AWS Rex adds runtime guardrails for agentic AI, but security leaders still need data-layer controls to satisfy compliance and audit demands.
The post AWS Rex Is a Big Step for Agentic AI Security, But Not the Final Layer appeared first on TechRepublic.
When governments introduced stricter online age checks under the UK’s Online Safety Act, the goal was to keep children away from harmful content. But in practice, the system is already showing cracks—and the most telling insight comes from the very users it’s meant to protect.
Children aren’t just countering age checks, they’re actively bypassing them—and often with surprising ease.
According to a new report from Internet Matters foundation, nearly half of children (46%) believe age verification systems are easy to get around, while only 17% think they are difficult. That perception isn’t theoretical. It’s grounded in real behavior, shared knowledge, and increasingly creative workarounds.
From simply entering a fake birthdate to using someone else’s ID, children have developed a toolkit to bypass techniques. Some methods are almost trivial—changing a date of birth or borrowing a parent’s login—while others reflect a growing sophistication. Kids reported submitting altered images, using AI-generated faces, or even drawing facial hair on themselves to trick facial recognition systems.
In one striking example, a parent described catching their child using makeup to appear older—successfully fooling the system.
I did catch my son using an eyebrow pencil to draw a moustache on his face, and it verified him as 15 years old. – Mum of boy, 12
But the problem goes deeper than perception. It’s systemic.
The report reveals that nearly one in three children (32%) admitted to bypassing age restrictions in just the past two months. Older children are even more likely to do so, which shows how digital literacy often translates into evasion capability.
The most common methods?
Despite widespread concerns about VPNs, they play a relatively minor role. Only 7% of children reported using them to bypass restrictions, suggesting that simpler, low-effort tactics remain the preferred route.
In other words, the barrier to entry is not just low—it’s practically optional.
Check Cyble's full analysis report here!
Ironically, even when children attempt to follow the rules, the technology doesn’t always cooperate.
Some reported being incorrectly identified as older—or younger—by facial recognition systems. In cases where they were flagged as underage, enforcement was often inconsistent or temporary. One child described being blocked from going live on a platform for just 10 minutes before being allowed to try again.
This inconsistency creates a loophole where persistence pays. If at first you’re denied, simply try again.
Perhaps the most concerning finding isn’t that children can bypass age checks—it’s that adults can too.
The report states fears that adults may exploit these same weaknesses to access spaces intended for younger users. In some cases, this involves using images or videos of children to trick verification systems. There are even reports of adults acquiring child-registered accounts to blend into youth platforms.
This flips the entire premise of age verification on its head. Instead of protecting children, flawed systems may inadvertently expose them to greater risk.
Adding another layer of complexity, parents themselves are sometimes complicit.
About 26% of parents admitted to allowing their children to bypass age checks, with 17% actively helping them do so. The reasoning is often pragmatic. Parents feel they understand the risks and trust their child’s judgment.
I have helped my son get around them. It was to play a game, and I knew the game, and I was happy and confident that I was fine with him playing it. – Mum of non-binary child, 13
But this undermines the consistency of enforcement. If rules vary from household to household, platform-level protections lose their impact.
Interestingly, the data also suggests that communication matters. Children who regularly discuss their online activity with parents are less likely to bypass restrictions than those who don’t.
The motivations aren’t always malicious. In many cases, children are simply trying to access social media (34%), gaming communities (30%), or messaging apps (29%) that their peers are already using.
What this resonate is a fundamental tension where age verification systems are trying to enforce boundaries in environments where social participation is the norm.
Age verification is often positioned as a cornerstone of online safety. But in practice, it’s proving to be more of a speed bump than a safeguard.
Children understand the systems. They share methods. They adapt quickly. And until the technology—and its enforcement—becomes significantly more robust, age checks may offer more reassurance than real protection.
The financial services ecosystem in India is undergoing rapid digital transformation, and fintech organizations sit at the center of this evolution. With increasing cyber threats targeting digital payments, lending platforms, and financial data, regulatory oversight has intensified. The Reserve Bank of India mandates a strong RBI cybersecurity framework that fintechs must follow to ensure resilience, […]
The post RBI Cybersecurity Compliance Checklist for Fintech Organizations appeared first on Kratikal Blogs.
The post RBI Cybersecurity Compliance Checklist for Fintech Organizations appeared first on Security Boulevard.
NIST Cybersecurity Framework for UK SMEs: A Practical Guide to Identify, Protect, Detect, Respond, and Recover The NIST Cybersecurity Framework is a useful way to organise cybersecurity work around business risk. For UK SMEs, that matters because most teams do not have the time or budget to do everything at once. A framework gives you […]
The post NIST Cybersecurity Framework for UK SMEs: A Practical Guide to Identify, Protect, Detect, Respond, and Recover appeared first on Clear Path Security Ltd.
The post NIST Cybersecurity Framework for UK SMEs: A Practical Guide to Identify, Protect, Detect, Respond, and Recover appeared first on Security Boulevard.
Cybersecurity financial risk is rising in commodity markets as breaches, data loss and espionage threaten operations and investor trust.
The post The Overlap of Cybersecurity and Financial Risk: Protecting Sensitive Data in Commodity Markets appeared first on Security Boulevard.
Shadow AI is spreading across enterprises as employees use AI tools without oversight, creating new data security and compliance risks.
The post What We Do in the Shadows: How CISOs Can Crack Down on Shadow AI appeared first on Security Boulevard.
Protective security is one of those topics that can sound broader and more complex than it needs to be. For UK SMEs, the practical question is simple: what do you need to protect, how much protection is enough, and how do you make it work without creating unnecessary overhead? Within the NCSC Cyber Assessment Framework, […]
The post Protective Security in the NCSC CAF: A Practical Guide for UK SMEs appeared first on Clear Path Security Ltd.
The post Protective Security in the NCSC CAF: A Practical Guide for UK SMEs appeared first on Security Boulevard.
Beyond the "headline breach," modern enterprises face a persistent threat: steady-state data leakage. Learn why traditional privacy definitions fail and how "authorized" data flows in workplace apps create continuous legal and operational risk.
The post Data Privacy Leaks – The Drip, Drip, Drip of Exposure appeared first on Security Boulevard.
Cyber risk used to be the kind of problem you could delegate. Something for the CISO, the IT team, and maybe an external auditor to worry about once a year. That comfort zone is gone. In the last decade, a new reality has set in: a single cyber incident can erase hundreds of millions of […]
The post The $700 million question: How cyber risk became a market cap problem first appeared on TrustCloud.
The post The $700 million question: How cyber risk became a market cap problem appeared first on Security Boulevard.
The Insurance Regulatory and Development Authority of India (IRDAI) has introduced significant amendments to its cybersecurity guidelines in 2026, marking a shift from static compliance to continuous cyber resilience. For insurers, IRDAI compliance is no longer just about implementing baseline controls. The updated framework demands stronger governance, tighter oversight, real-time monitoring, and accountability across business […]
The post IRDAI 2026 Cybersecurity Guidelines for Insurance Companies appeared first on Kratikal Blogs.
The post IRDAI 2026 Cybersecurity Guidelines for Insurance Companies appeared first on Security Boulevard.
The open vs. closed AI model debate misses the bigger issue. Confidential inference secures model weights and data during runtime.
The post Open vs. Closed Weight Models and Why You Need Confidential Inference Either Way appeared first on Security Boulevard.
In conversations I’ve had with CIOs over the past year, there’s been a noticeable shift in how NIS2 (Network and Information Security Directive 2) is being discussed. It used to be filed away as another regulatory hurdle to clear, but now it’s prompting CIOs and their teams to think a little deeper about how well they understand the systems they depend on. For a long time, risk has been largely framed within the boundaries of the organization — something that could be managed through internal controls, policies and audits. But that no longer reflects how digital services are built or delivered. Most organizations I encounter rely on a web of providers spanning cloud platforms, data centers, network operators and software vendors, all working together to create a “patchwork” ecosystem. NIS2 is different because it acknowledges that reality and, in doing so, it’s forcing a broader and sometimes more uncomfortable reassessment of where risk really sits.
What stands out to me is that NIS2 doesn’t just focus on individual accountability, but on the very definition of resilience itself. It recognizes that disruption rarely originates within a single process, or even a single organization. More often, it emerges from the connections between them; from unseen dependencies, indirect relationships and assumptions about how systems will behave under pressure. That’s novel, because it moves the conversation away from whether individual systems are secure, and toward whether the overall architecture those systems sit within can continue to function when something inevitably goes wrong. In that sense, NIS2 is less about tightening cybersecurity controls and more about encouraging a different way of thinking, where resilience is shaped as much by how infrastructure is designed and connected as it is by how it is protected.
One of the most immediate impacts I’m seeing from NIS2 is how it challenges long-held assumptions about control. Speak to any CIO, and they’ll usually talk about securing what sits within their own environments — their applications, services and data. But in practice, very little of today’s digital estate is fully owned because it’s so distributed among third parties with countless links and dependencies. Virtually all business services depend on layers of external providers, each with its own dependencies, architectures and risk profiles. According to the World Economic Forum, the top supply chain risk in 2026 is the inheritance risk — the inability to ensure the integrity of third-party software, hardware or services. NIS2 brings that into sharp focus by extending accountability beyond direct suppliers to include the wider ecosystem that supports them. In essence, it prompts businesses to shift from asking “are we secure?” to “how secure is everything we rely on to operate?”
That’s quite a challenge, because it’s not enough for businesses to simply know their suppliers — they need to understand how deeply interconnected those relationships are. In many cases, the real exposure sits several steps removed, in the providers behind your providers or in shared infrastructure that underpins multiple services at once. The “uncomfortable reassessment” I mentioned earlier is the squaring of this circle — how many organizations have full visibility into that sprawling landscape, let alone the means to control it?
NIS2 is compelling organizations to map dependencies more rigorously, to ask harder questions of their partners and network infrastructure, and to recognize that resilience is only as strong as the most fragile link in the chain. The WEF shows that in 2026, only 33% of organizations map their entire IT supply chain to gain this visibility. And even then, the added risk of unknown service providers, such as is the case when suing the public Internet, where data pathways are neither visible nor controllable, is difficult to quantify.
What I find interesting about NIS2 is that it goes deeper than compliance — it’s trying to trigger a shift in culture. It’s relatively straightforward to introduce new policies, expand reporting requirements or formalize supplier assessments. But what happens when those requirements collide with the reality of how modern IT environments are built? Many organizations simply don’t have a clear, end-to-end view of how their services are delivered, how data flows between providers or how incidents might spread like wildfire across the ecosystem they depend on. NIS2 asks CIOs to look beyond governance frameworks and examine whether their operating models support the level of oversight and responsiveness the directive expects.
And that is where the architecture question becomes essential. It’s one thing to require suppliers to report incidents or meet certain security standards; it’s another thing entirely to ensure that the underlying infrastructure is designed to absorb disruption without cascading failure. In my experience, this is where many organizations begin to realize that resilience cannot be layered on afterwards. It must be built into how systems are structured, how dependencies are managed and how connectivity is established between environments. NIS2 may define what needs to be done, but it doesn’t prescribe how to do it. That responsibility sits with CIOs, who now have to translate regulatory intent into practical design decisions about where workloads run, how services interconnect and how failure is contained when it occurs.
What this ultimately leads to is a big infrastructure rethink. I’m privileged to have had some interesting discussions with CIOs and other executives about this very topic, so I know that resilience is beginning to be understood as more than a set of security controls. Connectivity is now at the heart of resilience, and in that sense, NIS2 has succeeded in getting organizations to think differently about what resilience really means. If a service depends on a single cloud region, a single network path or a tightly coupled set of providers, then no amount of policy or monitoring will prevent disruption when one of those elements fails. I’m pleased to see organizations starting to question these assumptions — not just asking whether systems are secure, but whether they are structured in a way that allows them to continue operating under stress. That shift in thinking does away with the abstract theory of resilience and defines it as something that can be designed and architected.
From a connectivity perspective, this means building in diversity at every level. Distributing workloads across geographically separate locations, establishing multiple, independent network paths and avoiding unnecessary concentration of critical services all contribute to a more resilient architecture. Interconnection plays a starring role here as the mechanism that allows different parts of the digital ecosystem to communicate in controlled, redundant and predictable ways. When designed properly, this kind of architecture limits the blast radius of any single point of failure and makes it easier to maintain service continuity even when parts of the system are down or under strain. The real takeaway here is that resilience is not something any single organization can achieve in isolation. It emerges from the collective design of the entire ecosystem, where each participant contributes to the overall stability of the services they all depend on.
The building blocks are already there. Practices like supplier due diligence, security certifications and business continuity planning are not new. What NIS2 does is raise the bar on how consistently and how deeply they are applied. It also brings a level of structure to conversations that were previously fragmented, particularly when it comes to expectations between partners. And therein lies the strategic upside. Organizations that can clearly demonstrate how they manage risk across their supply chains, how they design for resilience and how they respond to disruption are in a stronger position, not just from a regulatory standpoint, but in how they engage with customers and partners. In some sectors, we’re already seeing this play out through increased requests for transparency, self-assessments and proof of compliance. That trend is only going to accelerate. For CIOs, it’s a golden opportunity to move beyond a defensive posture and position resilience as a key competitive differentiator. It becomes a way to build trust, strengthen relationships and support more sustainable growth, rather than simply a requirement to satisfy regulators.
NIS2 may be the catalyst, but the underlying change runs deeper. It’s pushing CIOs to think beyond compliance and toward a more structural understanding of risk that reflects how digital services operate today.
This article is published as part of the Foundry Expert Contributor Network.
Want to join?
Responsible AI Governance for UK SMEs: A Practical Starting Point Artificial intelligence is moving quickly into everyday business use. For many UK SMEs, that means AI is no longer a future topic. It is already helping with drafting content, summarising documents, handling customer queries, analysing data, and supporting internal decisions. That can bring real value, […]
The post Responsible AI Governance for UK SMEs: A Practical Starting Point appeared first on Clear Path Security Ltd.
The post Responsible AI Governance for UK SMEs: A Practical Starting Point appeared first on Security Boulevard.
In boardroom discussions, data breaches are typically evaluated through the lens of financial impact, regulatory exposure, and operational disruption. While these factors are critical, they often overshadow a more fundamental concern: the consumer. Every piece of personal data collected by an organization represents a relationship built on trust. When that data is mishandled, exposed, or […]
The post Ignoring DPDP Compliance? Here’s the Risk to Your Organization appeared first on Kratikal Blogs.
The post Ignoring DPDP Compliance? Here’s the Risk to Your Organization appeared first on Security Boulevard.
Belgium's NIS2 conformity assessment deadline hits April 18, 2026, and other EU member states are ramping enforcement close behind. See what auditors will demand from your SOC: incident reporting timelines, Article 20 management liability, and automatic documentation.
The post Belgium’s NIS2 Audit Window Opens April 18, 2026. The Rest of the EU Is Right Behind. appeared first on D3 Security.
The post Belgium’s NIS2 Audit Window Opens April 18, 2026. The Rest of the EU Is Right Behind. appeared first on Security Boulevard.
Cyber policy has always lagged cyber reality. Regulations arrive after breaches, frameworks emerge after failures, and accountability structures materialize long after the damage lands on someone else’s balance sheet. NCC Group’s fifth edition of its Global Cyber Policy Radar suggests that cycle is finally breaking — not because governments have gotten smarter, but because the..
The post When Geopolitics Writes Your Compliance Roadmap appeared first on Security Boulevard.
There is a certain irony in watching a statute designed to prevent clandestine eavesdropping on telephone calls become one of the most aggressively deployed tools against ordinary website functionality. The federal Wiretap Act—codified as part of the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §§ 2510–2522—was never intended to regulate marketing pixels, session replay scripts,..
The post From Analytics to “Interception”: How Website Tracking Became a Wiretap Problem—and What Companies Should Do About It appeared first on Security Boulevard.
The technological trajectory is clear: Hash-based systems anchored in the National Center for Missing and Exploited Children (“NCMEC”) database remain highly effective for identifying known CSAM, but they are structurally incapable of addressing synthetic, modified, or previously unseen material. Machine learning systems—trained on large corpora of images—offer the only plausible path forward for detecting novel..
The post Can AI Help “Solve” The Child Porn Problem? Magic 8 Ball Says, “Answer Hazy – Ask Again Later” appeared first on Security Boulevard.
Can Non-Human Identities Securely Navigate the Complexities of Regulated Industries? Ensuring the safety of Non-Human Identities (NHIs) within regulated industries emerges as a paramount concern. NHIs, essentially machine identities, play a critical role in cybersecurity, particularly in sectors that are under stringent regulatory oversight, such as financial services, healthcare, and travel. These industries face unique […]
The post How safe are NHIs in regulated industries appeared first on Entro.
The post How safe are NHIs in regulated industries appeared first on Security Boulevard.
Entrar