Get the latest cyber news and updates straight to your inbox.
Traditional Cyber Awareness Is No Longer Enough. Here's What Regulated Firms Need to Do Now.
Every October, cybersecurity companies rally around awareness month by pushing out toolkits, posters, and tipsheets to help employees avoid clicking on malicious links or using “123456” as a password. But in 2025, that message feels worryingly outdated.
This year, the threat landscape has changed dramatically. And the biggest reason? AI.
AI is not just powering innovation; it’s also supercharging cybercriminals. At FoxTech, we’ve been tracking how generative AI is accelerating phishing sophistication, deepfake precision, and even the automation of reconnaissance and exploitation. What we’re seeing in the wild is no longer amateur hour. It’s industrialised, AI-assisted cybercrime.
And it’s targeting regulated firms with precision.
If you work in financial services or professional services, you’re already on high alert due to your regulatory obligations. But the uncomfortable truth is this: most awareness programmes haven’t kept up. They rely on outmoded models that treat human error as a simple training issue, when in fact, it’s now being actively manipulated by machine learning.
Read our previous blog to find out more
In our recent webinar, New Rules, New Risks, we discussed how the UK’s latest codes of practice – particularly the Cyber Governance Code and Software Security Code – are quietly but decisively raising the bar. These voluntary frameworks reflect a growing reality: boards are now accountable for cyber resilience. And AI-driven threats are accelerating that shift.
For regulated firms, this means the classic awareness poster in the kitchen is no longer a viable defence strategy. The attack surface is now behavioural. It’s dynamic. And it changes as fast as the models that drive it.
Our free cyber risk tool shows you what attackers can see about your organisation
You can’t train your way out of a dynamic threat landscape. Instead, firms should combine frequent, microlearning-based training with continuous behavioural risk monitoring. That means moving beyond one-size-fits-all training to smaller, scenario-based modules delivered throughout the year. At the same time, firms should implement ongoing measurement of risky behaviours, with proactive interventions such as SOC-led behavioural monitoring, adaptive awareness nudges, or user risk segmentation to ensure a dynamic, responsive defence.
AI isn’t just a tool you can adopt; it’s a capability your adversaries are already using. Regulated firms should update risk registers and governance frameworks to account for AI-generated threats. This includes deepfakes, synthetic identity fraud, and hyper-personalised spear phishing.
Being audit-ready is not the same as being breach-ready. The DSIT Codes of Practice rightly emphasise board accountability, asset-level risk assessment, and continuous validation. Cybersecurity must now sit alongside financial and operational risk as a top-tier governance concern.
Traditional awareness efforts have their place, but in a world of AI-powered adversaries, they simply don’t go far enough. The smartest firms we work with are shifting from “awareness” to resilience. That means integrating human behaviour analytics, AI-risk modelling, and regulator-aligned controls that move faster than the threats themselves.
The question is no longer “Are our staff trained?” but rather:
“Are we equipped to defend against attacks that learn faster than we do?”
If you’re reviewing your current cyber strategy or preparing for an audit, we can help. Our regulatory-grade penetration testing, human-driven SOC, and executive risk advisory services are designed for exactly this moment.
Let’s have a conversation.
MFA Isn’t Enough: Real Stories from the Frontlines
Real incidents where attackers bypassed MFA by tricking employees into giving attackers access.
The Biggest CyberSecurity Threat Isn’t Who You Think It Is
4 CyberSecurity experts share their experience of the latest attacks targeting employees, practical ways to evolve cybersecurity awareness programs, and practical steps you can take today to protect against AI and human threats.
Get in touch to find out more about our comprehensive security services
Last week a new tool was brought to my attention, No-Defender, a tool published on GitHub that can deactivate Windows Defender by exploiting the Windows Security Center (WSC) registration mechanism. The method is typically
In today’s increasingly connected world, businesses of all sizes rely on Managed Service Providers (MSPs) to streamline their IT infrastructure
The UK’s new Cybersecurity Codes of Practice introduce voluntary guidance that could signal a shift in how digital risk is managed across sectors. In Webinar 001: “New Rules, New Risks: What the UK’s Latest Cybersecurity
