Security policy changes, regulatory updates, and compliance-relevant developments.
36 items
Microsoft is restructuring the Windows Insider Program to better address performance and reliability problems in Windows 11. This indicates widespread quality concerns that Microsoft believes require organisational and process changes to resolve.
Microsoft is rolling out native passkey support for Entra-protected resources on Windows devices in late April, enabling phishing-resistant passwordless authentication. This represents a significant step in reducing reliance on password-based authentication across enterprise environments.
Microsoft is expanding user controls in Windows Update to allow deferral and scheduling of restarts, reducing operational disruption. While operationally beneficial, this formalises rather than fundamentally changes the forced-restart model that remains a security and stability concern.
Dutch cosmetics retailer Rituals suffered a data breach affecting its 'My Rituals' membership database, with attackers extracting customer names and addresses. The incident highlights ongoing targeting of loyalty programme databases by threat actors seeking PII for fraud and resale.
NIST will cease assigning severity scores to lower-priority vulnerabilities, unable to keep pace with the volume of submissions. This degrades the utility of the Common Vulnerability Scoring System and creates ambiguity for defenders prioritising patch cycles.
Unmanaged service accounts, API keys, and orphaned credentials represent the largest attack surface in cloud environments, with compromised non-human identities responsible for nearly 7 in 10 cloud breaches in 2024. Organisations typically lack visibility into 40-50 automated credentials per employee that persist after project termination or staff departure.
Qualys analysed one billion CISA KEV (Known Exploited Vulnerabilities) remediation records and found that most critical flaws are actively exploited in the wild before organisations can deploy patches. This exposes a fundamental timing mismatch between vulnerability disclosure and attacker speed.
OpenAI has launched a $100 monthly Pro subscription tier matching Anthropic's Claude pricing, reflecting competitive pressure in the generative AI market. This pricing escalation may influence how organisations evaluate AI tool security postures and dependency risks.
LinkedIn deployed hidden JavaScript code scanning visitor browsers for 6,000+ Chrome extensions and collecting device fingerprinting data without explicit user consent, raising questions about the scope and legitimacy of data collection practices by major platforms.
Google is rolling out the ability for U.S. users to change their primary @gmail.com address or create aliases, improving account flexibility but introducing new vectors for account compromise, impersonation, and social engineering attacks.
Microsoft issued an emergency hotfix (KB5086672) to resolve widespread installation failures from a March 2026 preview update that was already pulled. The incident highlights systemic issues in Microsoft's preview testing and release validation processes.
Organisations are acquiring agentic GRC (Governance, Risk, Compliance) tools to automate workflows, but the transition is failing because teams remain operationally focused rather than adopting risk leadership mindsets required for the technology to deliver value.
Google has committed to migrating its infrastructure to post-quantum cryptography by 2029, signalling that the cryptographically-relevant quantum computer threat window is closing faster than many organisations anticipated. This accelerates industry pressure to inventory and remediate legacy systems before quantum capabilities render current encryption obsolete.
The Alliance for Creativity and Entertainment shut down AnimePlay, a pirated anime streaming platform with 5 million users, through coordinated enforcement action. This represents continued success in disrupting consumer-facing piracy infrastructure but raises questions about replacement rate and user migration patterns.
Microsoft released KB5079391 with improvements to Smart App Control, a machine learning-based application allowlisting feature in Windows 11. This represents iterative hardening of Windows' application execution controls rather than a critical security fix.
Dell and HP have announced quantum-resistant security features integrated into their PC and printer products ahead of NIST's finalised post-quantum cryptography standards. This represents early industry adoption to address the theoretical but long-term threat of cryptanalytically relevant quantum computers.
Google is introducing 'Advanced Flow,' a controlled mechanism for Android power users to sideload APKs from unverified developers with enhanced security guardrails. This represents a strategic shift toward flexible but security-conscious OS design.
Aura, an identity protection company, suffered a data breach exposing ~900,000 marketing contact records (names, emails). The breach is particularly damaging given Aura's core business is protecting customers from identity theft and data exposure.
Microsoft Exchange Online experienced a widespread outage blocking mailbox and calendar access for customers globally. This incident underscores the operational risks of cloud-based email dependencies and the cascading business impact when a single provider experiences infrastructure failures.
Google is implementing API restrictions in Android 17 to prevent non-accessibility apps from abusing the accessibility services API, a common malware technique for achieving privileged operations without proper permissions. This is a preventive security hardening measure rather than a response to active exploitation.
OpenAI is rolling out advertisements on ChatGPT's free and Plus tiers, initially limited to US users, with privacy policy updates creating confusion about global deployment timelines. This monetization shift introduces new attack surface for ad injection and data harvesting concerns.
Organizations migrating from VMware to alternative hypervisors face elevated data security and recovery risks during transition periods. Verified backups and cross-platform recovery capabilities are critical to prevent data loss and maintain business continuity.
The EU court's adviser has ruled that banks must immediately refund phishing victims, even if the victim was negligent. This decision could significantly impact financial institutions' liability policies and cybersecurity measures.
The Trump administration's cyber strategy focuses on strengthening deterrence against adversaries, modernizing federal networks, protecting critical infrastructure, and investing in emerging technologies like AI and post-quantum cryptography.
EC-Council has introduced new AI-related certifications to enhance the U.S. cybersecurity workforce's readiness, reflecting growing demand for AI expertise in security.
EC-Council introduced four new AI certifications and updated its Certified CISO program to help bridge the gap between AI adoption and workforce readiness, particularly in the U.S. where 700,000 workers need reskilling.
CISA's 2025 cybersecurity year-in-review report documents a record 97 zero-day vulnerabilities exploited in the wild and identifies edge device exploitation and ransomware as the top threats to critical infrastructure.
NIST released final guidelines for organizations to transition from classical to post-quantum cryptographic algorithms, establishing timelines and priorities for migration across different use cases.
The EU Cyber Resilience Act's vulnerability reporting obligations take effect, requiring manufacturers of products with digital elements to report actively exploited vulnerabilities within 24 hours.
An expanded international law enforcement operation seized remaining LockBit ransomware infrastructure, arrested additional administrators, and released decryption keys benefiting thousands of victims.
PyPI now requires all newly published packages to include build provenance attestations using Sigstore, marking a major milestone in supply chain security for the Python ecosystem.
Google Cloud began enforcing mandatory multi-factor authentication for all user accounts, completing a phased rollout that started in late 2024 and affecting millions of cloud platform users worldwide.
CISA and NSA published joint guidance addressing security risks of AI system deployment in critical infrastructure, covering supply chain, model integrity, and adversarial attack mitigations.
The US Department of Justice announced federal charges against additional members of the Scattered Spider cybercriminal group responsible for high-profile social engineering attacks against major US corporations.
CISA and FBI publish joint guidance urging software manufacturers to adopt memory-safe programming languages and practices to eliminate buffer overflow vulnerabilities at their source.
CISA has issued an emergency directive ordering federal agencies to mitigate Ivanti Connect Secure vulnerabilities amid widespread exploitation by nation-state actors.