NewsNight: Three Stories and a Cuppa

Right then, welcome to NewsNight: Three Stories and a Cuppa. I'm here with my Saturday evening brew to walk you through three stories from around the pond that caught my eye this week - the sort of news that matters if you're trying to keep systems running, data secure, or just navigate the world with a brain that works a bit differently.

This week's episode is "Breached, Bypassed, and Still Bloody Struggling," and we've got the UK's latest cybersecurity reality check that's properly sobering, the EU actually implementing AI regulation whilst everyone else dithers, and yet another reminder that the tech industry still can't figure out basic workplace inclusion.

So grab whatever's in your mug, and let's dive in.

First up, the UK government's Cybersecurity Breaches Survey 2025 dropped this week, and it's a proper reality check. Just over four in ten businesses (43%) reported experiencing some form of cybersecurity breach or attack in the last 12 months. That's around 612,000 UK businesses getting hit.

Now, before you think "oh, it's dropped from 50% last year, that's progress" - hold on. The decline was mostly among micro and small businesses reporting fewer phishing attacks. But here's the kicker: for medium businesses it's 70%, and for large businesses it's 74%. Three quarters of big organisations getting breached in a year.

The survey found that phishing remains the most prevalent attack method, hitting 85% of affected businesses. But here's what's properly concerning - there's growing worry about AI-driven impersonation techniques becoming more sophisticated and harder to detect.

And the consequences are getting worse. Businesses reported a rise in temporary loss of access to networks - up from 4% to 7%. That's not just "oh dear, someone clicked a dodgy link." That's proper operational disruption.

What's maddening is that whilst 77% of businesses have updated malware protection and 73% have password policies, only 40% use two-factor authentication. It's 2025, and we're still treating 2FA like it's some exotic luxury feature rather than basic hygiene.

The report distinguishes between cybersecurity breaches and actual cyber crimes under the Computer Misuse Act, which is important because whilst all cyber crimes are breaches, not all breaches meet the legal criteria. But when three-quarters of large businesses are getting hit annually, we're clearly not dealing with isolated incidents anymore.

Right, moving on to something that's actually working. Whilst the UK continues its "wait and see" approach and the US debates banning state regulation entirely, the EU AI Act is quietly becoming reality.

The Act's various provisions are kicking in progressively. The ban on AI systems posing unacceptable risks started in February. Governance rules and obligations for general-purpose AI models become applicable this August. And the EU AI Office is actively recruiting "AI technology specialists" to govern cutting-edge models.

This week, the Commission launched a public consultation on high-risk AI systems and is seeking views on using data to develop AI. They're also developing preliminary guidelines for general-purpose AI model providers, covering seven key topics including definitions, responsibilities along the value chain, and exemptions for open-source models.

Meanwhile, the EU allocated €145.5 million to boost European cybersecurity, including for hospitals and healthcare providers. They're also working on AI regulatory sandboxes - each member state must establish at least one by August 2026.

The contrast with elsewhere is stark. The UK's AI bill remains a Private Member's Bill with no government backing, pushed back until "at least summer 2025" and likely not happening this year. The US is actively trying to ban state-level AI regulation for a decade.

What's fascinating is that the EU is treating AI regulation like grown-ups handle infrastructure - systematic, comprehensive, with proper enforcement mechanisms and funding. Whilst everyone else argues about whether regulation stifles innovation, the EU is just getting on with building a framework that actually works.

It's like watching one group properly fireproof a building whilst others debate whether smoke alarms are too restrictive for the candle industry.

And finally, more evidence that the tech industry still fundamentally doesn't understand inclusion. This week marked Neurodiversity Celebration Week, and the stats remain depressing.

Research shows that 51% of neurodivergent individuals feel they can't or shouldn't disclose their neurodiversity in the workplace due to stigma. Half have been discriminated against when job hunting, with one in five being laughed at and one in six having job offers rescinded because of neurodiversity.

The 2025 Neurodiversity Index Report found that whilst there's been some progress in basic accommodations, the fundamental problems persist. "Masking" - hiding neurodivergent traits during social interaction - remains incredibly common as an adaptive response against negative social and employment outcomes.

What's particularly frustrating is how simple many of the solutions are. Experts are calling for quiet breakout spaces, visual aids, flexible hours, and proper mentoring programmes. We're not talking about massive structural changes - we're talking about basic workplace adjustments that often cost nothing.

Yet employers are still treating neurodiversity as an afterthought rather than a business imperative. As one expert put it: "inclusion can't remain a box-ticking exercise - we need to be making real, structural changes that allow neurodivergent employees to thrive."

The research shows that teams with neurodivergent employees can be up to 30% more productive and generate innovative solutions at higher rates. But instead of capitalising on this, we're still stuck in a cycle where people are afraid to ask for basic accommodations and employers don't know what to offer.

It's estimated that around one in seven people in the UK are neurodivergent. That's a massive talent pool that we're systematically excluding through ignorance and stigma rather than malice - which somehow makes it worse.

It's the same bloody patterns every week, isn't it? We've got organisations failing at basic cybersecurity hygiene whilst cyber attacks become more sophisticated. We've got the EU actually building comprehensive regulatory frameworks whilst others debate whether rules are too scary for innovation. And we've got the tech industry - which should understand different ways of thinking better than anyone - still failing to support neurodivergent talent.

The UK cybersecurity survey shows we're not getting better at the fundamentals. Three-quarters of large businesses getting breached annually isn't a security posture, it's a crisis normalised. Meanwhile, the EU is systematically building AI governance that actually works, complete with enforcement mechanisms and proper funding, whilst everyone else dithers about stifling innovation.

And all of this whilst we continue to exclude people whose different thinking styles could help solve these problems. It's like watching a coordinated effort to make everything harder than it needs to be.

Right, that's your three stories and whatever was left in my mug.

If any of this has got you thinking, drop me a line. And if you know someone who works in tech, policy, or just needs to hear that their brain works fine even if it works differently, maybe share this along.

Next week, I'll be back with three more stories and hopefully evidence that someone, somewhere, has learned from their mistakes. Until then, keep your 2FA enabled, your thinking diverse, and your expectations of institutional competence appropriately calibrated.

This has been NewsNight: Three Stories and a Cuppa. If you want to read more about any of the stories I've covered, head to store.boggs.one, hit the ancillary menu, and look for NewsNight - News Sources.

See you next Saturday.