The National Cyber Security has called on organisational leaders to treat cyber resilience as a core business and governance responsibility rather than a technical matter in the light of a report by the Five Eyes intelligence alliance on the "fundamental" impact of AI on the speed and scale of cyber threats.
Frontier AI models are anticipated to exceed current industry expectations within months, not years, lowering barriers for malicious actors, accelerating the exploitation of vulnerabilities, and compressing the window between vulnerability discovery and attack, the report says. It urged leaders to:
- understand and assess risk, readiness and accountability
- prioritise foundational cyber security practices and controls
- empower cyber leaders with authority and resources
- stay actively engaged as threats and guidance evolve
"A whole-of-organisation and whole-of-society response is required," the report's authors said, "Cyber risk can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility. Boards and executives should ensure cyber resilience is in place and works under pressure. It is not enough to have controls. Leaders must be confident those controls will perform during a real incident. This requires reassessing long-standing trade-offs and using AI deliberately to strengthen defence - not just improve efficiency.
The NCSC and co-signatories from the United States, Australia, Canada and New Zealand, set out a number of practical actions that organisations should use to reduce technical, operational, financial and reputational risks:
1 Reduce your attack surface: Limit unnecessary system access and external connectivity. Challenge whether systems need to be exposed at all and isolate those that do not.
2 Accelerate patching processes: AI is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. Prioritise security updates accordingly to manage risks.
3 Address legacy systems: Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities.
4 Review and strengthen identity and access controls: Limit who can access critical systems. Enforce strong authentication and regularly review permissions.
5 Prepare for incidents before they happen: Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery.
In addition to the NCSC's chief executive Richard Horne, the signatories include counterparts from the Australian Signals Directorate, Communications Security Establishment Canada, New Zealand's Government Communications Security Bureau, the US National Security Agency, and the Cybersecurity and Infrastructure Security Agency.
The full Five Eyes statement is available at www.ncsc.gov.uk/news/the-ai-shift-in-cyber-risk-why-leaders-must-act-now

