Cyber Advisory Briefing - May 2026

In this issue:

• Breakdown of a £963,900 ICO fine

• How attackers remained undetected for 20 months

• Key vulnerabilities affecting UK businesses

• Cyber Essentials v3.3 changes

• Practical steps to reduce risk

## Cyber Security Is Now a Business Survival Metric

Cyber security is no longer just an IT concern; it is now a core business risk.

Recent events across the UK demonstrate that organisations can no longer rely on reactive approaches. Waiting for performance issues or a security incident is no longer acceptable. Proactive controls are now an expectation from both regulators and customers.

In May 2026, the Information Commissioner’s Office (ICO) issued a £963,900 fine to South Staffordshire Water following a serious data breach.

The incident originated from a single phishing email in September 2020. Attackers were able to gain access and remain undetected within the organisation’s network for 20 months.

When the attackers became active:

• 4.1 terabytes of data was exfiltrated

• Personal and financial data was exposed

• Over 633,000 individuals were affected

### Key Failures Identified

- Use of unsupported legacy systems

- Limited network monitoring coverage

- Lack of effective vulnerability scanning

This case highlights a consistent pattern: breaches often occur due to gaps in basic security controls rather than advanced attack techniques.

## What This Means for SMEs

Many small and medium-sized businesses assume they are unlikely targets.

In reality:

- Attackers use automated tools to scan for weaknesses

- They focus on the easiest entry points

- They can remain undetected for extended periods

For most SMEs, a prolonged breach or outage would result in serious operational and financial impact.

## Key Vulnerabilities This Month

Recent threats have focused on critical vulnerabilities in widely used systems.

### cPanel Vulnerability

Attackers can take control of hosting environments, encrypt data, and disrupt services such as websites and email.

### Palo Alto VPN Flaw

Attackers can bypass authentication mechanisms entirely by forging session credentials, effectively impersonating legitimate users.

In practical terms, these vulnerabilities act like “master keys”, allowing attackers to bypass standard login protections.

## Cyber Essentials v3.3 Update

Recent updates to Cyber Essentials introduce stricter requirements.

### Key changes:

- Critical patches must be applied within 14 days

- Failure to meet this window results in automatic failure

- Multi-Factor Authentication (MFA) is now mandatory where available

These changes reflect the increasing speed at which vulnerabilities are exploited.

## 3 Practical Actions to Take

### 1. Know Your Assets

Maintain a complete and accurate inventory of:

- Devices

- Servers

- Cloud services

- Internet-facing systems

Without visibility, risks cannot be properly managed.

### 2. Enforce a 14-Day Patch Cycle

Ensure critical updates are applied within two weeks.

This should be:

- Automated where possible

- Regularly reviewed

- Clearly documented

### 3. Implement Strong MFA

Move beyond basic SMS authentication.

Use:

- Authenticator applications

- Hardware security keys

These provide stronger protection against credential-based attacks.

## Final Takeaway

Most cyber incidents are not the result of highly advanced techniques. They occur because:

- Basic controls are missing

- Known vulnerabilities are not addressed

- Visibility is limited

Ensuring foundational security measures are consistently applied remains the most effective way to reduce risk.