Cybersecurity & Cloud Computing - Q1 2025


“Now is the time to elevate

Vanessa Henneker, Chief Operating Officer, UK Cyber Security Council

“The responsibility for data security sits squarely with the principal service provider.”

Patrick Burgess & Steve Sands, Member & Chair of BCS Information Security Specialist Group (ISSG)

Addressing the rising demand for cloud security skills

As cloud adoption rises in the UK, developing cloud security skills has never been more crucial. Strengthening cloud expertise is essential to enable secure adoption.

Research shows that 28% of cybersecurity teams are experiencing gaps in cloud security skills,1 making it one of the region’s largest technical skills gaps, second only to artificial intelligence. Several factors contribute to this issue: multi-cloud strategies increase the need for diverse cloud skills. Infrastructure as code means security as code, requiring programming skills and familiarity with cloud-native technologies. Additionally, shared responsibility models and outsourcing require organisations to adapt their skill sets for managing security through third parties.

Cloud adoption and cybersecurity

While cloud adoption undoubtedly offers business benefits such as increased resilience, cost efficiency and flexibility, it has also altered the attack surface presented to threat actors. Security professionals need to maintain their knowledge and understanding of modern attack techniques and effective countermeasures, which differ considerably from network-based attacks and perimeter defences.

It’s no surprise that hiring managers identify cloud security as the most in-demand cybersecurity skill and professional development area. To ease the burden on cybersecurity teams and help develop cloud security skills, organisations should consider the following approaches:

1. Building platform-agnostic skills

Security professionals should develop broad expertise that transcends individual cloud platforms. Understanding foundational cloud security principles, rather than limiting knowledge to the functionality of a single provider, helps to adapt and transfer experience in multi-cloud environments. Certifications such as ISC2’s Certified Cloud Security Professional (CCSP) promote this broad-based knowledge, ensuring security teams can handle diverse cloud infrastructures effectively.

2. Leveraging technology training programmes

Paradoxically, professionals should also take advantage of the extensive low or no-cost training resources and education programmes offered by major cloud providers. Organisations should encourage employees to take advantage of these resources, offering incentives such as study time or certificate reimbursement to boost participation.

3. Shared responsibility approach

Cloud security is not solely the responsibility of IT or security teams; risk, compliance and governance professionals also play a crucial role. By promoting a general understanding of cybersecurity across these functions, organisations can strengthen security governance and risk management and benefit from relevant expertise in other teams, like procurement or risk.

By investing in skills development and building capability across functional units, UK businesses can better navigate the evolving cloud security landscape.


Securing the analogue to digital shift across healthcare systems

As threat levels grow, and new technologies increase access opportunities, we need to work across regulatory policies to secure patient data and NHS systems.

As the NHS embraces the shift from analogue to digital, including the widespread adoption of cloud-based systems and connected devices, cybersecurity has become a critical concern. From electronic health records to remote monitoring platforms, the reliance on digital technologies offers immense benefits but also exposes the healthcare sector to sophisticated cyber threats. As recent cyber-attacks have shown, the stakes could not be higher — patient safety and trust are on the line.

Increasing threat level on healthcare data

Healthcare is one of the most targeted sectors. With highly sensitive patient data and interconnected networks, health systems, such as the NHS, are prime targets for ransomware attacks and data breaches.

The NHS faces unique challenges, including ageing IT infrastructure, a vast number of access points and the sheer scale of its operations. High-profile attacks, like the 2017 WannaCry incident, underscore the devastating impact of inadequate cybersecurity measures on patient care and operational continuity. More recent attacks, such as that on pathology partnership Synnovis, also highlight the vulnerabilities in the health supply chain.

Regulatory alignment is vital

Healthtech incorporates increasingly connected capabilities and is being deployed in the health system and people’s homes to diagnose, monitor and treat individuals, enhancing care delivery and system efficiency. However, there is a risk of conflict between healthtech regulation and NHS cybersecurity rules, primarily driven by the differing primary outcomes of the policies. These conflicts can be seen in areas such as device certification, patching requirements and network segmentation.

While the NHS has acknowledged these challenges, resolving these conflicts fully requires better alignment between healthtech regulations and cybersecurity policies, as well as formal ongoing dialogue among stakeholders.

Proactive strategies for the NHS

To safeguard patient data and maintain public trust, the NHS must adopt a proactive cybersecurity strategy. Collaboration between the NHS, private tech companies and government bodies is essential to establish unified cybersecurity standards and address emerging threats effectively.

The NHS’s incorporation of connected devices is a step towards greater efficiency and innovation, but it comes with responsibilities. With patient lives and data at stake, robust cybersecurity is not optional — it is a necessity.

WRITTEN BY Andrew Davies
Executive Director, Digital Health, the Association of British Industries (ABHI)

Urgent IT upgrades can help combat cyber-attacks on businesses

Information technology (IT) experts are urging small to medium businesses to upgrade their computer systems and infrastructure to help guard against cyber-attacks.

Cyber-attacks continue to pose a significant threat to small and medium-sized enterprises, as underlined by the National Cyber Security Alliance, which states that 60% of small businesses that suffer a cyber-attack go out of business within six months. With changes looming, notably support ending for Windows 10 PCs, experts warn companies that they need to take urgent steps to protect their businesses. This means updating systems but also being aware of the potential of AI — both as a threat and safeguard.

Security risks SMEs face

Outlining the current scenario facing SMEs in maintaining IT infrastructure security, Vivecka Budden, Small and Medium Business Segment Lead on Intel’s Commercial PC Business, believes one of the major challenges is the increasing complexity and sophistication of cyber threats. “SMEs must continuously work to stay ahead of potential attacks to protect their business,” she says, “as out-of-date devices could expose SMEs to increased vulnerability and security risk.”

While AI is an area of significant potential for SMEs, it can also be an attack surface for ‘bad actors’ to exploit.

Budden says such a scenario raises the importance of SMEs having an AI strategy that helps front-foot their business for increased threat detection and prevention. However, she also recognises that SMEs are having ‘to do more with less’ against a backdrop of tighter budgets and IT skills shortages.

Critical skills to combat cyber threats

Cyber threats for SMEs include phishing (fake emails) and ransomware attacks that involve encrypting data and demanding a ransom for its release.

“Ransomware is also evolving to avoid software-only detections and can cause significant financial and operational damage,” adds Budden. Phishing attacks, meanwhile, use deceptive emails or messages to trick individuals into revealing sensitive information or downloading malicious software.

Pointing to a lack of premium security tools or a dedicated cybersecurity team hindering SMEs in creating a proactive security posture, she cites a survey highlighted by ITPro, which indicates 96% of SMEs are missing critical cybersecurity skills at a time when cybercriminals are constantly evolving their techniques. Yet, the consequences of cyber-attacks can be severe.

“It can lead to devastating operational, financial and reputational consequences, such as lost sales, recovering costs from attacks and compensation to clients/customers, among other things,” says Budden, who focuses on small business insights and feedback to ensure the right hardware capabilities are being designed for the sector.

How can businesses respond?

Experts say that in addition to building staff awareness of cybersecurity, SMEs should keep software and systems updated as well as leverage security tools to automatically detect threats and monitor status. SMEs must implement a comprehensive PC strategy across hardware and software that protects their data, employees and business.

Budden says: “This proactive approach helps SMEs use the latest technology advancements to stay a step ahead of evolving threats and ensures a robust security posture.” She points to the Intel vPro® business PC platform as an example that offers holistic hardware security that integrates with OS software like Windows 11 Pro to provide advanced threat protection.

“Older devices can open up an SME to the potential of greater exposure to these attacks since they don’t have the latest in security advancements,” she warns.

Risks from outdated PCs

Expanding on that risk from ageing devices, Acer points out that SMEs must retire Windows 10 PCs with Win 10 support ending in October. Philip Burger, Vice President of US Channel at Acer says: “Once Microsoft ends support for Windows 10, SMEs that continue using outdated PCs will face significant security risks. Hackers often exploit unpatched vulnerabilities, leading to increased risks of ransomware attacks, data breaches and operational downtime and severely impacting business continuity. Without these updates, SMEs essentially become sitting ducks for cybercriminals.”

While the Win 10 EoS scenario is one that businesses must respond to, experts such as Burger feel it presents ‘a good opportunity’ for businesses to adopt new devices and transition to AI PCs. Within this context, TravelMate AI PCs, with Intel vPro® for built-in security and Intel® Core™ Ultra processors for AI-powered threat detection, can support the transition.

INTERVIEW WITH Philip Burger Vice President of U.S. Channel, Acer
INTERVIEW WITH Vivecka Budden SMB Segment Lead, Intel
WRITTEN BY Mark Nicholls

Device transition for SME growth

As businesses typically require several months to transition to a new system, they should act now and move to Windows 11, for example, before October. Additionally, the latest neural processing unit (NPU)-powered PCs can boost productivity in areas like content creation, data analysis, insight generation and meeting summaries and have a range of AI applications to help ensure ‘uninterrupted and secure business operations.’

Burger explains: “This allows SMEs to expand their capabilities and overcome limitations related to resources or workforce. Windows 11 Pro PCs enable a reported 62% drop [1] in security incidents and accelerate workflows by an average of 50% [2]. Investing in AI PCs is a futureproof strategy, allowing SMEs to take advantage of the evolving AI landscape.” Tech giants Acer and Intel have a robust partnership in delivering the latest secure technology for businesses and point to the advantages AI PCs have over non-AI PCs in terms of efficiency and threat detection.

Risks of delaying OS upgrade

However, companies that are slow in transitioning will be vulnerable to increased cyber-attacks amid fears that cybercriminals will target Windows 10 devices after support ends.

Burger says: “Delaying the transition leaves SMEs exposed to increased and evolving cyber threats, as outdated operating systems will no longer receive security updates. Cybercriminals often target unsupported operating systems, knowing that vulnerabilities will remain unpatched.

“Without security updates, SMEs risk experiencing similar attacks, potentially leading to data loss, financial harm and severe operational disruptions. The longer they delay, the greater the exposure to cyber threats.”

Making the switch is a critical step

“The shift from traditional PCs to AI PCs is not just a luxury; it’s rapidly becoming a strategic necessity for SMEs,” continues Burger. “AI PCs offer significant advantages in terms of improved security, enhanced productivity through AI-powered tools and future-proofing the business against technological advancements. Companies that fail to upgrade risk falling behind competitors who leverage AI to streamline operations and automate tasks.

At-a-glance: what AI PCs can offer SMEs

Acer TravelMate AI PCs have clear advantages over non-AI PCs that can deliver key benefits to SMEs. They are faster, offer more efficient threat detection, use an NPU to detect and neutralise threats without slowing down the system, analyse real-time threat patterns to block emerging cyber-attacks and handle tasks more efficiently and securely.

Security, productivity and performance

Acer TravelMate AI PCs utilise a philosophy of multi-layer security, protecting users against firmware attacks by combining the hardware and software-based protection of Intel vPro® and Windows 11 Pro while also leveraging unique security tools such as Acer ProShield Plus, which provides BIOS-level protection and encryption to secure sensitive data, and Acer Office Manager, which enables IT managers to monitor, manage and enforce security policies across an organisation’s fleet of devices. The benefits also go beyond security. AI-powered productivity tools such as Acer PurifiedView 2.0 ensure professional video calls by allowing users to look their best in virtual meetings without slowing down performance while Acer PurifiedVoice delivers crystal-clear audio with AI noise reduction. With the help of Intel® Core™ Ultra processors, updating to Acer TravelMate AI PCs could offer up to: 2.5x more efficient* battery life; 40% increased graphics performance**; and 40% lower power consumption for AI-enhanced collaboration.***

“This transition is crucial for SMEs to stay competitive in the modern digital landscape, enabling them to operate more efficiently, securely and innovatively,” Burger adds. The threat of cyber-attack remains a real and present danger for SMEs; but taking the right steps, and updating and investing in the latest equipment, can help negate these risks and enable small and medium companies to continue to grow and flourish.

References:

1. Techaisle, 2024. Windows 11 Survey Report.

2. Principled Technologies, 2023. Improve your day-to-day experience with Windows 11 Pro laptops.

Improved compatibility

As SMEs transition to AI PCs, application compatibility is critical. Built on Intel’s AI-ready architecture, Acer TravelMate AI PCs help these businesses transition with ease with 99.7% application compatibility. Intel also powers the broadest set of commercial AI workflows with more than 400 ISV features that are optimised on its AI PC hardware.

With a powerful combination of security, productivity and performance, Acer TravelMate AI PCs, supercharged by Intel, provide comprehensive security and AI-powered tools that ensure businesses stay protected, efficient and ready to tackle the evolving threats of the new AI generation.


UN Convention against cybercrime addresses cybersecurity amid global threats

Cybersecurity investments prevent financial losses, yet global security remains fragmented. The UN’s new cybercrime treaty enhances international cooperation, tackling threats, protecting vulnerable groups and strengthening digital resilience worldwide.

Traditional investments focus on financial growth and efficiency while cybersecurity investments aim to prevent financial losses, disruptions and reputational damage. This leads to the concept of Return on Security Investment (ROSI), where the value lies in loss prevention rather than profit. Underinvestment in security creates industry-wide disparities, with vulnerabilities potentially impacting the entire digital ecosystem.

Organisations vulnerable to cyber threats

As cyber threats grow in sophistication and frequency, fragmented security measures leave organisations and nations vulnerable. A global, coordinated response is no longer optional but an imperative. Only through an international cybersecurity treaty can we establish the collective defence necessary to protect digital infrastructure and ensure global resilience.

A landmark step: the UN Convention against cybercrime

In December 2024, the UN General Assembly adopted by consensus the Convention Against Cybercrime, marking the first global treaty of its kind. This landmark agreement strengthens international cooperation in countering cyber threats.

With nearly 70% of the world’s population online,[1] cybercriminals leverage malware, ransomware and hacking to compromise digital systems, many times targeting individuals, businesses and governments.

While trying to meet these risks, the Convention promotes fast electronic evidence exchange, cross-border investigation and international legal cooperation. It will enhance the tracking, investigation and prosecution capabilities of law enforcement through a 24/7 network with cooperation in mutual legal assistance, asset recovery and extradition.

Strengthening protections for vulnerable groups

The recent Convention marks a monumental step forward in safeguarding the wellbeing of children in the digital age. By addressing the pervasive issue of online exploitation, this global agreement establishes a robust framework for governments to tackle the various threats facing minors in cyberspace. Not only does the treaty reinforce legal measures to combat harmful activities targeting children online, but it also underscores the importance of providing comprehensive support to victims.

With this Convention, nations now have a structured mechanism to combat cybercrime. Businesses operating in the global digital economy must align their security strategies with these international efforts to strengthen cyber resilience.

Reference:

1. Statista. 2025. Number of internet and social media users worldwide as of February 2025.

Why professionalism matters for cybersecurity

The Standard of Professional Competence and Commitment (UK SPCC) offers a national benchmark, ensuring accountability, ethical integrity and verified expertise in a rapidly evolving industry.

Cyber threats are escalating, yet cybersecurity remains a mainly unregulated profession with inconsistent standards. Unlike medicine or law, the cybersecurity profession lacks a universal accreditation system, leaving room for variable expertise and ethical concerns.

Cybersecurity trust and competence

Introduced in 2021, the UK Cyber Security Council’s Standard of Professional Competence and Commitment offers a solution by ensuring practitioners meet a nationally recognised benchmark of competence and integrity. Cybersecurity is a profession where individuals enter the field through varied routes, from computer science degrees to self-taught pathways. This competence standard was created in partnership with the Government, industry and academia to create a universal mechanism to assess expertise, introduce ethical accountability and address malpractice.

The Council has also mapped the profession into a series of ‘specialisms,’ which cover the vast majority of current cyber roles. By contextualising the SPCC for a selection of these specialisms, individuals have been able to go through a peer assessment process to demonstrate their skills and experience against this nationally recognised Standard.

Why is UK SPCC important for industry?

As someone who has gone through the process of becoming a Chartered Cyber Security Professional in the Security Testing specialism, Tamar Everson from Arcanum knows the importance of assessment to prove competence and trust.

Everson says: “It has always been a challenge for organisations to identify high-quality cybersecurity vendors. The rigorous assessment we undergo as part of the professionalism process means that organisations can trust the expertise of the individuals carrying out work in a way that was previously difficult to verify.”

Industry standards for cybersecurity

Cybersecurity is critical to national security and business resilience. Without a formalised professional standard, the industry remains vulnerable to inconsistencies. Becoming professionally registered offers a path to professionalism, ensuring accountability, ethical integrity and a trusted benchmark of excellence. Now is the time to elevate cybersecurity into a mature, structured profession that society can depend on.

WRITTEN BY Vanessa Henneker Chief Operating Officer, UK Cyber Security Council

Why cloud security and protecting your data responsibly matter

Most of us use cloud computing every day without realising it. Whether you are streaming, shopping, banking, travelling, checking your email or accessing NHS services, you’re using ‘the cloud.’

As we continue to share increasing amounts of personal and private information, we should all start to care more about privacy and security and ask who is responsible for keeping it secure and available.

Complex and convoluted supply chains

The supply chains that provide online services we use daily have become extremely complex, and the companies providing them are largely invisible to the average user. We may assume that the company we sign up to is in full control, but this is almost never true. Services are built on top of each other, stacked like a tower. We and others make assumptions about the cybersecurity, resilience and quality of the bricks further down the tower. The result is that service users are increasingly affected by data breaches and service outages at organisations they have not heard of, with real-world impacts on their lives.

AI and data security

Artificial intelligence (AI) is now everywhere, with some companies incorporating unproven technologies to keep up with the trend. Most of us simply don’t know (or probably care) what happens when we input information into an AI system. We’re unlikely to know how it’s used and stored. There are questions that we don’t think to ask but perhaps should. After all, it’s our information.

Accountability through risk management

With such reliance on third-party services and cloud computing, organisations using such platforms and services must manage them effectively. They need to truly understand ‘all the blocks in their tower’ and ensure effective risk management throughout their supply chain. We won’t stop using online services that improve our lives, but it would be good if we became more curious about how services are delivered. The responsibility for data security sits squarely with the principal service provider. They need to understand the cyber and privacy risks inherent in their own tower, down to the last brick, and build on solid foundations using recognised standards and frameworks.

WRITTEN BY Patrick Burgess & Steve Sands, Member & Chair of BCS Information Security Specialist Group (ISSG)

Strengthening cybersecurity teams through skills-based hiring

A shift to skills-based hiring and training is key to solving cybersecurity’s workforce shortage, creating more opportunities and stronger security teams.

The cybersecurity industry is facing a significant workforce shortage, with organisations often struggling to fill necessary roles. Yet, traditional hiring often overlooks qualified candidates due to rigid degree requirements. Shifting to skills-based hiring expands access to a broader talent pool.

Power of skills-based hiring

Skills-based hiring and training can create more opportunities for aspiring cybersecurity professionals while strengthening organisational security. By focusing on demonstrable skills rather than rigid educational requirements, organisations can tap into a broader talent pool, including self-taught professionals, career changers and graduates from alternative training programmes. While credentials are important, this approach not only fosters diversity in cybersecurity but also ensures that hiring decisions are based on merit and real-world capability rather than credentials alone.

Building training pathways for growth

Cybersecurity is a rapidly changing field. It requires continuous learning and skills development. Cyber talent must be continually developed. Structured upskilling, mentorship and training programmes help professionals advance in their careers. Such initiatives can ensure that organisations nurture talent from within, reducing turnover and fostering a culture of growth and innovation. Importantly, this hands-on learning enables organisations to keep their workforce up to date with emerging cyber threats and technologies.

Advancing cybersecurity by merit

A skills-based hiring and training approach leads to a more capable and well-rounded workforce. Organisations that prioritise skills over credentials create a stronger workforce while enhancing their overall security posture. By embracing this shift, the industry can bridge the talent gap, empower more individuals to enter the field and ultimately create a safer digital landscape for everyone.

WRITTEN BY Lynn Dohm Executive Director, Women in CyberSecurity (WiCyS)

Why firms need ‘exposure management’ to reduce cyber risk for cloud and AI

With cloud apps and AI tools creating potentially harmful gaps in a company’s security infrastructure, it’s time to take a ‘know, expose and close’ approach to risk reduction.

Increasingly, businesses that crave data privacy and protection — which, naturally, should be all of them — are laser-focused on the issue of cloud security. That’s just as well, insists Liat Hayun, VP of Product and Research for Cloud Security at Tenable, and for very sound reasons.

Cloud security challenges increase

First, thanks to AI, companies are now more motivated to store exponentially greater amounts of data in the cloud, including sensitive data.

Second, while most cloud providers offer their customers great security mechanisms, these may not always provide them with the most effective security for their unique needs. Third, because the cloud can be connected to a company’s own on-premises IT architecture, it becomes a tantalising entry point to the infrastructure of the entire organisation and a gift to any would-be attackers.

So, companies must ensure their cloud infrastructure is secure.

The trouble is: just one cloud environment is complex enough.

“But if your business uses multiple cloud environments — for, say, flexibility and/or financial reasons — that complexity is compounded,” says Hayun, highlighting the risks of fragmented tool management as an example. “Different cloud environments will have different tools, each pointing at different problems. Without an aggregated view, some security issues could be missed.”

Added to that are potential risks presented by the shared responsibility model, where different teams manage different aspects of the cloud environment. “These siloed views can create potentially harmful gaps in security, which is why cloud security needs to have its own level of dedication,” explains Hayun.

How AI is accelerating risks for organisations

Unfortunately, the emergence of artificial intelligence only adds to the immediacy of the threat. Simply put, organisations that leverage AI internally are helpfully presenting bad actors with an expanded attack surface and so increasing the risk of security breaches.

“Like any transformative technology, AI can be used for good purposes and malicious purposes,” says Hayun.

“On the malicious side, it can be leveraged for more sophisticated phishing attacks by helping to craft believable emails that victims are more likely to open. AI can also find areas of the cloud environment that are more likely to be misconfigured and therefore exposed. It’s a useful tool for attackers.”

Other risks from AI stem from ignorance rather than malicious intent: staff may unwittingly upload sensitive information to online AI tools, for example. On the plus side, though, AI is transforming methods used to protect the cloud by assessing large amounts of data very quickly to identify patterns or anomalies, flag up suspicious activity and help thwart attacks.

The exposure management approach to cybersecurity

Organisations should introduce a well-designed ‘exposure management’ approach to cybersecurity — that is, identifying, assessing, prioritising and then addressing the security risks they are exposed to, starting with the most critical risks. Tenable sums this up in three words: ‘Know, expose and close.’

The ‘know’ aspect is about helping businesses know their cloud resources and understand where security risks may lurk. “But knowing is not enough,” says Hayun. “To provide actual value, we ‘expose’ issues that matter most to an organisation by assessing, prioritising and aggregating cyber risks so that they can focus on what’s most important to them. Then, we ‘close’ by providing the mechanisms and tools to address, mitigate and remedy the security issues we have found. So, it’s not just equipping organisations with knowledge. It’s also making sure they are able to address issues in the most efficient way.”

Hayun’s advice for any organisation is to understand the very real cyber threats caused by AI and the cloud and act before damage can occur.

“When technology evolves, a new risk emerges that must be addressed with cybersecurity tools,” she says. “Now, AI is being introduced into the cloud environment — and the same thing is happening again.”

INTERVIEW WITH Liat Hayun
VP of Product & Research, Cloud Security, Tenable
WRITTEN BY Tony Greenway
