22 Nov 2024

Helen Young MBE is the author of Cyber Security: Law and Guidance.

This is included in our Cyber Law Online Service.

What’s the most common misconception about cyber security and the law that you encounter from organisations?

The most common misconception about cyber security and the law that organisations often encounter is the belief that compliance with legal requirements alone is sufficient to ensure robust cyber security. Many organisations mistakenly assume that meeting the minimum standards set by regulations or frameworks like the GDPR or the NIS Directive equates to comprehensive protection against cyber threats. In reality, cyber security requires a proactive, multi-layered approach that goes beyond mere legal compliance to include continuous risk assessment, incident response planning, and employee training.

What would you say have been the biggest disruptors to cyber security in the UK and the EU since the first edition of Cyber Security: Law and Guidance?

  • Geopolitical Tensions: The ongoing conflict between Russia and Ukraine has heightened cyber threats, with state-sponsored attacks increasing in frequency and sophistication.
  • Ransomware Evolution: Ransomware attacks have become more targeted, with attackers using double extortion tactics, threatening to release sensitive data if ransoms are not paid.
  • Supply Chain Attacks: Incidents like the SolarWinds breach have underscored vulnerabilities in the software supply chain, prompting a re-evaluation of third-party risk management.
  • Regulatory Developments: The introduction and enforcement of new regulations, such as the EU's Digital Operational Resilience Act (DORA), have required organisations to adapt quickly to ensure compliance.
  • AI and Machine Learning: The use of AI in both offensive and defensive cyber operations has changed the landscape, with AI being used to automate attacks and improve threat detection.
  • Remote Work Vulnerabilities: The shift to remote and hybrid work models has expanded the attack surface area, with threats targeting home networks and personal devices.

These factors, among others, have significantly impacted the cyber security strategies of organisations across the UK and the EU.

Many organisations are currently banning the use of generative AI amongst their staff until they know more about the risks it poses. Do you think this is the best way for organisations to approach generative AI?

Generally speaking, banning the use of generative AI can be a cautious initial step for organisations concerned about potential risks. This approach allows them to assess and understand the implications, such as data privacy concerns, intellectual property issues, and security vulnerabilities, without exposing the organisation to unknown threats.

However, instead of a total ban, a more nuanced approach might involve:

  1. Risk Assessment: Conducting a thorough risk assessment to understand the specific threats and challenges posed by generative AI in their context.
  2. Policy Development: Developing clear policies and guidelines on the use of generative AI, including acceptable use cases and security protocols.
  3. Training and Awareness: Educating employees on the potential risks and benefits of generative AI to ensure informed and responsible usage.
  4. Pilot Programs: Implementing controlled pilot programs to explore the safe and beneficial use of generative AI technologies.
  5. Continuous Monitoring: Regularly monitoring the use and impact of generative AI and updating policies and practices as needed.

These steps can help organisations balance innovation with security and compliance concerns.

What would you say will be the biggest challenge to cyber security that organisations will face over the next couple of years?

Potential challenges could include:

  • Evolving Threat Landscape: As cyber threats become more sophisticated, organisations will need to continuously adapt their security measures to protect against new types of attacks, such as advanced ransomware and AI-driven threats.
  • Regulatory Compliance: Keeping up with and complying with an increasing number of cyber security regulations and standards, such as GDPR and the upcoming EU Digital Operational Resilience Act (DORA), will be challenging for many organisations.
  • Supply Chain Security: As demonstrated by incidents like the SolarWinds breach (where the attack vector compromised the Orion software platform, then attackers inserted malware, causing multiple government agencies’ data to be breached and exposing the vulnerabilities of supply chain security), securing the supply chain against attacks will be critical, requiring robust third-party risk management strategies.
  • Remote Work Security: With the continued prevalence of remote and hybrid work models, securing remote work environments against cyber threats will remain a significant challenge.
  • Talent Shortage: The ongoing shortage of skilled cyber security professionals may hinder organisations’ abilities to effectively manage and respond to cyber threats.
  • Integration of New Technologies: As organisations adopt emerging technologies such as AI, IoT, and blockchain, they will need to manage the associated security risks.

Addressing these challenges will require a comprehensive, proactive approach to cyber security, involving continuous risk assessment, investment in security technologies, and ongoing training and awareness programs for employees.