Five Eyes Says AI Will Reshape Hacking in 'Months, Not Years.' Here's the MSP Response Plan.

A rare joint warning from the Five Eyes intelligence agencies says AI is about to accelerate attacks. Here's a concrete 90-day plan for UK SMEs to respond, from supply-chain monitoring to board-level risk reporting.

By Tony Brown

When the intelligence agencies of the UK, US, Canada, Australia and New Zealand agree on something publicly, it is worth paying attention. They rarely speak with one voice, and when they do, it tends to be measured. So the phrase 'months, not years' stands out. That is the timeframe the Five Eyes alliance recently put on how quickly artificial intelligence will change the way attacks are carried out against businesses, governments and infrastructure.

Not a slow drift. Not a decade-long shift you can plan around at leisure. Months.

If you run a small or medium-sized business in Nottingham or anywhere else in the UK, your first reaction might be to assume this is someone else's problem. State-level threats, critical national infrastructure, the kind of thing that happens to power grids and defence contractors. But that reading misses the point. The reason AI matters to attackers is that it lowers cost and removes friction. The crude phishing email riddled with spelling mistakes is being replaced by fluent, personalised messages generated in seconds. Reconnaissance that used to take a skilled human days now happens automatically. The barrier to entry is dropping, and SMEs sit squarely in the blast radius because they are numerous, often under-defended, and connected to larger supply chains.

So let's turn the warning into something useful: a 90-day plan you can actually run, broken into the things that matter most.

Why AI changes the maths

Before the plan, a quick word on what is actually different. AI does not invent new categories of attack overnight. What it does is make existing attacks faster, cheaper and harder to spot.

Consider phishing. A convincing impersonation of your finance director used to require effort. Now an attacker can scrape a few public posts, feed them into a model, and produce an email that sounds exactly like the person it claims to be, complete with their habits and phrasing. Voice cloning takes the same idea to the phone. One UK firm lost a significant sum after staff acted on a call that sounded like a senior manager. That was before this latest wave of tooling.

The other shift is speed. When a software vulnerability is announced, there is a race between defenders patching and attackers exploiting. AI shortens the attacker's side of that race by helping write working exploit code faster. The window you have to react is closing.

This is why 'months, not years' is the right frame. The defences that worked in 2022 are not wrong, but the margin for error has shrunk.

Days 1 to 30: see what you actually have

You cannot defend what you cannot see. The first month is about visibility, not heroics.

Map your software supply chain. Most SMEs have no clear list of the software and services they depend on. Start one. Every application, every cloud service, every plugin, every vendor with access to your systems. The painful truth from recent years is that the biggest breaches often arrive through a trusted supplier rather than a direct attack. MOVEit and SolarWinds taught that lesson at scale. Your list should record who the supplier is, what data they touch, and how you would find out if they were compromised.

Turn on supply-chain monitoring. Once you have the list, you need alerts. Subscribe to vendor security notifications. Where your IT provider manages your stack, ask them to monitor for advisories affecting the products you use and to flag them to you quickly. The goal is to never learn about a critical supplier breach from the news.
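
As an added illustration (not code from the original article), the sketch below keeps the supplier list as structured data, reports entries that cannot yet answer "what data do they touch?" or "how would we find out?", and matches incoming advisories against the products you depend on. The supplier names, field names and advisories are all constructed for the example.

```python
# Constructed supplier register; names and fields are assumptions for this example.
REGISTER = [
    {"supplier": "Example Payroll Ltd", "product": "Example Payroll Cloud",
     "data": ["staff bank details"], "notify_via": "vendor security mailing list"},
    {"supplier": "Example Transfer Co", "product": "Example File Transfer",
     "data": ["customer documents"], "notify_via": ""},
    {"supplier": "Example CRM Inc", "product": "Example CRM",
     "data": [], "notify_via": "status page feed"},
]

# Constructed advisories, as they might arrive from vendor notifications.
ADVISORIES = [
    {"product": "example  file transfer", "severity": "critical", "title": "Constructed advisory A"},
    {"product": "Example Payroll Cloud", "severity": "medium", "title": "Constructed advisory B"},
    {"product": "Unrelated Widget", "severity": "high", "title": "Constructed advisory C"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def normalise(name):
    """Fold case and whitespace so vendor spelling differences still match."""
    return " ".join(name.lower().split())

def register_gaps(register):
    """Suppliers whose entry lacks the data they touch or a breach notification route."""
    gaps = {}
    for entry in register:
        missing = [field for field in ("data", "notify_via") if not entry.get(field)]
        if missing:
            gaps[entry["supplier"]] = missing
    return gaps

def triage(advisories, register):
    """Match advisories to registered products and return hits, most severe first."""
    by_product = {normalise(e["product"]): e for e in register}
    hits = []
    for adv in advisories:
        entry = by_product.get(normalise(adv["product"]))
        if entry is None:
            continue  # not a product we depend on
        hits.append({"supplier": entry["supplier"], "severity": adv["severity"],
                     "title": adv["title"], "data_at_risk": entry["data"],
                     "no_alert_route": not entry["notify_via"]})
    return sorted(hits, key=lambda h: SEVERITY_ORDER.get(h["severity"], 99))

if __name__ == "__main__":
    print(register_gaps(REGISTER))
    print(triage(ADVISORIES, REGISTER))
```

A hit with no_alert_route set is a supplier whose breach you would currently hear about from the news, so those are the register entries to fix first.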

Audit credentials. Pull a report of every account with administrative access. You will almost certainly find more than you expect: old employees, shared logins, service accounts nobody remembers creating. Each one is a door. Close the ones you do not need.
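
One way to run that audit over an exported account list, as an added example that is not part of the original article: it flags administrative accounts that belong to leavers, are shared, are service accounts with no named owner, or have not logged in recently. The CSV columns, the sample rows and the 90-day staleness threshold are assumptions made for the example.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a real product's format.
SAMPLE_EXPORT = """account,owner,owner_status,is_admin,account_type,last_login
j.smith,j.smith,active,yes,user,2025-05-28
a.jones,a.jones,left,yes,user,2024-11-02
admin,,,yes,shared,2025-05-30
svc-backup,,,yes,service,2023-01-15
svc-print,it.team,active,no,service,2025-05-01
r.patel,r.patel,active,yes,user,2024-12-20
"""

STALE_AFTER_DAYS = 90  # assumed threshold; set it to match your own policy

def audit_admin_accounts(export_text, today, stale_after_days=STALE_AFTER_DAYS):
    """Return {account: [reasons]} for admin accounts that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["is_admin"].strip().lower() != "yes":
            continue  # only privileged accounts are in scope for this pass
        reasons = []
        owner = row["owner"].strip()
        account_type = row["account_type"].strip().lower()
        if row["owner_status"].strip().lower() == "left":
            reasons.append("owner has left the business")
        if account_type == "shared":
            reasons.append("shared login, no individual accountability")
        if account_type == "service" and not owner:
            reasons.append("service account with no named owner")
        last = row["last_login"].strip()
        if not last:
            reasons.append("never used")
        else:
            idle = (today - date.fromisoformat(last)).days
            if idle > stale_after_days:
                reasons.append(f"no login for {idle} days")
        if reasons:
            findings[row["account"]] = reasons
    return findings

if __name__ == "__main__":
    report = audit_admin_accounts(SAMPLE_EXPORT, date(2025, 6, 1))
    for account, reasons in report.items():
        print(f"{account}: {'; '.join(reasons)}")
```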

Days 31 to 60: close the obvious doors

With visibility in place, spend the second month hardening.

Enforce multi-factor authentication everywhere it matters. Email, remote access, financial systems, your IT management tools. MFA is not perfect, and attackers have ways around weaker forms of it, but it remains one of the highest-value controls you can deploy. Move away from SMS codes towards app-based or hardware key methods where you can.

Fix credential hygiene properly. This means a password manager for the business, unique passwords for every service, and the removal of shared accounts. It also means rotating credentials that have been sitting unchanged for years. Phishing-resistant authentication should be the direction of travel, because AI-generated phishing will get past the staff who used to spot the clumsy versions.

Tighten your patching rhythm. If patches currently get applied 'when someone gets round to it', that has to change. Critical security updates should be applied within days, not weeks. Your IT provider should be able to show you a patch status report on demand. If they cannot, that is a conversation worth having.

Set up AI-assisted threat escalation. This is where the defending side gets to use the same tools. Modern detection systems use machine learning to spot unusual behaviour (a login from an odd location, a sudden burst of file access, an account doing something it has never done before) and escalate it to a human fast. For an SME, this usually means a managed detection and response service rather than building it yourself. The aim is to match the attacker's speed with your own.

Days 61 to 90: make it a board issue

The technical work is necessary but not sufficient. The final month is about ownership.

Cyber resilience keeps getting treated as a technical footnote, a line item buried in the IT budget. That has to stop. The Five Eyes warning is, at its heart, a business risk warning. A serious breach can halt trading, trigger regulatory penalties, destroy customer trust and, for smaller firms, end the business entirely.

Present it as risk, not technology. When you take this to your board or owners, do not lead with firewalls and protocols. Lead with money and continuity. What would three days of downtime cost? What is the financial exposure if customer data leaks? What contracts require you to demonstrate security, and what happens if you cannot?

Assign clear ownership. Someone at senior level needs to own cyber risk, even if the day-to-day work is outsourced. Resilience decisions (how much to spend, what to accept, what to insure) are business decisions.

Test your assumptions. Run a tabletop exercise. Walk through a realistic scenario: a finance staff member acts on a cloned voice instruction, or a supplier is breached. See where your plan falls apart. It always does somewhere, and finding out now is far cheaper than finding out during a real incident.

Review your cyber insurance and Cyber Essentials position. Many UK contracts now require certification. Insurers increasingly demand MFA and tested backups before they pay out. Make sure your controls match what you have promised.

The point of all this

Ninety days will not make you invulnerable. Nothing will. But it will move you from hoping nothing happens to being ready when something does, and it will do so before the months the Five Eyes are warning about have run out.

The agencies did not issue this warning to cause panic. They issued it because the people closest to the threat believe the timeline is short and the response needs to start now. For most SMEs, that response is entirely achievable with a clear plan and a provider who treats your resilience as their job. If you are not sure where your gaps are, the first thirty days of this plan will tell you. Start there.
