Resilience Week 2026

Why Cyber Security Is Now a Resilience Issue

OCS Team

03 Jun, 2026

What organisations need to know about AI, cyber risk and building resilience in 2026 

For OCS, resilience is about building an organisation that can anticipate risk, protect what matters most, adapt under pressure and keep operating when the environment changes. In that context, cyber security is not just a technical issue. It is part of how organisations protect people, services, data and reputation when disruption hits. 

Neil Weller’s view is that organisations need to stop treating cyber risk as a specialist topic and start recognising it as a business resilience priority. 

As AI reshapes the cyber risk landscape, organisations need to think beyond technology alone. In this article for OCS Resilience Week 2026, OCS Group Chief Information Security Officer, Neil Weller, explains why cyber security is now central to organisational resilience – and why staying alert means staying connected, and how small, practical changes can make a big difference.

Neil Weller

Group Chief Information Security Officer

AI is Changing the Operating Environment

That shift is already visible across day-to-day business operations. 

McKinsey’s State of AI research found that 88 per cent of organisations now use AI in at least one business function. The opportunity is clear, but so is the challenge: many businesses are adopting AI faster than they are adapting their controls, processes and governance around it. 

That matters because AI is not delivering value through technology alone. The organisations seeing the greatest benefit are redesigning work around it, rather than simply layering it on top of existing processes. The same principle applies to resilience: tools matter, but they only make a difference when they are supported by the right habits, controls and decisions. 

Trust Signals are Getting Harder to Read

AI is also changing the information environment around us. Tools that can generate convincing text, audio and video are making fraud and impersonation easier, faster and harder to spot. For organisations, that creates risks well beyond IT, from payments and hiring to reputation and decision-making. 

That means the checks people once trusted, such as recognising a voice, judging whether a message looks genuine or relying on familiar context, are no longer enough on their own. 

Recent cases show how costly this can be. In one widely reported case in Hong Kong, an employee at a multinational firm was tricked into transferring $25 million after joining a video call featuring AI-generated impersonations of senior colleagues. In this environment, stronger verification matters more than instinct alone. 

Access is Now a Resilience Issue

One of the clearest messages from recent cyber research is that attackers often get in by using real accounts, passwords or access that should no longer be available. Palo Alto Networks Unit 42’s Global Incident Response Report found identity weaknesses played a material role in almost 90 per cent of the incidents it investigated. 

Those attacks are happening faster too. Unit 42 reported that the fastest attacks reached data theft in just 72 minutes in 2025, down from 285 minutes the year before. When incidents move at that speed, businesses need controls that reduce exposure early rather than relying on people to spot every threat in time. 

Verizon’s 2025 Data Breach Investigations Report reached a similar conclusion: stolen credentials were the most common way attackers gained access, and they featured heavily in web application attacks too. 

For most organisations, the response is practical rather than highly technical: strengthen sign-in controls, limit unnecessary access, remove old permissions quickly and monitor unusual account activity more closely. These are resilience measures as much as security measures, because they help contain problems before they spread. 

The Business Impact Runs Deeper than Cost

The financial impact of a breach still matters, but the wider business disruption can matter even more. IBM’s Cost of a Data Breach Report found the global average breach cost fell in 2025, helped by faster detection and containment. That is encouraging, but it does not mean the risk is reducing overall. 

The headline figures only tell part of the story. Costs remain high overall and vary widely by sector, geography and complexity, and recovery can still take months. For business leaders, that means cyber incidents should be seen not just as security events, but as operational events that can affect service, trust, revenue and reputation.

Speed Changes the Threat

AI is not creating an entirely new cyber problem. What it is doing is helping attackers move faster, scale more easily and lower the effort needed to carry out familiar tactics. 

That includes scanning for weaknesses more quickly, automating phishing and speeding up extortion attempts. Unit 42 and IBM both point to the same trend: AI is becoming a force multiplier for attackers, even when the methods themselves are not new. 

For organisations, this raises the stakes on the fundamentals. The faster threats move, the more important it becomes to reduce avoidable gaps, protect key data and be ready to respond quickly. 

Resilience Can be Undermined from Within

Not all AI risk comes from outside of the business. It can also come from employees using public AI tools to work faster without realising the data and security implications. This is often called shadow AI. 

The best-known example is Samsung Electronics, where engineers pasted source code, meeting notes and other sensitive internal information into ChatGPT while trying to speed up routine work. The issue was not bad intent; it was a gap in awareness, policy and approved alternatives. 

IBM found that shadow AI is already contributing to breach risk and cost. If people are using AI at work, they need clear guidance, safe tools and boundaries they understand. 

The response does not need to be complicated. Give people access to approved AI tools, block unapproved consumer tools on managed devices, make sure data rules cover AI use and explain the risks in plain language. Most people are trying to work better, not create a breach, so organisations need guardrails that help people stay alert, stay connected to the right guidance and use AI safely. 

Recovery is Now Part of the Attack Surface

Backups still matter, but they are no longer enough on their own. Attackers increasingly target recovery systems early, because if they can stop an organisation recovering, they increase the pressure to pay. 

That is reflected in Rubrik Zero Labs’ State of Data Security research, which found many organisations had backup and recovery systems partly or fully compromised before ransomware was deployed. 

The response is practical: protect backups from tampering, keep offline copies, test recovery plans and rehearse what teams will do under pressure. As Rubrik’s research shows, resilience is not just about having the technology. It is about being ready to use it when systems are under strain. 

Governance Can No Longer Lag Behind Adoption

Governance is improving, but not quickly enough. The World Economic Forum’s Global Cybersecurity Outlook 2026 found that 94 per cent of leaders see AI as the biggest driver of cyber change in 2026, while 87 per cent say AI-related weaknesses are the fastest-growing risk. Yet many organisations still do not assess AI tools properly before using them. 

The pattern is familiar: adoption is moving faster than oversight. That makes cyber resilience a leadership issue as much as a technology one. 

What matters now is discipline. Organisations need visibility over which AI tools are being used, clear accountability for decisions, proper supplier checks and straightforward rules for public AI use. This is less about creating perfect policy and more about keeping pace with change. 

What Resilient Organisations do Differently

AI is accelerating the pace of change on both sides, which means resilience depends on keeping up with that shift. 

For most businesses, that does not mean chasing every new headline. It means focusing on the practical changes that improve resilience day to day. 

Neil Weller argues that cyber security now sits firmly within the broader resilience agenda. It shapes how organisations protect trust, maintain operations and respond under pressure. 

The most effective steps are often practical rather than dramatic. Stronger sign-in controls, clearer rules for AI use, better protection for important data and tested recovery plans can all reduce risk and strengthen resilience. Small actions, taken early, can have a big impact later. 

That is the focus of OCS Resilience Week 2026, and the message Neil Weller believes organisations should act on now: build the habits, confidence and controls that keep people, services and reputations strong under pressure. In cyber security, that means staying alert, staying connected and recognising that small changes can create big impacts. 

Strong Controls. Stronger Resilience.
