
Five Eyes on AI

by Mark Rowe

The evolving landscape of artificial intelligence (AI) is rapidly transforming cyber risk, and we must act swiftly to remain ahead, say the Five Eyes cyber security agencies.

The agencies for the UK (the National Cyber Security Centre, NCSC), United States, Australia, New Zealand and Canada have stated that cyber risk can no longer be treated as a purely technical issue. They write: “This is a core business risk and leadership responsibility. Boards and executives should ensure cyber resilience is in place and works under pressure. It is not enough to have controls. Leaders must be confident those controls will perform during a real incident. This requires reassessing long-standing trade-offs and using AI deliberately to strengthen defence – not just improve efficiency.”

As for what to do in practice, they urge businesses, among other things, to address legacy systems, test response plans, train and prepare teams, and assume breaches will occur. AI is shortening the time between vulnerability discovery and exploitation, they point out. Delays in patching increase risk, especially for operational systems with long update cycles. Adversaries are already using AI to move faster and more effectively. Defenders must do the same, they say. They sum up: “Cyber resilience is not an IT issue – it is central to operational continuity and market trust. Leaders who act now will reduce exposure, strengthen resilience, and build confidence with customers, partners, and investors. Those who delay will face growing and avoidable risk.” For their advice in full, visit the NCSC website.

Comments

Andrew Woodford, CTO of network security provider Titania and former Director of Engineering at the cyber firm Darktrace, said: “Everything we need to prepare for AI-accelerated cyber threats needs to be based in cybersecurity fundamentals. Following Five Eyes’s statement, there will be a temptation to panic: faster patching, new defensive AI tools, gathering intelligence on new threats. But the most important advice is to make sure that core fundamentals are in place: least privileged access, network segmentation, and reducing exposure through hardening and continuous monitoring. The shift from patching to remove vulnerabilities, to mitigating the effects of exploits should have already happened – if it hasn’t, AI makes it absolutely necessary.”

James Mackay, CEO of MetaCompliance, a security awareness training and human risk management platform, called the Five Eyes warning a timely reminder that the pace of AI development is outstripping the ability of many to adapt their defences. He said: “The statement is right to call for cyber security to be embedded in core business strategy, but it doesn’t address where most breaches often start – with people. AI is already reshaping the threat landscape in ways that exploit human behaviour, not just technical vulnerabilities. Convincing phishing emails, deepfake voice calls impersonating executives, and AI-generated social engineering are now within reach of much less skilled attackers, and they target employees, not firewalls.

“Patching legacy systems and strengthening identity controls are important, but if organisations don’t also build a workforce that can recognise and resist AI-enhanced manipulation, they’re only closing half the gap. Employees need to be treated as the first line of defence in a zero-trust culture, with the awareness and judgement to question what they see and hear, especially as AI makes deception harder to spot. Without this human layer of resilience, even the strongest technical controls will struggle to hold up under the pressure the Five Eyes are warning about.”

Graeme Stewart, Head of Public Sector at Check Point, said: “AI will turbocharge a new wave of devastating cyber attacks, the likes of which the world has never seen. However, whilst these warnings raise awareness of the impending threat, they do little in terms of offering guidance and support for organisations in the firing line.”

And Michael Jepson, Head of Penetration Testing at CybaVerse, said the warning from the intelligence community aligns with many similar industry concerns. He said: “CybaVerse recently conducted a survey on security professionals’ attitudes towards advanced AI, and the majority believe these platforms will do more to reduce security than improve it. Our survey revealed that 86 per cent of security professionals believe advanced AI systems will significantly reduce the time attackers need to identify and exploit vulnerabilities, while 75pc believe advanced AI systems will eventually be weaponised by cyber criminals.

“The risk these models present will no doubt continue to grow as they scale and become more capable, and these fears are reflected both among cybersecurity and intelligence leaders. The question of course is whether existing mitigations will be enough to cope, or if newer paradigms will need to be developed to respond to the widening of the threat landscape. As the Five Eyes report warns, organisations in the future need to be oriented towards security from the ground-up, with a focus on isolated systems, regular review of internal permissions and controls, and reduced reliance on legacy, unpatched systems.

“An interesting aspect of this is whether the threat landscape will ‘deepen’ and if mature organisations will be exposed to more sophisticated attacks, or if it will broaden and expose a much wider range of organisations not previously worth targeting to state and criminal attacks. The latter seems to be a real concern: 68pc of respondents said they were worried that their organisations would not have the resources to cope with increased patching demands, and this problem could cascade across organisations, especially SMEs, whose capacity to defend themselves is already limited.

“As the Five Eyes go on to say, AI may be part of the answer here, and the resource gap could potentially be mitigated through proactive, defensive use of LLMs for monitoring and flagging; humans need to continue to remain well in the loop for accountability and verification, but for less serious issues automation could become key.”
