July 9, 2026

In June 2026, something unusual happened. The heads of the UK, US, Australian, Canadian and New Zealand cyber security agencies (collectively known as the Five Eyes) put their names to a single, joint statement. Not a technical advisory. Not a threat bulletin. A call to action, addressed squarely at business leaders.
Their message was blunt: artificial intelligence is compressing the timeline of cyber risk from years to months, and the organisations that treat this as "an IT problem" are going to lose ground quickly.
For a global bank or a critical infrastructure operator, that message lands on a security team with a CISO, a budget, and a seat at board level. For a 40-person architecture practice or a growing marketing agency, it raises a more uncomfortable question: if cyber risk is now a leadership responsibility, who on our leadership team actually holds it?
What the statement actually says
Stripped of the diplomatic language, the Five Eyes statement makes three points that matter to any business, regardless of size.
AI is shrinking the gap between a vulnerability being discovered and it being exploited. Attackers are using AI to find weaknesses and build exploits faster than security teams can patch them. The agencies describe this shift in months, not years.
Cyber resilience is now a business risk, not a technical one. The statement is explicit that this can no longer sit purely with "IT." It's framed as core to business continuity, market confidence and long-term value, which is another way of saying: if something goes wrong, it won't just be a technical postmortem. It will be a leadership one.
Getting the basics right matters more than buying more tools. The agencies' recommended actions are not exotic. They're the fundamentals that most breach post-mortems come back to: reduce your attack surface, patch faster, retire legacy systems, tighten access controls, and prepare for incidents before they happen.
Why this is harder for SMEs than the statement lets on
Large organisations that this statement is aimed at generally have a structure for acting on it: a CISO or Head of IT who can be handed the five actions, a board that reviews risk quarterly, and a budget line for security.
Most creative and professional services SMEs have none of that. IT is often owned informally, by an office manager, a founder who "knows computers," or an outsourced provider on a support-ticket relationship. Nobody is accountable for asking whether the firm's patching cadence has kept pace with a threat landscape that's now moving in months rather than years, because nobody owns that question.
This is the accountability gap the Five Eyes statement is really pointing at, even if it doesn't use those words. AI hasn't just made attacks faster. It's exposed how many businesses have never assigned genuine ownership of cyber risk to anyone.
The five actions, translated for a business without a security team
1. Reduce your attack surface.
Every remote access tool, old VPN, or forgotten cloud login you're not actively using is a door left ajar. For firms with hybrid or site-based teams (architects working across office and client sites, engineers on location), this is worth an honest audit rather than an assumption that "IT already checked."
2. Accelerate patching.
If your current process is "wait for the next update rollout" rather than "patch critical vulnerabilities within days," the agencies would consider that a strategic liability, not a scheduling preference. See our guide to patch management for what a faster cadence actually looks like.
3. Address legacy systems.
That unsupported server, the CAD workstation nobody's replaced, the old file share still holding client data: these are the easiest entry points for attackers, and they tend to be invisible until an infrastructure audit surfaces them.
4. Strengthen identity and access controls.
Who can access your project files, financial systems, and client data, and does that list actually reflect who's still on the team? Identity and access management is one of the highest-return, lowest-drama fixes available to smaller firms.
5. Prepare for incidents before they happen.
Not "we have backups," but "we've tested what happens in the first hour of a breach, and everyone knows their role." A business continuity plan that's never been tested isn't a plan. It's a document.
Who's actually accountable for this at your firm?
This is the question the statement forces, even for a 30-person studio. Someone needs to own the answer to "are we prepared" and be able to say so with confidence, not hope.
For most SMEs in creative and professional sectors, the realistic options are: build that function in-house (expensive, and hard to justify below a certain size), leave it informally distributed (which is how the accountability gap opens in the first place), or bring in outsourced IT leadership that functions as your IT director without the full-time headcount. That third option is precisely the model behind Lyon Tech's advisory and architecture service: independent, senior-level guidance on risk, investment and readiness, sitting alongside your team rather than replacing it.
It's also worth being honest that this doesn't happen through better tooling alone. It happens through named accountability, a clear read on your current risk position, and a partner willing to say "here's what's actually exposed" rather than "here's what we can sell you." That's the difference the NCSC and Cyber Essentials framework both point towards, and it's worth checking your firm's current certification status against that baseline if you haven't recently.
Where to start this week
You don't need a security team by Friday. You need three honest answers:
- Do we know how quickly we patch critical vulnerabilities, and is that fast enough for a threat landscape now measured in months?
- Could we say, with confidence, who has access to what, and why?
- If we had an incident tomorrow, does everyone know what happens in the first hour?
If any of those answers is "not sure," that uncertainty is the real finding, not the specific vulnerability. Ownership of that uncertainty is what the Five Eyes statement is actually asking leaders to take on.
If you'd like an outside view on where your firm stands against these five actions, get in touch and we'll talk through what a realistic starting point looks like for a business your size.
FAQ
What is the Five Eyes cyber security statement about?
In June 2026, the heads of the UK, US, Australian, Canadian and New Zealand cyber security agencies published a joint statement warning that AI is accelerating the speed and sophistication of cyber attacks, shrinking the time between a vulnerability being discovered and exploited from years to months. They called on business leaders, not just IT teams, to treat cyber resilience as a core business risk.
Does this apply to small and medium-sized businesses, or only large organisations?
The statement is written with large organisations and critical infrastructure in mind, but the underlying risk, faster and more automated attacks, applies to any business connected to the internet. SMEs are often more exposed because they're less likely to have dedicated security leadership or a tested incident response plan.
What are the five actions the agencies recommend?
Reduce your attack surface, accelerate patching, address legacy systems, strengthen identity and access controls, and prepare for incidents before they happen. None of these are new; the statement's point is that they're now urgent.
Who should be accountable for cyber risk in a business without an in-house security team?
Someone needs to own the answer to "are we prepared," even if that's an outsourced IT partner acting in an IT director capacity rather than a full-time hire. The risk of leaving it undefined is exactly the gap the Five Eyes statement is highlighting.
How can Lyon Tech help with this?
Lyon Tech provides outsourced IT leadership and cyber security services for creative and professional services firms, including infrastructure audits, identity and access management, and ongoing advisory support, so smaller firms get the same accountability and readiness that the Five Eyes statement expects of larger organisations.


.jpg)
