Cyber Coordination Group insights 2025

Good and poor practice Published: 24/04/2026 Last updated: 24/04/2026

This is a summary of discussions held throughout 2025 with industry members of our Cyber Coordination Group (CCG) programme.

CCG members shared cyber resilience insights on 3 topics:

  • Incident response practices and recovery at scale.
  • Implications for cyber security of AI, quantum computing, and other emerging technology.
  • Insider risk management.

Our CCG programme brings together up to 140 firms. Members have contributed their insights into these topics, and we’ve included those that reflect what’s worked well for CCG members and the challenges they’ve found within their firms.

By publishing this, we’re not introducing any additional regulatory expectations – we’re making these insights available so that firms can consider them in the context of our existing expectations, learn from others, and strengthen their cyber resilience capabilities. 

Who this publication applies to

  • Cyber resilience leaders.
  • Operational resilience leaders.
  • Operational risk professionals.
  • Internal audit professionals.
  • Cyber resilience specialists.

Insights summary

1. Prepare senior managers for incident response

Active and sustained involvement from senior management in incident response exercises and testing materially improves organisational decision-making, clarity of communications, and confidence during live incidents.

2. Develop testing approach to strengthen preparedness

Robust testing – especially in live and sandbox environments – reveals operational nuances that tabletop exercises miss, strengthening preparedness for severe but plausible incident scenarios.

3. Be clear with third parties on roles and expectations

Effective third-party engagement remains essential yet challenging. 

Members emphasised the need for clearer contractual obligations, stronger supply chain transparency (especially around AI), and including key suppliers in response and recovery testing. 

This avoids priorities misaligning during a crisis. 

4. Build emerging technologies into your risk framework

AI adoption and post-quantum cryptography (PQC) migration need to be embedded within existing risk frameworks, supported by strong cryptographic hygiene and risk-based prioritisation, to manage transition challenges.

5. Managing insider risk

Insider risk management is most effective when considered enterprise-wide, combining behavioural analytics, strong access management and clear, trust-building communication. However, privacy obligations, monitoring complexity, and differing jurisdictional rules and laws are often important considerations to navigate.

Topic 1: Incident response and recovery

Members discussed approaches to incident response and recovery at scale, focusing on how they test their capabilities, prepare and train internal stakeholders, and develop plans to recover after a severe disruption.

Insights from CCG members on incident response and recovery

Maintain comprehensive service mapping

It’s important to maintain a detailed map of key personnel, technology assets, and third-party services to strengthen response capabilities.  

Effective mapping helped prioritise recovery actions and interdependencies, and was linked to the scenarios used for exercising.

This can help with developing the technology to support a minimum viable service, essential to recovery.

Broaden testing strategies

Sandbox testing is carried out in a controlled environment that replicates live systems. 

Testing in a sandbox as well as in live systems helped members challenge the assumptions that more commonly go untested in tabletop formats.

It also revealed operational nuances, which they then used to improve cyber resilience planning. These included network configurations or firewall dependencies that might otherwise only be identified during real incidents.

Develop severe but plausible scenarios

Developing a diverse set of severe but plausible scenarios is critical to robustly testing important business services (IBS).  

Members found resources such as the Cross Market Operational Resilience Group (CMORG) Dynamic Scenario Library valuable for developing scenarios that reflect a range of incident types and operational impacts.

Engage senior managers early

Senior management engagement from an early stage, including taking part in incident response exercises, was essential for strengthening response capabilities and embedding them across organisations.

If senior managers have rehearsed incidents, tested decision-making roles and escalation paths, they’ll be able to handle live incidents with more confidence and certainty. 

They can make decisions more quickly and communicate more clearly, resulting in a more coordinated and efficient response.

Early Warning service – NCSC

Many members reported benefits from subscribing to the National Cyber Security Centre's (NCSC) Early Warning service. Embedding it into their response planning delivered tangible benefits. It enhanced threat intelligence, enabled earlier detection, and provided additional time to assess exposure to the potential threat. 

Common challenges for incident response

Mapping dependencies

Members reported finding it hard to develop and maintain an accurate map of dependencies, particularly in multinational organisations with complex technology environments. Instead, some have taken a more focused approach, mapping the systems that underpin the most critical components of their IBS rather than attempting high-level mapping of everything.

Working with senior managers

Among those that have less established relationships with their board, securing early and effective senior manager or board-level engagement was often difficult, mainly because of availability and competing priorities. 

Members reported that the NCSC’s Cyber Security Toolkit for Boards was a valuable resource. It supported their messaging with independent guidance and provided a framework for governance discussions. It helped ensure that boards or senior managers considered cyber resilience in the context of existing governance responsibilities, in non-technical language, with clearly structured questions intended to enable confident discussions.

Third-party roles during incidents

It’s important to clearly understand the role of third parties during outages and, where possible, to introduce them into firms’ response and recovery testing. However, it can be difficult to engage third parties on incident response expectations and to negotiate obligations where contractual requirements are limited or there’s no shared history of expectations.


Topic 2: Emerging technologies

Members discussed their firms’ approaches to adopting emerging technologies, including AI, and their implications for cyber resilience.

CCG discussions covered:

  • How members identify the right guidance.
  • How they’re preparing for the transition to post‑quantum cryptography (PQC).
  • Broader technological shifts shaping their cyber resilience strategies. 

Insights from CCG members on emerging technologies

Integrating AI-related risks

Firms are integrating AI-related risks into existing governance frameworks. This maintains consistency and avoids fragmented processes. They are identifying all current as well as anticipated generative AI use cases and mapping them to existing risk categories.

Establishing cryptographic hygiene

Establishing good cryptographic hygiene is an effective foundation for preparing for PQC migration. 

Organisations that practised good hygiene had cryptographic estates that were easier to map, had clear ownership of key lifecycle processes, and vulnerable assets that were simpler to identify. This shifts migration away from a broad discovery exercise to a targeted, risk-led programme. 

Use risk to prioritise migration

PQC migration is important, but because it’s long term and complex in nature, it’s beneficial to prioritise efforts and planning using a risk-based approach.  

Members said this was particularly useful when identifying which assets were critical for migration and when setting migration objectives for those assets.

Sources of migration guidance

Members discussed how they identify the best guidance for PQC migration, highlighting the value of sources such as the NCSC and the G7 Cyber Experts Group (CEG). These provide technically detailed guidance in clear language, setting out quantum risks alongside mitigating actions.
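As an added example (not code from the publication or from any CCG member firm), the script below shows how a mapped cryptographic estate with clear key ownership turns PQC migration into a risk-led triage rather than a broad discovery exercise. The inventory format, the list of quantum-vulnerable algorithms and the scoring weights are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Public-key schemes a cryptographically relevant quantum computer would break (assumed list).
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}

@dataclass
class CryptoAsset:
    name: str
    algorithm: str
    key_bits: int
    owner: Optional[str]        # key lifecycle owner; None is a hygiene gap
    data_lifetime_years: int    # how long the protected data must stay secret
    internet_exposed: bool
    supports_ibs: bool          # underpins an important business service (IBS)

def hygiene_gaps(asset: CryptoAsset) -> list:
    """Hygiene problems that make an asset harder to assess or migrate."""
    gaps = []
    if asset.owner is None:
        gaps.append("no key lifecycle owner")
    if asset.algorithm == "RSA" and asset.key_bits < 2048:
        gaps.append("RSA key below 2048 bits")
    return gaps

def migration_priority(asset: CryptoAsset) -> int:
    """Higher = migrate sooner; 0 = not quantum-vulnerable. Weights are illustrative."""
    if asset.algorithm not in QUANTUM_VULNERABLE:
        return 0
    score = 1
    # Long-lived data is exposed to 'harvest now, decrypt later' collection.
    if asset.data_lifetime_years >= 10:
        score += 3
    elif asset.data_lifetime_years >= 3:
        score += 1
    if asset.internet_exposed:
        score += 2
    if asset.supports_ibs:
        score += 3
    if asset.owner is None:
        score += 1   # unowned assets stall migrations; surface them early
    return score

def triage(inventory: list) -> list:
    """(name, priority, hygiene gaps) per asset, highest priority first."""
    rows = [(a.name, migration_priority(a), hygiene_gaps(a)) for a in inventory]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample inventory (not real assets).
SAMPLE_INVENTORY = [
    CryptoAsset("tls-edge-cert", "RSA", 2048, "platform-team", 1, True, True),
    CryptoAsset("archive-kms", "AES", 256, "data-team", 15, False, True),
    CryptoAsset("partner-vpn", "ECDH", 256, None, 10, True, False),
    CryptoAsset("legacy-signing", "RSA", 1024, "app-team", 3, False, False),
]
```

Calling `triage(SAMPLE_INVENTORY)` ranks the unowned, long-lived, internet-facing VPN key first and leaves the AES archive key at priority 0, while its missing owner is reported as a hygiene gap alongside the score.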

Role-specific training on emerging technologies

Members are developing role-specific technology literacy programmes, enhancing staff awareness of how emerging technologies, like PQC and AI, may affect operational resilience. This includes delivering targeted awareness sessions, establishing communities of practice, and providing clear reference guidance to promote secure, consistent and informed use. 

Common challenges for emerging technologies

Oversight of third parties implementing AI

Third-party AI oversight remains a concern. Members noted that it’s still hard to understand how external suppliers are deploying AI, due to limited visibility and vendors’ inconsistent engagement. 

Assessing whether supplier-led AI activities align with firms’ own risk frameworks can be difficult, and without clearer oversight, built into contractual requirements, firms risk inheriting unknown vulnerabilities. 

Threat actors using AI

Members have observed a rise in threat actors using AI to enhance phishing, vishing and deepfake-enabled attacks. AI makes these more convincing, harder to detect and faster to scale. This heightens operational risk.

With no instantaneous solution available, members said they are working to strengthen their detection capabilities as well as user training. Firms found value in threat information published by the NCSC as well as the G7 CEG Statement on AI and cyber security.

Lack of senior buy-in

For some boards, PQC is viewed as a distant and abstract issue, making it hard to secure sustained senior leadership support. 

Because the benefits are not immediately visible and PQC competes with other operational priorities, firms noted that it can be difficult to gain sustained executive sponsorship.

Training for non-technical teams 

Members highlighted that while PQC training is more available than in 2024, it’s still too often limited to technical training or academic guides and can be difficult to translate into practical steps for non-technology teams. 


Topic 3: Insider risk

Members discussed their experiences of insider risk management from a cyber resilience perspective, including good practice, detection challenges and stakeholder engagement. 

Insights from CCG members on insider risk

Stay joined up

Insider risk management is inherently enterprise-wide across cyber security, financial crime, conduct and ethics, operations, HR, legal and technology. Because of this, it can be extremely challenging to update an approach.

Successful methods for working across so many functions included establishing joint operating forums or cross-functional triage groups to ensure potential risks were not missed, for example as the result of new technology.

Configuring detection tools

When discussing methods to strengthen detection capabilities for insider risks, members found that effectively configuring behavioural analytics and data loss prevention tools was critical, particularly tools that support role-based activity monitoring, detect anomalous access or data movement, and enable the correlation of user activity across systems.

Insider scenario testing

Insider risk scenarios have been effective in strengthening risk understanding and are valuable across both red team and tabletop exercises. 

These scenarios helped members understand how processes could be subverted by a malicious insider with sufficient knowledge and access.

Effective identity and access controls

Identity and access management, if applied effectively, can help prevent, detect and respond to insider activity. 

Members suggested that ensuring access is proportionate to a role, and is regularly reviewed, was likely to reduce insider risk, especially where anomalous activity is quickly identified.

Privileged access management, especially when regularly reviewed, is a further key source of risk reduction.

Senior management support

Members with strong insider risk management said this was down to consistent, senior management-supported messaging.

Practices that supported effective insider risk management included:  

  • Routinely considering insider risk in board risk discussions.
  • Clear senior level accountability.
  • Active challenge on risk appetite, escalation, and outcomes.

Create a culture of security and trust

Members highlighted the importance of fostering a positive security culture in which staff feel trusted, while understanding insider risk monitoring and controls.

Proactive, clear and transparent communication of acceptable use standards and the rationale for monitoring helps reinforce trust, reduce uncertainty, and encourage the right behaviours. This avoids both overreliance on controls and unintended cultural resistance, while supporting consistent application across the organisation.

Common challenges for insider risk

Monitoring user activity

Privacy obligations and employment regulations, particularly in the EU, can limit a firm’s user activity monitoring, such as in relation to vetting and behaviour analysis. This necessitates differentiated approaches to managing insider risk between jurisdictions, which increases complexity and operational overhead.

Controls seen as punitive 

Insider risk controls can be perceived as punitive or disproportionate, rather than protective. 

This risk is heightened by the complexity of consequence management, where decisions must balance legal, HR, regulatory and ethical considerations. 

Without clear governance and consistency in control implementation, security outcomes can appear arbitrary, undermining employee trust and security culture.

High volumes of activity alerts

User activity and monitoring tools generate data in volumes that can be overwhelming for security teams. 

Some members have responded to this with automation and prioritisation, helping to filter out the lower-level alerts.

Calibrating AI tools

AI tools can be successful but are sometimes limited because they don’t understand behavioural context and don’t have sufficiently mature baselines.

They can be made more efficient at insider risk management through well-configured testing and calibration, as well as reviewing alerts to assess whether they are generated appropriately and proportionately.
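Tying together the points above on configuring detection tools, managing alert volumes and calibrating baselines, this added example (not code from the publication or from any member firm) builds a per-user data egress baseline over constructed activity events, correlates it with access events from a second system, and holds back high-priority alerts while a user's baseline is still immature. Field names, thresholds and the sample events are hypothetical.

```python
from collections import defaultdict
from statistics import mean, pstdev

MIN_BASELINE_DAYS = 5   # fewer prior days = immature baseline: low priority only
ABS_FLOOR_MB = 200      # ignore small transfers even if statistically unusual
AFTER_HOURS = set(range(0, 7)) | set(range(20, 24))

def daily_egress(events):
    """Total MB moved out per (user, day) across file share and email."""
    totals = defaultdict(float)
    for e in events:
        if e["system"] in ("fileshare", "email"):
            totals[(e["user"], e["day"])] += e["mb_out"]
    return totals

def after_hours_access(events):
    """(user, day) pairs with VPN or admin access outside office hours."""
    return {(e["user"], e["day"]) for e in events
            if e["system"] in ("vpn", "admin") and e["hour"] in AFTER_HOURS}

def evaluate_day(events, user, day):
    """Score one user-day against that user's own prior history.
    Returns (priority, reason): 0 = no alert, 1 = low, 2 = high."""
    totals = daily_egress(events)
    history = [v for (u, d), v in totals.items() if u == user and d < day]
    today = totals.get((user, day), 0.0)
    if today < ABS_FLOOR_MB:
        return 0, "below absolute floor"
    if len(history) < MIN_BASELINE_DAYS:
        return 1, "baseline immature (%d days of history)" % len(history)
    threshold = mean(history) + 3 * pstdev(history)
    if today <= threshold:
        return 0, "within baseline"
    priority, reason = 1, "egress %.0f MB vs threshold %.0f MB" % (today, threshold)
    if (user, day) in after_hours_access(events):   # cross-system correlation
        priority, reason = 2, reason + "; correlated with after-hours access"
    return priority, reason

def prioritised_alerts(events):
    """Alerting user-days as (user, day, priority, reason), highest first."""
    days = {(e["user"], e["day"]) for e in events}
    scored = [(u, d) + evaluate_day(events, u, d) for u, d in days]
    return sorted([a for a in scored if a[2] > 0], key=lambda a: -a[2])

# Constructed sample: alice has six quiet days, then a large transfer plus
# after-hours VPN; bob is a new joiner with a large transfer but no baseline.
EVENTS = [
    *[{"user": "alice", "day": d, "system": "fileshare", "mb_out": 40 + d, "hour": 11}
      for d in range(1, 7)],
    {"user": "alice", "day": 7, "system": "fileshare", "mb_out": 900, "hour": 22},
    {"user": "alice", "day": 7, "system": "vpn", "mb_out": 0, "hour": 22},
    {"user": "bob", "day": 7, "system": "email", "mb_out": 500, "hour": 14},
]
```

`prioritised_alerts(EVENTS)` raises alice's day 7 to high priority because the spike coincides with after-hours VPN access, while bob's transfer is surfaced only at low priority with an explicit "baseline immature" reason for the reviewer to calibrate against.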

Defining 'insider risk'

Members observed that the scope of insider risk is not always well defined. Some have strengthened their insider risk management by expanding the categorisation of ‘insiders’ to include:

  • Internal employees (including current, prospective and former).
  • Third-party suppliers.
  • Contractors with access to systems and data. 

Background to the CCG programme

We have run the CCG programme since 2017. It currently has 140 member firms within 5 groups, each aligned to a sector. These are:

  • Insurance.
  • Wholesale banking.
  • Retail banking.
  • Investment and asset management.
  • Payments, platforms and trading venues.

The FCA CCG programme also includes an additional group, the Trade Associations Cyber Information Group (TACIG), which includes members from finance sector trade associations.

The CCGs bring together industry cyber resilience and information security leaders to exchange insights and learn from each other. Within the CCGs, members may also meet with representatives from the Bank of England, the Prudential Regulation Authority and the National Cyber Security Centre.

The CCGs are held quarterly and promote engagement across the financial services sector.

We would like to thank CCG members for continuing to contribute their cyber resilience insights. 

Glossary

Cryptographic hygiene

How well an organisation manages its encryption, keys and certificates across systems.

Identity and access management

Controls that ensure individuals only have the access they need, for as long as they need it.

Important business services (IBS)

A service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:

  • Cause intolerable levels of harm to any one or more of the firm’s clients; or
  • Pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.

Insider risk

The risk of harm from people with legitimate access to systems or data, whether malicious or accidental.

Minimum viable service

The lowest level of service needed to continue delivering an important business service during disruption.

Severe, plausible incident scenarios

High-impact scenarios that could realistically occur.

Post‑quantum cryptography (PQC)

Cryptographic algorithms that are designed to secure information against future quantum computers.

Privileged access management

Controls over powerful system access rights.

Red team

A group of authorised security testers who emulate a potential threat actor’s tactics and techniques on an organisation’s cyber security defences in order to identify potential vulnerabilities.