87% of UK Businesses Are Unprepared for Cyberattacks

A report from Microsoft and Goldsmiths, University of London has found that just 13% of U.K. businesses are resilient to cyberattacks, with 48% deemed vulnerable and the remaining 39% facing high risk.

A survey of 1,039 senior business decision-makers and 1,051 employees revealed that the majority of U.K. organisations lacked adequate cybersecurity tools or processes. Microsoft warned that this left 87% of organisations exposed to security threats at a time when bad actors were using AI to launch more sophisticated attacks (Figure A).

Figure A

Highlights from the Microsoft and Goldsmiths research Using AI in cyber defence could save the U.K. economy £52 billion ($66 billion USD) a year. Only 27% of U.K. organisations are using AI to strengthen their cybersecurity. Organisations that use AI-enabled cybersecurity are twice as resilient to attacks than those that don’t and suffer 20% less costs when attacked. 35% of U.K. organisations are struggling to fill permanent cybersecurity roles. 69% of business decision-makers agree the U.K. needs better cybersecurity defences to be a leader in AI.

UK not living up to its “AI superpower” title

According to the report, titled Mission Critical: Unlocking the UK AI Opportunity Through Cybersecurity, cyberattacks currently cost the U.K. an estimated £87 billion ($111 billion USD) each year.

The report’s authors argued that U.K. businesses’ lack of resilience to cyberattacks stood at odds with the country’s ambition of becoming a global leader in AI, symbolised by the signing of The Bletchley Declaration in November 2023 and the National AI Strategy in 2021, an ambitious 10-year plan that seeks to boost AI in business and attract international investment.

SEE: Cyber League: UK’s NCSC Calls on Industry Experts to Join its Fight Against Cyber Threats

Microsoft UK CEO: British organisations must be ready to fight fire with fire

In the study, 52% of security decision-makers and 60% of senior security professionals expressed concern that current geopolitical tensions could escalate cybersecurity risks for their organisations.

As a result, over half (55%) viewed inadequate protection as a potential threat to the U.K.’s economic expansion, while approximately two-thirds (69%) acknowledged the need for better cybersecurity defences to achieve the U.K.’s ambition of global AI leadership.

Microsoft, meanwhile, recently committed £2.5 billion ($3.2 billion USD) to expand its artificial intelligence capabilities in the U.K. as part of plans to fuel the country’s AI sector.

In a foreword to this new report, Microsoft UK CEO Claire Barclay said the U.K. could only meet its AI aspirations if businesses invested in cybersecurity processes and upgraded their security toolkits to match those of bad actors.

“Just as businesses and governments are keen to tap into AI’s potential, so are bad actors. Traditional add-on security solutions can no longer keep pace with the threat posed by cybercriminals, meaning British organisations must be ready to fight fire with fire,” said Barclay.

“Unless we arm ourselves with AI-enabled cyber defences that are stronger than AI-enabled cyber threats, it will be difficult, impossible even, for us to grow and, ultimately, thrive as a nation.”

SEE: Generative AI Defined: How it Works, Benefits and Dangers

How AI boosts cybersecurity capabilities

Paul Kelly, director of Security Business Group at Microsoft UK, said in the report that the right AI technologies could boost businesses’ abilities to detect and mitigate cybersecurity threats by automatically identifying complex patterns and anomalies that human analysts might miss.

“AI for cybersecurity uses AI to analyse and correlate cyber threat data across multiple sources, turning it into clear and actionable insights. Security professionals can then use these insights for further investigation, response and reporting,” said Kelly.

“If a cyberattack meets certain criteria defined by an organisation’s security team, AI can also automate the response and isolate the affected assets. Generative AI takes this one step further by producing original natural language text, images and other content based on patterns in existing data.”

Potential financial benefits of AI-enhanced cybersecurity for UK businesses

The report highlighted the potential benefits of AI-enhanced cybersecurity.

For businesses of various sizes, a typical cyberattack costs £20,700 ($26,300 USD), with larger organisations facing an average cost of £148,700 ($189,800 USD). However, companies implementing AI-powered cybersecurity tools saw this expense decrease to £16,600 ($21,200 USD), marking a 20% reduction in costs. The report attributed this to the ability of AI security tools to more swiftly identify and react to cyber threats.

The six dimensions of effective Al defence

Understanding current cybersecurity capabilities is crucial for businesses that want to improve their defences against AI threats.

Researchers at Goldsmiths developed an assessment model based on six key areas to evaluate the cybersecurity strategies of U.K. organisations (Figure B):

• Resources.
• Agility, AI and automation.
• R&D and innovation.
• Transparency and technical knowledge.
• Organisational buy-in.
• Trust and mindset.

Figure B

The model was designed to align with criteria used in international benchmarks for establishing strong cybersecurity measures. Based on this model, the report found that only a fraction of U.K. organisations could be considered resilient to the evolving threats posed by AI.

Cyber awareness needs to be spread throughout organisations

The report also highlighted a gap in cybersecurity awareness among U.K. decision-makers.

Specifically, 27% are unaware of the costs associated with successful cyberattacks, and 53% are uncertain about recovery times from such incidents. This contrasts with a higher level of understanding among security professionals, indicating the importance of spreading cybersecurity awareness throughout organisations.

Likewise, the study highlighted a notable difference of opinion when it comes to risks posed by Internet of Things devices: 38% of senior security professionals said they are worried about IoT, compared to 12% of decision-makers. This suggests that improving knowledge about cybersecurity risks and mitigation strategies is critical for organisations, the report said.

A five-step blueprint for better cybersecurity using AI

The report offered a blueprint for government and business leaders designed to build resilient cyber defences and use AI effectively. These are the five key steps to guide the development of robust protections while leveraging AI technology:

• Support widespread adoption of AI in cybersecurity: Encourage the rapid uptake of AI defences and innovative cyber strategies.
• Target investment: Guide organisations towards targeted investment in AI solutions, either custom-built or off-the-shelf.
• Cultivate talent: Leverage skills programs, on-the-job training and partnerships to enhance U.K. cybersecurity skills.
• Foster research and knowledge sharing: Invest in R&D partnerships and promote the sharing of insights from cyberattacks for better preparedness.
• Support simple, safe adoption: Collaborate with leaders in various sectors to provide clear, standards-aligned guidance for AI deployment.

SEE: UK Deep Tech Faces Major Diversity Challenge, Royal Academy of Engineering Finds

In a press release accompanying the report, Dr. Chris Brauer, director of Innovation at Goldsmiths, said, “The UK has phenomenal potential to lead the world in the use of AI, an unprecedented opportunity to supercharge our economy and transform our public services. But that future must be built on secure foundations.”

He added, “To become an AI superpower, the UK must maintain its position as a cybersecurity superpower. With so many organisations shown to be vulnerable to cybercrime, our research surfaces both the urgency of the issue, and useful actions that leaders can take to boost the country’s cyber resilience.”