{"id":240708,"date":"2026-07-06T09:37:00","date_gmt":"2026-07-06T13:37:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/06\/national-defence-requires-much-better-cybersecurity-advice-for-citizens-resilience-media\/"},"modified":"2026-07-06T10:10:10","modified_gmt":"2026-07-06T14:10:10","slug":"national-defence-requires-much-better-cybersecurity-advice-for-citizens-resilience-media","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/06\/national-defence-requires-much-better-cybersecurity-advice-for-citizens-resilience-media\/","title":{"rendered":"National defence requires much better cybersecurity advice for citizens \u2013 Resilience Media"},"content":{"rendered":"<p><a href=\"https:\/\/resiliencemedia.co\/national-defence-requires-much-better-cybersecurity-advice-for-citizens\/\">National defence requires much better cybersecurity advice for citizens \u2013 Resilience Media<\/a><\/p>\n<p><a href=\"https:\/\/resiliencemedia.co\/national-defence-requires-much-better-cybersecurity-advice-for-citizens\/\">https:\/\/resiliencemedia.co\/national-defence-requires-much-better-cybersecurity-advice-for-citizens\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-06 09:37:00<\/a><\/p>\n<p>Source Domain: <a href=\"resiliencemedia.co\">resiliencemedia.co<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points.<br \/>\n\t\t\t\t\t\t\t\tNational security in Europe is being challenged daily by adversaries \u2013 mainly Russia \u2013 from cyber attacks and grey zone sabotage operations. Several high profile figures (politicians and military commanders) have commented that a \u201cwhole of society\u201d effort will be required to defend our continent in the face of these kinds of conflicts.<br \/>\nThat will include defending our nations in cyberspace, and it will not be limited to defending government agencies, military bases, critical national infrastructure and defence companies from malicious hackers. Cyber warfare is a highly effective economic weapon that can be used against all large enterprises, SMBs and every resident who uses the internet in our nations.<br \/>\nAs recent high profile attacks on Jaguar Land Rover, Marks and Spencer and the British Library demonstrate, even large organisations remain highly vulnerable.<br \/>\nAnd the average person pays the price. The British tax payer was obliged to extend a \u00a31.5 billion loan guarantee to support Jaguar Land Rover\u2019s recovery.<br \/>\nIf a future mass cyber attack were considered to be part of a war, cyber insurers might refuse to cover the costs of recovery, and the government would not be able to bail out every affected business. Many large organisations might shut down in such a scenario, with devastating economic and social consequences.<br \/>\nMeanwhile, small organisations (0-49 personnel) account for 99.2% of all UK businesses, but often have little or no cybersecurity. Towards the \u2018micro\u2019 end of this segment (1-9 personnel), there is often little or no differentiation between business and personal systems. Employees often use personal phones or even personal laptops, and even if they don\u2019t, employees often have admin privileges on work devices, meaning they can install whatever software (or malware) they wish. Even the approved software and cloud solutions implemented by these organisations are often consumer-level tools with poor security.<br \/>\nFor example, one of the authors here recently assisted a startup dealing with extremely sensitive client data. The firm was using free, consumer webmail and file sync and share solutions. It gave each employee the admin password for their work laptop, and each employee used a personal phone. For many cloud services, the company maintained only one account, which was shared by every employee. Passwords were insecure, often shared across several different cloud services, and stored in an unencrypted spreadsheet to which all employees had access.<br \/>\nUnsurprisingly, it was soon discovered that multiple machines were infected with malware.<br \/>\nVery obvious issues such as search redirects in browsers had gone unnoticed or, at least, unreported. Former employees retained access to sensitive company resources. Links to confidential folders were not password protected, and were accessible to anyone on the internet.<br \/>\nSuch IT setups for very small companies are not exceptional: virtually all firms with under 10 employees will to some extent blur personal with work systems.<br \/>\nWhich brings us to the personal devices and residential networks of the citizenry. While significant progress on securing mobile and desktop operating systems has been made over recent years, the application market remains the Wild West.<br \/>\nSome of the world\u2019s most popular consumer apps are developed by firms based in adversarial countries. Malicious apps and browser extensions are frequently identified and removed from official marketplaces, despite a range of automated checks designed to prevent them from becoming available in the first place.<br \/>\nOften, these malicious apps and extensions tie back to a relatively small number of prolific cyber crime developers, usually shielded by, and under the ultimate control of, those same adversary countries, and some of them have hundreds of thousands or even millions of users by the time they are identified as malicious.<br \/>\nThere is increasing evidence that hostile state-sponsored actors are developing and promoting apps and extensions that seemingly appear legitimate in order to build a substantial user base, waiting for the day when access to those devices and the traffic to and from them might be useful.\u00a0State-sponsored actors are also now heavily targeting shared code libraries. These are integrated into many different applications, giving these supply chain attacks devastating potential.<br \/>\nBut the uncontrolled nature of consumer and small business apps is only part of the story.<br \/>\nThere is an ever-increasing array of Internet of Things (IoT) devices in every small business and home, from smart speakers, to washing machines, to security cameras. The shockingly insecure state of most of them means that a national-scale attack on small business and home networks could enable an adversary to wreak havoc at a time of their choosing.<br \/>\nUnsecured devices can be hacked, of course, but that may not actually be necessary since recent research shows that even devices sold by major retailers now often come pre-loaded with malware, largely controlled, once again, by cyber crime groups based within adversary countries. Compromised IoT devices can be recruited to form part of so-called botnets; networks of devices controlled remotely by an adversary to do their bidding.<br \/>\nBut what bidding? Well, that would be up to the adversary. Botnets are routinely used in Distributed\u00a0Denial of Service (DDoS) attacks, and the trend towards ever larger DDoS incidents points to the scale of an attack that could be launched if the hybrid war escalates. In 2011-2013, attackers suspected to be linked to the Iranian state caused significant disruption to US financial institutions with a DDoS attack that peaked at around 140 gigabits per second.<br \/>\nFast forward to 2026, and a private cyber crime group behind the Aisuru-Kimwolf botnet launched a DDoS attack that reached 31.4 terabits per second \u2013 nearly 230 times larger than a state-sponsored attack 15 years earlier.<br \/>\nBut an adversary could also simply sabotage the IoT devices under its control en masse. In 2016, for example, the cyber crime group behind the Mirai botnet exploited vulnerabilities in a number of router models to disrupt the internet connections of 100,000 customers in the UK, and 900,000 in Germany.<br \/>\nIn the future, our adversaries might simultaneously push malicious updates to the apps and extensions under their control to either temporarily brick or seriously decay the performance of the computers and phones that they are installed on.<br \/>\nThis could lead to huge social and economic disruption. It would dramatically decay both the ability of the government to communicate with the populace, and the ability of individuals to cope with the wider crisis of a nationwide cyber attack. It would also likely have a severe psychological impact on the population as a whole.<br \/>\nOr the attackers could use control over apps, extensions, smart TVs and speakers to broadcast messages to intimidate the population and spread disinformation.<br \/>\nWestern nations are reported to have carried out this exact type of attack. By some media accounts, in the opening days of the recent attack against Iran, the US and Israel took over a popular app with around 5 million users to convey a message to Iran\u2019s population and its military. Similarly, our adversaries could use their control over many popular apps, extensions, smart TVs and smart speakers to broadcast messages to intimidate our populations and spread disinformation.<br \/>\nAnother possibility is initiating widespread power-sapping activity on attacker-controlled devices to cause a power surge at an unexpected hour, indirectly attacking the power grid. Attacking critical national infrastructure may not require hacking CNI infrastructure itself.<br \/>\nIf the UK\u2019s population is to play its part in defending against these types of attacks, it\u2019s going to need some help.<br \/>\nThe NCSC \u2013 the UK government\u2019s National Cyber Security Centre \u2013 has a mandate to play an essential role in defending against those attacks, as it lays out in its own mission statement: \u201cOur mission is to make the UK the safest place to live and work online so that everyone \u2013 whether at work or at home \u2013 can navigate the cyber landscape safely and with confidence.\u201d<br \/>\nSince its inception almost a decade ago, the NCSC has become a trusted source of cybersecurity advice in the UK. All EU nations have their equivalents; it is a very wise requirement of EU membership.<br \/>\nWhat the NCSC could do<br \/>\nThe NCSC\u2019s website is a well-designed, intuitive platform that guides concerned users through a structured assessment of their own cybersecurity requirements, pointing them towards remediation advice where it is needed.<br \/>\nBut while this much needed advice is welcome, it often doesn\u2019t go far enough. Scan through the pages of advice on the NCSC\u2019s excellent website and you couldn\u2019t fail to notice a couple of things. First, there is a lot of it. Far too much for even the keenest cyber nerd to want to read. Second, it often doesn\u2019t tell the reader precisely what is required of them.<br \/>\nThe NCSC does recommend that we use key pieces of technology to keep our personal data and small business or home networks secure. Anti-virus software, password managers, and VPNs are a few examples.<br \/>\nBut the NCSC doesn\u2019t tell us which products to use. Instead, it provides guidance on the technical features and specifications we should be judging a candidate piece of software against. This technical due diligence is beyond the expertise, and frankly interest, of most citizens. Will your elderly parents or grandparents be determining which vendor is a \u201ctrusted vendor\u201d? Is it fair to expect a hard-pressed small business owner, acting as their own CMO, CFO and Head of HR, to work out how to block access to USB ports on company machines? Of course not.<br \/>\nSo what do people do? They make ill-informed decisions. Or no decisions at all. Our governments should recognise that digital overload is real. It is too much to expect most people to devote the time needed to carefully select the right solutions.<br \/>\nIf our government wants us to do our part in protecting networks and data, it should step up and tell us exactly how.<br \/>\nThe NCSC should develop a national register of approved hardware, software and cloud services that follow secure by design principles, which are transparent about their ownership and that are based in safe jurisdictions.<br \/>\nFor each security tool that the NCSC advises citizens to adopt, a list of approved solutions should be provided, and continuing the NCSC\u2019s existing website design, an intuitive set of simple questions should be used to guide users to the solutions that best meet their needs. The register should be regularly refreshed to make sure that its recommendations remain current, because the level of security offered by any given vendor can change over time.<br \/>\nThe UK has a free market, where vendors should in general be free to compete without the government preferencing one over another. Many in government will therefore be understandably reluctant to consider such a broad ranging register since it risks being perceived as tipping the commercial scale towards specific favoured vendors.<br \/>\nBut while that is a sound principle in general, the scale of the cyber threat and the speed with which it is developing requires that we find a way to work around such qualms where that is necessary to secure the nation.<br \/>\nThe NCSC, with the Department for Science, Innovation and Technology (DSIT), has already taken steps down this road by launching a Software Security Code of Practice and a small network of Cyber Resilience Test Facilities, which technology vendors can work with to get certified. These are valuable programmes, but they are pitched primarily at helping large organisations with IT and procurement teams make informed risk-based decisions about what solutions their organisations implement.<br \/>\nIn contrast, the national register that we are proposing would be designed squarely to guide individual citizens and small business owners, not large organisations.<br \/>\nIt would provide specific approved solutions in every major category of technology. Citizens would not need to digest a complex risk-based certification report. They would simply pick a solution from the register.<br \/>\nAnd the national register would not, in fact, be a certification programme as such, in which each vendor needed to sign up, devote considerable effort to compliance, and pay for expensive audits. That kind of programme works for vendors wanting to sell to government or highly regulated enterprises, but it would simply never scale in the way required.<br \/>\nInstead, our government should staff up a large team of full-time reviewers whose job is to proactively analyse existing commercial solutions. While reviewers could seek the cooperation of vendors, they would mainly assess vendors based on publicly available data.<br \/>\nFor example, reviewers would consider the headquarters jurisdiction of each vendor, its ownership, whether it openly publishes its security policies and what those policies are, how many internal security personnel it employs, any documented history of breaches, the security features it offers, its data processors and infrastructure providers (where visible), and so on. To meet the challenge of our changing world, any vendor based in adversary countries should be automatically barred from the register, regardless of its other merits.<br \/>\nThis kind of security review is far from perfect. But the same is true of even the most extensive and expensive certification audits. And our suggested approach has the very significant advantage of speed and scale. We no longer have time for lengthy consultation periods and incremental roll-outs that don\u2019t genuinely move the needle on which solutions our citizens are actually buying. We need this national register quickly.<br \/>\nAnd the government should fund the NCSC to launch a national-level public safety campaign for this register so that individuals and small business decision makers up and down the country learn about it where they already are: in their social media feeds, in television advertising, on billboards, at events.<br \/>\nNational-level public information campaigns around critical health or economic issues can serve as a useful model here. Current social divisions will mean that some people will be suspicious of any products recommended by the government. But many, many others, confused and worried about cybersecurity, will be grateful for simple guidance that cuts through the noise and allows them to choose secure solutions without the burden of doing their own research.<br \/>\nA large proportion of the populace is keen to do its bit to support national defence. But they are busy and often confused. Give them the clear guidance they need to play their part in this national effort.<br \/>\nMark Philpott is a security specialist based in London. After spending the first half of his career working for the UK government, he moved into consultancy advising governments and commercial organisations globally on security matters.<br \/>\nEd Hare started his career in the diplomatic corps. He then moved into consulting, initially training government agencies and then specialising in working with large international technology firms to improve their competitive strategies around AI, big data, cloud and cybersecurity products. Ed also led many cross-border due diligence projects and investigations.<br \/>\nAs the cybersecurity threat worsened in the 2010s, Ed took charge of security for his small consulting firm. He founded Keosetech in 2022 to help small organisations in high threat sectors such as defence with cyber and physical security, due diligence and investigations. In 2026, Ed also launched SAFE (Security Assistance for Everyone), a pay what you can afford service for low income or vulnerable individuals and families.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>National defence requires much better cybersecurity advice for citizens \u2013 Resilience Media https:\/\/resiliencemedia.co\/national-defence-requires-much-better-cybersecurity-advice-for-citizens\/ Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":240709,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/resiliencemedia.co\/wp-content\/uploads\/2026\/07\/iijruoerocq.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,32],"class_list":["post-240708","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240708"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=240708"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240708\/revisions"}],"predecessor-version":[{"id":240710,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240708\/revisions\/240710"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/240709"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=240708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=240708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=240708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}