Locking up the security keys to the castle

Security was once seen as a “problem” for the IT team to solve.

However, having seen the operational and reputational devastation that it can bring organisations, it finally has the attention of the board.

Late last year, Gartner identified security posture and cyber resilience as top CISO priorities. It’s not hard to see why: cyber crime is booming. Thanks in no small part to the rise of AI agents, criminals are automating and scaling vulnerability scans in higher numbers than ever before. The National Cyber Security Centre’s (NCSC) annual review also identified a 130% spike in "Nationally Significant" cyber incidents, with “Highly Significant” increasing by 50%.

And in the wake of what we are seeing take place in the Middle East, the NCSC is further urging organisations to undertake urgent reviews of their security posture.

The reason? While there has been no real change in terms of threat emerging from the region, as the conflict is fast moving, there is concern surrounding how quickly this could change and organisations must be prepared.

Beyond ransomware

2025 will be remembered in the IT security world as one where major high-profile brands were brought to their knees having undergone debilitating ransomware attacks. M&S, Co-Op, Jaguar LandRover all suffered despite many believing all should have had robust security policies in place.

But just as the technology world can evolve at pace, so too do the approaches and targets by cyber criminals. This year, it is likely they will care less about the value of organisational data (and putting a ransom in place for its safe return) and more about instilling widespread panic by shutting down aspects of Critical National Infrastructure (CNI). This would potentially result in power, water, and the internet all becoming unavailable - not something that would just be debilitating to the companies supplying these utilities, but also those who rely on them to live and work.

Such concerns have been echoed by RenewableUK, which has recently urged the government to treat energy security as a part of the UK’s national security efforts.

Gaining access to such systems has never been easier, however.

The identity fallacy

Despite what many others have preached before, when it comes to identity-based security models such as Multi Factor Authentication (MFA), Single Sign On (SSO), Zero Trust Network Access (ZTNA) and Identity and Access Management (IAM), these have all been built on a single premise: verify a user’s identity and grant access – in effect, checking the peephole and letting someone in through the front door.

In giving all the power to identity, which is so easy to fool, it has become a prime target for those leading cyber crime efforts.

Equally, having previously stolen the relevant identity credentials (something which may have occurred some time ago while waiting for the right opportunity), trust itself becomes weaponised.

Changing our approach to trust

With trust a central pillar of doing business, no one can, or should, risk losing it. And when it comes to organisations maintaining this trust from a cyber perspective, mitigating this risk needn’t come at considerable time or expense.

Instead, it is vital that organisations consider increasing their security layers – and not just hope that more security tools will provide a buffer against unauthorised entry into a system - and trust no one.

Having seen first-hand such an approach work already for a major UK-based CNI in thwarting a nation state attack, it is now of national importance that others see how building a multi-layered defence from the inside out, rather than the outside in, will remove the potential threat of cyber warfare, which is knocking on the door.

While the digitisation of war and international conflict is nothing new, organisations must take a closer look at who they work with and what access levels they have which could commercially impact their operations. Those who pivot their approach, trusting no one who comes near their systems, could be the ones who don’t become a victim of cyber crime this year.