Artificial intelligence has changed the rules of cybercrime. Attacks that once required significant skill and resource can now be executed at scale, at speed and with unsettling precision. It doesn’t matter what sector you’re in or how big your organisation is: if you hold any form of personal or sensitive data, you are a target.
This is not a threat unique to any one profession; the NCSC’s Annual Review 2025 recorded a 130% increase in cyber incidents, identifying artificial intelligence as a key driver. In a separate report, the NCSC warns that AI is already tipping the scales toward attackers by lowering the skill threshold needed to run sophisticated campaigns across any sector, shrinking the window between vulnerabilities being discovered and exploited.
Statistics like these make it clear that AI is accelerating cyber threats, and every organisation must strengthen its defences.
This is something we explored in depth in our recent Cyber Uncovered webinar. As Kerrie Machin, Mitigo Sales Director, put it:
“What were once ordinary attacks are now relentless, adaptive threats – faster and smarter than they have ever been. AI lowers the bar of entry for cybercriminals. It automates the work of breaking through your defences and exploiting vulnerabilities with unprecedented precision.”
How Criminals Are Using AI Against You
Phishing emails used to be easier to spot – poor grammar, odd phrasing, something slightly off. That is no longer the case. AI can now generate grammatically perfect, convincing messages that replicate the writing style of colleagues, partners or clients, complete with the right logos and tone. For any organisation managing client correspondence and financial transactions, this significantly increases the risk of convincing payment diversion or email account takeovers.
Phishing is already the most common form of cyber attack facing organisations. The UK Government’s Cyber Security Breaches Survey 2025 found that 79% of UK businesses experienced phishing attacks, making it the most widely reported cyber incident. AI is making this method more effective, with AI-generated phishing achieving significantly higher click-through rates than human-crafted attacks.
Then there are deepfakes. In 2024, a finance worker transferred $25 million after a video call in which every participant – including the CFO – was a deepfake. This tactic could easily target anyone handling sensitive data, confidential information or financial transactions. A convincing deepfake posing as a colleague, client or senior leader is simply all it takes.
The Repercussions Are Severe – And Most Businesses Are Not Ready
A successful cyber attack doesn’t just take down your systems. It can end your business.
The average cost of a data breach in the UK now stands at £3.29 million – before factoring in downtime, recovery costs, and reputational damage. The ICO can issue significant fines under GDPR Article 32, and all organisations have a legal obligation to protect the personal and financial data they hold. Understanding your exposure before an incident occurs has never been more critical.
Yet the gaps are stark. Only 19% of businesses have any cybersecurity training programme in place, and 78% have no incident response plan. Board-level responsibility for cyber risk has fallen to just 27% of organisations.
As highlighted in our recent Cyber Uncovered webinar:
“Too many organisations assume their IT provider is responsible for cyber risk management. It is not the same thing. Cyber risk management is a board-level responsibility – and if it goes wrong, it is the owners and directors who will end up paying the bill.”
Cyber risk management and IT support are not the same thing – and those that recognise this are the ones best placed to respond.
What You Need to Do
Cyber attacks are inevitable. What you do now is what matters. The right response comes down to three things: Assess your exposure. Act on the gaps. Assure ongoing resilience.
Assess: Start with an independent risk assessment – covering people, processes and governance, not just technology. Your IT provider cannot do this objectively. With AI lowering the bar for attackers, gaps that once seemed minor are now critical.
Act: Build and test an incident response plan. If your organisation suffered a cyber attack tomorrow – AI-driven or otherwise – would you survive? Furthermore, if your staff are using AI tools such as Copilot or ChatGPT, ensure clear policies are in place on what client data is being shared.
Assure: Board-level accountability is no longer optional – cyber risk is a leadership issue, not an IT one. Treat it as an ongoing discipline, not a one-off exercise. That means regular assessments, continuous oversight, and having a trusted cyber partner with specialist expertise.
How Mitigo Can Help
Mitigo is the trusted cyber risk management partner to the Law Society of England & Wales, ICAEW, the Law Society of Scotland, ICAS and RIBA. We help professional services firms assess their exposure, close the gaps and build lasting resilience. We provide the following services:
- Cyber risk assessments
- Incident response planning
- Policy and process development
- Staff training and awareness
- Ongoing monitoring
- Regulatory compliance support
Contact us today to find out how we can help protect your organisation.



