UK Reports Warn of Persistent Basic Cybersecurity Gaps and Rising Social-Engineering Risk
UK reporting highlighted persistent weaknesses in baseline cyber hygiene and a growing expectation that phishing and social engineering will succeed against many organizations. A Vodafone Business-commissioned snapshot cited by Tech Radar/SC Media reported that 63% of UK businesses feel more exposed to cyberattacks than a year ago, 71% of leaders think employees are vulnerable to phishing, and staff reuse work passwords across an average of 11 personal accounts; only 45% of organizations said all staff had completed basic cyber awareness training. The same coverage noted increasing concern about AI-enabled scams and deepfakes, with 70% reporting greater suspicion of video calls impersonating senior leaders, and pointed to the UK government’s planned Telecommunications Fraud Charter as part of broader anti-fraud efforts.
Separately, the Bank of England’s 2025 CBEST review (summarized by The Register) found that regulated financial firms and financial market infrastructures (FMIs) still commonly fail on fundamentals. Across 13 CBEST assessments and regulator-backed penetration tests, testers observed weak access controls, poor password practices, misconfigured and inconsistently patched systems, and gaps in intrusion detection and vulnerability management. The report emphasized that firms should be prepared to handle breaches rather than relying only on preventive controls, and that a weak security culture lets attackers bypass technical controls via social engineering. It also warned that inadequate helpdesk identity-verification processes can enable fraudulent credential access (for example, a password reset issued to an impersonator), with the NCSC noting that this tradecraft aligns with groups such as Scattered Spider.
Related Stories

Email-Borne Social Engineering and Credential Theft Risk
Recent coverage emphasized that **phishing and social engineering via email** remain a primary initial access vector, with attackers increasingly blending into routine workflows (emails, meeting invites, and trusted SaaS notifications). TechTarget highlighted that user judgment is often the last control when filters fail, citing the *Microsoft Digital Defense Report 2025* claim that **28% of breaches** trace back to phishing/social engineering, and noting reports of spam relayed through **legitimate Zendesk instances**, so that messages carry a recognizable brand’s domain, pass filtering, and drive credential theft or follow-on access. Separate reporting and guidance reinforced how attackers operationalize these patterns: The Hacker News described **Operation Nomad Leopard**, a spear-phishing campaign targeting Afghan government entities that used government-themed decoys and a **GitHub-hosted ISO** containing a **LNK** file which, when opened, executes the **FALSECUB** backdoor, a tool capable of remote command execution. Other items in this coverage were largely general best-practice or “common threats” explainers (password hygiene, generic threat overviews) rather than incident-specific intelligence, but they align with the same overarching risk theme: weak or reused passwords and routine email behaviors continue to enable account takeover and downstream compromise.
1 month ago
Reports Highlight Shift Toward Identity-First Attacks and Phishing-Driven Intrusions
Recent reporting and vendor research indicate threat actors are increasingly prioritizing **identity-based intrusion paths**—notably phishing, credential theft, and **Business Email Compromise (BEC)**—over traditional vulnerability exploitation as the most common initial access vector. A Darktrace report cited by SC Media describes identity breaches as the leading entry point, alongside broader trends including accelerated breach tempo, increased automation, and “converging” tactics; it also notes exploitation can occur **before public disclosure** and that overall **CVE volume rose by 20%+ year-over-year**. Email remains a dominant delivery mechanism in these identity-first campaigns. Darktrace telemetry referenced by SC Media reported **32M+ high-confidence phishing emails** across its customer base, with many messages bypassing baseline controls (including **70% passing DMARC**), targeting executives, using **malicious QR codes**, and leveraging newly registered domains. Separately, a SOCRadar analysis frames the U.S. financial sector as a disproportionate target for phishing and dark-web activity, emphasizing AI-enabled crime, persistent BEC, and third-party/supply-chain risk, and citing metrics such as **~48% of global financial phishing activity** and **~23.5% of finance-related dark web threat activity** attributed to the U.S. market.
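The "70% passing DMARC" figure above is the practical caveat: DMARC only proves that the message came from whoever controls the From domain, and an attacker who registers a lookalike domain controls its SPF, DKIM and DMARC records, so the mail authenticates cleanly. The triage logic below is an added example (not code from the cited reports or any vendor) that scores a message on the DMARC result together with two of the signals the reporting calls out, domain age and similarity to the protected domain. The protected domain, the registration dates (which a real deployment would pull from RDAP/WHOIS) and the Authentication-Results headers are all constructed sample data.

```python
"""Added example: why a DMARC pass is not a safe-sender signal.

PROTECTED_DOMAIN, DOMAIN_REGISTERED, TODAY and SAMPLES are constructed
assumptions for the demonstration, not data from the article.
"""
import re
from datetime import date
from typing import Optional, Tuple

PROTECTED_DOMAIN = "example-bank.com"  # assumption: the defended organisation

# Constructed registration dates; a real deployment fetches these via RDAP/WHOIS.
DOMAIN_REGISTERED = {
    "example-bank.com": date(2009, 4, 1),
    "examp1e-bank.com": date(2025, 11, 20),  # lookalike, freshly registered
    "partner-corp.net": date(2014, 6, 12),
}
TODAY = date(2025, 12, 1)  # fixed so the example is deterministic

# Pull the DMARC verdict and the aligned From domain out of Authentication-Results.
AUTH_RESULTS_RE = re.compile(r"dmarc=(pass|fail|none)[^;]*header\.from=([\w.-]+)", re.I)


def parse_auth_results(header: str) -> Tuple[str, Optional[str]]:
    """Return (dmarc_result, from_domain); ("none", None) if the header lacks DMARC data."""
    m = AUTH_RESULTS_RE.search(header)
    if not m:
        return ("none", None)
    return (m.group(1).lower(), m.group(2).lower())


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the O(len*len) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_age_days(domain: str) -> Optional[int]:
    reg = DOMAIN_REGISTERED.get(domain)
    return (TODAY - reg).days if reg else None


def score_message(auth_results: str) -> dict:
    """Triage verdict for one message. A DMARC pass on its own never clears it."""
    dmarc, dom = parse_auth_results(auth_results)
    score, reasons = 0, []
    if dmarc == "fail":
        score += 6
        reasons.append("dmarc=fail")
    elif dmarc != "pass":
        score += 3
        reasons.append(f"dmarc={dmarc}")
    if dom is None:
        score += 3
        reasons.append("no header.from domain")
    else:
        age = domain_age_days(dom)
        if age is None:
            score += 2
            reasons.append("domain age unknown")
        elif age < 90:  # newly registered sender domain
            score += 4
            reasons.append(f"domain registered {age} days ago")
        dist = levenshtein(dom, PROTECTED_DOMAIN)
        if 0 < dist <= 2:  # not our domain, but visually close to it
            score += 4
            reasons.append(f"lookalike of {PROTECTED_DOMAIN} (distance {dist})")
    verdict = "block" if score >= 6 else "review" if score >= 3 else "deliver"
    return {"dmarc": dmarc, "domain": dom, "score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample Authentication-Results headers.
SAMPLES = {
    "legit": "Authentication-Results: mx.example-bank.com; spf=pass smtp.mailfrom=example-bank.com; "
             "dkim=pass header.d=example-bank.com; dmarc=pass (p=reject) header.from=example-bank.com",
    "lookalike_pass": "Authentication-Results: mx.example-bank.com; spf=pass smtp.mailfrom=examp1e-bank.com; "
                      "dkim=pass header.d=examp1e-bank.com; dmarc=pass (p=none) header.from=examp1e-bank.com",
    "spoof_fail": "Authentication-Results: mx.example-bank.com; spf=fail smtp.mailfrom=example-bank.com; "
                  "dkim=none; dmarc=fail (p=reject) header.from=example-bank.com",
    "partner": "Authentication-Results: mx.example-bank.com; spf=pass smtp.mailfrom=partner-corp.net; "
               "dkim=pass header.d=partner-corp.net; dmarc=pass (p=quarantine) header.from=partner-corp.net",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, score_message(hdr))
```

The lookalike message authenticates with `dmarc=pass` exactly as the report describes, yet it is the one that ends up blocked, because the attacker-owned domain is eleven days old and one edit away from the protected domain; the genuine domain and the long-standing partner domain are delivered, and the forged-From spoof fails DMARC outright. Thresholds and weights are illustrative, and in production the domain-age lookup should be cached and rate-limited so the triage path itself does not become a bottleneck.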
2 weeks ago

Persistent Failures in Cybersecurity Awareness Training and Human-Centric Defenses
Despite years of investment in cybersecurity awareness campaigns and training, organizations continue to struggle with fundamental security issues such as poor password hygiene and susceptibility to phishing attacks. A recent discussion among cybersecurity journalists highlighted that nearly 30% of companies still rely on outdated password policies, while only a small fraction have adopted more secure passphrase approaches recommended by experts. The persistence of these problems underscores the limited effectiveness of current training programs, even as organizations face increasingly sophisticated threats targeting human vulnerabilities. The ongoing challenges are exacerbated by the shift to hybrid workforces, which has rendered traditional perimeter-based security models obsolete and increased the attack surface for social engineering and credential-based attacks. Security experts emphasize the need for organizations to move beyond checkbox training and adopt more robust identity and behavioral detection strategies, as threat actors like Scattered Spider exploit weaknesses in identity systems and cloud environments. The failure to address these human-centric risks leaves organizations exposed to both basic and advanced cyber threats, highlighting the urgent need for a strategic overhaul of security awareness and identity protection measures.
3 months ago