Cyber_Bytes - Issue 80
Welcome to Issue 80 of Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
RPC Cyber app: Breach counsel at your fingertips
As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPC Cyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.
RPC Cyber_ can be downloaded for free from the Apple Store or Google Play Store.
AI reshaping cyber risk – and widening the defence gap
Recent UK government messaging has underlined a clear reality for boardrooms: artificial intelligence is no longer an emerging issue at the margins of cyber security. It is actively shifting the threat landscape.
Officials warn that AI is lowering the barrier to entry for threat actors. Generative tools are helping criminals spin up convincing, grammatically flawless phishing emails and social engineering lures at scale, often tailored using publicly available data. At the same time, automated tooling is being used to accelerate reconnaissance and vulnerability discovery, shortening the time from initial probing to compromise.
On the defensive side, AI‑enabled tools are starting to play a more prominent role in security operations. These tools can analyse large volumes of telemetry, surface anomalies, and help teams prioritise alerts and respond more quickly. They are also being woven into identity and access controls, fraud detection and insider risk monitoring.
However, adoption remains uneven and, in many organisations, legacy controls and processes still sit at the heart of the security stack. Even where AI‑driven capabilities are deployed, they are often under‑tuned, poorly governed or constrained by a shortage of skills to manage and interpret them.
For many ordinary businesses, the impact of AI is not on the type of attack vector, but rather on the volume and pace of potential attacks using common, existing vectors. The message for now is to invest in making sure that the well-trodden cyber-security basics are in place, because predictable vulnerabilities are more likely than ever to be exploited.
For the UK government’s open letter to business leaders on AI‑enabled cyber threats, see here.
See also RPC's article on the impact of AI on cyber incidents for everyday businesses here.
NCSC warns of heightened cyber risk amid Middle East tensions
The UK’s National Cyber Security Centre (NCSC) has issued updated advice urging organisations to strengthen their cyber resilience in light of escalating tensions in the Middle East. The advisory reflects a now familiar pattern: geopolitical flashpoints often coincide with increased cyber activity across multiple regions and sectors.
The NCSC notes the heightened risk from state‑aligned actors and hacktivist groups, including those motivated by ideological or political objectives rather than direct financial gain. Likely tactics include phishing and credential theft, distributed denial‑of‑service (DDoS) attacks, and the exploitation of known vulnerabilities in internet‑facing systems.
Importantly, the risk is not confined to organisations with obvious connections to the region. Supply chains, shared service providers and managed IT arrangements can create indirect exposure, whilst opportunistic actors may simply use the news cycle as a hook for broader campaigns.
Against this backdrop, the NCSC’s guidance focuses on practical, near‑term measures to improve resilience. The NCSC encourages organisations to take a more disciplined approach to resilience by hardening critical systems through timely patching while reinforcing access controls with multi-factor authentication. The guidance also emphasises the importance of communications planning (both internal and external) as part of an effective response.
The NCSC’s latest advice on cyber risk linked to conflict in the Middle East is available here.
ICO and Ofcom signal closer alignment on online safety and privacy
The ICO and Ofcom have issued a joint statement confirming their intention to work more closely together on the regulation of online services. The announcement reinforces a message that has been building for some time: online safety and data protection are converging, and regulators expect organisations to treat them as interlinked rather than separate compliance regimes.
The statement highlights particular areas of overlap, including age assurance and age verification tools, the design of platforms and recommender systems, and measures aimed at protecting children and other vulnerable users. Many of these safety features depend on intensive processing of personal data, sometimes involving profiling or inference of sensitive attributes.
Both regulators stress that safety interventions must still comply with data protection principles. That means ensuring, for example, that age assurance mechanisms are proportionate, that safety‑related monitoring or profiling is clearly explained and justified, and that data minimisation is embedded into technical design.
For platforms, app providers and other digital services, the trajectory is clear. Regulators are moving toward a more integrated model that frames expectations around joined-up risk management across safety, privacy and security, rather than treating them as separate compliance tracks. The Online Safety Act reflects this shift.
In practical terms, the statement calls for closer coordination across in-house teams. Privacy, safety and security functions need to align. This approach helps ensure that steps taken to improve safety do not introduce unintended privacy risks or create friction with other regulatory requirements.
Further detail is available in the full ICO–Ofcom statement here.
EU Cyber Resilience Act: draft guidance provides practical steer
The European Commission has launched a consultation on draft guidance intended to support implementation of the Cyber Resilience Act (CRA). For manufacturers and suppliers of “products with digital elements”, the guidance offers a first meaningful indication of how the regime is expected to operate day‑to‑day.
The CRA sets baseline cyber security requirements for a broad range of connected devices and software. The draft guidance focuses on key operational questions: which products fall in scope, how they should be classified, and what security obligations apply throughout the product lifecycle.
The framework puts particular emphasis on how vulnerabilities are handled over the product lifecycle, including timely software updates and clear incident reporting. It also clarifies how responsibility is allocated between manufacturers, importers and other economic operators across the supply chain.
For organisations placing products on the EU market, this is an opportunity to map the proposed expectations against existing security development and product security practices. It will also be important to consider how CRA compliance can be evidenced, for example, through technical documentation, testing artefacts and governance records.
The consultation phase gives industry a window to shape how the regime will be applied in practice. Organisations in scope should use this opportunity to test assumptions, identify gaps and ensure their approach to product security and lifecycle management will stand up to scrutiny.
The draft guidance can be read in full here.