How AI is making the UK’s cybersecurity crisis worse — and what businesses must do now

There is a number worth sitting with.

49%.

That is the share of UK businesses that cannot handle a basic malware incident. Not a sophisticated nation-state attack. Not a zero-day exploit. Basic malware — the kind that experienced security teams resolve before their morning coffee.

Nearly half of UK businesses. Unable to manage the basics.

And the threat is accelerating.

The AI attack problem no one is talking about honestly

In 2025, over 90% of phishing emails were AI-generated. That number sounds abstract until you understand what it means in practice.

“There is no grammar misspelling in phishing attacks anymore,” says Bohdan Chaban, GRC Team Lead. “They are no longer using ‘Hello all’ or ‘Hello guys.’ They always use your name. They know who you are, what you are, what you’re doing. They know what you read. The phishing email is now personalised for everyone.”

The era of spotting a suspicious email by its broken English or generic greeting is over. These messages know your role, your organisation, your recent professional activity. They are convincing, contextually accurate, and produced at machine scale.

What is more concerning is the asymmetry: attackers are deploying AI systematically and effectively, while defences — particularly among smaller organisations — have not kept pace.

“I hear a lot about AI security solutions, big words on websites and marketing material,” Bohdan adds. “But when you test it, when you actually play with it — it’s not even 10% of what AI attacks can already do.”

The structural gap that will not close itself

The public sector employs roughly 50 to 60 times fewer cybersecurity professionals than the private sector. When you narrow it to the legislative and policy teams responsible for writing cyber regulation, the gap is even larger.

The result is predictable: the institutions responsible for setting the rules are structurally unable to keep pace with the threats those rules are meant to address. Regulation arrives late, focuses on visible compliance markers, and rarely translates into meaningful operational protection.

“The focus is on form, not substance,” says Dmytro Pigul, Compliance Officer. “The public sector is checking whether your cookie banner is correctly formatted. Not whether the data gathered through that banner is actually secure. Not whether you have anonymised it. Not what legal basis you’re sharing it on. Just the cookie banner.”

The system is optimising for the audit. Not for the outcome.

When geopolitics becomes a cybersecurity variable

This is the part of the conversation most businesses are not factoring into their risk models — and it may be the most important.

Russia has systematically targeted UK critical infrastructure in direct response to UK support for Ukraine. When Storm Shadow missiles were approved for transfer, the UK experienced a significant surge in coordinated cyberattacks. The primary targets were not defence contractors or government ministries. They were the NHS. Transport networks. Public services.

Organisations that had no particular reason to consider themselves geopolitical targets — and were not prepared to be.

“Russia was targeting the UK each time the UK was trying to help Ukraine,” explains Mykola Kuzmin, researcher at the Henry Jackson Society and contributor to The Telegraph, in a recent conversation with Riskora. “The NHS, London transport — they were premier targets. Not because they were geopolitically significant. Because they didn’t expect the attack.”

Dmytro frames it as a risk management failure: “It’s the same logic as a major retailer preparing for Black Friday. Every merchant knows they’ll face DDoS attacks, scams, script kiddies, competitors — and they prepare for months in advance. The same logic applies here. If you are supporting Ukraine, or operating in a country that is, you need to be ready.”

2026’s regulatory wave: progress or noise?

This year has brought significant regulatory activity: the EU AI Act, DORA, and updated GDPR frameworks. The intent is right. The execution raises questions.

More regulation does not automatically mean better protection. When the focus remains on documentation and visible compliance rather than operational security outcomes, organisations end up investing in processes that satisfy auditors rather than processes that reduce actual risk.

The UK sits at a genuinely interesting juncture — between the innovation-first approach of the US market and the regulatory density of the European Union. Neither extreme has delivered a working model. The US has competitive dynamism but patchy protection. The EU has regulatory rigour but has arguably crowded out the large-scale technology innovation that drives security advancement at the frontier.

The opportunity for the UK is to build something more effective than both. That requires treating substance as the priority, not form.

What actually protects a business

There is no single answer. Anyone who tells you otherwise is oversimplifying.

“Effective security is never a single control,” says Bohdan Chaban. “It is a combination of the right measures, implemented correctly for the specific organisation. ISO 27001 applied generically will not protect you. A single software subscription will not protect you. Encryption without access controls will not protect you.”

What works is a layered approach: the right tools, the right processes, the right oversight — tailored to the organisation, the sector, and the actual threat profile. Smaller organisations in particular face a real challenge here. Hiring an in-house senior security engineer in the UK runs £100,000–£250,000 per year at market rate. And one person is not a security operation.

The practical answer for most SMEs and growing organisations is managed security services — a model that gives the output of a full security operations team without the overhead of building one from scratch. The service integrates with existing infrastructure, works alongside internal teams, and scales as the business grows.

“Most businesses know they need better cybersecurity,” says Dmytro Pigul. “The problem is not awareness. It is the gap between knowing and being able to act.”

The real risk is not the attacker

The most dangerous condition in cybersecurity is not a sophisticated adversary or a complex regulatory landscape. It is the gap between what an organisation believes about its own security posture and what is actually true.

That gap — between perceived protection and real exposure — is what most incidents ultimately come down to. Not technical failures. Organisational ones.

Closing that gap honestly, practically, and without oversimplifying is the most valuable thing any security or compliance professional can do for the businesses they work with.

The risk is not the enemy. Ignorance is.

Riskora Consulting is a cybersecurity and compliance company operating across the UK, Europe, and the USA. The company works with organisations ranging from growing SMEs to multi-jurisdiction enterprises on SOC-as-a-Service, CISO-as-a-Service, ISO 27001 implementation, GDPR and DORA compliance, and technical security consulting.

This article draws on insights from Episode 1 of The Ignorance Factor, Riskora’s new podcast series on the real state of cybersecurity and compliance. The episode features Mykola Kuzmin, researcher at the Henry Jackson Society and contributor to The Telegraph.

Watch the episode: https://youtu.be/45aIZZdGEG4

Learn more: riskora.io
