Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Ground control to major chaos
Another day, another reminder why supply chain security has been rising in prominence recently: a ransomware attack on a company that provides self-service check-in kiosks caused disruption at multiple European airports beginning on Friday 19 September and continuing over the weekend. Among the airports affected were Heathrow, Brandenburg, Brussels, Cork, and Dublin. ENISA, the EU’s cybersecurity agency, confirmed the cause was ransomware. A man was subsequently arrested in the UK following the incident.
The direct victim was Collins Aerospace, which makes MUSE software that powers airport check-in services around the world. When the kiosks running the software were affected, it forced passengers to turn to manual check-in desks. Dark Reading’s analysis focused on “the human impact of increasing cyberattacks on critical infrastructure, especially through third-party software and services”. Emmet Ryan’s reporting on how the story unfolded at Dublin Airport includes a telling line: “The world we live and work in today is heavily reliant on invisible companies”.
A matter of time: 3-5 years to influence workforce security behaviour
When it comes to security awareness, it takes on average 3-5 years to influence workforce behaviour and 5-10 years to achieve lasting culture change. The most mature programmes, those that have been running for more than 10 years with six dedicated employees, achieve sustained, organisation-wide resilience. Those are some key findings from the 2025 SANS Security Awareness Report. Now in its 10th year, it includes responses from more than 2,700 practitioners in over 70 countries. The 32-page document provides benchmarks, challenges, and career insights for professionals working to reduce human cyber risk and build strong security cultures. According to SANS, awareness programme maturity correlates strongly with team size and longevity. Effective programmes require at least 2.8 dedicated full-time staff to impact behaviour, while shifting to culture change needs around 3.9 full-time employees, its research found.
The report also identifies challenges facing awareness professionals, such as lack of time, staffing, and leadership support. Mid-level managers, finance, and operations are frequently blockers to progress. Most awareness initiatives tend to belong to cybersecurity and IT teams. To scale efforts and save time, the SANS report recommends partnerships across HR, communications, and operations, as well as adopting generative AI.
Data protection and privacy roundup: Protected health research and chat control controversy
Let’s start with some positive privacy news: have researchers found a new model for securely sharing health data without privacy risks? Trinity College Dublin’s Irish Longitudinal Study on Ageing has launched TILDA-VISTA, a remote, virtual workspace where researchers worldwide can securely analyse information without needing to be physically present on site. Trinity previously provided this service from a secure physical processing environment. It says the new workspace removes the risk of breaches while staying compliant with ethical and governance requirements. Trinity notes that the data is only accessible to non-commercial entities.
On a more controversial subject, the EU’s drive to combat online child abuse material is running into privacy concerns. Its proposed CSAM regulation, also known as “chat control” legislation, would let authorities issue “detection orders” that push providers to scan private messages on devices. This raises the prospect of scanning people’s text messages. Not only would that undermine end-to-end encryption, it could also breach the EU Charter’s rights to privacy and confidentiality of communications, according to the EU’s own data-protection bodies. Critics from civil society and security researchers warned of false positives, scope creep, and systemic security risks if encryption is weakened (see our media section below for more). European Digital Rights called the measures “draconian”. In an op-ed for The Examiner, Brian Honan called it “potentially an unprecedented policy shift against the democratic values treasured by the European Union”. Council discussions remain divided and the proposal is still evolving.
In Ireland, the Data Protection Commission has launched a safeguarding toolkit for dealing with at-risk or vulnerable adults. It’s intended for organisations in sectors like health, social care, and advocacy. The regulator has also appointed a third commissioner, Niamh Sweeney.
