The UK is finally treating cyber security as a boardroom issue rather than an IT problem. The government’s proposed Cyber Resilience Pledge, the continued passage of the Cyber Security and Resilience Bill, and a £90 million investment into national resilience all signal a serious shift in tone. At the same time, the UK cyber sector is booming, now worth £14.7 billion and supporting thousands of jobs. On paper, the trajectory looks encouraging.
But the uncomfortable question for business leaders is this: are we genuinely getting ahead of the threat, or are we simply becoming better at reacting after the damage is done?
Recent events suggest the latter may still be true.
The attack on Instructure’s Canvas platform is a reminder that no organisation is immune, even those trusted by universities, schools and public institutions worldwide. A single exploited vulnerability disrupted access for thousands of students during exam periods, while the attackers escalated pressure through defacement and extortion tactics. The technical breach itself was serious enough, but the wider impact on trust, operations and reputation was arguably even greater.
More concerning still is the changing nature of cybercrime itself. The BBC recently highlighted a growing trend in which cyber-attacks are accompanied by real-world intimidation and threats of physical violence. Ransomware gangs are increasingly targeting individuals as much as systems, using stolen personal data to threaten employees and executives directly. In some cases around the world, attacks have crossed into kidnappings, extortion and “violence-as-a-service”.
This evolution matters because it fundamentally changes how organisations must think about cyber risk. It is no longer purely a technology challenge. It is now an operational resilience, people protection and business continuity issue.
And then there is AI.
For years, organisations have spoken about AI as a future risk. That future has already arrived. Threat actors are now using AI routinely, not experimentally, to accelerate phishing, automate reconnaissance, develop malware and identify vulnerabilities faster than traditional defensive teams can respond.
Recent reports from Google Threat Intelligence and the IMF point to an uncomfortable reality: AI is dramatically lowering the barrier to entry for sophisticated attacks while simultaneously increasing their scale and speed. Large language models are now capable of identifying logic flaws in software, generating convincing impersonation content and even supporting semi-autonomous attack workflows.
The concern is not simply that attacks will become more common. It is that they will become exponentially faster, cheaper and harder to detect.
This creates a dangerous asymmetry. Most organisations still operate cyber defence models built around periodic patching, annual audits and reactive incident response. Attackers, meanwhile, are moving toward continuous, AI-enabled operations.
That gap is where the real risk lies.
So, is the UK doing enough?
The honest answer is that progress is being made, but resilience still lags behind the sophistication of the threat landscape. Government initiatives such as the Cyber Resilience Pledge are important because they push accountability to board level, which is exactly where it belongs. Cyber security can no longer sit solely with IT departments or external providers. Leadership teams must view cyber resilience in the same category as financial governance, health and safety, or regulatory compliance – it’s now a major Risk Register item.
However, regulation and pledges alone will not solve the problem.
Many organisations still rely too heavily on perimeter-based thinking, the idea that stronger firewalls and endpoint protection are enough. They are not. Modern cyber resilience is about assuming breaches will happen and designing systems, processes and teams capable of containing disruption quickly.
That means investing in visibility, detection and recovery just as much as prevention. It means scrutinising supply chains more aggressively. It means stress-testing crisis communication plans before an incident occurs, not during one. And critically, it means recognising the human element of cyber risk.
Employees remain both the first line of defence and the easiest target. AI-generated phishing attacks are becoming almost indistinguishable from legitimate communications, while social engineering tactics are becoming increasingly personalised and psychologically sophisticated.
For organisations looking to strengthen resilience now, the priorities are clear: make cyber security a genuine board-level agenda item; adopt recognised frameworks such as Cyber Essentials; improve incident response readiness; reduce dependency on single points of failure; and ensure staff training evolves as quickly as the threats themselves.
Perhaps most importantly, businesses must move away from asking, “Can we stop every attack?” and instead ask, “How quickly can we recover when one succeeds?”
Because in today’s landscape, resilience is becoming more valuable than prevention alone.
The cyber threat facing UK organisations is not slowing down. If anything, AI, automation and increasingly aggressive criminal tactics suggest we are only at the beginning of a far more complex era. The organisations that thrive will not necessarily be those with the biggest security budgets, but those willing to treat cyber resilience as a core business capability rather than a technical afterthought. If you’d like to discuss how your organisation can strengthen its cyber resilience strategy, reduce operational risk and prepare for the next generation of threats, please do get in touch with us.