Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
OWASP updates top ten risk list
OWASP’s 2025 release of its Top Ten Web Application Security Risks is the first update to the list since 2021. The draft adds two major categories: software supply chain failures, expanding the prior “vulnerable and outdated components,” and mishandling of exceptional conditions. As reported by SecurityWeek, broken access control remains the top risk, while security misconfiguration and software supply chain failures move into the second and third positions, pushing cryptographic failures, injection, and insecure design down the list. OWASP’s ranking blends industry-contributed testing data with community-surveyed categories chosen by practitioners “on the front lines”.
Separately, OWASP introduced its AI Vulnerability Scoring System (AIVSS), which incorporates an agentic AI risk score across ten AI-specific factors and applies an environmental threat multiplier. SC World described AIVSS as aiming to capture risks posed by increasingly autonomous, non-deterministic AI systems.
Cybersecurity in Ireland: defences are stronger, but gaps remain
Senior security leaders in Ireland have strengthened their organisations’ cybersecurity in recent months, but gaps in training, talent, and AI-related investment are slowing progress. That’s according to a survey of 165 senior cyber leaders in sectors such as corporate, health, life sciences, and government, carried out for EY. A majority – 83 per cent – have enhanced their cybersecurity measures, but just 32 per cent say budgets are up. More than 70 per cent struggle to secure funding for staff cyber-awareness training, and 43 per cent face challenges hiring and retaining skilled personnel.
AI and data security are top priorities for nearly half of leaders, and many are updating practices in line with the EU AI Act. However, 44 per cent say AI-security budgets are difficult to obtain, which suggests investment is lagging behind strategy. Supply-chain protection is a priority for 68 per cent of security leaders. Compliance pressures, including NIS2, are driving progress: 47 per cent said they have updated their data handling and monitoring practices and 39 per cent have updated their data protection impact assessment systems. RTÉ’s coverage of the survey highlighted the risk of burnout among security teams due to their workloads.
Data protection and privacy roundup: definitions, trust and hosting concerns
The EU looks set to scale back the General Data Protection Regulation and the AI Act that was due to come into force in 2026. Proposed changes to core elements of the GDPR are intended to make it easier for companies to share anonymised and pseudonymised personal datasets. The European Commission described the changes as “simpler rules”. IAPP called the reforms a “course correction”. Noting pressure from tech giants and the US Government, The Verge put it more succinctly: “Europe has blinked”.
From blinking to linking, the Data Protection Commission identified risks and issues with how LinkedIn was processing data to train its own generative AI models. After the regulator made several recommendations, the company agreed to limit the types and timespan of user data it will use, issue clearer transparency notices, enhance opt-out mechanisms, prevent use of data from under 18s, and filter sensitive information from its training datasets.
In a survey of 550 Irish companies, 51 per cent don’t have a dedicated GDPR compliance role. Nearly two-thirds expect compliance to become more difficult over the next 12 months, and 40 per cent think they don’t get sufficient support from regulators or industry groups. Other compliance risks include fraud prevention and financial services regulation. The figures come from CRIFVision-Net, a provider of credit risk and compliance data.
Finally, health data always carries a high privacy risk because of the sensitive nature of the information involved. The Health Service Executive’s 2024 data-protection log included the revelation that a patient’s clinical image was “inadvertently” shared in a private WhatsApp group. It was one of 624 reported breaches, with the HSE insisting that each breach is subject to internal review and preventive training. Staying with health, researchers from two US universities audited 272 mobile health apps available on Android and found significant privacy risks, intrusions and data misuse. This story looks like a case of ‘the doctor will see you always’.
Links we liked
The password problem we keep pretending to fix.
Three guesses what the (recently robbed) Louvre login was?
The price of stolen Irish credit cards on the dark web more than doubled.
Researchers find satellite comms aren’t as secure as you might expect.
Google anticipates “a new era for AI and security” in its 2026 forecast.
Kevin Beaumont unpicks lessons from Capita’s ransomware incident.
Trend Micro investigates AI-powered scam assembly lines.
Is ‘chief trust officer’ a thing? And if so, what now for CISOs?
Security leaders share experiences from Salesloft Drift supply chain attacks.