The UK faces a “perfect storm” for cybersecurity as the next decade will be defined by a combination of geopolitical tensions and high-speed technological evolution.
Speaking at the tenth annual CYBERUK conference in Glasgow, Richard Horne, CEO of the UK’s National Cyber Security Centre (NCSC), said that the meeting of geopolitical tensions and rapid technological change driven by developments in AI is giving rise to a period of “tumultuous uncertainty”.
The NCSC had dealt with 204 “nationally significant” cyber incidents at the time of its last annual review, published in October 2026. Today, Horne said the number of incidents remained “fairly steady”.
Most Serious Cyber Threats Come from Nation States
Ransomware attacks continue to be the most prevalent threat to most firms. However, Horne warned that the majority of “nationally significant” threats the NCSC deals with originate directly from nation states.
Speaking to Infosecurity, Jamie Collier, lead threat intelligence advisor (Europe) at Google Threat Intelligence Group (GTIG), said the firm’s research shows that the UK is currently “navigating a complex and blended threat landscape where nation-state actors pursue very different strategic goals.” This, he said, makes it difficult to compare them side-by-side.
In his speech at CYBERUK, Horne outlined how Russia, China and Iran continue to target both UK firms and individuals with their different tactics and objectives.
He noted that China’s intelligence and military agencies now display an “eye-watering level of sophistication” in their cyber operations.
In August 2025, the NCSC published a joint advisory alongside twelve allied agencies publicly linking three China-based companies to a global campaign targeting critical networks, overlapping with what industry tracks as Salt Typhoon.
China-nexus activity is often quieter and persistent, especially compared to the likes of Russian threat actors. These actors have typically moved away from traditional targets to focus on edge infrastructure like routers and VPNs, explained Collier.
Meanwhile, Iran is “almost certainly” using cyber activities to support the repression of British individuals on our streets who are seen as a threat to the regime, Horne said.
The NCSC has previously warned about an increase in targeted attacks against individuals using social media messaging apps.
Martin Riley, CTO at cybersecurity services firm Bridewell, told Infosecurity that Iran is “the shifting piece.”
The Handala wiper activity in March, which compromised Stryker's Microsoft Intune environment and remotely wiped devices at a key UK NHS supplier, “shows the direction of travel,” Riley noted.
“UK organizations should expect more direct Iranian or Iran-aligned targeting in the months ahead, not less,” he added.
Regarding Russia, Horne’s analysis noted that cyber lessons are being learned in the theatre of war with Ukraine.
“The tactics and techniques honed in conflict are now being directed at states it considers hostile,” Horne said.
The NCSC and its partners, including the National Protective Security Authority, are observing sustained Russian hybrid activity targeting assets across the UK and Europe.
Collier noted, “Russia remains the most visible and disruptive threat, characterized by a mix of sophisticated espionage and a surge in pro-Russia hacktivist activity.”
While this is cause for concern, Bridewell’s data found that the current Russian cyber effort remains heavily concentrated on Ukraine and on espionage against government and policy targets, with pro-Russia hacktivist noise on the margins.
“Direct targeting of UK operational technology (OT) and critical national infrastructure (CNI) by Russian state actors is not what we are seeing in volume right now,” said Bridewell’s Riley.
GTIG’s Collier said their analysis shows Russia moving toward tactical, frontline objectives.
“This includes targeting the mobile devices and battlefield applications used by individual soldiers to gain immediate military advantages. This shows a Russian cyber apparatus that has become much more disciplined and integrated into traditional military operations,” he said.
UK Preparedness Under the Spotlight
The readiness of UK organizations against sustained nation-state attacks is uncertain. Anthony Young, CEO at Bridewell, cautioned that the majority of businesses are “not well prepared.”
“Most organizations are still struggling to get basic security controls in place and have full visibility across their estate. At a time of heightened security, budgets are being squeezed like never before, therefore CISOs are having to do more with less and most are still starting from a relatively low level of maturity,” he told Infosecurity.
Horne urged a “cultural shift” within organizations to prepare for cyber risks, calling for everyone “whether they sit on the board or the IT help desk” to be part of the cybersecurity mission.
Young said, “Execs across organizations need to start to stand up, stop putting lip service to cybersecurity and actually invest for the long term.”
If a nation state were to undertake a sustained attack on the UK today, Young said he would be “very worried.”
“We have the right people and skills to be able to respond fast as a country but if we focused on actually improving cyber properly as a country we would be in a lot better position,” Young concluded.
Meanwhile, Rob Demain, CEO of e2e-assure, cautioned that if organizations don't evolve how they are detecting and responding to threats over the next 12 months, then they will soon become “significantly underprepared.”
Collier said that, for cybersecurity leaders, the most critical shift is moving from a prevention-only mindset to a resilience mindset.
“Organizations have to assume adversaries can gain initial access and focus on making their environment as difficult as possible for intruders to navigate,” he said.
AI, a Cause for Concern
Following the release of Anthropic’s Claude Mythos frontier AI model, which promises to identify and fix software vulnerabilities at speed, the UK government sent an open letter to business leaders urging them to plan for such AI models to rapidly increase over the next year.
The letter also encouraged businesses to take cybersecurity seriously and deploy cyber hygiene methods.
During CYBERUK, Horne said, “Frontier AI is rapidly enabling discovery and exploitation of existing vulnerabilities at scale, illustrating how quickly it will expose where fundamentals of cyber security are still to be addressed.”
Demain highlighted that zero-day attacks are becoming more common and real across all business sizes and industries as a result of advancements in AI.
Although the threats and technologies are changing, we still need to ensure the basics are correct, he added.
“Basics such as full visibility across all environments, 24/7 monitoring, and correct technological configuration are still some of the easiest ways to remain a hard target for threat actors, even with the threats from AI looming,” he said.
