Technology & Innovation

AI Is accelerating familiar attacks: What’s changing, and how leaders should respond

The cyber threat hasn’t changed. The speed has. Here’s a practical 90-day plan to strengthen your defences before it matters.

Apr 1, 20267 min read Share

Artificial intelligence is not creating a completely new class of cyber threat.

What it’s doing is making familiar attacks faster to launch, easier to tailor, and harder to stop in time.

That distinction matters.

For years, organisations have dealt with phishing, social engineering, account compromise, vulnerability exploitation, and ransomware.

None of that’s new.

What has changed is the pace. Tasks that once took attackers hours or days can now be completed in minutes, sometimes at scale, and often with very little effort.

That shift is easy to underestimate.

The real issue is not that attackers have suddenly become more inventive. It’s that they no longer need to be slow.

For leadership teams, this changes the security conversation.

The challenge is no longer just whether an organisation has the right controls on paper.

It’s whether the business can detect, decide, and respond quickly enough when routine weaknesses are exploited at machine speed.

That’s what we discuss in this article, as follows:

The threat is familiar but the tempo is not

AI helps attackers automate parts of the attack chain that used to require time, patience, and manual work.

That can include researching a company’s structure, identifying senior employees, generating convincing phishing emails, analysing public data for useful context, scanning for weaknesses, and testing different approaches before choosing the one most likely to succeed.

The underlying tactics are well established. The difference now is execution.

A phishing email no longer has to be generic, badly written, or sent in bulk to be dangerous.

It can be targeted, credible, and written in the tone a recipient expects.

Reconnaissance no longer depends on someone manually piecing together information over several hours. Public data, company websites, social media, and digital footprints can be analysed far more quickly.

This is where the pressure builds for defenders. When attackers can move faster, security teams have less time to notice what is happening, understand the risk, and contain it before damage spreads.

Why many organisations are still exposed

A lot of security programmes were built for a slower operating environment.

They rely on periodic reviews, annual training, delayed patching cycles, fragmented ownership, and incident response processes that look fine in a policy document but have never really been tested under pressure.

That may have been tolerable when attack preparation was slower and campaigns took more time to develop.

It’s far less tolerable now.

AI has not made every attacker more advanced, but it has made many attacks more efficient.

That creates strain in places where businesses are often weakest: decision-making, coordination, and speed of execution.

Three issues tend to show up quickly.

1. Governance falls behind reality

Organisations adopt new tools, new workflows, and new ways of sharing information faster than they update policy, oversight, or risk ownership.

That creates exposure, especially when leaders do not have a clear view of how AI is being used across the business.

2. Basic weaknesses stay open for too long

Unpatched systems, weak authentication, excessive access rights, and poor email discipline remain common.

These are not new failures, but they become more dangerous when attackers can identify and exploit them faster.

3. Response is often too slow

In many businesses, the attacker can now move faster than the internal chain of escalation.

By the time the right people are informed, the problem may already have spread.

That’s why this is not only a technical issue.

It’s a leadership issue. Security resilience depends on whether the organisation is set up to act quickly, not simply whether it has bought the latest tool.

What leaders need to understand now

There are three realities worth keeping in view.

1. AI lowers the cost of attack. Capabilities that once required time, specialist skill, or a larger criminal operation are becoming more accessible. That broadens the field of adversaries.
2. Volume will increase. When parts of the attack process can be automated, criminals can run more campaigns, test more variations, and look for easier wins.
3. Prepared organisations have an advantage. When attacks accelerate, the businesses that perform best are usually not the ones with the longest list of tools. They are the ones with clear ownership, strong basics, and a rehearsed response.

That last point is important. Leaders do not need to panic, and they do not need to treat every development in AI as a reason to rebuild their security strategy from scratch.

They do need to recognise that speed now matters more than ever, and that slow decisions create risk.

A practical 30-, 60-, 90-day response plan for small and medium-sized businesses

For small and mid-sized businesses, the response does not need to begin with complexity.

In most cases, the biggest gains come from tightening the basics, clarifying ownership, and improving response discipline.

Within 30 days:Reduce the obvious exposure

Most cyber incidents affecting small and medium-sized businesses still start with familiar weaknesses.

An employee account is compromised. A phishing email is opened. A device is unpatched. Access rights are broader than they should be.

AI does not change those fundamentals. It simply helps attackers move through them faster.

In the first 30 days, leaders should focus on the controls that reduce the most common forms of exposure.

Priorities should include:

• Enabling multi-factor authentication for email, remote access, and finance systems
• Applying software updates across operating systems and key business applications
• Checking that backups are in place, protected, and can actually be restored
• Reviewing administrative privileges and removing unnecessary access.

These are not sophisticated measures, but they remain some of the most effective.

For many organisations, they also deliver the fastest reduction in risk.

Within 60 days: Improve staff awareness and reporting

Employees remain one of the most common entry points for attackers, particularly in phishing and social engineering campaigns.

AI is making those attacks more convincing.

Messages are more fluent, more tailored, and less likely to contain the errors that people once relied on as warning signs.

That means awareness training needs to be practical, not performative.

Within 60 days, organisations should make sure employees know what suspicious requests look like, when to stop and question them, and how to report concerns quickly.

Priorities should include:

• Short, practical awareness training based on realistic examples
• A clear route for reporting suspicious emails, links, or requests
• Reinforcement from managers that fast reporting matters
• A no-blame culture that encourages people to speak up early, even if they may have made a mistake.

That last point is often underestimated. In many incidents, early reporting is the difference between a contained problem and a serious disruption.

Within 90 days: Be ready to respond at speed

Even well-run organisations will not prevent every incident.

The question is how quickly they can contain one.

By 90 days, leadership should make sure there is a simple response structure in place.

It does not need to be over-engineered, but it does need to be clear.

That should include:

• Naming the person responsible for coordinating incident response
• Identifying the systems and data that matter most to business continuity
• Keeping contact details for internal decision-makers, IT providers, insurers, and legal advisers easy to access
• Running a tabletop exercise based on a realistic phishing or ransomware scenario.

This kind of preparation is not about theatre. It’s about reducing hesitation.

When an incident happens, teams need enough clarity to act without wasting valuable time deciding who owns what.

Final thoughts: The real takeaway

AI is not redefining cyber risk from the ground up.

It’s accelerating the threats businesses already face, and exposing the cost of being slow.

For small and mid-sized businesses, that’s a useful message because it keeps the response grounded.

The priority is not to chase every new headline. It’s to strengthen the fundamentals, close common gaps, improve reporting, and rehearse response.

Organisations that do those things well will be in a far better position to deal with the reality of AI-assisted attacks.

Not because they can predict every threat, but because they can react faster when it matters.

In the current environment, that’s what resilience increasingly looks like.