$ grep -l "tag:governance" writing/
tag: governance.
28 pieces tagged governance, newest first. The full taxonomy is on the tag index.
2026·05·23 · 4 min
The nine-second problem
An AI agent took nine seconds to delete a production database and its backups. The agent did what it was authorised to do. That is the finding.
ai · governance · ned
2026·05·23 · 6 min
The week in cyber — 18 to 22 May 2026
A self-spreading npm worm, a government letter that boards should read, and the second-quietest Patch Tuesday in two years. What the past working week looked like through a UK board lens.
weekly · governance · ned · board
2026·05·22 · 6 min
The regulator pivot
Four documents in May, from four different parts of the UK regulatory apparatus, tell one story. ICO five-step guide. BoE/FCA/HMT joint statement. Cabinet Office letter. South Staffordshire Water fine. The polite phase is over.
regulation · ico · governance · ai
2026·05·16 · 6 min
The week in cyber — 11 to 15 May 2026
A self-spreading npm worm hit TanStack, Patch Tuesday had its quietest month in two years, the Cyber Security and Resilience Bill moved to Report Stage, and the ICO issued a five-step plan boards should actually read.
weekly · governance · ned · board
2026·05·14 · 7 min
Things I wish boards would actually ask
Twelve questions that would tell you more than any maturity score. None of them mention zero-trust.
governance · ned · board
2026·05·11 · 7 min
April 2026, in retrospect
The worst single month for cyber attacks on record. 105 publicly disclosed ransomware incidents globally. The UK third by volume. Looking back at it with a week's distance, three patterns matter more than the count.
retrospective · ransomware · attribution · governance
2026·05·09 · 5 min
The week in cyber — 4 to 8 May 2026
The ICO fined South Staffordshire Water nearly £1m, the DSIT cyber newsletter quietly confirmed the regulatory direction of travel, and the Canvas extortion played out on a public timeline.
weekly · governance · ned · board
2026·05·04 · 9 min
The £320 myth: what Cyber Essentials actually costs
Cyber Essentials is marketed from £320. For an unprepared 10-person UK business under the new v3.3 Danzell question set, the true first-year cost is £13,000 to £30,000 over 10 to 14 weeks. Here is the breakdown.
cyber essentials · small business · ned · board · governance
2026·05·02 · 5 min
The week in cyber — 27 April to 1 May 2026
A learning platform serving thirty million people was breached, cPanel disclosed a zero-day that had been live in the wild for months, and April closed as the worst month for ransomware on record.
weekly · governance · ned · board
2026·04·25 · 6 min
The week in cyber — 20 to 24 April 2026
NCSC and CISA named the Beijing-based outfit running covert botnets, the UK cyber chief told businesses to brace, and a sitting MP's website was hit with 142 million requests. A busy week.
weekly · governance · ned · board
2026·04·18 · 6 min
What it changed about my other machines
Last in the six-post series on the Covert Cyber Deck. The deck as catalyst, not destination — what designing and living with it changed about how I look at my work laptop, my home network, the firm's estate, and the boards I advise.
cyberdeck · reflection · governance · sovereignty
2026·04·04 · 7 min
Healthcare's reckoning
Three months of attacks have produced a clarifying set of numbers. £32.7m at Synnovis. 150,000 households warned at NHS Dumfries and Galloway. At least one patient death attributed. Healthcare is where concentration risk meets the lowest acceptable downtime threshold.
healthcare · ransomware · governance · cni
2026·02·14 · 8 min
The Cyber Security and Resilience Bill, a board read
What the Bill actually does, what it changes for boards in and out of scope, and what the executive should be preparing to evidence over the next twelve months.
regulation · governance · ned · board
2026·01·17 · 8 min
SolarWinds at five
Five years on from the disclosure of the SolarWinds Orion compromise, what actually changed in how UK boards think about third-party software risk — and what did not. A practitioner's retrospective on the case study that defined the decade.
supply chain · governance · ned · retrospective
2026·01·10 · 6 min
The supplier underneath the supplier
Three disclosures last month tell the same story from three angles: NHS England's tech provider, an NHS GP software supplier, and the Foreign Office. None of them is the headline brand. All of them are where the actual attack surface lives.
supply-chain · third-party · governance · cni
2025·12·29 · 8 min
The year 2025 was actually about
An end-of-year reflection on what 2025 turned out to be, what the noise mostly was, and what the genuinely consequential shifts were for UK cyber security at board level.
annual review · governance · ned · board
2025·09·27 · 6 min
The line the ICO is now drawing
Capita £14m. Advanced Computer Software £3.07m. Neither fine was for the breach. Both were for the controls that preceded it. The ICO has redrawn what "adequate security" means in evidence — and most boards have not noticed.
ico · enforcement · governance · regulatory
2025·09·15 · 7 min
What pen testing now actually buys you
AI-assisted offensive tooling, cloud-native estates, supply-chain shaped scope — what pen testing in 2025 actually looks like, and what boards are still mis-reading in the deliverable.
pen testing · craft · governance · ned
2025·08·09 · 5 min
From prepositioning to action
Iran has shifted its UK-facing cyber activity from quiet infrastructure presence to operational disruption. The NCSC's August advisory on Salt Typhoon names three Chinese firms. The trajectory of 2025 is no longer ambiguous.
state-aligned · attribution · governance · cni
2025·07·08 · 6 min
The thing an accreditation cannot do
I have sat on the CREST European Council since 2022. This is what the work has taught me about what accreditation can and cannot do, and why I think the next chapter is harder than the last.
crest · governance · craft · standards
2025·06·14 · 6 min
What the retail wave actually cost
M&S resumed online orders this week after 46 days offline. Co-op is counting £206m. Harrods got off relatively lightly. Three compromises, one actor, one Easter weekend — and a lesson UK retail boards are still digesting.
retail · ransomware · scattered-spider · governance
2024·08·20 · 7 min
CrowdStrike: cyber resilience without a bad actor
Four weeks after the CrowdStrike Falcon update that took 8.5 million Windows machines offline, the post-mortem is in. The interesting question is not what CrowdStrike did wrong. It is what the rest of us did wrong by assuming this kind of event could not happen.
resilience · supply chain · ned · governance
2023·11·30 · 7 min
The CISO in the dock
The SEC's charges against Tim Brown over the SolarWinds disclosures, alongside Joe Sullivan's conviction over Uber a year ago, signal a regime change in personal accountability for security leaders. What it means for UK CISOs and the boards that employ them.
ciso · governance · regulation · ned
2023·11·14 · 6 min
23andMe, and the data with the longest half-life
Last month 23andMe disclosed that attackers used credential stuffing against accounts opted in to relative-matching to scrape data on roughly 6.9 million people. The board lesson is about which data has the longest half-life — and it is not what most firms think.
privacy · breach · governance · ned
2022·04·26 · 8 min
What the teenagers taught the Fortune 500
LAPSUS$ compromised Microsoft, Okta, Nvidia, Samsung, Vodafone, and several others in a few months. They were teenagers using social engineering and MFA fatigue. The lesson, awkwardly, is that the dominant compromise vector in 2022 is social, not technical.
incident · social engineering · mfa · governance
2022·01·12 · 7 min
Log4Shell, and the inventory question we cannot keep ducking
A month on from CVE-2021-44228, the headline-grabbing exploits have slowed but the underlying problem has not. The discomfort of the past month was not really about Log4j. It was about how few firms could answer the question 'where is it running?'
vulnerability · supply chain · governance · craft
2021·08·17 · 7 min
Pegasus, and the question for UK boards we have been pretending not to face
The Pegasus Project disclosures last month confirmed what specialists have privately known for years: commercial spyware is a mature, well-funded industry, and its customer list includes governments most UK firms do business with. The board question is what to do about it.
spyware · privacy · ned · governance
2021·06·10 · 7 min
Colonial Pipeline: the CNI lesson the UK should not need to learn the hard way
Five weeks after the DarkSide ransomware attack on Colonial Pipeline shut down 45% of US East Coast fuel supply, what UK critical national infrastructure boards should be doing about it.
cni · ransomware · governance · ned