Generative AI is transforming the way organisations work, and the public sector is no exception. While it offers opportunities to increase efficiency and make better use of stretched resources, it also introduces new risks. 

As a Sophos Partner Award winner for 2025 in the Public Sector, UK and EMEA, CyberLab invited experts from Sophos to our cybersecurity podcast to explore what the current threat landscape looks like and how generative AI is reshaping cyber security. 

About Dave Mareels, Senior Director Product Management, Sophos 

Dave is a Senior Director in Product and Service Management at Sophos, where he oversees the Managed Detection and Response (MDR) and Sophos Managed Risk services within the company’s expansive cyber security portfolio. He is passionate about driving innovation in managed security services, enabling organisations to stay ahead of evolving threats through cutting-edge detection and response capabilities. 

About Jon Hope, Senior Technology Evangelist, Sophos 

Since joining Sophos in 2011, Jon has taken on a variety of roles, including Channel Manager, Firewall Specialist, and Sales Engineer. Currently, as a Senior Technology Evangelist, he leverages his deep passion for cyber security to engage audiences as a dynamic speaker, showcasing the cutting-edge technologies and services Sophos provides to safeguard users. 

What Generative AI Means for Cyber Security 

As Dave Mareels explains, “Gen AI is generative. So it can generate. It can create things, it can craft an email, it can tell you what the colour of something is.” This ability to produce new content and respond more intuitively is why generative AI tools feel far more natural to use. 

However, this also creates challenges. Generative models learn from huge volumes of unstructured online data, where reliable information exists alongside misleading or harmful content. CyberLab highlighted this risk, noting that “there’s also a lot of bad information, misinformation stuff that people are just getting wrong.” From improving phishing emails to lowering the skill barrier to entry for cyber criminals, generative AI is increasing the risk for organisations.

For public sector organisations, trust and validation are essential, and this blog explores how the wave of generative AI is rapidly changing the threat landscape. 

The dual impact of Gen AI: improved defence and stronger attackers 

Generative AI is already being used on both sides of the cyber security divide, driving attacks and strengthening defenders.

How attackers are using Gen AI 

Criminal groups have quickly adopted generative tools to improve speed, accuracy and targeting. 

Jon Hope explained that criminals now use AI to “very effectively replicate major brands when it comes to phishing”. Poorly written phishing emails used to be easy to identify. Now, AI removes language barriers, making messages polished, convincing and highly personalised. 

Attackers also use AI to research targets and gather context. Dave Mareels shared a real example of how AI-powered reconnaissance can go wrong, describing how one sales email ended up referencing a prospect’s deceased father because the AI had drawn incorrect conclusions. As Dave put it, “when you go confidently wrong in that sort of magnitude, it can be brand damaging.”

Deepfakes are another emerging threat. As Dave noted, “the deepfake videos… that’s another thing that Gen AI can be made to make.” In a public sector environment, where trust is critical, this could have serious implications. 

How defenders benefit from Gen AI 

Generative AI also brings powerful defensive advantages. It enhances email filtering, supports rapid investigation and lowers the barrier for staff to understand what is happening when alerts are raised. 

Dave highlighted this benefit, saying that generative AI can “lower the adoption barrier for our users to make it easier for them to interface to probe data”. Analysts can interrogate incidents using natural language. Automation can accelerate triage and strengthen managed services. 

Importantly, Dave believes defenders will gain more than attackers, stating: “I think it is the defenders who have more of a gain.” With the right controls, public sector organisations can use AI to improve response times and build resilience. 

Why ransomware remains a major threat in 2026 

The Sophos State of Ransomware Report shows that UK organisations continue to see high rates of encryption, and the public sector faces particular challenges. 

Patching pressures and legacy estates 

Many organisations understand the importance of patching but struggle with the scale of the task. Jon Hope explained that it is often a matter of time, not intent: “Organisations know they should be doing it, but they don’t really have the time.” 

Legacy systems, specialist devices and operational constraints make this especially difficult for public bodies. 

Remote ransomware and unmanaged devices 

Attackers increasingly target unmanaged or unprotected devices, then launch encryption across the estate. These could include IoT devices, medical equipment or older hardware. 

Jon highlighted why many tools miss this, explaining that criminals use an unmanaged device “as a bridgehead to then launch encryption attacks at other devices”. He noted that Sophos detects this through CryptoGuard, which monitors encryption events “no matter where the demands came from”.

Data theft and extortion 

A growing number of incidents involve data theft rather than encryption. Jon warned that criminals can “publish data externally” without ever asking for money. For the public sector, this poses regulatory, reputational and service delivery risks. 

Data breaches happen every day, at companies large and small, with stolen credentials commanding a premium on the dark web. With over 24 billion sets of usernames and passwords currently for sale there, it has never been more important to keep control of your credentials.

The human impact of attacks 

Ransomware does not only affect systems. It affects people. Jon explained that affected staff often feel “sensations of guilt and remorse”, even when they have not done anything wrong. He noted that leadership changes occur in “as many as 25 percent of cases”. 

Public sector teams already work under pressure, so building a culture of openness is key. As Jon stressed, people should feel confident reporting mistakes early, as “it is much better to ask and get it right than make a mistake”.

Building stronger public sector resilience 

The key takeaways for building stronger cyber resilience are clear: 

• Train staff regularly with realistic phishing simulations 
• Consolidate tools to reduce complexity and time pressures 
• Use network detection to monitor unmanaged or legacy devices 
• Test and update incident response plans and store them offline 
• Choose vendors who use AI responsibly to enhance visibility and reduce analyst workload 
