Jessica Entwistle
July 16 2026
Today's stories reflect a shift in how organisations need to think about foundational security. The NCSC has issued new guidance on poorly configured network infrastructure being actively exploited by Russian state actors, while separate research shows identity-based attacks have now overtaken software vulnerabilities as the primary route into ransomware incidents. Alongside these developments, the NCSC is offering direct support to small businesses, and researchers have identified a long-standing gap in how Secure Boot protections have been managed across the industry.
The National Cyber Security Centre, alongside partners including the US Cybersecurity and Infrastructure Security Agency, has published a joint advisory warning that Russian state-sponsored cyber actors are actively exploiting poorly configured routers and network devices to gain access to critical infrastructure and enterprise networks. The advisory, published on 13 July 2026, highlights that attackers are targeting edge devices with weak or default credentials, outdated firmware, and inadequate logging, allowing them to establish persistent access and move laterally within organisations. The NCSC reports that this activity has been observed across multiple sectors globally, with a particular focus on organisations in energy, water, transport and communications.
For UK businesses, this is a reminder that perimeter security remains a live operational risk. Routers, firewalls and VPN gateways are often managed separately from endpoint and identity systems, and in many organisations they do not receive the same level of patch discipline, monitoring or access control. When these devices are compromised, attackers gain a foothold that can be difficult to detect and even harder to remove. The advisory makes clear that this is not theoretical risk, it is active targeting of real infrastructure, and the techniques being used are well within the capability of organised criminal groups as well as state actors.
For UK businesses, this is a prompt to review how network edge devices are managed, monitored and maintained. Check whether routers and VPN gateways are running current firmware, whether default credentials have been changed, and whether logging is enabled and being reviewed. Ensure there is clear ownership of these devices within IT and security teams, and that they are included in regular vulnerability and configuration reviews.
Source: NCSC UK
New research published by Dark Reading on 15 July 2026 shows that identity-based attacks, primarily through compromised credentials and phishing, have overtaken software vulnerabilities as the most common root cause of ransomware incidents. The analysis, based on incident response data from 2025, found that email-based credential theft and abuse of legitimate access now account for the majority of successful ransomware deployments. Notably, the research also found that multifactor authentication was deployed in 97 per cent of cases where credentials were used to gain access, but still failed to prevent compromise, often due to MFA fatigue attacks, legacy protocols that bypass MFA, or attackers using session tokens rather than passwords.
This represents a significant shift in how ransomware groups are operating. Rather than spending time finding and exploiting unpatched vulnerabilities, attackers are increasingly focusing on stealing or tricking users into handing over legitimate credentials, then using those credentials to move through an environment in ways that look like normal business activity. The fact that MFA was present in nearly all cases but did not stop the attack highlights that identity security is about more than just enabling a second factor. It requires understanding how authentication is enforced across different systems, whether legacy access routes still exist, and whether monitoring is in place to detect unusual patterns of legitimate credential use.
For many organisations, this is a signal to review how identity is protected beyond the initial login. Consider whether MFA is enforced consistently across all access methods, whether legacy authentication protocols have been disabled, and whether there is visibility into how credentials are being used after authentication. This is also a reminder that user awareness of phishing and social engineering remains a critical layer of defence.
Source: Dark Reading
The National Cyber Security Centre has announced a new initiative offering free, hands-on cyber security consultations to small businesses across the UK. Published on 15 July 2026, the programme provides access to Cyber Advisors who will offer 30-minute one-to-one consultations to help small organisations understand their cyber security risks and take practical first steps to improve their defences. The service is designed to be accessible and jargon-free, recognising that many small businesses lack dedicated IT or security resource and may not know where to start with cyber security. The NCSC has made clear that the service is aimed at helping businesses get the basics right, covering areas such as password management, software updates, backup practices and recognising phishing attempts.
For small businesses, this represents a significant and practical offer of support. Cyber security advice is often expensive, complex or aimed at larger organisations with established IT teams. The NCSC's approach here is to provide direct, human guidance that helps small businesses understand what good practice looks like in their specific context. For larger organisations, this initiative is also relevant, particularly those that work with or rely on small suppliers, contractors or partners. The security posture of smaller organisations in the supply chain is increasingly a material risk for larger businesses, and initiatives that help improve baseline security across the SME sector benefit the wider business ecosystem.
For UK small businesses, this is an opportunity to access expert guidance at no cost. For larger organisations, it is worth considering how you support or encourage smaller suppliers and partners to take up this kind of support, particularly where those relationships involve access to your systems, data or networks. Supply chain security starts with helping the organisations you work with understand and manage their own risks.
Source: NCSC UK
Security researchers have identified eleven vulnerable UEFI shim bootloaders that were signed by Microsoft but later revoked due to security flaws, yet remained trusted on systems for years, effectively allowing attackers to bypass Secure Boot protections. Infosecurity Magazine reported on 15 July 2026 that these bootloaders, some dating back several years, were never properly removed from the trusted boot chain on many systems, meaning that an attacker with administrative access could use them to load unsigned or malicious code during the boot process, even on systems where Secure Boot was enabled and believed to be protecting the system. The issue highlights a gap in how revoked bootloaders are managed across the industry, with many systems not receiving or applying the necessary updates to remove trust from these components.
Secure Boot is designed to ensure that only trusted software can run during the system startup process, protecting against bootkits and rootkits that load before the operating system. However, this research shows that the revocation process for compromised or vulnerable bootloaders has not been consistently applied, leaving a window of opportunity for attackers who gain administrative access to a system. While exploiting this requires an attacker to already have significant access to a machine, it provides a way to establish deep persistence that is difficult to detect and remove. For organisations, this is a reminder that firmware and boot-level security depends on keeping revocation lists up to date, not just applying operating system patches.
For UK businesses, this is a prompt to review whether systems are receiving and applying UEFI firmware updates and revocation list updates, not just operating system patches. Ensure there is a process for managing firmware updates across the estate, particularly for servers and critical infrastructure where boot-level compromise would have significant operational impact. This is also a useful conversation to have with hardware vendors and managed service providers about how firmware security is maintained.
Source: Infosecurity Magazine
The common thread across today's stories is that effective security depends on maintaining discipline across the foundational layers that are easy to overlook. Network devices, identity systems, firmware and supply chain relationships all require the same level of attention as the more visible parts of the security programme. The organisations that manage these areas well are the ones that have made them part of routine operational practice, with clear ownership, regular review cycles, and visibility into what is actually happening across the estate. Good security is not about reacting to every new threat, it is about building and maintaining the habits that make it harder for any threat to succeed.