UK faces "perfect storm" for cyber security: Lessons for boards from ‘Cyber UK’

We’ve just returned from Cyber UK (the Government’s flagship cyber security conference) with the clear message that (i) the UK is facing the perfect storm in terms of cyber risk – acute geopolitical uncertainty combined with fast-developing technological advancements; and (ii) Government and industry will need to work together to combat this evolving threat.  

Boards are clearly already taking cyber risk seriously but what are the practical takeaways from this evolving landscape and the changing expectations of Government and regulators? 

Increased risk 

• Geopolitical uncertainty:  The NCSC and ministers were keen to stress that the UK is currently in the ‘grey zone’ between peace time and conflict. This means seeing cyber-attacks not just as a criminal act for financial gain but a routine feature of geopolitical conflict used for disruption and destabilisation. There have already been warnings of a heightened risk of indirect cyber threat for those organisations who have a presence, or supply chains, in the Middle East and specific guidance those organisations, and CNI (who may face increased attacks), can follow.  
   
• AI accelerating cyber-attack capability: While AI‑related cyber risk has been approaching for some time, speakers at CyberUK from across the world provided examples of its capabilities and risks.
  • AI firm Anthropic released its Mythos model in April which is, according to the UK’s AI Security Institute (AISI), substantially more capable at cyber offence than other models. The Government is so concerned by its capabilities that it has written an open letter to business leaders, warning of the threat. Regulators like the FCA and OFCOM have also warned of increased scrutiny in light of these technological developments. At the conference, Anthropic’s Head of Threat Intelligence described how attackers progressed, over the course of just a few months last year, from using AI primarily as a sophisticated search tool to deploying it as a fully‑fledged assistant across the attack lifecycle (supporting reconnaissance, penetration testing and the creation of targeted phishing campaigns).
  • AI is already lowering the barrier to entry for cyber criminals and making them more efficient (increasing the volume of expected attacks), and its capabilities are accelerating even faster than had been envisaged. The AISI  assess that the capability of these most powerful AI (frontier) models is now doubling every 4 months, compared to every 8 months previously. So, for example, further accelerating the reduction in the ‘dwell’ time between infiltration and attack, which used to be measured in weeks or months but can now be less than an hour.
  • That said, one of the risks with this proliferation of AI-enabled attacks is their indiscriminate nature. Speakers from the US and Japan highlighted ‘bad’ attacks that had been prevented but where the encryption tools used simply didn’t have functioning decryption built in or ‘noisy attacks’ which are easy to spot. The attacks are therefore not necessarily more sophisticated, with many detectable with effective monitoring, but more voluminous.  
     
• Humans still matter: Law enforcement agencies were also keen to emphasise the growth and sophistication of AI in human exploitation. That includes phishing, deep fake videos and, in some cases, de facto blackmail of key staff if they or their family are hacked. The clear lesson being that multi-human verification remains key alongside AI-supported detection and response systems.

Rising expectations on organisations and boards

• Move from cyber security to cyber resilience: Taking this together, the key theme was that cyber resilience has to mean having a ‘no pay’ plan fit for your business. This includes both technical work (system segregation, secure back-ups, principle of least privilege etc.) and operational and governance processes (for example, regularly practising incident response at gold and silver team level). As the NCSC said in a clear steer as to what ‘acceptable’ might look like in any ‘look back’ scenario, failing to grasp this is failing to respond to today’s reality.
   
• Cyber resilience pledge: Security minister Dan Jarvis echoed this when announcing that the government will ask every major organisation to sign a new Cyber Resilience Pledge this summer. The Pledge will invite organisations to make a “public commitment” to their investors,  customers and supply chains, to make cyber security a Board responsibility, to sign up to the NCSC’s Early Warning service and to require that suppliers are Cyber Essentials certified (which is the Government’s cyber certification scheme). This Board commitment builds on a series of recent interventions, from changes to Provision 29 of the Corporate Governance Code and last year’s Government letter to all major organisations, to the more recent letter on the latest AI threat which expressly asks boards to discuss cyber risk at their next meeting if they have not done so recently.   
   
• Using AI in cyber defence: While AI is creating new cyber risks, it can also help cyber security professionals, for example by finding vulnerabilities and patching them at speed. Cyber defenders (both those within your organisation, and experts appointed by your CISO) will need to be at least as adept at using AI as their adversaries which may involve re-assessing current capabilities.

Against this backdrop, organisations will be keen to avoid being an early test case for regulatory scrutiny, while ensuring that boards, GCs and CISOs are aligned on risk, investment and accountability.

The good news is that there is an expanding body of guidance and support available to help, including targeted assistance for SMEs. At a time when supply‑chain exposure is receiving governmental and regulatory focus, this should help organisations strengthen not only their own resilience, but that of smaller suppliers, without imposing disproportionate cost.