This page translates real, active cyber threat intelligence into plain English for UK business owners. No acronyms. No jargon. Just what you need to know and what you should do about it.
Last updated: 7 July 2026 · Week 28 / 2026 · Next update: 14 July 2026
Every week we assess the overall risk level for UK small businesses in financial services — insurance brokers, financial advisers, mortgage intermediaries, and professional services firms. This is based on real intelligence from the UK's National Cyber Security Centre (NCSC), US cyber agencies, and industry reporting.
Seven criminal and state-sponsored groups are currently running active operations targeting UK businesses in your sector. Attacks involving fake payment requests, account takeover, and ransomware are all running at higher-than-normal frequency. This does not mean an attack on your specific business is imminent — but it does mean your defences are more likely to be tested than they would be in a quieter period.
Each week we identify the single highest-risk attack technique that is seeing a spike in use against UK businesses. This week:
For years, every cyber attack has required a person at a keyboard making decisions — when to move, what to target, when to deploy the ransomware. That has changed this week.
Security researchers at Sysdig have identified and documented what they describe as the first confirmed case of agentic ransomware — an attack called Jadepuffer in which an artificial intelligence system completed an entire ransomware operation end-to-end, from initial access through to the extortion demand, without a human directing it at any point. The AI made its own decisions, adapted to the environment it found itself in, and executed the attack autonomously.
The US and its allies — including the UK — warned at the end of June that attacks like this could appear within months. It took less than two weeks.
What does this mean for your business in practical terms? The speed and volume of attacks will increase significantly. Attackers no longer need skilled humans to be available at every stage. An AI can run hundreds of attacks simultaneously, learning from each one. The window between a vulnerability being discovered and your systems being targeted gets shorter.
The practical response has not changed — but the urgency has. The businesses that get attacked are overwhelmingly those with known gaps: unpatched software, no multi-factor authentication, no tested backup and recovery plan. AI makes those gaps more dangerous, not different. Closing them matters more now than it did six months ago.
Microsoft SharePoint Server has a newly confirmed vulnerability (CVE-2026-45659) that allows someone with access to your network to run malicious code on the server. SharePoint underpins document management, intranet sites, and collaboration tools across a large proportion of UK businesses — often accessed through Microsoft 365 without staff realising it is there. The vulnerability was added to the US government's confirmed-exploited list on 1 July 2026, meaning it is being actively used in real attacks right now. Contact your IT provider and ask specifically whether this patch has been applied. If they manage your Microsoft 365 environment, they should be able to confirm within minutes. If they are not aware of the vulnerability, that itself tells you something important.
Why now: CVE-2026-45659 was confirmed exploited on 1 July 2026. SharePoint is one of the most widely deployed platforms in UK professional services. Unpatched systems are being targeted actively.
SimpleHelp is remote support software used by many IT providers and managed service companies to access client systems remotely — the tool they use when they "take control of your screen" to fix a problem. It was added to the US government's confirmed-exploited vulnerability list this week (CVE-2026-48558). If your IT provider uses SimpleHelp and has not updated it, there is a confirmed vulnerability in the software that has access to your systems. You may not even know SimpleHelp is installed on your machines — it often runs quietly in the background. Ask your IT provider: do you use SimpleHelp to access our systems, and has it been updated following the CISA alert published 29 June 2026? A good IT provider will know immediately. If they are not aware, ask them to check and update before their next remote session on your systems.
Why now: Vulnerabilities in remote access tools used by IT providers are a particularly high-risk category — they provide access to multiple clients' systems from a single compromised tool. This one has confirmed active exploitation.
The UK government launched the Cyber Resilience Pledge today. Around 60 organisations have signed so far — including M&S, Nationwide, ITV, Microsoft UK, and Accenture. The pledge commits signatories to a set of cybersecurity standards. It is currently voluntary. However, the documentation makes clear that organisations signing the pledge are expected to extend those standards through their supply chains — meaning if you supply a signatory, you may be required to sign too. This is the same model used for Cyber Essentials in government contracts, which started voluntary and became mandatory. If any of your clients or the organisations you work with are large enough to appear on that list, it is worth checking whether a supply chain requirement is coming. Cyber Essentials certification is the most direct way to demonstrate compliance with the kind of baseline standards the pledge covers.
Why now: The pledge launched today (7 July 2026). Supply chain pressure is the mechanism that has driven Cyber Essentials adoption among SMEs supplying the public sector. The same dynamic is now beginning in the private sector.
A GET-IT resilience scan maps your current defences against the active threat techniques on this page and tells you exactly where your gaps are — in plain English, with costs to fix them.
Book a Free Resilience Scan → View Technical Version