AI Is Rewriting the Rules of Cyber Attacks, Is Your Business Ready?

The cyber threat landscape is always changing, but what is happening now is different in both scale and speed. Attackers are no longer simply improving their techniques, they are fundamentally changing how attacks are created, personalised, and executed.

The key driver behind this shift is artificial intelligence. Generative AI has become a force multiplier for cybercriminals, lowering the barrier to entry and dramatically increasing the volume and realism of attacks. Tasks that once required skill and time, such as writing convincing phishing emails or impersonating trusted individuals can now be done in minutes. IBM’s Cost of a Data Breach Report shows that generative AI can reduce phishing email creation time from around 16 hours to just 5 minutes, enabling attackers to scale social engineering campaigns at unprecedented speed.

 

The Attack Has Changed But Many Defences Have Not

For years, organisations trained staff to detect phishing through obvious indicators: poor grammar, unusual phrasing, and suspicious formatting. Those signals are rapidly disappearing. AI-generated phishing emails are now grammatically correct, context-aware, and often personalised using publicly available data. This makes traditional awareness training significantly less effective against modern attacks. Microsoft’s 2025 Digital Defense Report highlights that AI is now being used to generate highly convincing phishing content at scale and notes that AI is contributing to a measurable rise in attack sophistication across identity-based threats.

IBM’s Cost of a Data Breach Report shows that generative AI can reduce phishing email creation time from around 16 hours to just 5 minutes, enabling attackers to scale social engineering campaigns at unprecedented speed. The report detailed 1 in 6 breaches involved attackers using AI, organisations without strong AI governance experience significantly higher breach costs and the global average cost of a breach has reached approximately $4.4 million, reinforcing the financial impact when attacks succeed.

Alongside this, deepfake technology has become a serious operational risk. Voice and video impersonation is now being used in fraud attempts against organisations, enabling attackers to convincingly pose as executives or suppliers. Academic research from 2025 demonstrated that 66% of participants failed to identify AI-generated audio as fake, highlighting how effective these techniques have become at bypassing human judgement.

The Shadow AI Problem Most Organisations Are Missing

While attackers are using AI externally, a second risk is emerging internally: Shadow AI.

This refers to employees using public AI tools without organisational approval or governance, often by inputting sensitive business data into third-party platforms.

This can include:

• Customer data
• Internal documents
• Credentials or system information
• Commercially sensitive strategy materiaL

IBM’s research shows that 63% of organisations either lack formal AI governance or are still developing it, leaving a significant gap between AI adoption and AI control. The same dataset also highlights that organisations with high levels of unmanaged AI usage experience significantly higher breach costs, particularly where sensitive data is exposed.

 

Speed Is Now the Defining Factor in Cyber Defence

One of the most consistent findings across modern breach research is that time directly determines impact. The longer an attacker remains undetected, the more damage they can cause, including data exfiltration, credential harvesting, and system disruption. IBM data shows that faster detection and containment significantly reduces breach costs, with differences exceeding $1 million between fast and slow response organisations.

At the same time, attackers are also accelerating. CrowdStrike reports that average “breakout time”  the time it takes an attacker to move laterally inside a network has fallen to just 29 minutes in 2025, meaning organisations now have far less time to detect and respond than ever before. This creates a widening gap between attacker speed and organisational response capability.

 

What a Real Cyber Attack Actually Looks Like

Statistics only tell part of the story. In real-world incidents, compromise is rarely immediate or obvious. Attackers typically: Gain initial access through phishing or credential theft, remain undetected inside systems for extended periods, escalate privileges gradually and identify high-value systems before launching impact events. The result is that by the time an organisation becomes aware of an attack, significant damage has often already occurred. This is why detection speed, visibility, and response readiness are now the most critical components of modern cyber resilience.

At our upcoming event at Inside the Next Breach at The Crystal Maze Live Experience in London, we will take participants inside the mindset of both attacker and defender, showing how modern threats exploit gaps in technology, process, and human judgement.

The aim is to move beyond theory and into practical, real-world understanding of how modern cyber incidents actually behave.