It has been a busy month for government announcements of support available for businesses of all sizes, and SMEs in particular, to help combat the biggest cyber challenges including governance and supply chain oversight.

Vibe coding security loopholes

Vibe coding, where human users generate code by prompting computers in natural language, has gained popularity in recent years. It provides several benefits, including faster development. It allows novice users to develop code without knowledge of programming languages or syntax.

However, it can also introduce significant security risks. As with other types of generative AI, vibe coding requires critical review of the output, including from a security perspective.

A cyber security researcher working with a BBC journalist recently demonstrated the ease with which one vibe coding platform could be hacked. The journalist used the platform to create code for a game, and the researcher was able to hack the platform to access and edit the code and gain access to the journalist’s computer. Unlike other attacks, there is no reliance on the victim to perform any actions – such as install software – to provide access.

Later in the month, a vulnerability was identified in Moltbook, a social networking site exclusively for AI agents to interact. Security firm Wiz identified a misconfigured database that provided read and write access to data, exposing 1.5m authentication tokens, 35,000 email addresses, and private messages between agents. The site was apparently entirely generated by vibe coding; site owner Matt Schlicht stating publicly that he “didn’t write one line of code”.

Organisations need to take the right care when building and using AI generated code. Checks and balances should be in place, and the code generation process should include security considerations. Experts recommend having discipline in the creation and use of AI generated code, sufficiently documenting the process, conducting appropriate security testing and implementing user reviews to avoid falling foul to the risks.

AI agents and privacy risk

AI agents have long been an area of concern for security professionals. AI agents often require access to a user’s computer, applications and accounts to perform tasks requested by the user.

Where access is misconfigured, or agents are not appropriately secured, an attacker can use a hacked agent to perform malicious tasks, such as autonomously making payments or accessing confidential information.

AI agents are often embedded in applications such as Microsoft Copilot, which uses them to perform tasks such as retrieving data, and executing tasks across various Microsoft applications. This month a bug was reported in Copilot chat, an AI-powered chatbot that allows users to interact with AI agents in applications, such as Word, Excel, Powerpoint and Outlook. The bug resulted in confidential emails being summarised and returned by chat, even though they were labelled as sensitive.

Microsoft has confirmed that the bug has been fixed and claims that it did not provide access to information a user was not already authorised to see. However, it highlights the risk of rolling out AI tools without due care. This is particularly important for Copilot, which is often hailed as an accessible and secure way for organisations to access AI capabilities.

The security and privacy implications of any AI tools and services should be assessed and they should be configured and implemented appropriately to maintain security and privacy. Experts recommending opting in rather than out of features.

Cyber incidents a “catalyst for change”

The Department for Science, Innovation and Technology has published the results of its fifth longitudinal study tracking the cyber security behaviours of organisations.

The report focuses on large and medium UK organisations, and high income charities (those with an annual income £1m to £10m). The study explores how and why these organisations are changing their cyber security practices, and how they implement and improve their cyber defences. The study is endorsed by ICAEW, alongside the Association of British Insurers and Tech UK.

The report concludes that cyber security incidents can occur at any organisation, with 82% of businesses and 77% of charities surveyed having experienced a cyber incident in the previous 12 months.

It also found that organisations are making progress in adhering to at least one cyber security standard, such as Cyber Essentials and ISO 27001, and more organisations are getting specific cyber insurance policies.

The study calls out supply-chain management as a continued area of weakness for charities and businesses, particularly medium-sized businesses. Less than one-third of organisations surveyed carried out formal assessments of suppliers, and they generally lacked awareness of cyber security incidents in their supply chains.

In November 2025, ministers and security chiefs wrote to large businesses asking them to require the adoption of Cyber Essentials in their supply chains. In December 2025, the National Cyber Security Centre published ‘Cyber Essentials Supply Chain Playbook’ to provide steps to help organisations do this.

The guide is supplemented by the IASME Supplier Check Tool which allows organisations to check the Cyber Essentials and Cyber Essentials Plus certification status for companies within their supply chain.

On governance, charities continued to be more likely to have a risk register than businesses (78% vs 64%). This risk acknowledgment did not necessarily result in an increase in investment or board involvement, with 10% of charities describing their cyber security budgets as insufficient.

External influences, such as reports of cyber-attacks, were a big catalyst for behaviour change, whether influencing budget, leadership discussions, or internal checks on cyber processes and policies.

Organisations that previously had an incident were more likely to formally assess their suppliers’ cyber security. Those that experienced an incident with a tangible impact were more likely to show improved implementation of the five Cyber Essentials controls. This reactive approach is identified as a concern in the report.

What about small businesses?

Despite not seeing themselves as targets, small businesses are not immune to cyber-attacks. The UK government 2025 cyber security breaches survey, which covers businesses and charities of all sizes, reports that half of small businesses surveyed had experienced a cyber breach or attack. They can be an attractive target, often holding personal information and connected to larger organisations.

The government recognises the importance of small businesses and the challenges they face in implementing good cyber security. To address this, the Department for Science, Innovation and Technology and the National Cyber Security Centre (NCSC) are running a campaign urging businesses to “lock the door” on cyber criminals.

The campaign provides practical tools to help organisations protect themselves from common online threats and encourages the adoption of Cyber Essentials. It also highlights freely available resources to help organisations achieve certification, such as free 30-minute consultations with an assured cyber advisor, an online self‑assessment to identify gaps (Cyber Essentials Readiness Tool) and the chance to preview the Cyber Essentials ‘question set’ for free.

It follows a ministerial letter to small businesses in November 2025 and co-signed by the NCSC, which identified the Cyber Action Toolkit as a key tool for small businesses and organisations, and a first step towards Cyber Essentials certification. It is designed for sole traders and small businesses and provides bite-sized actions to improve cyber security.