Is it Cybersecurity vs AI?

The Bank of England has named cyber attacks as a drag on UK GDP following the Jaguar Land Rover attack. The NCSC says the time to act is now. And the dual edge of AI, as both a defender and a destructive force, is rewriting what "secure" means. This is what the UK's leading research institutions are telling us, and where business currently stands.

Cybersecurity Has Never Been This Relevant

Richard Horne, Chief Executive of the National Cyber Security Centre, gave a speech in October 2025 that should have been front-page news.

"Last year, I spoke to you about the widening gap between the rising pace of the cyber threat and the UK's collective resilience in facing that threat. This year, that gap continues to grow. So today, my message is simple: the time to act is now." (NCSC, 2025a)

The numbers behind the speech are stark. In the year to August 2025, the NCSC handled 429 cyber incidents. 204 of those were classified as nationally significant — more than double the 89 recorded a year earlier. 18 were classified as highly significant, the second-most-severe category in the UK system, representing a 50 percent increase on the previous year and the third successive annual rise (NCSC, 2025b; Tripwire, 2025).

The economic consequence has now reached the central bank. The Bank of England named the September 2025 cyberattack on Jaguar Land Rover as a contributing factor to the UK's third-quarter GDP contraction, alongside weaker US exports (Bank of England, 2025). The Cyber Monitoring Centre — the insurance industry's independent classifier of cyber events — has assessed the JLR incident as a Category 3 systemic event, with a total UK economic impact of approximately £1.9 billion and disruption to more than 5,000 organisations across the supply chain (Cyber Monitoring Centre, 2025). It is the most economically damaging cyberattack in British history.

It was not an isolated event. The same loosely affiliated collective of mostly English-speaking adolescents — operating under banners including Scattered Spider, Lapsus$, and ShinyHunters — had already cost Marks & Spencer £300 million in lost operating profit and the Co-op £107 million, with 6.5 million Co-op customer records compromised (Computer Weekly, 2025; Daily Security Review, 2025).

Three of the highest-profile names in British retail and manufacturing. One spring. £1.9 billion of national economic damage by autumn. This is the context in which the UK's leading universities are now reframing what cybersecurity actually means.

What the academic community is saying

The University of Oxford, in partnership with the Alan Turing Institute and HM Government, launched the Laboratory for AI Security Research (LASR) in December 2024 — an £8.22 million initiative explicitly created to address the intersection between artificial intelligence and cybersecurity. Professor Sadie Creese, Director of Oxford's Global Cyber Security Capacity Centre, set out the rationale plainly: "The Laboratory for AI Security Research is a crucial initiative at a time when understanding the interplay between AI and cybersecurity is more important than ever" (University of Oxford, 2024).

LASR's research focus is unusually direct. Rather than treat AI security as a single problem, Oxford's team has separated it into two related but distinct questions: how to secure AI systems against attack, and how to use AI to defend conventional systems. Both questions have escalated in importance throughout 2025.

The dual nature of AI in cybersecurity is now a settled finding in the peer-reviewed literature. A 2025 paper in IEEE Transactions on Artificial Intelligence, co-authored by researchers at the Oxford Martin School, framed the problem precisely: AI introduces new categories of vulnerability — data poisoning, prompt injection, adversarial inputs — while simultaneously providing defenders with novel capabilities in threat detection, anomaly recognition, and incident response (Schmitt & Koutroumpis, 2025).

The Oxford Handbook of the Foundations and Regulation of Generative AI, published in April 2025, dedicates an entire chapter to the same dual-edge: generative AI enables attackers to write more convincing social engineering content, generate functional malware variants at scale, and automate reconnaissance — while also dramatically improving defensive capabilities in vulnerability detection and code review (Wischmeyer & Strecker, 2025).

At Imperial College London, the Security and Machine Learning Lab has gone further. The team's CLOUSEAU framework, presented at the Annual Computer Security Applications Conference 2025, demonstrates a multi-agent AI system that autonomously analyses security incident logs and assembles forensic reports explaining how attacks occurred (Imperial College London, 2025). This is no longer theoretical. UK academic research is producing defensive AI systems that operate at machine speed against attackers who now operate at machine speed themselves.

The dual edge in practice

The implication of this body of work for British business is uncomfortable.

On one side, attackers are now leveraging AI to lower the cost and raise the quality of attacks that were already working. The 2025 Oxford handbook documents how large language models have collapsed the cost of producing convincing phishing content in dozens of languages, accelerated the generation of malware variants that evade signature-based detection, and automated the reconnaissance phase that previously required skilled human operators (Wischmeyer & Strecker, 2025). The teenage social engineering crews behind the British retail attacks did not need AI to succeed. The next generation of attackers will not need to be teenagers.

On the other side, AI provides genuine defensive capability that did not exist five years ago. The same research community that documents the threats also documents the countermeasures: behavioural analytics that distinguish legitimate from malicious use of administrative tools, anomaly detection that flags credential abuse before lateral movement occurs, and autonomous response systems that contain an intrusion in minutes rather than days. Schmitt and Koutroumpis (2025) describe a "cyber shadows" framework in which AI policy and AI defence must evolve in lockstep with AI-enabled threats — neither can be considered in isolation.

The practical question for a UK business in 2026 is not whether to engage with AI. The practical question is whether the AI investments being made — copilots, agents, internal tooling — are being matched by proportionate investment in the security architecture that makes those investments survivable.

The evidence from the M&S, Co-op, and JLR incidents suggests that, across British corporate life, they are not.

The board-level shift

The NCSC's 2025 review draws an explicit conclusion. Cyber risk is no longer a technical question to be delegated to the IT department. It is a board-level governance question, in the same category as financial risk and regulatory risk. Threat actors target vulnerabilities, not sectors — meaning every digital organisation is a potential target — and the largest single factor distinguishing organisations that recover from organisations that do not is the quality of board-level oversight (NCSC, 2025b; CyberSmart, 2025).

In October 2025, the NCSC, the National Crime Agency, and the Chancellor Rachel Reeves jointly wrote to every CEO in the FTSE 350 with the same message: act now, do not wait for the breach (CNBC, 2025). The letter has no legal force. It is, however, a written record that the most senior cyber authorities in the country put boards on notice during 2025. The next FTSE-listed CEO to face a major incident will be asked, in front of select committees and shareholders, what they did between receiving that letter and the breach itself.

The honest answer for most British boards is: very little.

What good actually looks like

The interventions that close most of the exposure are not glamorous and not new. They are, however, the interventions that the academic literature, the NCSC, and the insurance industry independently agree matter most.

Identity-first security — multi-factor authentication enforced across all systems, conditional access policies, just-in-time admin privileges, removal of dormant accounts. This addresses the entry vector used in every major UK incident in 2025.

Resilient infrastructure — segmented networks, immutable backups, tested recovery procedures. This determines whether a breach is a 48-hour disruption or a six-week shutdown.

Independent review of outsourced relationships — the helpdesk procedures, the admin access, the supplier chain. This is the gap that the JLR and M&S attacks exploited.

AI used as a defender, not just a target — behavioural detection, anomaly recognition, autonomous response. This is where the academic research is moving fastest, and where most British SMBs have not yet started.

Where Neurotic comes in

Cybersecurity is no longer an IT line item. It is, in the words of the UK's senior intelligence agencies and its leading research universities, a national priority and a board-level responsibility. The organisations that responded in time will not appear in the next NCSC annual review. The ones that did not will be the case studies.

Neurotic works with growth companies, scale-ups, and corporates to fix the security and infrastructure gaps that vendors won't talk about and auditors won't catch — pragmatic, engineering-led, without the overhead. If your board has spent more time discussing AI strategy than cyber resilience in the past twelve months, the imbalance is the gap.


References

Bank of England (2025) Monetary Policy Report, November 2025. [online] Available at: https://www.bankofengland.co.uk/monetary-policy-report/2025/november-2025 [Accessed 18 May 2026].

CNBC (2025) Jaguar Land Rover's cyberattack holds an ominous lesson for British businesses. [online] Available at: https://www.cnbc.com/2025/10/29/jaguar-land-rover-cyberattack-holds-ominous-lesson-for-british-firms.html [Accessed 18 May 2026].

Computer Weekly (2025) M&S, Co-op attacks a 'Category 2 cyber hurricane', say UK experts. [online] Available at: https://www.computerweekly.com/news/366626336/MS-Co-op-attacks-a-Category-2-cyber-hurricane-say-UK-experts [Accessed 18 May 2026].

Cyber Monitoring Centre (2025) Statement on the Jaguar Land Rover Cyber Incident, October 2025. [online] Available at: https://cybermonitoringcentre.com/ [Accessed 18 May 2026].

CyberSmart (2025) 6 key takeaways from the NCSC Annual Report 2025. [online] Available at: https://cybersmart.co.uk/2025/10/6-key-takeaways-from-the-ncsc-annual-report-2025/ [Accessed 18 May 2026].

Daily Security Review (2025) Co-Op Reports $107 Million Loss After Scattered Spider Cyberattack. [online] Available at: https://dailysecurityreview.com/cyber-security/co-op-reports-107-million-loss-after-scattered-spider-cyberattack/ [Accessed 18 May 2026].

Imperial College London (2025) CLOUSEAU: A Hierarchical Multi-Agent Approach for Autonomous Attack Investigation. Annual Computer Security Applications Conference (ACSAC) 2025. [online] Available at: https://www.imperial.ac.uk/a-z-research/cyber-security/ [Accessed 18 May 2026].

NCSC (2025a) Annual Review 2025 launch speech — Richard Horne, CEO. [online] National Cyber Security Centre. Available at: https://www.ncsc.gov.uk/speech/annual-review-2025-richard-horne-speech [Accessed 18 May 2026].

NCSC (2025b) Annual Review 2025. [online] National Cyber Security Centre. Available at: https://www.ncsc.gov.uk/collection/ncsc-annual-review-2025 [Accessed 18 May 2026].

Schmitt, M. & Koutroumpis, P. (2025) 'Cyber Shadows: Neutralizing Security Threats With AI and Targeted Policy Measures', IEEE Transactions on Artificial Intelligence, 6(7), pp. 1697–1705. Available at: https://www.oxfordmartin.ox.ac.uk/publications/cyber-shadows-neutralizing-security-threats-with-ai-and-targeted-policy-measures [Accessed 18 May 2026].

Tripwire (2025) What Did We Learn from the NCSC's 2025 Annual Review? [online] Available at: https://www.tripwire.com/state-of-security/what-learn-ncsc-2025-annual-review [Accessed 18 May 2026].

University of Oxford (2024) Oxford University to lead AI security research through new national laboratory partnership. [online] Available at: https://www.ox.ac.uk/news/2024-12-04-oxford-university-lead-ai-security-research-through-new-national-laboratory [Accessed 18 May 2026].

Wischmeyer, T. & Strecker, M. (2025) 'Generative AI and Cybersecurity', in Hacker, P. et al. (eds) The Oxford Handbook of the Foundations and Regulation of Generative AI. Oxford: Oxford Academic. Available at: https://doi.org/10.1093/oxfordhb/9780198940272.013.0035 [Accessed 18 May 2026].
