CattleGrid

Data Protection

The Current Security Landscape

The Current Security Landscape
Author: Brian PaintingPublished:

Despite widespread Cyber Essentials adoption, 43% of UK businesses suffered breaches in 2025

• Average UK breach cost: £3.29 million (financial services: £5.74 million)

• Shadow AI breaches cost an additional £498,000

• Internal threats (malicious/negligent/compromised) account for 30% of breaches

• 63% of breached organisations lacked AI governance policies

• Only 31% of UK organisations have governance policies for AI usage

The attacks that succeed—phishing campaigns exploiting human behaviour, insider threats, shadow AI data leakage, supply chain compromise—occur in the 90% of the attack surface that basic technical controls cannot address.

For organisations serious about security, the question is not whether to obtain Cyber Essentials (government procurement may require it), but whether to treat it as sufficient security posture or as the bare minimum procurement hygiene it actually represents.

 EU AI Act: Penalties That Exceed GDPR

The EU AI Act, which began enforcement from August 2025, establishes penalty structures from inception that create existential risk for non-compliant organisations:

Tier 1 Violations (Prohibited AI Practices): Up to €35 million or 7% of global annual turnover, whichever is higher

Tier 2 Violations (Compliance Failures): Up to €15 million or 3% of global annual turnover

Tier 3 Violations (Information Violations): Up to €7.5 million or 1% of global annual turnover

For a UK mid-market firm with £100 million revenue, a Tier 1 violation could trigger €35 million (£30 million). For a growth company with £500 million revenue, that becomes €40.6 million (£35 million). For enterprises, the percentage-based calculation creates exposure that dwarfs fixed-penalty schemes.

The Act requires demonstrable AI governance systems, risk assessments, transparency mechanisms, and continuous monitoring—precisely what ISO 42001 provides (and Cyber Essentials does not.)

Organisations demonstrating mature governance frameworks through ISO 27001 and ISO 42001 certification position themselves to evidence good-faith compliance efforts—a significant factor in enforcement discretion and penalty mitigation.

Aligning with ISO 42001 provides a “Presumption of Conformity” for many AI Act requirements. This certification is the most effective way to demonstrate “Lifecycle Monitoring” and build trust with international stakeholders, effectively turning regulatory compliance into a competitive advantage.

UK Data Protection Act and UK GDPR

Existing UK regulatory frameworks remain in force with cumulative exposure:

• UK ICO fines up to £17.5 million or 4% of global turnover for UK GDPR violations

• Data Protection Act 2018 parallel enforcement powers

• Organisations operating in EU face both UK and EU regulatory regimes simultaneously

• Regulatory actions become public, creating reputational damage beyond financial penalties

Organisations can face operational disruption through requirements to withdraw non-compliant AI systems from the market, potentially halting business operations and disrupting customer relationships. For growth companies, regulatory censure can terminate funding rounds and partnership opportunities.

The Enterprise Security Imperative

Enterprise-class organisations—and SMEs aspiring to compete at that level—require security frameworks that address:

• Strategic governance and board accountability for information security

• Systematic risk assessment and management across all business processes

• AI-specific controls for an environment where 85% of workflows integrate AI agents

• Supply chain security in a landscape where 15% of UK breaches originate from third parties

• Insider threat mitigation for the 30% of incidents involving internal actors

• Continuous monitoring and improvement rather than annual self-assessment

• Demonstrable due diligence for customers, partners, and insurers who understand security maturity

This is why ISO 27001 has become the de facto enterprise security baseline, with ISO 42001 emerging as the standard for AI management systems. These frameworks provide demonstrable maturity that reduces breach costs by an average of £1.10 million through faster detection and containment.

Why ISO 27001 is the De Facto Enterprise Baseline

ISO 27001 provides what basic technical checklists cannot: a comprehensive Information Security Management System (ISMS) that addresses security as a strategic governance challenge, not merely a technical configuration exercise.

Core Capabilities

• Risk assessment methodologies that identify vulnerabilities across all business processes

• Access control frameworks preventing unauthorised data exposure

• Incident response protocols for rapid breach detection and containment

• Third-party security requirements protecting against supply chain compromise

• Continuous monitoring standards ensuring ongoing security assurance

• Board-level accountability mechanisms embedding security into strategic governance

ISO 42001: AI Management Systems

Published December 2023, ISO 42001 represents the world’s first AI management system standard, addressing the governance gap that for those 63% of businesses exposed

AI-Specific Requirements

1. AI Management System (AIMS)

• Documented policies for AI development, deployment, and usage

• Clear objectives aligned with business strategy and risk appetite

• Risk management processes tailored to AI-specific threats

• Governance structures for AI decision-making and oversight

2. Risk Assessment and Management

• Systematic identification of AI-related risks (shadow AI, data leakage, model manipulation)

• Impact assessments covering economic, societal, and regulatory dimensions

• Mitigation controls for identified risks

• Continuous evaluation and updating of risk profiles as AI usage evolves

3. Transparency and Accountability

• Explainability requirements for AI decision-making processes

• Documentation of AI system capabilities and limitations

• Audit trails for AI-driven actions and decisions

• Stakeholder communication protocols for AI usage disclosure

4. Continuous Monitoring and Improvement

• Regular performance evaluations of AI systems and controls

• Scheduled reviews at planned intervals

• Course-correction mechanisms for identified issues

• Adaptation to evolving threats and technologies

ISO 42001 provides the AI governance framework that EU AI Act compliance requires and that Cyber Essentials does not address. For organisations serious about AI adoption, it represents the systematic approach to managing AI-specific risks whilst capturing AI’s productivity benefits.

Cattlegrid Recommendations and Fit

1 Establish Strategic Security Posture

• Define board-level commitment to enterprise-class security, not procurement compliance and document risk appetite for AI adoption and data protection

• Assign executive accountability for information security governance

• Establish AI governance committee with cross-functional representation and  executive accountability and budget for ISO 27001 implementation

2. Conduct Comprehensive Risk Assessment

• Inventory all AI systems currently in use (sanctioned and shadow) and assess data exposure through AI services

• Identify regulatory compliance gaps (EU AI Act, UK GDPR, DPA 2018) and quantify potential financial exposure

• Evaluate current security posture against ISO 27001 requirements

3. Initiate ISO 27001 Certification Process

• Engage accredited certification body and develop implementation roadmap

• Begin documentation of policies, procedures, and controls

4. Implement Technical Controls

• Deploy AI-specific data loss prevention (evaluate Cattlegrid or equivalent)

• Extend monitoring to cover all AI API interactions

• Establish real-time alerting for policy violations

• Create audit trails for regulatory compliance

• Target £498,000 shadow AI cost avoidance through technical controls

5. Build Organisational Capability

• Foster security-first culture through continuous education

Conduct enterprise security awareness training for all employees

Develop specialised training for AI system owners and developers

   Establish AI ethics and responsible use guidelines

6. Complete ISO 27001 Certification

• Undergo Stage 1 audit (documentation review)

• Undergo Stage 2 audit (implementation verification)

• Address any non-conformities identified

• Achieve certification and communicate to customers, partners, investors

7. Develop AI Management System (ISO 42001) and Pursue ISO 42001 Certification

• Evaluate certification as strategic differentiator for AI-intensive operations

• Leverage certification for EU AI Act compliance demonstration

• Position as AI governance maturity signal to enterprise customers and investors

• Integrate with existing ISO 27001 ISMS for unified governance

8. Establish Continuous Evolution

• Conduct regular board-level reviews of AI risk landscape

• Monitor regulatory developments across UK and EU jurisdictions

• Update policies and controls as AI capabilities and threats evolve

• Benchmark against enterprise peers and best practices

• Maintain annual surveillance audits for ISO certifications