What Happened?
The ICO has issued a clear warning to UK organisations: cyber criminals are increasingly using artificial intelligence to make attacks faster, more convincing and harder to detect.
The ICO says AI is being used for highly convincing phishing emails, deepfake social engineering, automated vulnerability scanning, AI-powered malware, credential stuffing, data poisoning and indirect prompt injection attacks.
This matters because many businesses are still treating cyber risk as a technical issue for IT teams.
That is no longer enough.
AI-powered cyber risk affects:
- Staff behaviour
- Supplier access
- Personal data
- Remote working
- Procurement
- Client trust
- Board accountability
- Business continuity
- Public sector service delivery
The key question is simple:
If an AI-powered attack happened today, could your organisation detect it, respond to it and prove its controls worked?
Why This Matters to Businesses
AI has changed the speed and quality of cyber attacks.
A phishing email can now sound more personal.
A fake voice message can sound more believable.
A fake video call can look more convincing.
A vulnerability scan can happen faster.
A password attack can be automated at scale.
The ICO says foundational security is important, but AI-powered threats require layered defences so that if one control fails, others contain the damage.
This means organisations need more than one protective measure.
They need:
- Strong access controls
- Multi-factor authentication
- Patching and updates
- Supplier due diligence
- Monitoring and logging
- Incident response planning
- Staff awareness
- Data minimisation
- AI governance
- Clear accountability
The ICO also reminds organisations that UK GDPR requires appropriate technical and organisational measures to protect personal data.
So this is not just a cyber issue.
It is also a data protection, governance and compliance issue.
Who Is Affected?
SMEs
Small businesses may think AI-powered cyber attacks only target large organisations.
That is not safe.
AI makes it easier for criminals to create convincing messages, impersonate suppliers and target weaker systems.
SMEs should focus on Cyber Essentials basics, MFA, staff awareness, backups, patching and clear incident reporting.
Medium Businesses
Medium-sized organisations often have more staff, suppliers, cloud tools and remote access points.
Their main risk is complexity without structure: more systems, suppliers and access points than anyone has fully mapped.
They should map systems, review access rights, test incident response and check whether supplier access is properly controlled.
Large Businesses
Large organisations need stronger governance because risk spreads across departments, sites and suppliers.
They should use ISO 27001-style internal audits, privileged access reviews, vulnerability scanning, supplier assurance and board-level cyber reporting.
Multinationals
Multinationals face group-level exposure.
A weakness in one country, system, supplier or AI tool can create wider reputational and regulatory risk.
They need consistent cyber governance, AI governance and supplier assurance across the group.
Contractors
Contractors are increasingly asked to prove cyber readiness before accessing client platforms, portals or data.
Weak evidence can delay onboarding, block framework access or cost work opportunities.
Subcontractors
Subcontractors may be targeted through fake emails, invoice fraud, supplier impersonation and shared systems.
They need basic controls, staff training and clear reporting routes.
Public Sector
Public sector bodies must protect public data, public services and public trust.
They should treat AI-powered cyber threats as part of procurement, supplier assurance, incident readiness and information governance.
Practical Actions Organisations Should Take Now
1. Review AI-powered phishing risk
Train staff to recognise emails, messages and voice requests that look real but may be generated or supported by AI.
2. Strengthen MFA
The ICO specifically highlights multi-factor authentication for remote access, admin accounts and email.
3. Audit privileged access
Users, systems and applications should only access what they genuinely need. Privileged accounts should be reviewed regularly.
4. Patch systems quickly
AI tools can identify and exploit known weaknesses at speed, so patching and updating must be disciplined and evidenced.
5. Map supplier access
Know which third parties can access your systems or data. Put security requirements into contracts and carry out proportionate due diligence.
6. Improve monitoring and logging
Look for unusual login patterns, abnormal API usage and unexpected data transfers.
7. Test incident response
Staff should know who to contact, what to do and where to find key information if systems are unavailable.
8. Audit personal data
Know what personal data you hold, where it is stored, who can access it and whether you still need it.
9. Review AI tool governance
If AI tools process personal or sensitive data, assess privacy, security and misuse risks properly.
10. Build evidence
Clients, insurers, regulators and procurement teams increasingly expect proof, not promises.
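Action 6 above asks organisations to look for unusual login patterns, abnormal API usage and unexpected data transfers. The script below is an added illustration of what those three checks can look like in practice; it is not from the ICO guidance or from TPMG. The log format, the IP addresses, the per-user baseline and the thresholds are all constructed for this example, and the credential-stuffing check implements the pattern the ICO names (many different accounts failing from one source in a short window).

```python
"""Added example (not from the ICO guidance or TPMG): three simple detections
run over constructed authentication and activity log lines, covering the
signals named in action 6: unusual login patterns, abnormal API usage and
unexpected data transfers. Log format, addresses and thresholds are
constructed assumptions for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z event=login result=fail user=alice src=203.0.113.5
2024-05-01T09:00:02Z event=login result=fail user=bob src=203.0.113.5
2024-05-01T09:00:03Z event=login result=fail user=carol src=203.0.113.5
2024-05-01T09:00:04Z event=login result=fail user=dave src=203.0.113.5
2024-05-01T09:00:05Z event=login result=fail user=erin src=203.0.113.5
2024-05-01T09:00:06Z event=login result=success user=erin src=203.0.113.5
2024-05-01T09:15:00Z event=login result=success user=alice src=198.51.100.7
2024-05-01T09:20:00Z event=api calls=900 user=erin src=203.0.113.5
2024-05-01T09:30:00Z event=transfer user=erin bytes=5000000000 dest=files.example.net
2024-05-01T10:00:00Z event=transfer user=alice bytes=20000 dest=mail.example.com
"""

# Constructed baseline of "normal" per user: known source addresses and
# the largest API-call count and outbound transfer previously observed.
BASELINE = {
    "alice": {"known_src": {"198.51.100.7"}, "max_bytes": 1_000_000, "max_api_calls": 200},
    "erin": {"known_src": {"192.0.2.10"}, "max_bytes": 50_000_000, "max_api_calls": 300},
}


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def credential_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Sources that failed logins against >= min_users distinct accounts
    within `window`. Returns {src: distinct_users_hit}."""
    fails = defaultdict(list)
    for ev in events:
        if ev.get("event") == "login" and ev.get("result") == "fail":
            fails[ev["src"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for src, items in fails.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = len(users)
                break
    return flagged


def unusual_logins(events, baseline):
    """Successful logins from a source address the user has not used before.
    A user absent from the baseline has no known sources, so any login is flagged."""
    return [
        (ev["user"], ev["src"])
        for ev in events
        if ev.get("event") == "login" and ev.get("result") == "success"
        and ev["src"] not in baseline.get(ev["user"], {}).get("known_src", set())
    ]


def abnormal_activity(events, baseline):
    """API-call counts or outbound bytes above the user's baseline maximum.
    Unknown users have a baseline of 0, so their activity is always flagged."""
    flagged = []
    for ev in events:
        limits = baseline.get(ev.get("user"), {})
        if ev.get("event") == "api" and int(ev["calls"]) > limits.get("max_api_calls", 0):
            flagged.append(("api", ev["user"], int(ev["calls"])))
        elif ev.get("event") == "transfer" and int(ev["bytes"]) > limits.get("max_bytes", 0):
            flagged.append(("transfer", ev["user"], int(ev["bytes"])))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing sources:", credential_stuffing_sources(evs))
    print("logins from new locations:  ", unusual_logins(evs, BASELINE))
    print("activity above baseline:    ", abnormal_activity(evs, BASELINE))
```

On the constructed sample, one source fails against five different accounts in five seconds and then succeeds as "erin" from an address she has never used, after which that account makes far more API calls and moves far more data than its baseline allows. Each check alone is a weak signal; together they tell the story the ICO's layered-defence advice expects monitoring to surface. The baseline would normally be built from historical logs rather than hard-coded, and the thresholds tuned to the organisation's own traffic.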
How TPMG Can Help
TPMG helps organisations move from uncertainty to control over their cyber and AI governance.
Relevant TPMG services include:
- Cyber Essentials readiness
- Cyber Essentials Plus preparation
- Supplier cyber assurance
- Contractor cyber onboarding checks
- Data protection evidence reviews
- Incident response readiness
- Business continuity reviews
- Policy Shop documents
- E-learning and staff awareness training
- Digital dashboards for actions and evidence
TPMG helps organisations answer the question buyers, insurers and regulators increasingly ask:
Can you prove your cyber, data and AI controls are working?
Need confidence that your cyber controls, AI governance, supplier access and data protection evidence are ready for scrutiny?
Speak to TPMG about Cyber Essentials readiness, ISO 27001 audits, ISO/IEC 42001 AI governance, supplier assurance or incident response readiness.