The UK’s cybersecurity sector is getting crowded: government research estimates that there are now 111 UK businesses selling cybersecurity products or services specifically designed for AI systems; that total stood at 66 a year earlier.
Software security is also becoming a bigger business. The government’s 2026 Cyber Security Sectoral Analysis estimates there are now 1,141 companies providing software security services across the UK; the previous baseline counted 960.
A lot of this activity comes from smaller companies. Government research found that small and micro businesses now account for 55% of UK-registered cybersecurity-for-AI providers, compared to 43% previously.
New categories of cybersecurity services are also entering the market: AI red teaming and penetration testing now account for 21% of AI security offerings. Agentic AI security and AI browser security each account for 5%.
Anyone looking at those statistics could assume organisations are investing a lot in protection, right? Well, the government’s research says something else…
Are Businesses Becoming Comfortable With Cyber Risk?
Government data found many small businesses continue choosing a “do nothing” response when having to deal with cybersecurity threats and regulatory requirements.
Government breach data found that only around 33% of companies actually use cyber monitoring tools.
Money is one reason – the government said auditing expenses, certification requirements and limited awareness continue to stop organisations from taking action. That creates a curious situation: more companies are selling cybersecurity products and services, but many potential customers continue putting security spending further down their list of priorities.
Dhruva Pudel, Head of Cybersecurity at Skillcast, said, “Embedding cybersecurity into every aspect of compliance is one of the most effective ways a business can protect itself. While taking a “do nothing” approach may appear to be cost-effective in the short-term, it leaves companies highly vulnerable and the longer-term consequences can be devastating.”
His comments come after years of high-profile cyber incidents affecting organisations of every size.
Does Constant Exposure To Cyber Attacks Change Behaviour?
Cyber attacks have become a routine aspect of modern business: ransomware incidents, data theft and extortion attempts come so frequently that organisations can begin treating them as unavoidable business events.
A recent attack involving the Shiny Hunters extortion group exposed the personal information of 197,000 customers after attackers gained access to the databases of a major European retailer.
Events like that attract publicity for a few days, only for another incident to take its place. It’s happening in retail, finance – literally everywhere.
Security specialists worry that repeated exposure to cyber attacks can encourage resignation. If attacks seem inevitable, investment decisions become easier to postpone.
Pudel said, “No organisation is too large or too small to be targeted and approaches to risk management need to be dynamic in an ever-changing technological landscape.”
Is Apathy Going To Be A Cybersecurity Problem?
The government’s research shows cybersecurity suppliers entering new markets and creating new services.
What’s interesting there is the difference between what cybersecurity companies are building and what many organisations are doing.
Products exist, and so do services and specialist expertise, right?
But government data found many organisations continue choosing not to act.
Pudel believes that decision can become expensive over time. He said, “The cost of responding to a cyber incident, from operational disruption and financial losses to reputational damage, can far outweigh employee training and robust compliance frameworks that can adapt over time.”
He added, “Businesses that act now will be in a far stronger position to protect themselves; action, not apathy, is what will future-proof corporate Britain.”
Cybersecurity companies are entering the market in greater numbers. New AI security services are being developed (and so are new attack strategies). But even then, too many organisations continue deciding that cybersecurity can wait until tomorrow – and that is a cause for concern.