Cyber_Bytes - Issue 82
Welcome to Issue 82 of Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
NCSC calls for action to strengthen resilience during severe cyber threat
The National Cyber Security Centre (NCSC) has published new guidance aimed at helping organisations prepare for periods of severe cyber threat. Accompanying the guidance, NCSC CEO Richard Horne has called on senior leaders to act now to strengthen resilience before a significant cyber incident occurs.
The guidance focuses on practical preparedness measures, including identifying critical services, understanding key dependencies and reviewing response and recovery arrangements. It encourages organisations to consider how decisions would be made during a period of heightened threat and whether existing plans would remain effective under pressure.
The announcement reflects a broader shift in the UK's approach to cyber resilience. Increasingly, cyber security is being viewed not solely as a technical issue. Whilst the guidance is aimed primarily at operators of critical national infrastructure, many of its principles will be relevant to any organisation that depends on critical systems, suppliers, or operational technology.
The NCSC's Guidance is available here.
ICO highlights steps to protect against AI-enabled cyber threats
The Information Commissioner's Office (ICO) has published guidance on protecting organisations against AI-powered cyber threats. The guidance reflects growing concern that artificial intelligence is increasing the scale, speed and accessibility of established attack techniques.
Rather than creating entirely new threats, AI is increasingly being used to enhance familiar tactics such as phishing, social engineering and vulnerability discovery. Generative AI tools can produce convincing communications at scale, whilst automation can reduce the time and resource required to identify and target potential victims.
The guidance highlights the importance of maintaining strong cyber security fundamentals, including robust authentication measures, effective patch management and appropriate staff awareness programmes. The ICO also encourages organisations to consider how incident response plans may need to evolve as AI-enabled threats become more prevalent.
The wider message is that AI-enabled threats may look familiar, but they can operate at greater scale and with more convincing content. For many organisations, the guidance is a timely reminder to validate whether current controls, monitoring arrangements and response processes can withstand higher‑velocity threat activity.
The ICO's guidance on AI-enabled cyber-threats is available here.
Data Use and Access Act 2025 complaints procedure comes into force
Section 103 of the Data Use and Access Act 2025 (DUAA) inserted a provision into the Data Protection Act 2018 (DPA) (s.164A) creating a statutory right for data subjects to complain to controllers in respect of infringements of UK GDPR or of Part 3 of the DPA. As of 19 June, controllers must have procedures in place to permit such complaints to be made, must acknowledge them within 30 days and must, without undue delay, take steps to respond and inform the complainant of the outcome.
Data subjects must be able to complain directly to the controller, although the method is not specified and does not have to be a new tool, for example it could be an existing complaint tool adapted to include data protection complaints. Controllers should however be aware that data subjects can complain in any way they choose, so must be vigilant in keeping an eye out for complaints and responding within the required deadlines.
This highlights the importance of proper governance procedures and systems as well as up-to-date staff training to avoid negative publicity and criticism from regulators. It could also be relevant in the context of dealing with communications from data subjects following a personal data breach. If those communications constitute a complaint, they will need to be dealt with in a way which complies with the new requirements.
The ICO advises that if someone complains to them about a controller's actions, the ICO will first advise them to raise a complaint with the controller which may shift the burden of dealing with the majority of complaints from the ICO to data controllers.
The ICO's explanatory page is available here.
NCSC urges caution when adopting agentic AI
The National Cyber Security Centre (NCSC) has published guidance encouraging organisations to think carefully before adopting agentic AI systems. The guidance comes amid growing interest in technologies capable of acting with a greater degree of autonomy than traditional AI tools.
Whilst recognising the potential benefits of agentic AI, the NCSC highlights the additional risks that may arise when systems are granted authority to make decisions or take actions on behalf of users. The guidance encourages organisations to understand the limits of these technologies and ensure appropriate oversight is maintained.
The publication reflects a broader shift in the discussion around AI adoption. As organisations move beyond experimentation and begin deploying AI within operational environments, questions around accountability, resilience and security are becoming increasingly important.
The challenge for organisations will be balancing the efficiencies offered by increasingly autonomous systems with the need for meaningful human oversight. As adoption accelerates, organisations may wish to assess whether existing controls, escalation routes and oversight mechanisms can manage the risks associated with agentic AI.
The NCSC's Guidance on the application of agentic AI systems is available here.
ICO finalises guidance on smart devices and connected products
The Information Commissioner’s Office (ICO) has published final guidance on consumer Internet of Things (IoT) products and services. The guidance is intended to help organisations understand how UK data protection requirements apply to connected products throughout their lifecycle, from initial design through to deployment and ongoing use.
The guidance covers a broad range of technologies, including wearable devices, smart home products and internet-connected appliances. A recurring theme is that privacy considerations should be embedded into products from the outset, rather than addressed after launch. The ICO also highlights the importance of transparency, user choice and ensuring that individuals understand how their personal information is collected, used and shared.
Regulatory attention in this area continues to grow as internet-connected devices generate increasing volumes of personal data, particularly where they operate continuously and interact with multiple services. This keeps the close relationship between cyber security and data protection in focus as part of day-to-day product operation.
The guidance reflects growing regulatory recognition that connected products can create both privacy and cyber security risks throughout their lifecycle. As organisations continue to expand their use of smart technologies, ensuring these considerations are addressed at the design stage is likely to remain an area of focus for regulators.
The ICO's guidance on smart devices is available here.
Stay connected and subscribe to our latest insights and views
Subscribe Here