Another fresh batch of reasons to stop treating cyber security like optional admin

UK Warns Businesses Over AI-Driven Data Leakage

What’s happening

Fresh guidance from the National Cyber Security Centre and Information Commissioner’s Office highlights a growing issue: AI tools unintentionally leaking sensitive business data.

The problem isn’t always malicious. It’s usually staff copying:

- Client lists
- Financial data
- Internal documents

…into AI tools without thinking about where that data goes next.

Why it matters for SMEs

You’re not being hacked. You’re handing over your own data. Which is somehow worse.

“Data shared with AI services may be stored, processed, or reused in ways organisations do not expect,” warns the National Cyber Security Centre.

What you should do

- Ban sensitive data input into public AI tools
- Use enterprise-grade AI platforms where possible
- Train staff on what not to upload

Reference: https://www.ncsc.gov.uk https://ico.org.uk

Rise in “Session Hijacking” Attacks on UK Businesses

What’s happening

Attackers are increasingly using session hijacking to bypass passwords and even multi-factor authentication. Instead of logging in, they steal active session tokens from compromised devices. Once inside, they behave like legitimate users.

Why it matters for SMEs

No password reset. No alert. Just quiet access to:

- Emails
- Cloud systems
- Financial platforms

And they can sit there for weeks.

“Attackers are shifting toward stealth-based techniques that avoid detection,” reports the National Crime Agency.

What you should do

- Log out of critical systems regularly
- Use device security and endpoint protection
- Monitor unusual session activity

Reference: https://www.nationalcrimeagency.gov.uk

AI-Generated Malware Becoming More Accessible

What’s happening

Cybercriminals are using AI to accelerate malware development, lowering the skill barrier needed to launch attacks.
Tools discussed in security circles (and occasionally lurking in darker corners of the internet) can:

- Generate exploit code
- Modify malware to evade detection
- Automate attack workflows

Why it matters for SMEs

You’re no longer dealing with just “skilled hackers.” You’re dealing with average criminals using advanced tools. That’s a volume problem, not just a sophistication problem.

“AI is amplifying both the scale and speed of cyber threats,” note analysts at PwC.

What you should do

- Keep systems patched (still the most ignored advice)
- Use modern endpoint protection
- Limit user privileges across your network

Reference: https://www.pwc.co.uk

UK SMEs Targeted via Third-Party Software Vulnerabilities

What’s happening

Attackers are increasingly exploiting vulnerabilities in widely used software and plugins, especially those common in SMEs. Rather than attacking you directly, they target:

- Accounting software
- CRM systems
- Website plugins

…and wait for you to fall behind on updates.

Why it matters for SMEs

You can do everything right internally and still get compromised through a third party. Comforting, isn’t it?

“Supply chain and software vulnerabilities remain a critical risk for UK organisations,” says the National Cyber Security Centre.

What you should do

- Regularly update all software (yes, all of it)
- Remove unused plugins and systems
- Track what third-party tools you rely on

Reference: https://www.ncsc.gov.uk

AI Fatigue Setting In — But Competitors Aren’t Slowing Down

What’s happening

Many UK SMEs are experiencing AI fatigue. Too many tools, too much hype, not enough clarity. So businesses are:

- Slowing adoption
- Ignoring new tools
- Waiting for things to “settle down”

Why it matters for SMEs

Your competitors are not waiting. Some are quietly getting more efficient while others hesitate. That gap adds up.

“The competitive advantage of AI compounds over time,” highlights Deloitte.
What you should do

- Focus on a few high-impact use cases
- Ignore hype, prioritise value
- Build gradual adoption, not all-or-nothing

Reference: https://www2.deloitte.com/uk

Final Word (the part that saves money if you read it)

Cyber risk isn’t exploding because technology is unstoppable. It’s exploding because basic controls are still being ignored.

Meanwhile, AI is:

- Making businesses faster
- Making attackers faster

So the gap between “secure” and “compromised” is mostly down to effort. Not budget. Not luck. Effort. Which is mildly inconvenient, because effort requires actually doing something about it.
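
As an added example (not part of the original briefing or of the agencies' guidance), the "Monitor unusual session activity" advice in the session hijacking item can be implemented as a check over sign-in logs that flags any session token seen from a second network or browser. The log layout, field names and sample rows are constructed assumptions, and rows are assumed to be in time order.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample log (assumed layout): time, session id, user, source IP, user agent
SAMPLE_LOG = """\
2024-05-01T09:00:05Z,sess-a1,alice,203.0.113.10,Chrome/124 Windows
2024-05-01T09:05:41Z,sess-a1,alice,203.0.113.10,Chrome/124 Windows
2024-05-01T09:07:12Z,sess-a1,alice,198.51.100.77,Firefox/125 Linux
2024-05-01T09:09:30Z,sess-a1,alice,203.0.113.10,Chrome/124 Windows
2024-05-01T09:10:02Z,sess-b2,bob,192.0.2.20,Safari/17 macOS
2024-05-01T09:40:18Z,sess-b2,bob,192.0.2.45,Safari/17 macOS
2024-05-01T10:00:00Z,sess-c3,carol,192.0.2.30,Edge/124 Windows
2024-05-01T12:30:00Z,sess-c3,carol,198.51.100.9,Edge/124 Windows
"""

def fingerprint(ip, user_agent):
    """Coarse device fingerprint: /24 network (IPv4 assumed) plus user agent."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return (str(net), user_agent)

def find_suspect_sessions(log_text):
    """Return {session_id: {"user", "reasons"}} for tokens seen from more than one fingerprint."""
    prints, users = defaultdict(list), {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, sid, user, ip, ua = row
        prints[sid].append(fingerprint(ip, ua))
        users[sid] = user
    findings = {}
    for sid, seen in prints.items():
        first = seen[0]  # where the session was first used
        foreign = [p for p in seen if p != first]
        if not foreign:
            continue
        reasons = []
        if any(p[0] != first[0] for p in foreign):
            reasons.append("new network")
        if any(p[1] != first[1] for p in foreign):
            reasons.append("new user agent")
        # Original device still active after the foreign one appeared:
        # two parties are using the same token at once.
        if first in seen[seen.index(foreign[0]):]:
            reasons.append("concurrent use")
        findings[sid] = {"user": users[sid], "reasons": reasons}
    return findings

if __name__ == "__main__":
    for sid, f in find_suspect_sessions(SAMPLE_LOG).items():
        print(sid, f["user"], ", ".join(f["reasons"]))
```

A network change alone (carol's session) is often just a laptop moving between office and home, so it ranks below alice's session, where the original browser and a different one are using the same token at the same time.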