Cybersecurity is no longer a digital problem

AI-generated threats are redefining risk, forcing organisations to rethink resilience, visibility, and board-level accountability. Cyber-attacks today are no longer just about data; they also disrupt physical systems, undermine trust, and expose dangerous blind spots in supply chains and leadership.

Cyber-attacks may be relentless, but attention spans are not. For most people, the headlines fade after a few days: the tills are down, the shelves are empty, the culprit is ransomware, and eventually, someone writes a blog post about lessons learned. But for the staff inside that business, the story is just beginning.

“There is a preconceived idea that recovery is quick,” Jonathan Lee, UK Cybersecurity Director, says. “But even if a ransomware attack is stopped before damage is done, the aftermath is complex. Passwords need to be reset, systems need to be rebuilt, and vulnerabilities need to be closed. It is a dark, lonely place to be.” The damage rarely stops with the breach. The psychological toll, reputational fallout and operational paralysis often linger for months.

For Lee, cyber risk today is a human risk. It is not just stolen data but disrupted blood tests, broken councils, and food deliveries that never arrive. “We need to stop separating cybersecurity from disaster recovery and business continuity,” he says. “It is all the same thing. Cyber resilience is not a technical exercise; it is the capacity to operate through crisis.”

Why phishing is still winning

According to Lee, part of the reason cyber resilience lags behind cyber innovation is the growing gap between real and perceived threats. A recent survey revealed a decline in incident reporting, but impersonation and phishing attacks continue to be widespread. The discrepancy, he argues, is rooted in a false sense of comfort.

“We are seeing AI being used to make phishing attempts look completely legitimate,” Lee continues. “Gone are the days of misspellings and dodgy logos. AI-generated messages are polished and hard to spot. And the problem does not stop at emails. Deepfake-powered social engineering is already infiltrating meetings, redirecting payments and extracting sensitive data under false pretences.”

Where organisations fall short, he suggests, is in assuming training is a compliance box to be ticked once a year. “We need to move from static to dynamic learning,” he explains. “Little and often. Make it fun, make it relevant, and use AI to adapt the experience to individual risk profiles.” He cites interactive games that help staff spot deepfakes and detect misinformation as a more effective route to behavioural change.

Outside the workplace, public education also plays a crucial role. Employees return home, share devices, and become digital gatekeepers for their households. A mature cyber workforce must begin with a digitally literate society.

Boards are still in the dark

Despite a decade of awareness campaigns, only around 30 per cent of UK organisations currently assign board-level accountability for cybersecurity. The result, Lee warns, is a crisis of maturity at the top. “Cyber is still seen as an IT problem,” he says. “Even in large organisations, it is too often siloed away from business risk. Until boards treat cyber like they would a fire, flood or major supply chain breakdown, nothing will change.” He calls for non-executive directors with firsthand breach experience and a shift from a reactive to a proactive strategy.

Visibility, he stresses, is everything. Many boards fail to realise they are blind. “They do not want to switch the lights on in case they do not like what they find,” Lee continues. “But if you do not know what is happening inside your systems, how can you manage the risk?” That reluctance to investigate, combined with a lack of contextual prioritisation, means critical threats are often hidden among irrelevant noise.

Proactive security, he argues, begins with understanding what devices are connected, what systems are critical, and what would happen if those systems were to fail. “Think like an attacker,” he advises. “Map your vulnerabilities. Prioritise what matters, and do not wait to be breached to act.”

The problem, according to Lee, is that too many boards treat compliance as a ceiling rather than a floor. “If you stop at ticking the regulatory box, adversaries will simply step one rung higher,” he says. “Cyber hygiene must go beyond frameworks. It must be embedded as a lived discipline that evolves with the threat.”

The supply chain is your attack surface

For many businesses, internal resilience is no longer enough. Modern digital operations depend on increasingly complex third-party ecosystems, each with its own vulnerabilities. The weakest link may not be your firewall but someone else’s spreadsheet.

“Supply chains are a blind spot,” Lee warns. “You may have hardened your own systems, but you rely on others. If a supplier goes down, it may not result in data loss, but how do you fill hospital shelves or serve school meals if the logistics are compromised?

“Contractual clauses and compliance checks are a start, but they are not a guarantee.” The upcoming Cyber Resilience Act introduces the concept of ‘critical suppliers’ to enforce minimum standards, but Lee insists that resilience means more than compliance. “You need a Plan B. And a Plan C. Ask what happens if your supplier fails, then work out how to stay operational anyway.”

This is especially pressing for organisations that sit quietly in the background of critical infrastructure, many of which are SMEs with limited security resources. “Too much of the economy depends on companies no one has heard of,” Lee says. “Raising the cyber maturity of these smaller players is not optional. It is survival.”

AI is both a problem and solution

There is no avoiding the elephant in the server room. AI is transforming both sides of the security equation. For attackers, it means faster social engineering, targeted reconnaissance, and automated exploitation. For defenders, it offers scale, speed, and predictive foresight.

“The good news,” says Lee, “is that we are currently ahead. Attackers tend to do the least for the most gain, and most organisations are still failing at the basics, with no multi-factor authentication, unpatched systems, and outdated processes. That allows defenders to innovate faster.”

But there is no room for complacency. AI is not a silver bullet. “Compliance is a floor, not a ceiling,” Lee advises. “If you stop at meeting regulatory standards, attackers will step right over you. We need to move beyond audit checklists and build AI-enabled tools that can triage threats, simulate scenarios, and adapt more quickly than the threat landscape shifts.

“The limitations of AI in cyber defence are less about the technology and more about the governance. The same tools that streamline detection can also embed bias or miss context if improperly trained or deployed. Like any revolution, the challenge is not just technical; it is organisational, cultural and educational.”

The real risk is not AI but inertia

There is no shortage of frameworks, platforms or acronyms. What is missing, Lee suggests, is realism. Too many incident response plans are theoretical, too many executives assume cyber is someone else’s problem, and too few organisations are testing what failure really looks like.

“Recovery planning often comes last,” Lee continues. “But what if you simulate the worst-case scenario based on your actual systems? Use AI to map the impact of a system going down, not just in data terms but also in terms of human outcomes. Could you still run diagnostics, deliver prescriptions, and pay suppliers? What would your staff do if every screen went dark?”

Executives must stop thinking of cyber-attacks as abstract risks. These are business-ending events. As AI drives new efficiencies, it also accelerates the collapse when things go wrong. The first step is no longer protection but visibility. Know what you rely on. Understand how it could break. Then, test how you will respond when it does.

“Cybersecurity is not a grudge purchase,” Lee concludes. “It underpins your ability to operate. Every board member needs to ask: if we were hit tomorrow, how would we cope, and why are we not investing in that today?”

For businesses investing in AI, the question is not whether they are exposed; rather, it is whether they are prepared. It is how much they are willing to see before it is too late.
