June 30, 2026


What the Five Eyes AI cyber warning means for UK organisations and Cyber Essentials


On 22 June 2026 the UK, US, Canadian, Australian and New Zealand cyber agencies issued a rare joint statement: AI is shrinking the gap between a vulnerability and an attack, and the timeline is months, not years. Jonathan Krause, founder of Forensic Control, explains what the statement actually asks organisations to do, and how its priorities map onto Cyber Essentials’ five controls.

By Jonathan Krause | Founder, Forensic Control | 29 June 2026

On 22 June 2026, the cyber security agencies of the UK, the US, Canada, Australia and New Zealand, the Five Eyes alliance, issued a joint statement warning that artificial intelligence (AI) is shrinking the gap between a vulnerability becoming public and someone exploiting it. The statement, signed by NCSC chief executive Richard Horne alongside his US, Canadian, Australian and New Zealand counterparts, puts a number on the urgency that has not appeared in a UK government cyber statement before: months, not years. For any UK organisation working out what Cyber Essentials certification actually involves and whether it is due for renewal, that timeline changes the calculation.

The five agencies are blunt about why this matters to ordinary organisations rather than just nation states. Frontier AI models are already being used to find and weaponise software flaws faster than defenders can patch them, and the agencies expect that gap to keep shrinking through the rest of 2026.

The second NCSC warning this month

This is not the first NCSC warning this month. On 17 June, at RUSI’s Annual Security Lecture, Richard Horne told the audience that cyber security should be treated as a contest to be fought rather than a risk to be managed, and disclosed that the NCSC had handled over 200 incidents against UK critical infrastructure in the year to May 2026, three-quarters of them linked to state actors. We covered that speech in a separate piece on what the contest framing means for ordinary organisations.

The Five Eyes statement five days later is the same warning extended from critical national infrastructure to every business with a network connection, and it names AI specifically as the accelerant. It also reframes who owns the decision: the statement says plainly that cyber resilience “is not an IT issue,” but a leadership responsibility, which is a harder line to take into a board meeting than a routine renewal date.

Five priorities, mapped onto five controls

The statement sets out five priorities for organisations: reduce the attack surface, accelerate patching, address legacy systems, harden identity and access controls, and prepare for incidents before they happen. Anyone who has been through a Cyber Essentials assessment will recognise four of these almost word for word. Cyber Essentials covers five technical control areas (firewalls, secure configuration, user access control, malware protection and patch management), and the overlap with the Five Eyes list is not a coincidence.

Reduce the attack surface maps onto secure configuration and firewalls: turning off services you do not use and closing ports you do not need. Harden identity and access controls maps onto user access control: least-privilege accounts, MFA, and regular permission reviews rather than a one-off setup. Accelerate patching and address legacy systems both map onto patch management, the control area where Cyber Essentials assessments most often catch a gap between what an organisation believes is up to date and what actually is. The one priority Cyber Essentials does not directly cover, incident preparedness, is the area the statement treats as a separate and equally urgent priority, worth noting if your renewal conversation has only ever been about the certificate.

Three checks to run this week, not at renewal

Multi-factor authentication (MFA) is the one to start with: confirm it is enforced on every admin, cloud and remote-access account across Microsoft 365, Google Workspace and any other platform with a login, not just for IT staff, since administrator-only MFA is the single most common gap we see at assessment. Patch status matters just as much: pull the list of every internet-facing system, including routers, firewalls and VPN gateways, that has a vulnerability published on the NCSC or NVD advisory lists in the last three months, and confirm the patch has actually been applied, not just scheduled. Then check your asset register, since it still needs to list every device and service in scope; an out-of-date register is the single most common reason an otherwise well-run organisation fails the secure configuration question in assessment.
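The three checks above can be run as a cross-reference over exports you already have. The sketch below is an added example, not part of the original article or of any NCSC or IASME tooling: the data, field names and `ADV-EXAMPLE-*` advisory identifiers are constructed placeholders, and "three months" is approximated as 90 days.

```python
from datetime import date, timedelta

# All data below is constructed for illustration; field names are assumptions.
ACCOUNTS = [
    {"user": "alice", "platform": "Microsoft 365", "type": "admin", "mfa": True},
    {"user": "bob", "platform": "Google Workspace", "type": "cloud", "mfa": False},
    {"user": "carol", "platform": "VPN gateway", "type": "remote-access", "mfa": False},
]
REGISTER = [
    {"asset": "edge-fw-01", "product": "ExampleFW", "internet_facing": True,
     "applied": {"ADV-EXAMPLE-001"}},
    {"asset": "vpn-gw-01", "product": "ExampleVPN", "internet_facing": True,
     "applied": set()},
    {"asset": "vpn-lab-01", "product": "ExampleVPN", "internet_facing": False,
     "applied": set()},
]
ADVISORIES = [  # placeholder identifiers, not real advisories
    {"id": "ADV-EXAMPLE-001", "product": "ExampleFW", "published": date(2026, 6, 1)},
    {"id": "ADV-EXAMPLE-002", "product": "ExampleVPN", "published": date(2026, 5, 20)},
    {"id": "ADV-EXAMPLE-003", "product": "ExampleVPN", "published": date(2025, 11, 2)},
]
OBSERVED = {"edge-fw-01", "vpn-gw-01", "vpn-lab-01", "nas-02"}  # e.g. from a scan


def mfa_gaps(accounts):
    """Every admin, cloud and remote-access account must have MFA enforced."""
    return [(a["user"], a["platform"]) for a in accounts if not a["mfa"]]


def unpatched_exposed(register, advisories, today, window_days=90):
    """Internet-facing assets with an advisory published inside the window
    whose fix is not recorded as applied (scheduled does not count)."""
    cutoff = today - timedelta(days=window_days)
    recent = [adv for adv in advisories if adv["published"] >= cutoff]
    return [(r["asset"], adv["id"]) for r in register if r["internet_facing"]
            for adv in recent
            if adv["product"] == r["product"] and adv["id"] not in r["applied"]]


def register_gaps(register, observed):
    """Devices seen on the network that the asset register does not list."""
    return sorted(observed - {r["asset"] for r in register})


if __name__ == "__main__":
    today = date(2026, 6, 30)
    print("MFA gaps:", mfa_gaps(ACCOUNTS))
    print("Unpatched, internet-facing:", unpatched_exposed(REGISTER, ADVISORIES, today))
    print("Missing from register:", register_gaps(REGISTER, OBSERVED))
```

In practice the three inputs would come from your identity provider's user export, your advisory feed of choice and a network or MDM inventory; the comparison logic stays the same.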

Where Cyber Essentials fits, and where it does not

Cyber Essentials will not certify you against a future AI-driven attack specifically. No scheme can promise that. But it forces the same five-control discipline the Five Eyes statement is asking for, assessed independently rather than self-reported.

Forensic Control has been an IASME-licensed Cyber Essentials Certification Body since 2017, and every assessment we run is conducted by our own team rather than outsourced. The Five Eyes statement does not change what Cyber Essentials covers, but it is a reasonable prompt to check those five controls against what AI-accelerated attacks are now testing for, whether or not certification is on your radar at all.

What did the Five Eyes agencies actually say about AI and cyber security?

On 22 June 2026, the cyber security agencies of the UK, US, Canada, Australia and New Zealand issued a joint statement warning that frontier AI is compressing the time between a vulnerability being discovered and being exploited, and that the relevant planning timeline for organisations is months rather than years. The statement, signed by NCSC chief executive Richard Horne and his counterparts at CISA, the NSA, Canada’s Communications Security Establishment, Australia’s Signals Directorate and New Zealand’s NCSC, sets out five priorities: reduce the attack surface, accelerate patching, address legacy systems, harden identity and access controls, and prepare for incidents in advance.

Does Cyber Essentials certification protect against AI-powered cyber attacks?

Cyber Essentials covers five technical control areas (firewalls, secure configuration, user access control, malware protection and patch management), which overlap closely with four of the five priorities in the Five Eyes statement. No certification scheme can guarantee protection against a specific future attack method, AI-driven or otherwise, but Cyber Essentials assesses the foundational controls that the Five Eyes statement identifies as the most urgent gap and, at the Plus level, does so through independent verification rather than self-reporting alone.

How is this different from the NCSC’s RUSI speech on 17 June?

The RUSI speech, given by NCSC chief executive Richard Horne, focused on critical national infrastructure and disclosed that the NCSC had handled over 200 incidents against UK critical infrastructure in the year to May 2026. The Five Eyes statement five days later extends the same urgency to all organisations, not just critical infrastructure operators, and names AI specifically as the factor accelerating the threat.

What should I check in my organisation this week because of this statement?

Three things can be checked without booking a meeting. Confirm multi-factor authentication (MFA) is enforced on every admin, cloud and remote-access account, not just for IT staff. Check that any internet-facing system with a vulnerability published on the NCSC or NVD advisory lists in the last three months has actually had the patch applied. And confirm your asset register still lists every device and service in scope, since an outdated register is a common reason organisations fail the secure configuration question.

Is Cyber Essentials mandatory because of this Five Eyes statement?

No. The Five Eyes statement does not introduce a new legal or contractual requirement. Cyber Essentials is already mandatory for organisations bidding for certain UK government, NHS and Ministry of Defence contracts, and the statement strengthens the case for certifying or renewing promptly rather than creating a new mandate.

How much does Cyber Essentials certification cost and how long does it take?

Forensic Control’s Cyber Essentials certification starts from £450 per year, with Cyber Essentials Plus priced according to organisation size. With the right preparation, certification can often be completed within a few days, though the realistic planning figure depends on how ready your existing controls are.
