Steelwise

Filings tagged: Commentary

Practical thinking on security, infrastructure, and AI. No thought leadership for the sake of it.

  • Business as code, not AI as business 18 May 2026 · AI Commentary

    A new wave of startups is publishing 'AI-native' org charts where seven named LLM agents do most of the work. The first step isn't restructuring around agents. It's making your business legible enough that anything, a new hire, an auditor, or eventually an agent, could read it and act on it. AI can help you get there. Future agent costs are a reason not to skip past it.

  • Your AI policy should say something 17 May 2026 · AI Security Commentary

    Most AI policies are vendor templates with the company name swapped in. They ban the obvious, permit the vague, and tell you nothing about how the business actually wants AI used. A coherent policy is a short one that takes a position.

  • Computer Misuse Act reform is finally on the bill 16 May 2026 · Security Commentary

    The 1990 Computer Misuse Act predates the public web. Reform has been promised for six years. The May 2026 King's Speech finally put it in a bill, bundled into the National Security Bill. Here's what's likely to change and what's still vague.

  • No, you don't need a web form for data complaints 15 May 2026 · Security Commentary

    A lot of guidance is telling UK businesses they need an electronic complaint form by 19 June 2026. The statute doesn't say that. It says facilitate, and gives a form as one example. Here's what's actually required and what isn't.

  • The real bill from the M&S and Co-op attacks 14 May 2026 · Security Commentary

    A year on from the April 2025 retail attacks, the numbers are in. M&S has posted £101.6 million in direct costs and a 16.4% fall in fashion sales. The Cyber Monitoring Centre put the combined bill at £270 million to £440 million. The useful lessons for an SME are the unglamorous ones.

  • Insider fraud is mostly the people you already hired 12 May 2026 · Security Commentary

    Cifas surveyed 2,000 UK employees at large companies. Nearly a quarter know someone who has fiddled expenses. One in eight know someone who has sold a login. Insider risk is a culture problem before it is a tooling problem.

  • The NCSC says brace for a patch wave. The NHS is pulling the curtains. 3 May 2026 · Security AI Commentary

    The NCSC has told UK organisations to prepare for a wave of urgent patches as AI accelerates vulnerability discovery. The same week, NHS England decided the answer was to make its open source repositories private. Only one of those approaches actually fixes anything.

  • Sovereign AI is only sovereign if you can actually switch 24 April 2026 · AI Infrastructure Commentary

    Two-thirds of UK IT leaders say they have an AI exit plan. Nearly half admit switching would seriously disrupt the business. A plan you can't execute is not a plan.

  • NCSC says passkeys first, passwords second 23 April 2026 · Security Commentary

    The NCSC has flipped its authentication advice at CYBERUK 2026. Passkeys are now the recommended default, and password plus two-step verification is the fallback. The reasoning is worth understanding.

  • The only SOC metric that matters, according to the NCSC 12 March 2026 · Security Commentary

    Tickets closed. Rules written. Logs ingested. The NCSC's Dave Chismon argues most security operations metrics actively make detection worse. The one that counts is whether you spot attacks in time.

  • The ICO is becoming the Information Commission 19 February 2026 · Security Commentary

    The UK's data protection regulator is being restructured under the Data (Use and Access) Act 2025. New board, new CEO, new statutory objectives. The name is the least interesting part.

  • What the Cyber Security and Resilience Bill actually means 19 February 2026 · Security Commentary

    The biggest overhaul of UK security regulation since 2018 is in committee. MSPs are in scope, incident reporting gets a 24-hour clock, and fines go up to £17 million. Here's what it means in practice.

  • Chrome's first zero-day of 2026: update now, don't wait 17 February 2026 · Security Commentary

    CVE-2026-2441 is actively being exploited in the wild. A use-after-free bug in CSS handling means a crafted webpage is all it takes. Push the update now.

  • AI just claimed your spinning disks too 16 February 2026 · Infrastructure Commentary

    Western Digital's entire HDD capacity for 2026 is sold out. Cloud is 89% of their revenue. HDD prices are up 46% since September. The window for sensible storage pricing is closing.

  • Prompt injection is not the new SQL injection 16 February 2026 · AI Security Commentary

    Schneier and co have reframed prompt injection as 'promptware': a full 7-stage kill chain. The uncomfortable truth: LLMs can't distinguish instructions from data. This isn't a bug you can patch.

  • When your payment processor can't send a valid email 13 February 2026 · Infrastructure Commentary

    Viva.com sends verification emails missing the Message-ID header. Google Workspace and Zoho reject them. The fix is one line of code.

  • Microsoft is a cloud company that also makes Windows 12 February 2026 · Commentary

    Microsoft's FY2025 numbers tell a clear story. Azure and M365 are two-thirds of revenue. Windows is about 6%. This is a cloud and productivity company.

  • Patch your text editors 11 February 2026 · Security Commentary

    Notepad++ had its update service hijacked by state-sponsored attackers. Windows Notepad got a CVSS 8.8 command injection. Two editors, two attack vectors, same lesson.

  • Insecure defaults have a long half-life 10 February 2026 · Security Commentary

    Global Telnet scanning dropped overnight in January 2026. Days later, a critical telnetd authentication bypass was disclosed. The protocol is old. The lesson is current.

Steelwise

A trading name of Technical Director Ltd (company number 08512222).

Technology advisory, based in Sheffield.

0114 376 7987
