Securing AI
Last month’s cyber outlook highlighted the increasing adoption of artificial intelligence (AI) and generative AI tools by organisations. DeepSeek, the new low-budget AI chatbot similar to OpenAI’s ChatGPT, gained widespread attention last month and became the most downloaded app in its first week of launch.
However, the platform subsequently fell victim to a cyber-attack, which caused significant disruption and forced the company to limit new registrations. Further reports also highlighted a worrying lack of cyber security basics, including a publicly accessible database in which sensitive data, including chat history and API details from DeepSeek, was left exposed.
The widespread use of AI also brings new risks and cyber challenges. Certain security risks associated with AI systems, such as data poisoning and indirect prompt injections, differ significantly from the risks faced by other types of software. You can read more about the specific cyber security risks in ICAEW’s Generative AI guide.
In response to this, the Department for Science, Innovation and Technology (DSIT) has published a Code of Practice for the Cyber Security of AI, which addresses security risks specific to AI and sets out how organisations using AI can protect themselves from a range of cyber threats as highlighted above.
The code aims to cover the cyber security considerations across the AI lifecycle. As a result, the principles are separated into five phases: secure design, secure development, secure deployment, secure maintenance, and secure end of life.
The code is supplemented with an implementation guide to support organisations in adhering to the voluntary code. This includes suggestions for implementing cyber security training programmes that are focused on AI vulnerabilities, developing recovery plans following potential cyber incidents, and conducting robust risk assessments.
A continued focus on cyber resilience
Further research has found that more than two-thirds of UK businesses are vulnerable to having their data compromised by hackers because of failings in securing their networks and data against common and known cyber threats. This figure includes approximately 7,000 medium-sized and 1,000 large organisations that are likely to hold sizeable volumes of commercially sensitive and personal information.
Sensitive and personal data is a common target in cyber attacks. Earlier this year, Gateshead Council reported that personal data had been stolen in a cyber attack on the council and that residents had been warned to look out for potential phishing emails and fraudulent activity. Multinational engineering firm IMI also reported a cyber-attack that led to unauthorised access to the company’s internal systems, including systems in the UK.
Despite the disruption and loss cyber incidents can cause, many organisations struggle to engage with cyber issues in a meaningful way because of constraints on resources and access to training. As a result, building cyber resilience among UK businesses, and ensuring business leaders have the tools to address cyber threats, has been a focus for the UK government.
Last year, the government launched a consultation on a Cyber Governance Code of Practice, to support businesses to drive greater cyber resilience. The government’s response outlines improvements to the code based on the feedback received.
The updated version, developed by DSIT in collaboration with the National Cyber Security Centre (NCSC) and other industry experts, will provide clear actions for organisations, directors, and non-executive directors to manage cyber risks effectively. The new code is expected to be published in the early part of this year.
In January, the UK Home Office published a consultation on legislative proposals on ransomware, identifying it as the biggest cybercrime threat and a risk to national security. Covered in last month’s cyber outlook, the ongoing consultation seeks views on legislation scope, structure, reporting thresholds, and enforcement. ICAEW’s Tech Faculty will be responding; email your views to techfac@icaew.com.
Monitoring and response
Alongside following governance and best practices, effectively monitoring and responding to cyber events is a key part of building cyber resilience. To support this, a new Cyber Monitoring Centre was launched in the UK this month to monitor large-scale cyber attacks in real time.
The system will aim to monitor and then rate the severity of cyber-attacks on a scale from least to most severe, to help businesses across the UK recognise the impact of cyber-attacks and how to better respond.
The best way to get started with building good cyber practices is by focusing on the basics. The NCSC’s 10 Steps to Cyber Security provides a useful starting point with key activities to focus on, including identity and access management, asset management, supply-chain security and incident management.