Fewer UK businesses experienced a cyber attack in the last 12 months compared to last year, but boards still need a push to take measures seriously with AI threats on the horizon, Orange Cyberdefense's (OCD) new UK chief tells The Stack.

The government's latest Cyber Security Breaches Survey, released this week, found 43% of UK businesses had recorded an attack in the survey period, down from 50% the year before.

However, with the survey finding growing concern around "the use of AI in phishing scams", still the top access tool for recorded attacks, and the National Cyber Security Centre (NCSC) warning last year that AI will “almost certainly increase” the volume and impact of cyber attacks in the coming years, can companies be confident in their ability to combat future threats?

Recently appointed UK Managing Director Ajay Bhardwaj at OCD, the security branch of European telco Orange, thinks not. “Swathes of industries just aren’t there” on cybersecurity as geopolitical tensions exacerbate supply chain vulnerabilities, he tells The Stack at the company's new London offices.

“Still large organisations are struggling with the basics. [Asking,] are they able to really even do the patching that they're supposed to be doing and keeping up with [vulnerabilities]? That's the tricky stuff, you wouldn't think it but it still is,” he says.

AI threats will only exacerbate the problem as well, he warns: "For threat actors it's been pretty easy to get access. But now with AI evolving the threat and changing it up, I think that [access] becomes a lot easier. And what's coming on the horizon, with autonomous [AI], that's going to be another game changer."

Bhardwaj backs up his warning with the stat that 69% of the UK market do not even have a cyber incident response plan according to OCD. The government's survey had a slightly better outlook, finding 70% of large businesses and 57% of medium businesses had a formal cybersecurity strategy in place, but the numbers are clearly not where they need to be.

Regulation and workers “pushing up” will lead companies in the right direction, says Bhardwaj, though a lack of industry benchmarking has some of his customers wondering “how much is too much”. And while many have tech leads pushing for investment into cybersecurity, execs are still not always convinced.

Cybersecurity by regulatory force

The government appears to agree, recently launching a new cybersecurity code of practice aimed at getting “boards and directors to strengthen their understanding of how to govern cyber security risks.”

Organisations supporting critical national infrastructure (CNI) could also soon be threatened with £100,000 a day fines for failing to secure their operations, if measures proposed for a Cyber Security and Resilience Bill go ahead.

The proposal is “a really good idea” as “it’s about time they’ve stepped in”, says Bhardwaj. “I think a nudge from the government is really important, you’ve got to start somewhere and I think they’re starting in the right way.”

Regulatory enforcement of security best practice should focus on a “top down approach”, he adds: “it’s an education for a lot of boards and directors.”

Ajay Bhardwaj and OCD CEO Hugues Foulon at the company's London office launch. Image Credit: Orange Cyberdefense

OCD hopes to lead by example, with its new UK “cybersecurity experience centre” designed to drive home the importance of the idea to execs.

Similar centres in Brussels have seen CISOs given significant rises in their budget, Strategic Advisor Simen Van der Perre tells The Stack after showcasing the experience.

AI threats? What AI threats?

So what are these threats that will leave CEOs quaking? OCD’s “ex-military, ex-GCHQ” Pentest Team Lead Stuart Kennedy shares a worrying list of AI-powered polymorphic malware, deepfake social engineering tricks, and hacking copilot agents, models for which, he warns, are available on HuggingFace.

On top of that, the red team leader is also seeing development of autonomous offensive AI models which "lets us sit back a little bit, chill out, pina colada [in hand], and let that attack happen. Then we pick up the pieces towards the end, that's where our expertise comes into play because we can then fine-grain that [initial access] into more of an advanced attack."

The threat would be a concern for any advanced security team, but Kennedy also emphasises the fact that many companies are still struggling with the basics, making them particularly vulnerable to more sophisticated versions of simple access tactics such as phishing.

In fact, the government's cyber breaches survey found phishing attacks were still by far the most prevalent for UK businesses, with 65% of those recording a breach attributing it to phishing.

While Kennedy says sophisticated security tools may help to prevent widespread phishing emails, AI may help bad actors to instead focus their attempts with hyper-personalised emails to specific people, an issue already seen in various forms in the wild including personalised fake email logins.

Many have advocated a 'fight fire with fire' approach to the issue by using AI tools to enable a more agile security environment, though OCD CSIRT Analyst Samantha Caven says her team is still exercising caution on the idea.

Bhardwaj though says "you still need human oversight" as "trust is a big thing". Humans can still have a leg up on their AI counterparts, says Kennedy. "We do see trends in what is AI generated and what is human generated, because humans all think differently whereas AI is very siloed into one set of thinking."

However, while he says an AI-powered hacking tool is "only as good as the model you're using" and the person driving it, he adds: "If you can train it really well, it gets really hard to detect."
