June 29, 2026
The National Cyber Security Centre (NCSC) has urged organisations to strengthen their cyber defences in response to the growing risks posed by increasingly sophisticated artificial intelligence.
Reflecting the scale of the challenge, the CEO of the NCSC was joined by the heads of the cyber security agencies in the other ‘Five Eyes’ countries of Australia, Canada, New Zealand and the United States in issuing the warning. The coordinated intervention reflects a growing international consensus that AI is fundamentally changing the nature of cyber threats and requires organisations to rethink how they manage risks.
The message is a simple one: whilst AI can strengthen cyber defences, it also increases the speed, sophistication and frequency of attacks, lowering the technical expertise required for malicious actors to launch them. In order to respond to this changing environment, organisations are urged to adopt a “whole-of-organisation approach”, no longer treating cyber security as purely an ‘IT problem’, but rather as “a core business risk and leadership responsibility”.
Boards and senior executives are encouraged to ensure that cyber resilience measures are robust and capable of performing during a real incident. Defence in depth is stressed: it is not sufficient to depend on a single solution, and AI should be used to strengthen defences rather than just improve efficiency.
The letter also sets out a list of practical actions that organisations should take now as a matter of urgency to reduce operational, financial and reputational exposure:
- Reduce the attack surface. Limit unnecessary system access and external connectivity. Challenge whether systems need to be exposed at all and isolate those that do not.
- Address patching processes. Delays in patching increase risk, especially for operational systems with long update cycles. Organisations are encouraged to prioritise security updates accordingly to manage risks.
- Address legacy systems. Unsupported systems are easy targets.
- Review and strengthen identity and access controls. Limit who can access critical systems, enforce strong authentication, and regularly review permissions.
- Prepare for incidents before they happen. Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery.
To read the letter in full, click here.
Expertise