UK ministers have warned business leaders that the cyber threat landscape is changing as advanced Artificial Intelligence models become capable of work that previously required highly skilled criminals. These systems can identify software weaknesses, write exploit code, and operate at a speed and scale that was previously out of reach. The government said this shift means businesses must change how they prepare for cyber risk, as attackers are likely to target ordinary companies as well as government systems and critical infrastructure.
Recent testing has sharpened that warning. Last week, Anthropic announced a new model called Mythos. Testing by DSIT’s AI Security Institute found it to be substantially more capable at cyber offence than any model previously assessed. The institute said frontier model capabilities are doubling every 4 months, compared to every 8 months previously. OpenAI also announced scaling up their Trusted Access for Cyber program last night, reinforcing the view that accelerating cyber capability is not limited to one company. Ministers said businesses should plan for frontier Artificial Intelligence model capabilities to rise rapidly over the next year.
The government highlighted its own response, pointing to the AI Security Institute as a core capability for independently assessing frontier Artificial Intelligence systems. It also cited the National Cyber Security Centre’s guidance for businesses, the Cyber Security and Resilience Bill currently progressing through Parliament, and plans to publish a National Cyber Action Plan. These measures are intended to strengthen protections for critical services and support the UK’s national security against cyber threats.
Business leaders were urged to treat cyber security as a matter for boards and senior management rather than something delegated entirely to information technology teams. Organisations were encouraged to use the Cyber Governance Code of Practice, while smaller businesses were directed to the NCSC’s Cyber Action Toolkit. Ministers also stressed the need to prepare for incidents through planning and rehearsal, and noted that free cyber insurance is available to small organisations that obtain Cyber Essentials.
The practical advice focused on established cyber hygiene rather than new or specialised defences. Businesses were told to get the basics right with Cyber Essentials, which addresses common weaknesses such as outdated software, weak passwords, and missing backups. They were also encouraged to embed Cyber Essentials requirements across supply chains, with larger organisations directed to use the NCSC’s Cyber Assessment Framework. In addition, organisations were urged to follow NCSC guidance and sign up for the Early Warning service, which provides alerts on potential cyber attacks so action can be taken before incidents escalate.
