Five Eyes says the AI timeline is months, not years
If you have been treating "AI makes attacks worse" as a problem for next year, the people who watch the threat for a living have just told you to move it forward. The window to act is shorter than most businesses have planned for, and the things that close it are ordinary, not exotic.
That message comes from an unusual source. On 22 June the intelligence chiefs of all five Five Eyes nations, the UK, the US, Canada, Australia, and New Zealand, put their names to a single joint warning: "The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years." They went further: "The timeline is not years, it is months." Five spy agencies agreeing on anything in public is rare. Five of them agreeing on a timeline, and publishing a short list of things every organisation should do about it, is worth paying attention to. This is not a vendor selling fear. It is the people who do this for a living telling you the clock has sped up.
The good news, and the agencies say this themselves, is that none of what they ask for is new. The bad news is that it is now urgent.
What they actually said
The warning makes one core claim: frontier AI is accelerating the speed, scale, and sophistication of attacks faster than most organisations have planned for. The window between a vulnerability becoming known and being exploited is shrinking. Richard Horne, the head of the UK's National Cyber Security Centre, framed it as a shift in the global threat landscape that needs a step change in defence.
The agencies are careful to say AI cuts both ways. It will help defenders too, over time, by finding flaws earlier, improving software quality, and spotting unusual behaviour faster. But the offensive side is moving first, and the people on the receiving end are the same small teams that were already stretched.
The framing that matters most for a director is this one, lifted straight from the advice: "Cyber risk can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility." And then the line that follows: "Breaches will occur. Preparedness helps you contain them quickly and prevent escalation into major operational and financial crises."
That is a deliberate change of register. The agencies are not talking to security teams. They are talking to the board.
The five things they ask for
The advice lists five practical actions. The agencies describe them as "not new" but "now urgent". Here they are, in plain English, with what each one means for a business that does not have a security department.
1. Reduce your attack surface. Every system that faces the internet is a door. The question to ask is whether each door needs to be open at all. The remote-access tool nobody uses, the old server still reachable from outside, the admin panel exposed because it was easier that way: those are the doors. Close the ones you do not need. Isolate the ones you do.
2. Patch faster. AI is shortening the gap between a flaw being published and being attacked. That makes slow patching more dangerous than it used to be. The point is not "patch everything immediately", which no small business can do. The point is to know which updates are security-critical and get those on quickly, especially on anything exposed to the internet. We wrote about why patching by severity alone no longer works and what to prioritise instead.
3. Deal with legacy systems. The advice is blunt: unsupported systems "are not just technical debt, they are strategic liabilities". The Windows box that no longer gets updates, the application the vendor stopped supporting, the line-of-business tool that only runs on an old operating system: these are the easy targets. You do not have to replace everything this quarter. You do have to know what you are running that no longer receives security fixes, and have a plan to retire or isolate it.
4. Strengthen identity and access. Limit who can reach critical systems. Turn on strong authentication, the kind where a stolen password alone is not enough to get in. Review who has access to what, and take away the access people no longer need. Most breaches start with a login, not a clever exploit.
5. Prepare before the incident. Test your response plan. Train the people who would have to act. Assume a breach will happen and focus on containing it fast. The agencies are explicit that having controls is not enough: "Leaders must be confident those controls will perform during a real incident." A plan you have never tested is a plan you do not really have. Our piece on the first five minutes of incident response covers where to start.
Why this lands on small businesses
It would be easy to read "frontier AI" and assume this is a problem for governments and banks. It is not, for two reasons.
The first is that AI lowers the cost of attacking everyone, not just high-value targets. When a capable attack becomes cheap and fast to run, the economics change. The reason small businesses were often left alone was that they were not worth the effort. AI reduces the effort. A phishing campaign tailored to your staff, a scan for the one unpatched system you forgot, a convincing fake from someone who sounds like your finance director: these get cheaper and more convincing, which means they get more common.
The second is the supply chain. If you sell to larger organisations, their security questions are about to get sharper. The Five Eyes warning will filter into procurement the way every regulator warning does: as a new section on the supplier questionnaire. You will be asked about your patching, your access controls, and your incident plan, and "we have a firewall" will not be an answer.
What to actually do this quarter
You do not need an AI strategy to respond to this. You need to do the boring things well. If you do three things in the next quarter, do these.
Write down what you are running that is exposed or unsupported. A short list: what faces the internet, and what no longer gets security updates. You cannot reduce an attack surface you have not mapped, and the legacy-systems point depends entirely on knowing what your legacy systems are. This is an afternoon, not a project.
Turn on strong authentication everywhere it is not already on. Email, remote access, your finance system, your cloud admin accounts. This is the single highest-value control for the lowest effort, and it directly answers two of the five actions. If you have it on for some systems and not others, the gaps are where you will get hurt.
Test your incident plan once, badly. Pick a scenario, ransomware on a Friday afternoon is the classic, and talk through who does what in the first hour. Who do you call, how do you communicate if email is down, who can authorise paying for emergency help. The first time you do this, it will be a mess. That is the point. Better a mess in a meeting room than at 5pm on a Friday.
The Five Eyes did not publish anything you could not have read in a hundred security blogs over the past two years. What changed is who said it, that they said it together, and that they put a timeline on it. When five intelligence agencies tell you the basics are now urgent, the basics are now urgent.
How Steelwise can help
Mapping what you have exposed, getting strong authentication on properly, and running a first incident-plan walkthrough is the kind of focused work we do with clients who do not have a security team. None of it takes long, and it answers most of what the Five Eyes are asking for. Get in touch.
Further reading
- NCSC: Cyber Assessment Framework
- NCSC: 10 Steps to Cyber Security
- NCSC: Guidelines for secure AI system development