
Five Predictions for Cyber Security Trends in 2026 

4 February 2026 at 04:17

During a recent Threat Watch Live session, Adam Pilton challenged Morten Kjaersgaard, Heimdal’s Chairman and Founder, to predict three cyber security trends for 2026. Adam added his own predictions, drawing from his experience as a former cybercrime detective. Spoiler: both Morten and Adam agreed that 2026 will bring a sharper focus on compliance. Here’s what they predict. SMBs catch a break if they’ve done compliance right. Hackers recently discovered there’s no use in targeting […]

The post Five Predictions for Cyber Security Trends in 2026 appeared first on Heimdal Security Blog.

Security Is Shifting From Prevention to Resilience

3 February 2026 at 12:01

Dan Cole, senior vice president of product management at Sophos, unpacks how cybersecurity strategy is shifting from a prevention-first mindset toward resilience and response. Cole traces his career from the early days of mass malware outbreaks like Melissa and ILOVEYOU through today’s environment of nation-state actors, AI-assisted attacks, and sprawling hybrid workforces. While the tools..

The post Security Is Shifting From Prevention to Resilience appeared first on Security Boulevard.

Using AI Agents to Separate Real Risk From Vulnerability Noise

3 February 2026 at 11:13

Snir Ben Shimol, CEO and co-founder of Zest Security, talks about why vulnerability and exposure management has become one of the most stubborn problems in security operations. Ben Shimol argues that the numbers are getting worse, not better. Exploitation has become the top initial access path, new CVEs keep piling up and teams are still..

The post Using AI Agents to Separate Real Risk From Vulnerability Noise appeared first on Security Boulevard.

Ad Fraud Is Exploding — Dhiraj Gupta of mFilterIt Explains How Brands Can Respond

30 January 2026 at 05:34


Ad fraud isn’t just a marketing problem anymore — it’s a full-scale threat to the trust that powers the digital economy. As Data Privacy Week 2026 puts a global spotlight on protecting personal information and ensuring accountability online, the growing fraud crisis in digital advertising feels more urgent than ever.

In 2024 alone, fraud in mobile advertising jumped 21%, while programmatic ad fraud drained nearly $50 billion from the industry. During Data Privacy Week 2026, these numbers serve as a reminder that ad fraud is not only about wasted budgets; it is also about how consumer data moves, gets tracked, and is sometimes misused across complex ecosystems.

This urgency is reflected in the rapid growth of the ad fraud detection tools market, expected to rise from $410.7 million in 2024 to more than $2 billion by 2034. And in the context of Data Privacy Week 2026, the conversation is shifting beyond fraud prevention to a bigger question: if ads are being manipulated and user data is being shared without clear oversight, who is truly in control?

To unpack these challenges, The Cyber Express team, during Data Privacy Week 2026, spoke with Dhiraj Gupta, CTO & Co-founder of mFilterIt, a technology leader at the forefront of helping brands win the battle against ad fraud and restore integrity across the advertising ecosystem. With a background in telecom and a passion for building AI-driven solutions, Gupta argues that brands can no longer rely on surface-level compliance or platform-reported metrics. As he puts it,
“Independent verification and data-flow audits are critical because they validate what actually happens in a campaign, not just what media plans, platforms, or dashboards report.”
Read the excerpt from the Data Privacy Week 2026 interview below to understand why real-time audits, stronger privacy controls, and continuous accountability are quickly becoming non-negotiable in the fight against fraud and in rebuilding consumer trust in digital advertising.

Interview Excerpt: Data Privacy Week 2026 Special

TCE: Why are independent verification and data-flow audits becoming essential for brands beyond just detecting ad fraud?

Gupta: Independent verification and data-flow audits are critical because they validate what actually happens in a campaign, not just what media plans, platforms, or dashboards report. They provide evidence-based accountability to regulators, advertisers, and agencies, allowing brands to move from assumed compliance to provable control. Importantly, these audits don’t only verify whether impressions are real; they also assess whether user data is being accessed, shared, or reused, such as for remarketing or profiling, in ways the brand never explicitly approved. In today’s regulatory environment, intent is no longer enough. Brands must be able to demonstrate operational control over how data moves across their digital ecosystem.

TCE: How can unauthorized or excessive tracking of users occur even when a brand believes it is compliant with privacy norms?

Gupta: In many cases, this happens not due to malicious intent, but because of operational complexity and the push for funnel optimization and deeper data mapping. Common scenarios include tags or SDKs triggering secondary or tertiary data calls that are not disclosed to the advertiser, and vendors activating new data parameters, such as device IDs or lead identifiers without explicit approval. Over time, incremental changes in tracking configurations can significantly expand data collection beyond what was originally consented to or contractually permitted, even though the brand may still believe it is operating within compliance frameworks.

TCE: How does programmatic advertising contribute to widespread sharing of user data across multiple intermediaries?

Gupta: Programmatic advertising is inherently multi-layered. A single ad impression can involve dozens of intermediaries like DSPs, SSPs, data providers, verification partners, and identity resolution platforms, each receiving some form of user signal for bidding, measurement, or optimization. While consent is often collected once, the data derived from that consent may be replicated, enriched, and reused multiple times across the supply chain. Without real-time data-flow monitoring, brands have very limited visibility into how far that data travels, who ultimately accesses it, or how long it persists across partner systems.

TCE: What risks do brands face if they don’t fully track the activities of their data partners, even when they don’t directly handle consumer information?

Gupta: Even when brands do not directly process personally identifiable information, they remain accountable for how their broader ecosystem behaves. The risks include regulatory exposure, reputational damage, erosion of consumer trust, and an inability to defend compliance claims during audits or investigations. Regulators are increasingly asking brands to demonstrate active control, not just contractual intent. Without independent verification and documented evidence, brands effectively carry residual compliance risk by default.

TCE: Why do consent frameworks sometimes fail to ensure that user data is controlled as intended?

Gupta: Consent frameworks are effective at capturing permission, but far less effective at enforcing downstream behaviour. They typically do not monitor what happens after consent is granted, whether data usage aligns with stated purposes, whether new vendors are added, or whether data access expands over time. Without execution-level oversight, consent becomes symbolic rather than operational. For example, data that was shared for campaign measurement may later be reused by third parties for audience profiling, without the user’s awareness and often without the brand’s visibility.

TCE: How can brands bridge the gap between regulatory intent and real-world implementation of privacy rules?

Gupta: Brands need to shift from document-based compliance to behaviour-based verification. This means auditing live campaigns, tracking actual data access, and continuously validating that data usage aligns with both consent terms and declared purposes. For instance, in quick-commerce or hyperlocal advertising, sensitive data like precise pin codes can be captured through data layers or partner integrations without the brand’s direct knowledge. Only runtime monitoring can surface such risks and align real-world execution with regulatory intent.

TCE: What strategies or tools can brands use to identify unauthorized data access within complex digital ecosystems?

Gupta: Effective control requires continuous, not one-time, oversight. Key strategies include independent runtime audits, continuous monitoring of data calls, partner-level risk scoring, and full data-journey mapping across platforms and vendors. Rather than relying solely on contractual assurances or annual audits, brands need ongoing visibility into how data is accessed and shared, especially as campaign structures, vendors, and technologies change rapidly.

TCE: How does excessive tracking or shadow profiling affect consumers’ privacy and trust in digital services?

Gupta: Consumers are becoming increasingly aware of how their data is used, and excessive or opaque tracking creates a perception of surveillance rather than value exchange. When users feel they have lost control over their personal information, trust declines, not only in platforms, but also in the brands advertising on them. For example, when consumers receive hyper-local ads on social media for products they were discussing offline, they often perceive it as continuous tracking, even if the data correlation occurred through indirect signals. This perception alone can damage brand credibility and long-term loyalty.

TCE: In your view, what will become the most critical privacy controls for organizations in the next 2–3 years? What practical steps can organizations take today?

Gupta: The most critical controls will be data-flow transparency, strict enforcement of purpose limitation, and continuous partner accountability. Organizations will be expected to prove where data goes, why it goes there, and whether that usage aligns with user consent and regulatory expectations. Privacy will increasingly be measured by operational evidence, not policy declarations. Practically, brands should start by independently auditing all live trackers and data endpoints, not just approved vendors. Privacy indicators should be reviewed alongside media and performance KPIs, and verification must be continuous rather than episodic. Most importantly, privacy must be treated as part of the brand’s trust infrastructure, not merely as a compliance checklist. Brands that invest in transparency and control today will be far better positioned as regulations tighten and consumer expectations continue to rise.
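The runtime audit Gupta describes across these answers (independently checking every live tracker and data endpoint, catching the secondary and tertiary calls a tag or SDK fires that were never disclosed, and spotting parameters such as device IDs or precise pincodes leaving for partners the brand never approved) can be prototyped over a single captured page load. The block below is an added, constructed example written for this page; it is not mFilterIt's tooling and is not something the interview provides. The vendor allowlist, hostnames, request capture and the sensitive-parameter heuristics are all assumptions.

```python
"""Runtime audit of a campaign page's outbound calls: who receives data, via whom, and was it approved?

Added illustration, not mFilterIt tooling. The captured requests, the vendor allowlist and the
sensitive-parameter heuristics below are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed allowlist: vendor host -> parameters the contract/media plan lets it receive.
APPROVED_VENDORS = {
    "analytics.example-dsp.com": {"campaign_id", "creative_id", "click_id"},
    "tag.example-verify.com": {"campaign_id", "viewable"},
}

# Parameter names and value shapes that indicate user-level or location data (assumed heuristics).
SENSITIVE_NAMES = {"idfa", "gaid", "device_id", "advertising_id", "email", "phone", "pincode", "lat", "lon"}
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
PINCODE_RE = re.compile(r"^\d{6}$")          # six-digit postal code, as in the hyperlocal example
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class Request:
    url: str
    initiator: str          # URL of the page or script that triggered this call


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str               # unapproved_vendor | chained_call | sensitive_leak | undisclosed_parameter
    detail: str
    depth: int              # 1 = page called it directly, 2 = a vendor tag called it, 3 = that vendor's call did


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def is_first_party(host: str, first_party: str) -> bool:
    return host == first_party or host.endswith("." + first_party)


def approved_params(host: str):
    for vendor, params in APPROVED_VENDORS.items():
        if host == vendor or host.endswith("." + vendor):
            return params
    return None


def is_sensitive(name: str, value: str) -> bool:
    return name.lower() in SENSITIVE_NAMES or bool(
        UUID_RE.match(value) or PINCODE_RE.match(value) or EMAIL_RE.match(value))


def call_depth(req: Request, by_url: dict, first_party: str) -> int:
    """Follow the initiator chain back to the first-party page; each third-party hop adds one."""
    depth, cur, seen = 1, req, set()
    while not is_first_party(host_of(cur.initiator), first_party) and cur.initiator not in seen:
        seen.add(cur.initiator)
        depth += 1
        nxt = by_url.get(cur.initiator)
        if nxt is None:            # initiator script was not in the capture; stop counting here
            break
        cur = nxt
    return depth


def audit(requests: list, first_party: str) -> list:
    """Return findings for every third-party call, classified against the allowlist."""
    by_url = {r.url: r for r in requests}
    findings = []
    for r in requests:
        host = host_of(r.url)
        if is_first_party(host, first_party):
            continue
        depth = call_depth(r, by_url, first_party)
        allowed = approved_params(host)
        caller = host_of(r.initiator)
        if allowed is None:
            findings.append(Finding(host, "unapproved_vendor", f"called by {caller}", depth))
        if depth > 1:
            findings.append(Finding(host, "chained_call", f"triggered by {caller}", depth))
        for name, value in parse_qsl(urlsplit(r.url).query, keep_blank_values=True):
            if allowed is not None and name in allowed:
                continue                                   # disclosed and approved for this vendor
            if is_sensitive(name, value):
                findings.append(Finding(host, "sensitive_leak", f"{name}={value}", depth))
            elif allowed is not None:
                findings.append(Finding(host, "undisclosed_parameter", name, depth))
    return findings


def data_journey(requests: list, first_party: str) -> dict:
    """Map each third-party host to how many hops from the page its data travelled."""
    by_url = {r.url: r for r in requests}
    return {host_of(r.url): call_depth(r, by_url, first_party)
            for r in requests if not is_first_party(host_of(r.url), first_party)}


# Constructed capture of one landing-page load (what a HAR file or proxy log would give you).
PAGE = "https://shop.example/landing"
VERIFY_TAG = "https://tag.example-verify.com/tag.js?campaign_id=c42&viewable=1&gaid=8a1c3f2e-5b7d-4e9a-9c1f-2d3e4f5a6b7c"
ID_SYNC = "https://sync.example-idgraph.net/match?gaid=8a1c3f2e-5b7d-4e9a-9c1f-2d3e4f5a6b7c&pincode=560001"
SAMPLE_REQUESTS = [
    Request("https://analytics.example-dsp.com/collect?campaign_id=c42&click_id=0f9e8d7c-6b5a-4c3d-8e2f-1a2b3c4d5e6f", PAGE),
    Request(VERIFY_TAG, PAGE),                       # approved tag, but it also sends a GAID
    Request(ID_SYNC, VERIFY_TAG),                    # the tag's own secondary call to an unapproved host
    Request("https://px.example-profiler.io/p?uid=8a1c3f2e-5b7d-4e9a-9c1f-2d3e4f5a6b7c", ID_SYNC),  # tertiary call
]

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS, "shop.example"):
        print(f"depth {f.depth}  {f.kind:22} {f.host}: {f.detail}")
```

In practice the request list comes from a browser HAR export or an intercepting proxy run against the live campaign page, and the allowlist from the media plan and data-processing agreements. The `depth` value is what turns a flat list of calls into the data-journey map Gupta mentions: anything at depth 2 or deeper was decided by a vendor, not the brand, and the approved verification tag leaking a GAID at depth 1 is exactly the case where an allowlisted partner has quietly expanded what it collects. Findings keyed by host feed directly into partner-level risk scoring.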

The Cyber Express Weekly Roundup: Leadership Changes, Blackouts, Malware, and AI Safety Actions


The second week of 2026 brought new cybersecurity issues affecting national security, public stability, business operations, and technology governance. Developments this week ranged from senior intelligence leadership appointments and nationwide internet shutdowns to data breaches, new cybercrime services, and regulatory pressure on generative AI platforms. Across regions and sectors, the incidents reflect how cyber risks now extend beyond technical environments into policy decisions, civil rights, financial systems, and public trust. Governments, enterprises, and technology providers faced challenges tied to resilience, accountability, and threat escalation, reinforcing cybersecurity’s role as a strategic issue rather than a purely operational one.

The Cyber Express Weekly Roundup 

X Tightens Grok AI Restrictions 

X (previously Twitter) introduced new restrictions on its AI chatbot Grok to prevent the creation of nonconsensual sexualized images, including content that may constitute child sexual abuse material. Measures include blocking sexualized image edits of real people, limiting image generation to paid users, and applying geoblocking where such content is illegal. The changes follow widespread abuse reports and ongoing investigations by U.S. and European authorities.

NSA Appoints Timothy Kosiba as Deputy Director 

The National Security Agency announced the appointment of Timothy Kosiba as its 21st Deputy Director, making him the agency’s senior civilian official responsible for strategy execution, policy, and operational priorities. Kosiba brings more than 30 years of experience across the U.S. intelligence community, including senior roles at the NSA and U.S. Cyber Command, overseas liaison assignments, and leadership of major operational units.

Iran Enters Fourth Day of Nationwide Internet Blackout 

Iran entered a fourth day of a nationwide internet blackout amid widespread unrest linked to the collapse of the rial, now trading at 1.4 million to the U.S. dollar. Authorities reduced national connectivity to approximately 1%, cutting off communications for more than 80 million people. Reports indicate thousands have been detained and hundreds killed since protests began, drawing international concern over censorship, human rights, and crisis communications.

Dr. Amit Chaubey Warns of Expanding “Business Blast Radius” 

In an interview with The Cyber Express, Dr. Amit Chaubey said cyber incidents in 2026 are creating a broader “business blast radius,” extending beyond IT into national resilience, legal exposure, operational continuity, and public trust. He identified failures in external dependencies, such as cloud services, identity systems, connectivity, and key suppliers, as the primary drivers of large-scale disruption, warning that many organizations remain unprepared for sustained degraded operations.

Endesa Data Breach Affects Energía XXI Customers 

Spanish energy provider Endesa disclosed a data breach involving unauthorized access to its commercial platform, impacting customers of its regulated operator Energía XXI. Exposed data includes identification details, contact information, national identity numbers, contract data, and possibly payment information such as IBANs. Endesa stated that account passwords were not compromised and reported no evidence of data misuse as investigations continue.

New Android Banking Malware deVixor Identified 

Cyble researchers identified a new Android banking malware called deVixor, a remote access trojan combining credential theft, device surveillance, and ransomware functionality. Active since October, the malware targets Iranian users through phishing sites distributing malicious APKs and is operated as a service-based criminal platform using Telegram and Firebase infrastructure. Researchers noted the malware’s scalability and long-term operational design.

Microsoft Disrupts RedVDS Cybercrime Platform 

Microsoft announced the takedown of RedVDS, a cybercrime-as-a-service platform costing $24 per month that provided criminals with disposable virtual machines for fraud operations. In coordination with international law enforcement, Microsoft seized infrastructure linked to an estimated $40 million in reported U.S. fraud losses, with victims across healthcare, real estate, nonprofit, and other sectors. The action marks Microsoft’s 35th civil case against cybercrime infrastructure.

Weekly Roundup Takeaway 

This week’s events highlight how cybersecurity in 2026 directly affects governance, economic stability, civil rights, and technology accountability. From intelligence leadership changes and state-imposed internet shutdowns to advanced malware, large-scale fraud platforms, and AI safety enforcement, cyber risks now demand coordinated action across policy, regulation, and operations rather than technical controls alone. 

Inside the 2026 Business Blast Radius: Dr. Amit Chaubey on Why Cyber Disruption Is Now a Sovereign Risk


In an exclusive interview with The Cyber Express, Dr. Amit Chaubey, Managing Director and Board Chair of Chakra-X, Founder & CEO of NIAD Technologies, and Board Director for Yirigaa – An Aboriginal Business, provides new insight into what he calls the “2026 Business Blast Radius”, a rapidly expanding risk landscape where cyber incidents spill far beyond IT and into national, economic, and societal consequences. Over the course of his career, Dr. Amit has held influential leadership roles across the industry, including Chair of the AISA NSW branch, Cyber Ambassador for Investment NSW, and multiple advisory board positions.

The Expanding Blast Radius in 2026 

According to Dr. Amit, the most dangerous cyber events facing large organizations in 2026 will not necessarily originate inside corporate networks. Instead, the greatest risk comes from outside dependencies failing simultaneously, such as power, connectivity, cloud platforms, identity systems, and core suppliers, forcing organizations to operate with reduced visibility, coordination, and control.

This is the new “business blast radius”: a disruption that may begin as a cyber incident or geopolitical shock but rapidly becomes a continuity, safety, legal, and trust crisis. Dr. Amit describes it as a sovereign resilience challenge, one that can escalate into national consequences across critical infrastructure and essential services. Crucially, this blast radius is expanding faster than most boards and executives realize.

When “the lights go out,” whether due to a cyberattack, cascading technology failure, or deliberate containment action, organizations don’t just lose IT systems. They lose coordination itself: approvals, communications, trusted records, customer service, logistics, payroll, and the ability to make confident decisions.

Threat Activity Accelerating in 2025 

This expanding risk is reinforced by threat intelligence. According to Cyble's Global Cybersecurity Report 2025, new data highlights a sharp escalation in cyber activity across sectors and regions: 
  • Ransomware attacks increased by 50% year over year, with telecom, government, and financial services among the hardest hit. 
  • Over 6,000 data breaches were observed, with government (16.5%) and BFSI (10.5%) sectors the most frequently targeted. 
  • Dark web activity surged nearly 30%, including sales of stolen data, initial access, and discussions of zero-day exploits. 
  • Top targets remain government, banking and finance (BFSI), and IT/technology organisations due to the value and leverage of their data. 
  • Most impacted geographies include the United States, India, Indonesia, Brazil, and the United Kingdom. 
Threat actors are leaning on expanded social engineering, zero-day vulnerabilities, and underground forums for extortion. Ransomware groups such as Qilin, Akira, and Play continue to dominate, while access brokers and infostealer operators fuel a growing underground economy designed for both financial gain and strategic advantage.

Dr. Amit Chaubey Speaks with The Cyber Express 

TCE: How should enterprises and boards rethink the 'blast radius' of a cyberattack in 2026, considering operational, reputational, and regulatory impacts, and how do common misconceptions about cyber resilience expand that risk?

Chaubey: Given today’s geopolitical volatility, the rapid adoption of AI, and an expanding external attack surface driven by heavy reliance on third parties, managing security and resilience is becoming increasingly complex. Organizations and leadership teams need to recognize that these factors make cyber risk a shared problem - one that can’t be managed internally alone. To reduce exposure and strengthen resilience, they must work in close partnership with both internal stakeholders and external providers, aligning controls, responsibilities, and response plans across the broader ecosystem.

TCE: In the first critical hour of a cyberattack that shuts down core systems, what do executives most often underestimate about keeping the business running?

Chaubey: In the first critical hour of a cyberattack, executives often underestimate how quickly the organization loses operational certainty - and how hard it becomes to keep the business moving when the digital foundations disappear. Core systems don’t fail neatly; they fail in unexpected, interdependent ways. Teams can’t immediately tell whether they’re dealing with a simple outage, an active compromise, or deliberate containment shutdowns, so decision-making slows while pressure rises.

In that vacuum, people default to improvisation - switching to personal devices, using unofficial channels, bypassing controls, or actioning requests without verification. This is the moment when consequence management becomes essential. While technical teams work to understand what has failed, executives must immediately stabilize the organization - protecting people, operations, safety, regulatory obligations, and public trust before the technical diagnosis is complete.

In modern incidents, the first hour is not just about containment; it’s about preventing cascading consequences. That’s where business impact multiplies, not because teams are incompetent, but because the organization hasn’t rehearsed how to operate safely and compliantly without the digital scaffolding that it normally depends on.

TCE: If digital systems are unavailable for days, which non-technical capabilities, people, processes, and decision-making structures truly determine whether a business survives?

Chaubey: If systems are down for days, survival depends less on cyber tools and more on strong leadership and command structure. It begins with a clear crisis operating model: one accountable incident leader supported by empowered deputies across critical functions. A disciplined decision cadence keeps everyone aligned, reduces confusion, and prevents competing priorities. The business must also be ready to run in degraded mode, with minimum viable operations clearly defined and rehearsed manual or offline workarounds available - rather than relying on ad hoc fixes. The next determinant is people readiness and role clarity; in prolonged disruption, fatigue, uncertainty, and fear become operational risks that must be actively managed through shifts, support, and clear escalation paths. Finally, trust is sustained through communication discipline - consistent, verified updates internally and externally - so the organization maintains credibility while it stabilizes, recovers, and meets its obligations.

TCE: Beyond ransomware, which newer cyber threats do you see as the most dangerous for 2026, and why are most organizations unprepared for them?

Chaubey: While ransomware remains a key threat, the other cyber threats in 2026 are those that don’t need to encrypt anything to cause maximum business impact.

AI-enabled identity attacks are accelerating - phishing, vishing, and executive impersonation are becoming more convincing and scalable, while infostealers and token theft let attackers walk in using legitimate sessions rather than “breaking” in. By 2026, this evolves further into Agentic AI - autonomous systems capable of navigating identity and cloud control planes at machine speed, compressing the time between compromise and consequence. At the same time, rapid exploitation of internet-facing edge systems is shrinking the window between vulnerability discovery and compromise, and cloud/SaaS control-plane attacks can create an enterprise-wide blast radius by disabling logging, creating new identities, or changing critical configurations.

Add to this a rise in disruptive campaigns - wipers, sabotage, and denial-of-service used for pressure rather than profit - and the real pattern emerges: attackers are targeting high-leverage layers like identity, access, and shared services. Most organizations are unprepared because they still plan for technical recovery, not sustained “degraded mode” operations; they lack continuous visibility into identity and cloud admin behavior, and third-party concentration risk means a single provider compromise or outage can cascade straight into their own business.

TCE: How should executives approach personal accountability and regulatory obligations when a cyber event disrupts operations or public services?

Chaubey: Executives should treat a disruptive cyber event as a personal governance obligation, not something to hand off to IT. Leaders must still make timely risk decisions and ensure everything is documented - timelines, approvals, and rationale - from the first hour for audit and review. At the same time, they need to identify which regulatory regimes apply and meet notification obligations early where required, updating as facts are confirmed.

Success depends on tight alignment across security, legal, risk, comms, and operations to keep actions and messaging accurate and consistent, while enforcing verification controls to prevent secondary fraud, unsafe workarounds, and further compliance exposure.

TCE: In your experience, what’s the most surprising source of operational failure during a major cyberattack, something leaders never see coming until it hits?

Chaubey: A surprisingly common operational failure is that many organizations don’t plan the restoration sequence - they simply assume that “backups exist” and everything will come back quickly. In reality, recovery is a dependency puzzle, not a restore button: you need to know which foundations come first (identity/AD, DNS, certificates, networking, core storage, virtualization, endpoint management), then which platforms (databases, middleware, messaging), and only then the business applications that sit on top. If that order isn’t mapped and tested, teams burn precious hours restoring systems that can’t function because their upstream services aren’t online yet, or because integrations and service accounts can’t authenticate.

Without current architecture diagrams, CMDB accuracy, and integration maps, leaders often discover mid-crisis that “critical” systems rely on hidden components - SaaS connectors, API gateways, license servers, time synchronization, hinting services, or a single shared database instance. Recovery then stalls while teams scramble to identify missing dependencies, rebuild configurations, or recreate secrets and certificates. Even worse, cyber containment can deliberately break the very pathways you need to restore - segmentation blocks, disabled admin accounts, frozen IAM policies, or quarantined management networks - so recovery requires not just restoring data but re-establishing clean administrative control.

The real twist is that even when backups are available, recovery can still fail if the backup environment isn’t usable. Access keys may be locked out, encryption keys may be unavailable, backup consoles may sit behind the same identity system that’s down, or the backup storage may be reachable only through networks you’ve isolated. In some cases, the backup platform itself is impacted - corrupted catalogues, compromised backup credentials, or insufficient compute to rehydrate at scale. That’s when leaders learn the hard lesson: “we have backups” doesn’t equal “we can restore,” and outages stretch far longer than expected unless restoration sequencing, access pathways, and recovery infrastructure have been designed, documented, and exercised in advance.

Lastly, if you’re serious about managing cyber risk, you need a disciplined approach to “controls hygiene.” My parting message is to focus on three fundamentals: people, identity/authentication, and vulnerability management. Most attacks start with people - through deception that steals credentials - then use those identities to authenticate as if they’re legitimate, and finally exploit exposed or unpatched vulnerabilities to get into your “HOUSE” and move around undetected.
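The restoration-sequencing problem Chaubey describes (foundations, then platforms, then applications, and the trap where the backup console sits behind the identity system you are trying to restore from backup) is a dependency graph, and the checks he says should happen before a crisis can be run as code against a current integration map. The block below is an added example written for this page, not something from the interview or from any of the organizations named; the component map, the set of components restored from backup, and the containment scenario are constructed assumptions.

```python
"""Restoration sequencing as a dependency graph: which foundations come first, and where does
recovery deadlock on a platform that is itself down?

Added illustration, not part of the interview. The component map, the list of what is restored
from backup, and the containment scenario are constructed assumptions.
"""
from __future__ import annotations

# Constructed map: component -> components that must be back before it can be restored.
DEPENDENCIES = {
    "network": set(),
    "dns": {"network"},
    "pki": {"network", "dns"},
    "identity": {"network", "dns", "pki"},          # AD / IdP
    "storage": {"network"},
    "virtualization": {"network", "storage", "identity"},
    "endpoint_mgmt": {"identity", "dns"},
    "database": {"virtualization", "storage", "identity"},
    "middleware": {"database", "pki"},
    "messaging": {"virtualization", "identity"},
    "orders_app": {"middleware", "messaging", "database"},
    "payroll": {"database", "identity"},
    "backup_console": {"identity", "network"},      # console logs in through the same SSO
}

# Components whose restore path runs through the backup platform (assumed).
RESTORED_FROM_BACKUP = {"identity", "database", "storage"}


def transitive_needs(deps: dict, component: str) -> set:
    """Everything `component` depends on, directly or through other components."""
    seen, stack = set(), [component]
    while stack:
        for d in deps.get(stack.pop(), ()):
            if d not in seen:
                seen.add(d)
                stack.append(d)
    return seen


def restoration_waves(deps: dict) -> list:
    """Kahn's algorithm: wave N holds components whose dependencies all sit in earlier waves.
    Raises ValueError when a cycle makes some components impossible to order."""
    remaining = {c: set(d) for c, d in deps.items()}
    waves = []
    while remaining:
        ready = {c for c, d in remaining.items() if not d}
        if not ready:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        waves.append(ready)
        for c in ready:
            del remaining[c]
        for d in remaining.values():
            d -= ready
    return waves


def recovery_deadlocks(deps: dict, from_backup: set, backup_platform: str) -> list:
    """Components that must be restored from backup but that the backup platform itself needs."""
    return sorted(c for c in from_backup if c in transitive_needs(deps, backup_platform))


def blocked_by_isolation(deps: dict, isolated: set) -> set:
    """Containment side effect: everything that transitively needs an isolated component."""
    return {c for c in deps if c not in isolated and transitive_needs(deps, c) & isolated}


def restoration_plan(deps: dict, from_backup: set, backup_platform: str) -> list:
    """Readable plan: waves in order, with each deadlock called out for an out-of-band path."""
    lines = []
    for n, wave in enumerate(restoration_waves(deps)):
        lines.append(f"wave {n}: {', '.join(sorted(wave))}")
    for c in recovery_deadlocks(deps, from_backup, backup_platform):
        lines.append(f"DEADLOCK: {c} is restored via {backup_platform}, which needs {c}; "
                     f"pre-stage break-glass access to {backup_platform} that bypasses {c}")
    return lines


if __name__ == "__main__":
    print("\n".join(restoration_plan(DEPENDENCIES, RESTORED_FROM_BACKUP, "backup_console")))
    print("blocked if identity is quarantined:",
          sorted(blocked_by_isolation(DEPENDENCIES, {"identity"})))
```

Two things fall out that a "backups exist" assumption hides. The wave list puts `identity` in wave 3 and every application several waves later, which is the order teams burn hours violating; and `recovery_deadlocks` reports `identity` because the backup console authenticates through the identity system it is supposed to restore, so the plan needs a break-glass path (local admin, offline key material) staged before the incident. `blocked_by_isolation` answers the containment question in the same terms: quarantining identity also strands the backup console, payroll and the order system, which is worth knowing before the segmentation change is approved.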

How to Avoid Holiday Shopping Scams (From a Former Cyber Detective)

11 December 2025 at 10:53

Christmas is the time when we allow our imaginations to run wild; it’s the season of goodwill, high spirits and Christmas joy. However, cybercriminals don’t take holidays. We still have to be on our guard, and question what is real and what is not. Common Holiday Scams: Fake Online Stores. Around this time of year, […]

The post How to Avoid Holiday Shopping Scams (From a Former Cyber Detective) appeared first on Heimdal Security Blog.

Cybersecurity Has a Motivation Problem

28 October 2025 at 09:29

I’ve worked in cybersecurity long enough to see that our biggest challenge isn’t a technical one, it’s motivational. We can build the strongest firewalls, design the smartest detection systems, and run endless awareness campaigns, but none of it matters if people don’t want to care. That’s the uncomfortable truth: cyber security has a motivation problem. […]

The post Cybersecurity Has a Motivation Problem appeared first on Heimdal Security Blog.
