We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.
Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites.
We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website. We’ve linked to that page on our website at the end of this email.
This update includes Information Security, Environment, Health & Safety and Quality – click to jump to the relevant section.
Information Security
If you are an IT professional, these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.
Legislative changes
The following security-related legislation came into effect during the quarter. We mentioned the Online Safety Act 2023 as a breaking news story in the last update. After reviewing it, we have published a summary on InfoSec. Organisations may wish to revisit their acceptable use policies in light of that new legislation.
Name | Potentially affected Management Systems | Anticipated impact on Infosec subscribers | High level summary
Online Safety Act 2023 | Security | Low | Legislation intended to make the internet safer, particularly for children, by reducing illegal and harmful content and harassment. It is aimed primarily at service providers, but some requirements have been controversial, particularly those which aimed to make messaging providers scan users’ messages for illegal material, which would require them to bypass encryption. The Online Safety Act has been added to Infosec for subscribers.
Various commencement regulations for Online Safety Act 2023 | Security | Low | Regulatory and enforcement commencement acts
Other updates
Microsoft
Patch Tuesday roundups
- October – Included fixes for more than 100 issues, including three actively exploited zero-days and a patch for the rapid reset attack mentioned under Linux, Android, Google below. More details here
- November – Addressed 64 vulnerabilities, including three which were known to be actively exploited. More details here
- December – 35 patches were released in December, four of which were critical and none known to be actively exploited. More details here
Other
- Microsoft is deprecating VBScript ahead of its complete removal from future releases of Windows client. More here
- Microsoft announced that it will end full security support for Windows 10 on 14th October 2025. MS is encouraging users to upgrade to Windows 11, but users will be able to purchase extended security updates for Windows 10, including Windows 10 Home, for an annual subscription fee.
Apple
Key Apple updates and security fixes
- October – 11 updates were released, including five for iOS and iPadOS and three for macOS (Monterey, Ventura and Sonoma)
- November – Eight updates released, including two for iOS and iPadOS, and three for macOS (two for Ventura and one for Sonoma)
- December – 12 updates, including four for iOS and iPadOS and four for macOS (Monterey, Ventura and two for Sonoma)
- More information can be found on Apple’s security updates page
Linux, Android, Google
- In October, Amazon, Cloudflare and Google released advisories on addressing a rapid reset DDoS attack that affected their various cloud environments. Google provided an overview of the attack. Microsoft included a patch for this in their October Patch Tuesday release.
- Updates were released in October for a number of Linux distros, including Debian and Ubuntu, to address a buffer overflow vulnerability. More here
- Google, Amazon and WhatsApp all announced support for passkeys, or made passkeys the default login setting for users, in further moves away from passwords. Users are now able to use biometrics to log in to supported accounts. More here and here
- Google’s Chrome browser now automatically upgrades all HTTP requests to HTTPS
- A vulnerability in Android was announced where the restricted settings feature could be used to install malware on devices and obtain access to accessibility services. More here
- In late November, a number of Google Drive users reported the loss of several months’ worth of data.
Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies
- With draft standards for Post Quantum Cryptography (PQC) available, the NCSC published guidance on implementing PQC and managing its risks here
- Adding to its body of work around AI, new guidelines for developers were published here
Noteworthy cyber incident and breach news in the quarter
- Probably the largest breach in the quarter affected the 23andMe genetic testing company, with the theft of genetic and ancestry data. It was estimated that nearly 7 million users were affected. 23andMe later appeared to blame the users’ poor password hygiene. Hackers initially breached 14,000 accounts and were then able to scrape the data of 6.9 million users who had opted to share data with people to whom they had genetic links.
- A Spanish aerospace company suffered an attack via LinkedIn messages from a fake recruiter claiming to be from Meta; the messages contained malicious code in the form of coding quizzes and challenges. More info here
- Boeing was hit by a LockBit ransomware incident in November. More here
- Okta confirmed a breach of its support case management system in October. They later informed more than 5,000 current and former employees that their data had been breached, and said the breach affected all Customer Support users. Okta said the breach likely arose when an employee signed in to their personal Google account on a company device. More here, here and here
- The Irish Police confirmed that more than 500,000 records relating to seized vehicles, including personal data, were found online in an unprotected database.
- The British Library suffered a major outage in October.
- OpenAI confirmed that ChatGPT outages in early November were due to DDoS attacks.
- CTS, a managed services provider, confirmed a cyber breach affecting a number of UK law firms in late November. The outage interrupted property transactions.
New and emerging malware and techniques in the quarter
- The FBI published a Private Industry Notification (PIN) warning of new ransomware attack trends, where organisations are hit by two ransomware variants in quick succession, and of new data destruction techniques. The PIN includes recommendations for preparing for and protecting against incidents.
- On a related note, the No More Ransom initiative from Europol provides guidance and decryption tools for cracked ransomware strains here
- Microsoft’s Digital Defence Report claimed that 80-90% of successful ransomware compromises originated through unmanaged devices, including users’ personal devices (BYOD), and that human-operated ransomware attacks, mostly affecting organisations with fewer than 500 users, had increased by 200%. More here and here
Other infosec news
- Researchers announced a credential-stealing flaw, which they have named AutoSpill, affecting some of the big password managers on older Android devices.
- Cisco announced a critical zero-day flaw in its IOS XE software that was seen to be exploited.
- Citrix urged users to patch a widely-exploited vulnerability in NetScaler ADC and Gateway.
- VMware released patches for a critical vCenter vulnerability.
- NSA and CISA released a list of the Top 10 network misconfigurations here
- NSA and CISA released Identity and Access Management guidance for developers and vendors here, with guidance for administrators here
- Amazon announced that all AWS privileged access accounts will be required to use multifactor authentication by mid-2024.
- MGM says the 2023 ransomware attack is likely to cost the organisation more than $100 million.
- Progress Software, the manufacturer of the MOVEit file transfer tool (in which a zero-day vulnerability revealed in May is reported to have affected more than 2,000 of its customers and millions of people), announced a number of vulnerabilities in its WS_FTP Server, which were later seen to be exploited. The company released a number of patches. More here and here
- Google’s Threat Analysis Group said it has seen evidence of government-backed hacking groups exploiting a known vulnerability in WinRAR.
- Noteworthy victories against some high-profile ransomware gangs were announced in the quarter:
  - A joint law enforcement operation took down the Ragnar Locker website in October
  - The FBI took down the BlackCat/ALPHV darknet website in December
  - European law enforcement agencies shut down a ransomware group in November
  - And while we were preparing this update, it was announced that a joint UK and US operation had seized control of the LockBit group’s website
Environment
Legislative changes
No new principal legislation was identified in this quarter. The only relevant legislative changes were one amendment and one commencement order for aspects of acts already summarised on the InfoSec portal, and an extension to The Value Added Tax (Installation of Energy-Saving Materials) Order 2024 relating to Scotland.
Name | Potentially affected Management Systems | Anticipated impact on Infosec subscribers | High level summary
The Value Added Tax (Installation of Energy-Saving Materials) Order 2024 | Environment | Low | Widens the scope of the temporary zero-rate of VAT on the supply and installation of energy-saving materials in Scotland.
The Fluorinated Greenhouse Gases (Amendment) Regulations 2023 | Environment | Low | Corrects an error in Article 16 of the F-gas regulation, which provides for the allocation of quotas for placing hydrofluorocarbons (HFCs) on the market.
Various commencement regulations for Environment Act 2021 | Environment | Low | Amendments relating to biodiversity gain
Health & Safety
Legislative changes
No new principal legislation was identified in this quarter. The only relevant legislative changes were one amendment and one commencement order for aspects of acts already summarised on the InfoSec portal.
Name | Potentially affected Management Systems | Anticipated impact on Infosec subscribers | High level summary
Various commencement regulations for Building Safety Act 2023 & High Risk Buildings Act | Health and Safety | Specialist | Regulatory and enforcement commencement acts
Minor amendments to the Working Time and Flexible Working regulations | Health and Safety | Low | Amends some aspects of eligibility
Round-up of posts and announcements by the Health and Safety Executive (HSE) released in the quarter
- Annual Health and Safety Statistics for 2023 published – summary here
  - Key facts include 1.8 million workers suffering from work-related ill health in 2022/23, with almost half (875,000) relating to stress, depression or anxiety and 27% (473,000) relating to musculoskeletal disorders
  - 2,268 mesothelioma deaths due to past exposure were recorded
  - 135 workers were killed and 561,000 injured in work-related accidents or at work
  - 60,645 RIDDOR-reported injuries
  - 2 million working days lost due to work-related illness and workplace injury, at a cost of approximately £20.7 billion
  - Both the total number of workers suffering from work-related ill health and the number relating to stress spiked during the Coronavirus pandemic (covered in the 2021/22 statistics), and have not returned to pre-pandemic levels
  - Musculoskeletal disorders have declined slightly, but remain fairly constant
- Stress at work – A new free online learning tool for employers was released in November. More here and stress guidance here
- Refreshed asbestos guidance published here
Quality / Other
Legislative changes
No new principal legislation was identified in this quarter. The only relevant legislative changes were two amendments to the Russia Sanctions Regulations that are already summarised on the InfoSec portal.
Name | Potentially affected Management Systems | Anticipated impact on Infosec subscribers | High level summary
The Russia (Sanctions) (EU Exit) (Amendment) (No. 4) Regulations 2023 | Quality | Low | Further amendments to the scope of goods and services covered under The Russia (Sanctions) (EU Exit) Regulations 2023
The Russia (Sanctions) (EU Exit) (Amendment) (No. 5) Regulations 2023 | Quality | Low | Further amendments to the scope of goods and services covered under The Russia (Sanctions) (EU Exit) Regulations 2023