt;/p&gt; 
&lt;p&gt;If it sounds like a tall order, it is. The price of analysing such vast datasets, which regularly exceed 150TB per month, via Splunk, was becoming too much to bear, says Costea, not just in terms of time, but in terms of network capacity and financial cost as well. To make matters worse, it wasn’t even analysing half of its data.&lt;/p&gt; 
&lt;p&gt;The problem this created for SAP and its customers is obvious: it simply wasn’t possible to find all the relevant security signals. Important things were probably being missed, and that’s far from ideal. Take vulnerability management, which Costea says has been a problem “since forever”. Traditionally, he would scan the environment for a new vulnerability, research whether an exploit was available, and patch it if possible.&lt;/p&gt; 
&lt;p&gt;“But every exploit has preconditions,” he says, “and SAP is so complex that the preconditions for an exploit may be a list of 10 or 12 things that I want to know in real time. I want to know … am I vulnerable to this, and why, and to be able to inject and search for what kind of preconditions I have there and how they are configured, and to know, based on the state the application has today, that I am or am not vulnerable.&lt;/p&gt; 
&lt;p&gt;“I can’t do that with the vulnerability management tool, I can’t do that with an &lt;a href="https://www.techtarget.com/searchsecurity/tip/SIEM-vs-SOAR-vs-XDR-Evaluate-the-differences" target="_blank" rel="noopener"&gt;XDR&lt;/a&gt; [extended detection and response], I can’t do that with any tool on the market,” adds Costea.&lt;/p&gt; 
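&lt;p&gt;What Costea is describing is a precondition-aware exploitability check: an exploit works only when every one of its preconditions holds on the asset as it is configured right now, so the question is not “is this version listed?” but “which preconditions are confirmed, which are refuted, and which cannot be answered from current telemetry?”. The script below is an added example that illustrates that idea and is not SAP’s or Uptycs’ code. The advisory identifier, the setting names (component_version, legacy_http_handler, exposure, handler_auth_required) and the asset states are hypothetical, constructed for the example.&lt;/p&gt;

```python
"""Evaluate an exploit's preconditions against each asset's current state.

Added example illustrating precondition-aware vulnerability triage. The
advisory, setting names and asset states are hypothetical constructions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """'7.52.1' becomes (7, 52, 1); tuples compare component-wise."""
    return tuple(int(part) for part in s.split("."))


@dataclass(frozen=True)
class Precondition:
    name: str
    holds: Callable[[Dict[str, object]], bool]  # raises KeyError if the fact is absent


@dataclass(frozen=True)
class Advisory:
    ident: str
    preconditions: List[Precondition]


def in_range(lo: str, hi: str) -> Callable[[Dict[str, object]], bool]:
    """Affected-version predicate: lo inclusive, hi exclusive."""
    lo_t, hi_t = parse_version(lo), parse_version(hi)
    return lambda s: hi_t > parse_version(str(s["component_version"])) >= lo_t


# Hypothetical advisory: the exploit works only when all four facts hold.
ADVISORY = Advisory("EXAMPLE-2026-0001", [
    Precondition("component version in affected range 7.40-7.53", in_range("7.40", "7.54")),
    Precondition("legacy HTTP handler enabled", lambda s: s["legacy_http_handler"] == "on"),
    Precondition("handler reachable from an untrusted network",
                 lambda s: s["exposure"] in ("internet", "partner")),
    Precondition("handler accepts unauthenticated requests",
                 lambda s: s["handler_auth_required"] is False),
])


def evaluate(advisory: Advisory, state: Dict[str, object]) -> Tuple[str, Dict[str, Optional[bool]], List[str]]:
    """Return (verdict, per-precondition result, preconditions not confirmed).

    'exploitable' only when every precondition is confirmed true; 'not exploitable'
    when at least one is confirmed false; otherwise 'unknown', so that missing
    telemetry is never silently read as safe.
    """
    results: Dict[str, Optional[bool]] = {}
    for p in advisory.preconditions:
        try:
            results[p.name] = bool(p.holds(state))
        except KeyError:
            results[p.name] = None  # the asset's state does not carry this fact
    if any(r is False for r in results.values()):
        verdict = "not exploitable"
    elif all(r is True for r in results.values()):
        verdict = "exploitable"
    else:
        verdict = "unknown"
    gaps = [name for name, r in results.items() if r is not True]
    return verdict, results, gaps


# Constructed asset states, as a live inventory might report them.
ASSETS: Dict[str, Dict[str, object]] = {
    "erp-prod-01": {"component_version": "7.50", "legacy_http_handler": "on",
                    "exposure": "internet", "handler_auth_required": False},
    "erp-prod-02": {"component_version": "7.50", "legacy_http_handler": "off",
                    "exposure": "internet", "handler_auth_required": False},
    "erp-dev-03": {"component_version": "7.54", "legacy_http_handler": "on",
                   "exposure": "internal", "handler_auth_required": True},
    "erp-test-04": {"legacy_http_handler": "on", "exposure": "internet",
                    "handler_auth_required": False},  # version telemetry missing
}


def triage(advisory: Advisory, assets: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Verdict per asset; the patch queue is the 'exploitable' and 'unknown' ones."""
    return {host: evaluate(advisory, state)[0] for host, state in assets.items()}


if __name__ == "__main__":
    for host, state in ASSETS.items():
        verdict, _, gaps = evaluate(ADVISORY, state)
        suffix = f" (not confirmed: {', '.join(gaps)})" if gaps else ""
        print(f"{host}: {verdict}{suffix}")
```

&lt;p&gt;Two of the four constructed hosts run an affected version, but only one is actually exploitable; the other has the vulnerable handler switched off, which is the precondition a scanner keyed on version alone would never see. The host with no version telemetry is reported as unknown rather than safe, which is the edge case that matters when the state feed is incomplete.&lt;/p&gt;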
&lt;p&gt;New, advanced approaches to security data analytics were clearly needed, and in a bid to ease some of its burdens, SAP has now teamed up with &lt;a href="https://www.uptycs.com/" target="_blank" rel="noopener"&gt;Uptycs&lt;/a&gt;, a Boston-based AI-powered hybrid cloud security company, to implement its &lt;a href="https://www.uptycs.com/juno-ai" target="_blank" rel="noopener"&gt;Juno AI&lt;/a&gt; analyst platform.&lt;/p&gt; 
&lt;p&gt;“Uptycs is in the business of cloud infrastructure security,” says company founder and CEO Ganesh Pai. “What that means is, when large enterprises and operators such as SAP deploy massive infrastructure in one of the large hyperscalers, we provide the technology which gets integrated with their hyperscale providers and the workloads they run.&lt;/p&gt; 
&lt;p&gt;“We provide security observability, which manifests as a series of security controls or a &lt;a href="https://www.techtarget.com/searchsecurity/tip/CNAPP-vs-CSPM-Comparing-cloud-security-tools" target="_blank" rel="noopener"&gt;cloud-native application protection platform&lt;/a&gt; [CNAPP], a suite of tooling which empowers organisations to do both proactive and reactive security controls, most of which fall in the bucket of governance, regulation and compliance, or that of threat operations, detection and response, incident response, and the like.”&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="D’you know Juno?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;D’you know Juno?&lt;/h2&gt;
 &lt;p&gt;Juno itself joins AI agents and human cyber analysts together in a team where the humans are left free to concentrate on advanced threat hunting and deeper attack path analysis while the AI handles the grunt work.&lt;/p&gt;
 &lt;p&gt;According to Pai, Juno was originally built as a threat-hunting tool for both cloud-native and on-premise environments, but, working alongside the likes of SAP, it is now delivering more value as a strategic agentic consultant that goes beyond standard threat detection.&lt;/p&gt;
 &lt;p&gt;“Why this is important is that, as you can imagine, there is a lot of AI which is available out there today, but we harness telemetry and we make it available in a way such that in addition to what we collect, we’re able to integrate with the [customer] data lake to provide an interface which inspires user confidence,” he says.&lt;/p&gt;
 &lt;p&gt;“This is key because when they start asking ad hoc questions across the spectrum of security controls that are needed, the answers which come back inspire confidence by showing the elements of trust but verify.”&lt;/p&gt;
 &lt;p&gt;In essence, while many threat-hunting agents will happily yell “fire”, they won’t say why (and like a too-sensitive fire alarm, they will often be responding to burnt toast). Juno differs, says Pai, because its outputs are verifiable – a human can check its output against the same signals, and it cites its sources and produces its receipts.&lt;/p&gt;
 &lt;p&gt;“That’s where the value proposition of what we built comes into play,” he tells Computer Weekly. “We built an agent tech framework which marries the rest of the components to create workflows. And hence it’s not a typical agent; it has got autonomous abilities to go and do a series of steps which a human would have otherwise hours, or, in some cases, weeks, and it’s able to collapse that into order.”&lt;/p&gt;
 &lt;p&gt;Pai, who coined the term “the Wikipedia of cyber” with help from his public relations team, claims Juno is already capable of producing “McKinsey-level” strategic risk reports in minutes.&lt;/p&gt;
 &lt;p&gt;“The industry is tired of security slop and AI that guesses,” he says. “This partnership demonstrates how we can safely combine human and AI capabilities, moving from reactive security to strategic transformation.”&lt;/p&gt;
&lt;/section&gt;         
&lt;section class="section main-article-chapter" data-menu-title="Juno in practice"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Juno in practice&lt;/h2&gt;
 &lt;p&gt;So, how is SAP using Juno? Costea explains: “We have smaller lakes in every subscription based on hyperscalers, but we also have what we call a big data lake based in Databricks today that represents the core for us.&lt;/p&gt;
 &lt;p&gt;“What we are building with Uptycs is, practically, more like an in-house in private cloud mechanism to have real-time activity and real-time searches and real-time insights based on all the possible data sets and telemetry we have stored in Databricks, because it’s much cheaper than sending it to Splunk, and we can get to a level of granularity that we could never go to with Splunk,” he says.&lt;/p&gt;
 &lt;p&gt;“What we are looking for all the time is what I like to call the low and slow operational activities that could become a suspicious attempt.”&lt;/p&gt;
 &lt;p&gt;For example, a user with a valid cloud identity session has accessed the AWS instance and assumed what appears to be a normal deployment role in a standard continuous integration and deployment (CI/CD) pipeline, but is then using the system manager in AWS to access a small set of different instances and conduct additional actions in the bucket: maybe they enhance their permissions in some way, or exfiltrate a small snapshot to another account. It could be nothing.&lt;/p&gt;
 &lt;p&gt;“It’s literally normal – nothing fancy or extensive,” says Costea. “What you will see with normal toolsets, say you have an XDR on the endpoint, you will maybe see a shell, but for an admin, if it’s nothing malicious, it’s normal.&lt;/p&gt;
 &lt;p&gt;“If you are not granularly looking and correlating the right context, the right action, the right timing, and all that, it’s hard to get to the point where you can say it’s actually suspicious.&lt;/p&gt;
 &lt;p&gt;“What you can do with Uptycs and Juno by searching in the big pool of data is you can say, show me some evidence of, let’s say, an identity session provenance, or a role assumption, or a permission change, and then show me some specific commands that were made,” he says. “Then you can search all the datasets and find the trails and everything that happened that, in the end, could say that from an operational perspective, that’s not normal activity for us – there’s something weird happening.”&lt;/p&gt;
 &lt;p&gt;It’s these details, says Costea, that matter the most for SAP, because ultimately, it enables his defenders to spot discrepancies and oddities before they blow up into something much noisier – in the worst-case scenario, ransomware.&lt;/p&gt;
&lt;/section&gt;         
&lt;section class="section main-article-chapter" data-menu-title="New toys"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;New toys&lt;/h2&gt;
 &lt;p&gt;For Costea, the value SAP is realising from Juno is apparent when he thinks about how his team is responding to it. He compares them – not unkindly – to kids showing off a new toy to their parent.&lt;/p&gt;
 &lt;p&gt;“It’s that kind of feeling like they got a new toy, and they are so excited about it, and they are trying to exploit it to the level that they can do more things,” he says.&lt;/p&gt;
 &lt;p&gt;“They’re discovering things that they were not able to see before or they thought did not exist.”&lt;/p&gt;
 &lt;p&gt;Again, much of what Juno is surfacing is not, in the moment, malicious or necessarily even suspicious, says Costea, but rather an indication that people are doing things that they shouldn’t be doing or shouldn’t be able to.&lt;/p&gt;
 &lt;p&gt;This kind of data, previously inaccessible, is incredibly valuable to the security team because if a random administrator at SAP was able to perform a dangerous action, an attacker already inside the organisation’s network certainly could. This knowledge enables them to work potential attack scenarios that may not have been obvious before.&lt;/p&gt;
 &lt;p&gt;“Security in today’s cloud-centric world demands tools that not only detect threats, but elevate strategic decision-making,” he says.&lt;/p&gt;
 &lt;p&gt;“Our partnership with Uptycs reflects a shared commitment to verifiable, intelligent cyber security solutions that empower teams to stay ahead of risk while transforming how enterprise security operates.”&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about AI for security professionals&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;Agentic AI is touted as a helpful tool for managing tasks, and cyber criminals are already taking advantage. &lt;a href="https://www.computerweekly.com/feature/Are-AI-agents-a-blessing-or-a-curse-for-cyber-security" target="_blank" rel="noopener"&gt;Should information security teams look to AI agents to keep up? &lt;/a&gt;&lt;/li&gt; 
    &lt;li&gt;Cyber security companies have jumped on the AI bandwagon. We look at where artificial intelligence is a useful add-on &lt;a href="https://www.computerweekly.com/feature/Making-sense-of-AIs-role-in-cyber-security" target="_blank" rel="noopener"&gt;and where it poses potential risks&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;At RSA in San Francisco, NCSC chief exec Richard Horne says security professionals have an opportunity and a responsibility to get in front of the security issues &lt;a href="https://www.computerweekly.com/news/366640680/Cyber-pros-must-grasp-the-vibe-coding-nettle-says-NCSC-chief" target="_blank" rel="noopener"&gt;raised by the popularity of ‘vibe coding’&lt;/a&gt;.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>SAP runs enormous cloud environments for some of the world’s most heavily-regulated organisations, and in the hyperscale era, data security and compliance were becoming big challenges. It turned to cutting-edge agentic tools from Uptycs to cut through the noise</description>
            <image>https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/Hero-Danger-by-InfiniteFlow-Adobe-10.jpg</image>
            <link>https://www.computerweekly.com/news/366641057/How-Wikipedia-of-cyber-helps-SAP-make-sense-of-threat-data</link>
            <pubDate>Thu, 02 Apr 2026 10:15:00 GMT</pubDate>
            <title>How ‘Wikipedia of cyber’ helps SAP make sense of threat data</title>
        </item>
        <item>
            <body>&lt;p&gt;News that an estimated 30,000 employees are losing their jobs at Oracle comes at a time when the company is claiming to have&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/366640817/Oracle-Cloud-Infrastructure-The-bare-metal-facts"&gt;$533bn in orders to fulfil&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;As of May 2025, Oracle had a workforce of approximately 165,000. Its latest quarterly earnings filing shows that the company expects revenue of $67bn and capital expenditure of $50bn in 2026, which it stated is unchanged from its previous financial guidance.&lt;/p&gt; 
&lt;p&gt;For 2027, Oracle’s financial guidance forecasts revenue of $90bn. Neither the latest quarterly earnings filing nor the subsequent earnings call with financial analysts revealed any changes to headcount.&lt;/p&gt; 
&lt;p&gt;Yet, in a widely reported&amp;nbsp;&lt;a href="https://www.linkedin.com/in/michael-shepherd-6b374033/"&gt;LinkedIn post, Michael Shepherd,&lt;/a&gt;&amp;nbsp;an artificial intelligence (AI) operations lead at Oracle Cloud Infrastructure (OCI), reposted messages from several colleagues at the company saying they had been made redundant in the latest round of job cuts.&lt;/p&gt; 
&lt;p&gt;One post, from a security alert manager at Oracle, sums up the situation, stating: “Many of the absolute best colleagues were laid off as well. It seems layoffs follow an algorithm of high-level individual contributors and mid-level managers – especially those with outstanding stock options.”&lt;/p&gt; 
&lt;p&gt;A post from a former employee – responsible for managing a team to ensure Oracle products and services offered by the business comply with standards such as PCI-DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), PA-DSS (Payment Application Data Security Standard) and GDPR (General Data Protection Regulation) – described the layoffs as “unprecedented”.&lt;/p&gt; 
&lt;p&gt;A former principal staff engineer posted: “I have quite a few friends who were laid off today. Top performers, extremely talented and really solid at their job. They just got caught up in a wave.”&lt;/p&gt; 
&lt;p&gt;Another, who describes himself as a founding engineer at OCI’s File Storage Service, said he has handled “countless on-call shifts and solved countless problems under pressure” during his tenure at Oracle.&lt;/p&gt; 
&lt;p&gt;Those posting include people with job roles such as service operations engineer, software development architect and software development manager.&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;While these LinkedIn posts represent just a small snapshot of the job losses at the tech giant, they illustrate that the cuts have affected senior people involved closely in product development, security and regulatory compliance.&lt;/p&gt; 
&lt;p&gt;At the time of writing, Computer Weekly had not received a response from Oracle about how the job cuts would affect its customers and product development.&amp;nbsp;&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Is AI behind the headcount reduction?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Is AI behind the headcount reduction?&lt;/h2&gt;
 &lt;p&gt;In its&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/366639939/Oracle-cost-cutting-points-to-AI-infrastructure-gamble"&gt;fiscal year 2026 third-quarter earnings call&lt;/a&gt;&amp;nbsp;in March, the company reported cloud infrastructure revenue of $4.9bn, up 84%. At the time, Oracle co-CEO Mike Sicilia spoke about AI helping the company to deliver software more quickly.&lt;/p&gt;
 &lt;p&gt;“The use of AI coding tools inside Oracle is enabling smaller engineering teams to deliver more complete solutions to our customers more quickly,” he said. “We are building brand-new SaaS [software-as-a-service] products using AI, and embedding AI agents right into our existing application suites.”&lt;/p&gt;
 &lt;p&gt;Sicilia’s sentiment on the role of AI was mirrored by Steve Miranda during his appearance at the &lt;a href="https://www.computerweekly.com/news/366640560/Oracle-endows-Fusion-applications-with-more-autonomy"&gt;Oracle AI World Tour London&lt;/a&gt; event. When discussing people’s role in enterprise resource planning software, he suggested AI can replace certain tasks.&amp;nbsp;&lt;a href="https://www.computerweekly.com/blog/Cliff-Sarans-Enterprise-blog/Things-to-consider-about-Oracles-Agentic-Fusion"&gt;At the time, Miranda said&lt;/a&gt;: “Nobody is in business to run ERP [enterprise resource planning]. The more we can save them on the ERP side, the more they invest in what they do.”&lt;/p&gt;
 &lt;p&gt;While Oracle’s executive leadership team clearly has ambitions to deploy AI automation in roles previously achieved by humans, Forrester principal analyst JP Gownder believes the company’s decision to cut jobs is more focused on improving its share price.&lt;/p&gt;
 &lt;p&gt;“When AI replaces employees, an organisation has a vetted, proven and deployed AI solution that can do the job of the employees who lost their jobs,” he said. “That is to say, the work done by a human before the layoffs is being done by AI the day after the layoffs.”&lt;/p&gt;
 &lt;p&gt;Gownder added: “This is rare; even big tech firms don’t have mature AI agents that can take on the myriad tasks of dozens of different types of jobs that get eliminated. With Oracle, there are financial pressures to lay off staff – the company’s stock has fallen by more than 50% since Q3 2025.”&lt;/p&gt;
 &lt;p&gt;What this may point to is the financial markets being more cautious about Oracle’s ability to execute its AI strategy, especially as the company recently announced it would be seeking to raise $50bn in 2026 using a combination of debt and equity financing.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more Oracle stories&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366639064/Oracle-readies-AI-note-taker-for-NHS"&gt;Oracle readies AI note-taker&lt;/a&gt;&amp;nbsp;for NHS: The AI tool drafts structured notes from patient-clinician interactions, helping to reduce administrative work.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366640725/Oracle-applications-chief-sees-enterprise-AI-agents-as-task-specific-helpers"&gt;Oracle applications chief&lt;/a&gt; sees enterprise AI agents as task-specific helpers: At Oracle AI Summit in London, Steve Miranda, executive vice-president of Oracle applications development, discussed Oracle’s Fusion Agentic Applications.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>Thousands of job losses have been reported, affecting many roles at Oracle Cloud Infrastructure, including those in software engineering and product compliance</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/article/job-interview-3-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366641177/Whats-driving-Oracles-latest-job-cuts</link>
            <pubDate>Thu, 02 Apr 2026 06:45:00 GMT</pubDate>
            <title>What’s driving Oracle’s latest job cuts?</title>
        </item>
        <item>
            <body>&lt;p&gt;As enterprises rush to integrate &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/AI-Artificial-Intelligence" target="_blank" rel="noopener"&gt;artificial intelligence&lt;/a&gt;‑driven identity and verification solutions, it is tempting to be swept up in their operational elegance and apparent efficiency. But as I have argued repeatedly, deploying AI without &lt;i&gt;governance‑first thinking&lt;/i&gt; is a strategic mistake, and one that risks compliance failures, ethical missteps, and reputational harm. The UK’s shifting regulatory landscape and the emergence of new standards such as &lt;a href="https://www.iso.org/standard/42001" target="_blank" rel="noopener"&gt;ISO 42001&lt;/a&gt; only reinforce that &lt;a href="https://www.techtarget.com/searchsecurity/definition/governance-risk-management-and-compliance-GRC" target="_blank" rel="noopener"&gt;governance, risk and compliance&lt;/a&gt; (GRC) must sit ahead of technological adoption, not trail behind it.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.techtarget.com/searchenterpriseai/tip/Does-your-organization-need-an-AI-ethics-committee" target="_blank" rel="noopener"&gt;Ethical risks&lt;/a&gt; in AI identity systems include discriminatory bias, privacy intrusions, lack of transparency, excessive automation without oversight, and heightened risks for children and vulnerable populations, all consistently flagged across UK regulatory guidance and legal developments.&lt;/p&gt; 
&lt;p&gt;AI‑driven identity systems lean heavily on sensitive personal data; biometrics, behavioural signals, and other high‑risk attributes. AI’s appetite for data does not override the UK GDPR obligations around lawfulness, minimisation, purpose limitation, and transparency. &lt;a href="https://ico.org.uk/media2/migrated/4022261/how-to-use-ai-and-personal-data.pdf" target="_blank" rel="noopener"&gt;ICO guidance&lt;/a&gt; stresses that organisations deploying AI must conduct robust DPIAs, understand controller‑processor relationships, and maintain meaningful human oversight.&lt;/p&gt; 
&lt;p&gt;Ethically, the risks are just as significant. AI identity systems can amplify bias, disproportionately impact vulnerable groups, or become opaque decision‑engines that erode trust. Regulators are increasingly explicit that fairness, explainability, and contestability are not “nice to haves” but essential design principles embedded throughout the lifecycle of an AI system.&lt;/p&gt; 
&lt;p&gt;The UK is advancing a principles‑based, regulator‑led model for AI oversight. Even without a single AI Act, the &lt;a href="https://www.legislation.gov.uk/ukpga/2025/18/contents" target="_blank" rel="noopener"&gt;Data (Use and Access) Act 2025&lt;/a&gt;, updated ICO guidance, and ongoing reforms significantly shape how AI identity systems must operate.&lt;/p&gt; 
&lt;p&gt;The Data (Use and Access) Act 2025 expands organisational duties around automated processing, children’s data protections, and complaint handling, signalling that AI-driven identity checks will face greater scrutiny regarding oversight and safeguards.&lt;/p&gt; 
&lt;p&gt;Updated ICO guidance places renewed emphasis on fairness, transparency, and clear legal bases for processing, especially where AI influences decisions with “legal or similarly significant effects.”&lt;/p&gt; 
&lt;p&gt;Additionally, sector‑specific legislation such as the UK’s &lt;a href="https://www.gov.uk/government/publications/online-safety-act-explainer/online-safety-act-explainer" target="_blank" rel="noopener"&gt;Online Safety Act 2025&lt;/a&gt; mandates “highly effective” age and identity verification for high‑risk online services, again reinforcing the need for accuracy, privacy‑preserving methods, and demonstrable compliance.&lt;/p&gt; 
&lt;p&gt;The pattern is unmistakable: organisations must &lt;i&gt;prove&lt;/i&gt; responsible use, not merely assert it.&amp;nbsp;That means implementing effective GRC as part of the adoption.&lt;/p&gt; 
&lt;p&gt;ISO/IEC 42001, the world’s first AI management system standard, introduces a structured approach for governing AI responsibly,&amp;nbsp;integrating leadership accountability, lifecycle controls, risk assessment, and ongoing performance evaluation.&lt;/p&gt; 
&lt;p&gt;It provides a governance architecture that organisations can use to ensure AI identity solutions are explainable, monitored, tested, and continuously improved.&lt;/p&gt; 
&lt;p&gt;ISO 42001 does not replace compliance obligations&amp;nbsp;but it provides the organisational discipline needed to navigate them confidently.&lt;/p&gt; 
&lt;p&gt;Implementing effective GRC requires embedding governance from the outset: adopting ISO 42001’s structured AI management framework, performing DPIAs, enforcing privacy‑ and fairness‑by‑design, maintaining transparency and documentation, and ensuring robust human oversight.&lt;/p&gt; 
&lt;p&gt;AI‑driven identity solutions offer genuine value, but only when implemented within a robust framework of governance, privacy protection, and ethical responsibility. Emerging UK legislation and ISO 42001 do not constrain innovation, they make it sustainable. The organisations that succeed will be those that resist the lure of technology‑led adoption and instead build AI identity solutions on a foundation of trust, accountability, and principled design.&lt;/p&gt; 
&lt;p&gt;With regulators increasingly focused on accountability, fairness, and privacy, these measures are no longer optional. They are essential for safe, lawful, and responsible AI identity management.&lt;/p&gt; 
&lt;p&gt;The message aligns closely with the argument I’ve long made: privacy and ethics are not parallel workstreams; they form the foundation for any legitimate use of AI.&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Read more about AI regulation&lt;/h3&gt; 
  &lt;ul class="default-list"&gt; 
   &lt;li&gt;As AI rules evolve, compliance grows more complex. CIO Jonas Hansson encourages IT leaders to assess data risk and track vendor sub-processors &lt;a href="https://www.techtarget.com/searchcio/feature/How-axis-communications-navigates-global-ai-regulation" target="_blank" rel="noopener"&gt;to stay compliant. &lt;/a&gt;&lt;/li&gt; 
   &lt;li&gt;Medicines and Healthcare products Regulatory Agency (MHRA) wants to know how to regulate AI technologies in the NHS &lt;a href="https://www.computerweekly.com/news/366636693/MHRA-seeks-views-on-healthcare-AI-regulation" target="_blank" rel="noopener"&gt;while keeping patients safe&lt;/a&gt;.&lt;/li&gt; 
   &lt;li&gt;With AI, it's better to be proactive, not reactive. This tracker compiles the major AI legislation, laws and frameworks &lt;a href="https://www.techtarget.com/searchenterpriseai/tip/Global-AI-legislation-and-regulation-tracker" target="_blank" rel="noopener"&gt;across the US, Europe, Asia and beyond&lt;/a&gt;.&lt;/li&gt; 
  &lt;/ul&gt;
 &lt;/div&gt;
&lt;/div&gt;</body>
            <description>The Computer Weekly Security Think Tank considers the intersection of AI and IAM. In this article, learn how while AI‑driven identity solutions offer genuine value, they must be implemented within a robust framework of governance, privacy protection, and ethical responsibility.</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Security-Think-Tank-hero.jpg</image>
            <link>https://www.computerweekly.com/opinion/The-impact-of-AI-driven-ID-solutions-on-enterprise-environments</link>
            <pubDate>Wed, 01 Apr 2026 15:12:00 GMT</pubDate>
            <title>AI-driven identity must exist in a robust compliance framework</title>
        </item>
        <item>
            <body>&lt;p&gt;The &lt;a title="https://www.computerweekly.com/news/366640628/US-government-bans-imported-routers-raising-tough-questions" target="_blank" href="https://www.computerweekly.com/news/366640628/US-government-bans-imported-routers-raising-tough-questions" rel="noopener"&gt;US decision&lt;/a&gt;&amp;nbsp;to add foreign-made consumer routers to the FCC’s Covered List has sparked predictable debate about supply chains, geopolitics and trust. Those are valid concerns. But if we are honest about where risk actually sits today, the truth is that the ban addresses tomorrow’s procurement decisions far more than today’s security exposure.&lt;/p&gt; 
&lt;p&gt;That matters, because attackers are not waiting for procurement cycles.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.techtarget.com/searchnetworking/definition/router" target="_blank" rel="noopener"&gt;Routers&lt;/a&gt; have quietly become one of the most attractive footholds in both enterprise and home networks. They sit at the edge, are often internet-facing and frequently overlooked once deployed. In our own research, routers consistently rank among the riskiest devices, with high vulnerability density and a growing role in real-world exploitation.&lt;/p&gt; 
&lt;p&gt;Whereas the FCC decision focuses on where a device is made, the problem organisations need to deal with is how those devices are built, managed and maintained.&lt;/p&gt; 
&lt;p&gt;“Made in” is not the same as “secure” – it’s not even close.&lt;/p&gt; 
&lt;p&gt;Many of the weaknesses we see come from familiar, measurable issues like outdated software components, slow patching cycles, weak credentials, exposed management interfaces and long lifespans that extend well beyond vendor support. In firmware analysis, we regularly see common components that are years behind current versions, carrying known vulnerabilities that attackers can and do exploit.&lt;/p&gt; 
&lt;p&gt;And crucially, none of that changes because a new device is banned from import.&lt;/p&gt; 
&lt;p&gt;The bigger blind spot in this conversation is the installed base. Millions of routers already sit in homes, branch offices and remote worker environments. They will remain there for years. They are rarely patched or monitored and hybrid working has made them part of the enterprise attack surface &lt;a href="https://www.techtarget.com/searchsecurity/opinion/Cybersecurity-Awareness-Month-The-endpoint-security-issue" target="_blank" rel="noopener"&gt;whether organisations like it or not&lt;/a&gt;. A compromised home router can be used for traffic interception, credential harvesting, or as a pivot point into corporate systems.&lt;/p&gt; 
&lt;p&gt;So while the ban may reduce future exposure in a narrow sense, it does nothing to address the risk organisations already carry today, which will inevitably extend into the future.&lt;/p&gt; 
&lt;p&gt;There is also a risk that policy discussions drift into a false sense of progress. Focusing on supplier origin can create the impression that risk is being reduced at a structural level, when in reality the underlying issues remain unchanged. Security is not something you import. It is something you continuously verify.&lt;/p&gt; 
&lt;p&gt;Network infrastructure needs to be treated as part of the active attack surface, not background plumbing. That means maintaining an accurate inventory of routers across enterprise and remote environments, including firmware versions and exposure. Lifecycle management should also be prioritised and that means replacing end-of-life devices, enforcing firmware updates and demanding transparency from vendors around software components as well as patch cadence.&lt;/p&gt; 
&lt;p&gt;In order to remove easy wins for attackers, disable internet-exposed management interfaces, enforce unique credentials and apply segmentation so that one compromised router does not automatically lead to broader access.&lt;/p&gt; 
&lt;p&gt;Finally, recognise that the FCC decision raises important questions about trust and resilience in technology supply chains, but if it leads organisations to believe the problem has been dealt with, it risks becoming a distraction. The real work is less visible, less political and far more operational. It is about fixing the conditions that make routers such an easy and persistent target in the first place.&lt;/p&gt; 
&lt;p&gt;And that work is long overdue.&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Read more about network security&lt;/h3&gt; 
  &lt;ul style="list-style-type: square;" class="default-list"&gt; 
   &lt;li&gt;BT inks deal worth up to £200m to help modernise infrastructure, strengthen resilience against cyber threats, and support delivery of electricity to&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366640626/BT-boosts-connectivity-security-for-Northern-Ireland-Electricity-Networks"&gt;around a million homes, farms and businesses in Northern Ireland&lt;/a&gt;.&lt;/li&gt; 
   &lt;li&gt;5G has better security than 4G, including stronger encryption, privacy and authentication. But enterprises need to know the challenges of&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.techtarget.com/searchnetworking/tip/5G-security-Everything-you-should-know-for-a-secure-network"&gt;5G's complex, virtualised architecture&lt;/a&gt;.&lt;/li&gt; 
   &lt;li&gt;What does 2026 have in store for network security? Omdia analyst John Grady shares his top five predictions&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/opinion/NetworkSecurity-predictions"&gt;for the upcoming year&lt;/a&gt;.&lt;/li&gt; 
  &lt;/ul&gt;
 &lt;/div&gt;
&lt;/div&gt;</body>
            <description>America's foreign-made router ban sparked valid debate about supply chains, geopolitics and trust, but the truth is that the ban addresses tomorrow’s procurement decisions far more than today’s security exposure.</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/network-security-padlock-businessman-adobe.jpeg</image>
            <link>https://www.computerweekly.com/opinion/Banning-routers-wont-fix-whats-already-broken</link>
            <pubDate>Tue, 31 Mar 2026 08:00:00 GMT</pubDate>
            <title>Banning routers won’t fix what’s already broken</title>
        </item>
        <item>
            <body>&lt;p&gt;After Google moved up its &lt;a href="https://www.computerweekly.com/news/366640650/Google-targets-2029-for-post-quantum-cyber-readiness" target="_blank" rel="noopener"&gt;quantum readiness timeline&lt;/a&gt; and revealed it was working on building &lt;a href="https://www.techtarget.com/searchsecurity/video/An-explanation-of-post-quantum-cryptography" target="_blank" rel="noopener"&gt;post-quantum cryptography&lt;/a&gt; (PQC) features into the next version of its Android mobile operating system, cyber experts have welcomed indications that the pace of travel towards effective, security-preserving PQC is speeding up, but also highlighted that the data security risks posed by quantum computers must be addressed today, not whenever the so-called Q-Day occurs.&lt;/p&gt; 
&lt;p&gt;Google’s target of migrating to PQC in 2029, three years from now, is well ahead of other published migration schedules, including the US Commercial National Security Algorithm (CNSA) Suite 2.0 &lt;a href="https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF" target="_blank" rel="noopener"&gt;migration schedule&lt;/a&gt;. &lt;a href="https://www.pingidentity.com/en.html" target="_blank" rel="noopener"&gt;Ping Identity&lt;/a&gt; head of privileged access management engineering Suman Sharma said: “Google accelerating its timeline to 2029 underscores a growing realisation across the industry that the window to prepare for a post-quantum world is smaller than many anticipated.&lt;/p&gt; 
&lt;p&gt;“We’re already in the midst of the largest overhaul of the internet’s encryption backbone in decades, with hybrid quantum-resistant standards rolling out across browsers and core infrastructure,” he said.&lt;/p&gt; 
&lt;p&gt;“High-security sectors are moving quickly toward fully quantum-safe deployments, yet much of the broader ecosystem is still operating in a transitional, hybrid state,” said Sharma. “This latest move reinforces that leading technology providers no longer see post-quantum security as a distant concern. It’s now an immediate priority, and the pace of adoption will only continue to accelerate.”&lt;/p&gt; 
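&lt;p&gt;Whether a given client is in that “transitional, hybrid state” is something you can check directly: a TLS 1.3 client advertises the key-exchange groups it is willing to use in the supported_groups extension of its ClientHello, and hybrid post-quantum groups such as X25519MLKEM768 have their own codepoints. The Python below is an added example, not from the article or any vendor. It builds a minimal ClientHello inline (constructed sample data, where a practitioner would instead read the first record captured from a real client), parses the supported_groups extension back out and reports whether any hybrid group is offered. The codepoint table is an assumption taken from the IETF drafts for the hybrid groups.&lt;/p&gt;

```python
"""Does a TLS ClientHello offer hybrid post-quantum key exchange?
Added example, not from the article or any vendor. The ClientHello is constructed
inline so the check runs offline; the codepoints are an assumption taken from the
IETF hybrid key-exchange drafts."""
import os
import struct

EXT_SUPPORTED_GROUPS = 0x000A

# supported_groups codepoints (assumption: hybrid values per draft-ietf-tls-ecdhe-mlkem
# and the earlier X25519Kyber768Draft00 registration used by browsers).
GROUP_NAMES = {
    0x0017: "secp256r1",
    0x0018: "secp384r1",
    0x001D: "x25519",
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",
}
HYBRID_PQ_GROUPS = {0x11EB, 0x11EC, 0x11ED, 0x6399}


def build_client_hello(groups):
    """Minimal TLS 1.3-style ClientHello record whose only extension is supported_groups.
    Constructed sample input; a real capture would carry many more extensions."""
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    ext_data = struct.pack("!H", len(group_list)) + group_list
    ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(ext_data)) + ext_data
    body = (b"\x03\x03" + os.urandom(32)            # legacy_version, random
            + b"\x00"                                # empty legacy_session_id
            + b"\x00\x02\x13\x01"                    # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                            # legacy_compression_methods: null
            + struct.pack("!H", len(ext)) + ext)     # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_supported_groups(record):
    """Walk the record, handshake and ClientHello headers, then the extension list,
    and return the offered NamedGroup values in the order the client listed them."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                             # legacy_version + random
    pos += 1 + body[pos]                                     # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # legacy_compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    exts = body[pos + 2:pos + 2 + ext_len]
    while min(len(exts), 4) == 4:                            # a full extension header remains
        ext_type, ext_size = struct.unpack("!HH", exts[:4])
        data, exts = exts[4:4 + ext_size], exts[4 + ext_size:]
        if ext_type == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", data[:2])[0]
            return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return []


def offers_hybrid_pq(record):
    """True if at least one hybrid post-quantum group is offered."""
    return any(g in HYBRID_PQ_GROUPS for g in parse_supported_groups(record))


def describe_groups(record):
    """Human-readable list, flagging codepoints outside the table."""
    return [GROUP_NAMES.get(g, f"unknown(0x{g:04x})") for g in parse_supported_groups(record)]


if __name__ == "__main__":
    for label, groups in (("classical-only", [0x001D, 0x0017]),
                          ("hybrid-first", [0x11EC, 0x001D, 0x0017])):
        hello = build_client_hello(groups)
        print(label, describe_groups(hello), "hybrid PQ offered:", offers_hybrid_pq(hello))
```

&lt;p&gt;Offering a hybrid group is not the same as negotiating one: the server chooses, so the same check against the ServerHello key_share extension, or simply the negotiated group reported by the TLS library, is needed to confirm a connection actually used it. Run against captured traffic, the two checks together show how much of an estate is still on purely classical key exchange, which is exactly the traffic a harvest-now-decrypt-later adversary is interested in.&lt;/p&gt;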
&lt;p&gt;According to Mark Pecen, chair of the Technical Committee on Quantum Technologies at the &lt;a href="https://www.etsi.org/"&gt;European Telecommunications Standards Institute&lt;/a&gt; (ETSI), Google’s accelerated deadline reflects a shift from trying to predict Q-Day to preventative management of present-day risks.&lt;/p&gt; 
&lt;p&gt;“The real concern isn’t when quantum computers arrive, it’s that adversaries are already collecting encrypted data today to decrypt later,” said Pecen. “The existing public key cryptographic systems that protect our internet and wireless transactions, Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC), are aging cryptosystems, developed in the 1970s and 1980s respectively.&lt;/p&gt; 
&lt;p&gt;“These algorithms become weaker for every year that technology advances, so post-quantum cryptography is also being viewed as the next generation of data security.”&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Read more about quantum computing&lt;/h3&gt; 
  &lt;ul style="list-style-type: square;" class="default-list"&gt; 
   &lt;li&gt;We speak to Lucy Robson, a quantum algorithm scientist at Universal Quantum, about her work in helping to develop&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/podcast/Understanding-quantum-A-Computer-Weekly-Downtime-Upload-podcast"&gt;simulations for drug discovery&lt;/a&gt;.&lt;/li&gt; 
   &lt;li&gt;Japan and Singapore will work together to bridge the gap between quantum research and real-world commercialisation, marking Singapore’s first government-to-government pact&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/news/366637028/Singapore-and-Japan-team-up-on-quantum-computing"&gt;dedicated to the technology&lt;/a&gt;.&lt;/li&gt; 
   &lt;li&gt;Claims that quantum computing will destroy Bitcoin may be exaggerated,&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/opinion/Will-Quantum-Computing-Kill-Bitcoin"&gt;but Bitcoin will need to adapt&lt;/a&gt;.&lt;/li&gt; 
  &lt;/ul&gt;
 &lt;/div&gt;
&lt;/div&gt; 
&lt;p&gt;Additionally, newer and faster quantum decryption algorithms are already being developed, such as the Jesse-Victor-Gharabaghi (JVG) algorithm, &lt;a href="https://www.securityweek.com/quantum-decryption-of-rsa-is-much-closer-than-expected/" target="_blank" rel="noopener"&gt;which caused a stir in March 2026&lt;/a&gt; because it appears to need far fewer qubits than earlier approaches to break legacy public key algorithms.&lt;/p&gt; 
&lt;p&gt;Its creators say that, given suitable quantum hardware, JVG could break RSA in 11 hours.&lt;/p&gt; 
&lt;p&gt;“By moving earlier than government timelines, Google is effectively forcing the industry to treat post-quantum migration as an immediate operational priority rather than a future compliance exercise,” said Pecen.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Harvest now, decrypt later"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Harvest now, decrypt later&lt;/h2&gt;
 &lt;p&gt;At present, &lt;a href="https://globalriskinstitute.org/publication/quantum-threat-timeline-report-2025b/" target="_blank" rel="noopener"&gt;much of the concern&lt;/a&gt; stems from the demonstrable growth in so-called &lt;a href="https://www.techtarget.com/searchsecurity/feature/Cybersecurity-trends-to-watch" target="_blank" rel="noopener"&gt;harvest now, decrypt later&lt;/a&gt; (HNDL) cyber attacks, in which threat actors exfiltrate encrypted data now and keep it in readiness for the moment present-day algorithms fail. Simon Pamplin, chief technology officer at &lt;a href="https://certes.ai/" target="_blank" rel="noopener"&gt;Certes&lt;/a&gt;, a PQC specialist, said that for many organisations the most dangerous moment is not the day quantum computers arrive, but right now.&lt;/p&gt;
 &lt;p&gt;“Adversaries are already running HNDL campaigns: exfiltrating encrypted data today with the intention of unlocking it once a cryptographically relevant quantum computer [CRQC] exists,” he said.&lt;/p&gt;
 &lt;p&gt;“If your organisation is still relying on RSA, TLS or standard PKI to protect sensitive data in transit, that data is already at risk, regardless of whether Q-Day lands in 2029 or 2035,” added Pamplin.&lt;/p&gt;
 &lt;p&gt;“With data flowing across legacy systems, multi-cloud environments, AI and the edge, the potential risk organisations face today is very real, and extremely serious if left unchecked.”&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Next steps"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Next steps&lt;/h2&gt;
 &lt;p&gt;Matt Campagna, who chairs ETSI’s Quantum-Safe Cryptography working group, said Google’s prioritisation of quantum-resistant digital signatures demonstrated important industry leadership in the field, and hailed significant progress in a field for which ETSI has been advocating for 13 years.&lt;/p&gt;
 &lt;p&gt;“Organisations operating information technology systems should take note,” he said. “Understanding local PQC migration timelines, as set by customers and regulators, is now essential. Businesses must develop their own PQC migration strategies and actively engage with vendors and suppliers to ensure alignment.”&lt;/p&gt;
 &lt;p&gt;Certes’ Pamplin echoed this sentiment. “Post-quantum migration is a multi-year project for most organisations, and with Gartner predicting a CRQC could arrive by 2029, the gap between where most businesses are and where they need to be is closing fast – and action should be taken today,” he said.&lt;/p&gt;
 &lt;p&gt;Some of the looming challenges that business tech leaders will soon need to face include legacy systems that may prove impossible to natively upgrade to PQC, multi-cloud environments causing issues due to inconsistent security models and data privacy policies, and gaps around the user and network edge.&lt;/p&gt;
 &lt;p&gt;Pamplin said: “Firms need to look at end-to-end PQC solutions that are able to protect data across any app, any infrastructure, anywhere. Specifically, solutions that enforce sovereign, crypto-agile PQC protection, where only the data owner controls the key, from server to edge, and ones where protection persists with the data, not infrastructure.&lt;/p&gt;
 &lt;p&gt;“Quantum readiness isn’t about predicting a date,” he said. “It’s about eliminating a long-term exposure before that date becomes irrelevant.”&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Google’s decision to move up its timeline for migration to post-quantum cryptography highlights that some of the cyber security risks posed by quantum computing are already reality</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/HeroImages/risk-Omid-studio-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366640684/Shrinking-PQC-timeline-highlights-immediate-risk-to-data-security</link>
            <pubDate>Tue, 31 Mar 2026 05:30:00 GMT</pubDate>
            <title>Shrinking PQC timeline highlights immediate risk to data security</title>
        </item>
        <item>
            <body>&lt;p&gt;We’re living through a genuinely groundbreaking moment in technology. Every week brings new breakthroughs in AI agents – capabilities that seemed impossible just months ago are now becoming reality. Organisations are rushing to adopt them, and they’re right to.&lt;/p&gt; 
&lt;p&gt;But there are important security considerations beneath the enthusiasm. According to our research &lt;a target="_blank" href="https://www.okta.com/newsroom/articles/ai-at-work-2025--securing-the-ai-powered-workforce/" rel="noopener"&gt;at Okta&lt;/a&gt;, 91% of organisations are now adopting &lt;a href="https://www.computerweekly.com/feature/Getting-started-with-agentic-AI"&gt;AI agents&lt;/a&gt;, yet only 10% have governance strategies in place. Closing this gap will require intentional focus and effort.&lt;/p&gt; 
&lt;p&gt;The reason comes down to something more fundamental than most people realise. We’re shifting from one architectural model to something fundamentally different and we haven’t fully reckoned with what that means for security.&lt;/p&gt; 
&lt;p&gt;&lt;b&gt;When applications stop following the script&lt;/b&gt;&lt;/p&gt; 
&lt;p&gt;For decades, we’ve built applications that operate within predictable boundaries. Think of a travel booking application. You navigate defined screens and execute a transaction. What’s possible is finite. Security works because users move through guarded corridors deep inside the application’s logic.&lt;/p&gt; 
&lt;p&gt;But AI agents operate differently. They’re conversational. They accept natural language input from anywhere and make autonomous decisions we can’t entirely predict. The access point isn’t buried in application code anymore. It’s right there at the front end, in the conversation itself.&lt;/p&gt; 
&lt;p&gt;This is an architectural shift, and it means the security controls we’ve relied on are now being tested in ways we’re only beginning to understand.&lt;/p&gt; 
&lt;p&gt;&lt;b&gt;Security at the frontline&lt;/b&gt;&lt;/p&gt; 
&lt;p&gt;This shift exposes internal APIs and data surfaces in ways traditional applications never did. When you compromise a deterministic application, damage is typically contained. But when you compromise an AI agent, you’re looking at potential access across your entire infrastructure and actions that ripple in unpredictable ways.&lt;/p&gt; 
&lt;p&gt;What used to be hypothetical is now happening, and the complexity compounds when agents work together. We’re moving beyond single agents to agent-to-agent communications. That introduces permission and identity challenges we’ve genuinely never had to think about before.&lt;/p&gt; 
&lt;p&gt;&lt;b&gt;Rethinking identity in an AI-driven world&lt;/b&gt;&lt;/p&gt; 
&lt;p&gt;&lt;a target="_blank" href="https://www.verizon.com/business/en-gb/resources/reports/dbir/" rel="noopener"&gt;80% of breaches&lt;/a&gt; today involve compromised identity or credentials, which remains a key attack surface for threat actors. But, solving this in an agent-driven world requires thinking about identity differently.&lt;/p&gt; 
&lt;p&gt;For developers and organisations deploying agents, four identity requirements have become non-negotiable:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;&lt;b&gt;First,&lt;/b&gt; genuine agent and user authentication. You must securely link each agent’s actions back to the human user who authorised them.&lt;/li&gt; 
 &lt;li&gt;&lt;b&gt;Second,&lt;/b&gt; standardised, secure API access. Agents connect to dozens of applications. Those connections need hardening against token leakage and credential compromise.&lt;/li&gt; 
 &lt;li&gt;&lt;b&gt;Third&lt;/b&gt;, human validation in the loop for anything high-risk or sensitive. This isn’t about lack of faith in AI; it’s about maintaining human agency while these systems mature.&lt;/li&gt; 
 &lt;li&gt;&lt;b&gt;Fourth,&lt;/b&gt; fine-grained permissions. An agent should access only the data it needs, only for the time it needs it, with every action logged and auditable.&lt;/li&gt; 
&lt;/ul&gt; 
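&lt;p&gt;The four requirements above can be expressed as a single policy check. The Python below is an added example, not code from Okta, Auth0 or the author: it mints a delegation token that records the human user (“sub”) and the agent acting for them (“act”), with explicit scopes and a short expiry; rejects the token if a different agent presents it (the token-leakage case); requires a recorded human approval before any action in a HIGH_RISK set; and appends every decision, allowed or denied, to an audit list. The token layout, claim names, HIGH_RISK set and signing key are assumptions made for illustration.&lt;/p&gt;

```python
"""Delegated, scoped, time-boxed authorisation for an AI agent, with an audit trail.
Added example; not Okta or Auth0 code. The token layout, claim names, the
HIGH_RISK set and the demo signing key are assumptions made for illustration."""
import base64
import hashlib
import hmac
import json

# Assumption: in a real deployment this key is held by the identity provider,
# never by the agent. A static key is used here only so the example runs offline.
SIGNING_KEY = b"demo-only-signing-key"

# Assumption: actions that need a human in the loop before an agent may run them.
HIGH_RISK = {"payments:send", "users:delete"}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_delegation(user, agent, scopes, ttl_s, now):
    """Mint a token that binds the agent ('act') to the human who authorised it ('sub'),
    limited to explicit scopes and a short lifetime."""
    claims = {"sub": user, "act": agent, "scope": sorted(scopes), "iat": now, "exp": now + ttl_s}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return f"{b64url_encode(body)}.{b64url_encode(sig)}"


def verify_delegation(token, now):
    """Return (error, claims). Nothing in the body is trusted before the MAC is checked."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = b64url_decode(body_b64), b64url_decode(sig_b64)
    except ValueError:
        return "deny:malformed", {}
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "deny:bad-signature", {}
    claims = json.loads(body)
    if max(claims["exp"] - now, 0) == 0:       # lifetime exhausted (exp at or before now)
        return "deny:expired", claims
    return "", claims


def authorize(token, presenting_agent, action, now, approvals, audit):
    """Decide whether presenting_agent may perform action under token.
    approvals is a set of (user, agent, action) tuples recorded by a human reviewer;
    every decision, allowed or denied, is appended to audit."""
    error, claims = verify_delegation(token, now)
    if not error and claims["act"] != presenting_agent:
        error = "deny:agent-mismatch"          # a leaked token replayed by another agent
    if not error and action not in claims["scope"]:
        error = "deny:out-of-scope"            # least privilege: only the granted scopes
    if not error and action in HIGH_RISK and (claims["sub"], presenting_agent, action) not in approvals:
        error = "needs-approval"               # human validation in the loop
    decision = error or "allow"
    audit.append({"ts": now, "sub": claims.get("sub"), "act": presenting_agent,
                  "action": action, "decision": decision})
    return decision


if __name__ == "__main__":
    log = []
    tok = issue_delegation("alice", "travel-agent", {"flights:read", "payments:send"}, 300, 1_000_000)
    print(authorize(tok, "travel-agent", "flights:read", 1_000_010, set(), log))
    print(authorize(tok, "travel-agent", "payments:send", 1_000_020, set(), log))
    print(authorize(tok, "travel-agent", "payments:send", 1_000_030,
                    {("alice", "travel-agent", "payments:send")}, log))
    print(json.dumps(log, indent=1))
```

&lt;p&gt;In practice the signing key would be held by the identity provider and the token would be an OAuth access token carrying equivalent claims. The point of the example is that one check binds agent, user, scope, lifetime and approval together, and never answers without writing an audit record, so a leaked or over-broad token fails closed and leaves a trace.&lt;/p&gt;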
&lt;p&gt;&lt;b&gt;Learning from past mistakes&lt;/b&gt;&lt;/p&gt; 
&lt;p&gt;I’ve watched this pattern before with cloud, APIs, and microservices. Security considerations often come in later in the development of new architectural models, not earlier.&lt;/p&gt; 
&lt;p&gt;We’re seeing it again with agent protocols. &lt;a href="https://www.techtarget.com/searchdatamanagement/feature/One-year-of-MCP-Support-a-must-for-data-management-vendors"&gt;MCP, agent-to-agent frameworks&lt;/a&gt;, and cross-app access standards are developing rapidly with genuine effort to embed security from the start. But security still feels like it’s catching up rather than leading design.&lt;/p&gt; 
&lt;p&gt;The practical reality is that you can’t wait for perfect standards. You need to implement governance with available frameworks today, while remaining flexible to adapt as standards mature.&lt;/p&gt; 
&lt;p&gt;&lt;b&gt;What leaders must do now&lt;/b&gt;&lt;/p&gt; 
&lt;p&gt;Business leaders face real pressure to unlock AI’s potential and genuine concerns about security. These aren’t mutually exclusive. Here’s what needs to happen.&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;Complete visibility into every agent running in your environment and what it’s doing. No shadow agents. No hidden permissions.&lt;/li&gt; 
 &lt;li&gt;Apply identity and permission strategies with the same rigour you’d use for human users.&lt;/li&gt; 
 &lt;li&gt;Ensure agents connect through secure, auditable channels. Whether building customer agents or using MCP servers, the same principles apply.&lt;/li&gt; 
 &lt;li&gt;Finally, log everything. Agent activity will operate at a scale that might surprise you, but if every action is captured, you’ll meet regulatory requirements and investigate incidents quickly.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;b&gt;Be proactive, not reactive&lt;/b&gt;&lt;/p&gt; 
&lt;p&gt;Breaches linked to agents are happening now and will continue to happen. That’s not a reason to slow AI adoption – it’s a reason to be serious about security from the start.&lt;/p&gt; 
&lt;p&gt;The encouraging part is that the foundational principles we’ve relied on – identity governance, least-privilege access, encryption, comprehensive auditing – still work. In fact, they’re more important than ever. We just need to scale them intelligently for this non-deterministic world.&lt;/p&gt; 
&lt;p&gt;The technology exists and the frameworks are emerging. What matters now is whether we approach this thoughtfully or spend the next couple of years managing preventable incidents.&lt;/p&gt; 
&lt;p&gt;I’m betting we’re smarter than that.&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;Shiv Ramji is Auth0 President at Okta&lt;/i&gt;&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Read more about agentic AI and security&lt;/h3&gt; 
  &lt;p&gt;What &lt;a href="https://www.techtarget.com/searchsecurity/tip/What-agentic-AI-means-for-cybersecurity"&gt;agentic AI means for cybersecurity&lt;/a&gt;&lt;/p&gt; 
  &lt;p&gt;&lt;a href="https://www.computerweekly.com/opinion/Generative-and-agentic-AI-in-security-What-CISOs-need-to-know"&gt;Generative and agentic AI in security&lt;/a&gt;: What CISOs need to know&lt;/p&gt; 
  &lt;p&gt;Agentic AI requires &lt;a href="https://www.computerweekly.com/news/366637022/Agentic-AI-requires-rethink-of-cloud-security-strategy"&gt;rethink of cloud security strategy&lt;/a&gt;&lt;/p&gt;
 &lt;/div&gt;
&lt;/div&gt;</body>
            <description>Agentic AI adoption may be surging, but security is lagging behind and its fundamental principles need to be intelligently re-scaled for a non-deterministic world</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/chess-strategy-game-intelligence-1-adobe.jpeg</image>
            <link>https://www.computerweekly.com/opinion/AI-agents-are-here-Are-we-ready-for-the-security-implications</link>
            <pubDate>Mon, 30 Mar 2026 11:51:00 GMT</pubDate>
            <title>AI agents are here. Are we ready for the security implications?</title>
        </item>
        <item>
            <body>&lt;p&gt;The UK’s &lt;a href="https://committees.parliament.uk/committee/127/public-accounts-committee/" target="_blank" rel="noopener"&gt;Public Accounts Committee&lt;/a&gt; (PAC) has accused the government of lacking the “modernising ambition” to use technology to fight tax fraud and error, as taxpayers continue to lose anywhere between £55bn and £81bn per annum, the bulk of them in the tax and welfare systems.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://committees.parliament.uk/committee/127/public-accounts-committee/publications/" target="_blank" rel="noopener"&gt;In a report published today&lt;/a&gt;, the PAC said the use of legacy technology and a lack of leadership persisted, and public bodies were failing to embrace the opportunity to deploy new data analytics technology. The body declared itself sceptical of the government’s ability to make any form of improvement without a robust plan.&lt;/p&gt; 
&lt;p&gt;Though Westminster has said using data analytics to tackle the problem could save taxpayers up to £6bn every year, the PAC said it did not believe all public bodies were set up to achieve such savings, and there is not yet enough detail on how this will be achieved.&lt;/p&gt; 
&lt;p&gt;It pointed to the delayed &lt;a href="https://gds.blog.gov.uk/2026/01/20/our-roadmap-for-modern-digital-government/" target="_blank" rel="noopener"&gt;roadmap for modern digital government&lt;/a&gt; – published earlier in 2026 – which said the government would embrace artificial intelligence (AI) and replace outdated technology, but did not go into detail about how, or address how this might tackle fraud and error.&lt;/p&gt; 
&lt;p&gt;“Our committee has long identified a failing in digital leadership and fragmented data across government as one of the main blockers in government’s ability to deliver,” said PAC chair Geoffrey Clifton-Brown. “Our evidence suggests that government has a lot of data, but no information. One of the most obvious areas in which new technology could protect the taxpayer’s pound is in error and fraud.&lt;/p&gt; 
&lt;p&gt;“But while this government has talked a big game on embracing new technology, its delayed roadmap on modern digital government fails to even mention how this will tackle fraud and error, and it continues to struggle with the dead weight of legacy technology,” he added.&lt;/p&gt; 
&lt;p&gt;“We are not convinced that the government is making best use of fast-moving technology such as AI to tackle the difficult subject of fraud.”&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Read more about digital fraud&lt;/h3&gt; 
  &lt;ul class="default-list"&gt; 
   &lt;li&gt;LexisNexis Risk Solutions warns of a 450% rise in agentic traffic and an eight-fold increase in synthetic identity fraud as cyber criminals scale automation &lt;a href="https://www.computerweekly.com/news/366640815/Agentic-bots-and-synthetic-identities-fuel-surge-in-fraud" target="_blank" rel="noopener"&gt;to bypass security controls&lt;/a&gt;.&lt;/li&gt; 
   &lt;li&gt;Industries and policymakers are strongly aligned on the need for digital company IDs for UK businesses, as progress is made towards the implementation &lt;a href="https://www.computerweekly.com/news/366640405/Digital-IDs-edge-closer-to-practical-reality-for-UK-businesses" target="_blank" rel="noopener"&gt;of a practical standard&lt;/a&gt;.&lt;/li&gt; 
   &lt;li&gt;Banks are able to set their own contactless card payment limits from 19 March, following rule change &lt;a href="https://www.computerweekly.com/news/366640337/Contactless-payment-limit-removal-will-happen-overnight-but-change-wont" target="_blank" rel="noopener"&gt;by the Financial Conduct Authority&lt;/a&gt;.&lt;/li&gt; 
  &lt;/ul&gt;
 &lt;/div&gt;
&lt;/div&gt; 
&lt;p&gt;The PAC said the apparent lack of planning in government reflected a backdrop of longstanding issues with legacy technology – previous reports have highlighted a swathe of out-of-date systems across government, and noted that &lt;a href="https://www.computerweekly.com/news/366580233/Government-struggles-to-upgrade-legacy-IT-systems-says-PAC-chair" target="_blank" rel="noopener"&gt;this has been the case for years&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;An apparent lack of digital leadership is not helping matters, it added. In 2023, the PAC recommended that all government departments have a digital expert on their boards, which has not come to pass. The decision by the Department for Science, Innovation and Technology (DSIT) not to appoint a government-wide chief digital officer (CDO) after all represented a “serious shortcoming”, said the PAC, as the role would have given the department more clout across government when it came to digital transformation.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Warnings and limitations"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Warnings and limitations&lt;/h2&gt;
 &lt;p&gt;The latest PAC report also repeats a warning from March 2025 over the government’s apparent opacity regarding algorithmic decision-making. This time last year, just 33 records had been published on a special website set up to improve transparency in this area, and as of the time of writing, &lt;a href="https://www.gov.uk/algorithmic-transparency-records" target="_blank" rel="noopener"&gt;there are just 125&lt;/a&gt;, of which only 11 mention fraud, and of which only two were filed this year – both by the Information Commissioner’s Office (ICO).&lt;/p&gt;
 &lt;p&gt;The PAC said DSIT had admitted that not all the expected cases have been recorded and said it was clear departments were not doing enough to be transparent or build public trust in government’s use of data analytics to fight fraud, calling on DSIT to work to ensure all government bodies record their use of algorithms.&lt;/p&gt;
 &lt;p&gt;The report further identified a limitation in current legislation in how government can deploy modern data analytics techniques to fight fraud. The law does not allow for individual profiling, meaning that government is not allowed to flag known fraudsters as an indicator for future fraud detection work, while National Fraud Initiative data can only be retained for two years.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Next steps"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Next steps&lt;/h2&gt;
 &lt;p&gt;The PAC report makes six recommendations for the government:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;The Treasury should require public bodies to include information on what they are doing to tackle fraud and error in their annual reports, and set out the types of counter-fraud activity they are undertaking. This reporting should include information on targets agreed with the Public Sector Fraud Authority (PSFA) and steps to improve future performance;&lt;/li&gt; 
  &lt;li&gt;The Government Digital Service (GDS), PSFA and Government Finance Function should communicate a plan to cooperate on cutting fraud losses through the use of data analytics technology, which should include targets and milestones, and more clarity on how government means to move from a system that detects and recovers losses from fraud to one that prevents it in the first place;&lt;/li&gt; 
  &lt;li&gt;Reflecting concerns that neither the digital capability nor the senior leadership capacity to achieve change exists, DSIT should mandate digitally skilled leaders at board level in all departments and any arm’s-length bodies (ALBs) in which technology plays a key role. Moreover, DSIT should appoint a government CDO at permanent secretary level and equip this person with the necessary authority to effect change. DSIT should also better set out how it means to hit its target of having 10% of civil servants digitally trained;&lt;/li&gt; 
  &lt;li&gt;Within six months, the PSFA should report to the PAC on progress towards building a library of counter-fraud controls, and set out steps to address data sharing issues through the Digital Economy Act. DSIT should also set out further information on the single data platform, specifically a timetable for completion and expected benefits around tackling fraud and error. And together, the Treasury, DSIT and the PSFA should decide which elements of the National Fraud Initiative could be useful within central government, and apply them accordingly;&lt;/li&gt; 
  &lt;li&gt;DSIT should do more to ensure government bodies comply with the Algorithmic Transparency Reporting Standard to capture all relevant uses of AI and machine learning in a fashion that continually monitors, updates and ensures compliance around transparency to be as upfront as possible without accidentally creating a reference library for cyber criminals;&lt;/li&gt; 
  &lt;li&gt;Finally, the PSFA should review legislation that impacts its mission to implement fraud and error analytics, and work with DSIT on a review of the regulatory regime around fraud and error activities, and communicate to Parliament any areas in which additional powers or legislative changes might be helpful.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;“There are specific actions which this committee will continue to raise which government could take to back up its loud ambitions,” said Clifton-Brown. “It could enable better information sharing across departments; DSIT could gain the heft a small department with such a big responsibility needs by appointing a government chief digital officer; and it could move with more speed to place digital experts at the top decision-making table of each department, a PAC recommendation government has already accepted.&lt;/p&gt;
 &lt;p&gt;“We hope to see a robust plan from government in this area. Without one, government will only be able to mouth its disapproval as billions in public money continue to roll out of the door into the hands of fraudsters.”&lt;/p&gt;
&lt;/section&gt;</body>
            <description>The Public Accounts Committee says the UK government has dropped the ball on the use of data analytics to tackle tax fraud and error, as the public purse haemorrhages billions of pounds</description>
            <image>https://cdn.ttgtmedia.com/rms/German/fraud-detection-2-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366640841/UK-government-lacks-ambition-to-fight-tax-fraud-says-PAC</link>
            <pubDate>Fri, 27 Mar 2026 12:45:00 GMT</pubDate>
            <title>UK government lacks ambition to fight tax fraud, says PAC</title>
        </item>
        <item>
            <body>&lt;p&gt;Lloyds Banking Group’s response to a request from the UK government’s Treasury Committee shows that a programming error was the root cause of a breach that exposed details of more than &lt;a href="https://www.computerweekly.com/news/366639996/Lloyds-banking-app-glitch-shows-transactions-of-strangers"&gt;114,000 mobile banking customers&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;The bank said it has made goodwill payments totalling just over £139,000 to around 3,625 customers as of 23 March. It said it also submitted a formal notification to the Information Commissioner’s Office within 72 hours after the breach, in line with statutory timelines.&lt;/p&gt; 
&lt;p&gt;As Computer Weekly has previously reported, on the morning of 12 March, a fault in the Lloyds banking app enabled some customers to see the transactions of other customers. Customers of the group’s Halifax, Bank of Scotland and Lloyds Bank apps were affected by the security breach.&lt;/p&gt; 
&lt;p&gt;While the bank resolved the breach quickly, &lt;a href="https://committees.parliament.uk/publications/52193/documents/289926/default/"&gt;Meg Hillier&lt;/a&gt;, chair of the Treasury Committee, sent an email to Lloyds Banking Group’s group CEO, Charles Nunn, with the subject line “Improper disclosure of individuals’ account information”. In the email, Hillier described the incident as “an alarming breach of &lt;a href="https://www.computerweekly.com/news/366640367/MPs-asks-Lloyds-Bank-for-more-information-about-alarming-breach"&gt;data confidentiality&lt;/a&gt;.”&lt;/p&gt; 
&lt;p&gt;The information she requested from the bank’s boss included details of the breach, how many customers were affected, whether customers could be identified and what steps Lloyds Banking Group has taken to encourage those who may have taken copies of data – of which they were not entitled – to delete those copies.&lt;/p&gt; 
&lt;p&gt;Jasjyot Singh, CEO of consumer relationships at Lloyds Banking Group, has now responded to the Treasury Committee’s questions. Singh stated that the incident was caused by an IT change made overnight between 11 and 12 March which introduced a software defect.&lt;/p&gt; 
&lt;p&gt;“The defect meant that when a customer requested to view their current account transactions, their transaction data was potentially visible to other customers who were simultaneously – within small fractions of a second – requesting access to their own transactions,” Singh said.&lt;/p&gt; 
&lt;p&gt;The bank has now established that the defect was in the design of the code used to update the application programming interface (API) used by the app. Singh said the bank is &lt;a href="https://www.techtarget.com/searchsoftwarequality/tip/How-to-handle-root-cause-analysis-of-software-defects"&gt;reviewing why this individual defect&lt;/a&gt; was not detected by its design, quality assurance and testing processes.&lt;/p&gt; 
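&lt;p&gt;The failure Singh describes, one customer’s request reading data that another, concurrent request set up, is a classic request-isolation bug: state that belongs to a single request is held somewhere shared between requests. The Python below is an added example with a hypothetical handler, not Lloyds Banking Group code, and the exact mechanism is an assumption chosen to reproduce the described symptom. It drives two requests through the same handler with a deterministic interleaving, shows the vulnerable version returning one customer’s transactions to another, and shows a fixed version that keeps the identity request-scoped and additionally refuses to return rows the caller does not own.&lt;/p&gt;

```python
"""Cross-customer data leak from shared mutable request state under concurrency.
Added example with a hypothetical handler; this is NOT the bank's code, and the
mechanism shown (identity parked in a field shared between concurrent requests)
is an assumption used to reproduce the symptom described in the letter."""

# Constructed sample ledger keyed by customer id; every row carries its owner.
LEDGER = {
    "cust-1001": [{"id": "t1", "owner": "cust-1001", "amount": -42.10, "payee": "Grocer"}],
    "cust-2002": [{"id": "t2", "owner": "cust-2002", "amount": -900.00, "payee": "Landlord"}],
}


class VulnerableTransactionsApi:
    """One handler object serves every request and records the authenticated
    customer in an instance attribute between two steps of the same request."""

    def __init__(self):
        self.current_customer = None

    def handle(self, authenticated_customer):
        self.current_customer = authenticated_customer   # step 1: note who is asking
        yield                                            # the scheduler may switch requests here
        return list(LEDGER[self.current_customer])       # step 2: read back from the shared field


class FixedTransactionsApi:
    """Identity travels with the request, and the response is checked against it."""

    def handle(self, authenticated_customer):
        customer = authenticated_customer                # request-scoped, never shared
        yield
        rows = list(LEDGER[customer])
        # Defence in depth: refuse to return any row the caller does not own,
        # whatever the lookup above did.
        return [row for row in rows if row["owner"] == customer]


def run_interleaved(api, customers):
    """Drive every request through step 1 before any of them reaches step 2, which is
    the 'within small fractions of a second' overlap the letter describes."""
    requests = {c: api.handle(c) for c in customers}
    for gen in requests.values():
        next(gen)                              # all requests complete step 1
    results = {}
    for customer, gen in requests.items():
        try:
            next(gen)                          # step 2
        except StopIteration as finished:
            results[customer] = finished.value
    return results


def leaked_rows(results):
    """(customer, transaction id) pairs where a customer was shown someone else's row."""
    return [(c, row["id"]) for c, rows in results.items() for row in rows if row["owner"] != c]


if __name__ == "__main__":
    customers = ["cust-1001", "cust-2002"]
    print("vulnerable:", leaked_rows(run_interleaved(VulnerableTransactionsApi(), customers)))
    print("fixed:     ", leaked_rows(run_interleaved(FixedTransactionsApi(), customers)))
```

&lt;p&gt;The deterministic interleaving is also the test a QA process needs: a unit test that exercises the handler with one request at a time never reaches step 2 after another request has run step 1, so a defect of this shape passes functional testing and only surfaces under real concurrency. The ownership filter in the fixed handler is the kind of server-side check that limits the blast radius even when the lookup logic is wrong.&lt;/p&gt;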
&lt;p&gt;According to Singh, a maximum of 447,936 customers who viewed their transaction list during the affected time period may have been presented with other people’s transactions or may have had some of their transactions presented on another customer’s transaction list. The bank has estimated that 114,182 customers clicked through to view the detail behind individual current account transactions during that time and may have been presented with information about individual payments.&lt;/p&gt; 
&lt;p&gt;Singh assured the Treasury Committee that the bank’s fraud and cyber monitoring processes have seen no evidence of misuse or malicious activity as a result of the incident. “Based on our assessment of this incident, we have not identified evidence that customers have suffered financial loss, and no customer has reported a financial loss arising from the incident at this stage. Accordingly, we have not made compensation payments on this basis,” he stated in the letter.&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Read more data breach stories&lt;/h3&gt; 
  &lt;ul class="default-list"&gt; 
   &lt;li&gt;Sportswear firm Under Armour falls victim to &lt;a href="https://www.computerweekly.com/news/366637595/Sportswear-firm-Under-Armour-falls-victim-to-data-breach"&gt;data breach&lt;/a&gt;: Details of over 70 million customers of US sportswear giant Under Armour were leaked following a supposed ransomware attack by the Everest gang.&lt;/li&gt; 
   &lt;li&gt;McLaren Health agrees to $14M settlement over &lt;a href="https://www.techtarget.com/healthtechsecurity/news/366639020/McLaren-Health-agrees-to-14M-settlement-over-two-data-breaches"&gt;two data breaches&lt;/a&gt;: The settlement stemmed from two separate ransomware attacks that McLaren Health Care experienced in 2023 and 2024.&lt;/li&gt; 
  &lt;/ul&gt;
 &lt;/div&gt;
&lt;/div&gt;</body>
            <description>The bank has responded to the Treasury Committee’s request for information on a major data breach in its banking app</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/bank-online-banking-3-adobe.jpeg</image>
            <link>https://www.computerweekly.com/news/366640568/Lloyds-admits-coding-fault-exposed-customer-transactions</link>
            <pubDate>Fri, 27 Mar 2026 11:13:00 GMT</pubDate>
            <title>Lloyds admits coding fault exposed customer transactions</title>
        </item>
        <item>
            <body>&lt;p&gt;The European Parliament has voted against proposals that would allow social media and tech companies to continue to scan the content of private messages of EU citizens for illegal content.&lt;/p&gt; 
&lt;p&gt;A majority of MEPs voted on Thursday 26 March to reject extending a temporary exemption to EU privacy laws that permitted companies such as Meta, Google and LinkedIn to “indiscriminately” scan private messages for child abuse. The decision marks the end of a long-running attempt to introduce Chat Control legislation across Europe.&lt;/p&gt; 
&lt;p&gt;In its original form, Chat Control would have required technology companies to monitor the content of end-to-end encrypted communications, raising objections that it would undermine cyber security and put confidential communications at risk.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="US tech barred from scanning private messages"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;US tech barred from scanning private messages&lt;/h2&gt;
 &lt;p&gt;In the vote, 311 MEPs voted against a motion to extend a derogation to the e-Privacy directive, with 228 votes in favour and 92 abstentions, which means that tech companies can no longer legally conduct mass scanning of private messages.&lt;/p&gt;
 &lt;p&gt;Law enforcement agencies will be able to continue to conduct surveillance of private messages when they have concrete suspicions and have obtained a judicial warrant, and will be able to conduct routine scanning of public posts and files.&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;In 2022, the European Commission first presented a&amp;nbsp;&lt;a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A209%3AFIN&amp;amp;qid=1652451192472"&gt;proposal&lt;/a&gt; to require all email and messaging providers to conduct mass scanning of all messages and emails sent on their platforms, including end-to-end encrypted messages. The proposals attracted criticism from technology companies and lawyers.&lt;/p&gt;
 &lt;p&gt;In 2024, European tech companies warned in an open letter that the proposals would “negatively impact children’s privacy and security” and could have “dramatic unforeseen consequences” for cyber security.&lt;/p&gt;
 &lt;p&gt;Leaked&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/366537312/Chat-control-EU-lawyers-warn-plans-to-scan-encrypted-messages-for-child-abuse-may-be-unlawful"&gt;internal legal&lt;/a&gt; advice showed that the Council of the European Union's own lawyers had serious questions about the lawfulness of the planned measures, which they said could lead to the de facto “permanent surveillance of all interpersonal communications”.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="PhotoDNA flawed"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;PhotoDNA flawed&lt;/h2&gt;
 &lt;p&gt;A &lt;a href="https://eprint.iacr.org/2026/486"&gt;scientific study published&lt;/a&gt; this month found that the “PhotoDNA” technology used by tech companies for Chat Control was “unreliable”. They found that criminals can fool the software into missing illegal images and that harmless images can be manipulated so that innocent citizens are reported to the police.&lt;/p&gt;
 &lt;p&gt;According to a European Commission report, just &lt;a href="https://url.us.m.mimecastprotect.com/s/QSiNC68m05HMrRjy0CmiqS505Ya?domain=urldefense.com"&gt;36% of suspicious activity reports from US tech companies&lt;/a&gt; originated from the surveillance of private messages, while social media and cloud storage services are becoming increasingly relevant for investigations.&lt;/p&gt;
 &lt;p&gt;US tech companies are permitted to carry out mass scanning of private messages under an EU interim regulation which now expires on 3 April. The regulation allows “hash scanning” for known images and videos, automated analysis of previously unknown images and videos and automated analysis of text in private chats.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Lobbying exercise"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Lobbying exercise&lt;/h2&gt;
 &lt;p&gt;Patrick Breyer, who has been campaigning against Chat Control, said that technology companies, such as the US-based Thorn, and lobby groups had been trying to “panic” Europe into introducing the measures.&lt;/p&gt;
 &lt;p&gt;“Flooding our police with false positives and duplicates from mass surveillance doesn’t save a single child from abuse. Today’s definitive failure of Chat Control is a clear stop sign to this surveillance mania,” he said. “Indiscriminate mass scanning of our private messages must finally give way to truly effective and targeted child protection that respects fundamental rights.”&lt;/p&gt;
 &lt;p&gt;The European Commission, the European Parliament and the Council of the European Union are continuing negotiations on a permanent regulation, dubbed Chat Control 2.0. The European Parliament has been pressing for targeted measures rather than mass surveillance since 2023.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about Chat Control&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;a href="Plans%20to%20require%20technology%20companies%20across%20Europe%20to%20monitor%20the%20contents%20of%20encrypted%20messages%20and%20emails%20have%20been%20delayed%20after%20European%20Union%20member%20states%20were%20unable%20to%20reach%20agreement%20following%20German%20objections"&gt;Chat Control encryption plans delayed after EU states fail to agree&lt;/a&gt; – Plans to require technology companies across Europe to monitor the contents of encrypted messages and emails have been delayed after European Union member states were unable to reach agreement following German objections.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="As%20EU%20member%20states%20prepare%20to%20vote%20on%20plans%20to%20mandate%20tech%20companies%20to%20introduce%20technology%20to%20scan%20messages%20before%20they%20are%20encrypted,%20Signal%20warns%20that%20Chat%20Control%20will%20create%20new%20security%20risks"&gt;EU Chat Control plans pose ‘existential catastrophic risk’ to encryption&lt;/a&gt;, says Signal – As EU member states prepare to vote on plans to mandate tech companies to introduce technology to scan messages before they are encrypted, Signal warns that Chat Control will create new security risks.&lt;/li&gt; 
    &lt;li&gt;&lt;a href="Law%20enforcement%20and%20police%20experts%20meet%20on%20Friday%20to%20decide%20on%20proposals%20to%20require%20technology%20companies%20to%20scan%20encrypted%20messages%20for%20possible%20child%20abuse%20images%20amid%20growing%20opposition%20from%20security%20experts"&gt;Chat Control: EU to decide on requirement for tech firms to scan encrypted messages&lt;/a&gt; – Law enforcement and police experts meet on Friday to decide on proposals to require technology companies to scan encrypted messages for possible child abuse images amid growing opposition from security experts.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>MEPs vote down proposals to allow US tech companies to continue scanning private messages for illegal content</description>
            <image>https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/EU-flag-1-fotolia_hero.jpg</image>
            <link>https://www.computerweekly.com/news/366640781/EU-Parliament-rejects-Chat-Control-message-scanning</link>
            <pubDate>Fri, 27 Mar 2026 05:35:00 GMT</pubDate>
            <title>EU Parliament rejects Chat Control message scanning</title>
        </item>
        <item>
            <body>&lt;p&gt;Oracle Cloud Infrastructure (OCI) has become a strategically significant part of Oracle’s business, and one it hopes offers differentiation from the major hyperscalers. The company &lt;a href="https://www.computerweekly.com/news/366639939/Oracle-cost-cutting-points-to-AI-infrastructure-gamble"&gt;posted cloud infrastructure revenue&lt;/a&gt; of $4.9bn in the third quarter of its 2026 financial year, up 84% from the same period last year. It has also committed to spending $533bn to meet the compute requirements to fulfil customer contracts.&lt;/p&gt; 
&lt;p&gt;At the company’s recent &lt;a href="https://www.computerweekly.com/news/366640725/Oracle-applications-chief-sees-enterprise-AI-agents-as-task-specific-helpers"&gt;Oracle AI Tour event&lt;/a&gt; in London, Computer Weekly met up with company representatives to discuss how its public cloud competes with the hyperscalers.&lt;/p&gt; 
&lt;p&gt;When asked about the main difference between Oracle’s approach and that of other cloud service providers (CSPs), Nathan Thomas, senior vice-president of product management for OCI, said: “We do delineate a little bit between OCI and other CSPs in that we’ve stayed reasonably focused in that core infrastructure space.”&lt;/p&gt; 
&lt;p&gt;He said OCI comprises around 150 web services available as public and private cloud offerings, and it has a global footprint spanning 200 regions.&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;Oracle’s strategy is intentionally focused on IT infrastructure. “We don’t have some of the bloat – the niche, unprofitable services – that other CSPs carry around,” said Thomas. “We’ve taken a very firm approach to build the highest-performance, lowest-cost cloud that’s highly secure everywhere.”&lt;/p&gt; 
&lt;p&gt;The focus, he added, is to build the OCI IT environment with compute, networking and storage that “are highly tunable”, and that will remain “a major focus” for the company.&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;Significantly, Thomas said that of the OCI customers requiring the highest level of performance, most are opting to buy “bare metal” hosting from Oracle. “When we look at our largest customers, they deploy bare metal with their own AI-driven software and platform management.”&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Read more about Oracle OCI&lt;/h3&gt; 
  &lt;ul class="default-list"&gt; 
   &lt;li&gt;Beyond Stargate – &lt;a href="https://www.techtarget.com/searchcloudcomputing/news/366631471/Beyond-Stargate-Oracle-OCI-ups-cloud-infrastructure-appeal"&gt;Oracle OCI&lt;/a&gt; ups cloud infrastructure appeal: Oracle has struck market-shaking deals with frontier AI model makers, but experts say it has also intensified its challenges to the big three in enterprise IaaS.&lt;/li&gt; 
   &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366634749/Oracle-deploys-the-Middle-Easts-first-AI-supercluster-to-power-sovereign-AI-in-Abu-Dhabi"&gt;Oracle deploys the Middle East’s&lt;/a&gt; first AI supercluster to power sovereign AI in Abu Dhabi: Oracle expands its Abu Dhabi cloud region with the Middle East’s first Nvidia Blackwell–powered AI supercluster.&lt;/li&gt; 
  &lt;/ul&gt;
 &lt;/div&gt;
&lt;/div&gt; 
&lt;p&gt;When asked why these organisations are choosing bare metal over virtualised cloud infrastructure, Thomas spoke of the performance degradation and potential security risks inherent in server virtualisation compared with direct hardware access.&lt;/p&gt; 
&lt;p&gt;“We find that there is a bit of a tax that comes along with virtualisation, both in terms of efficiency of hardware, but also in terms of security, and the customers at the high end [of compute] are saying they would rather avoid that tax,” he said.&lt;/p&gt; 
&lt;p&gt;In his experience, some Oracle customers are more comfortable than they used to be in managing their own virtualisation as they grow their level of expertise. “A lot of the value that the clouds are bringing to bear in that space has been eroded by domain knowledge that’s growing from a customer perspective,” he said.&lt;/p&gt; 
&lt;p&gt;Thomas claimed that unlike rival cloud service providers, which he said use some level of virtualisation in their bare metal services to support storage and networking, Oracle’s is completely bare. This puts the onus on Oracle bare metal customers to deploy the entire IT environment the servers require.&lt;/p&gt; 
&lt;p&gt;“We do a huge amount of work on our root of trust concept [&lt;em&gt;see box:&lt;/em&gt; &lt;a href="#root"&gt;&lt;em&gt;What is Oracle’s root of trust?&lt;/em&gt;&lt;/a&gt;&lt;em&gt;]&lt;/em&gt;, where we validate the bare metal servers to ensure that they are secure for customers. This has been a huge investment for us. I don’t think we’ve seen anybody else quite follow the same pattern.”&lt;/p&gt; 
&lt;p&gt;Thomas said OCI is the only &lt;a href="https://www.techtarget.com/searchcloudcomputing/tip/Top-bare-metal-cloud-providers"&gt;CSP where the bare metal offering&lt;/a&gt; is the company’s primary focus. “I think most other CSPs start the other way around, thinking about virtualisation first and then trying to bolt on bare metal. From an engineering capacity management perspective, we think about that bare metal every day,” he said.&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;&lt;a id="root"&gt;&lt;/a&gt;What is Oracle’s root of trust?&lt;/h3&gt; 
  &lt;p&gt;Oracle Cloud Infrastructure’s &lt;a href="https://www.oracle.com/security/cloud-security/hardware-root-of-trust/"&gt;hardware root of trust&lt;/a&gt; is a security component designed to protect physical servers from firmware attacks. To ensure that each server is provisioned with clean firmware, Oracle has designed, built and implemented a hardware root of trust for the process of wiping and reinstalling server firmware. Oracle runs this process every time a new server is provisioned for a tenant, and again between tenancies.&lt;/p&gt; 
  &lt;p&gt;The hardware root of trust’s role is limited to the specific task of wiping and reinstalling firmware. It triggers a power cycle of the hardware host, prompts for the installation of known firmware, and confirms that the process has completed as expected. According to Oracle, installing firmware this way tends to reduce the risk of firmware-based attacks, such as a permanent denial of service (PDoS) attack or an attempt to embed a backdoor in the firmware to steal data or make it otherwise unavailable. In addition, internal servers are configured to use secure boot.&lt;/p&gt; 
  &lt;p style="text-align: right;"&gt;Source: &lt;em&gt;&lt;a href="https://www.oracle.com/uk/a/ocom/docs/oracle-cloud-infrastructure-security-architecture.pdf"&gt;Oracle Cloud Infrastructure Security Architecture&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
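  &lt;p&gt;The wipe, reinstall and confirm cycle described in the box is sketched below as an added example written for this page; it is not Oracle’s implementation, and the Host class, the manifest of expected digests, the firmware images and the simulated faulty flash write are all assumptions made for the illustration. The point it makes is that the read-back verification, not the write, is what decides whether the host is handed to the tenant.&lt;/p&gt;

```python
"""Provision-time firmware wipe, reinstall and verify cycle.

Constructed example of the process described above, not Oracle's code: the
Host class, the MANIFEST digests, the images and the faulty-write simulation
are assumptions made for the illustration.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed known-good firmware image and its expected digest (the 'manifest'
# a root of trust would carry for each firmware component it manages).
KNOWN_GOOD_IMAGE = b"BMC-FW v2.3 \x00\x01\x02 (constructed sample image)"
MANIFEST = {"bmc": hashlib.sha256(KNOWN_GOOD_IMAGE).hexdigest()}


@dataclass
class Host:
    """A server whose firmware store may have been modified by a previous tenant."""
    firmware: dict
    powered: bool = True
    log: list = field(default_factory=list)

    def power_cycle(self):
        self.powered = False
        self.log.append("power off")
        self.powered = True
        self.log.append("power on")


def reprovision(host, manifest, images, faulty_write=False):
    """Wipe, reinstall and verify every component listed in the manifest.

    Returns True only if every component reads back with the expected digest.
    faulty_write simulates a flash that silently truncates the image, so the
    result depends on the read-back check rather than on the write succeeding.
    """
    host.power_cycle()
    for component, expected in manifest.items():
        host.firmware[component] = b""          # wipe whatever was there
        host.log.append(f"wipe {component}")
        image = images[component]
        host.firmware[component] = image[:-1] if faulty_write else image
        host.log.append(f"install {component}")
        actual = hashlib.sha256(host.firmware[component]).hexdigest()
        if actual != expected:
            host.log.append(f"verify {component}: FAIL")
            return False                        # do not release the host
        host.log.append(f"verify {component}: ok")
    return True


def demo():
    """Returns (tampered_before, clean_after_reprovision, bad_flash_rejected)."""
    tampered = KNOWN_GOOD_IMAGE + b" + implant"   # left behind by a prior tenant
    host = Host(firmware={"bmc": tampered})
    tampered_before = hashlib.sha256(host.firmware["bmc"]).hexdigest() != MANIFEST["bmc"]
    clean_after = reprovision(host, MANIFEST, {"bmc": KNOWN_GOOD_IMAGE})
    host2 = Host(firmware={"bmc": tampered})
    bad_flash_rejected = not reprovision(host2, MANIFEST, {"bmc": KNOWN_GOOD_IMAGE},
                                         faulty_write=True)
    return tampered_before, clean_after, bad_flash_rejected


if __name__ == "__main__":
    print(demo())
```

  &lt;p&gt;demo returns (True, True, True): the host arrives with a modified image, leaves the cycle with the known image verified, and a host whose flash write was truncated is refused rather than trusted on the strength of the install step alone. A production root of trust would verify a signature over the manifest as well as the digest, which this sketch leaves out.&lt;/p&gt;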
 &lt;/div&gt;
&lt;/div&gt;</body>
            <description>The Oracle Cloud Infrastructure appears to have more in common with datacentre hosting than with public infrastructure-as-a-service providers</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/article/network-technician-3-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366640817/Oracle-Cloud-Infrastructure-The-bare-metal-facts</link>
            <pubDate>Thu, 26 Mar 2026 13:00:00 GMT</pubDate>
            <title>Oracle Cloud Infrastructure: The bare metal facts</title>
        </item>
        <item>
            <body>&lt;p&gt;The United Arab Emirates (UAE) is reinforcing its status as a &lt;a href="https://www.computerweekly.com/news/366639768/CISOs-on-alert-Strengthening-cyber-resilience-amid-geopolitical-tensions-in-the-Middle-East" target="_blank" rel="noopener"&gt;regional cyber security leader&lt;/a&gt;, advancing a nationally coordinated model to protect critical infrastructure and ensure operational continuity amid an increasingly complex threat landscape.&lt;/p&gt; 
&lt;p&gt;Recent remarks from Mohamed Hamad Al Kuwaiti, head of cyber security for the UAE government and chairman of the UAE Cyber Security Council, underscore the maturity of the country’s cyber security ecosystem, which operates at a high level of readiness across government entities, strategic industries and private-sector partners.&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;At the core of this strategy is continuous monitoring and rapid response capability. Specialised teams operate around the clock, supported by advanced threat detection platforms, early warning systems and clearly defined incident response procedures aligned with international best practices. These capabilities are integrated into a unified national framework that enables swift coordination and effective containment of cyber incidents.&lt;/p&gt; 
&lt;p&gt;The model is built on strong alignment between public and private stakeholders. Cyber operations centres across key sectors are interconnected, enabling real-time intelligence sharing and coordinated responses to emerging threats. This level of integration is increasingly critical as cyber attacks grow more sophisticated and often target multiple sectors simultaneously.&lt;/p&gt; 
&lt;p&gt;“The UAE continues to invest in strengthening its cyber capabilities and enhancing its digital infrastructure, ensuring the protection of digital assets and the continuity of critical services, while maintaining a high level of preparedness to counter evolving threats,” Dr Al Kuwaiti said.&lt;/p&gt; 
&lt;p&gt;Across the GCC, organisations are facing a steadily evolving threat environment shaped by digital transformation, increased connectivity and rising geopolitical complexity. In this context, cyber security strategies are being tested not only for their technical strength but also for their ability to support resilience at scale.&lt;/p&gt; 
&lt;p&gt;For CISOs, the priority is shifting towards ensuring that organisations can withstand disruption while maintaining essential services. As Anoop Kumar, head of information security governance, risk and compliance at Gulf News Al Nisr Publishing, explains, resilience has become the defining principle.&lt;/p&gt; 
&lt;p&gt;“It’s all about resilience to continue business, how to withstand disruption and recover as quickly as possible,” he says. “Security leaders must ensure organisations can withstand more sophisticated cyber threats while educating all stakeholders about the evolving risk landscape.”&lt;/p&gt; 
&lt;p&gt;This focus on resilience is particularly relevant in sectors such as energy, finance and telecommunications, where downtime or data breaches can have far-reaching consequences. The UAE’s framework addresses this by prioritising visibility, response speed and continuity planning, ensuring that critical services remain operational even under adverse conditions.&lt;/p&gt; 
&lt;p&gt;Investment continues to play a central role in sustaining this momentum. The country is actively strengthening its cyber capabilities through the adoption of advanced technologies, the development of skilled talent and the enhancement of digital infrastructure.&lt;/p&gt; 
&lt;p&gt;“As AI adoption accelerates, cyber security priorities are shifting just as rapidly. Attackers are already &lt;a href="https://www.computerweekly.com/opinion/What-lies-in-store-for-the-security-world-in-2026"&gt;using AI to enhance ransomware and phishing campaigns&lt;/a&gt;, raising the stakes for organisations operating critical infrastructure,” said Omdia chief analyst Trevor Clarke. “As AI is harnessed by attackers for more adaptive ransomware and phishing campaigns, the stakes have never been higher for security teams.”&lt;/p&gt; 
&lt;p&gt;In response, organisations are moving away from static security postures towards adaptive, AI-enabled frameworks. “Firms will leverage unique combinations of machine learning, generative and agentic AI as complementary and foundational capabilities, rather than add-on components,” he said.&lt;/p&gt; 
&lt;p&gt;Equally important is the emphasis on collaboration and knowledge sharing. UAE government authorities have highlighted the need for closer cooperation between organisations, both domestically and internationally, to build a more secure and stable digital environment. This includes joint initiatives, shared threat intelligence and coordinated response strategies that extend beyond individual sectors.&lt;/p&gt; 
&lt;p&gt;While global uncertainties continue to shape the broader risk environment, the UAE’s cyber security strategy demonstrates the value of long-term planning and institutional coordination. By embedding cyber security into national priorities and fostering a culture of continuous readiness, the country is not only protecting its digital assets but also setting a benchmark for resilience in the region.&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Read more about cyber security&lt;/h3&gt; 
  &lt;ul class="default-list"&gt; 
   &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366639768/CISOs-on-alert-Strengthening-cyber-resilience-amid-geopolitical-tensions-in-the-Middle-East"&gt;CISOs on alert: Strengthening cyber resilience amid geopolitical tensions in the Middle East&lt;/a&gt;. As regional uncertainty rises, security leaders across the Gulf focus on resilience, faster incident response and deeper threat intelligence to protect critical systems and data&lt;/li&gt; 
   &lt;li&gt;&lt;a target="_blank" href="https://www.techtarget.com/healthtechsecurity/news/366640347/CISA-urges-companies-to-bolster-Microsoft-Intune-systems-after-Stryker-cyberattack" rel="noopener"&gt;CISA urges companies to bolster Microsoft Intune systems after Stryker cyber attack&lt;/a&gt;. CISA is urging US organisations to strengthen the security of their endpoint management systems after cyberthreat actors infiltrated Stryker’s Microsoft environment.&lt;/li&gt; 
  &lt;/ul&gt;
 &lt;/div&gt;
&lt;/div&gt;</body>
            <description>Strategic investment and coordination reinforce the country’s ability to withstand complex cyber threats</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/cyber-security-attack-hack-breach-MaksymFilipchuk-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366640834/UAE-positions-cyber-security-as-pillar-of-national-resilience-and-digital-growth</link>
            <pubDate>Thu, 26 Mar 2026 06:24:00 GMT</pubDate>
            <title>UAE positions cyber security as pillar of national resilience and digital growth</title>
        </item>
        <item>
            <body>&lt;p&gt;The US government has formally launched a &lt;a href="https://www.state.gov/bureaus-offices/under-secretary-for-arms-control-and-international-security-affairs/bureau-of-emerging-threats/" target="_blank" rel="noopener"&gt;Bureau of Emerging Threats&lt;/a&gt; within the State Department to protect and mitigate against threats posed to America’s national security by cyber attacks, the weaponisation of space and emerging technologies such as artificial intelligence (AI).&lt;/p&gt; 
&lt;p&gt;Although its existence first became public knowledge &lt;a href="https://www.nextgov.com/policy/2025/04/state-department-moves-cyber-and-intelligence-bureaus-under-agencywide-reorg/404753/" target="_blank" rel="noopener"&gt;fewer than 12 months ago&lt;/a&gt;, the State Department has kept a tight lid on the precise nature of the bureau until this week, when senior officials broke their silence &lt;a href="https://abcnews.com/Politics/state-department-launches-effort-counter-cyberattacks-ai-risks/story?id=131265350" target="_blank" rel="noopener"&gt;in conversation with reporters from TV network ABC&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;“The bureau will address not only the current threats we face today in cyber space, outer space, critical infrastructure and through the misuse of disruptive technology like AI and quantum, but those we will face in the decades ahead,” State Department principal deputy spokesperson Tommy Pigott told ABC News.&lt;/p&gt; 
&lt;p&gt;Led by career diplomat Anny Vu, the Bureau of Emerging Threats ultimately reports to the under secretary for arms control and international security Thomas DiNanno, and will contain five distinct offices covering cyber security, critical national infrastructure (CNI), disruptive technology, space security and threat assessment.&lt;/p&gt; 
&lt;p&gt;Officials told ABC they would be heavily focused on the activities of the so-called Big Four nation-state threat actors – China, &lt;a href="https://www.computerweekly.com/news/366639722/Iranian-hacktivists-muster-their-forces-but-state-APTs-lay-low" target="_blank" rel="noopener"&gt;Iran&lt;/a&gt;, North Korea and Russia – as well as international terrorist organisations.&lt;/p&gt; 
&lt;p&gt;The network additionally reported that the State Department has not revealed any details pertaining to the bureau’s budget, staffing levels or how it will work alongside the multiple pre-existing US agencies that claim some degree of expertise on cyber security matters – &lt;a href="https://www.computerweekly.com/news/366640448/Cisa-tells-US-organisations-to-harden-endpoint-management-after-Stryker-attack" target="_blank" rel="noopener"&gt;such as the Cybersecurity and Infrastructure Security Agency&lt;/a&gt; (Cisa) and the National Security Agency (NSA).&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Engagement"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Engagement&lt;/h2&gt;
 &lt;p&gt;Absent further detail at this stage, for the time being security leaders should continue to try to work with their existing US government contacts, said &lt;a href="https://xcapeinc.com/" target="_blank" rel="noopener"&gt;Xcape Inc&lt;/a&gt; board member David Small.&lt;/p&gt;
 &lt;p&gt;“Security leaders should&amp;nbsp;prioritise maintaining relationships with Cisa, which remains the operational bridge between the State Department’s diplomatic goals and the private sector’s technical defence needs,” he said.&lt;/p&gt;
 &lt;p&gt;“Hiring a fleet of cyber security experts into the State Department is a bit like asking a career diplomat to debug a kernel panic; they’ll handle the negotiations beautifully, but the system is still going to crash.”&lt;/p&gt;
 &lt;p&gt;The appointment of three long-standing diplomatic experts as its leadership suggests the bureau’s output will initially lean towards sanctions and treaty-writing, as opposed to technical remediation, he said.&lt;/p&gt;
 &lt;p&gt;As the new organisation beds in, Small said the business impact for private sector security pros was a period of increased regulatory noise as it attempts to define international security norms that may not always align with current engineering realities.&lt;/p&gt;
 &lt;p&gt;“To prepare, defenders and policy leaders should look to engage with the Bureau’s Office of Disruptive Technology early, treating it as a primary channel for informing the government on the feasibility of proposed AI and space-asset regulations,” added Small.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://suzulabs.com/" target="_blank" rel="noopener"&gt;Suzu Labs&lt;/a&gt; senior director for secure AI solutions and cyber security Jacob Krell believes that the Bureau of Emerging Threats was named for threats that have long-since emerged.&lt;/p&gt;
 &lt;p&gt;“Cyber and space capabilities served as the opening instruments in the current campaign against Iran. AI-driven systems are compressing military decision cycles from days to minutes. These are the primary tools of state power being deployed right now by every adversary this bureau names. Standing up a bureau to address them through foreign policy is a recognition that the nature of conflict has fundamentally changed,” he said.&lt;/p&gt;
 &lt;p&gt;“That recognition is what makes the placement under the under secretary for arms control and international security significant. The United States is formally treating cyber, AI and space as part of the same strategic conversation as conventional and nuclear capabilities. That is the right instinct.”&lt;/p&gt;
 &lt;p&gt;But like Small, Krell said he saw challenges ahead, in that technologically driven conflict occurs much quicker than diplomats can handle. For the bureau to be effective, he said it would need to operate at a pace reflecting technological reality, not at the pace of the State Department.&lt;/p&gt;
 &lt;p&gt;“The mandate is sound and the recognition is overdue. What matters now is whether this bureau arrives with the resourcing and operational speed to match threats that have already moved well past the planning stage,” he said.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about US cyber policy&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;The US communications regulator has enacted a ban on all router hardware made outside America citing security concerns, but experts say the move may risk creating &lt;a href="https://www.computerweekly.com/news/366640628/US-government-bans-imported-routers-raising-tough-questions" target="_blank" rel="noopener"&gt;more issues than it solves&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;The US has unveiled a six-pillar national cyber security strategy, with developing technological areas such as post-quantum cryptography and artificial intelligence &lt;a href="https://www.computerweekly.com/news/366639879/Trump-looks-to-power-up-post-quantum-AI-security" target="_blank" rel="noopener"&gt;front and centre&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;The conduct of powerful nations is causing knock-on effects in the cyber world as long-standing security frameworks &lt;a href="https://www.computerweekly.com/news/366639044/Western-cyber-alliances-risk-fragmenting-in-new-world-order" target="_blank" rel="noopener"&gt;appear increasingly precarious&lt;/a&gt;.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>The US’ Bureau of Emerging Threats sits within the State Department and will supposedly help address national security threats arising from cyber attacks, the weaponisation of space and other emerging technologies</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/US-capitol-washington-congress-2-adobe.jpeg</image>
            <link>https://www.computerweekly.com/news/366640778/US-government-launches-Bureau-of-Emerging-Threats</link>
            <pubDate>Wed, 25 Mar 2026 17:02:00 GMT</pubDate>
            <title>US government launches Bureau of Emerging Threats</title>
        </item>
        <item>
            <body>&lt;p&gt;Google has announced plans to migrate to &lt;a href="https://www.computerweekly.com/opinion/Quantum-risk-to-quantum-readiness-A-PQC-roadmap" target="_blank" rel="noopener"&gt;post-quantum cryptography&lt;/a&gt; (PQC) by 2029, moving up its timeline given recent progress in the field and emerging threat vectors.&lt;/p&gt; 
&lt;p&gt;In February, the web giant called on the industry &lt;a href="https://thequantuminsider.com/2026/02/06/google-calls-on-governments-and-industry-to-prepare-now-for-quantum-era-cybersecurity/" target="_blank" rel="noopener"&gt;to act on quantum security&lt;/a&gt; before the dreaded ‘Q-Day’ on which a yet-to-be-built quantum computer will break current encryption standards permanently.&lt;/p&gt; 
&lt;p&gt;It said its new timeline reflected the pace of developments in areas such as quantum hardware development, error correction and factoring resource estimates.&lt;/p&gt; 
&lt;p&gt;“As a pioneer in both quantum and PQC, it’s our responsibility to lead by example and share an ambitious timeline. By doing this, we hope to provide the clarity and urgency needed to accelerate digital transitions not only for Google, but also across the industry,” said Google vice-president of security engineering, Heather Adkins.&lt;/p&gt; 
&lt;p&gt;It is by now common knowledge that quantum computing poses a threat to encryption and digital standards, a threat that is already relevant today given the spread of harvest now, decrypt later (HNDL) attacks. Digital signatures, said Google, are an emerging future threat, which means the transition to PQC must take place before a cryptographically relevant quantum computer (CRQC) exists.&lt;/p&gt;
&lt;p&gt;Hence, it is now adjusting its threat model to prioritise PQC migration for authentication services, which are an important component of online security and digital signature migrations.&lt;/p&gt; 
&lt;p&gt;The US National Institute of Standards and Technology’s (NIST) timeline for PQC migration states it plans to deprecate the use of &lt;a href="https://www.computerweekly.com/news/366625113/Noisy-quantum-hardware-could-crack-RSA-2048-in-seven-days" target="_blank" rel="noopener"&gt;RSA digital signature algorithms&lt;/a&gt; with 112 bits of security (2048-bit keys), alongside many other widely used algorithms, in 2030, and is proposing to disallow all legacy RSA algorithms by 2035.&lt;/p&gt;
&lt;p&gt;In the UK, the National Cyber Security Centre (NCSC) aims to have key sectors and organisations &lt;a href="https://www.computerweekly.com/news/366621031/NCSC-proposes-three-step-plan-to-move-to-quantum-safe-encryption" target="_blank" rel="noopener"&gt;transitioned to PQC&lt;/a&gt; in line with NIST’s final countdown.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="PQC already in reach"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;PQC already in reach&lt;/h2&gt;
 &lt;p&gt;The good news, said Google, is that advanced PQC technology is &lt;a href="https://security.googleblog.com/2026/03/" target="_blank" rel="noopener"&gt;already in reach for end-users&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;In parallel with its new timeline, it also announced that testing of PQC enhancements for its Android mobile operating system (OS) is beginning in the next &lt;a href="https://developer.android.com/about/versions/17" target="_blank" rel="noopener"&gt;Android 17 beta&lt;/a&gt;, with general availability slated for the stable production release – which is widely expected to take place in June 2026.&lt;/p&gt;
 &lt;p&gt;As part of this, Android is receiving a comprehensive architectural upgrade that puts the &lt;a href="https://www.nist.gov/pqc" target="_blank" rel="noopener"&gt;NIST-endorsed&lt;/a&gt; Module-Lattice-Based Digital Signature Algorithm (ML-DSA) PQC standard at the platform’s heart.&lt;/p&gt;
 &lt;p&gt;Two significant use cases within Android will be protecting the Android Verified Boot (AVB) library to ensure the software loaded during the device’s boot sequence can resist unauthorised modification, and transitioning Remote Attestation to a fully compliant architecture that enables devices to securely prove their state to relying parties.&lt;/p&gt;
 &lt;p&gt;Google also plans to introduce features to safeguard its ecosystem of third-party Android application developers, and their wares.&lt;/p&gt;
 &lt;p&gt;“We’re establishing a new, quantum-resistant chain of trust. This chain of trust secures the platform continuously – from the moment the OS powers on, to the execution of applications distributed globally,” wrote Android product manager Eric Lynch and Google Play group product manager Dom Elliot.&lt;/p&gt;
 &lt;p&gt;“Android is swapping today’s digital locks for advanced encryption to help enhance the security of every app you download – no matter how powerful future supercomputers get.”&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about quantum computing&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;We speak to Lucy Robson, a quantum algorithm scientist at Universal Quantum, about her work in helping to develop &lt;a href="https://www.computerweekly.com/podcast/Understanding-quantum-A-Computer-Weekly-Downtime-Upload-podcast" target="_blank" rel="noopener"&gt;simulations for drug discovery&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Japan and Singapore will work together to bridge the gap between quantum research and real-world commercialisation, marking Singapore’s first government-to-government pact &lt;a href="https://www.computerweekly.com/news/366637028/Singapore-and-Japan-team-up-on-quantum-computing" target="_blank" rel="noopener"&gt;dedicated to the technology&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Claims that quantum computing will destroy Bitcoin may be exaggerated, &lt;a href="https://www.computerweekly.com/opinion/Will-Quantum-Computing-Kill-Bitcoin" target="_blank" rel="noopener"&gt;but Bitcoin will need to adapt&lt;/a&gt;.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>Google sets out a timeline for its migration to post-quantum cryptography, saying it will complete its migration before the end of the 2020s</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/article/quantum-computing-adobe.jpg</image>
            <link>https://www.computerweekly.com/news/366640650/Google-targets-2029-for-post-quantum-cyber-readiness</link>
            <pubDate>Wed, 25 Mar 2026 14:22:00 GMT</pubDate>
            <title>Google targets 2029 for post-quantum cyber readiness</title>
        </item>
        <item>
            <body>&lt;p&gt;The consolidation wave in enterprise security is real, and the business case is compelling. A January 2025 report &lt;a href="https://www.paloaltonetworks.com/blog/2025/01/growing-need-cybersecurity-platformization/" target="_blank" rel="noopener"&gt;from IBM and Palo Alto Networks&lt;/a&gt; found that organisations manage an average of 83 security solutions from 29 vendors. The complexity is staggering – and attackers exploit the gaps between those tools. The push to rationalise is not just about budget; it's about coherence.&lt;/p&gt; 
&lt;p&gt;But the allure of a unified platform brings its own hazard. Not every vendor offering "end-to-end visibility" is delivering genuine integration. And even when they are, consolidation can silently introduce the very risk it promises to eliminate: a single point of catastrophic failure.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Spotting integration theatre"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Spotting integration theatre&lt;/h2&gt;
 &lt;p&gt;Integration theatre is the cyber security equivalent of a &lt;a href="https://www.britannica.com/topic/Potemkin-village" target="_blank" rel="noopener"&gt;Potemkin village&lt;/a&gt;: application programming interfaces (APIs) stitched together with no shared data model, dashboards that aggregate alerts without correlating them, and licensing bundles that market themselves as platforms while operating as loosely coupled point solutions.&lt;/p&gt;
 &lt;p&gt;The diagnostic questions I ask vendors are deliberately outcome-focused, not feature-focused. Does threat detection in one module automatically trigger a policy change in another, without human intervention? Does a compromise of an identity trigger endpoint quarantine in under a minute? Can you demonstrate bi-directional data flow between your extended detection and response (XDR), security information and event management (SIEM) and cloud security posture management in a live environment – not a sales demo? Genuine platforms reduce mean time to detect (MTTD) and mean time to respond (MTTR). Theatre does not.&lt;/p&gt;
 &lt;p&gt;A further tell: ask how the vendor handles failure of a single module. If the answer is that the platform degrades gracefully, probe it. If the whole stack collapses, it was never truly integrated – it was just co-located.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="The CrowdStrike warning shot"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The CrowdStrike warning shot&lt;/h2&gt;
 &lt;p&gt;On 19 July 2024, a faulty configuration update &lt;a href="https://www.computerweekly.com/opinion/One-year-on-from-the-CrowdStrike-outageWhat-have-we-learned"&gt;to CrowdStrike’s Falcon sensor&lt;/a&gt; brought down approximately 8.5 million Windows devices globally – airlines, hospitals, broadcasters, 911 call centres. Fortune 500 losses were estimated at $5.4bn (£4.03bn). &lt;a href="https://www.computerweekly.com/news/366601558/Microsoft-and-CrowdStrike-hit-back-at-Deltas-legal-threats"&gt;Delta Air Lines&lt;/a&gt; alone reported $500m in damages. This was not a cyber attack. It was a platform failure.&lt;/p&gt;
 &lt;p&gt;For organisations that had consolidated endpoint protection, identity threat detection and cloud security posture management into one vendor stack, the incident was not a localised disruption – it was organisational paralysis. The lesson, as one post-incident analysis framed it, is not to avoid consolidation. It is to understand what you are trading away: architectural redundancy and failure isolation in exchange for operational simplicity.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;The Computer Weekly Security Think Tank on platformisation&lt;/h3&gt; 
   &lt;ul style="list-style-type: square;" class="default-list"&gt; 
    &lt;li&gt;Stephen McDermid, Okta:&amp;nbsp;&lt;a href="https://www.computerweekly.com/opinion/Open-cyber-standards-key-to-cross-platform-integration" target="_blank" rel="noopener"&gt;Open cyber standards key to cross-platform integration&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Aditya K Sood, Aryaka:&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/opinion/Platformisation-without-illusion-Separating-integration-from-theatre"&gt;Platformisation without illusion: Separating integration from theatre&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Martin Riley, Bridewell Consulting:&amp;nbsp;&lt;a href="https://www.computerweekly.com/opinion/Strong-security-balances-consolidation-and-best-of-breed-capabilities" target="_blank" rel="noopener"&gt;Strong security balances consolidation and best-of-breed capabilities&lt;/a&gt;.&amp;nbsp;&lt;/li&gt; 
    &lt;li&gt;Vaibhav Dutta, Tata Communications:&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/opinion/How-CISOs-can-build-a-truly-unified-and-resilient-security-platform"&gt;How CISOs can build a truly unified and resilient security platform&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Joe Mayhew and Ahmed Tikail, PA Consulting:&amp;nbsp;&lt;a href="https://www.computerweekly.com/opinion/Beyond-integration-theatre-Building-stronger-cyber-platforms" target="_blank" rel="noopener"&gt;Beyond integration theatre: Building stronger cyber platforms&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Rik Ferguson, Forescout:&amp;nbsp;&lt;a rel="noopener" target="_blank" href="https://www.computerweekly.com/opinion/Cyber-platformisation-Dont-fall-into-the-integration-debt-trap"&gt;Cyber platformisation: Don't fall into the integration debt trap&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Haris Pylarinos, Hack the Box: &lt;a href="https://www.computerweekly.com/opinion/Cyber-platformisation-is-a-skills-issue-for-security-teams" target="_blank" rel="noopener"&gt;Cyber platformisation is a skills issue&lt;/a&gt;.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Governance and architectural safeguards"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Governance and architectural safeguards&lt;/h2&gt;
 &lt;p&gt;If you are consolidating, the governance framework must be commensurate with the concentration of risk. The Financial Conduct Authority’s (FCA’s) &lt;a href="https://www.fca.org.uk/firms/operational-resilience/crowdstrike-outage-lessons-operational-resilience" target="_blank" rel="noopener"&gt;post-CrowdStrike guidance&lt;/a&gt; is instructive here: by March 2025, firms in scope of operational resilience rules were required to demonstrate they could sustain important business services in severe but plausible failure scenarios. That is the right standard of thinking for any CISO evaluating platformisation.&lt;/p&gt;
 &lt;p&gt;My approach rests on three pillars. First, &lt;b&gt;layered redundancy&lt;/b&gt;: no single vendor should own more than two adjacent security domains without a contractual and technical fallback. Staged rollouts, canary deployments and automated rollback mechanisms are non-negotiable SLA requirements, not optional extras.&lt;/p&gt;
 &lt;p&gt;Second, &lt;b&gt;zero-trust architecture&lt;/b&gt;: platformisation does not exempt you from zero trust principles. Compartmentalise blast radius. Even within a unified platform, segment data flows so a compromise or failure in one domain cannot propagate laterally.&lt;/p&gt;
 &lt;p&gt;Third, &lt;b&gt;continuous third-party risk oversight&lt;/b&gt;: the &lt;a href="https://www.weforum.org/publications/global-cybersecurity-outlook-2025/" target="_blank" rel="noopener"&gt;WEF Global Cybersecurity Outlook 2025&lt;/a&gt; explicitly flags supply chain vulnerabilities as a systemic amplifier. Your platform vendor is a critical third party. Contractual rights to audit, independent pentesting, escrow arrangements and documented exit strategies are governance essentials, not aspirations.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="The board conversation"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The board conversation&lt;/h2&gt;
 &lt;p&gt;The WEF notes that boards are no longer asking whether they are secure – they are asking whether they are &lt;i&gt;resilient&lt;/i&gt;. Platformisation can absolutely support resilience. But only if the CISO insists on genuine integration over marketing, builds governance structures proportionate to the concentration risk created, and retains the architectural independence to survive vendor failure.&lt;/p&gt;
 &lt;p&gt;Consolidation is a strategy. Platform theatre is a liability. Know the difference before you sign.&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;John Bruce is CISO at &lt;a href="https://www.quorumcyber.com/" target="_blank" rel="noopener"&gt;Quorum Cyber&lt;/a&gt;, an Edinburgh-based managed security services provider and Microsoft partner.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>The Security Think Tank looks at platformisation, considering questions such as how CISOs can distinguish between a truly integrated platform and ‘integration theatre’, and how to protect unified platforms.</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Security-Think-Tank-hero.jpg</image>
            <link>https://www.computerweekly.com/opinion/Platformisation-or-platform-theatre-Navigating-cyber-consolidation</link>
            <pubDate>Wed, 25 Mar 2026 13:36:00 GMT</pubDate>
            <title>Platformisation or platform theatre? Navigating cyber consolidation</title>
        </item>
        <item>
            <body>&lt;p&gt;Emergency out-of-band fixes issued by enterprise IT giants Microsoft and Oracle have shone a spotlight on issues around both&amp;nbsp;&lt;a href="https://www.techtarget.com/searchenterprisedesktop/definition/patch-management" target="_blank" rel="noopener"&gt;update cycles and patching&lt;/a&gt;, and identity security and zero-trust.&lt;/p&gt; 
&lt;p&gt;Microsoft’s emergency update, &lt;a href="https://support.microsoft.com/en-us/topic/march-21-2026-kb5085516-os-builds-26200-8039-and-26100-8039-out-of-band-09e85404-1cb6-4ed4-9ca5-3e40d74307b9" target="_blank" rel="noopener"&gt;KB5085516&lt;/a&gt;, addresses an issue that arose after installing the mandatory cumulative updates pushed live on Patch Tuesday earlier this month.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3806" target="_blank" rel="noopener"&gt;According to Microsoft&lt;/a&gt;, it has since emerged that many users experienced problems signing into applications with a Microsoft account, seeing a “no internet” error message even though the device had a working connection. This had the effect of preventing access to multiple services and applications. It should be noted that organisations using Entra ID did not experience the issue.&lt;/p&gt; 
&lt;p&gt;But Microsoft’s emergency patch comes just days after it doubled down on a commitment to software quality, reliability and stability. In a blog post published &lt;a href="https://blogs.windows.com/windows-insider/2026/03/20/our-commitment-to-windows-quality/" target="_blank" rel="noopener"&gt;just 24 hours prior to the latest update&lt;/a&gt;, Pavan Davuluri of Microsoft’s Windows Insider Program Team said updates should be “predictable and easy to plan around”.&lt;/p&gt; 
&lt;p&gt;“Microsoft had [a] week,” said Michael Bell, founder and CEO of &lt;a href="https://suzulabs.com/home-suzu-labs" target="_blank" rel="noopener"&gt;Suzu Labs&lt;/a&gt;. “Their Windows exec published a blog promising improved reliability and quality on 20 March, and by 21 March, they were shipping an emergency out-of-band fix for a sign-in bug that their own March security update introduced.&lt;/p&gt; 
&lt;p&gt;“That’s on top of separate hotpatches for RRAS remote code execution flaws and a Bluetooth visibility bug. Three emergency fixes in eight days does not shout reliability era.”&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.oracle.com/security-alerts/alert-cve-2026-21992.html" target="_blank" rel="noopener"&gt;Oracle’s patch&lt;/a&gt;, meanwhile, addresses &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2026-21992" target="_blank" rel="noopener"&gt;CVE-2026-21992&lt;/a&gt;, a remote code execution&amp;nbsp;flaw in the REST:WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager in Oracle Fusion Middleware. It carries a CVSS score of 9.8 and can be exploited by an unauthenticated attacker with network access over HTTP.&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Read more about patch management&lt;/h3&gt; 
  &lt;ul class="default-list"&gt; 
   &lt;li&gt;These 12 tools approach patching from different perspectives. Understanding their various approaches can &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/12-best-patch-management-software-and-tools" target="_blank" rel="noopener"&gt;help you find the right product for your needs&lt;/a&gt;.&lt;/li&gt; 
   &lt;li&gt;Microsoft recently added WSUS to its deprecation list. Now that the battle-tested patch management tool's days are numbered, &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/The-Microsoft-patch-management-guide-for-admins" target="_blank" rel="noopener"&gt;what are the alternatives from the company?&lt;/a&gt;&lt;/li&gt; 
   &lt;li&gt;Timely patch management should be crucial in any organisation, but too often it goes by the wayside. Automating the process may offer a path forward &lt;a href="https://www.computerweekly.com/feature/Automated-patch-management-A-proactive-way-to-stay-ahead-of-threats" target="_blank" rel="noopener"&gt;for hard-pressed cyber defenders&lt;/a&gt;.&lt;/li&gt; 
  &lt;/ul&gt;
 &lt;/div&gt;
&lt;/div&gt; 
&lt;p&gt;There appear to be no reports of active exploitation at the time of writing, but previous high-profile flaws in Oracle have been swiftly attacked – last year, a similar RCE issue in E-Business Suite drew the attention of the prolific&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/366632397/Oracle-patches-E-Business-suite-targeted-by-Cl0p-ransomware" target="_blank" rel="noopener"&gt;Cl0p ransomware crew&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;Bell noted that &lt;a href="https://www.tenable.com/blog/cve-2026-21992-critical-out-of-band-oracle-identity-manager-and-oracle-web-services-manager" target="_blank" rel="noopener"&gt;another, possibly related&lt;/a&gt; pre-authentication RCE issue in Oracle Identity Manager – CVE-2025-61757 – was added to the Cybersecurity and Infrastructure Security Agency&amp;nbsp;Known Exploited Vulnerabilities list in short order given how trivial and easy-to-exploit it proved to be. He said the latest bug may well follow the same path.&lt;/p&gt; 
&lt;p&gt;“The reason this matters more than a typical 9.8 is the target,” said Bell. “Code execution on an identity management platform means the attacker can rewrite the access policies that control the rest of the enterprise, and that turns a single CVE into persistent access across an entire network.”&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="‘Crumbling trust’"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;‘Crumbling trust’&lt;/h2&gt;
 &lt;p&gt;Noelle Murata, a senior security engineer at &lt;a href="https://xcapeinc.com/" target="_blank" rel="noopener"&gt;Xcape&lt;/a&gt;, said the twin updates illustrated a “crumbling trust in traditional update cycles”.&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;“When Oracle Identity Manager, the literal brain of enterprise security, requires an unauthenticated RCE patch, it proves that the tools we use to build zero-trust are often our most dangerous single points of failure,” she said. “At the same time, Microsoft’s need to issue a security update just to stop gaslighting users with phantom connectivity errors highlights a widening quality gap.”&lt;/p&gt;
 &lt;p&gt;Murata lamented a cycle where security services come in the form of either pre-installed backdoors or productivity-killing glitches, and called on the industry to demand more than just faster and better patching if it is to truly protect users.&lt;/p&gt;
 &lt;p&gt;“We need an industry-wide pivot toward resilient-by-design architectures that don’t fail when a single HTTP request reaches the identity layer,” she said. “If zero-trust means we can’t trust the identity manager to stay secure or the operating system to let us log in, then congratulations; the industry has finally achieved its goal.”&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Emergency out-of-band patches from Microsoft and Oracle signal underlying security issues around update cycles and patching, and identity security and zero-trust, says the community</description>
            <image>https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/security-threat-cyber-attack-1-adobe.jpeg</image>
            <link>https://www.computerweekly.com/news/366640648/Emergency-Microsoft-Oracle-patches-point-to-wider-cyber-issues</link>
            <pubDate>Wed, 25 Mar 2026 11:30:00 GMT</pubDate>
            <title>Emergency Microsoft, Oracle patches point to wider cyber issues</title>
        </item>
        <item>
            <body>&lt;p&gt;Cyber security professionals must embrace a narrow window of opportunity to develop safeguards around artificial intelligence (AI)-enhanced software generation – popularly known as &lt;a href="https://www.techtarget.com/searchsecurity/tip/Vibe-coding-security-risks-and-how-to-mitigate-them" target="_blank" rel="noopener"&gt;vibe coding&lt;/a&gt; – or risk losing control of the narrative and exposing organisations to cyber attacks and other disruptions, &lt;a href="https://www.ncsc.gov.uk/" target="_blank" rel="noopener"&gt;National Cyber Security Centre&lt;/a&gt; (NCSC) chief executive Richard Horne has said.&lt;/p&gt; 
&lt;p&gt;In a keynote speech delivered at the annual &lt;a href="https://www.rsaconference.com/" target="_blank" rel="noopener"&gt;RSAC Conference&lt;/a&gt; in San Francisco on 24 March, Horne called on the security community to work together to develop safeguards around vibe coding, highlighting how modern-day society faces ongoing and fundamental issues with technology thanks to exploitable vulnerabilities.&lt;/p&gt; 
&lt;p&gt;However, Horne also argued that while it was true insecure software produced without human eyes on the code could propagate vulnerabilities far and wide, well-trained AI tooling could yet create &lt;a href="https://www.techtarget.com/whatis/definition/security-by-design" target="_blank" rel="noopener"&gt;secure-by-design&lt;/a&gt; software&amp;nbsp;which would be transformative for cyber security outcomes throughout its lifecycle.&lt;/p&gt; 
&lt;p&gt;“The attractions of vibe coding are clear. Disrupting the status quo of manually produced software that is consistently vulnerable is a huge opportunity, but not without risk of its own,” he said. “The AI tools we use to develop code must be designed and trained from the outset so that they do not introduce or propagate unintended vulnerabilities.”&lt;/p&gt; 
&lt;p&gt;Horne said cyber pros also have a responsibility to ensure that the future in which vibe-coding and other AI code-generation tools are widely adopted proves to be a “net positive”.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="New paradigm"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;New paradigm&lt;/h2&gt;
 &lt;p&gt;&lt;a href="http://www.ncsc.gov.uk/blogs/vibe-check-ai-may-replace-saas-but-not-for-a-while"&gt;In a thought leadership blog&lt;/a&gt; published alongside Horne’s speech on 24 March, senior NCSC technical leadership argued that while vibe coding poses an “intolerable risk” for many organisations as things stand, the trend offers “glimpses of a new paradigm”.&lt;/p&gt;
 &lt;p&gt;Indeed, wrote the agency’s architecture CTO, AI-backed coding could ultimately prove to be as much a technological revolution as &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Software-as-a-Service" target="_blank" rel="noopener"&gt;software as a service&lt;/a&gt; (SaaS) – pioneered at the turn of the century by the likes of Salesforce – proved to be.&lt;/p&gt;
 &lt;p&gt;While careful not to state that organisations will suddenly use AI to whip up a replacement for their CRM tools or other platforms, the NCSC said there are now clear indications that the cost versus effort curve for “bespoke enough” software is shifting and, as such, more organisations will soon begin to make &lt;a href="https://www.techtarget.com/searchitoperations/news/366639662/SaaSpocalypse-Maybe-not-but-SaaS-applications-are-changing" target="_blank" rel="noopener"&gt;different choices when it comes to software&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Given the many security concerns around SaaS – such as appropriate authentication and access controls, misconfigurations and third-party risks – which have never really been fully addressed to the satisfaction of all, this raises the question of what technology, guardrails, platforms and assurances the security community needs to have in place to ensure that the vibe-coded future is safer than the status quo.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Things to consider"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Things to consider&lt;/h2&gt;
 &lt;p&gt;Some of the safeguards that security leaders need to advocate for are obvious, said the NCSC. For example, AI models must be schooled in security-by-design methods, humans need to have confidence in the provenance of the model and trust that it hasn’t been badly developed, and thought needs to be given to how AI can be used to review both human- and AI-generated code.&lt;/p&gt;
 &lt;p&gt;But there are also more nuanced questions, such as how to use deterministic architectures to limit what code can do should it prove malicious, compromised or unsafe, what platforms need to be designed to host AI-generated services that implement the needed controls to protect data and users, and how AI might be used to ensure the security hygiene of software through practices such as documentation, test cases, fuzzing or updating threat models.&lt;/p&gt;
 &lt;p&gt;The NCSC noted the possibility of a future where AI code is more restricted and locked down than even the most secure on-premises or SaaS products ever were. Ironically, it concluded, this may at last address the unsolved security issues that still dog SaaS and that have prevented the last, most cyber-conscious hold-outs from going all in on the cloud.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Read more about vibe coding&lt;/h3&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;AI-driven coding is adding maintenance debt to OSS projects, adding a new dimension of risk to software supply chains. &lt;a href="https://www.techtarget.com/searchapparchitecture/tip/Vibe-coding-is-killing-open-source-increasing-software-risk" target="_blank" rel="noopener"&gt;Learn how the OSS ecosystem and the orgs that rely on it should adapt&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Vibe coding shifts programming from line-by-line tasks to natural language collaboration with AI. &lt;a href="https://www.techtarget.com/searchcio/feature/Vibe-coding-What-IT-leaders-need-to-know" target="_blank" rel="noopener"&gt;This new approach accelerates delivery but raises new risks&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;Is vibe coding a bad idea for enterprises? AI can produce results faster than manual coding, but its benefits eventually unravel due to hidden costs and complexities. &lt;a href="https://www.theserverside.com/tip/The-case-against-vibe-coding" target="_blank" rel="noopener"&gt;Here's why&lt;/a&gt;.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;</body>
            <description>At RSA in San Francisco, NCSC chief exec Richard Horne says security professionals have an opportunity and a responsibility to get in front of the security issues raised by the popularity of ‘vibe coding’</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/software-code-developer-adobe.jpeg</image>
            <link>https://www.computerweekly.com/news/366640680/Cyber-pros-must-grasp-the-vibe-coding-nettle-says-NCSC-chief</link>
            <pubDate>Tue, 24 Mar 2026 17:01:00 GMT</pubDate>
            <title>Cyber pros must grasp the vibe coding nettle, says NCSC chief</title>
        </item>
        <title>ComputerWeekly.com</title>
        <ttl>60</ttl>
        <webMaster>editor@computerweekly.com</webMaster>
    </channel>
</rss>
