You will, no doubt, have seen the media coverage around artificial intelligence firm Anthropic’s decision to withhold the release of its latest model, Mythos, on cyber security grounds.
It prompted governments and business leaders to meet to discuss the acceleration of AI cyber threats. This risk advisory is intended to help you navigate the same thinking.
What has happened?
The Government has sent a letter to all UK business leaders to talk about the threat of AI-enabled cyber attacks.
The AI Security Institute, an organisation within the Department for Science, Innovation and Technology, has performed an independent evaluation on Anthropic’s Mythos model, and “has found it to be substantially more capable at cyber offence than any model we have previously assessed,” and that “AI cyber capabilities are accelerating even faster than had been previously envisaged.”
This sounds alarming but doesn’t require a knee-jerk reaction. AI changes the pace, not the principles, of cyber security. It multiplies familiar risks and makes the basics more important than ever.
It’s important to do what you can, and remember that it is in Anthropic’s interest to generate hype and market its products as being at the cutting edge.
What is the risk?
Of particular concern is the potential for there to be a ‘tidal wave’ of severe vulnerabilities being found in common software. Organisations might struggle with the volume of updates that need to be applied, leaving them exposed, or day-to-day business activities disrupted.
- Source: External threat actors (most likely security researchers, cyber criminals, or state actors)
- Event: System Intrusion, leading to information breach or availability interruption
- Consequence: Business Disruption (and potentially second-order consequences like regulatory fines or legal challenge)
However, it’s important to note that, as of today, there has been no material change in the volume of updates that teams need to deal with. The controlled release of these new tools is designed to help mitigate this in the near term.
How might it evolve?
In the future, patching a vulnerability before it is exploited in the wild may become essentially impossible, especially since exploitations may be discovered before the vulnerability is publicly disclosed.
Patch prioritisation and deployment for critical systems will still be important, but additional redundant controls to defend in depth – and avoid single points of failure – will be increasingly important.
Our actions are geared to establish solid foundations to build upon and protect you now, and into the future.
What action is required?
The government’s call to action in response to this is grounded in establishing good governance, and getting the basics right.
For the majority of organisations, they are more likely to suffer an incident because of basic hygiene factors or common social engineering than by a complex artificial intelligence.
There are three steps you can take to improve your cyber security posture:
- Make cyber a board-level responsibility and govern cyber security as a business problem
- Focus on getting the basics right to build defence in depth
- Sign up for NCSC’s Early Warning Service
Make cyber a board-level responsibility and govern cyber security as a business problem
As a business leader, it is your responsibility to protect your organisation and to be ultimately accountable for security decisions the organisation makes. This means you need to understand your organisation’s cyber security risk and make security decisions which protect and enable your business objectives.
The Cyber Governance Code of Practice, introduced in 2025, was created to support boards and directors in governing cyber security risks, and sets the expectations for what good governance looks like.
The NCSC has also released free cyber governance training for board directors to help reinforce top management’s understanding.
Agree and document who has board-level responsibility for cyber security in your organisation
Focus on getting the basics right to build defence in depth
Common cyber security incidents stem from gaps in basic security protections. Cyber criminals are, broadly, looking for a quick buck, and will opt for the easy path. Make yourself an unattractive target. Focussing on getting these basics right, and building ‘defence in depth’ so you’re not reliant on a single point of failure, is one of the most impactful things you can do to protect your organisation.
Implement Cyber Essentials controls (and consider certification)
The UK’s Cyber Essentials scheme, which focuses on these basics, has been proven to drastically reduce the frequency of cyber insurance claims, this includes:
- Controlling incoming and outgoing internet traffic using firewalls and gateways
- Securing device configuration to change default passwords and turning off unused functionality
- Ensuring user access control by limiting access to what they ‘need to know’ and turning on multi-factor authentication
- Installing malware protection, such as antivirus software or using application whitelisting
- Regularly apply security updates (patching) so that important updates are applied within 14 days
Most of these actions make use of existing functionality or configuration options in standard IT tooling and do not require significant capital outlay or expensive subscriptions.
UK organisations are also being encouraged to get certified to boost national cyber resilience, and to request the same of their suppliers. You should expect that larger customers may start mandating this level of certification in future tenders and contracts. Cyber certifications can unlock commercial opportunities.
Sign up for NCSC’s Early Warning Service
UK organisations can take advantage of this free service, which will complement any other detection and response capabilities you have.
Sign up for the NCSC’s free early warning service
An incident response plan will allow your organisation to make the most of this early information. We have published a free incident response plan template that can help, if you don’t have one already.
Summary actions
Carry out these three actions as a priority, and use the linked resources (or contact us for more help) to build longer-term resilience:
- Agree and document who has board-level responsibility for cyber security in your organisation
- Implement Cyber Essentials controls and consider certification (Cydea can help)
- Sign up for the NCSC’s free early warning service
Other resources:
If you are struggling to understand the impact AI may have on your cyber security, we have a new pack of AI risks to help you get started quantifying the security impact on your organisation. Sign up to Login/Signup to Cydea’s Risk Platform for free, or drop us a line to speak with one of the Cydea team.
Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our [cydea.tools[(https://cydea.tools/) site.
Photo by The New York Public Library on Unsplash.
Tim Orchard
Nicolas Aristegui
Lucia Turner