Jessica Entwistle
July 17 2026
Today's brief highlights the operational consequences of insider access, the practical support available to smaller organisations, and the importance of understanding how social engineering techniques continue to evolve. From sentencing in a high-profile transport breach to new NCSC resources for small businesses, the stories reflect both the human side of cybersecurity and the technical discipline required to manage risk across enterprise and operational technology environments.
Owen Flowers, 19, and Thalha Jubair, 20, were each sentenced to five and a half years in prison at Woolwich Crown Court on 16 July 2026 for their role in the 2024 cyber-attack on Transport for London. The Guardian reports that the pair gained access to the heart of TfL's IT systems over four days, compromising the data of millions of commuters and forcing all 27,000 TfL staff to reset their passwords in person. The attack left 148 systems inoperable and cost the organisation £39 million in recovery and remediation. Both individuals were linked to the Scattered Spider hacking group, known for targeting large organisations through social engineering and credential theft. The National Crime Agency and Crown Prosecution Service described the breach as one that gave the attackers the "keys to the kingdom" of London's transport network.
This case underscores the operational impact that insider-level access can have on critical infrastructure and large public sector organisations. The fact that two teenagers were able to penetrate such a significant network and cause widespread disruption highlights the importance of identity and access management, privileged account monitoring, and the ability to detect lateral movement once initial access has been gained. For UK businesses, particularly those managing large workforces or critical services, this is a reminder that access control is not just a technical control but a foundational element of operational resilience. The cost and disruption caused by this breach demonstrate how quickly an attacker with sufficient access can move from initial compromise to organisation-wide impact.
For UK businesses, this is a prompt to review how privileged access is managed, monitored and audited across your environment. Consider whether you have visibility into who holds administrative credentials, how those credentials are protected, and what alerts would trigger if those accounts were used in unexpected ways. This case also reinforces the value of understanding the human and operational side of cybersecurity, not just the technical controls.
Source: The Guardian
The National Cyber Security Centre has announced a new initiative offering free 30-minute cyber security consultations to small businesses across the UK. The NCSC reports that Cyber Advisors will provide hands-on, practical guidance to help small organisations get started with cyber security, addressing a gap in accessible support for businesses that may not have dedicated IT or security teams. The consultations are designed to help small businesses understand their risk, prioritise practical steps, and build confidence in managing cyber security without requiring specialist knowledge or significant budget. This initiative reflects the NCSC's ongoing commitment to making cyber security accessible and actionable for organisations of all sizes.
For many small and medium-sized businesses, cyber security can feel overwhelming, particularly when resources are limited and technical expertise is not readily available. This NCSC initiative provides a practical starting point for organisations that may not know where to begin or what to prioritise. The availability of free, expert-led consultations removes a significant barrier to entry and offers small businesses a trusted source of guidance that is independent, practical and aligned to UK threat intelligence. For larger organisations, this also serves as a reminder of the importance of supply chain security, as many small businesses operate as suppliers, partners or service providers within broader commercial ecosystems. Supporting smaller organisations to improve their security posture benefits the entire supply chain.
For UK businesses, particularly those working with smaller suppliers or partners, this is an opportunity to encourage those organisations to take advantage of the NCSC's free support. If you are a small business yourself, this is a straightforward way to access expert advice and build a foundation for proportionate, practical security. Consider whether your supply chain partners are aware of this resource and whether you can support them in improving their own security posture.
Source: NCSC UK
Microsoft Defender Experts has observed a significant increase in ACR Stealer activity across enterprise environments between late April and mid-June 2026. Microsoft reports that these campaigns are using ClickFix social engineering lures to trick users into executing malicious commands, leading to the theft of browser credentials, authentication tokens and sensitive documents. The attacks are successfully targeting enterprise environments, exploiting user trust and familiarity with legitimate system prompts to gain initial access. ClickFix techniques typically involve fake error messages or system notifications that instruct users to copy and paste commands into PowerShell or other system tools, bypassing traditional email security controls by relying on user interaction rather than malicious attachments or links.
This campaign highlights the continuing effectiveness of social engineering techniques that exploit user behaviour rather than technical vulnerabilities. ClickFix lures are particularly concerning because they can bypass email filtering, endpoint detection and other technical controls by relying on the user to execute the malicious payload themselves. For UK businesses, this is a reminder that security awareness and user education remain critical layers of defence, particularly as attackers continue to refine their techniques to appear legitimate and trustworthy. The theft of browser credentials and authentication tokens can lead to account takeover, lateral movement and data exfiltration, making this a high-impact threat for organisations that rely on cloud services, single sign-on or browser-based authentication.
For many organisations, this is a prompt to review whether your security awareness training covers social engineering techniques that involve fake system prompts, error messages or instructions to run commands. Consider whether your endpoint detection and response tools are configured to alert on unusual PowerShell activity or command execution, and whether your incident response playbooks include steps for responding to credential theft and token compromise. This is also an opportunity to review how browser-based authentication tokens are managed and protected across your environment.
Source: Microsoft Security Blog
CISA has published advisories for multiple vulnerabilities affecting Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix and GuardLogix controllers. CISA reports that successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition, potentially disrupting industrial control systems and operational technology environments. The affected products include CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570 and GuardLogix 5570 controllers running firmware versions up to and including V35.015. Rockwell Automation has released updated firmware versions to address the vulnerabilities and recommends that users update to the latest versions as soon as operationally feasible.
Operational technology environments present unique challenges when it comes to patching and vulnerability management, as many systems cannot be taken offline without affecting production, safety or critical infrastructure operations. However, denial-of-service vulnerabilities in industrial controllers can have significant operational and safety implications, particularly in manufacturing, utilities, critical infrastructure and other sectors where uptime and reliability are essential. For UK businesses operating OT environments, this advisory is a reminder of the importance of maintaining visibility into the firmware versions running on industrial control systems, understanding the patching and update processes for those systems, and ensuring that security updates are applied in a planned and controlled manner. It also highlights the value of network segmentation, monitoring and access control in OT environments, where technical vulnerabilities may remain unpatched for longer periods than in traditional IT environments.
For UK businesses operating industrial control systems or operational technology environments, this is a prompt to review whether you have visibility into the firmware versions running on your controllers, and whether you have a process in place for applying security updates in a way that balances operational continuity with risk management. Consider whether your OT networks are segmented from corporate IT, whether you have monitoring in place for unusual activity, and whether your incident response plans account for the unique challenges of responding to incidents in operational technology environments.
Source: CISA
Good security practice is built on the understanding that risk management is not a one-time project but an ongoing discipline that requires clear ownership, regular review and practical habits that are already in place before incidents happen. The stories in today's brief reflect the importance of understanding both the technical and human sides of cybersecurity, from how access is managed and monitored to how users are trained to recognise social engineering techniques. Whether you are a large organisation managing complex IT and OT environments or a small business taking your first steps in cyber security, the principles remain the same: know what you have, understand who has access to it, and make sure the right people are asking the right questions on a regular basis. Mature security comes from discipline, not drama.