- Comparitech Stack Report
- Posts
- UK Council Websites Show How Basic Security Gaps Still Persist
UK Council Websites Show How Basic Security Gaps Still Persist
Protect access wherever work happens
Logging into work accounts while traveling increases the risk of business access being intercepted or exposed.
This opens the door to phishing and unauthorized login attempts.
NordLayer helps teams stay protected wherever work happens – now with up to 20% OFF annual plans during the Summer Sale. Use code "nl-summer-26" at checkout.
From the Editor’s Desk
Over the last week, one theme has stood out across security discussions: compliance is becoming harder to separate from operational security. Whether it is government standards, AI governance, or infrastructure testing, organizations are under more pressure to prove that controls work in practice rather than simply documenting that they exist. The gap between “compliant” and “secure” continues to narrow.
🔎 Deep Brief
UK Council Websites Show How Basic Security Gaps Still Persist
This Comparitech analysis of 373 UK council websites found that browser-side security controls remain underused despite clear government guidance. The biggest concern was Content Security Policy (CSP) adoption, a control designed to limit which scripts and resources a browser can load and reduce exposure to cross-site scripting (XSS) and code injection attacks.
Only 128 councils, or 34.3%, had a CSP in place. More concerning, just 75 councils (20.1% of all websites analyzed) implemented a strong policy. Another 21 councils had moderate implementation with notable gaps, while seven councils used report-only mode that monitored violations without enforcing restrictions. Overall, 238 councils, representing nearly two-thirds of those analyzed, had no CSP at all.
The findings matter because XSS was ranked by CWE as the most dangerous software weakness in 2025 and remains one of the most commonly exploited paths in web attacks. While councils have broadly adopted modern encryption practices, adoption of browser-hardening controls appears to lag behind.
Takeaway
Encryption alone does not create a secure web presence. Browser-level controls such as strong Content Security Policies remain an important layer in reducing preventable web application risk.
🧠 Strategy in Action
FedRAMP Turns Red Teaming Into a Compliance Requirement
A shift inside FedRAMP Revision 5 is changing how cloud providers prepare for authorization in the US federal market. Through control enhancement CA-8(2), red team exercises are becoming a formal expectation rather than an optional maturity exercise.
The change pushes organizations beyond traditional penetration testing. Instead of asking whether systems can be breached, red teaming evaluates whether people, processes, and technology can detect and respond to realistic adversary behavior.
The approach draws from established models already used in regions such as the UK and EU, where intelligence-led testing has become part of broader resilience programs. FedRAMP’s version introduces flexibility, allowing organizations to shape programs around their environment while still demonstrating effectiveness to assessors.
Takeaways:
For security leaders, the lesson is clear: security validation is moving toward continuous testing and measurable outcomes.
🕵️ Threat Actor Spotlight
Interlock
Interlock is a financially motivated cybercriminal group known for combining ransomware operations with data theft and extortion. The group gained attention through attacks that focused on business disruption and pressure tactics rather than encryption alone.
Interlock operators typically rely on initial access methods that exploit weak credentials, exposed services, or social engineering techniques. Once inside, they prioritize lateral movement, privilege escalation, and data collection before triggering the final stage of the operation.
One of the group’s notable traits is operational flexibility. Campaigns have shown a willingness to adjust techniques depending on the target environment instead of relying on a fixed playbook.
🛠️ Tool Check
NordLayer Business VPN
NordLayer offers a business VPN and network security platform built on the infrastructure standards associated with NordVPN. This platform is designed to simplify secure access management through a cloud-based approach that can scale from small businesses to enterprise environments. It emphasizes fast deployment, centralized administration, and reducing the operational burden traditionally tied to maintaining on-premises network security infrastructure. According to NordLayer, organizations can deploy in around 10 minutes, access VPN infrastructure with speeds up to 1 Gbps, and reduce long-term ownership costs through a consolidated security model.
🗣️ Community Signal
AI has absolutely made parts of defense better. It has also made phishing messages cleaner, more convincing, and easier to scale. So the old entry point keeps getting refreshed with new tricks. If the basics around email security, identity, user awareness, and response discipline are weak, attackers do not need anything sophisticated. Lock down the foundation first, and a lot of those modern attacks get a lot harder to pull off. JT H, Strategic IT & Cloud Advisor.
📚 Don’t Miss This
|
Until Friday’s edition - Let’s keep that zero-day count at zero!
