Studio Sessions
Cyber risk: what leaders need to know
Watch the podcast for in-depth insights about the evolving cyber threats faced by organisations.

Transcript
Adrian Munday (Global Head of Operational, Technology & Cyber Risk, Standard Chartered): 40 per cent of business leaders rank cyber risk as their top risk.
Christian Arndt (PwC UK’s Head of Cyber Strategy): Hackers are logging in, they’re not hacking in.
Emma Hughes (Head of Corporate Content & Production, Standard Chartered): This week we’re talking cyber risk and I’m joined by Adrian Munday, Global Head of Operational, Technology & Cyber Risk at Standard Chartered, and Christian Arndt, Head of Cyber Strategy at PwC UK. A question for both of you, actually, about the field in general. What interests you about it, and how did you get into it? Christian, maybe you could start?
Christian: I started off being a pentester or ‘ethical hacker’ as it were, in that team, and just kind of grew out of there. And why am I interested in the topic and why have I stayed? It’s always evolving. It’s always changing. It’s a really fascinating topic. You know, it was very, very niche, very technical. But over the years it’s like a boardroom topic now, right? Everybody talks about it, it’s in the news. It’s a fantastic topic. Every day is different as well. That’s why I’m in cyber security.
Emma: Adrian, what about you?
Adrian: So, I started my career leading technology and operational transformation in banks. And I’ve now spent the last 10 years leading operational technology and cyber risk functions, at a couple of different institutions. So, my perspective is a little bit different. I come at it from the angle of the resilience of the organisation.
And what fascinates me is that there are very few topics that really speak to the ongoing viability of the business model of an organisation, and I think the work in and around cyber resilience – it really is at the heart of most organisations.
That’s why I continue to find it fascinating. I also get to work with an incredible team. So, our first line CISOs are an amazing bunch, and the second line team that I have specialising in cyber working for me as well are a very talented group. Big plug. Delete that out.
Christian: I think sometimes you can be really lucky to find yourself in a space where you’re really passionate and curious about the topic, and every day you get up and you’re like, wow, this happened in the news. I must tell someone about that. And that’s the job I work in, and that’s why I love it.
Adrian: Yeah, I think, cyber – if I think about my role parochially – a lot of what I do is like the cardiovascular system of an organisation. It’s the blood that pumps around. Cyber is really the nervous system. And so, it’s really fascinating to see those two things interplay.
Emma: Just to help us set the scene a little bit, Adrian, I wonder if you can just tell us from your perspective, what is cyber risk?
Adrian: Big, big question. I’ll maybe start off with a lightly formal definition, which is how we define it here, which is the risk of loss of data, loss of funds, or loss of service due to the activities of an external threat actor, an internal actor or a third-party vulnerability.
Ransomware is something that’s high profile in the press, where a threat actor gains access to your organisation’s technology in some way, shape or form, and then seeks to extort funds from the organisation by holding part of your organisation to ransom. Typically, it’s encrypting data, for example.
Emma: It’s a really critical issue. So, Christian, I wonder if you could just tell us a bit about your experience in this space and why it is such a critical issue?
Christian: It’s quite interesting. In the last 20 years or so, it’s something that a board will now regularly talk about. There’s been so many things in the media over the last, even six months or the last year that have made it super, super topical. And what that’s meant is that people have become very, very interested in the topic, not only from, “Have I got the right controls in place?” “Am I doing the right things?” “How worried should I be about this topic?” It’s driven investment in cyber risk over time.
Adrian: Just to add to that, I think I saw a stat recently that now versus 10-20 years ago, 40 per cent of business leaders rank cyber risk as the top risk across their enterprise. So exactly to Christian’s point, it’s very much top of mind at board. And then if you think about financial services specifically, security (and) trust is clearly central to our mission. People put their livelihoods, their money, for safety, with us. So, unsurprisingly, cyber risk, cyber security is a big topic for banks.
Christian: It’s actually what people are really worried about from a topic point of view. Because if you talk about cyber risk, it’s a bit ethereal, right? What does it actually, really mean? And underneath, over time, it’s kind of changed a little bit. We always used to be very worried about someone breaking in, whether stealing funds or money. That evolved over time to be, “Someone might steal our data”. And then we had regulations and GDPR and stuff like that.
Now it’s evolved into this whole resilience conversation where people are worried about their organisation existing or being able to trade or being available for customers to use, whether it’s selling stuff, or their online portals being available. And that’s kind of the evolution of the topic, where it was very technical – someone might get in here and do something very niche, and they were super hackers with hoodies – to, “they’re going to steal our data”. Well, okay, we’re going to lose data, what does that really mean?
Or we might be fine. What’s our real impact? Now, to a topic where people see in the media: “Wow, if that happens to us, we won’t be able to sell product tomorrow”. And that just changed that narrative massively for the board, for the exec, for shareholders and everybody through the organisation.
Emma: I mean, thinking about that evolution, obviously, you know, you’ve both used that word. What’s happened in that 20 years that has made it so important?
Adrian: I think one of the big features – and then I’ll let Christian chip in – is the explosion, I think it’s fair to say, of attacks taking place. And I think over the last four years – there were some World Economic Forum data out – in which [it was stated that] the average organisation suffers, weekly, 800 attacks a week. And that was four years ago – now it’s closer to 2,000. So, I think one part of why this is now so high profile, and if you think about 2025, there’s been what feels like a very significant increase in the number of attacks being reported in the press. So, I think that for me is probably the number one feature. It’s just the volume of attacks that are going on, and the activity of threat actors.
Christian: I think this is quite – I mean, over the last 20 years – quite a long time of technical evolution. So, we say, right. And the digitisation of business is probably what’s driven that. And we talk a lot about, in cyber, we talk about the attack surface, and the idea that a company isn’t as simple as it used to be. It’s not this kind of colossal like structure with one internet portal, maybe you saw some brochureware. Now everything’s online, every service is delivered digitally, and it’s not in your own data centre anymore – it’s in cloud data centres, it’s in SaaS platforms and other ways of delivering technology to people.
It’s very, very complicated the ecosystem you’re trying to protect. So not only have you got increasing threats and more threat actors, you’ve also got an ecosystem of a business that’s very complicated. It’s also very digital so there’s a lot more places that people can poke holes in it. At the same time, threats have gone up for a couple of reasons.
One of them is obviously IT skills have increased. The internet has enabled the training of people in many things, including hacking skills. There’s, we talk a lot about the commoditisation of tools and techniques, and that is the idea of that, maybe a long time ago, I was the single guru hacker – the people you kind of see in movies that could do everything end-to-end.
It’s just not how it works in the common. These people still exist, but the common world now is: I might specialise in writing a tool that does X. You might pick that tool up and then use it to break into somewhere and get some credentials. You might then sell that to someone else, and someone else specialises in the next bit of that chain.
So, you have like an ecosystem of threat actors working together, training each other, sharing information, sharing logins that they’ve stolen. That’s the evolution. So, threats have evolved, threat actors have evolved, they’ve got more skills, they’ve evolved, they’ve digitised. So, the whole ecosystem is just more efficient, in a way.
Adrian: And I think Christian mentioned it a couple of times there – I think we probably used to see this as a discipline with a fortress with high walls, and the ecosystem, the evolution of the business model, the digital business model, I think is being critical in hybrid environments, working on premise and with cloud providers, for example, that has emerged over the last few years. And so rather than having this single perimeter of the organisation, now we’ve got multiple fronts that we need to fight on.
Emma: And can you share some examples? Christian, I know you’ve had a lot of experience as a CISO in your past. When you talk about these threats and some of these attacks and the evolution of them, what do they look like now? What’s an example?
Christian: So, Adrian already mentioned like, ransomware as an example. That’s probably the most prevalent thing that’s happening at the moment. And, actually, if you just take that as a topic, you think, okay, that’s one form of attack, but how that occurs and happens has really changed recently. We started to coin the term: hackers are logging in, they’re not hacking in. So, what’s really changed over the last, say, three or four years is we – and it’s a positive story – we’ve gotten better at protecting the endpoints of laptops and servers. Now attackers have realised that, so they’ve kind of went: “That’s good, I’ll go somewhere else”. So, what they’ve been doing is they’ve been either, looking for stolen credentials where people have been phished or the people have reused the credential or something, and they’ve been using those credentials to log directly into cloud services.
So instead of going through the corporate network, which we’ve got a little bit better at over the years, they’re now going just directly to the cloud services, bypassing that and different ways those credentials might be available on the dark web, or they might just be phoning up a helpdesk and asking for a password to be reset. Or, if someone’s deployed two-factor authentication, they’ve worked out ways of maybe spamming the user so that just gets reset or asking for that to be reset to a different phone number. So, they’ve actually just moved places where they get in initially.
And then the long-term goal with ransomware is I want to steal the data. Or I’ll say I won’t release it if you pay me some money, or I’ll just encrypt everything on your network so you can’t use it. So, the end game is the same, but the entry point has moved and that’s always changing. So, in the most recent attacks we saw that was all through, helpdesks and people sitting at help desks because they realised those processes weren’t as good as they should have been. So, it’s like an evolution of attack.
Adrian: I think an interesting aside, I saw, and this is a fairly well-known research, but the, the level of damage inflicted by cyber-attacks every year in the global economy is into the several trillion dollars. There’s some debate around the number, but it ranks only behind the US and China in terms of the size of the economy involved. So, it is an amazing scale.
Emma: And, Adrian, how do you defend against that?
Adrian: Well, maybe there’s two answers. What assets have you got exposed to the internet, for example? ‘Protect’: so patching, access management that Christian was referring to a second ago. ‘Monitor’: so make sure that you are, actively, spotting where a threat actor may have gained access to your environments. ‘Respond’: so make sure you’ve got the appropriate, incident management. And then ‘Recover’: so make sure you’ve got the appropriate, incident management and then recover.
Christian: Patching is ridiculously difficult when you’ve got large legacy estates. Trying to keep them up to date is really, really hard to do. And we’re always playing catch up that just you have to keep focusing on it. If you lose focus, you get behind. Identity is massively important. I talked about why because of the ransomware threat, but there is also a topic that we’ve always struggled with as an industry because it is complex. You’ve got lots of users accessing lots of different things, and it’s just expanding at a rapid rate. You just have to focus on it.
And then the last well, there’s many hard bases, but the last thing I want to kind of just mention is I had the most important piece of advice when I became CISO, which was focus on what will happen when you have an incident. You know, there’s a classic comment about it’s not if, it’s when something will happen. And the advice I was given was: go and find out who your incident response is, and put their number in your phone, which is exactly what I did. And it’s to be able to make sure that you’ve planned, you’ve tested, you thought about, you know who to phone, you know what you’re going to do in a crisis.
Prepare for it. If you don’t prepare, then you’re running around like a headless chicken, and you’re just wasting so much time at the beginning of a crisis and it’s super, super important. Once you’ve focused on the hard basics and you know what you’re doing around incidents and you’ve planned and stuff, you can really think longer term. What’s my strategy? What am I going to really do, what areas I’m going to target? And where that’s changed over the last couple of years, I’ve really started to talk to people about the idea of the securable enterprise. Now, the idea is that I talk a little bit about attack surface and how that’s changing. If you’re trying to secure something that’s not securable, right, you’ve got hundreds of users, you’ve got hundreds of websites, you’ve got 20 different versions of server software, you’ve got 20 different versions of cloud providers. It becomes very, very difficult to secure. So, one way of thinking about security, which is completely counter-cultural, is don’t throw a new tool at it. Actually, think about IT and how you can evolve your IT, your business models.
Adrian: And so that is, some of the things you mentioned there, moving on to standardised platforms to enable us to manage the security standards within our architecture rather than tackling each individual problem, and then making sure that we’ve exercised crisis management processes so that in the case of an incident, we’re able to respond, as quickly as possible with the right people immediately. And then the third is building the infrastructure to enable us to recover when if we do suffer an incident. So, as I mentioned earlier, immutable backups, storage, where we can access a clean version of the data and restore our services as quickly as possible.
Emma: AI is obviously the hot topic of the moment, and this conversation won’t be complete without it. But how is that changing the point of entry, are we going to start seeing AI becoming more of a threat in this space than people? What is the landscape looking like in that respect?
Christian: So, AI is a double-edged sword when it comes to cyber security. On one side, you’re definitely seeing attackers utilising it in a number of different ways. But we’re also seeing from a defender’s point of view, all of the security tooling is getting AI-enabled. And what we kind of see is a gap is going to develop whereby attackers can utilise AI a lot faster and a lot easier in their processes. They don’t have anything that needs to be signed off or budgets, they can just utilise stuff. You know, who cares about what the risks are?
And data leakage and all the challenges that we have are adopting AI in organisations faster than we can adopt a new tool that’s got AI behind them. And I’ll give you a really concrete example. So, attackers are using AI in a couple of different ways. One is writing using vibe coding effectively, which is everybody doing the internet, writing exploits or looking for vulnerabilities in systems.
And we’ve seen that play out in a couple of ways. One is the time period between when a vulnerability is known about on a platform and an exploit is available. Someone can actually use that code to break into something, somewhere around we think it’s about 10x faster between I’ve got a vulnerability now, I’ve got some code where I could actually go and use it to break into someone – 10x faster. So, what that means is the time as an organisation, you now have to fix that problem just got 10x shorter.
Now see earlier comment that patching is quite difficult. Patching in the current time scales where you know most people are trying to get critical patches out in 14 days or 10 days. And now just said that has to be 10 times faster. So that’s going to be the real pain point for us as organisation is how are we going to deal with that challenge of being able to patch faster? How are we going to deal with that problem? And that’s the pain that’s being created for us.
Adrian: And to pin some data on Christian’s observation there. Two years ago, the time taken, from a known vulnerability to that vulnerability being exploited was about just over 30 days. Last year that dropped to five days, and this year, more like 24 hours, is much more common. And if you read – both Anthropic and OpenAI publish a threat intelligence report, makes fascinating reading. Anthropic talk about the weaponisation of their own technology being used by threat actors. And they’ve introduced the term ‘vibe hacking’. Which is how, threat actors are using their technology to produce malicious code, automate aspects of their operations, and really advance the way that phishing activity, for example, is conducted. All the way through to supporting fraudulent employees at big tech companies, and so they can actually deliver real work product but all AI-enabled, without the skills in the background. That could be a nation state actor, for example, which is the example that Anthropic use, where nation state actors are getting access, as employees to big tech companies, which obviously gives them access to funds and data.
Emma: And is AI actually changing the way that threats show up, or is it just making them faster and harder to pin down?
Christian: Bit of everything. I think.
Adrian: I think as Christian said. There are sort of three impacts, really. One is the threat actors are using it to improve their own operations, ransomware as a service, etc. Professionalising what they can offer, to the criminal market effectively. We’re using it to defend ourselves.
So, if you can think about security logs, we might have billions of log entries using AI to process our own logs to detect anomalies. And then thirdly, it’s also in itself an attack surface. So, OpenAI recently launched an agent for browsers, and that introduces things like indirect prompt injection attack risks, where a browser gives an instruction to the LLM and it goes off and performs, a malicious action like disclosing your data, for example. So really three ways in which AI is impacting cyber risk.
Christian: If you take that last point, one of the things that I would say in the next three to f years that we’re most worried about in cyber space is that, the whole agentic AI agenda. So, we’ve actually got an AI operating on your behalf as an agent, and it’s got powers to do things, right. And if you imagine in a corporate space as, as a hacker, I’m actually going to target that system now directly. So, part of the new attack surface. And one of the challenges we’ve always had, I mentioned identity, is we’re not very good at locking down role-based access control. So that’s very granular access about you as an individual having access to this system to do this very specific thing.
If you imagine you’ve got 100 systems, you don’t want to be very granular about every system. It’s quite difficult to do. It’s a large overhead. So, when we deploy these agentic AIs, if we don’t do that, if we’re not very, very granular about the access it has and what it can do, you’ll be able to manipulate them to do things that you didn’t expect them to do, because they’ll be over permissioned. So as an attacker, what I’ll do is I’ll talk to the agentic AI and I’ll try and get it to do things that it shouldn’t be able to do, whether it has access to systems. It’s a new attack surface as well as it’ll be able to do things that we don’t expect you to do. So, it’s going to be a real challenge from that point of view.
Emma: I think this is obviously why there’s a lot of nervousness in this space, both from a corporate perspective, but also on a personal level. Obviously financial institutions and other highly regulated areas find this stuff challenging because we can’t keep pace with some of what the threat actors are working with. So how do we challenge or work with that, balance of needing to innovate, but also needing to protect?
Adrian: I think, there’s a famous quote, virtue falls between two vices. I think it was Aristotle, maybe, and the two vices were recklessness and cowardice. And I think we’ve got a similar, similar challenge to find the golden mean ourselves about how do we balance these things. But in reality, we need to think less of a balance between risk and reward. But actually, how do we integrate security into every aspect of how we operate? This is where you’ll hear the concept of security by design, and how you embed security and security-related controls into the way that you build your systems. And as Christian mentioned earlier, looking at it from how you architect your technology is a first step. So, rather than having to build security controls over every aspect of your organisation, how do you build platforms in your architecture that standardise those security controls, so that out of the gate, you’ve got security by design for the things that you’re building? I think that’s one, one part of the response.
Christian: I think that’s a great quote, by the way. I’m going to use that. What are the challenges that I think we see coming with AI is this whole notion of fear of missing out, right? Is if you see other organisations are adopting it faster, how do I adopt it as an organisation, faster and faster, with kind of just kind of, worry about the risks later a little bit. Right. And if you take vibe coding as a really interesting challenge. So, I want to produce code or solutions faster and faster so we adopt more vibe coding-type techniques.
That does a couple of things. One, we know it produces more code and the volume, the code quality isn’t as good and potentially it could introduce vulnerabilities. But we love the idea that you can have citizen-led development where everybody could be a coder, and the idea that you can just create content and solutions faster and faster and faster, but then you have to build alongside that these rails that are going to keep us safe.
Before the code can go in production, we need to scan it, we need some other AI maybe looking at it. And it’s kind of that ecosystem of pipeline that we’re going to have to build so that we have to adopt. Otherwise we will be left behind. But at the same time, we have to adopt things alongside quickly. And I think lots of people are incubating ideas, trying it in certain areas where they trust people. And it’s that balance that everybody is trying to aim for.
Emma: So, we’ve talked a lot about how AI is a big part of the problem, but there’s also quite a positive side to this that we could probably unpack a little bit more around how it can also be a big part of the solution; can you share some thoughts on that, Adrian?
Adrian: Okay. In general terms, AI can automate the detection, of things like anomalous network traffic or, the automation of detection of new forms of malware by their behaviour rather than the footprint that they leave behind. And within Standard Chartered, the first line have built a fusion platform which, seeks to use AI to correlate activity across financial crime, fraud, physical security and cyber to give us the best intelligence we can about the behaviour of those threat actors.
Emma: Christian, do you have anything that you would share for more general perspective on the positive aspects of AI? What could it bring to the table?
Christian: Yeah, happy to, and I mean, I’m quite a glass half full kind of person when it comes to AI. I’m very, positive about some of the aspects. I’ll give us a really interesting analogy. I read about, yesterday, actually, where if you look at how AI has been used historically, which is a funny thing to say – it’s a new piece of technology – but if you take radiology, for example, and looking at X-rays and body scans and stuff like that, that’s probably one of the most advanced area where AI has been used. If you imagine before, it used to take, quite a number of days for someone to take pictures, for radiographer to look at them. Now that’s completely changed, whereby it takes seconds to look at a scan to determine if someone has cancer or some sort of problem or something like that. You can process images at a really, really rapid, rapid pace. And that really started me thinking about like, well, we thought that we would lose all these radiologists. But what actually happened was we needed more radiologists because instead of just scanning one person when we really had to, because we worried about something, we just started to scan everybody.
And that’s what’s happened in the US most recently. And I was like, actually, that’s a really positive story. If you spin that into cybersecurity, maybe there’s things that we do in cyber that we’ve always wanted to do, but we haven’t been able to do them because they’re too expensive, they’re too labour intensive. So, for example, when you build a new application, we would love to be able to do a really detailed risk assessment or a threat profile of how someone might attack that application.
But to do that on every single application, maybe historically when you’ve got 5,000 apps, you just would never do that. In five years, you would still be going, but you could use AI to do that, or you could use AI to look at every single interaction that a user has to a platform to see if they’re committing fraud in detail, against every other user. You just wouldn’t do that. So, I’m kind of thinking of a very positive spin, that we’re just going to be able to do things that we’ve never, never been able to do at scale and at speed. So, threat targeting is one example of where that’s going to go. So, one of the dreams of AI is the idea of automated control testing; the fact that instead of us doing sample testing of kind of, you know, here’s 100 transactions, I’ll pick 20 of them and I’ll look at them in detail.
Why don’t we just look at all 100 transactions in real time, all the time, using AI? And that’s a slightly different way of looking at controls. So, you don’t have this event at the end of the year and go, oh, we had some anomalies. Why didn’t we pick them up? You just continuously do controls assessment. There’s a completely different way of thinking about it. No one would ever in their right mind do that now because it would just be too expensive to do. But AI and automation will allow us to do those kind of things.
Emma: Obviously, we’re doing a lot in this space, Adrian, around supporting and making everything more secure. Thinking about the regulatory landscape and how we’re being pushed, particularly in financial services, by regulators, to do better. What does that look like in terms of evolution? How is that helping financial institutions, but also the broader corporate landscape in elevating in this space?
Adrian: Yeah, I think in financial services, we’re lucky in that we have, regulators working with us to improve the resilience of our services because our services are critical for the real economy. And so, when we think about the types of asks that regulators and regulation makes of us, they include, asking ourselves questions such as, what are the severe but plausible scenarios that could impact our organisation and impact our most important business services, and how would we mitigate the effects, should those impacts come to pass? So, we run scenario testing, we run simulations, we look at our control environment, and we look at our ability to recover. Not if but when such an event would occur. And that I think, scenario planning, looking at the failure modes of our controls, really helps us understand where things can go wrong and how to prepare, in the event of the worst. And that extends to our regulators, working with us to perform, simulated cyber-attacks. There are, whether it’s iCAST or CBEST, depending on which regulator you’re talking about. But these funny acronyms that describe exercises that are simulated adversarial attacks. So that’s working with third parties, and we simulate attacks on the organisation and make sure that we can, respond, to and protect ourselves against, against those kind of incidents.
Emma: And is the regulatory landscape changing, as are we seeing more in the space?
Christian: I think definitely going to see even more. I think going forward, I think the focus from the regulator in the last couple of years has really shifted, obviously, to resilience – mentioned that a number of times. That’s definitely the core focus, for the regulator. And I think that’s also driven by this whole area of transparency. And you can see that in a couple of places, whether it’s through the testing you talked about, whether it’s regular reporting, it’s regular visibility of what’s happening in the ecosystem. And that’s filtering down. Right. The regulators are asking those questions. Boards are asking those questions. You know: “How do I know where I’m safe?” “How do you know you’re safe?” You know, how do we report on cyber risk. How are you reporting it externally. That’s very, very strong from a regulatory point of view.
Emma: And just to close us out, you’ve both mentioned resilience a number of times. So, thinking about maintaining true resilience, what separates an organisation from having that, from just simply kind of ticking the boxes. And with that, what kind of key piece of advice would you like people to take away from today?
Christian: I think that the real challenge with true resilience is to understand how your business is built from the ground up, what boxes make up what services, did those services depend on other services what business processes sit on top of that, what third party, it’s a really, really complex jigsaw. I think you can get lost in that complexity of the organisation.
So, you know, focusing on the basics around, you know, whether it’s patching, whether it’s responding to an incident, whether having immutable backups, understanding that you’re how you’re managing your attack surface and just being ready is a long way to getting to resilience while you deal with that mesh of complexity. I think you could try and map everything out in a document. How your organisation… but it doesn’t actually make you any more resilient. And I know while you’re doing that, you need to focus on some of the fundamentals.
When you actually look at how people get attacked or they get hacked, it’s not some sort of really, really complex thing that’s occurred. It’s normally a series of chains of quite simple things. Someone didn’t follow a process, let someone reset a password or two-factor authentication wasn’t on the system, or the system wasn’t patched or we knew about it was legacy.
That’s actually where I would say 80 per cent – well, even more – of people actually get into trouble. It’s with the basics, not with really complex things you see in Hollywood blockbusters. And I think that’s where we lose direction sometimes.
Emma: So is that the advice you’d give? Focus on the basics. Get them right.
Christian: Yeah.
Emma: Work from there.
Christian: Work from there. Yeah. Okay.
Emma: Adrian, what about you?
Adrian: Christian and I were talking a couple of weeks ago about what’s happened in Japan this year where there’s been a massive explosion in cyber-related fraud. So, investment fraud and banking related fraud. And that is down to age old tactics – phishing and exploiting the weaknesses inherent in individuals. And so, I would say people and culture for me.
Christian: That’s a fascinating one because that’s got an AI element to it as well, that historically, when phishing emails were written in different languages, they weren’t very good. And I couldn’t write a phishing email in Japanese. But with an LLM, I can now. And there’s this massive explosion in kind of writing very good phishing emails in different languages where people might not have been used to seeing it before.
Emma: So yeah, convincingly as well.
Christian: It all comes back to AI.
Emma: Yeah, all roads lead back to AI. On that note, thank you both very much for your time.
Adrian: Thank you.
Christian: Thank you.
Key takeaways
- Cyber risk is no longer just a technical issue – it’s a strategic business priority. Cyber threats now affect enterprise resilience and require board-level focus.
- Ransomware, data breaches and emerging threats are accelerating fast. Modern attacks are evolving – and organisations need proactive strategies.
- AI is reshaping both the threat landscape and defence capabilities. AI introduces new vulnerabilities but also powerful tools for defence and risk mitigation.
- Building cyber resilience means preparing for what will happen – not just what might. Explore insights on how to strengthen organisational resilience in order to respond and recover when incidents occur.
Meet the guests

Adrian Munday
Adrian has worked for over two decades in the banking, risk and consultancy sectors. He was appointed Global Head of Operational, Technology & Cyber Risk at Standard Chartered in August 2024. Before this, he spent over 18 years at Deutsche Bank. Adrian frequently publishes insights and perspectives on AI, cyber security, and organisational risks.

Christian Arndt
Christian has spent over 20 years working in cyber security roles, including as a founding member of PwC’s cyber advisory team and UK Ciso. He is a leading expert on cyber strategy and works with clients across the financial services sector. He is an avid technologist and regularly publishes articles on cyber security.
Four years ago, the average organisation suffered 800 cyber attacks a week. Now, it's closer to 2,000.
Adrian Munday, Global Head of Operational, Technology & Cyber Risk, Standard Chartered
Glossary of key terms
- Threat actor – An individual, group, or entity that intentionally carries out malicious activities against computer systems and networks.
- Ransomware – A type of software or malware used to encrypt a victim’s files, devices, or networks, to prevent them from gaining access until they pay a ransom.
- Attack surface – The sum of all points an attacker could exploit to gain unauthorised access to a system or to extract data.
- SaaS – Software as a Service provides access to software over the internet, usually by subscription.
- Patching – The process of applying updates (patches) to software, firmware, or systems to fix bugs, patch security holes, and add features.
- Legacy estates – The collection of outdated or unsupported IT systems, software and hardware still in use within an organisation.
- Anomaly detection – This is the process behind the flagging of any deviations in behaviour within systems, networks, or datasets.
- Phishing – The practice of sending emails or messages to victims masquerading as a reputable source with the intention of stealing sensitive information such as usernames and passwords.
Further reading
- Learn more about our approach to cyber security and fraud safety
- Why do 40 per cent of business leaders rank cyber risk as their top risk? [PwC]
- The growing volume of cyber attacks on businesses [Check Point Research]
- Cyber crime costs climbed into the trillions of dollars in 2025 [Cybercrime Magazine]
- Download the World Economic Forum’s Global Cybersecurity Outlook 2025 report
- Download Chubb’s Emerging risks that can impede sustainable company growth report