
PATCH MANAGEMENT
Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs

Microsoft released fixes for 80 security flaws this September, including eight critical issues. Several updates cover major products like Azure, Office, Hyper-V, NTFS, and SharePoint.

Most of the patched bugs are remote code execution or elevation-of-privilege flaws. Two deserve top attention: an elevation-of-privilege bug in Windows SMB (CVE-2025-55234, publicly disclosed before the patch shipped) and a flaw in NTLM (CVE-2025-54918). Both could give an attacker high-privilege access on an affected host.

For CISOs, the priority is clear: patch quickly, starting with internet-exposed systems and those running critical workloads. Have technical teams review business-critical systems, with extra attention to Hyper-V, SMB, Office, and NTFS, and run authenticated vulnerability scans afterward to confirm the patches actually landed.

September’s cycle is a reminder that zero-day disclosures and privilege-escalation bugs remain a real threat, and that rapid patching is a core business protection.

AI/ML
CISOs brace for a new kind of AI chaos

AI tools are being rolled out in businesses faster than they can be secured. Attackers are already exploiting that gap, using AI to move through systems faster than defenders can respond.

Many security teams are deploying AI with no plan and no dedicated controls. Almost half of security operations centers use AI tools out of the box, with no custom configuration or usage rules, and most do not monitor how the AI behaves, which makes attacks easier to miss.

CISOs and leaders should invest in controls that let staff use approved AI tools safely: systems that track who is using AI, protect the data fed to it, and log what the AI does. The goal is to cut risk by stopping shadow AI usage while making sure real work still gets done through trusted channels.

The blueprint in the article says companies should focus on three things: protect AI systems and their data, use AI to help stop attacks, and comply with the rules set by governments and regulators. Strong identity checks matter, as does training staff in high-risk departments to spot AI-generated phishing messages.

New laws make it urgent to track and control all AI use. Companies that cannot show what their AI systems are doing or where their data comes from face fines and regulatory trouble.

AI security is now a business problem, not just a technical one.

SECURITY MANAGEMENT
Cracking the Boardroom Code: Helping CISOs Speak the Language of Business

CISOs and their teams want directors and executives to understand why cybersecurity matters at the highest level.

Boards want simple answers: What risks are most serious and what needs attention?

In board meetings, security leaders should stay focused. Rather than describing every technical detail, say which threats could hurt the business, how badly, and which fixes are most urgent.

Boards need to know if the company is protected against big threats, like ransomware, data loss, and system outages. Security leaders should use stories, not just numbers, for stronger impact.

Strong protection depends on clear communication between security leaders and top company decision-makers.

SECURITY INCIDENT
Four lessons from the Salesloft OAuth hack

In August 2025, attackers combined voice phishing with abuse of OAuth permissions to break into several companies’ Salesforce tenants.

Posing as IT support, they called employees and talked them into approving a malicious connected app disguised as Salesforce’s Data Loader. The authorization handed the attackers long-lived OAuth tokens, which they used to quietly export customer records and sales data from the cloud.

One of the largest breaches involved Google’s Salesforce data, with millions of records stolen. Chanel, Adidas, and Zscaler were also hit. In a related case, a third-party integration, Salesloft Drift, was compromised, letting attackers steal its OAuth tokens and pull data from connected Salesforce instances without raising alarms.

These attacks show how an OAuth consent grant sidesteps controls like multi-factor authentication: the victim completes MFA legitimately, then authorizes the app, and from that point the attacker holds a token that works without the user’s password or a second factor. Careful control of OAuth apps and employee training are therefore essential.

To reduce risk, companies should inventory and monitor OAuth apps, limit which permissions users can grant to them, enforce strict identity checks, and review any third-party app connected to critical systems like Salesforce. Fast token revocation and close coordination with cloud and SaaS providers limit how long attackers can keep their access.

The big lesson is that cloud security must cover trusted app access, not just user accounts, or this kind of stealthy data theft will keep succeeding.
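The pattern above (a look-alike connected app approved by a phished user, followed by bulk export through that app) is detectable from tenant audit data. The following is an added example, not code from the article, Salesforce, or Salesloft. The event schema (field names "type", "app_id", "scopes", "rows"), the approved-app allowlist, and the sample records are all constructed for illustration; map them onto your tenant's own audit and API-usage logs before using the logic.

```python
"""Detection logic for OAuth consent phishing over constructed Salesforce-style events.

Added example; field names, app identifiers and sample records are constructed, not
taken from any real product's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Scopes that hand out broad or durable access. A new app asking for these deserves review.
BROAD_SCOPES = {"full", "api", "refresh_token"}

# Allowlist of connected-app identifiers the admins actually approved (assumed values).
# Note: the attackers reused the *display name* "Data Loader"; only the identifier differs.
APPROVED_APP_IDS = {"app-001"}

# Constructed sample events: jdoe is vished into approving a fake Data Loader, which then
# bulk-exports within minutes; asmith uses the genuine app for a small query.
SAMPLE_EVENTS = [
    {"ts": "2025-08-08T14:02:10Z", "type": "oauth_grant", "user": "jdoe",
     "app": "Data Loader", "app_id": "app-9f1", "scopes": ["api", "refresh_token"]},
    {"ts": "2025-08-08T14:05:44Z", "type": "api_query", "user": "jdoe",
     "app_id": "app-9f1", "object": "Account", "rows": 48000},
    {"ts": "2025-08-08T14:06:12Z", "type": "api_query", "user": "jdoe",
     "app_id": "app-9f1", "object": "Contact", "rows": 120000},
    {"ts": "2025-08-08T09:15:00Z", "type": "oauth_grant", "user": "asmith",
     "app": "Data Loader", "app_id": "app-001", "scopes": ["api"]},
    {"ts": "2025-08-08T09:20:00Z", "type": "api_query", "user": "asmith",
     "app_id": "app-001", "object": "Lead", "rows": 300},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_risky_grants(events, approved_app_ids=APPROVED_APP_IDS,
                      export_threshold=10_000, window=timedelta(hours=24)):
    """Return one alert per OAuth grant to an unapproved app that either requested broad
    scopes or was followed, within `window`, by exports totalling at least
    `export_threshold` rows.

    Grants to approved apps are never alerted on, even with broad scopes: the aim is to
    catch a look-alike app, not to flag the genuine tool every time someone uses it.
    """
    queries_by_app = defaultdict(list)
    for e in events:
        if e["type"] == "api_query":
            queries_by_app[e["app_id"]].append(e)

    alerts = []
    for g in (e for e in events if e["type"] == "oauth_grant"):
        if g["app_id"] in approved_app_ids:
            continue
        reasons = ["unapproved app id %s presenting as %r" % (g["app_id"], g["app"])]
        broad = BROAD_SCOPES & set(g["scopes"])
        if broad:
            reasons.append("broad scopes: " + ", ".join(sorted(broad)))
        t0 = parse_ts(g["ts"])
        exported = sum(q["rows"] for q in queries_by_app[g["app_id"]]
                       if t0 <= parse_ts(q["ts"]) <= t0 + window)
        if exported >= export_threshold:
            reasons.append("%d rows exported within %s of the grant" % (exported, window))
        # The unapproved id alone is a review item; alert when a second signal joins it.
        if len(reasons) > 1:
            alerts.append({"user": g["user"], "app_id": g["app_id"],
                           "granted_at": g["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_risky_grants(SAMPLE_EVENTS):
        print(a["user"], a["app_id"], "->", "; ".join(a["reasons"]))
```

The allowlist is keyed on the app identifier rather than its display name on purpose: the name is attacker-controlled, the identifier is not. In a real tenant the same alert should trigger the token-revocation step the article recommends, so that the export stops within minutes rather than days.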

PATCH MANAGEMENT
Payment System Vendor Took Year+ to Patch Infinite Card Top-Up Hack: Security Firm

KioSoft, a maker of self-service payment kiosks, shipped NFC stored-value cards with a serious security hole.

The security firm SEC Consult found the issue in 2023. The cards stored the balance on the card itself rather than on a secure back-end server, so anyone with an NFC reader/writer could read the balance field, rewrite it, and top the card up for free, as often as they liked.

The cards use MIFARE Classic, an NFC technology whose encryption has been broken for years. Each rewrite could raise the balance by up to $655.

SEC Consult began trying to reach KioSoft in October 2023 and got little response until the CERT Coordination Center at Carnegie Mellon got involved. The vendor eventually said it released a firmware patch in summer 2025 and plans to ship new hardware later.

The lesson: delays in patching known flaws leave weak technology exploitable for a long time, with real financial consequences.
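The design flaw here is the card being the ledger. The following is an added example, not code from the article, KioSoft, or SEC Consult. It assumes a 16-byte card block whose first two bytes hold an unsigned 16-bit balance in cents; that layout is an assumption, chosen because 0xFFFF cents is $655.35, which matches the per-write ceiling the article quotes. Recovering MIFARE Classic sector keys is not shown; `attacker_rewrite` simply assumes the attacker can already read and write the block, which is the situation the article describes.

```python
"""Client-side stored value versus a server-side ledger (added example, not vendor code).

Assumptions: a 16-byte data block with a little-endian uint16 balance in cents at offset 0,
and an attacker who can already read/write that block.
"""
import struct

BALANCE_FMT = "<H"      # assumed: little-endian unsigned 16-bit cents
MAX_CENTS = 0xFFFF      # 65535 cents = $655.35, the most one rewrite can load


class Card:
    """Simulated NFC card: a UID plus one 16-byte data block."""
    def __init__(self, uid, cents=0):
        self.uid = uid
        self.block = bytearray(16)
        struct.pack_into(BALANCE_FMT, self.block, 0, cents)

    def stored_cents(self):
        return struct.unpack_from(BALANCE_FMT, self.block, 0)[0]


def attacker_rewrite(card, cents=MAX_CENTS):
    """Free top-up: overwrite the balance field with any value up to MAX_CENTS."""
    struct.pack_into(BALANCE_FMT, card.block, 0, cents)
    return card.stored_cents()


# --- Vulnerable design: the card *is* the ledger ------------------------------------
def kiosk_charge_vulnerable(card, cents):
    """The kiosk trusts whatever balance the card reports and writes the remainder back."""
    bal = card.stored_cents()
    if bal < cents:
        return False
    struct.pack_into(BALANCE_FMT, card.block, 0, bal - cents)
    return True


# --- Hardened design: the server is the ledger, the card is only an identifier -------
class Ledger:
    """Authoritative balances keyed by card UID. The card's data block is never consulted,
    so rewriting it (or restoring an old copy of it) changes nothing."""
    def __init__(self):
        self._balances = {}

    def issue(self, uid, cents):
        self._balances[uid] = cents

    def top_up(self, uid, cents, payment_confirmed):
        # Credit only after the payment processor has confirmed the money (assumed flag).
        if not payment_confirmed:
            return False
        self._balances[uid] = self._balances.get(uid, 0) + cents
        return True

    def charge(self, uid, cents):
        bal = self._balances.get(uid, 0)
        if bal < cents:
            return False
        self._balances[uid] = bal - cents
        return True

    def balance(self, uid):
        return self._balances.get(uid, 0)


def demo():
    """Run both designs against the same tampered card; returns (vulnerable_ok, hardened_ok)."""
    card = Card(uid="04A1B2C3", cents=500)                  # legitimately loaded with $5.00
    attacker_rewrite(card)                                   # card now claims $655.35
    vulnerable_ok = kiosk_charge_vulnerable(card, 60_000)    # a $600 purchase goes through

    card = Card(uid="04A1B2C3", cents=500)
    ledger = Ledger()
    ledger.issue(card.uid, 500)
    attacker_rewrite(card)                                   # card still claims $655.35 ...
    hardened_ok = ledger.charge(card.uid, 60_000)            # ... but the ledger knows $5.00
    return vulnerable_ok, hardened_ok


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Moving the balance server-side is the fix that survives a broken card cipher: even a perfect clone of the card only carries the UID, and the kiosk has to ask the back end before dispensing anything. Signing the balance on the card would not be enough, since an attacker who can dump the block can also restore a previously signed, higher balance.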

RANSOMWARE
Ransomware Payments Plummet in Education Amid Enhanced Resiliency

Schools are slowly turning the tide against ransomware, but the fight is far from over.

According to Sophos, 84% of primary and secondary schools, and 79% of higher education institutions, were hit by ransomware in the past year. Despite this high rate, the median payments dropped by almost 90% compared to the year before. Primary and secondary schools went from $6.6 million to $800,000, while higher education fell from $4 million to $463,000.

The share of schools paying ransoms is also falling: just 24% of K-12 schools and 35% of universities paid in 2025, compared with more than half the year before. Recovery costs excluding the ransom also fell, by nearly 40%.

More than half of schools admitted their IT and security teams are understaffed. Almost 50% of K-12 institutions said they don’t have the right tools or budget to deal with ransomware. The human toll is heavy too: 38% of IT staff reported stress, anxiety, or burnout after an attack, with some needing time off work.

Sophos recommends several actions:

  • Use multi-factor authentication and keep backups offline.

  • Apply security patches quickly.

  • Segment networks so one breach doesn’t spread everywhere.

  • Provide 24/7 monitoring, ideally with external help if internal teams are too small.

  • Invest in training so staff can recognize and stop attacks early.

That’s all for this week.
