A series of warnings landing in quick succession is sending UK businesses the same message from every direction: the threat environment has shifted, and the time to act is now – not next quarter, and not when the board next reviews IT spend.
NCSC: “between peace and war”
In a media interview on 7 May, Dr Richard Horne, CEO of the National Cyber Security Centre (NCSC), once again delivered an unambiguous warning: the UK is approaching a “perfect storm” in cyber security – and too many organisations remain unprepared.
The NCSC is now handling around four nationally significant cyber incidents every week. Ransomware remains the most common criminal activity, but Horne stressed that the most serious and damaging threats now originate directly or indirectly from nation states, posing far greater risks to business, public services and critical infrastructure. The UK, he said, is operating in a cyber environment “between peace and war” – shaped by geopolitical tension, AI-driven technological change and highly capable state-linked actors.
IMF: AI is about to “crack the cyber risk world open”
That warning landed alongside an equally stark assessment from the International Monetary Fund. In a recent report, the IMF cautioned that AI-powered attacks could threaten the stability of the global financial system – dramatically lowering the cost, speed and skill required for attackers to identify and exploit vulnerabilities at scale.
Bank of England Governor Andrew Bailey has echoed the concern, warning that frontier AI could “crack the whole cyber risk world open”. The IMF’s conclusion is blunt: “Defences will inevitably be breached. Resilience must also be a priority.”
This is not a financial-services-only problem. AI is collapsing the cost of attack across every sector: phishing at native-speaker quality in any language, automated reconnaissance, deepfake-enabled fraud, and malware that adapts faster than human defenders can respond.
From criminal noise to systemic risk
Horne’s core message, repeated both on the BBC and previously at the CYBERUK conference, is that cyber security is no longer a background technical issue.
Supply-chain attacks are amplifying risk across the economy. One successful compromise can now cascade across multiple organisations, sectors or services, turning individual weaknesses into system-wide exposure. Large-scale hacktivist attacks, particularly during periods of international conflict, can cause disruption comparable to ransomware, but with no option to pay for recovery and little warning before impact.
A culmination, not a coincidence
Taken together, these warnings – NCSC on threat volume, the IMF and Bank of England on AI-enabled attack capability, and the wider shift toward mandatory resilience reporting – are not isolated headlines. They are the same signal arriving from regulators, central banks and national security agencies at the same time:
This message applies equally to private enterprises, suppliers, professional services firms and SMEs. Every UK business – regardless of sector or size – now sits inside an interconnected, contested digital environment. Buying more tools is not a strategy. Resilience now depends on visibility, response capability, governance and accountability being built into how organisations operate.
“Cyber security must be part of the mission”
As Horne put it: “Defending against this means every organisation embedding cyber security into their corporate mission… cyber security is the responsibility of everyone, whether they sit on the board or the IT help desk.”
He went further, warning that organisations which fail to treat their technology foundations as core to their prosperity are no longer merely taking risks; they are failing to grasp the reality of today’s world.
How Equity helps: Proteq
At Equity, we see daily evidence of the gap Dr Horne and the IMF are pointing to: organisations that recognise the risk but lack the structure or capacity to act decisively.
That’s why we developed Proteq: a tiered, managed cyber security framework that meets organisations where they are. Whether you need baseline protection, enhanced assurance, or compliance-aligned resilience for a regulated environment, Proteq scales to your sector, size and exposure – embedding protection, response and assurance into how you operate, not just into your IT stack.
The perfect storm is forming. In a threat environment moving this quickly, resilience must be deliberate, scalable and actively managed – never assumed.