Five Eyes AI Cyber Warning — 22 June 2026: How the 612,000 UK Businesses Breached This Year Can Close the Gap Before Attackers Do

On 22 June 2026, the cybersecurity agencies of the UK, United States, Canada, New Zealand and Australia issued a joint statement that should sit on the desk of every UK business leader today. The Five Eyes group — comprising NCSC, CISA, CCCS, NCSC-NZ and ASD — warned that frontier artificial intelligence will “fundamentally” transform offensive and defensive cyber capabilities not in years, but in months. “AI is not a future consideration – it is already here,” the statement read. “It lowers barriers for malicious actors and increases the speed and complexity of attacks, shrinking the window between vulnerability discovery and exploitation ever more quickly.”

The timing could not be more pointed. The very same week, two British teenagers — members of the Scattered Spider collective — pleaded guilty at Woolwich Crown Court to hacking Transport for London in August 2024, an attack that cost TfL £29 million in losses and recovery. And the government’s own Cyber Security Breaches Survey 2025/2026, published on 30 April 2026, confirmed that 43 per cent of UK businesses — approximately 612,000 organisations — identified a cyber security breach or attack in the last 12 months. Against that backdrop, the Five Eyes guidance arrives not as background reading but as a directive. This article decodes what it means in practice for UK SMEs, maps the current exposure landscape, and sets out the 10-step Cyber Essentials action programme for the remainder of 2026.

612k

UK businesses breached in 12 months (DSIT, Apr 2026)

43%

Share of UK businesses hit by cyber attack

UK businesses holding Cyber Essentials (up from 3%)

5.19m

Estimated cyber crimes against UK businesses per year

What the Five Eyes Statement Actually Said

The joint communiqué issued on 22 June 2026 was unusually direct for an intelligence-agency document. Rather than couching its warnings in bureaucratic hedging, it opened with a clear assertion: the rapid pace of frontier AI development means that organisations can no longer afford to treat their cyber risk posture as stable. Assumptions that were valid twelve months ago may already be obsolete. The window between a vulnerability being discovered — whether by a researcher, a vendor, or a hostile actor — and active exploitation is compressing, driven by AI-powered scanning, fuzzing and code-generation tools that automate what once required skilled human analysis.

The statement identified five concrete areas where organisations must act. First, reduce the attack surface by limiting unnecessary system access and external connectivity and isolating systems that do not need to be internet-connected. Second, accelerate patching — the 14-day Cyber Essentials patching window for internet-facing systems was not invented arbitrarily; it exists precisely because the average time-to-exploit has been falling for years, and AI is expected to compress it further. Third, address legacy systems: unsupported software and hardware remain the easiest entry point for attackers, particularly when AI tools can identify and catalogue known vulnerabilities in legacy stacks at scale. Fourth, review and strengthen identity and access controls — enforce strong multi-factor authentication, apply least-privilege principles, and regularly audit who can access what. Fifth, prepare for incidents before they happen: test response plans, train teams, and assume breaches will occur. The focus must shift toward rapid containment and recovery rather than the increasingly unrealistic goal of perfect prevention.

Richard Horne, CEO of the UK’s National Cyber Security Centre, has made similar warnings consistently across 2026. Speaking at CYBERUK 2026 earlier this year, he warned that hostile states — principally Russia, China and Iran — are behind approximately 75 per cent of cyber activity targeting the UK’s critical infrastructure, and that AI is expected to accelerate these capabilities significantly by 2028. But the Five Eyes statement on 22 June moved the conversation on from critical national infrastructure to the entire business community, explicitly calling on “business leaders” to prioritise cyber resilience or face “growing operational and strategic disadvantage.”

The window is closing — and UK SMEs are the most exposed

The NCSC’s own assessment is that AI-enabled cyber capabilities will likely be used by attackers against known vulnerabilities in legacy technology at scale across UK critical infrastructure by 2028. For SMEs, the risk is more immediate: AI-powered phishing kits, automated credential-stuffing tools, and code-generation platforms that lower the barrier to entry for less-skilled attackers are already widely available on criminal marketplaces. The DSIT Cyber Security Breaches Survey found that 38 per cent of UK businesses experienced phishing attacks in the last 12 months, and qualitative interviews highlighted that interviewees perceived phishing volumes had increased significantly, driven by precisely the AI tooling the Five Eyes agencies are now warning about at the highest level.

The Timeline: How We Got Here

August–December 2025 — CSBS 2025/2026 fieldwork

The Department for Science, Innovation and Technology and the Home Office commissioned Ipsos to survey 2,112 UK businesses and 1,085 charities on their cyber security posture. The data captures the period immediately before AI-accelerated attack tooling reached consumer-grade availability.

30 April 2026 — CSBS 2025/2026 published

DSIT published the full Cyber Security Breaches Survey. Key headline: 43% of UK businesses (612,000 organisations) identified a cyber breach or attack in the last 12 months. Only 5% of businesses hold Cyber Essentials certification, despite 24% having the technical controls across all five areas.

27 May 2026 — Barclays Business Prosperity Index Q1 2026

Barclays published its Q1 2026 Business Prosperity Index, revealing that 68% of UK businesses plan to increase cybersecurity spending over the next 12 months. Average spend has reached £505,000 for decision-makers overall, but micro businesses are spending only £15,000 — a gap the Five Eyes warning makes materially significant.

2026 (ongoing) — CYBERUK 2026 and NCSC warnings

NCSC CEO Richard Horne delivered a keynote at CYBERUK 2026 warning that hostile state actors — Russia, China and Iran — are behind 75% of attacks on UK critical infrastructure. AI is expected to allow attackers to exploit known vulnerabilities in legacy technology at scale by 2028.

22 June 2026 — Five Eyes joint statement

The cybersecurity agencies of the UK, US, Canada, New Zealand and Australia issued a rare joint public statement, calling on business leaders to prioritise cyber resilience. The statement explicitly named frontier AI as the primary emerging accelerant to both offensive capability and the speed of the vulnerability-to-exploitation cycle.

22 June 2026 — Scattered Spider guilty pleas, Woolwich Crown Court

Two British members of the Scattered Spider cybercriminal collective — Thalha Jubair, 20, and Owen Flowers, 18 — pleaded guilty to hacking Transport for London. The NCA confirmed the attack cost TfL £29 million and forced all 28,000 employees to attend a TfL office for a password reset. Sentencing is set for 16 July 2026.

24 June 2026 — Today’s position

UK businesses operate in an environment where the highest-authority cybersecurity bodies in five countries have simultaneously confirmed that the threat is accelerating and the fundamentals — patching, access control, incident response — are still not in place across the majority of UK SMEs. Cyber Essentials provides the framework. The question is execution speed.

The UK SME Exposure Breakdown

Businesses with phishing attacks (past 12 months)

38% of all businesses

Businesses treating cyber as high priority

72%

Businesses with updated malware protection

81%

Businesses with two-factor authentication

47%

Businesses with network firewalls

74%

Businesses with a formal incident response plan

25% overall (76% of large)

Businesses actually holding Cyber Essentials certification

The bar chart above makes the fundamental tension plain. The majority of UK businesses understand that cyber security is important — 72 per cent call it a high priority. The majority have deployed some basic controls. But the gap between “having some controls” and “having a certified, audited and demonstrable security baseline” remains enormous. Only 5 per cent of businesses hold Cyber Essentials certification, despite 24 per cent reporting that they have the technical controls across all five Cyber Essentials areas. That 19-percentage-point gap represents organisations that have the controls in place but have not formalised them — and therefore cannot demonstrate compliance to clients, insurers, or public-sector procurement frameworks.

The Certification Gap — Why 19% Are Leaving Value on the Table

UK businesses with all 5 Cyber Essentials controls in place — but only 5% hold the certificate

The CSBS 2025/2026 data reveals a structural problem in how UK businesses think about Cyber Essentials. Certification requires not just implementing the five technical controls — firewalls, secure configuration, access control, malware protection and patch management — but demonstrating them through a verified assessment process. The IASME body, appointed by the NCSC as the sole certification body, runs two levels: the basic self-assessment questionnaire (Cyber Essentials) and the hands-on independent technical audit (Cyber Essentials Plus). For businesses supplying the UK public sector, basic CE has been mandatory on many contracts since October 2014. For those in supply chains, insurers, and regulated sectors, Plus is increasingly the de-facto requirement.

The certification gap matters for three commercial reasons. First, government procurement: the UK Cabinet Office requires CE for all contracts involving handling sensitive data or personal information on central government networks. Many local authority and NHS procurement frameworks follow suit. A business with 24 employees and appropriate controls that is not certified is locked out of this revenue pool. Second, cyber insurance underwriting: underwriters who saw the M&S and Co-op Group incidents of 2025 — both linked to Scattered Spider — have tightened requirements significantly. CE certification has moved from “nice to have” to “required for reasonable premium” across a growing range of policy types. Third, supply chain gatekeeping: larger organisations under NIS2-influenced frameworks are pushing CE requirements down to their suppliers. Not holding the certificate increasingly means not being on the supplier list.

The SME Compliance Scorecard

Where UK SMEs stand against the Five Eyes framework today

Perimeter firewalls deployed Mid — 74% of businesses

Secure configuration of devices and software Low — less than half of SMEs audited

Two-factor / multi-factor authentication Low — only 47% of businesses

Malware protection updated and active Mid — 81% of businesses

Patch management within Cyber Essentials 14-day window Low — small businesses dropped from 48% to 41% risk-assessing

Formal incident response plan in place Low — only 25% of all businesses

Supply chain cyber risk reviewed Low — only 15% review immediate suppliers

Cyber Essentials certified Critical gap — only 5% of UK businesses

The Cost of Getting This Wrong: Size-Band Analysis

Business size	Breach rate (CSBS 2025/2026)	Median breach cost	95th-percentile cost	Average cyber spend
Micro (1–9 employees)	42%	£0 perceived	£4,000	£15,000 / year (Barclays)
Small (10–49 employees)	46%	£0 perceived	£4,000	£134,000 / year (Barclays)
Medium (50–249 employees)	65%	£30	£10,000	£505,000 average (Barclays)
Large (250+ employees)	69%	£30	£10,000+	£1,300,000 average (Barclays)
TfL (public sector benchmark)	Attacked Aug 2024	N/A	£29,000,000 total	N/A

The £0 median cost figure requires careful interpretation. It does not mean breaches are costless; it means the majority of businesses either did not quantify their cost or experienced disruption without a traceable financial figure. The CSBS notes that costs rise significantly at the 95th percentile, and that businesses reporting an outcome from the breach — loss of revenue, reputational damage, operational disruption — show substantially higher figures. The Barclays Business Prosperity Index for Q1 2026 found that businesses identified loss of sensitive data or intellectual property (33%), damage to customer trust (28%), operational disruption (27%) and loss of revenue (26%) as their primary cyber concerns. These are not theoretical risks; they are the lived experience of the 612,000 businesses breached in the last 12 months.

The micro-business spending figure is particularly concerning in the context of the Five Eyes statement. At £15,000 per year average, micro businesses are spending less on cyber security than the cost of a single serious incident at the 95th percentile. For context, Cyber Essentials certification costs a fraction of that figure and demonstrably covers approximately 80 per cent of the most common attack vectors according to NCSC guidance.

Reactive vs Proactive: The Two Cyber Postures

Reactive posture

What most UK SMEs operate today

No formal risk assessment (70% of businesses)
No incident response plan (75% of businesses)
Patching driven by user complaints rather than schedule
MFA not deployed on all accounts
Breach detected after business impact, not before
Recovery improvised; no tested runbook
No Cyber Essentials certificate; locked out of public-sector procurement
Cyber insurance premium not optimised; possible coverage gaps

Proactive posture

Where the Five Eyes framework takes you

Annual cyber risk assessment with documented findings
Tested incident response plan with defined RTO/RPO
14-day patch cycle for internet-facing systems (CE v3.3 requirement)
MFA enforced on all administrative and remote-access accounts
Continuous monitoring; anomaly detection configured
Regular tabletop exercises; staff phishing simulation
Cyber Essentials Plus certificate; eligible for government contracts
Cyber insurance discounts; clear coverage scope understood

The 10-Step Cyber Essentials Action Plan for UK SMEs — June to December 2026

Step 1 — Estate audit: catalogue every device, user account and internet-facing service

Week 1–2

Step 2 — Firewall review: confirm all internet-facing systems sit behind a correctly configured boundary firewall; close unnecessary ports

Week 2–3

Step 3 — Secure configuration: remove default accounts and passwords; disable unused services on servers, workstations and network devices

Week 3–4

Step 4 — Access control and MFA: implement least-privilege accounts; enforce MFA on all admin, cloud and remote-access accounts

Week 4–6

Step 5 — Malware protection: deploy managed endpoint detection on every device in scope; verify signatures are updating automatically

Week 5–6

Step 6 — Patch management: establish a documented 14-day patch cycle for internet-facing systems; 30-day cycle for internal systems

Week 6–8

Step 7 — Legacy system remediation: identify all end-of-life OS and software; plan upgrade, isolation or controlled retirement

Week 8–10

Step 8 — Incident response plan: draft and tabletop-test a basic IR runbook; assign roles; define escalation path to NCSC and ICO

Week 10–12

Step 9 — Gap assessment and pre-certification audit: commission an IASME-aligned gap analysis; remediate findings before formal submission

Week 12–14

Step 10 — Cyber Essentials Plus certification: formal submission to IASME-accredited body; hands-on technical audit; receive certificate

Week 14–16

UK businesses currently Cyber Essentials certified — the target is 100%

The 16-week timeline is achievable

For a well-managed SME with an existing IT support relationship, the gap assessment and remediation phase typically takes 2–4 weeks. Certification at the basic CE level can follow within days. Cyber Essentials Plus — which requires a hands-on technical audit, external vulnerability scanning, internal configuration testing and email/phishing simulation — adds 2–4 more weeks. The total programme from standing start to CE Plus certificate for a business of 20–100 employees is typically 6–8 weeks when remediation is managed proactively and 12–16 weeks when significant changes are required. Starting now puts a June-starting business on track for a September 2026 certificate — before the annual insurance renewal window for most UK businesses.

At-a-Glance: Key Facts for UK Business Leaders

Topic	Key figure or fact	Source
UK businesses breached in 12 months	43% (approx. 612,000)	DSIT CSBS 2025/2026, April 2026
UK cyber crimes against businesses (estimated)	5.19 million per year	DSIT CSBS 2025/2026, April 2026
Businesses holding Cyber Essentials	5% (up from 3% in 2024/2025)	DSIT CSBS 2025/2026, April 2026
Businesses with controls across all 5 CE areas	24%	DSIT CSBS 2025/2026, April 2026
Businesses with MFA deployed	47%	DSIT CSBS 2025/2026, April 2026
Businesses with formal incident response plan	25% overall; 76% large businesses	DSIT CSBS 2025/2026, April 2026
Businesses reviewing supplier cyber risk	15% immediate suppliers; 6% wider supply chain	DSIT CSBS 2025/2026, April 2026
UK businesses planning to increase cyber spend	68%	Barclays Business Prosperity Index Q1 2026
Average cyber spend (all businesses)	£505,000 in 2026	Barclays Business Prosperity Index Q1 2026
Average cyber spend (micro businesses)	£15,000 in 2026	Barclays Business Prosperity Index Q1 2026
TfL Scattered Spider attack total cost	£29 million	NCA, June 2026
Five Eyes statement date	22 June 2026	NCSC / CISA / CCCS / NCSC-NZ / ASD joint statement
NCSC AI threat assessment	AI-enabled attacks on legacy systems “highly likely” at scale by 2028	NCSC, CYBERUK 2026
Cyber Essentials mandatory for UK government contracts	Since October 2014	UK Cabinet Office

Five Eyes, NCSC and Cyber Essentials: The Connected Framework

One of the most important aspects of the Five Eyes statement is that its five practical recommendations map almost exactly onto the five technical controls of Cyber Essentials v3.3. Reducing the attack surface maps to boundary firewalls and secure configuration. Accelerating patching maps directly to CE’s patch management control. Addressing legacy systems is a precondition of satisfying the secure configuration and malware protection controls, since unsupported software cannot be patched and cannot maintain a consistent malware protection baseline. Reviewing identity and access controls maps to CE’s user access control area, including MFA requirements that were tightened in v3.1 and further refined in v3.3. Preparing for incidents is not itself a CE control, but it is the logical outcome of having the first four in place and tested.

This alignment is not coincidental. The NCSC — which administers the Cyber Essentials scheme through IASME — designed the five controls to address the most common attack vectors. The Five Eyes statement is essentially a high-level strategic endorsement of exactly what CE has been saying at the operational level since 2014. For UK SMEs, this convergence is useful: the Five Eyes framework does not require learning a new vocabulary or investing in a new compliance process. It requires doing Cyber Essentials properly, and then formalising it through the certification pathway.

The CSBS 2025/2026 data shows that awareness of Cyber Essentials — when prompted — has increased to 17% of businesses and 16% of charities. The Software Security Code of Practice, launched in May 2025, reached 22% of businesses. The Cyber Governance Code of Practice, launched in April 2025, reached 16% of both groups. These are meaningful increases from the troughs seen in earlier years. But awareness is not the constraint. The constraint is the gap between understanding that CE exists and actually pursuing certification. That gap closes most effectively when a business has a managed IT partner who can run the gap assessment, remediate the findings, and coordinate with the IASME-accredited certification body — rather than leaving the CTO or IT manager to navigate the process alone while also running day-to-day operations.

The Barclays data reinforces this. Businesses that already use agentic AI in their operations (61% of those surveyed) are more likely to have a structured approach to investment — but only 24% of that AI-using group have cyber security practices in place to manage the risks from AI. The Five Eyes statement is a direct response to that gap: the same AI capabilities that businesses are deploying for productivity are being deployed by attackers for reconnaissance, phishing and exploitation. A business that has adopted AI tools without closing its CE baseline is accelerating both its potential and its exposure simultaneously.

Prior articles in this series that provide relevant context include the analysis of the NCSC patch-wave warning from May 2026, the decode of the WordPress mass-takeover vulnerability wave, the implications of the Microsoft 365 Copilot Anthropic Claude default for UK governance, and the Veeam data resilience findings on the 3-2-1-1-0 backup framework. Each addresses a component of the posture the Five Eyes statement is now calling for at the highest level of authority. Together, they form the full picture of what a compliant UK SME baseline looks like in June 2026.

Ready to act on the Five Eyes framework?

Cloudswitched’s end-to-end Cyber Essentials Plus certification service handles the gap assessment, technical remediation, vulnerability testing, IASME registration and examination — with a first-time-pass focus and no hidden costs. One price covers the full programme.

Talk to us about Cyber Essentials Certification

Frequently Asked Questions

What did the Five Eyes statement on 22 June 2026 actually say, and why does it matter to my business?

The Five Eyes cybersecurity agencies — NCSC (UK), CISA (US), CCCS (Canada), NCSC-NZ (New Zealand) and ASD (Australia) — issued a joint public statement on 22 June 2026 warning that frontier AI is accelerating both offensive and defensive cyber capabilities. They specifically called on “business leaders” to prioritise cyber resilience and outlined five practical steps: reduce attack surface, accelerate patching, address legacy systems, strengthen identity and access controls, and prepare for incidents. This matters to your business because it is the highest-authority possible confirmation that the threat landscape is changing faster than most organisations’ security posture is keeping up. The five steps map directly onto the Cyber Essentials controls, making CE the most practical and immediate response framework available to UK SMEs.

The DSIT survey says only 5% of UK businesses hold Cyber Essentials. Is there a realistic reason for that, or is it just complacency?

The 5% figure reflects a combination of genuine barriers and structural inertia. The genuine barriers include the time and resource cost of the gap assessment and remediation process, which can be significant for a micro or small business without a dedicated IT function. The structural inertia reflects the “we’re too small to be a target” perception, which the CSBS data directly refutes: 42 per cent of micro businesses experienced a breach or attack in the last 12 months. The good news is that 24 per cent of businesses already have the technical controls across all five CE areas — meaning the certification process for these businesses is primarily about documentation and a verified assessment rather than significant infrastructure change. Working with a managed IT partner who handles the gap analysis and coordinates the IASME process removes the primary operational barrier.

How does AI specifically change the threat picture for a 30-person UK business?

AI changes the threat picture in three concrete ways. First, phishing emails and social engineering messages are now generated at scale with no spelling errors, contextually aware content and convincing impersonation of known contacts — the tells that trained staff learned to spot are largely gone. Second, vulnerability discovery is faster: AI-powered scanning tools can catalogue known CVEs across a target’s internet-facing systems in minutes, compressing the window between a patch being released and active exploitation. Third, the barrier to entry for attackers has dropped: the Scattered Spider members convicted at Woolwich Crown Court on 22 June 2026 were 18 and 20 years old when they attacked TfL. AI tools reduce the skill requirement for sophisticated attacks, broadening the pool of potential attackers. For a 30-person business, the practical response is to close the basic attack surface — patching, MFA, configuration — so that commodity AI-assisted attacks have no foothold, regardless of how they are generated.

Is Cyber Essentials mandatory for my business? Who legally requires it?

Cyber Essentials is currently mandatory for any organisation bidding for UK central government contracts that involve handling sensitive information or personal data, a requirement in place since October 2014 under the Cabinet Office standard. Many local authority and NHS procurement frameworks follow equivalent requirements. Beyond legal mandate, it is increasingly required by: cyber insurance underwriters who will not issue or renew certain policy types without it; larger enterprises who are passing CE requirements down to their supply chains under NIS2-influenced frameworks; and regulated sectors including financial services, healthcare and defence. For businesses not in any of these categories, CE remains strongly advisable because it demonstrably covers approximately 80 per cent of the most common attack vectors and is the single most cost-effective cyber security baseline available to UK SMEs.

What is the difference between Cyber Essentials and Cyber Essentials Plus, and which do I need?

Cyber Essentials (basic) is a self-assessment questionnaire verified by an IASME-accredited certification body. It covers the five technical controls and provides a certificate valid for 12 months, plus cyber liability insurance cover. Cyber Essentials Plus includes everything in the basic level plus a hands-on independent technical audit: external vulnerability scanning of internet-facing systems, internal configuration testing of devices, and a phishing/email simulation exercise. Plus is required for many government contracts involving more sensitive data, for NIS2-aligned supply chain requirements, and is now effectively the standard for businesses wanting to optimise cyber insurance terms. If you are supplying the public sector or operating in a regulated industry, start with Plus. If you are building towards CE for the first time and need to demonstrate progress quickly, basic CE provides the certificate immediately while you work towards Plus.

The DSIT data shows a £0 median breach cost. Doesn’t that suggest the risk is overblown?

The £0 median requires careful reading. It means the majority of businesses either did not attempt to quantify the financial impact or did not experience a direct cash loss they could attribute to the breach. It does not mean the breach was costless. The CSBS notes that businesses reporting an actual outcome from the breach — operational disruption, data loss, reputational damage — showed substantially higher cost figures. At the 95th percentile, breach costs reach £4,000 for small businesses and £10,000 for medium and large businesses. The TfL attack, which cost £29 million, illustrates what happens when the 95th-percentile scenario materialises at scale. The £0 median also does not capture indirect costs: the productivity loss from staff dealing with the aftermath, the reputational damage that may cost future revenue, or the regulatory exposure under GDPR’s 72-hour reporting requirement if personal data was compromised. These costs are real and often not attributed to the incident in financial reporting.

How long does getting Cyber Essentials Plus actually take, end to end?

For a well-managed SME with an existing IT support relationship and broadly sound infrastructure, the full process from initial gap assessment to receiving the CE Plus certificate typically takes 6–8 weeks. This breaks down as: one to two weeks for the gap assessment and scope definition; one to three weeks for remediation of findings; one week for the pre-certification vulnerability scan and configuration review; one to two weeks for the formal IASME examination process. For businesses where significant changes are required — legacy system replacement, MFA rollout, network segmentation — the timeline extends to 12–16 weeks. Starting now, in June 2026, puts most businesses on track for a Q3 2026 certificate, before the autumn insurance renewal and procurement cycle for most organisations.

My business already uses IT support. Does that cover the Cyber Essentials requirement?

IT support and Cyber Essentials certification are complementary but distinct. IT support covers reactive break-fix and proactive monitoring; it does not in itself produce a verified assessment against the five CE controls or generate a certificate. For CE certification, you need a provider who will: conduct a formal gap assessment against the IASME questionnaire; remediate any non-compliant findings; register with the IASME certification body; coordinate the external vulnerability scan and internal configuration audit (for Plus); and manage the formal examination submission. Some managed IT providers offer this as a bundled service. The value of working with an IT partner who can handle both the day-to-day management and the CE programme is that the gap between your operational posture and the CE baseline is minimised continuously rather than addressed in a one-off project.

What should I do this week, right now, in response to the Five Eyes statement?

This week, three actions are directly achievable for most SMEs. First, audit your internet-facing attack surface: make a list of every external-facing service, port and system your business exposes to the internet, and check whether each is patched and whether access is protected by MFA. Second, check your patch status for internet-facing systems: the Five Eyes statement specifically highlights accelerated patching as a priority. If you are running any software on internet-facing systems that is more than 14 days behind its latest security update, you are outside the Cyber Essentials baseline right now. Third, contact your IT provider or a managed IT partner to discuss a Cyber Essentials gap assessment — understanding where you stand against the five controls is the prerequisite for everything else. These three actions can be taken before the end of this week and form the foundation of the 10-step programme outlined above.

Does Cyber Essentials cover AI-related cyber risks?

Cyber Essentials v3.3 was updated to address cloud services and home working but does not yet contain explicit AI-specific controls. However, the five CE controls address the primary mechanisms through which AI-assisted attacks succeed: misconfigured systems provide the foothold that AI-powered reconnaissance identifies; weak or absent MFA is the access control gap that AI-generated credential attacks exploit; unpatched systems are the vulnerabilities that AI tools catalogue and prioritise. The CSBS 2025/2026 found that only 24 per cent of businesses using or considering AI had specific cyber security practices in place to manage AI-related risks. CE provides the foundational baseline upon which AI-specific governance — covering prompt injection, data leakage from AI tools, and shadow AI usage by staff — can be built. The Five Eyes statement is explicit that organisations should use AI defensively as well as addressing their exposure to AI-enabled attacks.

The Five Eyes agencies have spoken — now is the time to act

Cloudswitched handles the entire Cyber Essentials Plus journey: gap assessment, technical remediation, IASME registration, vulnerability testing and certification. Single price, no hidden extras, first-time-pass focus. If you are in the 95 per cent of UK businesses without CE certification, this is where you start.