PwC report reveals only 2% of organisations achieve firm-wide cyber resilience

A new report from PwC has uncovered alarming gaps in global cybersecurity practices among organisations. The 2025 Global Digital Trust Insights survey, which gathered insights from 4,042 business and technology executives across 77 countries, revealed that only 2% of organisations have fully implemented cyber resilience measures in all areas assessed.

Specifically, the survey evaluated 12 key resilience actions related to people, processes, and technology. Fewer than 42% of executives believe their organisations have fully adopted any one of these measures. Among the most critical gaps are:

  • Establishing a resilience team, with only 34% reporting implementation organisation-wide
  • Developing a cyber recovery playbook for IT-loss scenarios, achieved by just 35%
  • Mapping technology dependencies, with only 31% completed

These findings highlight a concerning vulnerability, leaving many organisations exposed to cyber attacks that could jeopardise their entire operations.

Another critical issue raised in the report is the insufficient involvement of Chief Information Security Officers (CISOs) in essential business activities. Fewer than 50% of CISOs are significantly engaged in strategic planning for cyber investments, board reporting, or overseeing technology deployments. This lack of participation at high decision-making levels creates the risk of misaligned strategies and weaker security postures. The report advocates for granting CISOs a seat at the table to ensure cybersecurity considerations are embedded within core business strategies.

The rapid integration of new technologies is introducing additional cybersecurity challenges. According to the report, 67% of security executives indicated that the rise of generative AI has expanded their attack surface over the past year. Vulnerabilities are also increasing due to the adoption of cloud technologies and connected devices. Despite these risks, organisations continue to invest in new technologies, with 78% of executives reporting increased spending on generative AI in the last year, underscoring the tension between innovation and security.

Cybersecurity regulations are emerging as a significant catalyst for investment, with 96% of executives acknowledging that regulatory requirements have driven enhancements in their security measures. Furthermore, 78% believe that regulations have prompted improvements or challenges to their cybersecurity posture. However, the report also highlights a notable confidence gap between CISOs/CSOs and CEOs concerning compliance with AI and resilience regulations. This 13-point disparity indicates a disconnect in how different executives view their organisation’s readiness to meet regulatory demands.

UK GCHQ defends the importance of law for cyber operations

Senior officials from GCHQ, the UK’s cyber and signals intelligence agency, published a rare article defending the role of legal frameworks in guiding cyber operations. The article responds to recent criticism by an anonymous European intelligence official in Binding Hook, who argued that the West’s cyber capabilities are being constrained by overly stringent legal oversight. According to that criticism, these restrictions may be giving cyber actors from countries like China and Russia a strategic advantage, as they face fewer operational constraints. The GCHQ article also points to recent public statements by former leaders of Germany’s foreign intelligence service, who have voiced concerns that excessive legal oversight is weakening national security efforts.

Although the GCHQ article does not reference specific cyber operations, it addresses a significant challenge faced by agencies focused on foreign intelligence. Under current laws, such agencies may be prohibited from collecting intelligence from systems owned by their own citizens, even if those systems are being exploited by foreign attackers.

GCHQ’s stance emphasises the need for a balanced approach, arguing that cyber operations can and should be conducted in a ‘responsible and democratic’ manner. The article reflects the agency’s growing engagement with public and academic discussions on the evolving role of law in modern cybersecurity.

Three Iranian nationals indicted for hacking Trump campaign

Three Iranian nationals have been indicted in the US for their alleged involvement in a hacking campaign targeting former President Donald Trump’s 2020 campaign. The US Justice Department unsealed charges against Seyyed Ali Aghamiri, Yasar Balaghi, and Masoud Jalili, who are believed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). The three individuals, based in Iran, face charges including material support for terrorism, computer fraud, wire fraud, and identity theft.

Though no evidence suggests the stolen data was used, Iran’s intent to influence the US election was highlighted. The State Department has issued a $10 million reward for information leading to the capture of Aghamiri, Balaghi, and Jalili. According to the indictment, the hackers impersonated government officials and used spear-phishing tactics to infiltrate systems and steal sensitive information. Their motives, beyond general geopolitical disruption, reportedly included avenging the death of Iranian military commander Qasem Soleimani, who was killed in a US strike in January 2020.

The US and UK governments issued indictments alongside sanctions and alerts, highlighting ongoing cybersecurity threats posed by the IRGC. Both countries’ cybersecurity agencies jointly released a 14-page advisory detailing recent cyber activities linked to the IRGC, cautioning against tactics described in the indictment and additional tools used to target presidential campaigns, senior government officials, think tank leaders, journalists, activists, and lobbyists. In addition, John Hultquist from Google’s Threat Intelligence Group stated that Iran controls ‘multiple contractors’ responsible for some of the most aggressive cyber operations in the Middle East, Europe, and the US.

Google blocks new Russian accounts and faces more pressure over restrictions

Google has restricted the creation of new accounts for Russian users, according to Russia’s digital ministry. The move follows mounting pressure on the tech giant over its failure to remove content deemed illegal by Moscow and for blocking Russian media channels on YouTube following the invasion of Ukraine. Telecom operators have also reported a sharp decline in the number of SMS messages sent by Google to Russian users.

The digital ministry warned there is no guarantee that two-factor authentication SMS confirmations will continue functioning for Google services. It advised users to back up their data and consider alternative authentication methods or domestic platforms. Google had already deactivated AdSense accounts in Russia in August and halted serving ads in the country in March 2022.

Google has blocked over 1,000 YouTube channels linked to state-sponsored Russian media, as well as more than 5.5 million videos. Slower speeds on YouTube in Russia have been recorded recently, with Russian lawmakers blaming the issue on Google’s equipment, a claim the company disputes.

Spotify restores services after widespread outage

Spotify faced a three-hour outage, disrupting service for over 40,000 users in the US. Users reported problems with playlists, random stops in music, and being unable to stream beyond recently played songs. By the afternoon, fewer than 600 users continued to experience issues.

Downdetector, a site that tracks outages, recorded the disruption, while Spotify reassured users on social media that services were returning to normal. However, the company did not comment on the cause of the outage when contacted by Reuters.

Despite this incident, Spotify’s subscriber base remains strong. In the second quarter, the number of paying subscribers rose to 246 million.

The temporary outage in the US was an inconvenience for many, but Spotify quickly moved to resolve the issue. Most users saw their services restored within a few hours, ensuring minimal disruption overall.

Apple faces limited claims in data privacy case

A federal judge has scaled down a privacy lawsuit against Apple, which alleged the company collected personal data from iPhone, iPad, and Apple Watch users without permission. The lawsuit targets Apple’s apps, including the App Store, Apple Music, and Apple TV. US District Judge Edward Davila dismissed most claims involving the “Allow Apps to Request to Track” setting, clarifying that it only governs data collection by third-party apps and websites, not Apple’s in-house apps.

Despite dismissing many claims, the judge allowed some to proceed related to Apple’s ‘Share [Device] Analytics’ setting. The plaintiffs claim that Apple continued collecting data even after users disabled the setting, despite promises that it would stop data sharing. Judge Davila agreed, noting that users could reasonably assume they had withdrawn consent based on Apple’s own disclosure that disabling the option would prevent data collection.

This lawsuit is part of a broader trend of legal actions against major tech companies like Google and Meta, accusing them of gathering user data without proper consent. Neither Apple nor the plaintiffs’ lawyers have responded to requests for comment on the case as it unfolds.

Man from London charged in US for £3 million hack-to-trade scheme

A British man has been arrested and charged by US authorities for hacking into the computers of five companies to illegally obtain information about their expected earnings, resulting in profits of $3.75 million from insider trading. Robert Westbrook, 39, from London, faces multiple charges, including securities fraud, wire fraud, and five counts of computer fraud, with the US Department of Justice seeking his extradition.

Westbrook was arrested this week in the UK and is facing additional civil charges from the US Securities and Exchange Commission (SEC). Although the companies involved were not explicitly named in court documents, financial details indicate that they could include Tupperware, Tutor Perini, Guidewire Software, Murphy USA, and Lumentum Holdings.

Authorities allege that Westbrook was involved in a “hack-to-trade” scheme, gaining access to executives’ email accounts between January 2019 and May 2020. He allegedly utilised nonpublic information to trade stocks and options before at least 14 earnings announcements and even set up automatic forwarding of emails from these executives to his accounts.

Jorge Tenreiro, acting chief of the SEC’s crypto assets and cyber unit, characterised Westbrook’s actions as sophisticated international hacking, involving the use of anonymous email accounts, VPNs, and bitcoin to conceal his activities. Each charge of securities and wire fraud carries a maximum penalty of 20 years in prison, while the computer fraud charges could lead to up to five years each.

Saudi Arabia introduces new framework to strengthen data protection compliance

The Saudi Data and AI Authority (SDAIA) outlines a crucial framework for data protection compliance among organisations operating in Saudi Arabia. One key requirement is appointing a Data Protection Officer (DPO) for specific entities, particularly public organisations engaged in large-scale personal data processing or those that regularly monitor data subjects.

The DPO must possess the appropriate qualifications and experience in personal data protection to manage data breaches and navigate complex regulatory landscapes effectively. Furthermore, SDAIA mandates that organisations register with the National Data Governance Platform, thus emphasising transparency and accountability in data management practices.

In addition to compliance requirements, the SDAIA outlines strict guidelines for transferring personal data outside Saudi Arabia. For instance, organisations must implement appropriate safeguards, such as standard contractual clauses, to protect the transferred data. Moreover, organisations must conduct risk assessments for these transfers, especially when sensitive data is involved, ensuring that data subjects’ rights are safeguarded.

Furthermore, the SDAIA outlines the importance of developing comprehensive privacy policies that detail the types of personal data collected, the purposes for collection, and the rights of data subjects. Organisations are encouraged to ensure these policies are easily accessible and periodically reviewed to maintain compliance. Additionally, SDAIA stresses the principle of data minimisation, requiring organisations to collect only the minimum necessary personal data and to regularly assess what data can be destroyed.

Cyberattack disrupts Wi-Fi at major UK railway stations

British police announced on Thursday that they are investigating a cyberattack that displayed an Islamophobic message on Wi-Fi services at major railway stations. Passengers trying to connect to the Wi-Fi encountered a message referencing terror attacks, leading to the immediate shutdown of the system managed by communications group Telent. The British Transport Police reported that they received notifications about the incident at approximately 5:03 p.m. on September 25.

The incident occurred amid heightened tensions in Britain, where anti-Muslim riots erupted over the summer following the tragic killing of three young girls. Misinformation initially blamed the attack on an Islamist migrant, further inflaming community tensions. In response, the police are working closely with Network Rail to investigate the cyberattack promptly.

Following the incident, which impacted 19 stations including London Bridge, London Euston, Manchester Piccadilly, and Edinburgh Waverley, Network Rail confirmed that the Wi-Fi service remained offline. Telent stated that no personal data was compromised in the hack, explaining that an unauthorised change was made to the Network Rail landing page using a legitimate administrator account. As a precaution, Telent temporarily suspended all Global Reach services to verify that other customers were not affected. Network Rail expects the Wi-Fi service to be restored over the weekend after conducting final security checks.

Taiwan introduces stringent regulations to combat telecom fraud

The National Communications Commission (NCC) has introduced new regulations to significantly curtail telecom fraud in Taiwan. These measures establish a comprehensive framework to identify users categorised as ‘high-risk’ based on their repeated involvement in fraudulent activities. As a result, these high-risk users will face strict limitations and be permitted to apply for only three telephone numbers across the three major telecom providers within three years. The initiative is designed to deter fraudulent behaviour by restricting access to essential communication services.

Moreover, these regulations align with the recently enacted Fraud Hazard Prevention Act, which provides a foundational legal framework for addressing and mitigating fraud within the telecom sector. The NCC also prioritises collaboration with governmental agencies such as the National Police Agency (NPA) and the National Immigration Agency (NIA). That partnership aims to develop a comprehensive strategy for effectively combating telecom fraud and protecting consumers.

To further this goal, the NCC implements advanced verification systems allowing telecom companies to access NIA and NPA databases. That access will enable them to reauthenticate user identities upon receiving fraud alerts, ensuring that only legitimate users can access telecom services. This proactive approach fosters a safer environment for subscribers and empowers providers to make informed decisions to prevent fraud before it occurs.

In addition to these domestic initiatives, the NCC focuses on the international dimensions of telecom fraud, particularly regarding international roaming services. Under the new regulations, telecom providers must verify that users activating roaming services have entered Taiwan and can present appropriate identification.

That crucial measure aims to curb the misuse of these services for fraudulent purposes. Furthermore, the NCC plans to monitor high-risk offshore telecom operators, assessing their involvement in fraudulent activities and exploring the potential need for mutual legal assistance agreements with their home countries to strengthen enforcement efforts.