Study Concludes Cybersecurity Training Doesn’t Work
UC San Diego study finds cybersecurity training ineffective; trained employees still click on phishing attacks. Research suggests enhancing system defenses rather than relying on training.
TLDR: Relying on individuals to navigate AI adoption leads to chaos and risks. Organizations need to establish clear guidelines, support systems, and systematic tools to integrate AI effectively, ensuring consistent collaboration and security. AI should be treated as a significant organizational change rather than an individual task, necessitating structured interventions, robust training, and shared resources.
CISO Doug Kersten shares audit preparation tips in a Help Net Security video, emphasizing organization, communication, and team training to avoid common mistakes, improve auditor relations, and enhance security practices.
https://www.helpnetsecurity.com/2025/10/31/ciso-audit-preparation-video/
CISOs should focus on top cybersecurity frameworks: NIST CSF 2.0 for strategy, ISO 27001 for ISMS, CIS Controls v8.1 for safeguards, NIST 800-53 for controls, SOC 2 for assurance, PCI DSS v4.0.1 for cardholder data, MITRE ATT&CK for threat defense, CSA CCM v4 for cloud, IEC 62443 for OT, and NERC CIP for the power grid. Keeping up with the current versions of these frameworks supports regulatory compliance and readiness, improving overall security posture.
https://programminginsider.com/top-10-cybersecurity-frameworks-every-ciso-should-know/
European agencies, like Austria's Ministry of Economy, are increasingly migrating to open-source solutions (e.g., Nextcloud) to achieve digital sovereignty and control over sensitive data, distancing from US tech giants. This trend reflects broader efforts across Europe to manage data sovereignty, encourage local solutions, and ensure compliance with privacy regulations. While some migrations are successful, others face challenges requiring careful planning to avoid disruptions.
Passwords remain critical in cybersecurity and are often the weakest link despite advanced protections. Common vulnerabilities include forgotten accounts and user fatigue, which lead to predictable password patterns. To enhance security, organizations must implement robust password controls, such as intelligent banned password lists, nuanced rotation strategies, and prioritizing length over complexity. A staged approach to enforcing password policy, including user education and ongoing monitoring, helps create a dynamic security strategy that adapts to evolving threats. Ultimately, effective password management transforms a persistent challenge into a resilient defense mechanism.
https://www.bleepingcomputer.com/news/security/why-password-controls-still-matter-in-cybersecurity/
Key points:
Threat Increase: Attacks targeting software supply chains have sharply risen, especially in open source components.
Hardened/Distroless Images: Use minimal, security-hardened containers to cut down vulnerabilities, especially in regulated environments.
Compliance Focus: Follow NIST, STIG, FIPS, and SLSA frameworks for assured compliance and traceability.
Disconnected Readiness: Prepare infrastructure and tooling for air-gapped environments and automated compliance management.
Holistic Security: Integrate security across all stages, not just at the beginning of the development process.
https://thenewstack.io/what-good-software-supply-chain-security-looks-like/
AI agents can inadvertently leak sensitive company data via web searches. Research shows attackers can manipulate webpages with hidden instructions, leading agents to retrieve and transmit confidential information without users realizing it. The model's normal operations mask the attack, which does not require direct manipulation or special access. Varied success rates across 1,068 attack attempts highlight that training practices matter more than model size. Existing defenses often overlook this indirect method, emphasizing the need for robust security measures and monitoring. Organizations must treat AI agents as risky software and establish strict control over their operations.
https://www.helpnetsecurity.com/2025/10/29/agentic-ai-security-indirect-prompt-injection/
The NHS conducted a large-scale trial of Microsoft 365 Copilot AI across 90 organizations, involving over 30,000 staff members. The pilot demonstrated that AI-powered admin support can save staff 43 minutes each day on average, resulting in significant time and cost savings, with estimates of 400,000 staff hours and millions of pounds saved each month. These gains allow staff to focus more on patient care. Microsoft Copilot is now broadly available across the NHS at no additional cost, helping to streamline tasks such as email and note-taking, and contributing to a broader government strategy to modernize and enhance NHS productivity.
https://www.gov.uk/government/news/major-nhs-ai-trial-delivers-unprecedented-time-and-cost-savings