Cybersecurity Roundup: Partnerships, Funding, and Emerging Threats – January 23, 2026 [Bank of England / CBEST findings, LastPass phishing/backups campaign, AFOSI’s new cyber director, Senator Marshall’s cybersecurity workforce partnership]

This briefing pulls together four high-impact cybersecurity developments that matter for boards, CISOs, vendors, and policy makers:

  • The Bank of England’s CBEST assessments show the UK financial sector still misses basic cyber controls — weak patching, permissive access, and social-engineering exposure remain persistent problems.

  • A sophisticated phishing campaign is weaponizing “backup request” messaging to steal LastPass and other vault credentials — an urgent reminder that credential protection and phishing-resistant controls must be prioritized.

  • The U.S. Air Force Office of Special Investigations (AFOSI) announced new leadership for its cyber mission — a signal of continued investment in military-grade cyber forensics and defensive operations.

  • Senator Roger Marshall announced a partnership aimed at training the next generation of cybersecurity professionals, an important public-sector effort to shrink talent gaps through targeted education and employer collaboration.

Taken together, these items form a clear narrative: attackers still exploit predictable human and operational weak points; defenders must harden basics while scaling advanced capabilities; and public-private workforce initiatives are finally getting the sustained attention they deserve. This article analyzes each story, explains their strategic significance, and gives a prioritized, concrete playbook for organizations to act on now.


Why these stories matter — the frame

Three recurring themes appear across the day’s headlines:

  1. The basics still bite you. Even in heavily regulated sectors like finance, routine errors — stale patching, weak access controls, help-desk process gaps — keep driving successful intrusions. The CBEST findings remind us: advanced detection is no substitute for consistent hygiene.

  2. Attackers exploit social processes, not just code. Phishing campaigns that mimic legitimate operational flows (backup requests, IT tickets) succeed because they bypass technical detection and target human trust. Attackers trade minimal technical sophistication for maximal social leverage.

  3. Capability and capacity require both tech and talent. Military cyber organizations are doubling down on leadership and mission focus (AFOSI), while legislators are investing in workforce pipelines. Technology alone won’t close the risk gap — people and process matter.

These themes require different, complementary responses: mandatory hygiene improvements, phishing-resistant authentication and human-centric ops, and long-term workforce development. Below I unpack each story in depth, offering operational context, implications, and specific actions.


1) Bank of England / CBEST: the financial sector’s persistent cyber gap

The facts

The Bank of England’s CBEST assessments — collaborative penetration tests and red-team exercises done in partnership with the PRA and the FCA — revealed that many financial institutions and Financial Market Infrastructures (FMIs) still fail basic cybersecurity expectations. Recurring issues include misconfigured systems, inconsistent patching, insufficient detection capabilities, and social-engineering vulnerabilities. The report shows the same classes of weakness that were flagged in 2023 and 2024 remain materially present in 2025 assessments.

Why this matters

Financial institutions are among the world’s highest-value cyber targets. A successful compromise — at a retail bank, payment processor, or clearing house — can cause immediate monetary losses, systemic liquidity shocks, and cascading confidence impacts. The CBEST program isn’t a vanity test; it simulates high-severity, plausible attacks to see whether FMIs can withstand them and recover. That institutions repeatedly show the same lapses suggests three failure modes:

  1. Governance drift. Controls may be designed on paper but degrade in practice as organizations prioritize features or cost reduction over operational controls.

  2. Technical debt. Legacy stacks and poorly maintained configurations keep reintroducing vulnerabilities that are trivial to exploit.

  3. People & process gaps. Even when tech is in place, human habits — password reuse, help-desk shortcuts, careless public posts — create exploit paths.

The CBEST findings are a regulatory red flag: expect sharper supervisory asks, more intrusive audits, and potential enforcement if remediation lags.

Operational implications — what financial orgs must do now

Priority 1 — Patch & Inventory Discipline

  • Establish a measurable SLA for critical patches (e.g., CVSS ≥7 within 7 days), and instrument dashboards tied to executive incentives.

  • Eliminate ambiguous ownership of devices; create a single source of truth for asset inventory with automated discovery.

Priority 2 — Harden access & help-desk workflows

  • Adopt least-privilege by default and remove standing privileged accounts; implement just-in-time (JIT) privilege elevation.

  • Harden help-desk authentication workflows with multi-factor voice/knowledge probes, and avoid using easily verifiable public metadata (LinkedIn job postings, social media) as identity signals.

Priority 3 — Simulate realistic social engineering at scale

  • Run repeatable, metrics-driven phishing campaigns, but pair them with in-role coaching for high-risk staff (custody, treasury, vendor ops).

  • Track not just click rates but behavioral remediation indicators: how quickly did the user report, did they disclose credentials, and did the help-desk follow the protocol?

Priority 4 — Integrate CTI into operations

  • Convert CTI into playbooks for defenders: when a supplier reports compromise, what is the triage path? Who is the escrow owner? Does the incident require customer notification?

Policy & regulator signal

The BoE will likely increase supervisory intensity: more frequent CBEST-style testing, mandated remediation plans, and public expectations for improved maturity. Boards should treat this as a capital-allocation problem and invest accordingly.

Source: The Register summarizing Bank of England CBEST assessments.


2) LastPass phishing: “backup request” lure weaponizes credential fatigue

The facts

Security researchers and reporting uncovered a targeted phishing campaign that abuses legitimate operational language — specifically “backup request” — to trick users into revealing vault passwords and multifactor authentication (MFA) backup codes. Attackers send convincing messages that appear to come from administrators or backup services, often leveraging compromised sender domains or lookalike email addresses. The campaign is particularly dangerous because it targets password-manager users and aims to exfiltrate the one artifact (the master password or recovery code) that defeats vault protections.

Why this matters

Password managers like LastPass are a high-value choke point: a single stolen master password or recovery token grants access to an entire suite of personal and corporate credentials. Attackers have adapted social engineering tactics to focus on vault recovery flows because they provide a clear route to privilege escalation, lateral movement and data exfiltration.

Two additional reasons this campaign is urgent:

  1. Backup flows are inherently trusted. People expect help with backups, making it a powerful social-engineering lever.

  2. Multi-factor erosion. If attackers convince targets to reveal backup codes or temporary one-time passwords, MFA becomes irrelevant.

Practical defensive actions — immediate and medium term

Immediate (0–72 hours)

  • Send an urgent all-staff notice: no legitimate backup or helpdesk will ever ask for your master password or recovery codes via email or chat. Provide a phishing report mechanism and require staff to forward suspicious messages to security.

  • For password manager admins: enable rekeying and emergency disable for exposed accounts; consider forcing a rotation of master passwords for targeted groups.

Short term (7–30 days)

  • Implement phishing-resistant MFA (FIDO2/WebAuthn) for vault access where possible. Upgrade admin accounts immediately.

  • Tighten privileged account policies: require hardware security keys for admins and high-risk users.

  • Review and remediate recovery flows: require step-up authentication and registered device checks before permitting recovery operations.

Medium term (30–90 days)

  • Conduct tabletop exercises of vault-compromise scenarios: how do you detect, stop and remediate? What legal notifications are required? What customer communications must be issued?

  • Deploy detection rules for unusual vault access patterns: location anomalies, rapid credential export, or new device enrollments clustered in short windows.

User education & UX changes

  • Publish stepwise guidance for users on identifying “backup request” scams: check sender domain, verify via approved channels, never paste recovery codes into web forms.

  • For vendors: add UI friction around recovery, making it intentionally deliberate (delays, human verification) to deter automated social engineering.

Source: Cybersecurity Dive reporting on the backup-request phishing campaign.


3) AFOSI names new director for its cyber mission — military cyber leadership shifts

The facts

The United States Air Force Office of Special Investigations (AFOSI) announced a new director assuming leadership of its Program Joint Special (PJS) cybersecurity mission. The appointment underscores AFOSI’s continuing emphasis on cyber investigations, defensive operations, and coordination with allied military and federal law-enforcement partners. AFOSI’s remit includes technical forensics, attribution support, and protective missions for Air Force networks and installations.

Why this matters

Military and defense cybersecurity leadership shapes doctrine, partnership, and capability development for national security. AFOSI is a force multiplier in both tactical operations (e.g., intrusion response on airbases) and strategic investigations (e.g., supply-chain intrusions affecting weapons systems). Leadership transitions are not just personnel changes — they often accompany doctrinal adjustments, prioritization of mission areas (threat intel sharing, joint exercises), and procurement focus (forensic platforms, threat attribution technologies).

Several practical implications:

  • Interagency cooperation. AFOSI’s posture often informs how DoD shares forensic techniques and threat intel with civilian agencies and critical infrastructure partners. Strengthening AFOSI’s cyber leadership improves cross-sector response.

  • Capability signaling. New leadership may accelerate investments in tooling (endpoint forensics, hardware-level imaging, chain-of-custody automation) and training programs that civilian investigators can adapt.

  • Workforce partnerships. Military cyber programs often collaborate with academia and industry to develop talent pipelines — a direct tie to the Senator Marshall partnership described next.

What practitioners should watch

  • Joint exercises and public-private initiatives: AFOSI may expand joint training or offer shared playbooks — security teams should seek engagement opportunities to test critical-infrastructure scenarios.

  • Forensic tooling standards: Expect calls for standardized evidence packaging and chain-of-custody tools suited to multi-jurisdictional incidents.

Source: AFOSI announcement of new director and mission focus.


4) Senator Marshall’s partnership to train the next generation of cybersecurity professionals

The facts

U.S. Senator Roger Marshall announced a partnership aimed at bolstering cybersecurity workforce development. The initiative focuses on pipeline programs, apprenticeship pathways, and collaboration between federal, state and private employers to scale practical training for students and transitioning veterans. The program emphasizes hands-on skills, certifications, and employer commitments to hire program graduates.

Why this matters

Workforce shortages are a structural constraint on cyber resilience globally. Technology investments only pay off when skilled people can operate, tune and respond with those tools. Public-sector partnerships that combine education, on-the-job training, and employer hiring commitments can move the needle faster than traditional academic programs alone.

Key reasons this initiative is strategically timely:

  • Scale & speed. Apprenticeship and bootcamp models produce job-ready candidates faster than multi-year degree programs.

  • Diversity & inclusion. Targeted programs (veteran transitions, community college partnerships) expand the talent pool and bring operationally experienced individuals into cyber roles.

  • Public-private alignment. Employer commitments to hire reduce placement friction and create clearer ROI for trainees and funders.

Practical next steps for employers & institutions

  • Employer engagement: Sign memoranda of understanding to hire graduates and commit to on-the-job mentoring; provide rotational placements to broaden trainee exposure.

  • Curriculum co-design: Work with training providers to ensure courses focus on operationally relevant competencies (incident response, threat hunting, vulnerability management).

  • Measure outcomes: Track placement rates, time-to-proficiency, and retention to prove program value and scale funding.

Longer-term lift: these programs must be sustained, because one-off funding is insufficient. Apprenticeship programs should be woven into hiring forecasts and workforce planning to reduce persistent talent gaps.

Source: Senator Marshall’s press release announcing the cybersecurity workforce partnership.


Cross-cutting analysis — what these stories collectively tell us

Taken together, the four stories produce a layered diagnosis of systemic cyber health:

  1. Controls-first reality: The BoE’s CBEST reports prove the strongest lever is not always exotic detection but consistent controls: inventory, patching, access management, hardening of human processes. Unless defenders fix the fundamentals, attackers will continue to succeed using tried-and-true techniques.

  2. Social engineering remains the path of least resistance: Phishing campaigns tailored to operational flows (vault recovery, backup requests) weaponize routine procedures. The most effective defenses are process redesign and phishing-resistant MFA, not just mailbox filters.

  3. Institutional capacity is growing but needs scale: Military and legislative initiatives indicate increased capacity building — more hands, better doctrine, and now public incentives to grow the bench. This is necessary to translate technology into sustained resilience.

  4. Public accountability and regulation will tighten: Persistent failures in critical sectors will invite regulator action: more intrusive testing, stricter remediation orders, and potential fines or restrictions for repeat offenders. Boards should treat cybersecurity maturity as a risk metric equivalent to liquidity or capital adequacy.


Tactical playbook — prioritized actions for the next 90 days

Below are concrete actions clustered by stakeholder and ordered by priority.

For Boards & CEOs (top 3 asks)

  1. Require an “Ops Hygiene Scorecard” — patch SLAs, inventory completeness, privileged account counts, and a help-desk verification index. Tie to executive compensation. (Priority: immediate)

  2. Mandate phishing-resistant MFA for high-risk roles (FIDO2/HSM tokens for treasury, legal, HR, vendor ops). (Priority: immediate)

  3. Invest in workforce pathways — fund apprenticeships and public partnerships to secure a hiring pipeline. (Priority: 30–90 days)

For CISOs & Security Ops

  1. Patch & asset blitz. Triage critical CVEs, reduce attack surface by decommissioning unused services and misconfigured endpoints. (Priority: immediate)

  2. Backup-flow and recovery hardening. Make recovery flows multi-factor and device-bound; never accept recovery codes or master-password resets via unauthenticated channels. (Priority: immediate)

  3. Simulate vault-compromise scenarios. Tabletop IR including legal, communications, vendor and customer-notification procedures. (Priority: 7–30 days)

For HR & Talent Leads

  1. Sponsor local apprenticeship programs and secure employer commitments to hire graduates; build fast onboarding for junior analysts. (Priority: 30–90 days)

  2. Cross-train SOC staff to support forensic and OT scenarios in collaboration with military partners or federal labs where possible. (Priority: 60–180 days)

For Product & Dev Teams

  1. Redesign help-desk auth flows. Implement step-up authentication, logged approvals and recorded verification steps for sensitive operations. (Priority: immediate)

  2. Instrument data exfiltration detection. Deploy DLP and UEBA rules focused on mass password export, credential stuffing, and suspicious vault-download patterns. (Priority: 7–30 days)
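As an added illustration of the vault-access detection rules called for in the LastPass section (location anomalies, rapid credential export, new-device enrollments clustered in short windows) and in item 2 above, here is example code that is not from the original article or from any password-manager vendor. It assumes a constructed key=value audit-log layout and the three thresholds shown, none of which come from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (an assumed key=value layout, not a real vendor format):
# timestamp user event country device
SAMPLE_LOG = """\
2026-01-22T09:00:00Z user=alice event=login country=GB device=d-laptop
2026-01-22T09:05:00Z user=bob event=login country=GB device=d-bob1
2026-01-23T10:00:00Z user=alice event=login country=GB device=d-laptop
2026-01-23T10:02:00Z user=alice event=login country=RU device=d-new1
2026-01-23T10:03:00Z user=alice event=device_enroll country=RU device=d-new1
2026-01-23T10:04:00Z user=alice event=device_enroll country=RU device=d-new2
2026-01-23T10:05:00Z user=alice event=device_enroll country=RU device=d-new3
2026-01-23T10:06:00Z user=alice event=export country=RU device=d-new1
2026-01-23T11:00:00Z user=bob event=login country=GB device=d-bob1
"""

# Assumed tuning values; a real deployment would derive these from its own baseline.
ENROLL_WINDOW = timedelta(minutes=10)   # window in which enrollments count as a cluster
ENROLL_THRESHOLD = 3                    # enrollments inside the window that raise an alert
EXPORT_WINDOW = timedelta(minutes=30)   # export this soon after an enrollment is suspicious


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text):
    """Return (user, rule, timestamp) alerts for the three rules, in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    seen_countries = defaultdict(set)   # per-user baseline of countries seen so far
    enrolls = defaultdict(list)          # per-user timestamps of device enrollments
    for e in events:
        user = e["user"]
        if e["event"] == "login":
            # Location anomaly: a country never seen before for a user with history.
            if seen_countries[user] and e["country"] not in seen_countries[user]:
                alerts.append((user, "new_country", e["ts"]))
            seen_countries[user].add(e["country"])
        elif e["event"] == "device_enroll":
            enrolls[user].append(e["ts"])
            recent = [t for t in enrolls[user] if e["ts"] - t <= ENROLL_WINDOW]
            if len(recent) == ENROLL_THRESHOLD:   # fire once, when the threshold is hit
                alerts.append((user, "enroll_burst", e["ts"]))
        elif e["event"] == "export":
            # Rapid credential export: a vault export shortly after any new enrollment.
            if any(e["ts"] - t <= EXPORT_WINDOW for t in enrolls[user]):
                alerts.append((user, "export_after_enroll", e["ts"]))
    return alerts


if __name__ == "__main__":
    for user, rule, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user} {rule}")
```

Only alice trips the rules in the sample; bob's steady GB logins from one device produce no alert.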

For Regulators & Policy Makers

  1. Scale public-private CBEST style exercises into cross-sector programs to stress critical-infrastructure resilience. (Priority: strategic)

  2. Fund apprenticeship & hire guarantees — public grants that match employer hiring commitments shorten the pathway from training to employment. (Priority: 30–180 days)


Risk checklist — what can go wrong and mitigations

  • Unchecked credential capture: attackers will pivot to social flows that neutralize MFA. Mitigation: hardware security keys, recovery flow hardening, immediate rotation on detection.

  • Delays in patching leading to compromise: a major financial firm could be breached via a known CVE. Mitigation: enforce patch SLAs and prioritization frameworks.

  • Talent pipeline fails to scale: apprenticeship programs are underfunded or lack employer uptake. Mitigation: legislate employer hiring commitments and tie public funding to placement metrics.

  • Defensive capability mismatch: military-grade tools may not translate quickly to civilian ops. Mitigation: invest in joint labs and know-how transfer programs; standardize for civilian legal contexts.


Board briefing one-pager — what to sign off this week

Headline: The CBEST results and recent phishing campaigns reveal a tactical and strategic gap: hygiene + human controls.
Immediate asks:

  1. Approve $X to remediate critical patch backlog and implement automated inventory within 30 days.

  2. Fund procurement of hardware FIDO2 keys for top 200 privileged users and high-risk teams.

  3. Sponsor one cohort of the Senator Marshall apprenticeship program and pledge three hiring slots for program graduates.

Key metric: Reduce “time-to-patch critical” to 7 days and achieve <1% high-risk help-desk protocol deviations in 90 days.


Longer-term strategic view (6–24 months)

  1. Operational resilience will become a competitive differentiator. Customers and counterparties will prefer partners who can demonstrably harden basics and recover quickly. Continuous-controls disclosure may become part of vendor procurement.

  2. Identity becomes the center of gravity. FIDO2 and phishing-resistant MFA adoption will accelerate as attackers focus on vaults and recovery flows. Expect enterprise SSO providers to integrate stronger device-bound recovery and hardware key support.

  3. Workforce programs will bear fruit if sustained. Apprenticeship plus guaranteed hiring is the fastest way to scale ops capability; governments and employers who institutionalize this will close gaps faster.

  4. Civil-military collaboration increases. AFOSI and similar organizations will continue to develop forensic techniques; public-private partnerships should be formalized to share sanitized playbooks and technical artifacts.


Closing — the practical thesis

Recent headlines expose a straightforward but hard truth: defensive success begins with systems and people getting the basics right and ends with systemic investments in talent and robust incident playbooks. The Bank of England’s CBEST review is not a “novel threat” alarm; it’s evidence that the same types of lapses — weak patching, permissive access, help-desk shortcuts — still catalyze the most damaging intrusions. Attackers know this and will keep weaponizing the human element (e.g., the LastPass backup scam). The response must be layered: enforce basic hygiene relentlessly, redesign operational processes that attackers exploit, and invest in people through practical public-private training programs.

The policy and military signals (AFOSI leadership, Senator Marshall’s partnership) are encouraging — but they are only the start. Organizations that treat this moment as a sustained program of change — not a one-time project — will be the ones that survive and thrive.


Sources

  • Bank of England: Financial sector failing to implement basic cybersecurity controls — CBEST report findings summarized. Source: The Register.
  • LastPass warns backup-request phishing campaign (credential theft via vault-recovery social engineering). Source: Cybersecurity Dive.
  • New director assumes leadership of AFOSI PJS cybersecurity mission (AFOSI announcement). Source: U.S. Air Force Office of Special Investigations (AFOSI).
  • Senator Marshall announces partnership for next generation of cybersecurity professionals (press release). Source: Senator Roger Marshall’s Office.

Peter Tolan is a Junior Content Editor for the HIPTHER network, where he has quickly established himself as a versatile voice in the global iGaming and technology sectors. Operating across the network's specialized platforms, Peter leverages a deep understanding of the European and American gaming landscapes to deliver high-impact, B2B intelligence. He is a key contributor to the "Evolution" side of the industry, specializing in the analysis of online gaming trends, the fast-paced world of esports, and the integration of deep-tech innovations. With a sharp eye for emerging technologies, Peter ensures that the HIPTHER community remains at the forefront of the global digital revolution.