Current developments in AI technology are fundamentally shifting the cyber risk equation: new frontier models like Anthropic’s Mythos can uncover and exploit software vulnerabilities at unprecedented speed, with UK authorities already warning business leaders to act. This short read explains what is changing, why resilience matters as much as prevention, and the practical steps boards should prioritise now.
Advances in artificial intelligence are rapidly redefining the cybersecurity threat landscape. The most significant recent development is cutting-edge research company Anthropic’s new AI tool, Claude Mythos Preview – Mythos for short.
Mythos is an advanced “frontier model” AI system that has demonstrated the ability to identify vulnerabilities in computer systems at a previously unprecedented speed and scale. According to Anthropic, Mythos has already discovered thousands of severe vulnerabilities, including in major operating systems and web browsers.
Some commentators are convinced that this marks a step change in how professionals tasked with defending their employers’ organisations from Cyber-attacks and Ransomware will need to operate given that cutting-edge AI models are now capable of outperforming all but the most skilled human experts in finding and exploiting software weaknesses. However, many experts doubt whether Mythos should be a major area of concern given the extensive cost involved in deploying it effectively at scale.
Sceptics have questioned whether Mythos’ capabilities are overstated, but evidence from the UK government’s AI Security Institute (AISI) suggests otherwise. Their evaluation confirms that Mythos represents a significant advance over previous AI models, particularly in its ability to autonomously attack vulnerable systems. The AISI recommends that all businesses ensure their cyber defences are up to date to counter these emerging threats, but the commercial reality is that the largest organisations with the ability to devote significant resource to their cyber defences will be less vulnerable than the majority of businesses working with greater resource constraints.
Pragmatic commercial risk mitigation decisions must balance the cost versus the benefits of additional cybersecurity investment - so a clear-eyed understanding of the threat landscape is a vital piece of the puzzle.
The UK government, through the AISI and the National Cyber Security Centre (NCSC), has highlighted the urgent need for increased cyber vigilance. They have warned that hackers may already be using advanced AI-enabled tools and have issued an open letter to business leaders outlining their concerns and recommended actions. In the financial services sector, regulators including the Bank of England and the Financial Conduct Authority are actively assessing the risks, with meetings planned to brief leading banks, insurers, and exchanges.
Our assessment is that the actual risk lies somewhere between the two opposing positions set out above. Whilst Mythos itself may not be the immediate existential threat to business that some commentators are claiming, the rate of development of AI models continues to push ahead ever more quickly. If the history of how AI has developed to date tells us anything, it is that new models will simultaneously get better and cheaper to run over time and the rate of development of AI technology as a whole is radically faster than any deployment of such a societal shifting technology seen before.
In short, even if we don’t need to worry right now about hackers using Mythos against businesses due to availability and cost limitations, any feeling of safety on those grounds cannot be relied upon indefinitely. Some commentators have assessed the potential time lag between the development of Mythos and non-US based models with equal or greater capabilities as being as little as eight months.
The speed at which AI is advancing means cyber threats are becoming ever more sophisticated. Cyberattacks are sector agnostic and no organisation which relies upon being connected to the Internet to do business is immune. Even well-defended businesses are at risk; one of the key areas of focus should be not on attempting to build an impenetrable wall around your IT systems but rather to focus on how quickly key business functions can be stood up and put back on-line after an attack.
A valuable way of approaching the issue is to consider what your Minimum Viable Business (MVB) looks like in practice. There will be certain functions within any business which are critical to continuing to trade and operate whilst others can be considered, at least in the short term, as ‘nice to haves’. Effective planning in this space should focus on ensuring that the critical functions which contribute to the MVB model can be brought back online as quickly and effectively as possible.
The good news is that, with the right planning and oversight, these risks are manageable. The key is to ensure your organisation’s cybersecurity strategy evolves in step with technological change and that you have a clear vision of what really matters if the worst happens.
Cybersecurity lessons for today's C-suite
Listen now
