#NSBCS.119 - From Findings to Fixes: Identifying Issues is the Easy Part


Organisations regularly conduct cybersecurity and information security activities, such as risk assessments, penetration tests, audits, and post-incident reviews. These exercises often provide valuable insights into control gaps, process weaknesses, and opportunities to enhance security. However, while identifying issues is usually straightforward, implementing remediations and sustaining improvements are often much more challenging.

Many organisations receive detailed reports with practical recommendations, yet months later, the same findings remain unresolved, only partially addressed, or postponed. This is rarely due to a lack of awareness; more often, it reflects the practical challenges of prioritisation, ownership, and maintaining change within busy operational environments.

Why Findings Persist: Prioritisation and Resource Constraints

It is common for organisations to see the same findings reappear across multiple assessments. A risk assessment identifies a gap, a penetration test highlights related weaknesses, or a post-incident review reinforces issues that were already known but not fully resolved. This often happens because remediation requires more than just technical fixes.

Improvements such as access management maturity, asset visibility, incident readiness, or governance uplift usually need coordination between teams, process changes, and ongoing effort. Such improvements are often more complex and take longer than initially expected. Meanwhile, organisations are frequently balancing competing priorities, like operational delivery and business growth. With limited resources, security remediation can be postponed in favour of immediate operational needs. As a result, organisations might focus on quick wins while more complex, yet higher-impact, improvements remain unfinished, leading to recurring findings over time.

Ownership, Accountability and Tracking

Remediation efforts can also halt when ownership is unclear. Findings often involve multiple teams, including IT, security, operations, and business stakeholders. Without clear ownership, tasks may be delayed, only partly completed, or assumed to be someone else's responsibility. Even when ownership is initially assigned, tracking can become inconsistent over time. As priorities change, visibility decreases and open risks may stay unresolved. This can make it hard to track progress, communicate risk exposure, or keep momentum.

Assigning clear ownership, supported by realistic timelines, centralised tracking, and periodic governance reviews, helps organisations maintain focus and drive remediation forward. Establishing a structured remediation register and regularly reviewing progress ensures improvements are not only implemented but sustained.

To move from findings to meaningful improvements:

  • Prioritise remediation based on risk and impact;

  • Assign clear ownership for each finding;

  • Track remediation centrally;

  • Review progress regularly; and

  • Focus on embedding sustainable improvements.

Looking to strengthen your Cyber Resilience? Book a meeting with our team today.


What we read this week

  • CISA and FBI Warn of Iranian-Affiliated Actors Exploiting PLCs in US Critical Infrastructure - A joint cybersecurity advisory (AA26-097A) from CISA, the FBI, and partner agencies details how Iranian-linked threat actors are actively targeting exposed programmable logic controllers (PLCs) in US energy, water, and other critical infrastructure sectors. The actors scan for internet-facing devices with weak or default credentials, then deploy custom tools to disrupt operations via SCADA systems. Multiple incidents have already caused physical process interference, with no evidence of data exfiltration but clear intent to cause real-world disruption. The advisory highlights the rising risk to industrial control systems amid geopolitical tensions. Organisations should immediately inventory and segment OT networks, disable unnecessary internet exposure of PLCs, enforce strong authentication, and monitor for anomalous scanning activity.

  • New Chaos Malware Variant Targets Misconfigured Cloud Deployments with SOCKS Proxy - Security researchers have identified an evolved variant of the Chaos ransomware family that specifically hunts for exposed cloud environments, adding a built-in SOCKS proxy for stealthy command-and-control and data exfiltration. The malware exploits common misconfigurations in cloud storage and containerised workloads to gain initial access before encrypting data and demanding payment. This latest iteration has been observed in attacks across multiple sectors since late March, demonstrating improved evasion against cloud-native security tools. Organisations are urged to enforce least-privilege access in cloud environments, implement continuous configuration monitoring, enable immutable backups, and integrate cloud-specific threat detection to counter these adaptive tactics.

  • Masjesu Botnet Emerges as New DDoS-for-Hire Service Targeting Global IoT Devices - A previously undocumented botnet named Masjesu has surfaced as a pay-per-use DDoS platform, primarily compromising vulnerable IoT devices worldwide through weak credentials and unpatched firmware. The service offers attackers affordable, high-volume distributed denial-of-service capabilities, with early campaigns already disrupting online services and testing infrastructure. Its modular design allows easy addition of new exploitation modules, raising concerns about rapid evolution. Security teams should prioritise IoT network segmentation, enforce regular firmware updates, deploy anomaly-based detection for outbound traffic, and monitor dark-web indicators for Masjesu-related activity to reduce exposure.

  • Russian APT28 Deploys PRISMEX Malware in Targeted Campaign Against Ukraine and NATO Allies - The Russian state-sponsored group APT28 (also known as Fancy Bear) has been observed using new PRISMEX malware in a campaign aimed at Ukrainian government entities and NATO member organisations. The tool enables credential theft, lateral movement, and persistent access within cloud and on-premises environments, with sophisticated evasion techniques to avoid detection. The attacks align with ongoing geopolitical tensions and focus on intelligence gathering from defence and diplomatic targets. Organisations in government, defence, and allied sectors should enhance email and cloud security controls, implement strict identity verification, conduct regular threat hunting for PRISMEX indicators, and strengthen supply-chain risk management.

  • Signature Healthcare Massachusetts Hospital Disrupted by Cyberattack - Signature Healthcare in Massachusetts has been forced to divert ambulances, cancel elective procedures, and switch to manual processes after a cyberattack severely impacted hospital systems and connected pharmacies. The incident has led to operational chaos, with prescription filling halted and patient care relying on paper records in some areas. While the exact threat actor and method remain under investigation, the attack highlights the vulnerability of healthcare delivery systems to ransomware or disruptive malware. Healthcare providers should accelerate network segmentation, maintain offline backups, test incident response plans frequently, and prioritise rapid restoration of critical clinical systems to minimise patient harm.

