CyberUK Special Edition

Plus: a cyber audit, and time for passkeys

Dear reader,

April brought winds of change: in addition to John McCarthy joining us as Senior Analyst for GCSC, we hired an analyst for GCSC who will start later this month. We have also seen the emergence of Anthropic’s Mythos cyber model hit the headlines (closely followed by one from OpenAI), plus we have completed our cyber law workshops and begun the heavy lifting on implementing the requirements of the Cyber Law.

In total 93 people from 62 different organisations attended our Cyber Law workshops. After pulling together the lessons from these we reported back on the learnings to our Cyber Security Advisors Group (CSAG) yesterday and to our CISO forum just this morning. We’ll be publishing our insights in full after the election period.

This month also marks potential political change in Jersey with the commencement of an election period. During this period you may find we are quieter than usual online, as we are asked to minimise media activity over this period that could distract from the election.

Nonetheless there is a lot happening and we certainly don’t have the luxury of a pause: we report back in this newsletter on a successful visit to NCSC’s CyberUK conference in Glasgow, we are planning the launch of GCSC in Guernsey on 6th June (you heard it here first!), and we will of course continue to respond to emerging cyber security issues, not least the challenge and opportunity of AI. The world does not wait.

My personal takeaways from CyberUK were NCSC’s recognition that passkeys need to replace passwords (something JCSC has been raising for a while now), the value of shared working and collaboration across the Crown Dependencies, and the impact of AI in reducing the time from vulnerability to exploit from what was months to what can now be mere minutes. This requires a completely different response from organisations. More on all these, and how to respond to them, below.

Enjoy the long weekend; when it rains you can come back to this email and read more directly from the team who attended CyberUK, and of course when the sun comes out I’ll be heading to the Jersey Boat Show!

Until next time,

Matt

Bank Holiday closure

As usual, our Operations Centre will be closed for the upcoming Bank Holiday.

However, we’ll still be available. You can:

  • Report an incident to us via [email protected] or using this form

  • Report a vulnerability using this form

  • Call us in an emergency on +44 (0)1534 500 050 in Jersey or +44 (0)1481 736 050 in Guernsey

Newsletter Special: CyberUK Report Back!

Representatives from Jersey joined colleagues from Guernsey, the Isle of Man, Scotland, Wales, Northern Ireland, the UK and countries around the world at CyberUK.

Improving public policy and services

Here two members of the Channel Islands team, Government of Jersey’s Elisabeth Blampied and GCSC’s John McCarthy, report back to you in their own words.

Elisabeth Blampied

Senior Policy Officer, Government of Jersey, Department for the Economy

“From a policy perspective, the annual NCSC CyberUK conference is always a great chance to understand the key cyber challenges being tackled by the UK Government over the next 12 months, which is supported by a funding commitment of £90 million. Focus is shifting from increasing cyber security to improving cyber resilience, with the recognition that success transcends geographical boundaries and governments are only one part of the solution. More pressing than ever is the need and willingness of the public sector, private industries and academia to share, collaborate and lean in to be part of the solution. A key takeaway we can all reflect on for Jersey, even if you are not captured as an ‘operator of essential service’ when our new cyber law comes into force later this year.

Raising the resilience of supply chains is paramount. Small enterprises and sole traders are part of our national cyber defence. The UK government is renewing its effort to increase the take-up of Cyber Essentials to protect these businesses. For Jersey, can you use this framework to start conversations to raise the cyber resilience of small entities within your own ecosystem?

Finally, there was a call to harmonise and move collectively. Whilst national autonomy is respected, across the Five Eyes community the challenges were stressed of working in borderless digitally connected ecosystems where different cyber security legislation, regulation and standards are applied. It will be interesting to see where this call-to-action leads in the next few years.”

Elisabeth Blampied

John McCarthy

Senior Analyst, Guernsey Cyber Security Centre

“This year’s 10th anniversary outing of CyberUK (the National Cyber Security Centre’s flagship event) took place in Glasgow across two days, opening to the skirl of bagpipes and some impactful plenary speeches.  

CEO of the NCSC Richard Horne focused on rapid technological change (in AI and post-quantum cryptography) along with current geopolitical tensions and the impact this is having on the threat landscape. The NCSC sees on average four nationally significant events per week, the majority of which are now linked to nation state actors rather than cybercrime groups.

Security Minister Dan Jarvis MP discussed fearless innovation and resilience, drawing on feats in Glasgow’s history, and the need for baseline cyber hygiene. The opportunity was taken to announce a £90m investment by the UK government into cybersecurity, including support for rolling out Cyber Essentials and the signing of a “Cyber Resilience Pledge” by large organisations.

These themes ran strong for the entirety of the event in messaging from keynote speakers, vendors and delegates alike. Below are some interesting takeaways:

The human layer remains vitally important. While AI models continue to improve in technical capabilities (such as discovering vulnerabilities), AI is predominantly still being used for initial access via social engineering vectors such as phishing and vishing.

Ransomware groups are evolving. There is a growing trend towards “pay or leak” extortions rather than encryption. Where encryption is used, new methods such as partial file encryption help to increase attack speed. A recent case saw less than an hour from initial access to encryption. One group used AI to facilitate an attack and the decryption keys didn’t work, making it effectively destructionware.

The time between a vulnerability being discovered and exploited is narrowing dramatically. Mean “time-to-exploit” in 2021 was one year; it is now one week, with the one-hour milestone expected to be reached in 2026.

The use of AI in cyber defence is necessary to counter this, however it should be used separately from production environments and should not replace human decision making. Time consuming tasks such as alert triage could be outsourced to agentic AI, but care must be taken not to cut off the talent pipeline by removing valuable learning opportunities for younger practitioners.

The message is clear across the community: cyber defenders will need to be agile to keep pace with the rate of change. It will be interesting to see how far we have come at next year’s event in Liverpool.”

John McCarthy

Building bridges and developing local businesses

Elisabeth and John were joined in Glasgow by the Cyber Centres’ Director Matt Palmer, the States of Guernsey’s Emma Jones, and several local private sector providers including Soteria and CyberTec Security. CyberUK provides an opportunity for local cyber providers to reach a UK and an international audience, with some organising their own fringe events. Soteria’s Lynne Capie shares her update below.

Lynne Capie

Director of Jersey-based Crisis Communications specialist Soteria

“Channel Islands Cyber Communications business Soteria hosted a round table CyberUK fringe event last week in Glasgow where they brought together incident responders and Cyber Security Centre representatives from the National Cyber Security Centre, Scotland, Northern Ireland, Wales, Guernsey, the Isle of Man and the Jersey Cyber Security Centre as well as cyber industry experts and academics from across the UK and Crown Dependencies. Bringing together such an experienced group from across the cyber and national security community meant that the quality and openness of the discussion made for a genuinely insightful evening.

The Chatham House rule was applied to the round table discussion, where topics included compliance theatre, supply chain risk, the weaponisation of AI, the importance of strong and experienced leadership and the criticality of effective communications in cyber crisis response.

The event also involved the launch of Soteria's academic research partnership, which we hope to share shortly with the Jersey cyber community in order that you can participate and contribute.”

Lynne Capie

Lynne presenting at a local event

Do you have a cyber initiative, event or collaboration that benefits our Islands? Let us know and we may be able to share it or support you.

Passkeys – time to get moving?

One of the key outcomes from CyberUK 2026 was the NCSC’s statement that they were “overhauling decades of security practice” to recommend passkeys as the best option for securing accounts. Here James McLaren explains what this means and why now is a great time to give passkeys a try.

JCSC Senior Analyst James McLaren

We’ve been keeping a close watch on the development of passkeys for the last couple of years. We’ve published explanations of: 

(Note: we pitched these at a LinkedIn reader level. We may need to come up with something more at the level of Johnny Ball’s Think of a Number as well). 

We have looked at the business benefits of it. Business leaders might be surprised at how much MFA using SMS text messages costs. They might want to think how much they are spending to reset passwords. (Forrester prices password resets at around £70 each). User experience with passkey access is more positive than with passwords and MFA. It’s easier and faster. 

We’ve looked at how people can use passkeys. So far, most passkey use has been customer facing. (Think people logging into Google or similar systems). You can also use passkeys as a replacement for passwords in a single sign-on environment. However, there are complexities to this. And businesses should think carefully about back-up plans. 

We’ve looked at how major players (Google, Apple, Microsoft) have created their own ways of storing passkeys. This is the kicker. The incompatibilities between these systems still make passkeys unnecessarily hard to use consistently. We’ve seen implementations that were excellent. We’ve seen others that were weaker.

We’ve also been tracking how other parts of the world have approached passkeys. For example, the Australians have adopted passkeys in two large scale projects, with quite a lot of success. The Japanese finance industry has gone all-in, but they have had problems because of the range of technologies the passkeys need to serve. 

So yes: passkeys are certainly a more secure solution. Are they also a simple, seamless answer to authentication? Will they encourage ordinary users to replace something they have been using for nearly forty years? Not quite. But now is the time to dip toes in the water with passkeys, if you haven’t tried them already. If you have Gmail – start there. And if you have problems or questions – ask JCSC.

Jersey’s Comptroller & Auditor General issues Cyber Resilience Report

On 17 April Jersey’s Comptroller and Auditor General Lynn Pamment issued her report into Critical Infrastructure Resilience – Cyber Security. We welcome this review and her conclusions, which included 11 key findings. She concluded:

“Jersey’s cyber security is being strengthened through the implementation of the new Cyber Security Law and the supporting Framework. It is essential for the States and for Operators of Essential Services to ensure that their arrangements meet the requirements and expectations placed on them under the new Law.

While Government has taken action to improve its own cyber security resilience there remains considerable work to be undertaken to ensure that the arrangements in place meet minimum expected maturity standards.”

We agree there is work to be done to be ready for the Cyber Security (Jersey) Law, and organisations can access help, support and guidance from JCSC at jcsc.je/cyberlaw.

The Jersey Audit Office report also noted the progress already made by JCSC, stating:

“In April 2025, JCSC was reviewed virtually by the NCSC to conduct an initial evaluation of its process maturity levels. The NCSC produced a summary report which was largely positive towards JCSC in relation to its process maturity and comparison to other small-nation cyber incident response teams.”

We’d like to thank the Jersey Audit Office, UK NCSC, and everyone else who has supported and challenged us on our journey to maturity.

Cyber Law: Workshop outcomes and next steps

Thank you again to everyone who attended the workshops on the Cyber Security (Jersey) Law - we were delighted with the engagement, feedback and input which we’ve already used to refine our approach. We published the recording of the workshop presentation online, along with the slides and an online version of the key questions. If you have missed the workshops or were unable to attend, you can watch the video and provide your feedback online to help us tailor our support.

We’re now waiting for a response from the Privy Council so the law can be brought in.

You can still access the resources from the workshops via our website here, and in due course we’ll publish the findings from the workshops here too.

That’s a wrap!

Yes we’re a bit shorter than usual due to the CyberUK special 😃